WO2006102565A2 - Optimized derivation of handover keys in mobile ipv6 - Google Patents

Publication number
WO2006102565A2
Authority
WO
WIPO (PCT)
Prior art keywords
access
access router
access terminal
key number
public key
Prior art date
Application number
PCT/US2006/010691
Other languages
French (fr)
Other versions
WO2006102565A3 (en
Inventor
Mohamed Khalil
Haseeb Akhtar
Original Assignee
Nortel Networks Limited
Priority date
Filing date
Publication date
Application filed by Nortel Networks Limited
Publication of WO2006102565A2
Publication of WO2006102565A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/062 Pre-authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0019 Control or signalling for completing the hand-off for data sessions of end-to-end connection adapted for mobile IP [MIP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W92/00 Interfaces specially adapted for wireless communication networks
    • H04W92/04 Interfaces between hierarchically different network devices
    • H04W92/10 Interfaces between hierarchically different network devices between terminal device and access point, i.e. wireless air interface

Definitions

  • IP Internet Protocol
  • BTS Base Transceiver Station
  • AR Access Router
  • the security associated with encryption is directly tied to the sophistication of the algorithm and keys.
  • the cryptographic system will have a higher level of security the greater the complexity of the algorithm and keys. Because of its complexity, the algorithm can be kept secret or publicly disclosed without undermining the strength of the security system, which is fundamentally linked to the keys.
  • the goal of the encryption is to be computationally infeasible to break - derive the original data from the encrypted data - without exorbitant expenditures in cost or time to recover the data or keys. Using keys helps make the encryption more difficult to break.
  • Party A intends to communicate confidentially with Party B using the cryptographic system.
  • Party A uses the algorithm and a key to transform the information in the transmitted information packet into encrypted information.
  • After receiving the encrypted information packet, Party B decodes the encrypted information using the algorithm and a key. When the encrypted information is decoded, the original information should be disclosed in the decoded information packet.
  • IKE Internet Protocol Security
  • IKE IPSec Key Exchange
  • the Diffie-Hellman key agreement protocol (also called exponential key agreement) allows two users to exchange a secret key over an insecure medium without any prior secrets to establish secure communication using an encryption algorithm.
  • the Diffie-Hellman key exchange is vulnerable to a man-in-the-middle interception attack, and this vulnerability requires authentication of the participants using an authentication protocol.
  • the AT and AAA server already possess a security association shared between them to authenticate the identity of the AT, namely the MN_AAA authentication extension.
  • the AAA server authenticates the Access Request using the existing MN_AAA authentication option and responds with an Access Accept message in step 125 authenticating the identity of the AT, authorizing access to the network, and updating routing table information for routing information packets to the AT.
  • the AR forms a Fast Binding Acknowledgment (FBack) message in step 130 to transmit to the AT.
  • the FBack message contains a security association formed by the AR and acknowledges receipt of the care-of address data.
  • the AR generates a shared secret key g ⁇ " 1 " ⁇ at the same time.
  • the pAR transmits a Handover Initiate (HI) message to the nAR to initiate the hand-off protocol to handover the communication connection to the nAR.
  • the routing path between the pAR and nAR is assumed to be secured by an established security protocol such as IPSec or some other security association.
  • the HI message includes the Diffie-Hellman public value $g^{mn}$ for the AT.
  • the nAR transmits a Handover Acknowledge (Hack) message back to the pAR to acknowledge the handover initiation in step 225.
  • the Hack message includes the Diffie-Hellman public value $g^{nar}$ for the nAR.
  • the AT can now generate the shared secret key value $g^{nar \cdot mn}$ and secure communication transmissions with the nAR using the shared value.
  • the AT disconnects from the pAR to change connection to the nAR.
  • the pAR forwards any buffered or arriving information packets to the nAR for delivery to the AT at its new connection.
  • the AT connects to the nAR at step 245 and can now receive information packets routed through the nAR.
  • the AT transmits a Fast Neighbor Advertisement (FNA) to the nAR after attaching to the nAR.
  • FNA Fast Neighbor Advertisement
  • the nAR transmits a FBack message through a secure path between the nAR and the pAR containing the public value $g^{nar}$ for the nAR, and the FBack message is authenticated using the security association previously created between the MN and the pAR (e.g. the MN-AR authentication option or another SA).
  • the pAR forwards the FBack message to the AT using the new link in step 335, which is authenticated by using the security association created previously between the AT and the pAR (e.g. MN-AR authentication option or some other SA).
  • the FBack message contains the public value $g^{nar}$ for the nAR.
  • the AT receives the FBack message, it generates the shared secret key from the nAR public key and the AT private.

Abstract

The invention consists of an optimized protocol for deriving handover keys to authenticate communication between an access terminal and an access router during a fast handoff protocol. An encryption public key generated using a private key for the access terminal and the access router is transmitted, each public key derived using the private key in an encryption algorithm. The public key for the access terminal is transmitted encapsulated in a binding update message that is received by the access router. The access router uses the received access terminal public key and its private key to generate a shared authentication key. The access router transmits its public key encapsulated in a message to the access terminal, which uses its private key and the access router public key to generate the shared authentication key. The shared authentication key is then used to authenticate communication between the access terminal and the access router. The messages transmitting the public keys are also secured using a security association for the routing links between the access terminal and the access router. The messages transmitting the keys are control messages used in the handover protocol and do not impose any additional messaging overhead to establish the authenticated communication link.
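
The exchange the abstract describes, as an added example (not code from the patent): each side's Diffie-Hellman public value rides in a handover control message authenticated under the existing AT-AR security association, so a substituted value is rejected before any key is derived. The HMAC-SHA256 authenticator, the hash-based key derivation step, the message field names and the choice of the RFC 3526 group are assumptions of this sketch; the page specifies none of them.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
# The group choice is an assumption of this example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_LEN = 256  # bytes needed to encode a value modulo P


def dh_keypair():
    """Return (private exponent, public value g^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in 2..P-2
    return priv, pow(G, priv, P)


def _authenticator(sa_key, msg_type, dh_pub):
    """HMAC over message type and DH value, keyed by the existing SA."""
    data = msg_type + dh_pub.to_bytes(PUB_LEN, "big")
    return hmac.new(sa_key, data, hashlib.sha256).digest()


def build_msg(sa_key, msg_type, dh_pub):
    """Control message carrying a DH public value (hypothetical field names)."""
    return {"type": msg_type, "dh_pub": dh_pub,
            "auth": _authenticator(sa_key, msg_type, dh_pub)}


def accept_msg(sa_key, msg, expected_type):
    """Check the authenticator first, then the DH value; return the value."""
    if msg["type"] != expected_type:
        raise ValueError("unexpected message type")
    expected = _authenticator(sa_key, msg["type"], msg["dh_pub"])
    if not hmac.compare_digest(msg["auth"], expected):
        raise ValueError("authenticator mismatch")
    # 0, 1 and P-1 would force a predictable shared secret.
    if not 2 <= msg["dh_pub"] <= P - 2:
        raise ValueError("degenerate DH public value")
    return msg["dh_pub"]


def handover_key(own_priv, peer_pub):
    """Derive a 32-byte key from the DH shared secret (KDF step is assumed)."""
    shared = pow(peer_pub, own_priv, P)
    return hmac.new(b"handover-key-example",
                    shared.to_bytes(PUB_LEN, "big"), hashlib.sha256).digest()


def run_exchange(tamper=False):
    """Simulate AT and AR; return the key each side derives.

    Replay protection (nonce or sequence number) is left out of this sketch.
    """
    sa_key = secrets.token_bytes(32)  # constructed stand-in for the existing SA
    mn_priv, mn_pub = dh_keypair()    # access terminal
    ar_priv, ar_pub = dh_keypair()    # access router

    bu = build_msg(sa_key, b"BU", mn_pub)  # binding update carries g^mn
    if tamper:
        # A value swapped in transit no longer matches the authenticator.
        bu["dh_pub"] = pow(G, 12345, P)
    k_ar = handover_key(ar_priv, accept_msg(sa_key, bu, b"BU"))

    fback = build_msg(sa_key, b"FBack", ar_pub)  # acknowledgment carries g^ar
    k_at = handover_key(mn_priv, accept_msg(sa_key, fback, b"FBack"))
    return k_at, k_ar


if __name__ == "__main__":
    k_at, k_ar = run_exchange()
    print("keys match:", k_at == k_ar)
```
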

Description

OPTIMIZED DERIVATION OF HANDOVER KEYS
IN MOBILE IPV6
Related Application Data
This application is related to Provisional Patent Application Serial No. 60/664,578 filed on March 23, 2005, and priority is claimed for this earlier filing under 35 U.S.C. § 120. The Provisional Patent Application is also incorporated by reference into this utility patent application.
Technical Field of the Invention
A method for establishing an authentication protocol association between a mobile node and an access router during a fast handover.
BACKGROUND OF THE INVENTION
Present-day Internet communications represent the synthesis of technical developments begun in the 1960s. During that time period, the Defense Department developed a communication system to support communication between different United States military computer networks, and later a similar system was used to support communication between different research computer networks at United States universities.
The Internet
The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, Defense Department officials wanted to connect different types of military computer networks. These different computer networks could not communicate with each other because they used different types of operating systems or networking protocols.
While the Defense Department officials wanted a system that would permit communication between these different computer networks, they realized that a centralized interface system would be vulnerable to missile attack and sabotage. To avoid this vulnerability, the Defense Department required that the interface system be decentralized with no vulnerable failure points.
The Defense Department developed an interface protocol for communication between these different network computers. A few years later, the National Science Foundation (NSF) wanted to connect different types of network computers located at research institutions across the country. The NSF adopted the Defense Department's interface protocol for communication between the research computer networks. Ultimately, this combination of research computer networks would form the foundation of today's Internet.
Internet Protocols
The Defense Department's interface protocol was called the Internet Protocol (IP) standard. The IP standard now supports communication between computers and networks on the Internet. The IP standard identifies the types of services to be provided to users and specifies the mechanisms needed to support these services. The IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in this system.
A transmission protocol, called the Transmission Control Protocol (TCP), was developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a system or suite of protocols for data transfer and communication between computers on the Internet. The TCP/IP standard has become mandatory for use in all packet switching networks that connect or have the potential for utilizing connectivity across network or sub-network boundaries.
A computer operating on a network is assigned a unique physical address under the TCP/IP protocols. This is called an IP address. The IP address can include: (1) a network ID and number identifying a network, (2) a sub-network ID number identifying a substructure on the network, and (3) a host ID number identifying a particular computer on the sub-network. A header data field in the information packet will include source and destination addresses. The IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network. All information packets transmitted over the Internet will have a set of IP header fields containing this IP address.
A router is located on a network and is used to regulate the transmission of information packets into and out of computer networks and within sub-networks. Routers are essentially simple computers residing on the network with a central processing unit, memory, and operating software implementing one or more routing protocols. Routers are referred to by a number of names including Home Agent, Home Mobility Manager, Home Location Register, Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity. The router, whichever label it bears, primarily interprets the logical address of an information packet and directs (i.e. "routes") the information packet to its intended destination. Information packets addressed between computers on the sub-network do not pass through the router to the greater network, and as such, these sub-network information packets will not clutter the transmission lines of the greater network. If an information packet is addressed to a computer outside the sub-network, the router forwards the packet onto the greater network.
The TCP/IP network includes protocols that define how routers will determine the transmittal path for data through the network. Routing decisions are based upon information in the IP header and entries maintained in a routing table stored in a router memory. A routing table possesses information for a router to determine whether to accept the communicated information packet on behalf of a destination computer or pass the information packet onto another router in the network or sub-network. The routing table's address data enables the router to accurately forward the information packets.
The routing table can be configured manually with routing table entries or with a dynamic routing protocol. In a dynamic routing protocol, routers update routing information with periodic information packet transmissions to other routers on the network. This is referred to as advertising. The dynamic routing protocol accommodates changing network topologies, such as the network architecture, network structure, layout of routers, and interconnection between hosts and routers. Internet Control Message Protocol (ICMP) information packets are used to update routing tables with this changing system topology.
The IP-Based Mobility System
The Internet protocols were originally developed with an assumption that Internet users would be connected to a single, fixed network. With the advent of portable computers and cellular wireless communication systems, the movement of Internet users within a network and across network boundaries has become common. Because of this highly mobile Internet usage, the implicit design assumption of the Internet protocols has been violated.
In an IP-based mobile communication system, the mobile communication device (e.g. cellular phone, pager, computer, etc.) is called a mobile node. Other terms are used as well including mobile station and access terminal. Typically, a mobile node changes its point of attachment to a foreign network while maintaining connectivity to its home network. A mobile node may also change its point of attachment between sub-networks in its home network or foreign network. An access router is a mobile node's default router at the periphery (i.e. edge) of a network and is the communication interface, or connection point, onto the coupled network.
The mobile node will always be associated with its home network and sub-network for IP addressing purposes and will have information routed to it by routers located on the home and foreign network. Generally, there may also exist a correspondence node, which may be mobile or fixed, communicating with the mobile node over the communication network.
IP Mobility Protocols
During the formative years since the Internet was first established, Internet Protocol version 4 (IPv4) was recognized and adopted as the standard version of the Internet Protocol. With the advent of mobile IP and proliferation of computers and computer systems linked to the Internet, various limitations in the IPv4 standard and associated procedures have developed and emerged. In response, new standards are evolving and emerging.
The most pressing limitation in the IPv4 standard is the restriction on the number of possible IP addresses imposed by the 32-bit address field size. A newer standard, the Internet Protocol version 6 (IPv6), increases the size of the available address space 400% to 128 bits, which vastly increases the number of available addresses. While the 32-bit address field provides $2^{32}$ or approximately 4 billion IP address possibilities, a 128-bit field provides $2^{128}$ ($340 \times 10^{12}$) IP address possibilities.
A number of benefits emerge from this vastly larger available address field. First, there is little chance of exhausting the number of IP addresses. Second, a large address field allows aggregation of many network-prefix routers into a single network-prefix router. Finally, the large address pool allows nodes to auto configure using simple mechanisms. One practical advantage as a result is elimination of designated foreign agents to route information packets to a visiting mobile node on a foreign network. Home agents can typically handle the routing functions, simplifying many communication protocols and functions.
Cellular Communication Systems
A typical cellular communication system is comprised of multiple cell sites, each covering an intended geographic region. Each of the cell sites can be assigned an address for routing information packets, and each of the mobile nodes can be assigned an address corresponding to their physical connectivity to the cell site.
Each cell site supports voice and data communication to the linked mobile nodes present within that geographic area. A wireless communication link is maintained by a transceiver generally at or very near the center of the cellular coverage area. The transceiver is coupled to a base station transceiver substation which is coupled to a base station controller, which controls the packet transmissions within the cell site area. The base station controller is also coupled to a mobile switching center, which routes calls handled by the base station controller and base transceiver station to a public switched telephone network or a packet data service node interface with the Internet. Typically, an access router coupled to one or more base station controllers routes information packets to and from the coupled mobile node based on an address assigned to its physical transceiver link.
Information packets on the communication system are processed by the base station controller for transmission in a format compatible with either the public switched telephone network or the Internet. As a mobile node, also referred to as an access terminal, moves across cellular boundaries, it changes its connectivity and its connectivity address corresponding to a new physical connectivity linked to the access router or even corresponding to a new access router and a new physical connectivity. Routers on the communication networks have to be updated with this new connectivity address information so that information packets can continue to be properly routed. The address used for routing can be a single IP address, a combination of an IP address and a connectivity address, or some other similar addressing scheme providing packet routing data on the communication network corresponding to the physical connectivity of the mobile node coupled to the appropriate access router.
Telecommunication networks are complex networks used to establish connections between two or more telecommunication devices and increasingly used to transmit different kinds of data including call or voice, video, or multimedia. These various types of data are all routed between the two devices according to the IP addressing assigned to each device and the embedded IP addressing data within an IP data packet. Voice and data transmitted according to the IP packet standard is the evolving and most current communication protocol for cellular telephone communication. With this migration to the IP standard and miniaturization of computer chip technology with dramatic increases in clock speeds, computational power, and memory storage has come increasingly sophisticated services such as email access, streaming video and audio data transfers, instant messaging, text messaging, multimedia applications, picture messaging, Internet website access, e-commerce applications, games and other services. Cell phones and other mobile communication devices have accordingly evolved from relatively crude devices limited to telephony communication over a built-in transceiver to near mini-computers possessing central processing units, memory, and operating software implementing with operating features and having capabilities equal to if not superior to early personal computers. Modern laptop personal computers can be equipped with small transceiver units allowing them to connect on cellular systems. Various types of data input devices, such as those used by delivery services, can also communicate over currently deployed cellular systems and maintain connection as the delivery person roams across coverage boundaries.
As the capability of the various communication standards has improved, there has been an increasing need for high-speed transmissions increasingly sensitive to latency delays inherent to the protocols for crossing cellular boundaries and updating routing addressing to the new access router and/or physical location address. As the Access Terminals (AT) (i.e. mobile nodes) roam within and across the cellular communication sites, each of the cells possesses one or more transceivers coupled to a Base Transceiver Station (BTS) on the communication network. The BTSs are in turn coupled to an access network with an Access Router, which can be either a foreign or a home network. An AT can be physically located anywhere on the network or sub-network, and its routing address data will change and require updating on other nodes while roaming. Wireless IP networks handle the mobile nature of the AT with hand-off procedures designed to update the communication network and sub-network with the location of the mobile node for information packet routing purposes. Because ATs can move within sub-networks and between networks, hand-off procedures are needed to ensure that packets are continually routed to the recipient AT as it moves from one network to another or from one sub-network to another.
IP Mobility Care-of Addressing
In a mobile IP network with ATs moving across cell boundaries, nodes on the network will transmit notification and discovery information packets onto the network to advertise their presence on the network and solicit advertisements from other nodes. While on a foreign network, an AT will be assigned a care-of address that will be used to route information packets to the foreign network and the attached AT. An advertisement from a router on the foreign network will inform a mobile node that is attached to a foreign network. The AT (i.e. mobile node) will typically create a care-of address on the foreign network, which it will transmit to its home network in an information packet to register the care-of address. Information packets addressed to the mobile node on the home network have the care-of address added. This information packet containing the care-of address will then be forwarded and routed to the mobile node on the foreign network by a router on the foreign network according to the care-of address.
Mobile IPv6 Movement Detection and Binding
Upon moving to a new network, an AT typically detects its movement by receipt of a Router Advertisement message from a new access router (nAR) or exceeding the time interval for receiving an expected Router Advertisement message from a previous access router (pAR) or linked router. An AT can also periodically transmit a Router Solicitation message that will be received by a router on the network and initiate transmission of a Router Advertisement message that will be received by the mobile node. The Router Advertisement message contains network prefix information that is used to form a care-of address for routing information packets from the home network to the mobile node on the foreign network. A Binding Update message (BU) is used to register the care-of address with the home agent and any active correspondence node communicating with the AT. The new binding includes the care-of address, the home address, and a binding lifetime. A Binding Acknowledgment message (BA) is sent in response to the Binding Update message to either accept or reject the Binding Update as an authentication step. A Correspondence Node can send a Binding Request message (BR) to a mobile node to discover the care-of address for the mobile node, and a Binding Update will typically be sent to the Correspondence Node in response. The Binding Request is generally used to refresh a binding nearing expiration of the designated lifetime of the binding. Routers on the networks will maintain the care-of address and home IP address association for the mobile node on a data table, ensuring that information packets can be routed to a mobile node connected to the foreign network. Authentication, Authorization and Accounting ("AAA")
In an IP-based mobile communications system, the AT changes its point of attachment and Access Router (AR) association to the network while maintaining network connectivity. When an AT travels outside its home administrative domain, the AT node must communicate possibly through multiple domains in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, the home network servers still must authenticate, authorize and collect accounting information for services rendered to the mobile node. This authentication, authorization, and accounting activity is called "AAA", and AAA servers on the home and foreign network perform the AAA activities for each network. Authentication is the process of proving one's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. The AAA server authenticates the identity of an authorized user and authorizes the mobile node's requested activity. Additionally, the AAA server will also provide the accounting function including tracking usage and charges for use of transmission links between administrative domains.
Another function for the AAA server is to support secured transmission of information packets by storing and allocating security associations. Security associations refer to those encryption protocols, nonces, and keys required to specify and support encrypting an information packet transmission between two nodes in a secure format. The security associations are a collection of security contexts existing between the nodes that can be applied to the information packets exchanged between them. Each context indicates an authentication algorithm and mode, a shared or secret key or appropriate public/private key pair, and a style of replay protection. Additionally, these security associations can be the basis of the entire authentication protocol for authenticating the identity and authorization of the AT or communication between nodes sharing a security association.
Key-Based Cryptographic Systems
Encryption algorithms use keys to generate the numeric permutations of encrypted data. It is preferable that the key be known only to the appropriate or authorized parties to the communication. This type of key is known as a "secret key", and the sender and receiver of the information packet use the same secret key to encrypt and decrypt information packets with the algorithm. Public key encryption may also be supported by cryptographic security systems, where the sender and receiver have a public key and a private key. Messages may be encoded by the sender using the receiver's public key, and decoded by the receiver using the receiver's private key. Hybrid security systems are also used to encrypt and decrypt information in information packets. Accordingly, key-based security systems rely on the use of some type of secret key to support confidential communications.
Confidential Communications Over a Public Network
Because information packets are routed over the public networks that make up the Internet, cryptographic security systems are used to send the communications in a confidential manner. These security systems maintain the confidentiality of the information packet by encoding, or encrypting, the information in the information packet. The transformation of the original data into a secure, encoded or encrypted format is accomplished using mathematical algorithms and keys. The encryption process can be reversed, or decoded, by an authorized person using the keys. Other activities performed by the security system include authentication (you are who you say you are), integrity checking (the information packet was sent in the decoded form), and non-repudiation (identification of the person sending the information packet). A cryptographic security system consists of two fundamental components - a complicated mathematical algorithm for encrypting the information, and one or more values, called keys, known to the parties authorized to transmit or receive the information packet. The security associated with encryption is directly tied to the sophistication of the algorithm and keys. The cryptographic system will have a higher level of security the greater the complexity of the algorithm and keys. Because of its complexity, the algorithm can be kept secret or publicly disclosed without undermining the strength of the security system, which is fundamentally linked to the keys. The goal of the encryption is to be computationally infeasible to break (that is, to derive the original data from the encrypted data) without exorbitant expenditures in cost or time to recover the data or keys. Using keys helps make the encryption more difficult to break. As an example of the encryption process, consider the situation where Party A intends to communicate confidentially with Party B using the cryptographic system. First, Party A uses the algorithm and a key to transform the information in the transmitted information packet into encrypted information.
In order to maintain the confidentiality of the transmitted information, the encrypted information does not resemble the information in the original information packet, and the encrypted information cannot be easily decoded into its original form without the use of the algorithm and a key. As such, the encrypted information is transmitted over the public networks on the Internet to Party B without disclosing the content of the original information packet. After receiving the encrypted information packet, Party B decodes the encrypted information using the algorithm and a key. When the encrypted information is decoded, the original information should be disclosed in the decoded information packet.
Security System for the IP-Based Mobile System
In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing, where a hostile node hijacks the network session from the mobile node by redirecting information packets, (2) spoofing, where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing of information during a session with an authorized user. No separate secure network exists in the IP-based mobility communications system, and therefore, it is necessary to protect information transmitted in the mobile system from the above-identified security attacks.
In Mobile IP, the memory and data overhead for encryption can be significant and burdensome. Prior art encryption protocols under the Internet Protocol Security (IPSec) standard depend on performing an IPSec Key Exchange (IKE) protocol. The IKE protocol negotiates the protocols, encryption algorithms, and encryption keys used. However, IKE increases setup time, is more expensive over a wireless link, and does not allow for dynamic security associations.
The Diffie-Hellman key agreement protocol (also called exponential key agreement) allows two users to exchange a secret key over an insecure medium without any prior secrets to establish secure communication using an encryption algorithm. The protocol uses two system parameters $p$ and $g$. They are both public and may be used by all the users in a system. Parameter $p$ is a prime number and parameter $g$ (usually called a generator) is an integer less than $p$, with the following property: for every number $n$ between $1$ and $p-1$ inclusive, there is a power $k$ of $g$ such that $n = g^k \bmod p$. Two parties can generate a shared secret key using Diffie-Hellman key agreement protocol. Party A generates a random private value $a$, and party B generates a random private value $b$, with both $a$ and $b$ selected from the set of integers. Then they derive their public values using the parameters $p$ and $g$ and their private values. Party A's public value equals $g^a \bmod p$ and Party B's public value equals $g^b \bmod p$. The two parties then exchange the public values, and Party A computes $g^{ab} = (g^b)^a \bmod p$, and Party B computes $g^{ba} = (g^a)^b \bmod p$. Since $g^{ab} = g^{ba} = k$, the two parties have generated a shared secret key $k$.
The security relies upon a discrete logarithm, because it is computationally infeasible to calculate the shared secret key $k = g^{ab} \bmod p$ based on the public values $g^a \bmod p$ and $g^b \bmod p$ when the prime $p$ is sufficiently large. However, the Diffie-Hellman key exchange is vulnerable to a man-in-the-middle interception attack, and this vulnerability requires authentication of the participants using an authentication protocol.
Latency issues are becoming increasingly important in cellular communications because of the increasing sophistication of services offered, with both increased sensitivity to any data transmission delays and an increasing demand for network resources for adequate support. A critical operation resulting in inherent delays is handover, where excessive delays can result in unacceptable delay, data loss, and even communication termination. This is especially problematic when secured communication protocols are implemented, further exacerbating the latency problem. There is a requirement to increase the efficiency of the handover protocols in a way that minimizes latency in handover and optimizes the security protocols to minimize disruptions to communication. The invention presents an optimized protocol based upon the Diffie-Hellman key exchange to establish an authenticated communication link using this encryption protocol.
SUMMARY OF THE INVENTION
The invention is an optimized protocol for authenticating the identity of an access terminal, or mobile node, and creating a security association between the access terminal and a new access router. The access terminal and the access router share a secret key. A public key is transmitted by the access terminal to the access router using an authenticated binding message. The access router receives the public key and uses its private key to generate a shared secret. The access router also transmits an acknowledgement message containing its public key that is received by the access terminal. The access terminal uses its private key and the access router public key to generate a shared secret key. The messages containing the key are secured by a security association between the nodes. The two shared secrets are mathematically equal and can be used to authenticate and encrypt communication between the access router and the access terminal. The keys are transmitted encapsulated within the control message required to perform handoff or initialization and do not impose any additional control message overhead.
BRIEF DESCRIPTION OF THE DRAWINGS
The objects and features of the invention will become more readily understood from the following detailed description and appended claims when read in conjunction with the accompanying drawings in which like numerals represent like elements and in which:
Fig. 1 is a diagram of a mobile IP wireless communication network compatible with the invention;
Fig. 2 is the message flow of the invention for an initial connection to a new domain such as during initial power-up or re-booting of the access terminal;
Fig. 3 is the message flow of the invention for a predictive fast hand-off where the access terminal node receives advance notice of the hand-off; and
Fig. 4 is the message flow of the invention for a reactive fast hand-off wherein the access terminal receives late notice of the hand-off.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figure 1 shows an embodiment for a mobile IP cellular communication network compatible with Mobile IPv6 using the invention wherein an Access Terminal is roaming to a new cell site. An AAA server 5 is coupled to a previous Access Router (pAR) 11 by communication link 9. The pAR 11 is coupled to a Base Transceiver Station (BTS) 21 by communication link 19. The BTS 21 has terminated a communication link with Access Terminal 25, which is crossing a cellular site boundary 30 to a new cellular site. The AAA server 5 is also coupled to a new Access Router (nAR) 10 by communication link 7. The nAR 10 is coupled to a Base Transceiver Station (BTS) 20 by communication link 17. The AT 25 is crossing cell site boundary 30 to establish a wireless connection 23 to the BTS 20.
The AAA server 5 will always reside on the home network for the AT 25 and is always associated with the AT 25. The AAA server 5 is a computer server specifically performing authentication and authorization functions for the AT 25 on the home network (i.e. accounting may be performed by a different server). The AAA server 5 also shares security association information applicable to the AT 25, such as encryption protocols, nonces, and keys required to specify and support encrypting an information packet transmission between two nodes in a secure format. In the invention, the AAA server 5 and the AT 25 share a secret key. Additionally, the AAA server 5 and AT 25 are each aware of each other's public key. The security association (SA) information shared between the AT 25 and the AAA server 5 is used to authenticate the identity of AT 25 to authorize access to the network. In the invention, the AAA server 5 and the AT 25 may share a secret key and are each aware of the other's public key.
The pAR 11 and nAR 10 are access routers that control routing to and from the respective coupled BTS 21 and BTS 20. The two access routers can reside on the same sub-network, different sub-networks, or different networks, and either may reside on the same network as the AAA 5 or neither may reside on the same network (e.g. a total of three networks). For example, using the examples of Network 1, Network 2, and Network 3, the home network can be Network 1 with AAA server 5 residing on Network 1 and AT 25 permanently associated with Network 1. pAR 11 can reside on Network 2, and the nAR 10 can reside on Network 3. AT 25 currently located and registered on Network 2 moves to a cell site operated by Network 3. When this occurs, the routing instructions on Network 1 can be updated to the new Network 3 for routing information packets during an ongoing communication. The communication links 9 and 7 can include other intervening networks, the Internet, an intranet, or communication infrastructure supporting information packet transmission between the home network, possibly one or more foreign networks, and the AT 25.
During handover from the pAR 11 to the nAR 10, the AT 25 maintains connectivity to the Internet or the sub-network to support ongoing packet routing. Various protocol operations are performed to maintain the connectivity including movement detection, address configuration, and location (e.g. physical address) updates. These protocols combine to cause latency that can affect real-time or other time-sensitive applications. Handover is the process for terminating an existing network connectivity and creating a new network connectivity, which involves changing connection from the pAR 11 to the nAR 10. Minimizing the handover latency while establishing a secure communication link is the goal of the present invention.
Figure 2 shows an embodiment for the message flow of the invention for authentication and authorization during an initial connection to an AR such as during a power-up or reboot procedure. In step 105, the AT transmits a Router Solicitation for Proxy Advertisement (RtSolPr) message requesting information for a possible handover or, in this case, for an initialization. The AR receives the message, which causes the AR to transmit a Proxy Router Advertisement (PrRtAdv) received by the AT in step 110. Alternatively, the PrRtAdv message transmits periodically and is not generated in response to the receipt of the RtSolPr message. The PrRtAdv message indicates that the AR and its linked access point is unknown, implementing an initiation protocol.
In step 115, the AT transmits a Fast Binding Update (FBU) to the AR encapsulated in a Fast Neighbor Advertisement (FNA) message. The encapsulation permits the AR to discard the (inner) FBU packet if an address conflict is detected as a result of (outer) FNA packet processing. The purpose of the FBU is to authorize the AR to bind a care-of address allocation created by the AT based on routing address data contained in the PrRtAdv to tunnel information packets to the AT. The FBU includes a generated care-of address and a MN_AAA authentication extension to authenticate the FBU. The AT also transmits a Diffie-Hellman public value key $g^{mn}$ embedded within the FBU. The AR processes the FNA/FBU packet data and transmits an Access Request message to the AAA server that includes the MN_AAA authentication extension, the $g^{mn}$, and a care-of address for routing packets to the AT in step 120.
The AT and AAA server already possess a security association shared between them to authenticate the identity of the AT, namely the MN_AAA authentication extension. The AAA server authenticates the Access Request using the existing MN_AAA authentication option and responds with an Access Accept message in step 125 authenticating the identity of the AT, authorizing access to the network, and updating routing table information for routing information packets to the AT. The AR forms a Fast Binding Acknowledgment (FBack) message in step 130 to transmit to the AT. The FBack message contains a security association formed by the AR and acknowledges receipt of the care-of address data. The AR generates a shared secret key $g^{(mn)(ar)}$ at the same time. The FBack also includes an encapsulated Diffie-Hellman public value key $g^{ar}$ for the AR. After receiving the FBack, the AT extracts the AR public key, which the AT uses to generate a shared secret key value $g^{(ar)(mn)}$. The mn value is the private key for the AT, and the ar value is the private key for the AR. The generated $g^{ar}$ value is the public key for the AR, and the $g^{mn}$ value is the public key for the AT. The derived equal mathematical values (e.g. $g^{(mn)(ar)}$ equals $g^{(ar)(mn)}$) create a shared secret key, or security association, used to authenticate future communication between the AT and the AR.
Figure 3 shows an embodiment for the message flow of the invention for authentication and authorization during a predictive hand-off where the AT receives advance notice of the hand-off. In step 205, the AT sends an RtSolPr message soliciting neighboring AR for information, which is routed through the pAR. In step 210, the AT receives a PrRtAdv message from the pAR containing one or more tuples of information on neighboring ARs and/or other nodes. The AT transmits a FBU to the pAR that includes the Diffie-Hellman public value $g^{(mn)}$ for the AT in step 215. The FBU is authenticated using the security association previously created between the AT and pAR (e.g. $g^{(mn)(ar)}$, MN-AR authentication option, etc.). In step 220, the pAR transmits a Handover Initiate (HI) message to the nAR to initiate the hand-off protocol to hand over the communication connection to the nAR. The routing path between the pAR and nAR is assumed to be secured by an established security protocol such as IPSec or some other security association. The HI message includes the Diffie-Hellman public value $g^{(mn)}$ for the AT. The nAR transmits a Handover Acknowledge (Hack) message back to the pAR to acknowledge the handover initiation in step 225. The Hack message includes the Diffie-Hellman public value $g^{nar}$ for the nAR. At the same time, the nAR creates the shared secret value $g^{(mn)(nar)}$ using the nAR private key (nar) value and the Diffie-Hellman public value $g^{(mn)}$ for the AT. In step 230, the pAR transmits a FBack message to the AT on the new link to the nAR. Optionally, the FBack message is also transmitted to the previous link if the FBU was sent from there. The FBack message includes the Diffie-Hellman public value $g^{nar}$ for the nAR, and the FBack is authenticated using the previously created security association between the AT and the pAR (e.g. MN-AR authentication option or some other SA).
The AT can now generate the shared secret key value $g^{(nar)(mn)}$ and secure communication transmissions with the nAR using the shared value. In step 235, the AT disconnects from the pAR to change connection to the nAR. In step 240, the pAR forwards any buffered or arriving information packets to the nAR for delivery to the AT at its new connection. The AT connects to the nAR at step 245 and can now receive information packets routed through the nAR. In step 250, the AT transmits a Fast Neighbor Advertisement (FNA) to the nAR after attaching to the nAR.
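The predictive hand-off exchange of Fig. 3 (steps 215 to 230), together with the Diffie-Hellman computation and the man-in-the-middle weakness described in the background, as an added Python example that is not part of the patent. The group (p = 2^255 - 19, g = 2), HMAC-SHA256 standing in for the MN-AR authentication option, the message field names and the range check on received public values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Demo-only group (assumption): 2**255 - 19 is a known prime, used to keep the
# example short. The patent names no group; a deployment would use a
# standardized MODP group of at least 2048 bits.
P = 2**255 - 19
G = 2
PUB_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    """Return (private, public) with public = g^private mod p."""
    priv = secrets.randbelow(P - 3) + 2            # 2 <= priv <= p-2
    return priv, pow(G, priv, P)


def dh_shared(peer_public, own_private):
    """Return peer_public^own_private mod p after a basic range check."""
    if not 2 <= peer_public <= P - 2:              # rejects 0, 1 and p-1
        raise ValueError("public value out of range")
    return pow(peer_public, own_private, P)


def mac(sa_key, msg_type, coa, public):
    """HMAC-SHA256 over type, care-of address and DH public value (assumed)."""
    body = b"|".join([msg_type.encode(), coa.encode(),
                      public.to_bytes(PUB_LEN, "big")])
    return hmac.new(sa_key, body, hashlib.sha256).digest()


def make_msg(sa_key, msg_type, coa, public):
    return {"type": msg_type, "coa": coa, "pub": public,
            "auth": mac(sa_key, msg_type, coa, public)}


def verify_msg(sa_key, msg):
    if not 0 <= msg["pub"] < P:
        return False
    expected = mac(sa_key, msg["type"], msg["coa"], msg["pub"])
    return hmac.compare_digest(expected, msg["auth"])


def predictive_handoff(sa_at_par, coa, tamper_fbu=False, tamper_fback=False,
                       authenticate=True):
    """Run steps 215-230 of Fig. 3 and return (at_key, nar_key).

    tamper_* swaps the DH value in transit (constructed test condition);
    authenticate=False models plain, unauthenticated Diffie-Hellman.
    """
    substituted = pow(G, 7, P)                     # constructed foreign value

    # Step 215: AT -> pAR, FBU carrying g^mn under the AT-pAR SA.
    mn, g_mn = dh_keypair()
    fbu = make_msg(sa_at_par, "FBU", coa, g_mn)
    if tamper_fbu:
        fbu["pub"] = substituted
    if authenticate and not verify_msg(sa_at_par, fbu):
        raise PermissionError("FBU failed authentication at pAR")

    # Step 220: pAR -> nAR, HI relays g^mn (pAR-nAR path assumed secured).
    hi = {"type": "HI", "pub": fbu["pub"]}

    # Step 225: nAR derives its key pair and the shared secret, replies Hack.
    nar, g_nar = dh_keypair()
    nar_key = dh_shared(hi["pub"], nar)
    hack = {"type": "Hack", "pub": g_nar}

    # Step 230: pAR -> AT, FBack carrying g^nar under the AT-pAR SA.
    fback = make_msg(sa_at_par, "FBack", coa, hack["pub"])
    if tamper_fback:
        fback["pub"] = substituted
    if authenticate and not verify_msg(sa_at_par, fback):
        raise PermissionError("FBack failed authentication at AT")

    at_key = dh_shared(fback["pub"], mn)
    return at_key, nar_key


if __name__ == "__main__":
    sa = secrets.token_bytes(32)                   # constructed AT-pAR SA key
    at_key, nar_key = predictive_handoff(sa, "2001:db8::25")
    print("keys match:", at_key == nar_key)
    a, b = predictive_handoff(sa, "2001:db8::25", tamper_fback=True,
                              authenticate=False)
    print("unauthenticated, altered FBack, keys match:", a == b)
```

With authentication on, an altered public value stops the exchange before any key is derived; with it off, the AT and nAR silently end up with different secrets, which is the failure the authentication option is there to prevent.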
Fig. 4 shows the message flow of the invention for a reactive fast hand-off wherein the access terminal receives late notice of the hand-off. In step 305, the AT sends an RtSolPr message soliciting neighboring AR for information, which is routed through the pAR. In step 310, the AT receives a PrRtAdv message from the pAR containing one or more tuples of information on neighboring ARs and/or other nodes. In step 315, the AT disconnects from the pAR, and in step 320 the AT connects to the pAR. The AT transmits a FBU to the nAR encapsulated within a FNA message in step 325. The FBU is authenticated using the security association created previously between the AT and the pAR (e.g. the MN-AR authentication option or some other SA). The FBU includes the Diffie-Hellman public value $g^{(mn)}$ for the AT, which the nAR uses to generate a secret $g^{(mn)(nar)}$ from the AT public key and the nAR private key. The pAR processes the FNA and forwards the FBU to the nAR containing the $g^{(nar)}$ public key value through a secure path between the nAR and the pAR. In step 330, the nAR transmits a FBack message through a secure path between the nAR and the pAR containing the public value $g^{nar}$ for the nAR, and the FBack message is authenticated using the security association previously created between the MN and the pAR (e.g. the MN-AR authentication option or another SA). The pAR forwards the FBack message to the AT using the new link in step 335, which is authenticated by using the security association created previously between the AT and the pAR (e.g. MN-AR authentication option or some other SA). The FBack message contains the public value $g^{nar}$ for the nAR. When the AT receives the FBack message, it generates the shared secret key from the nAR public key and the AT private key. The shared secret $g^{(nar)(mn)}$ at the AT and the shared secret $g^{(mn)(nar)}$ at the nAR are equal, and communication transmissions between the nAR and the AT are secured using this shared secret key value.
The shared secret key calculations are as follows based upon a Diffie-Hellman key exchange:
AT shared key = $g^{(nar)(mn)}$
nAR shared key = $g^{(mn)(nar)}$
where (nar) is the nAR private key and (mn) is the AT private key,
$g^{(nar)}$ is the nAR public key and $g^{(mn)}$ is the AT public key, and
$g^{(nar)(mn)} = g^{(mn)(nar)}$
However, other encryption algorithm protocols may be possible. The important aspect is that the mathematically derived values at the AT and the nAR equal each other, and in that sense g may be a mathematical algorithm other than Diffie-Hellman.
While the invention has been particularly shown and described with respect to preferred embodiments, it will be readily understood that minor changes in the details of the invention may be made without departing from the spirit of the invention.
Having described the invention, we claim:

Claims

1. An authentication protocol for an access router, comprising the steps of: generating at the access router an access router public key number by raising a variable g to the power of an access router private key number; transmitting an authenticated message from said access router along a communication link connected to an access terminal, said authenticated message having said access router public key number and being used by said access terminal to generate a shared secret number by raising said access router public key number to the power of an access terminal private key number; receiving in a second authenticated message at the access router from an access terminal said second authenticated message having an access terminal public key number, which was derived at the access terminal by raising the variable g to the power of an access terminal private key number; generating a shared secret key at the access router by raising the access terminal public key number to the power of the access router private key number; and authenticating communications on the system using the shared secret key numbers generated by the access router and the access terminal.
2. The authentication protocol for an access router of Claim 1, further comprising the step of: generating a binding message at the access terminal having the access terminal public key number and an authenticating security association code to securely transmit said access terminal public key number during an initialization protocol.
3. The authentication protocol for an access router of Claim 1, further comprising the step of: acknowledging a care-of address and encapsulating the access router public key number in a binding acknowledge message using a security association authenticating the message.
4. The authentication protocol for an access router of Claim 1, further comprising the step of: receiving a handoff initiate message at the access router during a handoff protocol from a second access router previously routing messages to the access terminal, said second access router sharing a security association with the access terminal for authentication.
5. The authentication protocol for an access router of Claim 1, further comprising the steps of: transmitting the access router public key number from the access router in an encapsulated binding acknowledge message; and acknowledging the care-of address receipt in a binding acknowledge message transmitted from the second access router and authenticated by the security association shared between the access terminal and the second access router.
6. The authentication protocol for an access router of Claim 1, further comprising the step of: authenticating a message transmitted from the access terminal using security association shared with a communication server on the access terminal home network used for authenticating the message.
7. A method of establishing a secured communication link at an access router, comprising the steps of: receiving at the access router a first communication from an access terminal, said first communication having an access terminal public key number derived at the access terminal by raising a variable g to the power of an access terminal private key number; using said access terminal public key number at the access router to generate a shared secret number by raising the access terminal public key number to the power of an access router private key number; transmitting from the access router a second communication to said access terminal, said communication having an access router public key number derived at the access router by the variable g raised to the power of an access router private key number, said access terminal using said access router public key number to generate a shared secret key by raising the access router public key number to the power of the access terminal private key number; authenticating the first communication and the second communication using a security association code; and authenticating subsequent communications using said shared secret key number.
8. The method of establishing a secured communication link at an access router of Claim 7, further comprising the steps of: authenticating the first communication using a previously established security association with the access terminal, wherein the first communication comprises a binding message.
9. The method of establishing a secured communication link at an access router of Claim 8, wherein the security association authentication uses a communication server for authenticating the binding update on the access terminal's home network.
10. The method of establishing a secured communication link at an access router of Claim 8, wherein the security association authentication uses a second access router previously used for routing communication to the access terminal.
11. The method of establishing a secured communication link at an access router of Claim 7, further comprising the steps of: establishing the shared secret key as part of an initialization protocol; and transmitting the access router public key number from the access router to the access terminal using a binding acknowledge message.
12. The method of establishing a secured communication link at an access router of Claim 7, further comprising the steps of: establishing the shared secret key as part of a predictive handoff protocol; receiving the access terminal public key number at a second access router previously routing communications to the access terminal in a binding message; receiving the access terminal public key number from the second access router in a handoff initiate message; and transmitting the access router public key number from the first access router to the second access router in a handoff acknowledge message.
13. The method of establishing a secured communication link at an access router of Claim 7, further comprising the steps of: establishing the shared secret key as part of a reactive handoff protocol; receiving the access terminal public key number encapsulated in a neighbor advertisement message at a second access router previously routing information packets to the access terminal; and transmitting the access router public key number from the access router in a binding acknowledge message.
14. A communication device operating a communication authentication protocol, comprising: an access router with a central processing unit, a memory, and a routing table stored in the memory, said access router is capable of routing communications between one or more coupled access terminals and said access router generates an access router public key number derived from an access router private key number by raising a variable g to the power of said access router private key number; and said access router generates a shared secret code number by raising an access terminal public key number to the power of said access router private key number, said access terminal public key number received by the access router in an authenticated message and said communications on the network are securely transmitted using the shared secret numbers generated by the access router.
15. The communication device operating a communication authentication protocol of Claim 14, wherein communication to the access router is part of a handoff protocol from a second access router.
16. The communication device operating a communication authentication protocol of Claim 15, wherein communication between the access router and the second access router is secured using a previously established security association code.
17. The communication device operating a communication authentication protocol of Claim 14, wherein the access router receives the access terminal public key number encapsulated in a binding update message.
18. The communication device operating a communication authentication protocol of Claim 14, wherein the access router public key number is encapsulated in a binding acknowledgment message.
19. A communication device on an authenticated communication network, comprising: an access terminal with a transceiver, central processing unit, memory, and operating software, said access terminal initially connected to an access router and capable of transmitting a binding message to said access router, said message having an access terminal public key number derived from an access terminal private key number and a security association for authenticating the communication; said access terminal receiving an access router public key number from the access router, said access router public key number derived from an access router private key number, said access router public key number transmitted from the access router after receiving the access terminal public key number, and said access terminal generating a secret key number using the access terminal private key number and the received access router public key number; and said secret key number being used to authenticate subsequent communication.
20. The communication device on an authenticated communication network of Claim 19, wherein the binding message is authenticated using a previously created security association between the access terminal and an access router.
21. The communication device on an authenticated communication network of Claim 20, wherein the binding message is sent initially to a second access router previously routing communication to the access terminal.
22. The communication device on an authenticated communication network of Claim 21, wherein communication between the access terminal and the first and second access router is part of a handoff protocol from the second access router to the first access router.
23. The communication device on an authenticated communication network of Claim 19, wherein the access terminal transmits the access public key number encapsulated in a binding update message; and the access terminal receives said access router public key number encapsulated in a binding acknowledgment message.
24. The communication device on an authenticated communication network of Claim 19, wherein the first access terminal receives the first access router public key number encapsulated in a binding acknowledgment message; and the first access terminal transmits the access terminal public key number encapsulated in a binding message.
25. A method of establishing an authenticated information packet communication at an access terminal, comprising the steps of: transmitting from the access terminal to an access router an access terminal public key number derived from an access terminal private key number, said access terminal public key number being used by the access router along an access router private key number to generate a shared secret key number; receiving at the access terminal an access router public key number transmitted from the access router in a binding message, said binding message having said access router public key number and a security association for authenticating the wireless communication link from the access router; generating a shared secret key number at the access terminal using the access router public key number and an access terminal private key number; and authenticating subsequent communications between the access router and the access terminal using said shared secret key.
26. The method of establishing an authenticated information packet communication at an access terminal of Claim 25, further comprising the step of: authenticating the binding message using a previously established security association with the access terminal.
27. The method of establishing an authenticated information packet communication at an access terminal of Claim 26, wherein the security association authentication uses a communication server on a home network associated with the access terminal for authenticating the binding update.
28. The method of establishing an authenticated information packet communication at an access terminal of Claim 26, wherein the security association authentication uses a second access router previously used for routing communication to the access terminal.
29. The method of establishing an authenticated information packet communication at an access terminal of Claim 25, further comprising the steps of: establishing the shared secret key as part of an initialization protocol; and transmitting the access router public key to the access terminal using a binding acknowledge message.
30. The method of establishing an authenticated information packet communication at an access terminal of Claim 25, further comprising the steps of: establishing the shared secret key as part of a predictive handoff protocol; transmitting the binding message to a second access router previously routing information packets to the access terminal; and transmitting the access router public key number to the access terminal using a handoff acknowledge message.
31. The method of establishing an authenticated information packet communication from an access terminal of Claim 30, further comprising the step of: receiving the access terminal public key number at the access router using a handoff initiate message.
32. The method of establishing an authenticated information packet communication from an access terminal of Claim 25, further comprising the steps of: establishing the shared secret key as part of a reactive handoff protocol; receiving the binding encapsulated in an advertisement message routed at a second access router previously routing information packets to the access terminal; and transmitting the access router public key number from the first access router using a binding acknowledge message.
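The exchange recited in claims 14 to 32, as an added Python example that is not part of the patent text: each side derives a public key number g^x, carries it in a binding message authenticated under the previously established security association, and computes the same shared secret. The group parameters `P` and `G`, the message layout, the HMAC-SHA256 authenticator, the public-key range check and the SHA-256 key derivation are assumptions made for illustration; the claims fix none of them.

```python
import hashlib, hmac, secrets

# Toy-size group, an assumption for illustration only (the page fixes no p or g).
P = 2**127 - 1   # Mersenne prime; far too small for real deployments
G = 3

def keypair():
    """Private key number x and public key number g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def enc(n):
    return n.to_bytes(16, "big")

def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (hypothetical encoding)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def make_binding(sa_key, msg_type, pub):
    """Binding update/ack carrying a public key number, authenticated with the prior SA."""
    body = enc(pub)
    return {"type": msg_type, "pub": body, "auth": mac(sa_key, msg_type, body)}

def accept_binding(sa_key, msg, expected_type):
    """Verify the SA authenticator first, then range-check the peer public key."""
    if msg["type"] != expected_type:
        raise ValueError("unexpected message type")
    if not hmac.compare_digest(msg["auth"], mac(sa_key, msg["type"], msg["pub"])):
        raise ValueError("binding message failed authentication")
    pub = int.from_bytes(msg["pub"], "big")
    if not 2 <= pub <= P - 2:   # 0, 1 and p-1 would force a predictable secret
        raise ValueError("degenerate public key number")
    return pub

def handover_key(own_priv, peer_pub):
    """Shared secret peer_pub^own_priv mod p, hashed into a fixed-size key."""
    return hashlib.sha256(b"handover-key" + enc(pow(peer_pub, own_priv, P))).digest()

def run_exchange(sa_key):
    at_priv, at_pub = keypair()                  # access terminal
    ar_priv, ar_pub = keypair()                  # access router
    bu = make_binding(sa_key, b"BU", at_pub)     # AT -> AR, binding update
    k_ar = handover_key(ar_priv, accept_binding(sa_key, bu, b"BU"))
    ba = make_binding(sa_key, b"BA", ar_pub)     # AR -> AT, binding acknowledgment
    k_at = handover_key(at_priv, accept_binding(sa_key, ba, b"BA"))
    return k_at, k_ar, bu
```

Without the authenticator check the exchange is plain unauthenticated Diffie-Hellman and an on-path party could substitute its own public key number; the prior security association is what binds each key to its sender.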
PCT/US2006/010691 2005-03-23 2006-03-23 Optimized derivation of handover keys in mobile ipv6 WO2006102565A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US66457805P 2005-03-23 2005-03-23
US60/664,578 2005-03-23

Publications (2)

Publication Number Publication Date
WO2006102565A2 true WO2006102565A2 (en) 2006-09-28
WO2006102565A3 WO2006102565A3 (en) 2007-12-13

Family

ID=37024665

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/010691 WO2006102565A2 (en) 2005-03-23 2006-03-23 Optimized derivation of handover keys in mobile ipv6

Country Status (1)

Country Link
WO (1) WO2006102565A2 (en)

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5930362A (en) * 1996-10-09 1999-07-27 At&T Wireless Services Inc Generation of encryption key
WO2001020925A2 (en) * 1999-09-10 2001-03-22 Telefonaktiebolaget Lm Ericsson (Publ) System and method of passing encryption keys after inter-exchange handoff
US6587680B1 (en) * 1999-11-23 2003-07-01 Nokia Corporation Transfer of security association during a mobile terminal handover
US20020118674A1 (en) * 2001-02-23 2002-08-29 Faccin Stefano M. Key distribution mechanism for IP environment
US20020147820A1 (en) * 2001-04-06 2002-10-10 Docomo Communications Laboratories Usa, Inc. Method for implementing IP security in mobile IP networks
US6856800B1 (en) * 2001-05-14 2005-02-15 At&T Corp. Fast authentication and access control system for mobile networking
WO2003051072A1 (en) * 2001-12-07 2003-06-19 Qualcomm, Incorporated Apparatus and method of using a ciphering key in a hybrid communications network
US20040166857A1 (en) * 2003-02-20 2004-08-26 Nec Laboratories America, Inc. Secure candidate access router discovery method and system
US20050055576A1 (en) * 2003-09-04 2005-03-10 Risto Mononen Location privacy in a communication system
US7046647B2 (en) * 2004-01-22 2006-05-16 Toshiba America Research, Inc. Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
EP1562340A1 (en) * 2004-02-05 2005-08-10 Siemens Aktiengesellschaft Method and apparatus for establishing a temporary secure connection between a mobile network node and an access network node during a data transmission handover

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009003404A1 (en) * 2007-06-29 2009-01-08 Huawei Technologies Co., Ltd. A method and an apparatus for fast handover
CN101102600B (en) * 2007-06-29 2012-07-04 中兴通讯股份有限公司 Secret key processing method for switching between different mobile access systems
WO2009067908A1 (en) * 2007-11-09 2009-06-04 Huawei Technologies Co., Ltd. A protection method and device during a mobile ipv6 fast handover
WO2015013964A1 (en) * 2013-08-01 2015-02-05 Nokia Corporation Methods, apparatuses and computer program products for fast handover
US9924416B2 (en) 2013-08-01 2018-03-20 Nokia Technologies Oy Methods, apparatuses and computer program products for fast handover
CN105763517A (en) * 2014-12-17 2016-07-13 联芯科技有限公司 Router security access and control method and system
US11316667B1 (en) 2019-06-25 2022-04-26 Juniper Networks, Inc. Key exchange using pre-generated key pairs
US11924341B2 (en) 2021-04-27 2024-03-05 Rockwell Collins, Inc. Reliable cryptographic key update

Also Published As

Publication number Publication date
WO2006102565A3 (en) 2007-12-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06748619

Country of ref document: EP

Kind code of ref document: A2