Title of Invention | METHOD OF USING PANA FOR NETWORK AND APPLICATION ACCESS AUTHENTICATION IN INTERWORKING WIRELESS LOCAL AREA NETWORK GENERIC BOOTSTRAPPING ARCHITECTURE AND 3GPP SYSTEM ARCHITECTURE EVOLUTION |
---|---|
Abstract | This invention relates to the field of network and application access authentication. The invention explains the network access authentication procedures for System Architecture Evolution (SAE) and Interworking WLAN (I-WLAN), and the application access authentication procedure for the Generic Bootstrapping Architecture (GBA), using the Protocol for carrying Authentication for Network Access (PANA). |
Full Text |

FIELD OF THE INVENTION

This invention relates to the field of network and application access authentication. Further, this invention relates to the network access authentication procedures for System Architecture Evolution (SAE) and Interworking WLAN (I-WLAN) and to the application access authentication procedure for the Generic Bootstrapping Architecture (GBA) using the Protocol for carrying Authentication for Network Access (PANA). Specifically, this invention provides a system and method of using PANA for network access authentication, of optimizing the handover procedure in SAE and I-WLAN, and of providing bootstrapping and key agreement for application access authentication in GBA. More particularly, this invention relates to a system and method of using PANA for network and application access authentication in the interworking wireless local area network, the generic bootstrapping architecture and the 3GPP system architecture evolution.

DESCRIPTION OF RELATED ART

The integrated WLAN (I-WLAN) system specified in 3GPP TS 23.234 provides a system and method to integrate legacy UTRAN systems with WLAN systems, as shown in Figure 1. The I-WLAN system allows WLAN users to access 3GPP packet switched services after authenticating the user and establishing a secure tunnel between the PDG and the UE. The radio access network (RAN), system architecture (SA) and core terminal (CT) working groups of the third generation partnership project (3GPP) aim to develop an enhanced UTRAN (E-UTRAN) architecture for next generation wireless systems. The E-UTRAN system is also called the system architecture evolution / long term evolution (SAE/LTE) system. The enhanced UTRAN system is also called the E-UMTS access system.

The E-UTRAN system is required to co-exist with the current second generation (2G) and third generation (3G) wireless systems and, in particular, to support handovers between the existing systems and the newly evolved E-UTRAN system, as specified in 3GPP TR 23.882. The E-UTRAN system is an evolution of the 3GPP UTRAN system, in which the main entities are the user equipment (UE), the enhanced Node B (ENB) and the enhanced GGSN (EGGSN), as shown in Figure 2. The ENB of the E-UTRAN system is expected to have the features of the Node B and the radio network controller (RNC) of the legacy UTRAN system. The EGGSN is expected to have the functionalities of the SGSN and the GGSN of the legacy UTRAN systems. The EGGSN can also be split into two nodes, the mobility management entity (MME) and the user plane entity (UPE). The MME and UPE can be combined into a single entity or can exist as two separate entities in the network. Currently there is no network access authentication method defined for the UE to access the E-UTRAN access system.

3GPP SA WG3 has defined the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3GPP AKA mechanism. The 3GPP authentication infrastructure, including the 3GPP Authentication Centre (AuC), the USIM or the ISIM, and the 3GPP AKA protocol run between them, is a very valuable asset of 3GPP operators. It has been recognized that this infrastructure could be leveraged to enable application functions in the network and on the user side to establish shared keys. Therefore, 3GPP provides the "bootstrapping of application security" to authenticate the subscriber by defining a Generic Bootstrapping Architecture (GBA) based on the AKA protocol. The reference point Ub lies between the UE and the BSF, as shown in Figure 3. Reference point Ub provides mutual authentication between the UE and the BSF and allows the UE to bootstrap session keys based on the 3GPP AKA infrastructure. The HTTP Digest AKA protocol, specified in RFC 3310, is used on the reference point Ub. It is based on the 3GPP AKA protocol of TS 33.102.

LIMITATIONS

PANA, as proposed by the IETF, will be adopted by WLAN access systems, and the main requirement in I-WLAN is to modify the WLAN as little as possible. It would therefore be better to adopt PANA for I-WLAN so that 3GPP can interwork with the WLAN access system without major modifications. There is no network access authentication method specified by 3GPP for the UE to access the E-UTRAN access system, and since the LTE/SAE architecture is IP based, adopting PANA for network access in the E-UTRAN system would be an efficient method. For GBA, the current specification requires a special protocol on the Ub interface to carry out the AKA procedure that bootstraps application access authentication and key agreement; it would be more efficient to have a single protocol for both the network access and the application access authentication procedures. The PANA specification defines no scenario with a mixture of network entities capable of ciphering/integrity protection at different layers, whereas the 3GPP-WLAN interworking system consists of both L2 and L3 ciphering/integrity protection. To adapt PANA for the I-WLAN system, the PANA protocol needs to be modified.

SUMMARY OF THE INVENTION

The primary object of the invention is to provide network access authentication using PANA for the I-WLAN and LTE/SAE access systems. Another object of the invention is to provide a mechanism to bootstrap the authentication and key agreement for application security in GBA using PANA. The present invention relates to a mechanism to provide network access authentication in I-WLAN and LTE/SAE and also application access authentication using PANA. The invention also incorporates the mechanism by which the UE acts as the PANA Authentication Client (PAC), performs the network access authentication in I-WLAN and LTE/SAE, and also bootstraps the application authentication with the BSF in GBA.

The system of the present invention for the I-WLAN access system comprises a WLAN-3G capable UE and a WLAN network interconnected to a 3GPP delivery network consisting of an AAA server, WAG, PDG and intermediate IP nodes. The system of the present invention for LTE/SAE comprises an LTE/SAE capable UE and an LTE/SAE core network consisting of ENB, EGGSN, AAA server (optionally) and intermediate IP nodes. The system of the present invention for GBA comprises a 3G capable UE and a 3GPP delivery network consisting of an AAA server, BSF, NAF and intermediate IP nodes.

The present invention comprises the following methods, which solve the problems associated with the current art:

1. In the I-WLAN scenario, the UE performs WLAN Direct IP Access authentication to access the internet directly through the WLAN access network and then performs WLAN 3GPP IP Access authentication to access the 3GPP IP services through the 3GPP core network. In the 3GPP-WLAN interworking system, the AP and the PDG are capable of layer 2 and layer 3 ciphering/integrity protection respectively, and the UE needs to perform WLAN Direct IP Access authentication and establish L2 ciphering/integrity protection with the WLAN AP, and to perform WLAN 3GPP IP Access authentication and establish L3 ciphering/integrity protection with the PDG. In this invention, with a single PANA authentication, both the AP and the PDG obtain the layer 2 and layer 3 security keys respectively, so that the UE has link-layer ciphering/integrity protection with the AP and network-layer ciphering/integrity protection with the PDG.

2. In the scenario above, a mixture of layer 2 and layer 3 ciphering/integrity protection EPs may be present within the network. The proposed mechanism lets the EPs indicate their ciphering layer to the PAA, so that the PAA distributes the keys according to the ciphering layer.

3. A mechanism to include the list of EPs (with their ciphering layer) in the PANA Start Response message, so that the PAA need not send the keys to all the EPs in its domain, since the 3G-WLAN interworking system does not store the UE context (keys and information) while the UE is not attached to it.

4. Due to load balancing or redirection of the tunnel, the serving PDG can transfer the PANA session context to the new PDG and can inform the UE to shift the context. The proposed method informs the UE/PAC of the redirection/change of PDG/PAA.

5. When the UE uses both WLAN Direct IP Access and WLAN 3GPP IP Access and moves between APs owned by different operators and connected to a different PLMN, a mechanism to transfer the PANA session context such that the PAA in the visited network can derive and distribute the keys to the AP and also to the PDG, so that the UE performs the mobility procedure without performing the authentication procedure. A mechanism to carry, within the PANA messages, the mobility messages indicating whether multiple key derivation is needed is also proposed.

6. A mechanism to perform network access authentication using PANA for LTE/SAE is proposed.

7. A method to perform inter-RAT mobility between the I-WLAN and the E-UTRAN access system is proposed.

8. A method to perform inter-EGGSN mobility in the E-UTRAN access system is proposed.

9. A method to perform inter-I-WLAN mobility in the 3GPP-WLAN interworking system is proposed.

10. A mechanism to adapt PANA for GBA to bootstrap authentication and key agreement for application security on the Ub interface between the BSF and the UE is proposed.

Accordingly, the present invention comprises a method of providing network access authentication using PANA for the I-WLAN and LTE/SAE access systems wherein layer 2 and layer 3 ciphering/integrity protection keys are provided to the WLAN access point and the PDG respectively in a single PANA authentication procedure, and the UE (PAC) derives both the layer 2 and layer 3 ciphering/integrity protection keys, so that the UE has link-layer ciphering/integrity protection with the AP and network-layer ciphering/integrity protection with the PDG; PANA is enabled to handle a mixture of layer 2 and layer 3 ciphering EPs within the network; and the EPs indicate their ciphering layer to the PAA, so that the PAA distributes the keys according to the ciphering/integrity protection layer. The present invention also comprises a method to provide the mechanism to bootstrap the authentication and key agreement for application security in GBA using PANA.

Accordingly, the present invention further comprises a method as above wherein the list of EPs is included in the PANA message, so that the PAA need not send the keys to all the EPs in its domain; for load balancing or redirection of the tunnel, the PDG (PAA) informs the UE (PAC) of the redirection/change; a mechanism to perform network access authentication using PANA for LTE/SAE is provided; and a mechanism to perform inter-RAT mobility between the I-WLAN and the E-UTRAN access system is provided.

Accordingly, the present invention further comprises a method as above wherein a mechanism to perform inter-EGGSN mobility in the E-UTRAN access system is provided; a mechanism to perform inter-I-WLAN mobility in the E-UTRAN access system is provided; and a mechanism to adapt PANA for GBA to bootstrap authentication and key agreement for application security on the Ub interface between the BSF and the UE is provided.

Accordingly, this invention explains a method to provide network access authentication using PANA for the I-WLAN and LTE/SAE access systems with optimized mobility support, enabling PANA to handle a mixture of layer 2 and layer 3 ciphering/integrity protection EPs within the network and letting the EPs indicate their ciphering/integrity protection layer to the PAA, so that the PAA distributes the keys according to the ciphering/integrity protection layer, wherein for inter-RAT mobility between E-UMTS and I-WLAN the UE performs a pre-authentication to reduce the handoff latency if the UE is capable of simultaneous access to both access technologies.

Accordingly, this invention also explains a method using PANA for bootstrapping authentication and key agreement for application security in GBA, comprising: (a) starting authentication by initiating the PAA discovery and sending it directly to the BSF; (b) the BSF initiating the authentication procedure once it receives the PAA discovery message; and (c) the UE and the BSF mutually authenticating using AKA or alternatively the EAP-AKA procedure and agreeing on a session key; where the NAF key derivation is as specified in the 3GPP specification or alternatively follows the PAC_EP_Master_KEY derivation specified by PANA, and the BSF uses the PANA session identifier as the Bootstrapping Transaction Identifier (B-TID).

Accordingly, this invention further explains a system to provide network access authentication using PANA for the I-WLAN and LTE/SAE access systems with optimized mobility support, enabling PANA to handle a mixture of layer 2 and layer 3 ciphering/integrity protection EPs within the network and letting the EPs indicate their ciphering/integrity protection layer to the PAA, comprising: (a) the PAA distributing the keys according to the ciphering/integrity protection layer, for inter-RAT mobility between E-UMTS and I-WLAN; and (b) the UE performing a pre-authentication to reduce the handoff latency if it is capable of simultaneous access to both access technologies.

Accordingly, this invention further explains a method using PANA for bootstrapping authentication and key agreement for application security in GBA, comprising: (a) the BSF initiating the authentication procedure once it receives the PAA discovery message; and (b) the UE mutually authenticating with the BSF using AKA or alternatively the EAP-AKA procedure and agreeing on a session key; where the NAF key derivation is as specified in the 3GPP specification or alternatively follows the PAC_EP_Master_KEY derivation specified by PANA, and the BSF uses the PANA session identifier as the Bootstrapping Transaction Identifier (B-TID).

These and other objects, features and advantages of the present invention will be apparent from the ensuing detailed description of the invention taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS

Figure 1 illustrates the different network elements of a WLAN-3G interworking system involved in establishing an end-to-end tunnel between the UE and the PDG.

Figure 2 illustrates the different network elements of the LTE/SAE architecture.

Figure 3 illustrates the different network elements of the 3GPP GBA architecture.

Figure 4 illustrates the sequence diagram for network access authentication using PANA in LTE/SAE.

Figure 5 illustrates the sequence diagram for inter-EGGSN mobility with authentication optimization using PANA.

Figure 6 illustrates the sequence diagram for inter-RAT mobility from E-UTRAN to I-WLAN with authentication optimization using PANA.

Figure 7 illustrates the sequence diagram for inter-RAT mobility from I-WLAN to E-UTRAN with authentication optimization using PANA.

Figure 8 illustrates the usage of PANA for bootstrapping authentication and key agreement for application security in GBA.

Figure 9 illustrates the sequence diagram for efficient mobility support in I-WLAN using PANA.

DETAILED DESCRIPTION OF THE INVENTION

The preferred embodiments of the present invention will now be explained with reference to the accompanying drawings. It should be understood, however, that the disclosed embodiments are merely exemplary of the invention, which may be embodied in various forms. The following description and drawings are not to be construed as limiting the invention, and numerous specific details are described to provide a thorough understanding of the present invention, as the basis for the claims and as a basis for teaching one skilled in the art how to make and/or use the invention. However, in certain instances, well-known or conventional details are not described in order not to unnecessarily obscure the present invention.

Operation of the Invention

The present invention provides a system and method to provide network access authentication using PANA for the I-WLAN and LTE/SAE access systems with optimized mobility support, and also provides the mechanism to bootstrap the authentication and key agreement for application security in GBA using PANA.
The method of the invention comprises of mechanisms to provide PANA to handle mixture of layer 2 and layer 3 ciphering/integrity protection EPs within the network and also to intimate the ciphering/integrity protection layer to the PAA by the EPs, so that PAA distributes the keys according to the ciphering/integrity protection layer. For the Inter RAT mobility between the EUMTS and l-WLAN, the UE does a pre-authentication to reduce the handoff latency, if the UE is capable of simultaneous access (i.e., UE can access both the access technology simultaneously). The invention is operated as detailed below: Network Access Authentication using PANA in LTE/SAE as shown in the Figure 4: 1. The UE does the selection of access network as the LTE/SAE. 2. The UE then initiates the L2 connectivity with the ENB of the LTE/SAE system. 3. After establishing the L2 connectivity, the ENB assigns a temporary IP address (Pre-PANA address (PRPA)) to the UE. 4. The ENB establish an UP setup for the UE with the EGGSN. 5. The UE starts the PANA PAA Discovery/Request and selects the EGGSN (PAA) or alternatively the ENB will intimate the EGGSN IP address to the UE. 6. Then the UE start PANA authentication with the EGGSN using AKA or alternatively EAP-AKA. 7. Once the UE successfully authenticated with the EGGSN, the EGGSN assigns the Post-PANA address (POPA) and distribute the keys to the ENB (EP). 8. After receiving the keys from the EGGSN, the ENB starts the security mode command to start the security between the UE and the ENB. 9. Then the UE starts normal procedures like the RAU request as specified in the 3GPP specifications. Inter EGGSN Mobility using PANA authentication procedure as shown in Figure 5: 1. UE sends periodic or event based measurements to the serving ENB (sENB). 2. Based on the measurement reports, the ENB decides to initiate handover procedure. The sENB selects target ENB(s) (tENB) based on its decision/selection policy. 3. 
The sENB sends the handover preparation request to the tENB, which may contains security context, IP address of the UE and Radio capabilities. 4. After receiving the handover preparation request, tENB reserves the radio resources as mentioned in the handover preparation request. 5. The tENB initiates an UP establishment request to the target EGGSN which serves the tENB. 6. The tEGGSN contacts the sEGGSN based on the IP address or alternatively querying the HSS or alternatively using the PANA session identifier send by the UE or alternatively by some other means. The tGGSN establish a tunnel towards the sEGGSN, to retrieve the data packets destined to the UE. The tGGSN retrieves the PANA session context of the UE from the sEGGSN and computes the new key. 7. Once the tunnel is established, then the sEGGSN starts bi-casting the packets destined to the UE to both the tEGGSN and the sENB. 8. a. The tEGGSN sends the UP establishment response to the tENB including the keys required for protecting the air interface between the UE and the ENB. b. The tEGGSN starts buffering the packets destined to the UE. 9. The ENB stores the keys required for protecting the messages between the UE and the ENB received in the UP establishment response message. 10.After successfully receiving the UP establishment response from the tEGGSN, the tENB sends a HO prepare response to the sENB. The HO prepare response may contain the new RAI and new radio capabilities. 11. After receiving the HO preparation response, the sENB sends the HO command to the UE to start handover with the tENB. The sENB includes the tENB IP address. 12. The UE then establish L2/RRC connection with the EUMTS network. The UE derive the keys according to procedure specified in the PANA protocol for the tENB and the tEGGSN. 13. The UE send the RAU message or alternatively any initial L3 message after the L2 connection to the tEGGSN (Access Gateway). 14. 
The tEGGSN after receiving the initial L3 message from the UE, sends the initial L3 accept message to the UE. Optionally the EGGSN include the Post PANA IP address in the initial L3 accept message. Then the UE configures the IP address. 15. The tEGGSN forwards the buffered packets destined to the UE. 16. After receiving the initial L3 accept message, the UE sends the HO complete message to the tENB. 17.Then the tENB sends the HO confirmation message to the sENB. 18. Once the sENB receives the HO confirmation message, the sENB release the resources allocated to the UE and then trigger UP release procedure. inter RAT mobility from EUTRAN to i-WLAN with authentication optimization using PANA as shown in Figure 6: 1. UE sends periodic or event based measurements to the ENB/EGGSN. 2. a. If EGGSN finds that UE measurement is below the threshold or EGGSN decides by any other mean that EUTRAN cannot be continued, then EGGSN/ENB can request the UE to start scanning other RATs. b. By L2 or by some other means, the UE decides that the EUTRAN cannot be continued and starts scanning the other RATs. 3. a. UE can directly send the HO request to the AAA sever, through EGGSN. The packet can be routed to the home AAA server by resolving the NAI. HO request message contains the NAI, RAT type, Authentication Vectors and EGGSN IP address (included by the EGGSN). b. UE may send the measurements of l-WLAN to the EGGSN as requested by the EGGSN to scan other RATs. This measurement includes the details of the l-WLAN like WLAN ID, NAI and W-APN/s (formed by the UE according to the current ongoing application/s). Optionally EGGSN resolve IP addresses of the PDG using the W-APN(s). The HO request is sent to AAA server using NAI. The HO request sent by the EGGSN contains the NAI, RAT type, Authentication Vectors and EGGSN IP address (included by the EGGSN). 4. AAA verifies the NAI and stores the Authentication vectors and the EGGSN IP Address (Optional). 
The AAA server then sends the HO accept message to the EGGSN. The AAA server may assign new IP address to the UE (the AAA server may assign multiple new IP addresses, if more than one sessions are active) and include the IP address in the HO accept message. Optionally AAA server may specify the PDG IP address in the HO accept message, for the UE to establish the tunnel. 5. The EGGSN then sends the HO command to the UE. If the EGGSN resolves the PDG IP address/addresses, then the EGGSN includes the IP address/addresses in the HO command. If the AAA server sends the IP address to the UE in the HO accept message, then the EGGSN includes the IP address in the HO command. 6. EGGSN starts buffering the packets destined to the UE. 7. a. The UE starts WLAN access. The UE executes the PANA handshake phases with the PDG. In response to the parameters included in the PANA Start Answer message, the UE includes the unexpired PANA session context to the PDG. The PDG retrieves the PANA session context from the EGGSN by using the PANA session Identifier, through direct interface between the PDG and the EGGSN or alternatively through the AAA Server. Using the PANA session context, the PDG derives the keys and distributes to the WLAN AP. Then the WLAN AP establishes L2 ciphering/integrity protection with the UE. b. If the WLAN AP does not require authentication, then the UE after receiving the HO command, the UE starts the IKEv2 procedure to establish the IPsec tunnel towards the PDG. The UE may select the IP address of the PDG from the list provided by the EGGSN or UE by itself can resolve the IP addresses of the PDGs. The UE executes the PANA handshake phases with the PDG. In response to the parameters included in the PANA Start Answer message, the UE includes the unexpired PANA session context to the PDG. 
The PDG retrieves the PANA session context from the EGGSN by using the PANA session Identifier, through direct interface between the PDG and the EGGSN or alternatively through the AAA Server. Using the PANA session context, the PDG and the UE establish the IPsec tunnel. If the UE does the step 7a, then it directly establishes the IPsec tunnel. 8. After establishing the tunnel, the PDG updates the location of the UE to the AAA Server/HSS. 9. After receiving the location update procedure, AAA/HSS triggers the EGGSN to release the radio resources allocated to the UE. 10. The PDG establish a tunnel towards the EGGSN as like tunnel between HA and FA 11. The EGGSN tunnels the buffered packets to the PDG and the PDG forwards the packets to the UE. 12. After start receiving the packets from the EGGSN, the UE may do MIP based route optimization procedure with the CN, if CN supports MIP and tunnel overhead is not considered to be disadvantage. 13. If no active TCP connections were present, then the UE can do SIP based terminal mobility procedure, if it has any active IMS based sessions and can avoid the MIP based mobility procedure. The UE can intimate the release of IP to the EGGSN in the HO confirm message. The HO complete message is sent within the IKEv2 or with any new signaling protocol. If MIP based solution is used then the UE just confirms the HO by sending the HO complete message within the IKEv2 or with any new signaling protocol. 14. The PDG relays the HO complete message to the EGGSN. Inter RAT mobility from l-WLAN to EUTRAN with authentication optimization using PANA as shown in Figure 7: 1. Based on the signal strength of l-WLAN or by other means, the UE start scanning the other RAT and decided to attach with the EUMTS AS. 2. The UE intimate the PDG to buffer the packets destined to it through a new IKEv2 notification payload or through some other signaling message like MIP buffer management mechanism. 
Optionally UE may request the PDG to close the IPsec tunnel and resources reserved for this UE. 3. The PDG starts buffering the packets destined to the UE. 4. The UE then starts L2 establishment with the EUMTS network. 5. a. Initial L3 message triggers the UE to initiate PANA procedure with the EGGSN. After PANA discovery and handshake procedure, the UE includes PANA session identifier in the PANA response. b. The EGGSN contacts the PDG using the PANA session identifier and retrieves the PANA Session Context of the UE. c. The EGGSN successfully complete the PANA binding and pass the keys to the ENB. Then the ENB and the UE does the security mode command procedure and establish security association between them. 6. Then the UE send the RAU message or alternatively any initial L3 message after the L2 connection, including the HO preparation message containing l-WLAN ID, NAI and the PDG IP address. The user part of the NAI contains the IMSI or pseudonym or re-authentication id. 7. EGGSN provides the temporary identities and IP address (if the UE use pre PANA IP address, then the EGGSN passes the Post PANA IP address) to the UE in the RAU accept message or alternatively in the response message to the initial L3 request. 8. Optionally the HSS/AAA request the PDG to release the tunnel created for the UE. 9. EGGSN establish a tunnel with the PDG and if the S (simultaneous) bit is off then EGGSN request the PDG to forward all the packets destined to the UE. 10. The PDG tunnels the buffered packets to the EGGSN and then the EGGSN forwards to the UE. 11. After start receiving the packets through the EGGSN, the UE may do MIP based route optimization procedure with the CN, if CN supports MIP and tunnel overhead is not considered to be disadvantage. 12. If no active TCP connections are present, then the UE can do SIP based terminal mobility procedure, if it has any active IMS based sessions and can avoid the MIP based mobility procedure. 
The UE can intimate the release of IP to the EGGSN in the HO confirm message. If a MIP based solution is used, then the UE just confirms the HO by sending the HO complete message.
13. The EGGSN relays the HO complete message to the PDG.

Using PANA for bootstrapping authentication and key agreement for application security in GBA, as shown in Figure 8:

For the GBA bootstrapping procedure, the UE has the PAC functionality, the BSF has both the PAA and AS functionality, and the NAF has the EP functionality. The bootstrap authentication starts by initiating the PAA discovery, sent directly to the BSF. The BSF address is obtained as mentioned in the 3GPP specification. Once the BSF receives the PAA discovery message, the BSF initiates the authentication procedure. Then the UE and the BSF mutually authenticate using AKA or alternatively the EAP-AKA procedure and agree on a session key. The NAF key derivation can be as specified in the 3GPP specification, or alternatively the NAF key derivation can be according to the PAC_EP_Master_KEY derivation as specified by PANA. The BSF uses the PANA session identifier as the Bootstrapping Transaction Identifier (B-TID).

Inter l-WLAN mobility using PANA, as shown in Figure 9:
1. The UE obtains the post-PANA address (PRPA) from the sWLAN AP and sends PANA-PAA-Discover.
2. The sPDG sends a PANA-Start-Request message after receiving the PANA-PAA-Discover.
3. In response to the PANA-Start-Request message from the sPDG, the UE sends the PANA-Start-Answer. When the PANA-Start-Answer is received by the sWLAN AP, the sWLAN AP includes its ID and the ciphering/integrity protection layer and forwards it to the sPDG. If the sPDG is an EP, then the sPDG also includes its ID and the ciphering/integrity protection layer and forwards it to the PAA. In the illustrated example, the sPDG and the tPDG have both the PAA and the EP functionalities.
4. After receiving the PANA-Start-Answer with the list of EPs, the sPDG initiates the authentication and authorization phase. After successful authentication, the PAA derives and distributes keys for the EP list according to the ciphering/integrity protection layer mentioned in the PANA-Start-Request, and thus allows the UE to access both WLAN 3GPP IP Access and WLAN Direct IP Access. Once the authentication phase is over, the sPDG sends the Post-PANA IP Address to the UE. The UE establishes the L2 ciphering/integrity protection with the WLAN AP and the L3 ciphering/integrity protection (an IPsec tunnel using IKEv2) with the sPDG.
5. The UE starts moving into another PLMN.
6. The UE associates with the tWLAN AP, obtains the post-PANA address (PRPA) from the tWLAN AP and sends PANA-PAA-Discover.
7. The tPDG sends a PANA-Start-Request message after receiving the PANA-PAA-Discover.
8. In response to the PANA-Start-Request message from the tPDG, the UE sends the PANA-Start-Answer with the PANA Session Identifier. When the PANA-Start-Answer is received by the tWLAN AP, the tWLAN AP includes its ID and the ciphering layer and forwards it to the tPDG. If the tPDG is an EP, then the tPDG also includes its ID and the ciphering/integrity protection layer and forwards it to the PAA.
9. The tPDG, using the PANA session identifier, contacts the sPDG and retrieves the PANA Session Context of the UE.
10. After successful retrieval, the PAA derives and distributes keys for the EP list according to the ciphering/integrity protection layer mentioned in the PANA-Start-Request, and thus allows the UE to access both WLAN 3GPP IP Access and WLAN Direct IP Access. After the PANA-Bind exchange signals, the sPDG sends the Post-PANA IP Address to the UE. The UE establishes the L2 ciphering/integrity protection with the WLAN AP and the L3 ciphering/integrity protection (an IPsec tunnel using IKEv2) with the tPDG.
11. The tPDG intimates the current location to the AAA and requests the AAA to update the current location of the UE.
12. Optionally, the AAA can request the sPDG to release the resources allocated to the UE.

It will also be obvious to those skilled in the art that other control methods and apparatuses can be derived from the combinations of the various methods and apparatuses of the present invention as taught by the description and the accompanying drawings, and these shall also be considered within the scope of the present invention. Further description of such combinations and variations is therefore omitted above. It should also be noted that the host for storing the applications includes, but is not limited to, a microchip, microprocessor, handheld communication device, computer, rendering device or a multi-function device. Although the present invention has been fully described in connection with the preferred embodiments thereof with reference to the accompanying drawings, it is to be noted that various changes and modifications are possible and are apparent to those skilled in the art. Such changes and modifications are to be understood as included within the scope of the present invention as defined by the appended claims unless they depart therefrom.
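The keying and context-transfer steps of the two procedures above (GBA bootstrapping in Figure 8, inter l-WLAN mobility in Figure 9), as an added Python toy model that is not part of the patent: one PAA keys a mix of L2 and L3 EPs from a single session, a target PDG re-keys its own EPs from a retrieved, unexpired session context instead of re-running AKA, and a BSF reuses the PANA session identifier as the B-TID. The prf+ construction, the per-EP seed layout, and every name and sample value here are assumptions, not the PANA or 3GPP derivation.

```python
# Toy model of the PANA keying described above (added example, not the patent's
# code). prf+ and the per-EP seed layout are assumptions, loosely modelled on the
# PEMK formula of RFC 5807 with HMAC-SHA256; all names and values are constructed.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

def prf_plus(key: bytes, seed: bytes, length: int = 32) -> bytes:
    """IKEv2-style prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]

@dataclass
class SessionContext:
    session_id: bytes   # PANA Session Identifier; doubles as the B-TID in the GBA case
    msk: bytes          # key agreed by AKA / EAP-AKA (constructed by the caller here)
    key_id: int
    expires_at: float

    def unexpired(self, now=None) -> bool:
        return (time.time() if now is None else now) < self.expires_at

def ep_key(ctx: SessionContext, ep_id: str, layer: str) -> bytes:
    """Per-EP key. The EP's ciphering/integrity layer tag (L2 for a WLAN AP, L3 for a
    PDG/IPsec tunnel, APP for a NAF) is mixed into the seed, so no two EPs share a
    key and a key issued for one layer cannot be reused at another."""
    seed = (b"IETF PEMK" + ctx.session_id + ctx.key_id.to_bytes(2, "big")
            + ep_id.encode() + b"|" + layer.encode())
    return prf_plus(ctx.msk, seed)

class PAA:
    """A PAA (co-located with a PDG, or with the BSF for GBA) holding session contexts."""

    def __init__(self) -> None:
        self.sessions = {}  # session_id -> SessionContext

    def authenticate(self, msk: bytes, lifetime: float = 3600.0) -> bytes:
        """Stands in for a full AKA / EAP-AKA run; returns the new session identifier."""
        sid = os.urandom(8)
        self.sessions[sid] = SessionContext(sid, msk, 1, time.time() + lifetime)
        return sid

    def distribute_keys(self, sid: bytes, ep_list) -> dict:
        """Key every (ep_id, layer) pair reported in the PANA-Start-Answer's EP list."""
        ctx = self.sessions[sid]
        return {ep_id: ep_key(ctx, ep_id, layer) for ep_id, layer in ep_list}

    def retrieve_context(self, sid: bytes, now=None):
        """Answer a target PAA's context request; unknown or expired session -> None."""
        ctx = self.sessions.get(sid)
        return ctx if ctx is not None and ctx.unexpired(now) else None

    def handover_in(self, sid: bytes, source: "PAA", ep_list, now=None):
        """Target side of steps 9-10: fetch the context by session id, then key the
        target EPs. None means the context is unusable and a full authentication is needed."""
        ctx = source.retrieve_context(sid, now)
        if ctx is None:
            return None
        self.sessions[sid] = ctx
        return self.distribute_keys(sid, ep_list)

def gba_bootstrap(bsf: PAA, msk: bytes, naf_id: str):
    """GBA variant: the BSF acts as PAA and the NAF as an EP; the session id is the B-TID."""
    btid = bsf.authenticate(msk)
    return btid, ep_key(bsf.sessions[btid], naf_id, "APP")
```

The expiry check is the part a defender cares about: a stale or unknown session identifier presented at the target PDG yields no keys and forces a full authentication rather than re-keying from old material.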
GLOSSARY OF TERMS AND DEFINITIONS THEREOF
3GPP: 3rd Generation Partnership Project
AAA: Authentication, Authorization and Accounting
AP: Wireless Local Area Network (WLAN) Access Point
AP-id: Wireless Local Area Network (WLAN) Access Point Identity
APN: Access Point Name
BSF: Bootstrapping Server Function
CSCF: Call Session Control Function
DNS: Domain Name Server
EMSK: Extended Master Session Key
EUMTS: Evolving UMTS Terrestrial Radio Access Network
EGGSN: Evolving GGSN
EP: Enforcement Point
GBA: Generic Bootstrapping Architecture
GGSN: Gateway GPRS Support Node
H-PLMN: Home Public Land Mobile Network (PLMN)
HSS: Home Subscription Server
IP-CAN: IP-Connectivity Access Network
IPSec: IP Security Protocol
MME: Mobility Management Entity
NAF: Network Application Function
PAA: PANA Authentication Agent
PAC: PANA client
PANA: Protocol for Carrying Authentication for Network Access
PDG: Packet Data Gateway
SDP: Session Description Protocol
SGSN: Serving GPRS Support Node
SPI: Security Parameter Index
TID: Tunnel ID
TSK: Tunnel Session Key
UPE: User Plane Entity. This combined with the MME can form the EGGSN.
USER TERMINAL: the end user equipment, e.g., the Mobile Station (MS) or User Equipment (UE).
UTRAN: UMTS Terrestrial Radio Access Network consisting of the Node B and the RNC.
V-PLMN: Visited Public Land Mobile Network
WAG: Wireless Access Gateway
W-APN: WLAN APN
WLAN UE: The WLAN UE is the UE (equipped with a UICC card including a (U)SIM) utilized by a 3GPP subscriber to access the WLAN interworking.
WLAN UE's remote IP address: An address used in the data packet encapsulated by the WLAN UE-initiated tunnel.

WE CLAIM

1.
A method to provide the network access authentication using PANA for l-WLAN and LTE/SAE access systems with optimized mobility support enabling PANA to handle a mixture of layer 2 and layer 3 ciphering/integrity protection EPs within the network and also to intimate the ciphering/integrity protection layer to the PAA by the EPs, enabling the PAA to distribute the keys according to the ciphering/integrity protection layer wherein for the Inter RAT mobility between the EUMTS and l-WLAN, where the UE does a pre-authentication to reduce the handoff latency, if the UE is capable of simultaneous access of both the access technologies.

2. A method as claimed in claim 1 wherein the Network Access Authentication using PANA in LTE/SAE involves:
(a) the UE doing the selection of access network as the LTE/SAE;
(b) the UE initiating the L2 connectivity with the ENB of the LTE/SAE system;
(c) the ENB assigning a temporary IP address (Pre-PANA address (PRPA)) to the UE after establishing the L2 connectivity;
(d) the ENB establishing an UP setup for the UE with the EGGSN;
(e) the UE starting the PANA PAA Discovery/Request and selecting the EGGSN (PAA), or alternatively the ENB intimating the EGGSN IP address to the UE;
(f) the UE starting PANA authentication with the EGGSN using AKA or alternatively EAP-AKA;
(g) the EGGSN assigning the Post-PANA address (POPA) and distributing the keys to the ENB (EP) once the UE has successfully authenticated with the EGGSN;
(h) the ENB starting the security mode command to start the security between the UE and the ENB after receiving the keys from the EGGSN; and
(i) the UE starting normal procedures like the RAU request as specified in the 3GPP specifications.

3. A method as claimed in claim 1 wherein the said method involves Inter EGGSN Mobility using the PANA authentication procedure, comprising:
(a) the UE sending periodic or event based measurements to the serving ENB (sENB);
(b) the ENB deciding to initiate the handover procedure based on the measurement reports and the sENB selecting target ENB(s) (tENB) based on its decision/selection policy;
(c) the sENB sending the handover preparation request to the tENB, which optionally contains the security context, IP address of the UE and radio capabilities;
(d) the tENB reserving the radio resources as mentioned in the handover preparation request after receiving the handover preparation request;
(e) the tENB initiating an UP establishment request to the target EGGSN which serves the tENB;
(f) the tEGGSN contacting the sEGGSN based on the IP address, or alternatively querying the HSS, or alternatively using the PANA session identifier sent by the UE, where the tGGSN establishes a tunnel towards the sEGGSN to retrieve the data packets destined to the UE, retrieves the PANA session context of the UE from the sEGGSN and computes a new key;
(g) the sEGGSN starting bi-casting the packets destined to the UE to both the tEGGSN and the sENB once the tunnel is established;
(h) the tEGGSN sending the UP establishment response to the tENB including the keys required for protecting the air interface between the UE and the ENB, and the tEGGSN starting buffering the packets destined to the UE;
(i) the ENB storing the keys required for protecting the messages between the UE and the ENB received in the UP establishment response message;
(j) the tENB sending a HO prepare response to the sENB after successfully receiving the UP establishment response from the tEGGSN, where the HO prepare response optionally contains the new RAI and new radio capabilities;
(k) the sENB sending the HO command to the UE to start handover with the tENB after receiving the HO preparation response, where the sENB includes the tENB IP address;
(l) the UE establishing the L2/RRC connection with the EUMTS network, where the UE derives the keys according to the procedure specified in PANA for the tENB and the tEGGSN;
(m) the UE sending the RAU message or alternatively any initial L3 message after the L2 connection to the tEGGSN;
(n) the tEGGSN, after receiving the initial L3 message from the UE, sending the initial L3 accept message to the UE, and optionally the EGGSN including the Post-PANA IP address in the initial L3 accept message, where the UE configures the IP address;
(o) the tEGGSN forwarding the buffered packets destined to the UE;
(p) the UE sending the HO complete message to the tENB after receiving the initial L3 accept message;
(q) the tENB sending the HO confirmation message to the sENB; and
(r) the sENB releasing the resources allocated to the UE and then triggering the UP release procedure once the sENB receives the HO confirmation message.

4. A method as claimed in claim 1 wherein the said method involves Inter RAT mobility from EUTRAN to l-WLAN with authentication optimization using PANA, comprising:
(a) the UE sending periodic or event based measurements to the ENB/EGGSN;
(b) the EGGSN/ENB requesting the UE to start scanning other RATs if the EGGSN finds that the UE measurement is below the threshold or if the EGGSN decides that EUTRAN cannot be continued;
(c) the UE deciding that the EUTRAN cannot be continued and starting to scan the other RATs;
(d) the UE directly sending the HO request to the AAA server through the EGGSN, where the packet is routed to the home AAA server by resolving the NAI, and where the HO request message contains the NAI, RAT type, Authentication Vectors and the EGGSN IP address included by the EGGSN;
(e) the UE optionally sending the measurements of l-WLAN to the EGGSN as requested by the EGGSN to scan other RATs, where this measurement includes the details of the l-WLAN like WLAN ID, NAI and W-APN/s;
(f) the EGGSN optionally resolving IP addresses of the PDG using the W-APN(s);
(g) sending the HO request to the AAA server using the NAI, where the HO request sent by the EGGSN contains the NAI, RAT type, Authentication Vectors and the EGGSN IP address included by the EGGSN;
(h) the AAA verifying the NAI and storing the Authentication Vectors and the EGGSN IP address, and the AAA server then sending the HO accept message to the EGGSN, the AAA server optionally assigning a new IP address to the UE and including the IP address in the HO accept message, where optionally the AAA server specifies the PDG IP address in the HO accept message for the UE to establish the tunnel;
(i) the EGGSN then sending the HO command to the UE, and if the EGGSN resolves the PDG IP address/addresses, then the EGGSN including the IP address/addresses in the HO command, where if the AAA server sends the IP address to the UE in the HO accept message, then the EGGSN includes the IP address in the HO command;
(j) the EGGSN starting buffering the packets destined to the UE;
(k) the UE starting WLAN access and the UE executing the PANA handshake phases with the PDG, and in response to the parameters included in the PANA Start Answer message, the UE includes the unexpired PANA session context to the PDG and the PDG retrieves the PANA session context from the EGGSN by using the PANA session Identifier, through a direct interface between the PDG and the EGGSN or alternatively through the AAA Server, where using the PANA session context, the PDG derives the keys and distributes them to the WLAN AP, where the WLAN AP establishes L2 ciphering/integrity protection with the UE;
(l) the UE, after receiving the HO command, starting the IKEv2 procedure to establish the IPsec tunnel towards the PDG if the WLAN AP does not require authentication, and the UE optionally selecting the IP address of the PDG from the list provided by the EGGSN or the UE by itself resolving the IP addresses of the PDGs, and the UE executing the PANA handshake phases with the PDG and, in response to the parameters included in the PANA Start Answer message, where the UE includes the unexpired PANA session context to the PDG and the PDG retrieves the PANA session context from the EGGSN by using the PANA session Identifier, through a direct interface between the PDG and the EGGSN or alternatively through the AAA Server, and using the PANA session context, the PDG and the UE establish the IPsec tunnel if the UE WLAN AP establishes L2 ciphering/integrity protection with the UE;
(m) the PDG updating the location of the UE to the AAA Server/HSS after establishing the tunnel;
(n) the AAA/HSS triggering the EGGSN to release the radio resources allocated to the UE after receiving the location update procedure;
(o) the PDG establishing a tunnel towards the EGGSN, like the tunnel between HA and FA;
(p) the EGGSN tunneling the buffered packets to the PDG and the PDG forwarding the packets to the UE;
(q) the UE optionally doing the MIP based route optimization procedure with the CN after starting to receive the packets from the EGGSN, if the CN supports MIP and tunnel overhead is not considered to be a disadvantage;
(r) the UE performing the SIP based terminal mobility procedure if it has any active IMS based sessions, and avoiding the MIP based mobility procedure if no active TCP connections are present, and the UE intimating the release of IP to the EGGSN in the HO confirm message, where the HO complete message is sent within IKEv2 or with any new signaling protocol, and if a MIP based solution is used then the UE confirms the HO by sending the HO complete message within IKEv2 or with any new signaling protocol; and
(s) the PDG relaying the HO complete message to the EGGSN.

5. A method as claimed in claim 1 wherein the said method involves inter RAT mobility from l-WLAN to EUTRAN with authentication optimization using PANA, comprising:
(a) the UE starting scanning the other RAT and deciding to attach with the EUMTS AS based on the signal strength of l-WLAN or other means;
(b) the UE intimating the PDG to buffer the packets destined to it through a new IKEv2 notification payload or through a signaling message like the MIP buffer management mechanism, and the UE optionally requesting the PDG to close the IPsec tunnel and the resources reserved for this UE;
(c) the PDG starting buffering the packets destined to the UE;
(d) the UE then starting L2 establishment with the EUMTS network;
(e) the initial L3 message triggering the UE to initiate the PANA procedure with the EGGSN, where after the PANA discovery and handshake procedure, the UE includes the PANA session identifier in the PANA response;
(f) the EGGSN contacting the PDG using the PANA session identifier and retrieving the PANA Session Context of the UE;
(g) the EGGSN successfully completing the PANA binding and passing the keys to the ENB, where the ENB and the UE do the security mode command procedure and establish a security association between them;
(h) the UE sending the RAU message or alternatively any initial L3 message after the L2 connection, including the HO preparation message containing the l-WLAN ID, NAI and the PDG IP address, where the user part of the NAI contains the IMSI or pseudonym or re-authentication id;
(i) the EGGSN providing the temporary identities and IP address to the UE in the RAU accept message or alternatively in the response message to the initial L3 request;
(j) the HSS/AAA optionally requesting the PDG to release the tunnel created for the UE;
(k) the EGGSN establishing a tunnel with the PDG, and if the simultaneous bit is off then the EGGSN requesting the PDG to forward all the packets destined to the UE;
(l) the PDG tunneling the buffered packets to the EGGSN and then the EGGSN forwarding them to the UE;
(m) the UE optionally doing the MIP based route optimization procedure with the CN if the CN supports MIP and tunnel overhead is not considered to be a disadvantage, after starting to receive the packets through the EGGSN;
(n) the UE performing the SIP based terminal mobility procedure if it has any active IMS based sessions, and avoiding the MIP based mobility procedure if no active TCP connections are present, where the UE intimates the release of IP to the EGGSN in the HO confirm message, and if a MIP based solution is used then the UE confirming the HO by sending the HO complete message; and
(o) the EGGSN relaying the HO complete message to the PDG.

6. A method as claimed in claim 1 wherein the said method involves inter l-WLAN mobility using PANA, comprising:
(a) the UE obtaining the post-PANA address (PRPA) from the sWLAN AP and sending PANA-PAA-Discover;
(b) the sPDG sending a PANA-Start-Request message after receiving the PANA-PAA-Discover;
(c) the UE sending the PANA-Start-Answer in response to the PANA-Start-Request message from the sPDG;
(d) the sWLAN AP including its ID and the ciphering/integrity protection layer and forwarding it to the sPDG when the PANA-Start-Answer is received by the sWLAN AP;
(e) the sPDG including its ID and the ciphering/integrity protection layer and forwarding it to the PAA if the sPDG is an EP;
(f) the sPDG initiating the authentication and authorization phase after receiving the PANA-Start-Answer with the list of EPs;
(g) the PAA deriving and distributing keys for the EP list according to the ciphering/integrity protection layer mentioned in the PANA-Start-Request and allowing the UE to access both WLAN 3GPP IP Access and WLAN Direct IP Access after successful authentication;
(h) the sPDG sending the Post-PANA IP Address to the UE once the authentication phase is over, and the UE establishing the L2 ciphering/integrity protection with the WLAN AP and L3 ciphering/integrity protection with the sPDG;
(i) the UE starting moving into another PLMN;
(j) the UE associating with the tWLAN AP, obtaining the post-PANA address (PRPA) from the tWLAN AP and sending PANA-PAA-Discover;
(k) the tPDG sending a PANA-Start-Request message after receiving the PANA-PAA-Discover;
(l) the UE sending the PANA-Start-Answer with the PANA Session Identifier in response to the PANA-Start-Request message from the tPDG;
(m) the tWLAN AP including its ID and the ciphering layer and forwarding it to the tPDG when the PANA-Start-Answer is received by the tWLAN AP;
(n) the tPDG including its ID and the ciphering/integrity protection layer and forwarding it to the PAA if the tPDG is an EP;
(o) the tPDG, using the PANA session identifier, contacting the sPDG and retrieving the PANA Session Context of the UE;
(p) the PAA deriving and distributing keys for the EP list after successful retrieval, according to the ciphering/integrity protection layer mentioned in the PANA-Start-Request, and allowing the UE to access both WLAN 3GPP IP Access and WLAN Direct IP Access;
(q) the sPDG sending the Post-PANA IP Address to the UE after the PANA-Bind exchange signals, and the UE establishing the L2 ciphering/integrity protection with the WLAN AP and L3 ciphering/integrity protection with the tPDG;
(r) the tPDG intimating the current location to the AAA and requesting the AAA to update the current location of the UE; and
(s) the AAA optionally requesting the sPDG to release the resources allocated to the UE.

7. A method using PANA for bootstrapping authentication and key agreement for application security in GBA, comprising:
(a) starting authentication by initiating the PAA discovery and sending it directly to the BSF;
(b) the BSF initiating the authentication procedure once the BSF receives the PAA discovery message; and
(c) the UE and the BSF mutually authenticating using AKA or alternatively the EAP-AKA procedure and agreeing on a session key;
where the NAF key derivation is as specified in the 3GPP specification, or alternatively the NAF key derivation is according to the PAC_EP_Master_KEY derivation as specified by PANA, and the BSF uses the PANA session identifier as the Bootstrapping Transaction Identifier (B-TID).

8. A system to provide the network access authentication using PANA for l-WLAN and LTE/SAE access systems with optimized mobility support enabling PANA to handle a mixture of layer 2 and layer 3 ciphering/integrity protection EPs within the network and also to intimate the ciphering/integrity protection layer to the PAA by the EPs, comprising:
(a) a PAA to distribute the keys according to the ciphering/integrity protection layer wherein for the Inter RAT mobility between the EUMTS and l-WLAN;
(b) a UE doing a pre-authentication to reduce the handoff latency, if the UE is capable of simultaneous access of both the access technologies.

9. A system using PANA for bootstrapping authentication and key agreement for application security in GBA, comprising:
(a) the BSF initiating the authentication procedure once the BSF receives the PAA discovery message; and
(b) the UE mutually authenticating with the BSF using AKA or alternatively the EAP-AKA procedure and agreeing on a session key;
where the NAF key derivation is as specified in the 3GPP specification, or alternatively the NAF key derivation is according to the PAC_EP_Master_KEY derivation as specified by PANA, and the BSF uses the PANA session identifier as the Bootstrapping Transaction Identifier (B-TID).

10. A method to provide the network access authentication using PANA for l-WLAN and LTE/SAE access systems with optimized mobility support enabling PANA substantially as described with respect to the accompanying drawings.

11. A method using PANA for bootstrapping authentication and key agreement for application security in GBA substantially as described with respect to the accompanying drawings.

12. A system to provide the network access authentication using PANA for l-WLAN and LTE/SAE access systems with optimized mobility support enabling PANA substantially as described with respect to the accompanying drawings.

13. A system using PANA for bootstrapping authentication and key agreement for application security in GBA substantially as described with respect to the accompanying drawings. |

Patent Number | 269815
---|---
Indian Patent Application Number | 1789/CHE/2005
PG Journal Number | 46/2015
Publication Date | 13-Nov-2015
Grant Date | 09-Nov-2015
Date of Filing | 06-Dec-2005
Name of Patentee | SAMSUNG R&D INSTITUTE INDIA-BANGALORE PRIVATE LIMITED
Applicant Address | #2870 ORION BUILDING BAGMANE CONSTELLATION BUSINESS PARK OUTER RING ROAD DODDANEKUNDI CIRCLE MARATHAHALLI POST BANGALORE 560037
Inventors | 
PCT International Classification Number | H04B1/00
PCT International Application Number | N/A
PCT International Filing date | 
PCT Conventions | 