EP-4199565-B1 - CERTIFICATE-BASED LOCAL UE AUTHENTICATION
Inventors
- SCHNEIDER, PETER
- MAVUREDDI DHANASEKARAN, Ranganathan
Dates
- Publication Date: 20260506
- Application Date: 20221216
Claims (15)
- An apparatus comprising means for performing: checking (S120) whether a terminal receives, using an established security association between the terminal and a first base station, from the first base station, a first local authentication certificate, wherein the first local authentication certificate comprises a public key of the terminal, a public key of the first base station, and a base station identifier of the first base station; storing (S130) the first local authentication certificate if the terminal receives the first local authentication certificate; monitoring (S140) whether the terminal is to be authenticated; and if the terminal is to be authenticated: retrieving (S150) the public key of the first base station and the base station identifier from the first local authentication certificate; encrypting (S160) a certificate unit with the public key of the first base station to create an encrypted certificate unit, wherein the certificate unit comprises the first local authentication certificate; and sending (S170), to a second base station, a request for local authentication of the terminal, wherein the request for local authentication comprises the encrypted certificate unit and the base station identifier, and the base station identifier is not encrypted in the request for local authentication.
- The apparatus according to claim 1, wherein the local authentication certificate further comprises a key identifier; and wherein the means are further configured to perform: retrieving the key identifier from the first local authentication certificate; and sending the key identifier in the request for local authentication, wherein the key identifier is not encrypted in the request for local authentication.
- The apparatus according to any of claims 1 and 2, wherein the means are further configured to perform: selecting a nonce; and at least one of protecting an uplink message from the terminal to the second base station using the nonce and the communication comprises the uplink message; or verifying a downlink message received from the second base station to the terminal using the nonce and the communication comprises the downlink message; wherein the certificate unit comprises a combination of the first local authentication certificate and the nonce.
- The apparatus according to claim 3, wherein the means are further configured to perform: determining the base station as authenticated if the downlink message from the second base station to the terminal is verified using the nonce.
- The apparatus according to any of claims 1 to 4, wherein the means are further configured to perform: generating a pair of a private key of the terminal and the public key of the terminal belonging to the private key of the terminal; and sending the public key of the terminal to the first base station using the established security association prior to the checking whether the terminal receives, using the established security association, the first local authentication certificate.
- The apparatus according to any of claims 1 to 5, wherein the means are further configured to perform: checking, for each one of plural base stations including the first base station, whether the terminal receives, using a respective established security association between the terminal and the respective base station, from the respective base station, a respective local authentication certificate, wherein the respective local authentication certificate comprises a respective public key of the terminal, a public key of the respective base station, and a base station identifier of the respective base station; storing, for each one of the plural base stations, the respective local authentication certificate if the terminal receives the respective local authentication certificate; and selecting one of the stored plural local authentication certificates as the first local authentication certificate.
- An apparatus comprising means for performing: generating (S220) a local authentication certificate, wherein the local authentication certificate comprises an identifier of a base station, a public key of the base station, and a public key of a terminal; signing (S230) the local authentication certificate by a signature based on a private key of the base station, wherein the private key of the base station is belonging to the public key of the base station; sending (S240) the signed local authentication certificate to the terminal using an established security association between the base station and the terminal; monitoring (S250) whether the base station receives a request for local authentication of the terminal, wherein the request for local authentication comprises an encrypted certificate unit and a base station identifier; checking (S260), without decrypting the received base station identifier, whether the received base station identifier is the identifier of the base station if the base station receives the request for local authentication; decrypting (S270) the encrypted certificate unit using the private key of the base station to create a certificate unit if the received base station identifier is the identifier of the base station; checking (S280) whether the certificate unit comprises the local authentication certificate signed by the signature; and using (S290) the public key of the terminal for a communication with the terminal if the certificate unit comprises the local authentication certificate signed by the signature.
- The apparatus according to claim 7, wherein the local authentication certificate comprises additionally a key identifier; the key identifier identifies the public key of the base station; and the received request for local authentication comprises a received key identifier; wherein the means are further configured to perform: using the private key of the base station belonging to the public key of the base station identified by the received key identifier to decrypt the encrypted certificate unit.
- The apparatus according to any of claims 7 to 8, wherein the means are further configured to perform: retrieving a nonce from the certificate unit; and at least one of protecting a downlink message to the terminal using the nonce, wherein the communication comprises the downlink message; and verifying an uplink message received from the terminal using the nonce, wherein the communication comprises the uplink message.
- The apparatus according to any of claims 7 to 9, wherein the means are further configured to perform: receiving the public key of the terminal using the security association prior to the generating the local authentication certificate.
- The apparatus according to any of claims 7 to 10, wherein the local authentication certificate comprises a policy, and the means are further configured to perform: authorizing the terminal to a service based on the policy.
- An apparatus comprising means for performing: generating (S320) a local authentication certificate, wherein the local authentication certificate comprises plural information elements including an identifier of a first base station, a public key of the first base station, and a public key of a terminal; signing (S330) the local authentication certificate by a signature based on a private key of the first base station, wherein the private key of the first base station belongs to the public key of the first base station; sending (S340) the signed local authentication certificate to the terminal using an established security association between the first base station and the terminal; monitoring (S350) whether the first base station receives, from a second base station, a request to decrypt an encrypted certificate unit; decrypting (S360) the encrypted certificate unit using the private key of the first base station to create a certificate unit if the first base station receives the request to decrypt the encrypted certificate unit; checking (S370) whether the certificate unit comprises the local authentication certificate signed by the signature; and providing (S380) at least a subset of the information elements comprised by the local authentication certificate in response to the received request if the certificate unit comprises the local authentication certificate signed by the signature, wherein the subset includes the public key of the terminal.
- The apparatus according to claim 12, wherein the information elements comprised by the local authentication certificate include additionally a key identifier; the key identifier identifies the public key of the first base station; the received request to decrypt the encrypted certificate unit comprises a received key identifier; wherein the means are further configured to perform: using the private key belonging to the public key identified by the received key identifier to decrypt the encrypted certificate unit.
- The apparatus according to any of claims 12 to 13, wherein the certificate unit comprises a nonce in addition to the local authentication certificate, and the means are further configured to perform: providing the nonce in response to the received request if the certificate unit comprises the nonce.
- The apparatus according to any of claims 1 to 14, wherein the means comprise at least one processor (810); and at least one memory (820) including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.
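The exchange of claims 1 and 7, with the nonce of claims 3 and 9, as an added Python sketch that is not part of the patent text. It covers the case where the base station receiving the request is the one that issued the certificate. Assumptions: the third-party `cryptography` package, one P-256 key pair per base station used for both ECDSA signing and ECIES-style hybrid encryption (ECDH, HKDF, AES-GCM), a 4-byte base station identifier, a fixed-width byte layout, and all class and function names.

```python
# Added sketch of the claimed exchange; names and byte layout are assumptions.
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256R1()
ID_LEN, PUB_LEN, NONCE_LEN = 4, 65, 16          # assumed fixed-width fields
BODY_LEN = ID_LEN + 2 * PUB_LEN                 # BS id || BS public key || UE public key
IV = bytes(12)  # fixed IV is safe only because every request uses a fresh ephemeral key

def raw(pub):
    """Public key as a 65-byte uncompressed point."""
    return pub.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)

def aead(priv, peer_pub):
    """ECDH + HKDF -> AES-256-GCM (hybrid scheme chosen here, not taken from the claims)."""
    shared = priv.exchange(ec.ECDH(), peer_pub)
    key = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"local-auth").derive(shared)
    return AESGCM(key)

class BaseStation:
    def __init__(self, bs_id):
        self.bs_id, self.key = bs_id, ec.generate_private_key(CURVE)

    def issue(self, ue_pub):                     # S220-S240: build, sign, hand to the UE
        body = self.bs_id + raw(self.key.public_key()) + ue_pub
        return body + self.key.sign(body, ec.ECDSA(hashes.SHA256()))

    def authenticate(self, req):                 # S260-S290
        if req["bs_id"] != self.bs_id:           # S260: identifier is compared in the clear
            return None
        try:
            eph = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, req["eph"])
            unit = aead(self.key, eph).decrypt(IV, req["ct"], None)             # S270
            cert, nonce = unit[:-NONCE_LEN], unit[-NONCE_LEN:]
            body, sig = cert[:BODY_LEN], cert[BODY_LEN:]
            self.key.public_key().verify(sig, body, ec.ECDSA(hashes.SHA256()))  # S280
        except (ValueError, InvalidTag, InvalidSignature):
            return None
        return body[ID_LEN + PUB_LEN:], nonce    # S290: UE public key, plus the claim 9 nonce

def ue_request(cert, nonce):                     # S150-S170, terminal side
    bs_id = cert[:ID_LEN]
    bs_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, cert[ID_LEN:ID_LEN + PUB_LEN])
    eph = ec.generate_private_key(CURVE)
    ct = aead(eph, bs_pub).encrypt(IV, cert + nonce, None)   # certificate unit = cert || nonce
    return {"bs_id": bs_id, "eph": raw(eph.public_key()), "ct": ct}
```

A request carrying another station's identifier is rejected before any private-key operation, and a certificate signed by a different key fails at decryption or signature verification.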
Description
Field of the invention
The present disclosure relates to local UE authentication.
Abbreviations
- 3GPP: 3rd Generation Partnership Project
- 5G/6G/7G: 5th/6th/7th Generation
- AMF: Access and Mobility Management Function
- ARPF: Access Credential Repository and Processing Function
- AS: Access Stratum
- AUSF: Authentication Server Function
- DH: Diffie-Hellman
- EAP: Extensible Authentication Protocol
- EC: Elliptic Curve
- ECC: Elliptic Curve Cryptosystem
- ECIES: Elliptic Curve Integrated Encryption Scheme
- FBS: Fake Base Station
- gNB: 5G base station
- HN: Home Network
- HTTPS: Hyper Text Transfer Protocol Secure
- ICB: Initial Counter Block
- ID: Identifier
- IKE: Internet Key Exchange
- IP: Internet Protocol
- IPsec: IP secure
- KDF: Key Derivative Function
- LTE: Long Term Evolution
- MAC: Message Authentication Code
- ME: Mobile Equipment
- NAS: Non Access Stratum
- PDCP: Packet Data Convergence Protocol
- PDU: Protocol Data Unit
- RAN: Radio Access Network
- RRC: Radio Resource Control
- SIDF: Subscription Identifier De-concealing Function
- SN: Serving Network
- SUCI: Subscription Concealed Identifier
- SUPI: Subscription Permanent Identifier
- TLS: Transport Layer Security
- TR: Technical Report
- TS: Technical Specification
- UDM: Unified Data Management
- UE: User Equipment
- USIM: Universal Subscriber Identity Module
- WWW: World Wide Web
Background
Mutual authentication between UE and network in 3GPP is based on a shared long-term key. On the network side, this key is stored at a central location, using the ARPF (Access Credential Repository and Processing Function). The ARPF is accessed via the UDM. Thus, an authentication run always requires connectivity and access to centralized components (UDM, ARPF). With 5G, increased Home Network (HN) control has been introduced, meaning that the authentication run always involves the HN. Unlike with LTE, it is no longer possible to pass a bunch of Authentication Vectors from HN to serving network (SN), to allow the SN to carry out additional authentication runs without contacting the HN. In 3GPP networks, it is up to the network's policy how often the authentication run is carried out.
It is good security practice to authenticate a UE on a regular basis, not only when the UE registers with the network, but also when the UE starts a new session or makes a new service request.

Note that former versions of 3GPP TS 33.501 mention in clause 6.13 the term "local authentication", in the context of a procedure that allows UE and gNB to inform each other about the current values of the counters for user plane packets. The term is a misnomer, as there is no authentication involved there. Consequently, the procedure is called "Signalling procedure for PDCP COUNT check" in current versions of 3GPP TS 33.501.

Between UE and network, 3GPP uses authentication based on a shared key. Many other crypto protocols such as TLS or IKE, however, use public/private key pairs for authentication. Two peers can mutually authenticate when both peers have a private/public key pair, and each peer knows the other peer's public key. Mostly, public keys are exchanged using certificates, where a trusted party asserts the mapping of a public key to an entity by means of a signed certificate.

3GPP UEs do not have private/public key pairs for authentication in public mobile networks nowadays. But in private 5G networks, EAP-TLS may be used as the authentication method. In that case each UE has a private/public key pair, and the network authenticates the UE based on this via the EAP-based authentication procedure involving AUSF/UDM. For public networks, 3GPP will probably stick to the current authentication mechanisms relying on the shared key provisioned on the USIM. An authentication solution that requires that all UEs are provisioned with private/public key pairs would be a major change that is unlikely to be adopted by 3GPP in the near future.

The use of a shared key for authentication between UE and network requires that the UE must tell its identity to the network before a secure connection can be established.
Mostly, only a temporary identity is used here, but in some situations, no temporary identity is assigned, and the permanent identity must be sent. Up to 4G, the permanent identity was sent in the clear. In 5G, 3GPP has introduced a mechanism by which a UE can encrypt its permanent identity, called the SUCI Scheme (see 3GPP TS 33.501, Annex C, for further details):

Elliptic Curve Integrated Encryption Scheme is used for concealment of the SUPI at UE and de-concealment at SIDF. Elliptic Curve Integrated Encryption Scheme (ECIES) encryption combines ECC based asymmetric cryptography with a symmetric cipher to provide data encryption by the EC private key and data decryption by the corresponding EC public key. All the symmetric keys can be derived in the UE and network independently. At UE, a key pair (Ephemeral public key and private key) is generated using a key pair generation primitive. Based on the Diffie-Hellman primitive, a shared secret key element is derived from the public key of HN (that is securely provisioned on the UE's USIM) and the generated ephemeral private key. Subsequen