
EP-4233271-B1 - METHOD AND DEVICE FOR AUTHENTICATING ACCESS STRATUM IN NEXT GENERATION WIRELESS COMMUNICATION SYSTEM


Inventors

  • JE, Donghyun
  • JUNG, JUNGSOO

Dates

Publication Date
2026-05-06
Application Date
2021-11-24

Claims (12)

  1. A method of a user equipment, UE, for a mutual authentication operation in an access stratum, AS, section in a wireless communication system, the method comprising: transmitting, to a base station, a first message including a first random value; receiving, from the base station, a second message including a second random value and a base station certificate for the base station, in response to transmitting the first message; transmitting, to the base station, a certificate revocation information request message to receive revocation information for the base station certificate from a certificate verification server; receiving, from the base station, a certificate revocation information response message including the revocation information for the base station certificate; determining whether the base station certificate is valid based on information included in the base station certificate and the revocation information for the base station certificate; transmitting, to the base station, a third message including a UE certificate and a temporary session key based on a determination that the base station certificate is valid; and receiving, from the base station, a fourth message indicating that the mutual authentication operation between the UE and the base station is completed in case that an authentication operation of the UE certificate is completed, wherein a session key for the base station is generated based on the first random value, the second random value, and the temporary session key, and wherein the revocation information for the base station certificate is a credential revocation list, CRL, indicating a certificate revocation list and the revocation information for the base station certificate is identified per registration area, RA, or per tracking area, TA, based on location information for at least one base station and movement information for at least one UE, wherein the CRL includes a registration area, RA, or a tracking area, TA.
  2. The method of claim 1, wherein the certificate revocation information request message is encrypted based on at least one of a private key of the UE, a hash function, or an operator public key.
  3. The method of claim 2, wherein the certificate revocation information request message is encrypted along with at least one of identification information for an entity transmitting the certificate revocation information request message or time information for transmission of the certificate revocation information request message.
  4. The method of claim 1, wherein the certificate revocation information response message is encrypted based on at least one of an operator private key, a hash function, or an operator public key.
  5. The method of claim 4, wherein the certificate revocation information response message is encrypted along with at least one of identification information for an entity receiving the certificate revocation information response message or time information for transmission of the certificate revocation information response message.
  6. The method of claim 1, further comprising: performing the mutual authentication operation with another base station based on a determination that the base station certificate is invalid; transmitting, to a certificate verification server, an authentication failure report message indicating a failure of the mutual authentication operation with the base station in case that the mutual authentication operation with the other base station is completed; and receiving, from the certificate verification server, an authentication failure report response message in response to transmitting the authentication failure report message.
  7. A method of a base station for a mutual authentication operation in an access stratum, AS, section in a wireless communication system, the method comprising: receiving, from a UE, a first message including a first random value; transmitting, to the UE, a second message including a second random value and a base station certificate for the base station, in response to receiving the first message; receiving, from the UE, a certificate revocation information request message to receive revocation information for the base station certificate from a certificate verification server; transmitting, to the UE, a certificate revocation information response message including the revocation information for the base station certificate; receiving, from the UE, a third message including a UE certificate and a temporary session key in case that an authentication operation of the base station certificate is completed; determining whether the UE certificate is valid based on information included in the UE certificate; and transmitting, to the UE, a fourth message indicating that the mutual authentication operation between the UE and the base station is completed based on a determination that the UE certificate is valid, wherein a session key for the base station is generated based on the first random value, the second random value, and the temporary session key, and wherein the revocation information for the base station certificate is a credential revocation list, CRL, indicating a certificate revocation list and the revocation information for the base station certificate is identified per registration area, RA, or per tracking area, TA, based on location information for at least one base station and movement information for at least one UE, wherein the CRL includes a registration area, RA, or a tracking area, TA.
  8. The method of claim 7, wherein the certificate revocation information request message is encrypted based on at least one of a private key of the UE, a hash function, or an operator public key, and wherein the certificate revocation information response message is encrypted based on at least one of an operator private key, a hash function, or an operator public key.
  9. The method of claim 7, wherein the revocation information for the base station certificate is managed per registration area, RA, or per tracking area, TA, based on location information for at least one base station and movement information for at least one UE.
  10. A user equipment, UE, for performing a mutual authentication operation in an access stratum, AS, section in a wireless communication system, the UE comprising: a transceiver; and a controller coupled with the transceiver and configured to control the transceiver to: transmit, to a base station, a first message including a first random value, receive, from the base station, a second message including a second random value and a base station certificate for the base station, in response to transmitting the first message, transmit, to the base station, a certificate revocation information request message to receive revocation information for the base station certificate from a certificate verification server, receive, from the base station, a certificate revocation information response message including the revocation information for the base station certificate, determine whether the base station certificate is valid based on information included in the base station certificate and the revocation information for the base station certificate, transmit, to the base station, a third message including a UE certificate and a temporary session key based on a determination that the base station certificate is valid, and receive, from the base station, a fourth message indicating that the mutual authentication operation between the UE and the base station is completed in case that an authentication operation of the UE certificate is completed, wherein a session key for the base station is generated based on the first random value, the second random value, and the temporary session key, and wherein the revocation information for the base station certificate is a credential revocation list, CRL, indicating a certificate revocation list and the revocation information for the base station certificate is identified per registration area, RA, or per tracking area, TA, based on location information for at least one base station and movement information for at least one UE, wherein the CRL includes a registration area, RA, or a tracking area, TA.
  11. The UE of claim 10, wherein the certificate revocation information request message is encrypted based on at least one of a private key of the UE, a hash function, or an operator public key, and wherein the certificate revocation information response message is encrypted based on at least one of an operator private key, a hash function, or an operator public key.
  12. A base station for performing a mutual authentication operation in an access stratum, AS, section in a wireless communication system, comprising: a transceiver; and a controller coupled with the transceiver and configured to control the transceiver to: receive, from a UE, a first message including a first random value, transmit, to the UE, a second message including a second random value and a base station certificate for the base station, in response to receiving the first message, receive, from the UE, a certificate revocation information request message to receive revocation information for the base station certificate from a certificate verification server, transmit, to the UE, a certificate revocation information response message including the revocation information for the base station certificate, receive, from the UE, a third message including a UE certificate and a temporary session key in case that an authentication operation of the base station certificate is completed, determine whether the UE certificate is valid based on information included in the UE certificate, and transmit, to the UE, a fourth message indicating that the mutual authentication operation between the UE and the base station is completed based on a determination that the UE certificate is valid, wherein a session key for the base station is generated based on the first random value, the second random value, and the temporary session key, and wherein the revocation information for the base station certificate is a credential revocation list, CRL, indicating a certificate revocation list and the revocation information for the base station certificate is identified per registration area, RA, or per tracking area, TA, based on location information for at least one base station and movement information for at least one UE, wherein the CRL includes a registration area, RA, or a tracking area, TA.
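The following is a worked example added for this page, not code from the patent or from the applicant, that runs the four-message access stratum exchange of claims 1 and 7 against real X.509 certificates and a real CRL using only the Go standard library. It assumes a single operator root that issues the base station (gNB) and UE certificates and signs one CRL per tracking area, as the claims describe for revocation information identified per TA; every name, serial number and tracking-area label is constructed. The temporary key travels in the third message as random bytes, exactly as claim 1 states, and HMAC-SHA256 keyed with it over the two random values stands in for the key derivation function the claims leave unspecified. The protection of the CRL request and response messages (claims 2 to 5) and the failure report of claim 6 are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// entity is one PKI participant (operator CA, gNB or UE); every fixture in this file is constructed.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue makes a P-256 key and certificate signed by ca; ca == nil makes the self-signed operator root.
func issue(cn string, serial int64, ca *entity) *entity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca == nil}
	if ca == nil {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CRL issuer needs cRLSign
		ca = &entity{t, key}                                        // the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err) // fixture setup: only a malformed template fails here
	}
	cert, _ := x509.ParseCertificate(der)
	return &entity{cert, key}
}

// crlForTA is the certificate verification server's answer for one tracking area: a root-signed CRL of the gNB serials revoked there.
func crlForTA(ca *entity, number int64, revoked ...int64) []byte {
	rl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		rl.RevokedCertificates = append(rl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, rl, ca.cert, ca.key) // cannot fail: the root from issue() has cRLSign and a subject key id
	return der
}

// chainsToRoot checks that leaf was issued by root and is within its validity period at now.
func chainsToRoot(root, leaf *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// validateGNB is the UE's decision in claim 1: the chain, then the CRL's signature and freshness, then revocation status.
func validateGNB(root, gnb *x509.Certificate, crlDER []byte, now time.Time) error {
	if err := chainsToRoot(root, gnb, now); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return err
	case crl.CheckSignatureFrom(root) != nil:
		return errors.New("CRL not signed by the operator root")
	case now.After(crl.NextUpdate):
		return errors.New("stale CRL: NextUpdate has passed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(gnb.SerialNumber) == 0 {
			return errors.New("gNB certificate revoked")
		}
	}
	return nil
}

// handshake runs the four-message AS exchange at time now against the CRLs served per tracking area; it returns K = HMAC-SHA256(temp, n1 || n2) or the error on which the UE gives up.
func handshake(root, gnb, ue *entity, ta string, crls map[string][]byte, now time.Time) ([]byte, error) {
	n1, n2, temp := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	rand.Read(n1) // message 1, UE -> gNB: first random value
	rand.Read(n2) // message 2, gNB -> UE: second random value + gNB certificate
	crl, ok := crls[ta] // CRL request/response, scoped to the gNB's tracking area
	if !ok {
		return nil, errors.New("no CRL served for " + ta)
	}
	if err := validateGNB(root.cert, gnb.cert, crl, now); err != nil {
		return nil, err
	}
	rand.Read(temp) // message 3, UE -> gNB: UE certificate + temporary key
	if err := chainsToRoot(root.cert, ue.cert, now); err != nil { // the gNB's check of the UE certificate
		return nil, err
	}
	m := hmac.New(sha256.New, temp) // message 4: complete; both ends now hold temp, n1 and n2
	m.Write(append(n1, n2...))
	return m.Sum(nil), nil
}
```

Three points a practitioner should take from running this against the claim text. First, the claims say the UE transmits the temporary session key but not how it is protected; sent in clear, as above, it hands a passive listener the session key, so a deployment either encrypts it under the certified gNB key or replaces it with an ephemeral Diffie-Hellman share. Second, the base station only checks that the UE certificate is valid; nothing in the third message proves the sender holds the matching private key, so a signature over the two random values or a key confirmation in the fourth message is needed for the authentication to be mutual in practice. Third, because the per-TA CRL reaches the UE through the very base station being checked, the UE must verify the CRL's signature against the operator root and reject it once NextUpdate has passed, which is what validateGNB does, rather than trust it because it arrived over the same link as the certificate.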

Description

[Technical Field]
The disclosure relates to a method and device for mutual authentication between a UE and a base station based on a public key infrastructure (PKI) upon initial connection between a wireless device and a base station in a next-generation mobile communication system.

[Background Art]
Wireless communication technologies have been developed mainly for human services, such as voice, multimedia, and data communication. As 5th-generation (5G) communication systems become commercially available, the number of connected devices is expected to increase explosively. Examples of things connected to a network include vehicles, robots, drones, home appliances, displays, smart sensors installed in various infrastructures, construction machinery, and factory equipment. Mobile devices will evolve into various form factors, such as augmented reality glasses, virtual reality headsets, and hologram devices. In the 6th-generation (6G) era, efforts are being made to develop an enhanced 6G communication system that provides various services by connecting hundreds of billions of devices and things. For this reason, the 6G communication system is also called a beyond-5G system. In the 6G communication system expected to be realized around the year 2030, the maximum transmission rate is 1 terabit (1,000 gigabits) per second and the wireless latency is 100 microseconds (µs); in other words, the transmission rate is 50 times that of the 5G communication system and the wireless latency is reduced to one tenth. To achieve these high data rates and ultra-low latency, 6G communication systems are expected to be implemented in terahertz bands (e.g., 95 gigahertz (95 GHz) to 3 terahertz (3 THz)).
As path loss and atmospheric absorption worsen in the terahertz band compared with the millimeter wave (mmWave) band introduced in 5G, technology that guarantees signal reach, that is, coverage, becomes more important. As major techniques for ensuring coverage, multi-antenna transmission techniques need to be developed, such as new waveforms, beamforming, massive multiple-input and multiple-output (MIMO), full-dimensional MIMO (FD-MIMO), array antennas, and large-scale antennas, which exhibit better coverage characteristics than conventional radio frequency (RF) devices and orthogonal frequency division multiplexing (OFDM). New technologies, such as metamaterial-based lenses and antennas, high-dimensional spatial multiplexing using orbital angular momentum (OAM), and reconfigurable intelligent surfaces (RIS), are being discussed to enhance the coverage of terahertz-band signals. To enhance the spectral efficiency and the system network of 6G communication systems, the following are also being developed: full-duplex technology in which uplink and downlink use the same frequency resource at the same time; network technology that comprehensively uses satellites and high-altitude platform stations (HAPSs); network architecture innovation that enables optimization and automation of network operation and supports mobile base stations; dynamic spectrum sharing through collision avoidance based on prediction of spectrum usage; artificial intelligence (AI)-based communication technology that uses AI from the design stage and internalizes end-to-end AI support functions to optimize the system; and next-generation distributed computing technology that realizes services beyond the limits of the UE's computation capability through ultra-high-performance communication and mobile edge computing (MEC) or clouds.
Further, continuous attempts have been made to reinforce connectivity between devices, further optimize the network, implement network entities in software, and increase the openness of wireless communication through the design of new protocols for 6G communication systems, the implementation of a hardware-based security environment, the development of mechanisms for using data safely, and the development of technology for maintaining privacy. Such research and development efforts would realize the next hyper-connected experience through the hyper-connectivity of 6G communication systems, which encompass human-to-thing as well as thing-to-thing connections. Specifically, the 6G communication system would be able to provide services such as truly immersive extended reality (XR), high-fidelity mobile holograms, and digital replicas. Further, services such as remote surgery, industrial automation, and emergency response would be provided through the 6G communication system thanks to enhanced security and reliability, with applications in the medical, automotive, and home appliance industries. Jingjing Zhang et al.: "Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif"; IEEE Access, disclos