
US-12627490-B2 - Rekeying in authentication and key management for applications in communication network

US 12627490 B2

Abstract

Techniques for authentication and key management for applications (AKMA) in a communication network are disclosed. For example, a method comprises receiving an indication from an application function that a first expiry time of a first application function key, generated using a first random value and configured to enable user equipment to participate in a session with the application function, has expired. The method generates a second application function key for the application function, using a second random value, with a second expiry time.

Inventors

  • Ranganathan Mavureddi Dhanasekaran
  • Saurabh KHARE
  • Suresh Nair

Assignees

  • NOKIA TECHNOLOGIES OY

Dates

Publication Date
2026-05-12
Application Date
2023-04-27

Claims (20)

  1. An apparatus comprising: at least one processor and at least one memory including computer program code; the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus at least to: receive an indication from an application function that a first expiry time of a first application function key, configured to enable user equipment to participate in a session with the application function, has expired, the first application function key being generated using a first random value and one or more parameters of a current Authentication and Key Management for Applications (AKMA) context associated with the user equipment; and generate a second application function key for the application function, using a second random value and based on the one or more parameters of the current AKMA context associated with the user equipment, with a second expiry time.
  2. The apparatus of claim 1, wherein the one or more parameters of the current AKMA context associated with the user equipment comprise an identifier of the application function and an AKMA anchor key.
  3. The apparatus of claim 1, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to send the second application function key, the second random value, and the second expiry time to the application function.
  4. The apparatus of claim 1, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to send the second random value in a key update request to a network entity configured to provide a unified data management function.
  5. The apparatus of claim 4, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to receive a key update response from the network entity.
  6. The apparatus of claim 5, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to, when the key update response is indicative that the user equipment successfully generated the second application function key based on updated parameters provided thereto by the network entity, send the second application function key, the second random value, and the second expiry time to the application function.
  7. The apparatus of claim 1, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to determine which one of a plurality of procedures to initiate to update the user equipment with the second random value, wherein the determination is based on a security protocol supported by the user equipment.
  8. A method comprising: receiving, at a network entity configured to provide an anchor function, an indication from an application function that a first expiry time of a first application function key, configured to enable user equipment to participate in a session with the application function, has expired, the first application function key being generated using a first random value and one or more parameters of a current Authentication and Key Management for Applications (AKMA) context associated with the user equipment; and generating, at the network entity, a second application function key for the application function, using a second random value and the one or more parameters of the current AKMA context associated with the user equipment, with a second expiry time.
  9. An article of manufacture comprising a non-transitory computer-readable storage medium having embodied therein executable program code that when executed by a processor causes the processor to perform the step of claim 8.
  10. An apparatus comprising: at least one processor and at least one memory including computer program code; the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus at least to: send, to a network entity configured to provide an anchor function, an indication that a first expiry time of a first application function key, configured to enable user equipment to participate in a session with the apparatus, has expired, the first application function key being generated by the network entity using a first random value and one or more parameters of a current Authentication and Key Management for Applications (AKMA) context associated with the user equipment; and receive, from the network entity, a second application function key, a second random value, and a second expiry time, wherein the second application function key is generated by the network entity using the second random value and the one or more parameters of the current AKMA context associated with the user equipment.
  11. The apparatus of claim 10, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to send the second random value to the user equipment to enable the user equipment to generate the second application function key.
  12. The apparatus of claim 10, wherein the second application function key, the second random value, and the second expiry time, are received from the network entity following the network entity receiving an indication that the user equipment successfully generated the second application function key based on updated parameters.
  13. An apparatus comprising: at least one processor and at least one memory including computer program code; the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus at least to: in response to expiration of a first application function key, generated based on a first random value and one or more parameters of a current Authentication and Key Management for Applications (AKMA) context associated with the apparatus and configured to enable the apparatus to participate in a session with an application function, receive a second random value; and generate a second application function key based on the second random value and the one or more parameters of the current AKMA context associated with the apparatus.
  14. The apparatus of claim 13, wherein the second random value is received from the application function.
  15. The apparatus of claim 13, wherein the second random value is received from a network entity configured to operate as a unified data management function.
  16. The apparatus of claim 15, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to send an indication of successful generation of the second application function key to the network entity.
  17. The apparatus of claim 13, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus to re-initiate communication with the application function based on the generated second application function key.
  18. The apparatus of claim 13, wherein the one or more parameters of the current AKMA context associated with the apparatus comprise an identifier of the application function and an AKMA anchor key.
  19. The method of claim 8, wherein the one or more parameters of the current AKMA context associated with the user equipment comprise an identifier of the application function and an AKMA anchor key.
  20. The apparatus of claim 10, wherein the one or more parameters of the current AKMA context associated with the user equipment comprise an identifier of the application function and an AKMA anchor key.
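The claims above describe one exchange: the AF reports that its application key has expired, the anchor function derives a second key from a fresh random value over the unchanged AKMA context (anchor key plus AF identifier), hands key, random value and expiry back to the AF, and the UE regenerates the same key once it receives the random value. The following Python simulation of that exchange is an added example written for this page, not code from the patent, from Nokia or from 3GPP. Everything the page does not specify is an assumption here: the key derivation uses the 3GPP generic KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1) with the random value fed in as a second parameter, the FC byte 0x82, 16-byte random values, the AF identifier and SUPI strings, a lifetime in seconds, and the sanity check that rejects an expiry indication for a key that is still valid.

```python
# Added example for this page (not the patent's, Nokia's or 3GPP's code).
# Assumed, not given on the page: the KDF layout, FC_AF, RAND length,
# the identifiers used and the premature-rekey check in AAnF.rekey().
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

FC_AF = 0x82  # assumed FC byte for the K_AF derivation (illustrative)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_af(k_akma: bytes, af_id: bytes, rand: bytes) -> bytes:
    """K_AF bound to the current AKMA context (anchor key and AF identifier, as
    in claims 2 and 18-20) and to a random value; only the RAND changes on rekey."""
    return kdf(k_akma, FC_AF, af_id, rand)


@dataclass
class AfKey:
    k_af: bytes
    rand: bytes
    expiry: int  # absolute time in seconds


class AAnF:
    """Anchor function: holds K_AKMA per UE and generates application keys."""

    def __init__(self, lifetime: int) -> None:
        self.k_akma: dict[str, bytes] = {}
        self.lifetime = lifetime

    def issue(self, supi: str, af_id: bytes, now: int) -> AfKey:
        rand = os.urandom(16)  # assumed RAND size
        return AfKey(derive_k_af(self.k_akma[supi], af_id, rand), rand, now + self.lifetime)

    def rekey(self, supi: str, af_id: bytes, expired: AfKey, now: int) -> AfKey:
        """Claims 1 and 8: after the AF reports expiry, derive a second K_AF from a
        fresh RAND and the unchanged context; K_AKMA is untouched, so no
        reauthentication is needed. The expiry check is an added sanity check."""
        if now < expired.expiry:
            raise ValueError("AF reported expiry of a key that is still valid")
        return self.issue(supi, af_id, now)


class UE:
    """User equipment: shares K_AKMA with the AAnF and regenerates K_AF from RAND."""

    def __init__(self, supi: str, k_akma: bytes) -> None:
        self.supi, self.k_akma = supi, k_akma
        self.k_af: Optional[bytes] = None

    def on_rand(self, af_id: bytes, rand: bytes) -> bytes:
        """Claims 13-14: receive the second RAND (here via the AF) and regenerate K_AF."""
        self.k_af = derive_k_af(self.k_akma, af_id, rand)
        return self.k_af


class AF:
    """Application function: owns the session key and reports its expiry."""

    def __init__(self, af_id: bytes, aanf: AAnF) -> None:
        self.af_id, self.aanf = af_id, aanf
        self.key: Optional[AfKey] = None

    def ensure_key(self, ue: UE, now: int) -> AfKey:
        if self.key is None:
            self.key = self.aanf.issue(ue.supi, self.af_id, now)
        elif now >= self.key.expiry:
            # Claim 10: indicate expiry, receive K_AF2, RAND2 and the second expiry.
            self.key = self.aanf.rekey(ue.supi, self.af_id, self.key, now)
        ue.on_rand(self.af_id, self.key.rand)  # claim 11: forward RAND to the UE
        return self.key


def run_rekey_flow(lifetime: int = 3600) -> dict:
    """One initial key issue, then one expiry-triggered rekey; returns the
    properties a practitioner would check on the exchange."""
    k_akma = os.urandom(32)  # constructed anchor key from a prior primary authentication
    supi = "imsi-001010123456789"  # constructed identifier
    aanf = AAnF(lifetime)
    aanf.k_akma[supi] = k_akma
    ue = UE(supi, k_akma)
    af = AF(b"app.example.com:443", aanf)  # assumed AF identifier
    first = af.ensure_key(ue, now=1_000)
    ue_key_1 = ue.k_af
    second = af.ensure_key(ue, now=1_000 + lifetime)  # first key has just expired
    return {
        "ue_matches_af_first": ue_key_1 == first.k_af,
        "ue_matches_af_second": ue.k_af == second.k_af,
        "key_changed": first.k_af != second.k_af,
        "rand_changed": first.rand != second.rand,
        "anchor_unchanged": aanf.k_akma[supi] == k_akma,
        "second_expiry": second.expiry,
    }


if __name__ == "__main__":
    print(run_rekey_flow())
```

The point to take from the run is the last two entries: the anchor key never changes, so the UE needs only the new random value to land on the same second key as the AF, and the second expiry is set relative to the rekey time rather than the first issue. The check in `rekey()` that refuses a premature expiry indication is not in the claims; it is the kind of guard an AAnF implementer would add so that a misbehaving or compromised AF cannot force unlimited key churn.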

Description

FIELD

The field relates generally to communication networks, and more particularly, but not exclusively, to security management in such communication networks.

BACKGROUND

This section introduces aspects that may be helpful in facilitating a better understanding of the inventions. Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is in the prior art or what is not in the prior art.

Fourth generation (4G) wireless mobile telecommunications technology, also known as Long Term Evolution (LTE) technology, was designed to provide high capacity mobile multimedia with high data rates particularly for human interaction. Next generation or fifth generation (5G) technology is intended to be used not only for human interaction, but also for machine type communications in so-called Internet of Things (IoT) networks. While 5G networks are intended to enable massive IoT services (e.g., very large numbers of limited capacity devices) and mission-critical IoT services (e.g., requiring high reliability), improvements over legacy mobile communication services are supported in the form of enhanced mobile broadband (eMBB) services providing improved wireless Internet access for mobile devices.

In an example communication system, user equipment (5G UE in a 5G network or, more broadly, a UE) such as a mobile terminal (subscriber) communicates over an air interface with a base station or access point of an access network referred to as a 5G AN in a 5G network. The access point (e.g., gNB) is illustratively part of an access network of the communication system. For example, in a 5G network, the access network referred to as a 5G AN is described in 5G Technical Specification (TS) 23.501, entitled “Technical Specification Group Services and System Aspects; System Architecture for the 5G System,” and TS 23.502, entitled “Technical Specification Group Services and System Aspects; Procedures for the 5G System (5GS),” the disclosures of which are incorporated by reference herein in their entireties. In general, the access point (e.g., gNB) provides access for the UE to a core network (CN or 5GC), which then provides access for the UE to other UEs and/or a data network such as a packet data network (e.g., Internet). TS 23.501 goes on to define a 5G Service-Based Architecture (SBA) which models services as network functions (NFs) that communicate with each other using representational state transfer application programming interfaces (Restful APIs). Furthermore, 5G Technical Specification (TS) 33.501, entitled “Technical Specification Group Services and System Aspects; Security Architecture and Procedures for the 5G System,” the disclosure of which is incorporated by reference herein in its entirety, further describes security management details associated with a 5G network.

Security management is an important consideration in any communication system. However, due to continuing attempts to improve the architectures and protocols associated with a 5G network in order to increase network efficiency and/or subscriber convenience, security management issues associated with access to application functions can present a significant challenge.

SUMMARY

Illustrative embodiments provide rekeying techniques for authentication and key management for applications (AKMA) in a communication network.

For example, in one illustrative embodiment, a method comprises receiving an indication from an application function that a first expiry time of a first application function key, generated using a first random value and configured to enable user equipment to participate in a session with the application function, has expired. The method generates a second application function key for the application function, using a second random value, with a second expiry time.

Further illustrative embodiments are provided in the form of a non-transitory computer-readable storage medium having embodied therein executable program code that when executed by a processor causes the processor to perform the above steps. Still further illustrative embodiments comprise apparatus with a processor and a memory configured to perform the above steps.

Advantageously, illustrative embodiments provide for AKMA procedures to generate a new application function key (rekey) for an application function session between a UE and a specific application function without the need to reauthenticate, thus avoiding a need to update other keys associated with a current AKMA context.

These and other features and advantages of embodiments described herein will become more apparent from the accompanying drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a communication system with which one or more illustrative embodiments may be implemented.

FIG. 2 illustrates user equipment and network entities with which one or more illustrative embodiments may be implemented.

FIG. 3A illu