US-20260129450-A1 - METHOD AND DEVICE FOR AUTHENTICATING A PRIMARY STATION

Abstract

The present invention relates to a method, apparatus, and system for secure communication wherein an end device is adapted to: receive a first system information message from or through a first primary station, decode the first system information message and obtaining a “protection field”, use the “protection field” to determine the location of “security information”, and use “security information” to verify the received message and/or first primary station and/or send a subsequent secure message to the first primary station or a third primary station.

Inventors

• Oscar Garcia Morchon

Assignees

• KONINKLIJKE PHILIPS N.V.

Dates

Publication Date

20260507

Application Date

20231011

Priority Date

20221014

Claims (20)

1. 1 . An apparatus comprising: a controller circuit; a receiver circuit; and a transmitter circuit, wherein the receiver circuit is arranged to receive a first system information message, wherein the first system information message is sent from or through a first primary station, wherein the controller circuit is arranged to decode the first system information message, wherein the controller circuit is arranged to obtain a protection field, wherein the controller circuit is arranged to use the protection field to determine a location of a security information, wherein the controller circuit is arranged to use security information to verify the received message and/or the first primary station and/or to cause the transmitter circuit to send a subsequent secure message to the first primary station or to a third primary station.
2. 2 . The apparatus of claim 1 , wherein the controller circuit is arranged to send a security information request to the first primary station or the third primary station, wherein the controller circuit is arranged to receive security information from the first primary station, wherein the controller circuit is arranged to use the received security information to verify the previously received first system information message or a second system information message received from a second primary station.
3. 3 . The apparatus of claim 2 , wherein the controller circuit is arranged to send the security information request based on the location of the security information.
4. 4 . The apparatus of claim 2 , wherein the controller circuit is arranged to send a security information request to a first primary station or a third primary station, wherein the security information request requires the security information for the verification of system information message, wherein the request is sent if at least one of the following conditions are met: the apparatus belongs to a type; the system information message is transmitted by a primary station with an identity; the system information message is transmitted at a time or a time frame; and the system information message is transmitted in an area.
5. 5 . The apparatus of claim 1 , wherein the security information of the first primary station is retrieved from a distributed ledger.
6. 6 . The apparatus of claim 2 , wherein the security information request is sent in an initial Physical Random Access Channel message.
7. 7 . The apparatus of claim 1 , wherein a freshness of the first system information message is verified by comparing the local time of the apparatus with the signing time of the security information after correction with the timing advance, wherein the timing advance is indicated by the primary station, wherein the timing advance is securely protected using the security information.
8. 8 . The apparatus of claim 1 , wherein the controller circuit is arranged to receive a second system information message, wherein the controller circuit is arranged to verify the second system information message based on the security information received to verify the first system information message.
9. 9 . The apparatus of claim 8 , wherein the controller circuit uses a Merkle tree structure to verify the second system information message.
10. 10 . The apparatus of claim 1 , wherein the protection field in the first system information message comprises a challenge, wherein the controller circuit uses the challenge, a first function P( ) and a secret internal state variable to verify the primary station.
11. 11 . The apparatus of claim 1 , wherein the protection field comprises at least one identities, wherein the controller circuit uses the at least on one identities to determine whether the controller circuit needs to further process the received first system information message.
12. 12 . The apparatus of claim 10 , wherein the secret internal state variable is updated based at least on the received challenge, the previous value of the secret internal state variable and a second function PP( ).
13. 13 . The apparatus of claim 1 , wherein the subsequent secure message comprises data that is confidentiality protected based on the information in the protection field, the secret internal state information, and a third variable PPP( ).
14. 14 . The apparatus of claim 1 , wherein the subsequent secure message is integrity protected and/or a proof of the new secret internal state is obtained based on the information in the protection field, the secret internal state information, and a fourth function PPPP( ).
15. 15 . The apparatus of claim 10 , wherein the first, second, third, and fourth functions are at least one of: a physical unclonable function; a list of challenge-response values stored in memory; a secret permutation; a hash function such as ASCON-HASH; an extendable output function such as ASCON-XOF; and an authenticated encryption algorithm such as ASCON-AE.
16. 16 . An apparatus comprising: a controller circuit; a receiver circuit; and a transmitter circuit, wherein the controller circuit is arranged to cause the transmitter circuit to broadcast a first system information message, wherein the first system information message comprises a protection field, wherein the receiver circuit is arranged to receive a security information request and/or a secure message from an end device.
17. 17 . The apparatus of claim 16 , wherein the controller circuit is arranged to securely process the secure message by extracting data included in the secure message based on the information in the protection field, wherein the secret internal state information of the end device, and/or wherein the controller circuit is arranged to determine security information for the first system information message and transmit the security information.
18. 18 . The apparatus of claim 17 , wherein the receiver circuit is arranged to receive a second secure message, wherein the controller circuit is arranged to securely process the second secure message.
19. 19 . The apparatus of claim 17 , wherein the a random-access response message comprises the security information.
20. 20 . The apparatus of claim 17 , wherein the security information integrity is arranged to protect fields in the random-access response message such as the timing advance and/or wherein the security information integrity is arranged to protect properties of the security information request message.

Description

FIELD OF THE INVENTION The present invention relates to the field of wireless communications, and in particular to security aspects of the communication between a primary station, e.g. a base station, and a secondary station, e.g. a terminal or a mobile station forming a network. Other entities may be present in such a network, such a security entity. BACKGROUND OF THE INVENTION In wireless networks, terminals connect to the network in order to exchange data. Security is crucial in particular for wireless devices where a physical interaction is not required to access the network. Wireless networks must thus implement some measures to be able to exclude devices that are not authorized in the network. A conventional attack includes an attacker to impersonate an entity of the wireless network, and in particular the primary station, or base station. Thus, many countermeasures are aimed authenticating the identity of the various entities of the network. In these telecommunication systems illustrated on FIG. 1, secondary stations 100 act as terminals or end devices (also referred to as User Equipment, UE, in 5G or End Device (ED) in this invention). The secondary station can access different types of services including voice and data services through primary stations 110 acting as base stations (also referred to as gNB in 5G) that are deployed in field. Each primary station 110 serves and communicates with the secondary stations 100 present in an area, also referred as a cell 111. The primary stations are connected to a core network (CN) 120—managed by a network operator—that controls the telecommunications systems and orchestrates the delivery of services. As mentioned above, an attacker may impersonate network entities such as the primary station by using “False” base stations (FBS) to attack the secondary stations in many ways. A FBS behaves as a proper primary station managed by the network operator and aims at attracting UEs with different goals such as performing DoS attacks, obtaining private user data, performing Man in the Middle (MitM) attacks and subsequent attacks (e.g. aLTEr, imp4gt, network misconfiguration, . . . ), etc. 3GPP defines a system comprising a secondary station or end device ED (100) and a primary station or base station (110) as used in a wireless telecommunication system such as 2G or 3G or 4G or 5G. The ED connects to a core network through the primary device. The connection procedure between ED and primary station involves multiple steps: The primary station broadcasting system information, in particular, MIB and SIB1;The ED receiving system information of one or more primary stations;The ED selecting a primary station based on a number of conditions such as signal strength, preferences, etc;The ED obtaining random access parameters from the SIB1 of the selected primary station;The ED sending a first random access message to the primary station;The primary station replying with a second random access message to the ED. The above procedure can be a 2 message RACH or a 4-message random access procedure. There is a need to secure the broadcast of system information, e.g., to ensure that EDs only join trusted primary stations or to ensure that an ED can verify broadcasted information by a primary station such as public warning messages or coverage information in Non-Terrestrial Networks. There is also the need to make sure that an ED does not join a FBS of an old generation when old generation base stations (e.g., 2G) have been already decommissioned. An option is to attach some security information used to verify the integrity and freshness of the SIB in the SIBs themselves. However, SIBs are limited in size at the physical layer to around 3000 bits. Furthermore, SIBs already contain a considerable amount of data so that limited space is left for said security information. Typical size of the security information might range from 260 bits to a few thousands of bits, thus, in many cases, the security information does not fit in the same SIB that requires protection. An option consists in broadcasting said security information in a SIB as well, e.g., a new SIB whose periodicity and timing is closely aligned with the periodicity and timing of existing system information, e.g., the same periodicity of MIB or SIB1 that are regularly broadcasted every 80 ms or 160 ms and that can be repeated multiple times in that period of time. A concrete option consists in broadcasting said security information with the same frequency and within the timeslot. However, this leads to a considerable usage of communication resources (spectrum usage) and energy. Another problem refers to the fact that legacy primary devices, e.g., in 3G or 4G, might not support the broadcasting of system information. Thus, such systems relying on legacy technologies are still prone to attacks. Another problem arises from the fact that low cost ambient IoT tags, small low power devices, may be requested to provide certain data,