RU2008104627A - METHOD AND DEVICE FOR AUTHENTICATION AND PRIVACY - Google Patents

Abstract

1. A method in a communication network that implements OAA / OANZ (generalized authentication architecture / generalized bootstrap architecture), and in which the network node (120) FSNZ (functions of the bootstrap server) performs the initial steps, at least containing authorization of the user object OP (140) and establishing at least one security key shared with the OP containing the first key Ks and the associated key identifier B_TID, and at least one second key Ks_NAF obtained from Ks and associated with at least one f The FSP (130) network application function, for improved privacy protection and authentication support, contains steps! additional generation by the FSNZ network node of an authentication voucher announcing that the OP has been authenticated; ! generating at least one key identifier B_TID_NAF associated with said at least one second key received, wherein the key identifier is unique to each FSF; ! sending by the network node FSNZ identifiers B_TID and at least one identifier B_TID_NAF on the OP; ! providing the FSP network application function in response to an OP request for services, including at least one B_TID_NAF identifier of at least said B_TID_NAF identifier for the FSS; ! identification of the FSNZ network node in response to the said identifier B_TID_NAF of the OP authentication voucher for the possibility of establishing the authentication status of the OP. ! 2. The method according to claim 1, in which the user object OP is identified by the Ub interface between the FSNZ-OP mentioned identifier B_TID. ! 3. The method according to claim 1, wherein the step of sending the ident

Claims (23)

1. A method in a communication network that implements OAA / OANZ (generalized authentication architecture / generalized bootstrap architecture), and in which the network node (120) FSNZ (functions of the bootstrap server) performs the initial steps, at least containing authorization of the user object OP (140) and establishing at least one security key shared with the OP containing the first key Ks and the associated key identifier B_TID, and at least one second key Ks_NAF obtained from Ks and associated with at least one f The FSP (130) network application function, for improved privacy protection and authentication support, contains the steps additional generation by the FSNZ network node of an authentication voucher announcing that the OP has been authenticated; generating at least one key identifier B_TID_NAF associated with said at least one second key received, wherein the key identifier is unique to each FSF; sending the network node FSNZ identifiers B_TID and at least one identifier B_TID_NAF on OP; providing the FSP network application function in response to an OP request for services, including at least one B_TID_NAF identifier of at least said B_TID_NAF identifier for the FSS; identification of the FSNZ network node in response to the said identifier B_TID_NAF of the OP authentication voucher for the possibility of establishing the authentication status of the OP. 2. The method according to claim 1, in which the user object OP is identified by the Ub interface between the FSNZ-OP mentioned identifier B_TID. 3. The method according to claim 1, wherein the step of sending the identifier B_TID of the key and at least one identifier B_TID_NAF from the FSES to the OP further comprises encrypting the identifiers using the key Ks. 4. The method according to claim 1, in which the authentication voucher is unique to each FSF and is identified by the said at least one identifier B_TID_NAF. 5. The method according to claim 1, wherein the step of providing further includes providing a signature of B_TID_NAF, wherein the signature is created by the OP using the key Ks and is included in said request for services. 6. The method according to claim 5, in which the signature includes a sign of renewal. 7. The method according to claim 5, further comprising the step of verifying the FSES signature B_TID_NAF. 8. The method according to any one of claims 1 to 5, further comprising the step of establishing the FSP authentication status by requesting an authentication voucher from the FSNZ network node. 9. The method according to any one of claims 1 to 5, further comprising the step of establishing an authentication status of the FSN by analyzing the authentication voucher. 10. The method according to any one of claims 1 to 5, in which the FSF with the said provision further includes requesting a key Ks_NAF. 11. The method according to any one of claims 1 to 5, in which the authentication voucher includes information about at least one of: validity time, time for authentication, and authentication method. 12. The method of claim 8, further comprising stages submission of FSP for the FSNZ network node of additional requirements to confirm the authenticity of authorization; inspections of the Federal Security Service for the Federal Tariff Service, which of the additional requirements are met. 13. The method according to any one of claims 1 to 3, further comprising the step of sending the FSNS to the OP authentication voucher, together with sending identifiers or separately from them. 14. The method according to item 13, in which the authentication voucher is unique for each FSF and is identified by the mentioned at least one identifier B_TID_NAF. 15. The method according to 14, in which the authentication voucher is unique by encrypting its FSS using the key Ks and a selected random number (Rand), different for each FSP, according to the formula Encr (Ks, voucher, Rand), where Encr is an encryption function, and wherein said method further comprises establishing an authentication status by sending encrypted FSNZ authentication voucher; decryption FSNZ voucher authentication and verification of its authenticity; selecting a new random number from the Federal Security Service (Rand2) and re-encrypting the authentication voucher for the second time with the key Ks as follows: Encr (Ks, Encr (Ks, voucher, Rand2)); return of the FSNZ re-encrypted authentication voucher to the OP through the FSF; decrypting the OP of the received authentication voucher once to receive: Encr (Ks, voucher, Rand2); use of OP decrypted authentication voucher once upon subsequent access to the FSF. 16. In a communication network that implements the OAA / OANZ architecture, the network node FSNZ (120) authenticates the user object OP (140) and negotiates a shared key Ks with OP (140), and the network node FSNZ (120) further comprises means (320) for generating a B_TID associated with Ks; means (320) for generating at least one received key Ks_NAF associated with at least one function of the network application of the FSF (130) and for generating at least the corresponding identifier B_TID_NAF, the identifier being unique for each FSF (130); means (330) for generating an authentication voucher announcing that the OP has been authenticated; means (360) for storing keys, key identifiers and an authentication voucher and for linking these objects to the OP; means (310) for sending a B_TID and at least one B_TID_NAF to an OP; means (360) for retrieving, in response to receiving at least one identifier B_TID_NAF, related to the user equipment of the OP, the corresponding authentication voucher for the possibility of establishing the authentication status of the OP. 17. The network node according to clause 16, further comprising means (380) for encryption using the key Ks and the encryption algorithm (Encr). 18. The network node according to claim 17, comprising means (390) for generating a random Rand number, and wherein said encryption means (380) is used to encrypt the authentication voucher in the form of Encr (Ks, voucher, Rand). 19. The network node according to clause 16, comprising means (310) for receiving and responding to a request from the FSF regarding authentication details of the user object of the UE received from means (340) that analyzes the authentication voucher. 20. The network node of claim 19, wherein said request relates to any or all of an authentication time, an authentication method, or an authentication validity time. 21. A system for providing improved protection of confidentiality and authentication in a communication network implementing the OAA / OANZ infrastructure (100), the system comprising the function of the FSNZ bootstrap server (120), which provides an authentication voucher declaring the authentication of the user OP object (140), and the identifiers B_TID_NAF of the keys Ks_NAF associated with at least one function of the network application of the FSF, and the identifiers are unique for each FSF (130) ; an Ub interface between the FSNZ (130) and the OP (140), which is further protected by encryption using the key Ks shared by the FSNZ (130) and the OP (140); the Ua interface between the OP (140) and the FSF (130), which is additionally protected against attacks by a wildcard connection by signing messages using the Ks key and the update sign; at least one function of the network application FSP (130), designed to communicate with the Federal Security Service (120) regarding the validity of the authentication voucher so as to prevent collusion of several FSP (130) in order to track the user object OP (140). 22. The system of claim 21, which further comprises means (330) for restricting information in the authentication voucher only by declaring that authentication has taken place; means for providing the FSF (130) for setting additional requirements related to user authentication, and means (340) for the FSES (130) to verify that each additional requirement is met. 23. The system according to item 21, which further comprises means (380) for encrypting the authentication voucher using the key Ks and depending on a random number so as to generate a unique authentication voucher for each FSP (130).