WO2001080520A2 - Security encrypted network access identifier for ip mobility systems - Google Patents



Publication number
WO2001080520A2
Authority
WO
WIPO (PCT)
Prior art keywords
private key
data value
network
value
permutations
Prior art date
Application number
PCT/US2001/011280
Other languages
French (fr)
Other versions
WO2001080520A3 (en
Inventor
Mohamed Khalil
Haseeb Akhtar
Emad A. Qaddoura
Original Assignee
Nortel Networks Limited
Application filed by Nortel Networks Limited filed Critical Nortel Networks Limited
Priority to AU2001253217A priority Critical patent/AU2001253217A1/en
Publication of WO2001080520A2 publication Critical patent/WO2001080520A2/en
Publication of WO2001080520A3 publication Critical patent/WO2001080520A3/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
    • H04N21/2347 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs involving video stream encryption
    • H04N21/23476 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs involving video stream encryption by partially encrypting, e.g. encrypting the ending portion of a movie
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • An encryption system and method for a packet-based communication system including an IP-based mobile communication system having a home network, foreign network and a mobile node.
  • IP Internet Protocol
  • the IP standard identifies the types of services to be provided to users, and specifies the mechanisms needed to support these services.
  • the IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.
  • a transmission protocol called the Transmission Control Protocol (TCP) was also developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks.
  • TCP/IP Transmission Control Protocol
  • the combination of TCP with IP (TCP/IP) forms a suite of protocols for communication between computers on the Internet.
  • the TCP/IP standard has become mandatory for use in all packet switching networks that have the potential for utilizing connectivity across network or sub-network boundaries.
  • data in an information packet is transmitted from an applications program in a first computer, through the first computer's network hardware, and across the transmission medium to the intended destination computer network on the Internet.
  • the information packet is transmitted through the destination network to a second computer.
  • the second computer interprets the received communication using the TCP/IP protocols on a second application program. Because the protocols used in Internet communications are standardized, the TCP/IP protocol on the second computer decodes the transmitted information packet into the original data transmitted by the first computer.
  • One of the guiding principles in a TCP/IP communication is that a computer user does not need to get involved with details of data communication. In order to accomplish this goal, the TCP/IP
  • a computer operating on a network is assigned a unique physical address.
  • the physical address of the computer is a number given to the computer's network adapter card.
  • Hardware LAN protocols use this physical address to deliver information packets to computers on the LAN.
  • the TCP/IP protocol routes information packets using logical addressing.
  • the network software in the Network Layer generates logical addresses. Specifically, a logical address in the TCP/IP network is translated into a corresponding physical address using the ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) protocols in the Network Layer.
  • ARP Address Resolution Protocol
  • RARP Reverse Address Resolution Protocol
  • the TCP/IP's logical address is also called an IP address.
  • the IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a sub-network on the network, and (3) a host ID number identifying a particular computer on the sub-network.
  • the header data in the IP information packet will include source and destination addresses.
  • the IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network.
  • a computer network is often subdivided into smaller sub-networks.
  • the divisions in the computer network increase data transmission efficiency and reduce overall network traffic.
  • Routers are used to regulate the flow of data into and out of designated sub-networks of the computer network.
  • a router interprets the logical address of an information packet, such as an IP address, and directs the information packet across the network to its intended destination. Information packets addressed between computers on the sub-network do not pass through the router to the greater network, and therefore these packets do not clutter the transmission lines of the greater network. If data is addressed to a computer outside the sub-network, however, the router forwards the data onto the larger network.
  • the TCP/IP network includes protocols that define how routers will determine the path for data through the network. Routing decisions are based upon information in the IP packet header and entries in each router's routing table.
  • a routing table possesses sufficient information for a router to make a determination on whether to accept the communicated information on behalf of a destination computer or pass the information onto another router in the network. The routing table also permits the router to determine where the information packet should be forwarded within the network or subnetwork.
  • the routing table can be configured manually with routing table entries or a dynamic routing protocol that can accommodate changing network topologies.
  • a network topology includes a network architecture including the network layouts, routers, and interconnections between host computers and routers on the network. In a dynamic routing protocol, a router advertises reachability when it sends updated routing information to a second router. Advertising accessibility is important to the process of receiving, directing and re-directing data packets on the Internet.
  • IP-based mobile system includes at least one Mobile Node in a wireless communication system.
  • Mobile Node includes a mobile communication unit, and, in addition to the Mobile Node, the communication system has a home network and a foreign network.
  • the Mobile Node may change its point of attachment to the Internet through various networks, but the Mobile Node will always be associated with a single home network for IP addressing purposes.
  • the home network has a Home Agent and the foreign network has a Foreign Agent, both of which control the routing of information packets into and out of their network. Registration of a Mobile Node
  • the Mobile Node keeps the Home Agent informed of its current location by registering a care-of address with the Home Agent.
  • the care-of address represents the location of the current foreign network where the Mobile Node is attached to the Internet. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will "tunnel" the information packet to the Mobile Node's current location on the foreign network using the applicable care-of address.
  • the Foreign Agent participates in informing the Home Agent of the Mobile Node's current care-of address.
  • the Foreign Agent also de-tunnels information packets for the Mobile Node after the information packets have been forwarded by the Home Agent. Further, the Foreign Agent serves as a default router for out-going information packets generated by the Mobile Node.
  • Foreign Agents and Home Agents periodically broadcast an agent advertisement to all nodes on the local network associated with that agent.
  • An agent advertisement is a message from the agent on a network that may be issued under the Mobile IP protocol (RFC 2002) or any other type of communication protocol. This advertisement should include sufficient information to uniquely identify a mobility agent (e.g. a Home Agent, a Foreign Agent, etc.) to a mobile node.
  • Mobile Nodes examine the agent advertisement and determine whether they are connected to the home network or a foreign network. If the Mobile Node is located on its home network, information packets will be routed to the Mobile Node according to a standard internetwork (internal to the network) addressing and routing scheme. If the Mobile Node is visiting a foreign network, however, the Mobile Node obtains appropriate information from the agent advertisement and transmits a registration request message to its Home Agent.
  • the registration request message will include a care-of address for the Mobile Node.
  • the registered care-of address identifies the foreign network where the Mobile Node is located, and the Home Agent uses this registered care-of address to tunnel information packets to the foreign network for subsequent transfer to the Mobile Node.
  • a registration reply message may be sent to the Mobile Node by the Home Agent to confirm that the registration process has been successfully completed.
  • AAA Authenticate, Authorize and Accounting
  • the Mobile Node changes its point of attachment to the network while maintaining network connectivity.
  • the Mobile IP Protocol (RFC 2002) assumes that mobile IP communications with a Mobile Node will be performed on a single administrative domain or a single network controlled by one administrator.
  • When a Mobile Node travels outside its home administrative domain, however, the Mobile Node must communicate through multiple domains in order to maintain network connectivity with its home network.
  • While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the Mobile Node. These authentication, authorization, and accounting activities are called "AAA" services.
  • Authentication is the process of proving someone's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity.
  • An AAA server computer on the communication network authenticates the identity of an authorized user, and authorizes the Mobile Node's requested activity. Additionally, the AAA server will also support the accounting function, including tracking usage and charges for use of transmission links between administrative domains.
  • Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing where a hostile node hijacks the network session from mobile node by redirecting information packets, (2) spoofing where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing information during a session with an authorized user. It is necessary to protect information transmitted in an IP-based mobility system from the above-identified security attacks.
  • Cryptographic security systems are used to send communications in a confidential manner.
  • These security systems maintain the confidentiality of the information packet by encoding, or encrypting, the data in the information packet.
  • the transformation of the transmitted data into a secure, encrypted format is accomplished using mathematical algorithms and keys.
  • An authorized person using the cryptographic keys can reverse the encryption process, called decryption, to decode the data. Without the cryptographic keys, the decryption process is very difficult and time consuming.
  • Other activities performed by the security system include authentication (you are who you say you are), integrity checking (the information packet was sent in the decoded form), and non-repudiation (identification of the person sending the information packet).
  • Party A uses the algorithm and a key to encrypt the data in the transmitted information packet.
  • the encrypted information packet does not resemble the data in the original information packet. Further, the encryption method cannot be easily broken without the use of the encryption algorithm and key.
  • the encrypted information packet is transmitted over the public networks on the Internet to Party B without disclosing the content of the original information packet.
  • Party B decodes the encrypted information packet using the algorithm and cryptographic key.
  • After the encrypted information is decoded, the original data should be disclosed in the decrypted information packet.
  • the level of security associated with the encryption scheme is directly related to the sophistication of the encryption algorithm and keys.
  • the security of the cryptographic system will increase with the complexity of the encryption algorithm and keys.
  • the encryption algorithm can be kept secret. If the encryption algorithm is publicly disclosed, the strength of the cryptographic security system is dependent upon the secrecy of the keys. It is preferable that only the appropriate or authorized parties to the communication know the key.
  • This type of key is known as a "secret key" or "private key", and the sender and receiver of the information packet use the same secret key to encrypt and decrypt information packets with the algorithm.
  • Public key encryption may also be supported by cryptographic security systems, where the sender and receiver possess a public key and a private key. Messages may be encoded by the sender using the receiver's public key, and decoded by the receiver using the receiver's private key.
  • Hybrid security systems are also used to encrypt and decrypt information in information packets.
  • the present invention avoids the significant memory and data overhead associated with these prior art cryptographic schemes by selectively encrypting certain portions of the information packet.
  • the present invention creates an encrypted Secured Generalized Network Access Identifier (SG-NAI) extension located in the Network Access Identifier (NAI) field of the information packet extension.
  • SG-NAI Secured Generalized Network Access Identifier
  • NAI Network Access Identifier
  • the 32-bit SG-NAI field can identify the Mobile Node or some other uniquely addressed entity such as the Home Agent.
  • the identity of the Mobile Node and the sender are protected by encrypting the SG-NAI value alone or with other data fields in the extension.
  • Cryptographic keys used in the present invention are encrypted using algorithms that are sufficient to secure the confidentiality of the information packets.
  • the algorithm of the invention has a private key length of 64-bits, a default round rotation of three for encrypting the NAI, and a rotation matrix of size 1 x 8 bytes for generating the different permutations of the initial private key.
  • This encryption scheme provides sufficient security for confidential mobile IP communications based upon the brief duration of most mobile IP communications.
  • Fig. 1 is a mobile IP-based communication system
  • Fig. 2 is a generalized diagram of an information packet used in an IP communication
  • Fig. 3 is an NAI extension format of an information packet used in an IP communication
  • Fig. 4 is a Mobile Node NAI extension format of an information packet used in an IP communication
  • Fig. 5 is a Secured Generalized NAI extension format of an information packet used in the present invention.
  • Fig. 6 is a Secured Mobile Node NAI extension format of an information packet used in the present invention
  • Fig. 7 is a diagram of the encryption procedure used in the present invention
  • Fig. 8 is a diagram of the decryption procedure used in the present invention
  • Fig. 9 is a diagram of the key generation procedure used in the present invention.
  • In FIG. 1, the overall architecture of the IP-based mobile system is shown with a Mobile Node 64, a home network 10 and a foreign network 40.
  • the home network 10 and the foreign network 40 are coupled to the Internet represented by the cloud 35.
  • the home network 10 has a central buss line 20 coupled to the Home Agent 28 via communication link 24.
  • the buss line 20 is coupled to the AAA server 17 via communication link 22.
  • the home network 10 is coupled to the Internet 35 via communication link 30.
  • a communications link is any connection between two or more nodes on a network or users on networks or administrative domains.
  • the foreign network 40 has a central buss line 50 coupled to the foreign agent 58 via communication link 54.
  • the buss line 50 is coupled to the AAA foreign network server 47 via communication link 52.
  • the foreign network 40 is coupled to the Internet 35 via communication link 37.
  • Mobile Node 64 is shown electronically coupled to the foreign network 40 via the wireless communication link 66 of transceiver 60.
  • Transceiver 60 is coupled to the foreign network 40 via communication link 62.
  • the Mobile Node 64 can communicate with any transceiver 60 or Access Network coupled to the foreign network 40.
  • the terms Home Agent and Foreign Agent may be defined in the Mobile IP Protocol (RFC 2002), but these agents are not restricted to a single protocol or system.
  • the term Home Agent can refer to a Home Mobility Manager, Home Location Register, Home Serving Entity, or any other agent at a home network 10 having the responsibility to manage mobility-related functionality for a Mobile Node 64.
  • the term Foreign Agent can refer to a Serving Mobility Manager, Visited Location Register, Visiting Serving Entity, or any other agent on a foreign network 40 having the responsibility to manage mobility-related functionality for a Mobile Node 64.
  • the Mobile Node 64 is identified by a permanent IP address. While the Mobile Node 64 is coupled to its home network 10, the Mobile Node 64 receives information packets like any other fixed node on the home network 10. When mobile, the Mobile Node 64 can also locate itself on foreign network 40. The Mobile Node 64 keeps the Home Agent 28 informed of its current location, or foreign network association, by registering a care-of address with the Home Agent 28. Essentially, the care-of address represents the foreign network 40 where the Mobile Node 64 is currently located. If the Home Agent 28 receives an information packet addressed to the Mobile Node 64 while the Mobile Node 64 is located on a foreign network 40, the Home Agent 28 will "tunnel" the information packet to foreign network 40 for subsequent transmission to Mobile Node 64.
  • the Foreign Agent 58 participates in informing the Home Agent 28 of the Mobile Node's 64 current care-of address.
  • the Foreign Agent 58 also de-tunnels information packets for the Mobile Node 64 after the information packets have been forwarded to the Foreign Agent 58 by the Home Agent 28.
  • the Foreign Agent 58 serves as a default router for out-going information packets generated by the Mobile Node 64 while connected to the foreign network 40.
  • the Mobile Node 64 also participates in informing the Home Agent 28 of its current care-of address.
  • the Mobile Node 64 obtains appropriate information regarding the address of the foreign network 40 and/or the Foreign Agent 58 from an agent advertisement. After obtaining this information, the Mobile Node 64 works with the Foreign Agent 58 to transmit a registration request message to the Home Agent 28.
  • Mobile IP protocols require that the mobile node register the care-of address with the Home Agent 28 and/or the AAA server 17 on the home network 10 after movement to a new foreign network 40.
  • the Mobile Node 64 issues a registration request in response to power-up on the foreign network 40 or receipt of an agent advertisement.
  • the registration request is sent to the Home Agent 28 and/or the AAA server 17 on the home network.
  • a registration request message includes a care-of address for the Mobile Node 64.
  • a registration reply is issued by the Home Agent 28 to acknowledge receipt of the registration request, confirm receipt of the care-of address for the Mobile Node 64, and indicate completion of the registration process.
  • the care-of address identifies the foreign network 40 where the Mobile Node 64 is located, and the Home Agent 28 uses this care-of address to tunnel information packets to the foreign network 40 for subsequent transfer to the Mobile Node 64. Consistent with normal IP protocols, all communications addressed to the Mobile Node 64 are routed to the Mobile Node's 64 home network 10. After registration is completed, the Home Agent 28 receives this communication and "tunnels" the message to the Mobile Node 64 on the foreign network 40.
  • the Foreign Agent 58 accepts the re-directed communication and delivers the information packet to the Mobile Node 64 through the transceiver 60. In this manner, the information packets addressed to the Mobile Node 64 at its usual address on the home network 10 are re-directed or "tunneled" to the Mobile Node 64 on the foreign network 40.
  • AAA servers provide authentication and authorization services for users on their home network 10 and Mobile Node 64 when connected to foreign network 40.
  • AAA servers, such as servers 17 and 47, identify entities on the networks using a Network Access Identifier (NAI) extension found in a registration request message.
  • the NAI extension in this message is typically used to uniquely identify one of the entities in the network (e.g. Mobile Node, Foreign Agent, Home Agent).
  • extensions are data structures used to support the transmission of variable amounts of information in an information packet, the registration of a Mobile Node, or the AAA functions performed by AAA network servers.
  • An extension defines how information packets are configured in a control message, agent advertisement, registration request, registration reply or information packet transmission.
  • the general format for extensions has been defined in the Mobile IP protocol (RFC 2002) and particular types of extensions have been defined in similar protocols.
  • the general extension format 100 is shown in Figure 2 in a Type-Length-Data format.
  • the Type 105 variable (designated by "T") occupies the first 8 bits of the extension.
  • the Length 110 variable (designated by "L") occupies the next 8 bits of the extension.
  • the Data 115 variable (designated by "D") occupies the remaining bits in the extension.
  • the Type 105 variable indicates the particular type of extension found therein.
  • the Length 110 indicates the length in bytes of the Data field 115.
  • the Data field 115 may be zero or more bytes in length.
  • AAA servers identify mobile nodes or other entities using a Network Access Identifier (NAI) extension found in a registration request message.
  • the general format for an NAI extension 125 is found in Figure 3.
  • This NAI extension 125 consists of a Type 130 variable (designated by "T"), a Length 135 variable (designated by "L"), and a Network Access Identifier Extension 140 (designated by "NAI") data variable.
  • the Type 130 variable in the NAI extension occupies the first 8 bits of the extension.
  • the Length 135 variable occupies the next 8 bits of the NAI extension, and the Length 140 variable identifies the length in bytes of the NAI 140 field.
  • the data variable is the NAI 140 identifier, and that particular data field occupies the remaining bits in the extension.
  • a Mobile Node NAI (MN-NAI) extension 150 is a particular type of NAI extension found in a registration request message sent from a Mobile Node 64.
  • the MN-NAI extension 150 in Figure 4 contains the user and/or host name following the Type-Length-Data format for extensions.
  • the Type 155 variable (designated by "T") in the NAI extension occupies the first 8 bits of the extension.
  • the Length 160 variable (designated by "L") occupies the next 8 bits of the NAI extension, and the Length 160 variable identifies the length in bytes of the Mobile Node NAI 165 field.
  • the data variable is the Mobile Node NAI 165 identifier (designated by "MN-NAI"), and that particular data field occupies the remaining bits in the extension.
  • unencrypted extensions can expose the identity of a Mobile Node 64 or his home network 10.
  • Sending such information in the public domain can subject authorized users to the following forms of attack: (1) session stealing where a hostile node hijacks the network session from mobile node by redirecting information packets, (2) spoofing where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing information during a session with an authorized user.
  • the present invention protects authorized users from the above-identified security attacks.
  • a Secured Generalized Network Access Identifier Extension (SG-NAI) 175 is shown in Figure
  • the SG-NAI 175 has a Type-Length Data format where the Type 180 variable occupies the first 8 bits of the general extension.
  • the Length 145 variable in SG-NAI 175 occupies the next 8 bits of the extension, and the Sub-Type 190 variable occupies the next 8 bits of the SG-NAI extension 175.
  • the Length 185 variable identifies the length of the SG-NAI field 205.
  • the Sub-Type 190 field identifies the particular type of user identified in the NAI field 205.
  • An 8-bit data field 195 is reserved for future use.
  • the 8-bit Type 180 field and Sub-Type 190 field identify the NAI as an SG-NAI extension.
  • a security parameter index (SPI) 200 occupies the next 32-bit field and identifies a security context between a pair of nodes available in the mobility security association. Each designated security context indicates an authentication algorithm and mode, a public or private key ("secret key"), and a style of replay protection.
  • An SPI 200 is found in all authentication extensions and can be used to authenticate the identity of the mobile node by designating the security protocol (algorithm and keys) to compute the authenticator value.
  • a default authentication algorithm uses keyed-MD5 in "prefix-suffix" mode to compute a 128-bit "message digest" of the registration message used to authenticate the communication.
  • the SG-NAI 205 is an encrypted 32-bit NAI designation.
  • encryption is accomplished using an encryption and decryption algorithm that is sufficient to protect relatively brief mobile IP communications.
  • the encryption of SG-NAI 205 protects the identity of the NAI entity and minimizes the security concerns of publicly transmitting the NAI extension. Other portions of the SG-NAI extension can also be encrypted to provide greater security.
  • Figure 6 shows a Secured Mobile Node NAI 225 extension (SMN-NAI). This extension is an alternative form of the SG-NAI 175 extension which identifies a Mobile Node address.
  • the Type 230, Length 240, and SPI 255 fields correspond and carry out the same functions as the same fields found in the SG-NAI 175 extension of Figure 5.
  • the SMN-NAI extension 175 has a Type-Length-Data format where the Type 230 variable occupies the first 8 bits of the general extension.
  • the Length 240 variable in SMN-NAI 225 occupies the next 8 bits of the extension
  • the Sub-Type 245 variable occupies the next 8 bits of the SMN-NAI extension 225.
  • the Length 240 variable identifies the length of the SMN-NAI field 260.
  • the Sub-Type 245 field identifies the particular type of user designated in the NAI field 260.
  • An 8-bit data field 250 is reserved for future use.
  • the 8-bit Type 230 field and Sub-Type 245 field identify the NAI as an SMN-NAI extension 260.
  • a security parameter index (SPI) 200 occupies the next 32-bit field and identifies a security context between a pair of nodes available in the mobility security association.
  • the SMN-NAI 225 is an encrypted 32-bit NAI designation for a Mobile Node. This encrypted SMN-NAI 225 can be found in a registration request or reply message.
  • the Sub-Type 245 field has a value of "1" when the NAI field possesses an encrypted SMN-NAI 260 value. Encrypting the MN-NAI will keep the identity of the mobile node secure during a Mobile IP session, and prevent attacks against the integrity of the communication.
  • the encryption and decryption algorithms used in the preferred embodiment assume the length of the private key is 64 bits.
  • the encryption algorithm performs an "XOR", or exclusive OR, operation with unencrypted data and a private communication session key.
  • An exclusive OR operation is then performed with the result of that operation and another private communication session key. This XOR procedure is repeated "n" times to produce the encrypted data.
  • the default number of rounds in the encryption process must be at least three rounds.
  • variables K1, K2, and Kn are private keys for the communication session.
  • the variable X is unencrypted data found in the extension, (e.g. the unencrypted MN-NAI).
  • the variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225.
  • the "+" operator shown above is the exclusive "or" operator; and the "n" variable is the number of rounds, or cycles, the algorithm will execute to encrypt the data "X".
  • Another way of identifying the encryption formula is to designate:
  • variables K1, K2, and Kn are private keys for the communication session.
  • the variable X is unencrypted data found in the extension, (e.g. the MN-NAI).
  • the variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225.
  • the "XOR" operator shown above is the exclusive "or" operator; the "i" variable is the particular round of encryption being performed, and the "n" variable is the number of rounds, or cycles, the algorithm will execute to encrypt the data "X".
  • the decryption procedure reverses the encryption process by performing an XOR operation with the final encrypted data and the same private communication session keys.
  • the XOR exclusive OR operation starts with the encrypted data and the last applied private communication session key.
  • the XOR operation is repeated with the resultant of the prior XOR operation and next to last private communication session key.
  • the XOR operation is repeated using the same private communication session keys in reverse order from the encryption process to produce the unencrypted data.
  • variables K1, K2, and Kn are the private communication session keys used in the encryption process.
  • the variable X is unencrypted data identifying the NAI extension value, (e.g. the MN-NAI).
  • the variable ED is encrypted data to be placed in the SG-NAI 175 or
  • the variables K1, K2, and Kn are the private session keys used in the encryption process.
  • the variable X is unencrypted data identifying the NAI extension value, (e.g. the MN-NAI).
  • the variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225.
  • the "XOR" operator shown above is the exclusive "or" operator; the "i" variable is the particular round of encryption being performed, and the "n" variable is the round, or cycle, of the algorithm.
  • the private communication session keys used in the encryption and decryption process (e.g. K1, K2) are generated using an eight byte rotational matrix.
  • an authorized user chooses an input value K as an initial private key.
  • K is transformed into a 64-bit binary representation of K, placed into an eight byte rotational matrix, and the eight bytes representing K are rotated one byte to the left to produce a byte representation for a different number, K1.
  • K1 is used as the first private communication session key, and the eight bytes of K1 are rotated again to produce a byte representation of a different number, K2.
  • K2 is the next private communication session key. This operation is repeated to produce the necessary number of private communication session keys with each rotation producing a different byte representation for the next private key value.
  • a rotation matrix (RM) of size 1 x 8 bytes is used to generate the different permutations of the private key values.
  • the variables K1, K2, and Kn are generated using the eight byte rotational operators ROT1, ROT2 to ROTn.
  • Each ROT operation generates a private key that can be used in the encryption and decryption process.
  • the key generation process starts with the value K being input in the rotation operator ROT1, the eight bytes of K are rotated 1 byte to the left, and the resultant is private key K1.
  • K1 is then input in ROT2, the eight bytes of K1 are rotated 1 byte to the left, and the resultant is the private key K2.
  • the procedure is repeated with rotation operators ROTn to generate "n" private keys.
  • $K_i[j] = \mathrm{LeftRotate}(K_{i-1}[j],\ RM[j])$
  • the rotation operator (ROTi) is shown as "LeftRotate".
  • the jth byte of $K_{i-1}$ is rotated left by the value specified in the jth entry of the rotation matrix (RM) to give the jth byte of the key $K_i$. This operation will be repeated until all the necessary private keys are generated, but it is advised that at least three private keys be used in a default encryption and decryption process.
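
The key rotation, XOR rounds and 8/8/8/8/32/32-bit extension layout described in the list above, as an added Python example that is not code from the patent. Assumptions: round keys come from the one-byte left rotation described in prose (the LeftRotate/RM formula is not modelled), the 32-bit NAI is XORed with the leading four bytes of each 64-bit key, Length counts bytes, and the Type value, SPI, key and NAI are constructed. `effective_key` and `is_degenerate` are hypothetical helpers showing that, because XOR is associative, the n rounds collapse to a single XOR key, which can be all zeros.

```python
from __future__ import annotations

import struct

KEY_BYTES = 8            # page: the private key is 64 bits long
DEFAULT_ROUNDS = 3       # page: at least three rounds by default
EXT_LAYOUT = "!BBBBI4s"  # Type, Length, Sub-Type, reserved, SPI, 32-bit encrypted NAI


def session_keys(k: bytes, rounds: int = DEFAULT_ROUNDS) -> list[bytes]:
    """K -> K1 -> ... -> Kn: each key is the previous one rotated one byte left."""
    if len(k) != KEY_BYTES:
        raise ValueError("initial private key K must be 8 bytes (64 bits)")
    if rounds < 1:
        raise ValueError("at least one round is required")
    keys, current = [], k
    for _ in range(rounds):
        current = current[1:] + current[:1]
        keys.append(current)
    return keys


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Assumption: a field shorter than the key uses the key's leading bytes.
    if len(data) > len(key):
        raise ValueError("data is longer than the key")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt(x: bytes, keys: list[bytes]) -> bytes:
    """XOR X with K1, then the result with K2, and so on up to Kn."""
    ed = x
    for key in keys:
        ed = xor_bytes(ed, key)
    return ed


def decrypt(ed: bytes, keys: list[bytes]) -> bytes:
    """Apply the same keys in reverse order, starting from Kn."""
    x = ed
    for key in reversed(keys):
        x = xor_bytes(x, key)
    return x


def effective_key(keys: list[bytes]) -> bytes:
    """The single key K1 ^ K2 ^ ... ^ Kn that the n rounds are equivalent to."""
    acc = bytes(KEY_BYTES)
    for key in keys:
        acc = xor_bytes(acc, key)
    return acc


def is_degenerate(keys: list[bytes], field_len: int = 4) -> bool:
    """True when the rounds cancel out and the field would be sent unencrypted."""
    return not any(effective_key(keys)[:field_len])


def pack_extension(ext_type: int, sub_type: int, spi: int,
                   nai: bytes, keys: list[bytes]) -> bytes:
    """Build the 12-byte extension with the NAI field encrypted."""
    if len(nai) != 4:
        raise ValueError("the NAI field is 32 bits")
    if is_degenerate(keys):
        raise ValueError("round keys cancel out; pick another K or round count")
    ed = encrypt(nai, keys)
    return struct.pack(EXT_LAYOUT, ext_type, len(ed), sub_type, 0, spi, ed)


def unpack_extension(ext: bytes, keys: list[bytes]) -> dict:
    """Parse the extension and decrypt its NAI field."""
    ext_type, length, sub_type, _reserved, spi, ed = struct.unpack(EXT_LAYOUT, ext)
    if length != len(ed):
        raise ValueError("Length does not match the NAI field")
    return {"type": ext_type, "sub_type": sub_type, "spi": spi,
            "nai": decrypt(ed, keys)}


if __name__ == "__main__":
    K = bytes.fromhex("0123456789abcdef")      # constructed initial key
    keys = session_keys(K)
    nai = b"\x0a\x00\x00\x2a"                  # constructed 32-bit NAI value
    ext = pack_extension(0xFE, 1, 0x100, nai, keys)  # 0xFE and 0x100 are placeholders
    print(ext.hex(), unpack_extension(ext, keys))
    print("three rounds equal one XOR with", effective_key(keys).hex())
```

Since every byte of the initial key ends up in every position after eight rotations, the round count changes which single XOR key results, not how many keys an observer has to deal with.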

Abstract

The present invention improves the security of communications in an IP mobile communications systems by creating a Secured Generalized Network Identifier (SG-NAI). The SG-NAI is encrypted and decrypted using a key-based encryption and decryption algorithm. The present invention reduces the data overhead for communications over Mobile IP systems compared to existing methods of encrypting and decrypting IP data packets.

Description

SECURITY ENCRYPTED NETWORK ACCESS IDENTIFIER FOR IP MOBILITY SYSTEMS
Technical Field of the Invention
An encryption system and method for a packet-based communication system, including an IP-based mobile communication system having a home network, foreign network and a mobile node.
BACKGROUND OF THE INVENTION
Present-day Internet communications represent the synthesis of technical developments begun in the 1960s. These developments include the creation of an interface system to support communications between different United States military computers, and the subsequent use of an interface standard established by the military to support communications between research computers at United States universities.
The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, Defense Department officials began to notice that the military was accumulating a large collection of different computer networks. Some of the computer networks were connected to large open computer systems and other networks were connected to smaller closed computer systems. Computers on the Defense Department's open computer networks, however, could not communicate with the other military computers on the closed systems. Defense Department officials needed an interface system to permit communication between these different computer networks. The Defense Department recognized that a single centralized interface system would be vulnerable to missile attacks or sabotage. Accordingly, the Defense Department mandated that the system to be used for communication between these different military computer networks be decentralized, and that no critical services in the system be concentrated in vulnerable failure points. In order to achieve these goals, the Defense Department established a decentralized standard protocol for communication between network computers. The standard communication protocol adopted by the Defense Department established a format for all communications between the Defense Department computers.
A few years later, the National Science Foundation (NSF) wanted to connect different types of network computers at various research institutions across the United States. Faced with many of the same problems encountered by the Defense Department, the NSF looked to the same solution adopted by the Defense Department. As a means to facilitate communications between these research facilities, the NSF adopted the Defense Department's standard protocol for communication. This combination of research computer networks coupled together with a de-centralized standard communication protocol would eventually evolve into the Internet.
Internet Protocols
The Defense Department's standard communication protocol was called the Internet Protocol (IP) standard. The NSF adopted the IP standard to regulate communications between research computers in the United States. Now, the IP standard supports communications between computers and networks on the Internet.
The IP standard identifies the types of services to be provided to users, and specifies the mechanisms needed to support these services. The IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system. A transmission protocol, called the Transmission Control Protocol (TCP), was also developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a suite of protocols for communication between computers on the Internet. The TCP/IP standard has become mandatory for use in all packet switching networks that have the potential for utilizing connectivity across network or sub-network boundaries.
The TCP/IP Protocol
In a typical Internet-based communication scenario, data in an information packet is transmitted from an applications program in a first computer, through the first computer's network hardware, and across the transmission medium to the intended destination computer network on the Internet. After receipt at the destination computer network, the information packet is transmitted through the destination network to a second computer. The second computer then interprets the received communication using the TCP/IP protocols on a second application program. Because the protocols used in Internet communications are standardized, the TCP/IP protocol on the second computer decodes the transmitted information packet into the original data transmitted by the first computer.
One of the guiding principles in a TCP/IP communication is that a computer user does not need to get involved with details of data communication. In order to accomplish this goal, the TCP/IP
ensures a consistent conversion of base data regardless of the particular TCP/IP conversion software used on an applications program.
TCP/IP Addressing and Routing
A computer operating on a network is assigned a unique physical address. On a Local Area Network ("LAN"), the physical address of the computer is a number given to the computer's network adapter card. Hardware LAN protocols use this physical address to deliver information packets to computers on the LAN.
On the Internet, the TCP/IP protocol routes information packets using logical addressing. The network software in the Network Layer generates logical addresses. Specifically, a logical address in the TCP/IP network is translated into a corresponding physical address using the ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) protocols in the Network Layer.
The TCP/IP's logical address is also called an IP address. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a sub-network on the network, and (3) a host ID number identifying a particular computer on the sub-network. The header data in the IP information packet will include source and destination addresses. The IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network.
A computer network is often subdivided into smaller sub-networks. The divisions in the computer network increase data transmission efficiency and reduce overall network traffic. Routers are used to regulate the flow of data into and out of designated sub-networks of the computer network.
A router interprets the logical address of an information packet, such as an IP address, and directs the information packet across the network to its intended destination. Information packets addressed between computers on the sub-network do not pass through the router to the greater network, and therefore these packets do not clutter the transmission lines of the greater network. If data is addressed to a computer outside the sub-network, however, the router forwards the data onto the larger network.
The TCP/IP network includes protocols that define how routers will determine the path for data through the network. Routing decisions are based upon information in the IP packet header and entries in each router's routing table. A routing table possesses sufficient information for a router to make a determination on whether to accept the communicated information on behalf of a destination computer or pass the information onto another router in the network. The routing table also permits the router to determine where the information packet should be forwarded within the network or subnetwork. The routing table can be configured manually with routing table entries or a dynamic routing protocol that can accommodate changing network topologies. A network topology includes a network architecture including the network layouts, routers, and interconnections between host computers and routers on the network. In a dynamic routing protocol, a router advertises reachability when it sends updated routing information to a second router. Advertising accessibility is important to the process of receiving, directing and re-directing data packets on the Internet.
The IP-Based Mobility Systems
Internet protocols were originally developed with an assumption that Internet users, which are assigned a unique IP address, would be connected to a single, fixed network. That is, the assumption was that each computer on the Internet would be associated with one physical fixed location. With the advent of portable computers and cellular wireless communication systems, however, the movement of Internet users within a network and across network boundaries has become quite common. Because of this highly mobile Internet usage, the implicit design assumptions for the Internet protocols have been violated. An IP-based mobile system includes at least one Mobile Node in a wireless communication system. The term "Mobile Node" includes a mobile communication unit, and, in addition to the Mobile Node, the communication system has a home network and a foreign network. The Mobile Node may change its point of attachment to the Internet through various networks, but the Mobile Node will always be associated with a single home network for IP addressing purposes. The home network has a Home Agent and the foreign network has a Foreign Agent, both of which control the routing of information packets into and out of their network.
Registration of a Mobile Node
The Mobile Node keeps the Home Agent informed of its current location by registering a care-of address with the Home Agent. Essentially, the care-of address represents the location of the current foreign network where the Mobile Node is attached to the Internet. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will "tunnel" the information packet to the Mobile Node's current location on the foreign network using the applicable care-of address.
The Foreign Agent participates in informing the Home Agent of the Mobile Node's current care-of address. The Foreign Agent also de-tunnels information packets for the Mobile Node after the information packets have been forwarded by the Home Agent. Further, the Foreign Agent serves as a default router for out-going information packets generated by the Mobile Node.
Foreign Agents and Home Agents periodically broadcast an agent advertisement to all nodes on the local network associated with that agent. An agent advertisement is a message from the agent on a network that may be issued under the Mobile IP protocol (RFC 2002) or any other type of communication protocol. This advertisement should include sufficient information to uniquely identify a mobility agent (e.g. a Home Agent, a Foreign Agent, etc.) to a mobile node. Mobile Nodes examine the agent advertisement and determine whether they are connected to the home network or a foreign network. If the Mobile Node is located on its home network, information packets will be routed to the Mobile Node according to a standard internetwork (internal to the network) addressing and routing scheme. If the Mobile Node is visiting a foreign network, however, the Mobile Node obtains appropriate information from the agent advertisement and transmits a registration request message to its Home Agent. The registration request message will include a care-of address for the Mobile Node. The registered care-of address identifies the foreign network where the Mobile Node is located, and the Home Agent uses this registered care-of address to tunnel information packets to the foreign network for subsequent transfer to the Mobile Node. A registration reply message may be sent to the Mobile Node by the Home Agent to confirm that the registration process has been successfully completed.
Authenticate, Authorize and Accounting ("AAA") Services
In an IP-based mobile communication system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. The Mobile IP Protocol (RFC 2002) assumes that mobile IP communications with a Mobile Node will be performed on a single administrative domain or a single network controlled by one administrator. When a Mobile Node travels outside its home administrative domain, however, the Mobile Node must communicate through multiple domains in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the Mobile Node. These authentication, authorization, and accounting activities are called "AAA" services. Authentication is the process of proving someone's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. An AAA server computer on the communication network authenticates the identity of an authorized user, and authorizes the Mobile Node's requested activity. Additionally, the AAA server will also support the accounting function, including tracking usage and charges for use of transmission links between administrative domains.
Security for the IP-Based Mobile System
In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing where a hostile node hijacks the network session from mobile node by redirecting information packets, (2) spoofing where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing information during a session with an authorized user. It is necessary to protect information transmitted in an IP-based mobility system from the above-identified security attacks. Cryptographic security systems are used to send communications in a confidential manner.
These security systems maintain the confidentiality of the information packet by encoding, or encrypting, the data in the information packet. The transformation of the transmitted data into a secure, encrypted format is accomplished using mathematical algorithms and keys. An authorized person using the cryptographic keys can reverse the encryption process, called decryption, to decode the data. Without the cryptographic keys, the decryption process is very difficult and time consuming. Other activities performed by the security system include authentication (you are who you say you are), integrity checking (the information packet was sent in the decoded form), and non-repudiation (identification of the person sending the information packet).
As an example of the encryption process, consider the situation where Party A intends to communicate confidentially with Party B using the cryptographic system. First, Party A uses the algorithm and a key to encrypt the data in the transmitted information packet. In order to maintain the confidentiality of data in the transmitted information packet, the encrypted information packet does not resemble the data in the original information packet. Further, the encryption method cannot be easily broken without the use of the encryption algorithm and key. The encrypted information packet is transmitted over the public networks on the Internet to Party B without disclosing the content of the original information packet. After receiving the encrypted information packet, Party B decodes the encrypted information packet using the algorithm and cryptographic key. When the encrypted information is decoded, the original data should be disclosed in the decrypted information packet. The level of security associated with the encryption scheme is directly related to the sophistication of the encryption algorithm and keys. The security of the cryptographic system will increase with the complexity of the encryption algorithm and keys. To increase the security of the system, the encryption algorithm can be kept secret. If the encryption algorithm is publicly disclosed, the strength of the cryptographic security system is dependent upon the secrecy of the keys. It is preferable that only the appropriate or authorized parties to the communication know the key. This type of key is known as a "secret key" or "private key", and the sender and receiver of the information packet use the same secret key to encrypt and decrypt information packets with the algorithm. Public key encryption may also be supported by cryptographic security systems, where the sender and receiver possess a public key and a private key. Messages may be encoded by the sender using the receiver's public key, and decoded by the receiver using the receiver's private key. Hybrid security systems are also used to encrypt and decrypt information in information packets.
Prior art encryption protocols, such as the Data Encryption Standard (DES), Triple DES, and RC5 are encryption and decryption standards that use very complex encryption algorithms. These encryption and decryption systems produce lengthy strings of encrypted data. If these prior art standards were used in a Mobile IP system, the memory and data overhead associated with these lengthy communications would be significant and burdensome on the system.
SUMMARY OF THE INVENTION
The present invention avoids the significant memory and data overhead associated with these prior art cryptographic schemes by selectively encrypting certain portions of the information packet. The present invention creates an encrypted Secured Generalized Network Access Identifier (SG-NAI) extension located in the Network Access Identifier (NAI) field of the information packet extension. The 32-bit SG-NAI field can identify the Mobile Node or some other uniquely addressed entity such as the Home Agent. The identity of the Mobile Node and the sender are protected by encrypting the SG-NAI value alone or with other data fields in the extension.
Cryptographic keys used in the present invention, sometimes called session keys, are encrypted using algorithms that are sufficient to secure the confidentiality of the information packets. The algorithm of the invention has a private key length of 64-bits, a default round rotation of three for encrypting the NAI, and a rotation matrix of size 1 x 8 bytes for generating the different permutations of the initial private key. This encryption scheme provides sufficient security for confidential mobile IP communications based upon the brief duration of most mobile IP communications.
BRIEF DESCRIPTION OF THE DRAWINGS
The objects and features of the invention will become more readily understood from the following detailed description and appended claims when read in conjunction with the accompanying drawings in which like numerals represent like elements and in which:
Fig. 1 is a mobile IP-based communication system;
Fig. 2 is a generalized diagram of an information packet used in an IP communication;
Fig. 3 is an NAI extension format of an information packet used in an IP communication;
Fig. 4 is a Mobile Node NAI extension format of an information packet used in an IP communication;
Fig. 5 is a Secured Generalized NAI extension format of an information packet used in the present invention;
Fig. 6 is a Secured Mobile Node NAI extension format of an information packet used in the present invention;
Fig. 7 is a diagram of the encryption procedure used in the present invention;
Fig. 8 is a diagram of the decryption procedure used in the present invention; and,
Fig. 9 is a diagram of the key generation procedure used in the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
In Figure 1, the overall architecture of the IP-based mobile system is shown with a Mobile Node 64, a home network 10 and a foreign network 40. As shown in Figure 1, the home network 10 and the foreign network 40 are coupled to the Internet represented by the cloud 35. The home network 10 has a central buss line 20 coupled to the Home Agent 28 via communication link 24. The buss line 20 is coupled to the AAA server 17 via communication link 22. The home network 10 is coupled to the Internet 35 via communication link 30. A communications link is any connection between two or more nodes on a network or users on networks or administrative domains.
The foreign network 40 has a central buss line 50 coupled to the foreign agent 58 via communication link 54. The buss line 50 is coupled to the AAA foreign network server 47 via communication link 52. The foreign network 40 is coupled to the Internet 35 via communication link 37. Mobile Node 64 is shown electronically coupled to the foreign network 40 via the wireless communication link 66 of transceiver 60. Transceiver 60 is coupled to the foreign network 40 via communication link 62. The Mobile Node 64 can communicate with any transceiver 60 or Access Network coupled to the foreign network 40.
The terms Home Agent and Foreign Agent may be defined in the Mobile IP Protocol (RFC 2002), but these agents are not restricted to a single protocol or system. In fact, the term Home Agent, as used in this application, can refer to a Home Mobility Manager, Home Location Register, Home Serving Entity, or any other agent at a home network 10 having the responsibility to manage mobility-related functionality for a Mobile Node 64. Likewise, the term Foreign Agent, as used in this application, can refer to a Serving Mobility Manager, Visited Location Register, Visiting Serving Entity, or any other agent on a foreign network 40 having the responsibility to manage mobility-related functionality for a Mobile Node 64.
In the mobile IP communications system shown in Figure 1, the Mobile Node 64 is identified by a permanent IP address. While the Mobile Node 64 is coupled to its home network 10, the Mobile Node 64 receives information packets like any other fixed node on the home network 10. When mobile, the Mobile Node 64 can also locate itself on foreign network 40. The Mobile Node 64 keeps the Home Agent 28 informed of its current location, or foreign network association, by registering a care-of address with the Home Agent 28. Essentially, the care-of address represents the foreign network 40 where the Mobile Node 64 is currently located. If the Home Agent 28 receives an information packet addressed to the Mobile Node 64 while the Mobile Node 64 is located on a foreign network 40, the Home Agent 28 will "tunnel" the information packet to foreign network 40 for subsequent transmission to Mobile Node 64.
The Foreign Agent 58 participates in informing the Home Agent 28 of the Mobile Node's 64 current care-of address. The Foreign Agent 58 also de-tunnels information packets for the Mobile Node 64 after the information packets have been forwarded to the Foreign Agent 58 by the Home Agent 28. Moreover, the Foreign Agent 58 serves as a default router for out-going information packets generated by the Mobile Node 64 while connected to the foreign network 40.
The Mobile Node 64 also participates in informing the Home Agent 28 of its current care-of address. When the Mobile Node 64 is visiting a foreign network 40, the Mobile Node 64 obtains appropriate information regarding the address of the foreign network 40 and/or the Foreign Agent 58 from an agent advertisement. After obtaining this information, the Mobile Node 64 works with the Foreign Agent 58 to transmit a registration request message to the Home Agent 28.
Mobile IP protocols require that the mobile node register the care-of address with the Home Agent 28 and/or the AAA server 17 on the home network 10 after movement to a new foreign network 40. As part of the registration process, the Mobile Node 64 issues a registration request in response to power-up on the foreign network 40 or receipt of an agent advertisement. The registration request is sent to the Home Agent 28 and/or the AAA server 17 on the home network. A registration request message includes a care-of address for the Mobile Node 64.
A registration reply is issued by the Home Agent 28 to acknowledge receipt of the registration request, confirm receipt of the care-of address for the Mobile Node 64, and indicate completion of the registration process. The care-of address identifies the foreign network 40 where the Mobile Node 64 is located, and the Home Agent 28 uses this care-of address to tunnel information packets to the foreign network 40 for subsequent transfer to the Mobile Node 64. Consistent with normal IP protocols, all communications addressed to the Mobile Node 64 are routed to the Mobile Node's 64 home network 10. After registration is completed, the Home Agent 28 receives this communication and "tunnels" the message to the Mobile Node 64 on the foreign network 40. The Foreign Agent 58 accepts the re-directed communication and delivers the information packet to the Mobile Node 64 through the transceiver 60. In this manner, the information packets addressed to the Mobile Node 64 at its usual address on the home network 10 are re-directed or "tunneled" to the Mobile Node 64 on the foreign network 40. Mobile IP Extensions
AAA servers provide authentication and authorization services for users on their home network 10 and Mobile Node 64 when connected to foreign network 40. AAA servers, such as servers 17 and 47, identify entities on the networks using a Network Access Identifier (NAI) extension found in a registration request message. The NAI extension in this message is typically used to uniquely identify one of the entities in the network (e.g. Mobile Node, Foreign Agent, Home Agent).
In general, extensions are data structures used to support the transmission of variable amounts of information in an information packet, the registration of a Mobile Node, or the AAA functions performed by AAA network servers. An extension defines how information packets are configured in a control message, agent advertisement, registration request, registration reply or information packet transmission. The general format for extensions has been defined in the Mobile IP protocol (RFC 2002) and particular types of extensions have been defined in similar protocols.
The general extension format 100 is shown in Figure 2 in a Type-Length-Data format. As shown in Figure 2, the Type 105 variable (designated by "T") occupies the first 8 bits of the extension, the Length 110 variable (designated by "L") occupies the next 8 bits of the extension, and the Data 115 variable (designated by "D") occupies the remaining bits in the extension. The Type 105 variable indicates the particular type of extension found therein, and the Length 110 indicates the length in bytes of the Data field 115. The Data field 115 may be zero or more bytes in length.
The Network Access Identifier Extension
AAA servers identify mobile nodes or other entities using a Network Access Identifier (NAI) extension found in a registration request message. The general format for an NAI extension 125 is found in Figure 3. This NAI extension 125 consists of a Type 130 variable (designated by "T"), a Length 135 variable (designated by "L"), and a Network Access Identifier Extension 140 (designated by "NAI") data variable. The Type 130 variable in the NAI extension occupies the first 8 bits of the extension. The Length 135 variable occupies the next 8 bits of the NAI extension, and the Length 140 variable identifies the length in bytes of the NAI 140 field. The data variable is the NAI 140 identifier, and that particular data field occupies the remaining bits in the extension.
A Mobile Node NAI (MN-NAI) extension 150, shown in Figure 4, is a particular type of NAI extension found in a registration request message sent from a Mobile Node 64. The MN-NAI extension 150 in Figure 4 contains the user and/or host name following the Type-Length-Data format for extensions. The Type 155 variable (designated by "T") in the NAI extension occupies the first 8 bits of the extension. The Length 160 variable (designated by "L") occupies the next 8 bits of the NAI extension, and the Length 160 variable identifies the length in bytes of the Mobile Node NAI 165 field. The data variable is the Mobile Node NAI 165 identifier (designated by "MN-NAI"), and that particular data field occupies the remaining bits in the extension.
Secured Generalized NAI Extensions (SG-NAI)
In the prior art, unencrypted extensions can expose the identity of a Mobile Node 64 or his home network 10. Sending such information in the public domain can subject authorized users to the following forms of attack: (1) session stealing where a hostile node hijacks the network session from mobile node by redirecting information packets, (2) spoofing where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing information during a session with an authorized user. The present invention protects authorized users from the above-identified security attacks.
A Secured Generalized Network Access Identifier Extension (SG-NAI) 175 is shown in Figure 5. The SG-NAI 175 has a Type-Length-Data format where the Type 180 variable occupies the first 8 bits of the general extension. The Length 145 variable in SG-NAI 175 occupies the next 8 bits of the extension, and the Sub-Type 190 variable occupies the next 8 bits of the SG-NAI extension 175. The Length 185 variable identifies the length of the SG-NAI field 205. The Sub-Type 190 field identifies the particular type of user identified in the NAI field 205. An 8-bit data field 195 is reserved for future use. The 8-bit Type 180 field and Sub-Type 190 field identify the NAI as an SG-NAI extension.
A security parameter index (SPI) 200 occupies the next 32-bit field and identifies a security context between a pair of nodes available in the mobility security association. Each designated security context indicates an authentication algorithm and mode, a public or private key ("secret key"), and a style of replay protection. An SPI 200 is found in all authentication extensions and can be used to authenticate the identity of the mobile node by designating the security protocol (algorithm and keys) to compute the authenticator value. A default authentication algorithm uses keyed-MD5 in "prefix-suffix" mode to compute a 128-bit "message digest" of the registration message used to authenticate the communication.
The SG-NAI 205 is an encrypted 32-bit NAI designation. In the preferred embodiment, encryption is accomplished using an encryption and decryption algorithm that is sufficient to protect relatively brief mobile IP communications. The encryption of SG-NAI 205 protects the identity of the NAI entity and minimizes the security concerns of publicly transmitting the NAI extension. Other portions of the SG-NAI extension can also be encrypted to provide greater security.
Figure 6 shows a Secured Mobile Node NAI 225 extension (SMN-NAI). This extension is an alternative form of the SG-NAI 175 extension which identifies a Mobile Node address. The Type 230, Length 240, and SPI 255 fields correspond and carry out the same functions as the same fields found in the SG-NAI 175 extension of Figure 5. That is, the SMN-NAI extension 175 has a Type-Length-Data format where the Type 230 variable occupies the first 8 bits of the general extension. The Length 240 variable in SMN-NAI 225 occupies the next 8 bits of the extension, and the Sub-Type 245 variable occupies the next 8 bits of the SMN-NAI extension 225. The Length 240 variable identifies the length of the SMN-NAI field 260. The Sub-Type 245 field identifies the particular type of user designated in the NAI field 260. An 8-bit data field 250 is reserved for future use. The 8-bit Type 230 field and Sub-Type 245 field identify the NAI as an SMN-NAI extension 260. A security parameter index (SPI) 200 occupies the next 32-bit field and identifies a security context between a pair of nodes available in the mobility security association.
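The field layout described for Figures 5 and 6, as an added example that is not code from the patent: a serializer and a bounds-checked parser for one SG-NAI/SMN-NAI extension. The Type number is a hypothetical placeholder (the description gives none), Sub-Type 1 is the value the description assigns to an encrypted SMN-NAI, and the example assumes Length counts only the encrypted NAI bytes and that the reserved byte is sent as zero.

```python
import struct

# Hypothetical placeholder: the description does not give the Type number.
SG_NAI_TYPE = 0xF0
# From the description: Sub-Type 1 marks an encrypted Mobile Node NAI (SMN-NAI).
SUBTYPE_SMN_NAI = 1
# Type (8) | Length (8) | Sub-Type (8) | Reserved (8) | SPI (32), network byte order.
HEADER = struct.Struct("!BBBBI")


class ExtensionError(ValueError):
    """Raised when a received extension cannot be parsed safely."""


def pack_sg_nai(sub_type, spi, encrypted_nai):
    """Serialize one extension; Length counts only the encrypted NAI bytes (assumption)."""
    if not 0 <= sub_type <= 0xFF:
        raise ValueError("Sub-Type must fit in 8 bits")
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits")
    if len(encrypted_nai) > 0xFF:
        raise ValueError("NAI field longer than an 8-bit Length can describe")
    header = HEADER.pack(SG_NAI_TYPE, len(encrypted_nai), sub_type, 0, spi)
    return header + bytes(encrypted_nai)


def parse_sg_nai(buf, known_spis):
    """Parse one extension from the front of buf and return its fields.

    known_spis is the set of SPI values for which the receiver holds a
    security context; without one it cannot select keys to decrypt the NAI.
    """
    if len(buf) < HEADER.size:
        raise ExtensionError("truncated header")
    ext_type, length, sub_type, _reserved, spi = HEADER.unpack_from(buf)
    if ext_type != SG_NAI_TYPE:
        raise ExtensionError("not an SG-NAI extension")
    # Never trust Length beyond the bytes actually received.
    if length > len(buf) - HEADER.size:
        raise ExtensionError("Length exceeds received data")
    if spi not in known_spis:
        raise ExtensionError("no security context for SPI 0x%08x" % spi)
    end = HEADER.size + length
    return {
        "sub_type": sub_type,
        "spi": spi,
        "encrypted_nai": bytes(buf[HEADER.size:end]),
        "consumed": end,  # offset of the next extension in the message
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    wire = pack_sg_nai(SUBTYPE_SMN_NAI, 0x00000100, bytes.fromhex("9f3c07aa"))
    print(wire.hex())
    print(parse_sg_nai(wire, {0x00000100}))
```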
The SMN-NAI 225 is an encrypted 32-bit NAI designation for a Mobile Node. This encrypted SMN-NAI 225 can be found in a registration request or reply message. The Sub-Type 245 field has a value of "1" when the NAI field possesses an encrypted SMN-NAI 260 value. Encrypting the MN-NAI will keep the identity of the mobile node secure during a Mobile IP session, and prevent attacks against the integrity of the communication.
The Encryption and Decryption Algorithms
The encryption and decryption algorithms used in the preferred embodiment assume the length of the private key is 64 bits. The encryption algorithm performs an "XOR", or exclusive OR, operation with unencrypted data and a private communication session key. An exclusive OR operation is then performed with the result of that operation and another private communication session key. This XOR procedure is repeated "n" times to produce the encrypted data. In order to provide satisfactory security, the default number of rounds in the encryption process must be at least three rounds.
As also shown in Figure 7, the encryption procedure follows the following formula:
ED = (((X + K1) + K2) + ... + Kn)
In the encryption algorithm, the variables K1, K2, and Kn are private keys for the communication session. The variable X is unencrypted data found in the extension, (e.g. the unencrypted MN-NAI). The variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225. The "+" operator shown above is the exclusive "or" operator; and the "n" variable is the number of rounds, or cycles, the algorithm will execute to encrypt the data "X". Another way of identifying the encryption formula is to designate:
ED = X
for (i = 1; i <= n; i++)
    ED = ED XOR Ki
As described in the prior encryption algorithm, the variables K1, K2, and Kn are private keys for the communication session. The variable X is unencrypted data found in the extension, (e.g. the MN-NAI). The variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225. The "XOR" operator shown above is the exclusive "or" operator; the "i" variable is the particular round of encryption being performed, and the "n" variable is the number of rounds, or cycles, the algorithm will execute to encrypt the data "X".
The decryption procedure reverses the encryption process by performing an XOR operation with the final encrypted data and the same private communication session keys. The XOR exclusive OR operation starts with the encrypted data and the last applied private communication session key. The XOR operation is repeated with the resultant of the prior XOR operation and next to last private communication session key. The XOR operation is repeated using the same private communication session keys in reverse order from the encryption process to produce the unencrypted data.
As shown in Figure 8, the following formula describes the decryption process:
X = (((ED + Kn) + Kn-1) + ... + K1)
In this decryption algorithm, the variables K1, K2, and Kn are the private communication session keys used in the encryption process. The variable X is unencrypted data identifying the NAI extension value, (e.g. the MN-NAI). The variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225. The "+" operator shown above is the exclusive "or" operator; and the "n" variable is the number of rounds, or cycles, the algorithm will execute to encrypt the data "X". Another way of representing the decryption process is as follows:
X = ED
n = N
for (i = 0; i < N; i++)
    X = X XOR Kn-i
As described in the prior decryption algorithm, the variables K1, K2, and Kn are the private session keys used in the encryption process. The variable X is unencrypted data identifying the NAI extension value, (e.g. the MN-NAI). The variable ED is encrypted data to be placed in the SG-NAI 175 or SMN-NAI 225. The "XOR" operator shown above is the exclusive "or" operator; the "i" variable is the particular round of encryption being performed, and the "n" variable is the round, or cycle, of the algorithm.
The private communication session keys used in the encryption and decryption process (e.g. K1, K2) are generated using an eight byte rotational matrix. As shown in Figure 9, an authorized user chooses an input value K as an initial private key. K is transformed into a 64-bit binary representation of K, placed into an eight byte rotational matrix, and the eight bytes representing K are rotated one byte to the left to produce a byte representation for a different number, K1. K1 is used as the first private communication session key, and the eight bytes of K1 are rotated again to produce a byte representation of a different number, K2. K2 is the next private communication session key. This operation is repeated to produce the necessary number of private communication session keys with each rotation producing a different byte representation for the next private key value.
As shown in Figure 9, a rotation matrix (RM) of size 1 × 8 bytes is used to generate the different permutations of the private key values. The variables K1, K2, and Kn are generated using the eight byte rotational operators ROT1, ROT2 to ROTn. Each ROT operation generates a private key that can be used in the encryption and decryption process. The key generation process starts with the value K being input in the rotation operator ROT1, the eight bytes of K are rotated 1 byte to the left, and the resultant is private key K1. K1 is then input in ROT2, the eight bytes of K1 are rotated 1 byte to the left, and the resultant is the private key K2. The procedure is repeated with rotation operators ROTn to generate "n" private keys.
Another manner of representing the private key generation is shown in Figure 9 as follows:
for (j = 0; j < 8; j++)
    Ki[j] = LeftRotate(Ki-1[j], RM[j])
The rotation operator (ROTi) is shown as "LeftRotate". The jth byte of the key Ki-1 is rotated left by the value specified in the jth entry of the rotation matrix (RM). This operation will be repeated until all the necessary private keys are generated, but it is advised that at least three private keys be used in a default encryption and decryption process.
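The key schedule and the n-round XOR procedure described above, as an added example that is not code from the patent. It assumes the whole-key variant (each session key is the previous one rotated one byte to the left) and that the 8-byte key repeats across data longer than 8 bytes. `effective_key` is a check a reviewer of this design would run: XOR is associative, so the n rounds equal a single XOR with K1 XOR ... XOR Kn, and the round count alone does not add strength.

```python
KEY_LEN = 8  # the description assumes a 64-bit private key


def rotate_left_one_byte(key):
    """ROT operator: rotate the 8-byte key one byte to the left."""
    return key[1:] + key[:1]


def session_keys(k, n=3):
    """Return [K1, ..., Kn], each the previous key rotated one byte left."""
    if len(k) != KEY_LEN:
        raise ValueError("initial private key must be 8 bytes")
    if n < 1:
        raise ValueError("at least one round is required")
    keys, prev = [], bytes(k)
    for _ in range(n):
        prev = rotate_left_one_byte(prev)
        keys.append(prev)
    return keys


def xor_with_key(data, key):
    """XOR data with key; the key repeats past 8 bytes (assumption)."""
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def encrypt(x, k, n=3):
    """ED = (((X xor K1) xor K2) ... xor Kn)."""
    ed = bytes(x)
    for ki in session_keys(k, n):
        ed = xor_with_key(ed, ki)
    return ed


def decrypt(ed, k, n=3):
    """X = (((ED xor Kn) xor Kn-1) ... xor K1), keys in reverse order."""
    x = bytes(ed)
    for ki in reversed(session_keys(k, n)):
        x = xor_with_key(x, ki)
    return x


def effective_key(k, n=3):
    """Single 8-byte value K1 xor ... xor Kn that all n rounds reduce to."""
    eff = bytes(KEY_LEN)
    for ki in session_keys(k, n):
        eff = xor_with_key(eff, ki)
    return eff


if __name__ == "__main__":
    # Constructed sample key and NAI, not taken from the patent.
    k = bytes.fromhex("0123456789abcdef")
    nai = b"user@home.example"
    ed = encrypt(nai, k, 3)
    print("K1..K3      :", [ki.hex() for ki in session_keys(k, 3)])
    print("ciphertext  :", ed.hex())
    print("round trip  :", decrypt(ed, k, 3) == nai)
    # The three rounds are one XOR with the effective key.
    print("one XOR     :", ed == xor_with_key(nai, effective_key(k, 3)))
    # With 8 rounds every key byte position sees all 8 key bytes, so the
    # effective key is one byte value repeated; with 16 rounds each rotation
    # is applied twice and the output equals the input.
    print("n=8 eff key :", effective_key(bytes.fromhex("a1b2c3d4e5f60718"), 8).hex())
    print("n=16 output :", encrypt(nai, k, 16) == nai)
```

Because the rotation has period 8, round counts that are multiples of 8 are degenerate cases, which matters when a design leaves the number of rounds configurable.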
While the invention has been particularly shown and described with respect to preferred embodiments, it will be readily understood that minor changes in the details of the invention may be made without departing from the spirit of the invention. Having described the invention, we claim:

Claims

1. A communication system, comprising: a home network having a home agent coupled to a home network server computer; a foreign network having a foreign agent coupled to a foreign network server computer, the foreign network having a mobile node located thereon; an information packet transmitted on the communication system having a network access identifier extension that is encrypted using a security encryption algorithm.
2. The communication system of Claim 1, wherein the network access identifier designates the mobile node.
3. The communication system of Claim 1, wherein the network access identifier designates the home agent.
4. The communication system of Claim 1, wherein the network access identifier is encrypted by: generating a plurality of private key permutations from an initial private key value, setting the network access identifier as a first data value, operating on the first data value with one of the plurality of private key permutations beginning with a first private key permutation to produce a new first data value, setting the new first data value as the first data value, continuing to operate on the first data value with each one of the remaining permutation keys until the last permutation key, setting the result of the last operation between the first data value and the last private key permutation as the encrypted network access identifier to be transmitted on the communication system.
5. The communication system of Claim 1, wherein the transmitted network access identifier is decrypted by: setting the encrypted network access identifier transmitted on the system as a second data value, operating on the second data value with one of the plurality of private key permutations beginning with the last private key permutation to produce a new second data value, setting the new second data value as the second data value, continuing to operate on the second data value with each one of the remaining permutation keys continuing backwards until the first key permutation, using the result of the last operation between the second data value and the first private key permutation to produce an unencrypted network access identifier.
6. The communication system of Claim 1, wherein the plurality of private key permutations are generated by: providing a rotation matrix with a data representation of the initial private key, generating an initial one of the plurality of private key permutations by rotating the data representation of the previous private key, generating the remainder of the plurality of private key permutations by rotating the data representation of the prior private key value.
7. The communication system of Claim 6, wherein the rotation matrix is 8 bytes in length.
8. The communication system of Claim 6, wherein the private key is 8 bytes in length.
9. The communication system of Claim 6 wherein rotating the data representation further comprises left rotating one byte of the previous private key value.
10. A method for encrypting and decrypting a first data value, comprising the steps of: generating a plurality of private key permutations from a first private key value, encrypting a first data value by: setting an encrypted data value as the first data value, operating on the encrypted data value with the one of the plurality of private key permutations beginning with the first private key permutation and continuing in order until the last private key permutation, and storing the result of the last operation as the encrypted data value; decrypting the encrypted data value by: setting a decrypted data value as the encrypted data value, and operating on the decrypted data value with one of the plurality of private key permutations beginning with the last private key permutation and continuing backwards until the first key value, and storing the result of the operation as the first data value.
11. The method of Claim 10, wherein operating on the first data value with the one of the plurality of private key permutations further comprises performing an exclusive OR logic operation.
12. The method of Claim 11, wherein generating the plurality of private key permutations from the private key comprises the steps of: providing a first private key value in a rotation matrix, setting a previous key value as the first private key value, generating the one of the plurality of private key permutations by rotating a data representation of the previous key value, and generating the remainder of the plurality of private key permutations by setting the previous key value to the generated one of the plurality of private key permutations and rotating the data representation of the previous key value.
13. The method of Claim 12, wherein the private key is 8 bytes in length.
14. The method of Claim 12, wherein the rotation matrix is 8 bytes in length.
15. The method of Claim 12, wherein rotating the previous key value further comprises left rotating a byte of the previous private key value.
16. A method for securely transmitting an address identifier over a communication network, comprising: providing a first address identifier for transmission over the communication network, generating a plurality of private key permutations from a private key value, operating on the first address identifier with one of the private key permutations to produce an encrypted data value, continuing to operate on the result on the prior operation with the remainder of the permutation keys to produce an encrypted data value, and transmitting the encrypted data value over the network.
17. The method of Claim 16, wherein the first address identifier is encrypted by: setting an encrypted data value as the first address identifier value, operating on the encrypted data value with the one of the plurality of private key permutations beginning with the first private key permutation and continuing in order until the last private key permutation and resetting the encrypted data value as the value obtained from the prior operation, and storing the result of the last operation as the encrypted data value for subsequent transmission over the communication network.
18. The method of Claim 16, further comprising: receiving the encrypted data value transmitted over a communication network, and operating on the encrypted data value with a plurality of private key permutations to produce a decrypted data value that equals the first data value.
19. The method of Claim 18, wherein the first address identifier is decrypted by: setting a decrypted data value to the encrypted data value, operating on the decrypted data value with one of the plurality of private key permutations beginning with the last private key permutation and continuing backwards until the first key permutation and resetting the decrypted data value as the value obtained from the result of the prior operation, and storing the result of the last operation as the first address identifier.
20. The method of Claim 16, wherein the first address identifier designates the address of a mobile node.
21. The method of Claim 16, wherein the first address identifier designates the address of the home network.
PCT/US2001/011280 2000-04-12 2001-04-06 Security encrypted network access identifier for ip mobility systems WO2001080520A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001253217A AU2001253217A1 (en) 2000-04-12 2001-04-06 Security encrypted network access identifier for ip mobility systems

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US19663100P 2000-04-12 2000-04-12
US60/196,631 2000-04-12

Publications (2)

Publication Number Publication Date
WO2001080520A2 true WO2001080520A2 (en) 2001-10-25
WO2001080520A3 WO2001080520A3 (en) 2002-02-07

Family

ID=22726189

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/011280 WO2001080520A2 (en) 2000-04-12 2001-04-06 Security encrypted network access identifier for ip mobility systems

Country Status (2)

Country Link
AU (1) AU2001253217A1 (en)
WO (1) WO2001080520A2 (en)

Also Published As

Publication number Publication date
WO2001080520A3 (en) 2002-02-07
AU2001253217A1 (en) 2001-10-30

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP