10/29/09 - USPTO Class 713 | #20090271626

Methods and devices for establishing security associations in communications systems

USPTO Application #: 20090271626
Title: Methods and devices for establishing security associations in communications systems
Abstract: A method of providing secure communications between a base station, a relay station, and a mobile station in a communication network includes authenticating the mobile station over the communication network; generating, by the base station, security material, wherein the security material comprises at least one of a traffic encryption key (TEK) and a message authentication code key (MACK); transmitting, by the base station, the security material to the mobile station; and transmitting, by the base station, the security material to the relay station.



Agent: Finnegan, Henderson, Farabow, Garrett & Dunner LLP - Washington, DC, US
Inventors: Jui-Tang WANG
USPTO Application #: 20090271626 - Class: 713170 (USPTO)



The Patent Description & Claims data below is from USPTO Patent Application 20090271626, Methods and devices for establishing security associations in communications systems.

PRIORITY

This application claims the benefit of priority of U.S. Provisional Application No. 60/969,773, filed Sep. 4, 2007; U.S. Provisional Application No. 60/981,767, filed Oct. 22, 2007; and U.S. Provisional Application No. 60/985,538, filed Nov. 5, 2007, all of which are incorporated by reference herein in their entirety for any purpose.

TECHNICAL FIELD

The present disclosure relates to the field of communications and, more particularly, to systems and methods for establishing security associations in a communication system.

BACKGROUND

Conventional wireless network environments connect mobile electronic devices to a service provider. More specifically, WiMAX (Worldwide Interoperability for Microwave Access) network environments connect a client device, through intermediate connections, to, for example, the Internet. WiMAX is a wireless networking technology that provides communication to wireless devices over significant distances. Authentication and reauthentication delays, however, can slow communication with the client device and decrease the efficiency of a WiMAX environment.

FIG. 1 is a block diagram of an exemplary prior art wireless communication system for use in an IEEE 802.16d/802.16e WiMAX wireless communication system. Access to Internet 100 is provided to at least one connectivity service network (CSN) 102, using at least one authentication, authorization, and accounting (AAA) server 104. CSN 102 is connected to gateways (GWs) 106 and 108. Gateways 106 and 108 are each a type of communication network authenticator and are typically connected to several base stations (BSs) 110-115, the number of such BSs depending on network demands in a given area, though a gateway may instead be connected to only a single base station. Only two gateways 106 and 108 are shown, but it is possible to have greater or fewer gateways depending on the number of required base stations.

In FIG. 1, six base stations are shown as an exemplary WiMAX environment, but greater or fewer base stations may be provided depending on the number of available gateways and the network demands in the WiMAX environment. Base stations, such as base station 110 and base station 114, communicate with one or more client devices. Client devices include mobile stations (MSs), such as mobile stations 120, 122 and 124, to which the base stations provide wireless network service, and subscriber stations (SSs), such as subscriber stations 126 and 128, to which base stations provide wired or wireless network service. The network needs of several client devices may be satisfied by a single base station, and a single base station may satisfy the network needs of both mobile stations and subscriber stations.

In the conventional WiMAX environment, such as that shown in FIG. 1, each time mobile station 120 is initially served by a gateway, e.g., gateway 106, via an associated base station, e.g., base station 110, it is necessary to authenticate mobile station 120. Following such authentication, so long as mobile station 120 moves in areas that enable continued service via the original authenticating gateway, no further gateway authentication is required. However, if mobile station 120 moves to an area served by a different gateway, e.g., gateway 108, mobile station 120 is handed over to the different gateway, so that it is necessary for that different gateway to reauthenticate mobile station 120 as part of the handoff processing before service may be provided. After a client device has been authenticated or reauthenticated, security associations, or the sharing of security information between two network entities such as mobile station 120 and base station 110, are established to ensure that communications between the two entities are secure.

Authentication protocol standards have been created to standardize advanced authentication techniques. These standardized protocols may include, for example, IEEE 802.1X authentication, the extensible authentication protocol (EAP) method for global system for mobile communications (GSM) subscriber identity (EAP-SIM), the extensible authentication protocol method for universal mobile telecommunications systems (UMTS) authentication and key agreement (EAP-AKA), and/or a combination of the extensible authentication protocol (EAP) and the remote authentication dial-in user service (RADIUS) protocol. In addition, standardized handshake protocols, such as security association signaling protocols, e.g., security association and traffic encryption key (SA-TEK) 3-way handshakes and traffic encryption key (TEK) 3-way handshakes, may be used to establish security associations over a communication link.

In IEEE 802.16d/802.16e WiMAX wireless communication systems, these standardized techniques are performed between a base station and a mobile station. Each standardized authentication technique requires multiple transmissions, which consume authentication time and processing overhead.

FIG. 2 is a signaling diagram of exemplary prior art authentication and authorization in an IEEE 802.16d and 802.16e WiMAX wireless communication system. An initialization process 200 is used to ensure that a mobile station requesting network service is authorized to access the network and to provide a security association between mobile stations and base stations to allow secure message transmission. For example, initialization process 200 may be used to provide a security association between mobile station 120 just after it moved into the range of base station 111 after previously being within the range of base station 110.

In the first step of initialization process 200, mobile station 120 is wirelessly connected to base station 111 through the link-up process 202, which includes, for example, a ranging request and a ranging response. Mobile station 120 must then go through a multi-step process of authentication such as IEEE 802.1X full authentication 206 with AAA server 104 through gateway 106. Then AAA server 104 computes a master session key (MSK) 208 for mobile station 120 and transfers MSK 208 to gateway 106, which stores MSK 208 in its cache. The product of authentication through, for example, the EAP method or another authentication method is the transfer of MSK 208, which is known to AAA server 104, gateway 106, and mobile station 120. Gateway 106 will generate a pairwise master key (PMK) 210 and an authentication key (AK) 212 for mobile station 120, and transfer AK 212 to base station 111.

Mobile station 120 may also independently hold and store MSK 208 in its memory and may generate AK 212. Then base station 111 may perform the SA-TEK 3-way handshake procedure 214 to confirm that the AK held by mobile station 120 is the same AK 212 held by base station 111. Using AK 212, commonly held by base station 111 and mobile station 120, base station 111 and mobile station 120 may each calculate a common message authentication code key (MACK) 224 and a common key encryption key (KEK) 220. MACK 224 may identify an authenticated message generated by mobile station 120 and base station 111. KEK 220 may protect transmission of traffic encryption keys from base station 111 to mobile station 120. Base station 111 and mobile station 120 may perform SA-TEK 3-way handshake procedure 214 using MACK 224 to authenticate each other. When SA-TEK 3-way handshake procedure 214 has been successfully completed, base station 111 may generate a traffic encryption key (TEK) 222 and then carry out a TEK 3-way handshake procedure 216 with KEK 220 to establish a security association with mobile station 120. TEK 222 is typically randomly generated by base station 111 and is used to encrypt data transmitted between mobile station 120 and base station 111 after mobile station 120 has been authenticated and authorized to access the network. SA-TEK 3-way handshake 214 and TEK 3-way handshake 216 are well known in the art and will not be discussed further.

In initialization process 200 for use in IEEE 802.16d and 802.16e WiMAX wireless communication systems as shown in FIG. 2, base station 111 controls whether data transmission occurs over the channel between base station 111 and mobile station 120 because base station 111 and mobile station 120 both hold the same TEK 222, KEK 220, and AK 212, from which MACK 224 can be derived. After mobile station 120 has established a security association with base station 111, or, in other words, after mobile station 120 has been granted permission to communicate over the network, encrypted data transmission occurs between mobile station 120 and base station 111 using TEK 222.
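The key hierarchy and handshakes of FIG. 2, as an added worked model (not code from the application or from any IEEE 802.16 implementation): both sides derive AK from the MSK, then MACK and KEK from AK; the SA-TEK handshake proves both hold the same AK, and the BS-generated TEK travels wrapped under KEK. The KDF (counter-mode HMAC-SHA256) and the XOR key wrap are simplified stand-ins for the standard's Dot16KDF and KEK key wrap, and the identities `MS-120` / `BS-111` are constructed labels.

```python
import hmac, hashlib, secrets

def kdf(key, label, length):
    # Counter-mode HMAC-SHA256 expansion; a stand-in for the standard's Dot16KDF (assumption)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def derive_ak(msk, ms_id, bs_id):
    pmk = msk[:20]                                   # PMK: truncation of the EAP-produced MSK
    return kdf(pmk, ms_id + bs_id + b"AK", 20)       # AK bound to this MS/BS pair

def derive_mack_kek(ak, ms_id, bs_id):
    keys = kdf(ak, ms_id + bs_id + b"MACK+KEK", 32)
    return keys[:16], keys[16:]                      # (MACK, KEK), both derived from AK

def tag(mack, msg):
    return hmac.new(mack, msg, hashlib.sha256).digest()[:8]

def sa_tek_handshake(bs_mack, ms_mack):
    # 3-way handshake: BS nonce, MS request tagged with its MACK, BS response tagged with its MACK
    nonce = secrets.token_bytes(8)
    request = b"SA-TEK-REQUEST" + nonce
    if not hmac.compare_digest(tag(ms_mack, request), tag(bs_mack, request)):
        return False                                 # BS rejects: MS holds a different AK
    response = b"SA-TEK-RESPONSE" + nonce
    return hmac.compare_digest(tag(bs_mack, response), tag(ms_mack, response))  # MS verifies BS

def wrap_tek(kek, tek, nonce):
    # XOR with a KEK-derived keystream; stand-in for the standard's KEK key wrap (assumption)
    ks = kdf(kek, b"TEK-WRAP" + nonce, len(tek))
    return bytes(a ^ b for a, b in zip(tek, ks))

def tek_handshake(bs_kek, ms_kek):
    tek = secrets.token_bytes(16)                    # BS picks the TEK at random
    nonce = secrets.token_bytes(8)
    wrapped = wrap_tek(bs_kek, tek, nonce)           # sent to the MS (and, per the disclosure, the RS)
    return tek, wrap_tek(ms_kek, wrapped, nonce)     # TEK as the MS recovers it

def establish(bs_msk, ms_msk, ms_id=b"MS-120", bs_id=b"BS-111"):
    # Each side derives AK -> (MACK, KEK) from the MSK it holds; no key is ever sent in the clear
    bs_mack, bs_kek = derive_mack_kek(derive_ak(bs_msk, ms_id, bs_id), ms_id, bs_id)
    ms_mack, ms_kek = derive_mack_kek(derive_ak(ms_msk, ms_id, bs_id), ms_id, bs_id)
    if not sa_tek_handshake(bs_mack, ms_mack):
        return False, False
    tek, recovered = tek_handshake(bs_kek, ms_kek)
    return True, hmac.compare_digest(tek, recovered)
```

A mismatched MSK (for example, a stale key after a handoff to a gateway that has not reauthenticated the MS) fails at the SA-TEK step, before any TEK is issued.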

Referring again to FIG. 1, in operation, the strength of the signal and transmission quality may decrease as the network signal travels from gateway 106 or gateway 108 to base stations 110-115 to client devices 120, 122, 124, 126, and 128. Additionally, the signal and transmission quality decrease as a mobile station travels further from its serving base station. Signal quality and coverage may also be affected by factors such as physical structures, signal interferences, weather and transmission conditions and formats. Therefore, coverage gaps or holes may exist and users in those areas may have limited or no network access.

One solution to avoid or reduce coverage gaps is to provide more base stations, but this solution can be costly. Alternatively, a network may avoid or reduce coverage gaps and/or extend its network coverage by using relay stations (RSs), such as those implementing the concept of multi-hop relaying (MR) as set forth in IEEE 802.16j. Base stations communicate with these relay stations, which boost and relay signals to and from mobile stations and base stations, but otherwise are not involved in authentication and/or establishing security associations.

FIG. 3 is a block diagram of an exemplary prior art wireless communication system for use in an IEEE 802.16j WiMAX wireless communication system with MR architecture. Similar to the IEEE 802.16d and 802.16e WiMAX wireless communication systems, access to Internet 100 is provided through at least one AAA server, such as AAA server 104, and via at least one gateway, such as gateway 106. For convenience, Internet 100, CSN 102, AAA server 104 and gateway 106 are referred to as core network 300. Network 300, and specifically, gateway 106, typically communicates with base stations 310-313 over a wired connection.

Four base stations 310-313 are shown in FIG. 3, but greater or fewer base stations may be provided. Base stations, such as base station 310, may communicate directly with one or more mobile stations, such as mobile station 320, via wireless transmission. Base stations, such as base station 311 and base station 312, may communicate indirectly with one or more mobile stations, such as mobile stations 322, 324, and 326. Base stations typically communicate with one or more relay stations, such as relay stations 328, 330, and 332, via wireless transmission, but they may also communicate over wired connections. Relay stations 328, 330, and 332 boost and relay the signal to/from mobile station 322 via wireless transmission. As shown, relay stations 328, 330, and 332 are fixed relay stations. However, base stations may also communicate with mobile relay stations (MRSs), such as mobile relay station 334. A mobile relay station could reside, for example, on a train, plane or automobile and provide its passengers having mobile stations with mobile network access to various base stations and/or relay stations as the mobile relay station travels. As shown in FIG. 3, mobile relay station 334 provides wireless service to mobile stations 324 and 326, but the network needs of only one mobile station, or of several mobile stations, may be satisfied by a single mobile relay station. Although not shown, base stations, such as base stations 310-313, may also communicate with one or more subscriber stations. The network needs of several client devices, therefore, may be satisfied by a single base station either directly or through one or more relay stations. Moreover, relay stations 328, 330, and 332 may provide wireless service to additional relay stations, additional mobile relay stations, and/or additional mobile stations.

In some applications, the use of relay stations may increase the need for station-to-station (base/relay) handoffs and may require increased processing overhead for such handoffs due to the limited coverage areas of each relay station (including mobile relay stations). In addition, when secure communications are involved, the handoff process from one base/relay station to another base/relay station may require additional overhead and reduce efficiency, bandwidth, or quality of the communication connection.

The disclosed embodiments are directed to overcoming one or more of the problems set forth above.

Industry Class:
Electrical computers and digital processing systems: support