Title: Authenticating a device in a network
Abstract: There is disclosed a system for authentication of a device in a network by establishing a second security context between the device and a serving network node when a first security context has previously been established, assisted by an authentication server, based on a random value and a secret shared between an identity module associated with the device and the authentication server. First re-use information from the establishment of the first security context is stored at the authentication server and at the device, the first re-use information enabling secure generation of the second security context from the random value and the secret. Second re-use information may be generated or stored at the device. A context regeneration request is generated at the device, the context regeneration request being authenticated at least partly based on the secret. The context regeneration request is sent to the serving network node, which sends it on to the authentication server. The context regeneration request is verified at the authentication server. The second security context is generated at the authentication server based on at least the secret, the random value, and the first and second re-use information. The second security context is communicated from the authentication server to the serving network node.
Publication number: US9407616 (B2)    Publication date: 2016.08.02
Application number: US201114113047    Filing date: 2011.04.27
Applicant: Telefonaktiebolaget LM Ericsson (publ)    Inventors: Norrman Karl; Blom Rolf; Näslund Mats
Classification: G06F7/04; G06F15/16; G06F17/30; H04L29/06; H04W12/06    Main classification: G06F7/04
Agent firm: Murphy, Bilak & Homiller, PLLC    Agent: Murphy, Bilak & Homiller, PLLC
Main claim: 1. A serving network node, comprising:
a communications unit for sending and receiving data;
a storage unit for storing data; and
a control unit for controlling operation of the communications unit and storage unit;
wherein:
the communications unit is configured to communicate with a device in the network and an authentication server to establish a first security context for the device based on a random value and a secret shared between an identity module associated with the device and the authentication server;
the storage unit is configured to store the first security context or a cryptographic key associated therewith;
the control unit is configured, after a period of time, to instruct the storage unit to delete at least some of the first security context and/or the cryptographic key;
the communications unit is configured to receive a context regeneration request from the device after the cryptographic key and/or at least some of the first security context has been deleted, the context regeneration request having been generated by the device and authenticated at least partly based on the secret;
the communications unit is configured to send the context regeneration request to the authentication server and to receive at least a second security context from the authentication server in response; and
the control unit is configured to use the second security context to protect data exchanged with the device;
wherein the storage unit is configured to store at least one of the random number and the first re-use information when the first security context is stored, the storage unit is configured to not delete the random number and/or first re-use information when the first security context and/or cryptographic key is deleted, and the control unit is configured to add the random number and/or first re-use information to the context regeneration request before it is sent to the authentication server.
Address: Stockholm, SE
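The exchange described in the abstract and claim 1, as an added illustration that is not part of the patent record and not Ericsson's code: a device, a serving node and an authentication server establish a first context from a random value and a shared secret; the serving node later deletes the context but keeps the random value and first re-use information; the device then sends a regeneration request authenticated with the shared secret, the serving node appends the retained values, and the server verifies the request and derives the second context. The patent does not specify the derivation function or the form of the re-use information, so the following are assumptions made for this example only: HMAC-SHA256 stands in for the key derivation, the first re-use information is a server-chosen salt, the second re-use information is a device-chosen nonce, and the server rejects a repeated nonce so that a captured regeneration request cannot be replayed.

```python
import hashlib
import hmac
import os


def kdf(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed stand-in for the
    unspecified key derivation of the patent)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()


class AuthServer:
    """Holds the shared secret K per device, plus rand and first re-use info."""

    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)   # device id -> K
        self.stored = {}                       # device id -> (rand, reuse1)
        self.seen_reuse2 = {}                  # device id -> accepted reuse2 values

    def establish_first_context(self, dev_id):
        k = self.subscribers[dev_id]
        rand = os.urandom(16)                  # the random value of the abstract
        reuse1 = os.urandom(8)                 # first re-use information (assumed: a salt)
        ctx1 = kdf(k, b"ctx1", rand, reuse1)
        self.stored[dev_id] = (rand, reuse1)
        self.seen_reuse2[dev_id] = set()
        return rand, reuse1, ctx1

    def regenerate(self, request):
        dev_id = request["dev"]
        k = self.subscribers[dev_id]
        rand, reuse1 = self.stored[dev_id]
        # The serving node appended its retained rand/reuse1; they must match ours.
        if request["rand"] != rand or request["reuse1"] != reuse1:
            raise ValueError("re-use information mismatch")
        # Authenticate the request with the shared secret (constant-time compare).
        expected = kdf(k, b"regen", rand, reuse1, request["reuse2"])
        if not hmac.compare_digest(expected, request["mac"]):
            raise ValueError("bad request MAC")
        # A reused reuse2 would re-derive an old context: treat it as a replay.
        if request["reuse2"] in self.seen_reuse2[dev_id]:
            raise ValueError("replayed regeneration request")
        self.seen_reuse2[dev_id].add(request["reuse2"])
        return kdf(k, b"ctx2", rand, reuse1, request["reuse2"])


class Device:
    """The device with its identity module holding K."""

    def __init__(self, dev_id, k):
        self.dev_id, self.k = dev_id, k
        self.rand = self.reuse1 = self.ctx = None

    def accept_first_context(self, rand, reuse1):
        self.rand, self.reuse1 = rand, reuse1   # first re-use info kept at the device
        self.ctx = kdf(self.k, b"ctx1", rand, reuse1)

    def make_regeneration_request(self):
        reuse2 = os.urandom(8)                  # second re-use info, generated here
        mac = kdf(self.k, b"regen", self.rand, self.reuse1, reuse2)
        self.ctx = kdf(self.k, b"ctx2", self.rand, self.reuse1, reuse2)
        return {"dev": self.dev_id, "reuse2": reuse2, "mac": mac}


class ServingNode:
    """Deletes contexts after a while but retains rand/reuse1 (claim 1)."""

    def __init__(self, auth):
        self.auth, self.ctx, self.reuse = auth, {}, {}

    def attach(self, device):
        rand, reuse1, ctx1 = self.auth.establish_first_context(device.dev_id)
        device.accept_first_context(rand, reuse1)
        self.ctx[device.dev_id] = ctx1
        self.reuse[device.dev_id] = (rand, reuse1)

    def expire_context(self, dev_id):
        del self.ctx[dev_id]                    # rand and reuse1 survive deletion

    def handle_regeneration(self, request):
        rand, reuse1 = self.reuse[request["dev"]]
        ctx2 = self.auth.regenerate(dict(request, rand=rand, reuse1=reuse1))
        self.ctx[request["dev"]] = ctx2
        return ctx2


def run_demo():
    """Full exchange; returns the checks a verifier would want to see."""
    k = os.urandom(32)
    auth, dev = AuthServer({"dev-A": k}), Device("dev-A", k)
    node = ServingNode(auth)
    node.attach(dev)
    ctx1 = dev.ctx
    first_matches = node.ctx["dev-A"] == ctx1
    node.expire_context("dev-A")
    req = dev.make_regeneration_request()
    ctx2 = node.handle_regeneration(req)
    second_matches = ctx2 == dev.ctx and ctx2 != ctx1
    rejected = []
    for bad in (req, dict(req, reuse2=os.urandom(8))):   # replay, then tampered
        try:
            node.handle_regeneration(bad)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return {"first_matches": first_matches, "second_matches": second_matches,
            "replay_rejected": rejected[0], "tamper_rejected": rejected[1]}


if __name__ == "__main__":
    print(run_demo())
```

The serving node never learns K: it only stores the random value and first re-use information and forwards the device's authenticated request, so a compromise of the serving node after deletion yields neither the old context nor the means to mint a new one. The replay set is the example's own addition; a deployment would need an equivalent freshness check (a counter or the server's own nonce) or a captured request could be resubmitted to re-derive a context the device already holds.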