Security for a non-3GPP access to an evolved packet system

摘要

A home subscriber server (400) receives a request for authentication information from an authentication server (300) and transforms cryptographic keys for a user equipment (100) into access specific cryptographic keys based on an identity of an authenticator (200) controlling access from the user equipment (100) to an EPS network, and generates the authentication information including the access specific cryptographic keys and a separation indicator which is set. The user equipment (100) checks whether the separation indicator included in the authentication information is set, and if the separation indicator is set, transforms cryptographic keys into access specific cryptographic keys based on the identity of the authenticator (200), and computes a key specific to an authentication method from the access specific cryptographic keys.

主权项

1. An apparatus, configured to:
check whether a separation indicator included in authentication information is set, the authentication information being received during authentication between the apparatus and a core network using an extensible authentication protocol method for authentication and key agreement, the separation indicator indicating whether or not the core network is an evolved packet system network; if the separation indicator is set, use a key derivation function to transform available cryptographic keys for the apparatus into new cryptographic keys, with the available cryptographic keys and an identifier of an access network via which the apparatus and the core network are communicating being inputs into the key derivation function; and compute a key to be used in the extensible authentication protocol method from the new cryptographic keys.