(12) United States Patent
Cheng et al.

(10) Patent No.: US 6,418,130 B1
(45) Date of Patent: Jul. 9, 2002

(54) REUSE OF SECURITY ASSOCIATIONS FOR IMPROVING HAND-OVER PERFORMANCE

(75) Inventors: Yi Cheng, Solna; Lars Björup, Stockholm; Martin Jakob Rinman, Täby; Karl Dan Gustav Jerrestam, Johanneshov, all of (SE)

(73) Assignee: Telefonaktiebolaget L M Ericsson (publ), Stockholm (SE)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/234,512
(22) Filed: Jan. 21, 1999

Related U.S. Application Data
(60) Provisional application No. 60/115,349, filed on Jan. 8, 1999.

(51) Int. Cl.7 ........ H04M 1/66
(52) U.S. Cl. ........ 370/331; 455/411; 455/410; 370/328; 370/338; 380/247
(58) Field of Search ........ 370/328, 338, 370/331; 455/410, 411; 380/247

(56) References Cited

U.S. PATENT DOCUMENTS

5,081,679 A      1/1992   Dent
5,243,653 A      9/1993   Malek et al.
5,293,423 A      3/1994   Dahlin et al.
5,444,766 A *    8/1995   Farwell et al. ........ 455/437
5,546,464 A      8/1996   Raith et al.
5,778,075 A *    7/1998   Haartsen ........ 375/138
6,253,321 B1 *   6/2001   Nikander et al. ........ 713/160

FOREIGN PATENT DOCUMENTS

WO   WO 0139538 *   §/2001 ........ H04Q/7/38

* cited by examiner

Primary Examiner: Hassan Kizou
Assistant Examiner: Tim Spafford
(74) Attorney, Agent, or Firm: Burns, Doane, Swecker & Mathis, L.L.P.

(57) ABSTRACT

In a radio telecommunication system, the performance of a mobile unit can be significantly improved during a hand-over procedure by reusing existing security associations that correspond to the mobile unit. By reusing existing security associations, a mobile unit can begin secure communications immediately following the hand-over. Otherwise, and in accordance with conventional practice, the mobile unit will have to undertake the time consuming task of renegotiating the required security associations, before it can begin transmitting and receiving secure communications.

35 Claims, 5 Drawing Sheets

Ex. 1015
Apple v. MPH Techs. Oy
IPR2019-00819
`
`
`
[Drawing sheets 1 to 5 of 5 (FIGS. 1 to 5), not reproduced. Sheet 1: FIG. 1, with reference numerals 101, 105 and 110. Sheet 2: reference numerals 201, 205 and 215.]
`
`
`
`
`
REUSE OF SECURITY ASSOCIATIONS FOR IMPROVING HAND-OVER PERFORMANCE

This application claims priority under 35 U.S.C. §§119 and/or 365 to U.S. Provisional Application No. 60/115,349 filed in the United States on Jan. 8, 1999; the entire content of which is hereby incorporated by reference.

FIELD OF THE INVENTION

The present invention involves wireless telecommunication systems and/or networks, such as wireless local area networks (LANs) and Mobile Internet Protocol (IP) systems. More particularly, the present invention involves the reuse of security associations when a mobile unit or mobile terminal undergoes handover from one stationary unit in the network to another.

BACKGROUND

With the rapid development of wireless and mobile communication technologies, communication security issues, such as user authentication, traffic privacy and message integrity have become important concerns. In response, a number of Internet Engineering Task Force (IETF) security protocol standards, such as the Internet Key Exchange (IKE) protocol, the Internet Security Association and Key Management Protocol (ISAKMP), and the Internet Protocol Security (IPsec), are now employed in various wireless LAN and Mobile IP environments.

The IKE protocol was designed to provide a mechanism for two or more communicating parties, such as a mobile unit (MU) and a network stationary unit (SU), to negotiate various security services and security associations. A security service is a method or means for providing protection for the communication between the two or more parties, whereas, a security association (SA) is a relationship between the two or more communicating parties which defines how the parties will execute the agreed upon security services. A security association is actually defined by a set of attributes, such as an authentication algorithm, an authentication key, an encryption algorithm, an encryption key, and a SA lifetime, which represents the period of time during which the corresponding SA is valid. As one skilled in the art will appreciate, the SAs must be negotiated and in place before the two or more parties can begin secure communications.

The procedure for negotiating security services and SAs in accordance with the IKE protocol is accomplished in two phases. In a first phase (i.e., phase 1), the communicating parties negotiate the ISAKMP SA. The ISAKMP SA is defined by a set of basic security attributes which provide protection for subsequent ISAKMP exchanges. In a second phase (i.e., phase 2), and under the protection of the ISAKMP SA, the communicating parties negotiate the IPsec SAs associated with the IPsec authentication header (AH) protocol and/or the IPsec encapsulating security payload (ESP) protocol. The IPsec protocols provide security services for communications at the IP layer. As is known in the art, a specific IPsec SA is uniquely defined by a security parameter index (SPI), a destination IP address, and an IPsec protocol (i.e., AH or ESP).

Because the SAs (i.e., the ISAKMP SA and the IPsec SAs) are bound to the negotiating parties, the SAs are renegotiated whenever a mobile unit moves from one access point to another in a wireless LAN environment, or from one foreign agent to another in a mobile IP context. However, the IKE negotiation process is computationally intensive, particularly phase 1. This is especially troublesome in wireless LAN and mobile IP applications where the mobile unit is frequently undergoing hand-over from one SU to another and where the MU has limited computational power. Under such conditions, overall system performance will be exceptionally low since a significant amount of time must be spent renegotiating SAs rather than communicating.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a technique which improves the performance of a mobile unit (MU) in a wireless LAN or mobile IP environment, particularly during hand-over. The present invention accomplishes this by reusing rather than renegotiating the security associations (SAs) corresponding to the MU once the MU is handed-over. By reusing the SAs, less time is spent negotiating SAs. Consequently, a MU can begin secure communications almost immediately upon being handed-over from one SU to another SU.

Accordingly, it is an objective of the present invention to provide a more efficient way to utilize SAs during hand-over.

It is another objective of the present invention to reduce and/or minimize the latency period between the time a MU is handed-over to a stationary unit and the time the MU can begin secure communications with that stationary unit.

It is yet another objective of the present invention to generally improve the performance of a MU through seamless hand-over.

It is still another objective of the present invention to maintain a required level of performance without sacrificing communication security.

In accordance with one embodiment of the present invention, the above-identified and other objectives are achieved through a method and/or an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit. The method involves disconnecting the mobile unit from the first stationary unit, and thereafter, connecting the mobile unit to the second stationary unit. The method also involves reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.

In accordance with another embodiment of the present invention, the above-identified and other objectives are achieved with a method and/or an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit. More specifically, the method involves disconnecting the mobile unit from the first stationary unit, and thereafter, connecting the mobile unit to the second stationary unit. The method then involves reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.

In accordance with still another embodiment of the present invention, the above-identified and other objectives are achieved with a method for reusing security associations to facilitate hand-over of a mobile unit between stationary units that are associated with a common administrative domain, wherein all of the stationary units associated with the common administrative domain are subject to the same security policy. The method involves negotiating a first security association for a connection between the mobile unit and a first stationary unit associated with the common administrative domain. The mobile unit is then disconnected from the first stationary unit, and thereafter, connected to a second stationary unit associated with the common administrative domain. A first set of security association attributes, corresponding to the first security association, is then transferred from the first stationary unit to the second stationary unit. The first security association can then be employed to ensure secure communications for the connection between the mobile unit and the second stationary unit.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The objects and advantages of the invention will be understood by reading the following detailed description in conjunction with the drawings in which:

FIG. 1 illustrates a first exemplary embodiment of the present invention;

FIG. 2 illustrates a second exemplary embodiment of the present invention;

FIG. 3 illustrates a first exemplary set of security association attributes being transferred in accordance with the present invention;

FIG. 4 illustrates a second set of security association attributes being transferred in accordance with the present invention; and

FIG. 5 illustrates the transfer of security association attribute information, in accordance with the present invention, using encryption and authentication techniques.
`
DETAILED DESCRIPTION OF THE INVENTION

For a better understanding of the invention, the following detailed description refers to the accompanying drawings, wherein preferred exemplary embodiments of the present invention are illustrated and described. In addition, the reference numbers used to identify key elements of the invention in the drawings are consistent throughout this description.

The present invention involves a technique which improves the performance of a mobile unit or mobile terminal (herein referred to as a “MU”) in a radio telecommunication system, particularly during hand-over, wherein the MU becomes disconnected from a first stationary unit (herein referred to as “SUk”) and connected to another stationary unit (herein referred to as “SUk+1”) and wherein SUk and SUk+1 belong to a common administrative network domain that is under the control of a common security policy. The present invention accomplishes this by reusing one or more previously established security associations to support the newly formed connection between the MU and SUk+1. By reusing these previously established security associations, the MU and SUk+1 need not go through the time consuming task of renegotiating the security associations (herein referred to as “SA”s) each time the MU changes its point of connection (e.g., undergoes hand-over) within the administrative domain. The present invention is of particular importance where the communicating entities (e.g., the MU and SUk+1) exhibit low to medium level computational power, and where the MU is especially mobile and frequently undergoing hand-over.

In accordance with the present invention, each of a number of stationary units (SUs) associated with the same administrative domain, and thus under the control of a common security policy, are managed in an identical manner with respect to the SAs that are employed to protect the communication between the MU and the various SUs. Accordingly, the set of SAs that are established between the MU and any one of the various SUs belonging to that administrative domain can be reused by any one of the other SUs associated with that administrative domain, if and when the MU is handed-over to one of these other SUs. As previously stated, reuse of the previously established SAs will improve the performance of the MU during hand-over, without sacrificing communication security. However, depending upon the extent to which MU performance improvement is desired, two exemplary embodiments of the present invention are described herein below.

In accordance with a first exemplary embodiment of the present invention, herein referred to as the partial SA reuse embodiment, a previously established Internet Security Association and Key Management Protocol (ISAKMP) SA is reused each time the MU is handed-over to another SU (i.e., SUk+1) in the administrative domain. More specifically, when the MU establishes a connection with a SU in the administrative domain for the first time, the Internet Key Exchange (IKE) phase 1 negotiation, which is used for establishing the ISAKMP SA, and the IKE phase 2 negotiation, which is used for establishing the IPsec SAs, are carried out in accordance with the various standards set forth by the Internet Engineering Task Force (IETF). However, as the mobile unit moves about, and is handed-over to another SU (i.e., SUk+1) associated with the same administrative domain, the previously established ISAKMP SA is reused by the MU and SUk+1. Nevertheless, the MU and SUk+1 still must conduct an IKE phase 2 negotiation; that is, the MU and SUk+1 must renegotiate the IPsec SAs. Because the IKE phase 1 SA negotiation process is far more time consuming relative to the IKE phase 2 negotiation process, the reuse of the ISAKMP SA greatly improves the performance of the MU during hand-over.

In accordance with a second exemplary embodiment of the present invention, herein referred to as the full SA reuse embodiment, the previously established ISAKMP SA and the previously established IPsec SAs are reused each time the MU undergoes hand-over from one SU (i.e., SUk) to another SU (i.e., SUk+1) in the administrative domain. As stated above, when a MU connects with a SU in the administrative domain for the first time, the ISAKMP SA and the IPsec SAs are established in accordance with the IKE phase 1 and the IKE phase 2 negotiation processes respectively. However, unlike the partial SA reuse embodiment described above, subsequent hand-overs result in the reuse of both the previously established ISAKMP SA and the previously established IPsec SAs. Thus, the entire IKE SA negotiation process, including phase 1 and phase 2, is avoided. Therefore, the MU and SUk+1 can begin communicating with each other almost immediately after the ISAKMP SA and the IPsec SAs are transferred from SUk to SUk+1. Consequently, the hand-over procedure is accomplished in a seamless or near seamless fashion.

In general, the full SA reuse embodiment provides greater MU performance enhancement during hand-over than does the partial SA reuse embodiment. That is because the MU and SUk+1 need not renegotiate any SAs. Why then might a network administrator opt to implement the partial SA reuse embodiment over the full SA reuse embodiment? One reason might be that the network administrator does not want the various SUs associated with an administrative domain to share the same session keys (i.e., encryption and authentication keys) as specified by the IPsec SAs. If, for example, all the SUs associated with the administrative domain share the same session keys and just one of the SUs is compromised, an attacker can probably compromise communications between the MU and any of the SUs associated with the administrative domain.

As stated previously, a specific IPsec SA is uniquely identified by a security parameter index (SPI), in combination with a destination IP address, and a particular security protocol (e.g., the authentication header protocol or the encapsulating security payload protocol). As such, a common IP address is needed for all SUs in the administrative domain, in order to reuse an IPsec SA. In accordance with the full SA reuse embodiment, this common IP address may be assigned to each SU as an alias IP address. However, under certain circumstances, a network administrator may not want to assign a common IP address to each SU. If this is the case, the network administrator is likely to opt for the partial SA reuse embodiment rather than the full SA reuse embodiment.
`
When a MU is handed-over from one SU (e.g., SUk) to another SU (e.g., SUk+1), the SA attributes corresponding to the ISAKMP SA and the SA attributes corresponding to the IPsec SAs, depending upon whether the partial SA reuse embodiment or the full SA reuse embodiment is being employed, must be transferred from SUk to SUk+1. This transfer of SA attributes from SUk to SUk+1 may be accomplished in accordance with any one of a number of exemplary techniques.

FIG. 1 illustrates one such technique herein referred to as the direct transfer technique. According to the direct transfer technique, a MU 101 undergoes a hand-over from SUk 105 to SUk+1 110, as illustrated by the directional arrow marked “1”. Next, SUk+1 110 contacts SUk 105 by sending a SA request message, as illustrated by the directional arrow marked “2”. The SA request message specifically requests those SAs associated with the MU 101. Accordingly, the SA request message must contain an identifier code for the MU 101. SUk 105 then replies to the SA request message by sending the appropriate SA attributes to SUk+1 110, as illustrated by the directional arrow marked “3”.

In addition to the procedural steps described above, the direct transfer technique illustrated in FIG. 1 might also involve the step of verifying that SUk belongs to the same administrative domain as SUk+1. To accomplish this, each SU associated with the administrative domain might maintain a list containing all IP addresses associated with the administrative domain. SUk+1 can then perform the required verification by simply checking to see if the IP address associated with SUk is on the list. Alternatively, if the administrative domain corresponds with an IP network or subnet, SUk+1 can simply compare the network identification portion of SUk’s IP address with the network identification portion of its own IP address. If they match, SUk+1 has verified that SUk, in fact, belongs to the same administrative domain. If SUk+1 determines that SUk does not belong to the same administrative domain, then the MU and SUk+1 may be required to renegotiate the ISAKMP SA and the IPsec SAs, unless the attributes associated with the ISAKMP SA and the IPsec SAs were stored, for example, in a database, as illustrated in FIG. 2, during a previous connection between the MU and any one of the SUs associated with the administrative domain to which SUk+1 belongs.

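The two membership checks and the fallback described above can be written as follows. This is an added example, not code from the patent; the function names, the returned action strings and the sample addresses in the test are assumptions made for illustration.

```python
import ipaddress


def in_domain_by_list(peer_ip: str, domain_ips) -> bool:
    """First check: is the previous SU's address on the domain's address list?"""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # a malformed address is never treated as a member
    # Compare parsed addresses so different spellings of one address still match.
    return any(peer == ipaddress.ip_address(ip) for ip in domain_ips)


def in_domain_by_subnet(peer_ip: str, own_interface: str) -> bool:
    """Second check: compare the network portion of both addresses.

    own_interface is the new SU's own address with prefix length, e.g. "10.20.0.1/24".
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
        own = ipaddress.ip_interface(own_interface)
    except ValueError:
        return False
    # An IPv4 peer can never belong to an IPv6 domain network, and vice versa.
    return peer.version == own.version and peer in own.network


def handover_action(peer_ip: str, own_interface: str,
                    domain_ips=None, stored_in_dbs: bool = False) -> str:
    """Decide what the new SU does once it knows the previous SU's address."""
    if domain_ips is not None:
        member = in_domain_by_list(peer_ip, domain_ips)
    else:
        member = in_domain_by_subnet(peer_ip, own_interface)
    if member:
        return "send SA request to previous SU"
    if stored_in_dbs:
        # Attributes saved during an earlier connection inside the domain.
        return "fetch stored SA attributes from database"
    return "renegotiate ISAKMP SA and IPsec SAs"
```

Both checks rest on the address the previous SU presents, so they are only as reliable as the network's ability to keep that address from being spoofed.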
FIG. 2 illustrates an alternative technique for transferring the appropriate SA attributes. This alternative technique is herein referred to as the intermediate storage technique. The intermediate storage technique may be preferable where the network configuration makes it difficult to identify SUk, or when direct communication between SUk and SUk+1 is difficult or undesirable. In accordance with this alternative technique, as shown in FIG. 2, a MU 201 undergoes a hand-over from SUk 205 to SUk+1 210, as illustrated by the directional arrow marked “1”. Prior to, simultaneous to, or if necessary, subsequent to the hand-over, SUk transfers the appropriate SAs associated with the MU 201 to a database (DBS) 215, as indicated by the directional arrow marked “2”. SUk+1 210 then sends a SA request message to the DBS 215, as illustrated by the directional arrow marked “3”. As in the direct transfer technique, the SA request message contains an identifier code that specifically identifies the MU 201. Thus, the DBS 215 can reply to the SA request message by sending the appropriate SAs, associated with the MU 201, to SUk+1 210, as illustrated by the directional arrow marked “4”.

As one skilled in the art will readily appreciate, the SAs contain sensitive information (e.g., session keys). Accordingly, the SA information that is transferred from SUk to SUk+1, using the direct transfer or the intermediate storage technique, should be protected. Therefore, encryption and authentication mechanisms might be employed to ensure confidentiality and authenticity for this information.

FIG. 3 illustrates, more specifically, the SA attributes that might be transferred from SUk to SUk+1, if the partial SA reuse embodiment is employed. As illustrated, SUk 105, upon receiving a SA request message from SUk+1 110, as indicated by the directional arrow marked “2”, sends a reply message 305 to SUk+1 110, wherein the reply message 305 contains the information necessary to define the following ISAKMP SA attributes: the ISAKMP SA lifetime; the ISAKMP session keys, including the ISAKMP session key for authentication and the ISAKMP session key for encryption; keying material, which is required for deriving the IPsec session keys; the last IKE phase 1 CBC (i.e., cipher block chaining) output block for generating an initialization vector which, in turn, is needed for the encryption of the first IKE phase 2 message. Although FIG. 3 indicates that the SA attributes are being transferred in accordance with the direct transfer technique described above, it will be readily apparent to one skilled in the art that the intermediate storage technique may be employed in the alternative.

FIG. 4 illustrates the SA attributes that might be transferred from SUk 105 to SUk+1 110, in addition to the SA attributes identified in FIG. 3, if the full SA reuse embodiment is employed. As illustrated in FIG. 4, SUk 105, upon receiving a SA request message from SUk+1 110, as indicated by the directional arrow marked “2”, sends a reply message 405 to SUk+1 110, wherein the reply message 405 contains the information necessary to define the ISAKMP SA attributes identified above in FIG. 3, and the information necessary to define the following IPsec SA attributes: the IPsec SA lifetime; the IPsec protocols being used, that is, the authentication header and/or encapsulating security payload protocols; the IPsec protocol mode, that is, the transport mode or the tunnel mode; the security parameter index(es); the IPsec session keys, including the session keys for authentication and encryption, as well as their respective algorithms; the last CBC output block prior to hand-over, which is used as the initialization vector for encryption of the first IP packet subsequent to hand-over; and the value of the sequence number, in accordance with the authentication header protocol or the encapsulating security payload protocol, just prior to hand-over, as this value plus 1 will be the initial value of the sequence number after hand-over for anti-replay checking purposes. As was the case in FIG. 3, the transfer of SA attributes in FIG. 4 is accomplished in accordance with the direct transfer technique described above. However, it will be understood that the SA attributes may be transferred in accordance with the intermediate storage technique, also described above.

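The attribute sets of FIG. 3 and FIG. 4 can be modelled as records, with the new SU deciding from them which IKE phases it can skip and where each reused IPsec SA resumes. This is an added example, not code from the patent; the class and function names, the use of absolute expiry times for the lifetimes, and all sample values are assumptions. The wrap check relies on AH/ESP sequence numbers being 32-bit counters that must not cycle while anti-replay is in use, which comes from the IPsec specifications rather than from this page.

```python
from dataclasses import dataclass
from typing import List

SEQ_MAX = 0xFFFFFFFF  # AH/ESP sequence numbers are 32-bit counters


@dataclass
class IsakmpSa:                   # attribute set of FIG. 3
    expires_at: int               # ISAKMP SA lifetime, held here as an absolute expiry time
    auth_key: bytes               # ISAKMP session key for authentication
    enc_key: bytes                # ISAKMP session key for encryption
    keying_material: bytes        # required for deriving the IPsec session keys
    last_phase1_cbc_block: bytes  # for the IV of the first IKE phase 2 message


@dataclass
class IpsecSa:                    # additional attribute set of FIG. 4
    expires_at: int               # IPsec SA lifetime
    protocol: str                 # "AH" or "ESP"
    mode: str                     # "transport" or "tunnel"
    spi: int                      # security parameter index
    dest_ip: str                  # common (alias) IP address shared by the SUs
    auth_alg: str
    auth_key: bytes
    enc_alg: str
    enc_key: bytes
    last_cbc_block: bytes         # IV for the first IP packet after hand-over
    last_seq: int                 # sequence number just prior to hand-over

    def identity(self):
        """An IPsec SA is identified by SPI, destination IP address and protocol."""
        return (self.spi, self.dest_ip, self.protocol)


def export_for_handover(isakmp: IsakmpSa, ipsec: List[IpsecSa], full_reuse: bool) -> dict:
    """What the old SU hands over: FIG. 3 set always, FIG. 4 set only for full SA reuse."""
    return {"isakmp": isakmp, "ipsec": list(ipsec) if full_reuse else []}


def plan_resume(bundle: dict, now: int) -> dict:
    """At the new SU: which negotiations are still needed, and how reused SAs resume."""
    isakmp = bundle["isakmp"]
    if now >= isakmp.expires_at:
        # ISAKMP SA lifetime ran out: nothing is reusable, run the normal IKE exchange.
        return {"phase1": True, "phase2": True, "resumed": {}}
    resumed = {}
    for sa in bundle["ipsec"]:
        if now >= sa.expires_at or sa.last_seq >= SEQ_MAX:
            continue  # expired, or counter would wrap: this SA needs a new phase 2
        resumed[sa.identity()] = {"next_seq": sa.last_seq + 1,
                                  "first_iv": sa.last_cbc_block}
    # Partial reuse (no IPsec SAs transferred) always needs phase 2.
    needs_phase2 = len(resumed) < len(bundle["ipsec"]) or not bundle["ipsec"]
    return {"phase1": False, "phase2": needs_phase2, "resumed": resumed}


def sample_sas():
    """Constructed sample values for illustration only."""
    isakmp = IsakmpSa(expires_at=5000, auth_key=b"a" * 20, enc_key=b"e" * 16,
                      keying_material=b"k" * 20, last_phase1_cbc_block=b"\x11" * 8)
    esp = IpsecSa(expires_at=4000, protocol="ESP", mode="tunnel", spi=0x1001,
                  dest_ip="192.0.2.10", auth_alg="HMAC-SHA1", auth_key=b"h" * 20,
                  enc_alg="3DES-CBC", enc_key=b"x" * 24,
                  last_cbc_block=b"\x22" * 8, last_seq=41)
    ah = IpsecSa(expires_at=4000, protocol="AH", mode="tunnel", spi=0x1002,
                 dest_ip="192.0.2.10", auth_alg="HMAC-SHA1", auth_key=b"h" * 20,
                 enc_alg="", enc_key=b"", last_cbc_block=b"", last_seq=SEQ_MAX)
    return isakmp, [esp, ah]
```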
As stated previously, the first time a MU connects to any SU in a given administrative domain, an IKE phase 1 negotiation and an IKE phase 2 negotiation must be accomplished, thereby establishing the ISAKMP SA and the IPsec SAs respectively. However, in accordance with another aspect of the present invention, the SA attributes associated with the ISAKMP SA and the IPsec SAs may be stored for a period of time, for example, a period of time equivalent to the ISAKMP SA lifetime and the IPsec SA lifetime respectively. The SA attributes might be stored in a database, such as the database 215 illustrated in FIG. 2. By storing the SA attributes, the MU might avoid having to renegotiate the ISAKMP SA and the IPsec SAs if the MU becomes disassociated with the administrative domain, for example, by being handed-over to a SU which is not associated with the administrative domain, and then the MU becomes reassociated with the administrative domain, for example, by being handed back-over to a SU associated with the administrative domain, before the aforementioned period of time expires. In accordance with this aspect of the invention, the transfer of SA attributes to SUk+1 might be accomplished in much the same way as the intermediate storage technique illustrated in FIG. 2, but for the fact that the MU is handed-over to a SU associated with another administrative domain during an interim period between the time the MU is connected to SUk and the time the MU is connected to SUk+1.

FIG. 5 illustrates a procedure for transferring SA attribute control messages, in accordance with an exemplary embodiment of the present invention, using encryption and authentication techniques to protect the SA attributes during transfer. While the procedure illustrated in FIG. 5 involves the intermediate storage technique, described above with reference to FIG. 2, one skilled in the art will readily appreciate that a similar procedure could be applied to the direct transfer technique, described above with reference to FIG. 1.

The procedure illustrated in FIG. 5 initially begins with the MU undergoing a hand-over procedure from the stationary unit SUk to the stationary unit SUk+1, as indicated by the directional arrow marked “1”, wherein SUk and SUk+1 are associated with the same administrative domain. Therefore, SUk and SUk+1 are subject to the same security policy. Then, at some point during the hand-over procedure, SUk transfers the SA attribute control message to the DBS, as indicated by the directional arrow marked “2”. As shown, the SA attribute control message contains a MU identification code (ID_MU); the SA attributes (ENC_KSA), which are encrypted using an encryption key K_SA; a time stamp (T); and a Hash value (HASH_KDB). The purpose of the MU identification code (ID_MU) is to identify the SA attributes (i.e., ENC_KSA) as being associated with the MU. The purpose of the time stamp (T) is to inform the DBS as to the period of time that has elapsed since the SUk sent the SA control message. If a significant period of time has elapsed, the DBS may be designed to reject the SA attribute control message to protect against unauthorized replay. While the MU identification code (ID_MU) and the time stamp (T) are not typically encrypted, the SA attributes are encrypted using an encryption key K_SA, which is shared by each of the SUs associated with the administrative domain. The Hash value (HASH_KDB) is used for authentication purposes, and it is derived using an authentication key K_DB and as a function of the MU identification code (ID_MU), the SA attributes (ENC_KSA) and the time stamp (T). The authentication key K_DB, like the encryption key K_SA, is shared by each of the SUs associated with the administrative domain. In addition, it is shared by the DBS.

As stated, SUk transfers the SA attribute control message, containing the MU identification code (ID_MU), the encrypted SA attributes (ENC_KSA), the time stamp (T), and the Hash value (HASH_KDB), to the DBS. Upon receiving the SA attribute control message, the DBS recalculates the Hash value as a function of the received values for the MU identification code (ID_MU), the SA attributes (ENC_KSA), and the time stamp (T), and based on the authentication key K_DB. The DBS then compares the recalculated Hash value with the received Hash value. If the two values are equal (i.e., if the two values match), the DBS authenticates SUk, and accepts the SA attribute control message. The DBS then stores the encrypted SA attributes (ENC_KSA) along with the MU identification code (ID_MU).

Further in accordance with the procedure illustrated in FIG. 5, SUk+1 now issues a SA attribute request message to the DBS, as indicated by the directional arrow marked “3”, wherein the SA attribute request message contains the MU identification code (ID_MU). In response, the DBS transfers to SUk+1 the encrypted SA attributes (ENC_KSA) that correspond to the MU identification code (ID_MU) contained in the SA attribute request message. By applying the encryption key K_SA to the SA attributes (ENC_KSA), SUk+1 can decipher the encrypted SA attributes.

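The database side of the FIG. 5 exchange, sketched as an added example that is not code from the patent. The patent names no algorithms, so HMAC-SHA256 for the Hash value, the length-prefixed field encoding, the 30-second window and every name and sample value below are assumptions; the encrypted attributes are treated as opaque bytes because the DBS holds the authentication key but is not described as holding the encryption key. The "not newer than stored" check goes one step beyond the page, which only describes rejecting old time stamps.

```python
import hashlib
import hmac
import struct

MAX_AGE_SECONDS = 30  # assumed replay window; the page does not give a value


def mac_input(id_mu: bytes, enc_ksa: bytes, t: int) -> bytes:
    """Encode (ID_MU, ENC_KSA, T) with length prefixes so field boundaries are fixed."""
    out = b""
    for field in (id_mu, enc_ksa):
        out += struct.pack(">I", len(field)) + field
    return out + struct.pack(">Q", t)


def hash_kdb(k_db: bytes, id_mu: bytes, enc_ksa: bytes, t: int) -> bytes:
    """HASH_KDB: keyed hash over the three fields (HMAC-SHA256 is an assumed choice)."""
    return hmac.new(k_db, mac_input(id_mu, enc_ksa, t), hashlib.sha256).digest()


def build_control_message(k_db: bytes, id_mu: bytes, enc_ksa: bytes, t: int) -> dict:
    """What the old SU sends to the DBS (arrow 2); enc_ksa is already encrypted under K_SA."""
    return {"id_mu": id_mu, "enc_ksa": enc_ksa, "t": t,
            "hash_kdb": hash_kdb(k_db, id_mu, enc_ksa, t)}


class Dbs:
    """Database side: holds K_DB only, so it stores ENC_KSA without being able to read it."""

    def __init__(self, k_db: bytes, max_age: int = MAX_AGE_SECONDS):
        self._k_db = k_db
        self._max_age = max_age
        self._store = {}  # id_mu -> (t, enc_ksa)

    def accept(self, msg: dict, now: int) -> str:
        expected = hash_kdb(self._k_db, msg["id_mu"], msg["enc_ksa"], msg["t"])
        # Constant-time comparison of the recalculated and received hash values.
        if not hmac.compare_digest(expected, msg["hash_kdb"]):
            return "rejected: hash mismatch"
        # T is covered by the hash, so a replayed message cannot carry a fresh T.
        if abs(now - msg["t"]) > self._max_age:
            return "rejected: stale timestamp"
        # Added check beyond the page: refuse a replay that is still inside the window.
        previous = self._store.get(msg["id_mu"])
        if previous is not None and msg["t"] <= previous[0]:
            return "rejected: not newer than stored attributes"
        self._store[msg["id_mu"]] = (msg["t"], msg["enc_ksa"])
        return "accepted"

    def request(self, id_mu: bytes):
        """Answer an SA attribute request (arrow 3) with the stored ENC_KSA, or None."""
        entry = self._store.get(id_mu)
        return entry[1] if entry else None


def run_demo() -> dict:
    # Constructed sample values; real keys would come from the domain's key management.
    k_db = bytes(range(32))
    id_mu = b"MU-0001"
    enc_ksa = bytes.fromhex("8f3a1c5e77b2094d6a10ffee")  # opaque ciphertext stand-in
    t0 = 1_000_000
    dbs = Dbs(k_db)
    good = build_control_message(k_db, id_mu, enc_ksa, t0)
    tampered = dict(good, enc_ksa=enc_ksa[:-1] + b"\x00")
    forged = build_control_message(b"wrong key", id_mu, enc_ksa, t0)
    return {
        "fresh": dbs.accept(good, now=t0 + 2),
        "replayed_in_window": dbs.accept(good, now=t0 + 5),
        "replayed_late": dbs.accept(good, now=t0 + 600),
        "tampered": dbs.accept(tampered, now=t0 + 2),
        "forged": dbs.accept(forged, now=t0 + 2),
        "lookup": dbs.request(id_mu) == enc_ksa,
        "unknown_mu": dbs.request(b"MU-9999"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The length prefixes matter because a hash over plain concatenation would give the same value for ("MU-1", "23") and ("MU-12", "3"), letting ciphertext bytes be reinterpreted as part of the identification code.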
The present invention has been described with reference to a preferred embodiment. However, it will be readily apparent to those skilled in the art that it is possible to embody the invention in specific forms other than as described above without departing from the spirit of the invention. The preferred embodiments are illustrative and should not be considered restrictive in any way. The scope of the invention is given by the appended claims, rather than the preceding description, and all variations and equivalents which fall within the range of the claims are intended to be embraced therein.

What is claimed is:

1. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:
disconnecting the mobile unit from the first stationary unit;
connecting the mobile unit to the second stationary unit; and
reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.

2. The method of claim 1 further comprising the step of:
transferring a number of security association attributes, associated with the security association, from the first stationary unit to the second stationary unit.

3. The method of claim 2, wherein the security association attributes are transferred from the first stationary unit directly to the second stationary unit.

4. The method of claim 2, wherein said step of transferring the number of security association attributes, associated with the security association, from the first stationary unit to the second stationary unit comprises the steps of:
transferring the number of security association attributes from the first stationary unit to a data storage entity; and
transferring the number of security association attributes from the data storage entity to the second stationary unit.

5. The method of claim 4, wherein the data storage entity is a database accessible to the second stationary unit.

6. The method of claim 2 further comprising the step of:
encrypting the number of security association attributes, prior to the step of transferring the number of security association attributes from the first stationary unit to the second stationary unit, using an encryption key that is shared by the first and the second stationary units.

7. The method of claim 1, wherein the existing security association is an ISAKMP security association.
`8. The m