Optimizing PKI for 3GPP Authentication and Key Agreement

摘要

Authentication and key agreement (AKA) is one of the key security mechanisms in the Third Generation (3G) telecommunication. Contrast to the traditional symmetric encryption based 3G AKA scheme, this paper proposes a PKI based AKA scheme named OPAKA. To minimize performance overheads that normal PKI certificate verification incurs, OPAKA introduces a novel notion of certificate validity ticket (CVT), which is created by home network (HN) of mobile equipment (ME), indicating whether the certificate of the visited network (VN) is valid. Because CVT is sealed by the pre-shared secret between ME and HN and ME trusts HN, VN can attest its identity to ME by presenting CVT to ME. Thus relieves ME from verifying the certificate of VN online. It's argued that OPAKA can achieve the security goals of denying unauthorized ME, protecting ME from fake VN, and allowing mutual authentication between VN and HN. Compared with SPAKA and Lee's Scheme, OPAKA incurs less communication and computation overhead at both ME and HN ends.