Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: obtaining, by a calling device, a first calling security parameter by registering with a network; obtaining, by the calling device, a second calling security parameter in response to causing an application authentication architecture of the network to verify that the calling device is authorized to access a network service corresponding to a communication application stored by the calling device; communicating the first calling security parameter and the second calling security parameter to a called device; receiving a first called security parameter and a second called security parameter from the called device in response to communicating the first calling security parameter and the second calling security parameter; generating a security key based on the first calling security parameter, the second calling security parameter, the first called security parameter, and the second called security parameter; and using the security key to encrypt or decrypt communication between the calling device and the called device.
2. The method of claim 1, further comprising: establishing a communication session with the called device; and using the security key to encrypt information communicated to the called device and decrypt information received from the called device during the communication session.
3. The method of claim 1, further comprising: obtaining a third calling security parameter comprising a data structure used to demonstrate to the application authentication architecture that the calling device is authorized to use the communication application to establish a communication session within the network; and communicating the third calling security parameter to the called device with the first calling security parameter and the second calling security parameter.
4. The method of claim 3, further comprising: receiving a third called security parameter, from the called device, with the first called security parameter and the second called security parameter, where the third called security parameter comprises a data structure used to demonstrate to the application authentication architecture that the called device is authorized to use a communication application that corresponds to the communication application of the calling device.
5. The method of claim 1, where the first calling security parameter comprises a data structure identifying a network session associated with the calling device upon registering with the network.
6. The method of claim 1, where: the first called security parameter comprises a data structure identifying a network session associated with the called device upon registering with the network, and the second called security parameter comprises a security parameter type and security parameter format consistent with the second calling security parameter.
7. The method of claim 1, where communicating the first calling security parameter and the second calling security parameter comprises sending a session communication invitation, comprising the first and second calling security parameters, to the called device.
8. The method of claim 1, where generating the security key comprises executing a key generation function, where: an input of the key generation function comprises the first calling security parameter, the second calling security parameter, the first called security parameter, and the second called security parameter, and an output of the key generation function is the security key.
9. The method of claim 8, where the key generation function comprises a key derivation function (KDF) that is identical to a KDF used by the called device to generate security keys.
10. The method of claim 1, where: the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network, the application authentication architecture comprises a generic bootstrap architecture (GBA) of the IMS network, and the second calling security parameter comprises a bootstrap transaction identifier (B-TID).
11. A first device, comprising: a memory to: store a communication application to enable the first device to establish a first communication session with a second device using a selected network service, and store a first key generation function to enable the first device to generate a security key; and a processor, connected to the memory, to: register the first device with a network, where registering with the network comprises receiving a first network session identifier from the network, communicate with an application authentication architecture of the network to demonstrate that the first device is authorized to use the selected network service, where communicating with the application authentication architecture comprises receiving a first transaction identifier from the application authentication architecture, communicate the first network session identifier and the first transaction identifier to the second device, receive a second network session identifier and a second transaction identifier from the second device, and execute the first key generation function to generate a security key based on the first network session identifier, the first transaction identifier, the second network session identifier, and the second transaction identifier.
12. The first device of claim 11, where the first device obtains access to at least one network service, other than the selected network service, upon registering with the network.
13. The first device of claim 11, where the processor is to: establish a communication session, with the second device, using the selected network service, and use the security key to encrypt information sent to the second device via the selected network service and decrypt information received from the second device via the network service.
14. The first device of claim 11, where the processor is to: obtain a first data structure used to demonstrate to the application authentication architecture of the network that the first device is authorized to use the communication application to establish a communication session within the network, and communicate the first data structure, to the second device, the first network session identifier and the first transaction identifier.
15. The first device of claim 14, where the first transaction identifier comprises a data structure that associates the first device with a first authentication process, performed by the application authentication architecture, to verify that the first device is authorized to use the communication application.
16. The first device of claim 14, where the processor is to: receive a second data structure, from the second device, with the second network session identifier and the second transaction identifier, where the second data structure comprises information used to demonstrate to the application authentication architecture that the second device is authorized to use a communication application that corresponds to the communication application stored by the first device.
17. The first device of claim 11, where the second transaction identifier comprises a data structure that associates the second device with a second authentication process, performed by the application authentication architecture, to verify that the second device is authorized to use a communication application that corresponds to the communication application stored by the first device.
18. The first device of claim 11, where, to communicate the first network session identifier and the first transaction identifier to the second device, the processor is to: generate a communication session invitation directed to the second device, include the first network session identifier and the first transaction identifier in the communication session invitation, and send the communication session invitation to the second device.
19. The first device of claim 11, where: the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network, and the application authentication architecture comprises a generic bootstrap architecture (GBA) of the IMS network.
20. A non-transitory computer-readable medium storing a program for causing a first device to perform a method, the method comprising: obtaining a first security parameter by communicating with a generic bootstrapping architecture (GBA) to demonstrate that the first device is authorized to use a selected network communication service for establishing a communication session within a network, where the first security parameter is generated by the GBA to associate the first device with a first GBA authentication process; obtaining a second security parameter from a second device in response to communicating the first security parameter to the second device, where the second security parameter is obtained by the second device by communicating with the GBA to demonstrate that the second device is authorized to use the selected network communication service, where the second security parameter is generated by the GBA to associate the second device with a second GBA authentication process; generating a security key based on the first security parameter and the second security parameter; and using the security key to establish an encrypted communication session, using the selected network communication service, with the second device.
21. The computer-readable medium of claim 20, where the method further comprises: obtaining a third security parameter by registering with the network, where: registering with the network enables the first device to communicate with the GBA, and the third security parameter is generated by a network registration architecture of the network to identify a network session associated with the first device; and generating the security key based on the first security parameter, the second security parameter, and the third security parameter.
22. The computer-readable medium of claim 20, where: the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network, and the network communication service corresponds to a voice over IP (VoIP) communication service.
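The parameter exchange and key generation of claims 1, 8 to 10 and 20, as an added illustration that is not part of the filed claims: each device holds a network session identifier from registration and a B-TID from the GBA, sends both in a session invitation or its response, and runs the same KDF over the four values in an agreed order. The KDF (HKDF-SHA256), the length-prefixed input encoding, the info label and all identifier values are assumptions chosen for the example; the claims specify none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over SHA-256: the one KDF both devices must share (claim 9)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def encode_params(*params: str) -> bytes:
    # Length-prefix each parameter so the boundary between values is unambiguous
    # (plain concatenation would let "ab"+"c" collide with "a"+"bc").
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in params)


@dataclass
class Device:
    session_id: str  # first security parameter: network session id from registration
    btid: str        # second security parameter: B-TID issued by the GBA


def build_invitation(caller: Device) -> dict:
    """Session invitation carrying the calling device's two parameters (claim 7)."""
    return {"calling_session_id": caller.session_id, "calling_btid": caller.btid}


def build_response(callee: Device) -> dict:
    """Reply carrying the called device's two parameters (claim 1)."""
    return {"called_session_id": callee.session_id, "called_btid": callee.btid}


def derive_key(calling_sid: str, calling_btid: str, called_sid: str, called_btid: str) -> bytes:
    """Key generation function: the four parameters in a fixed calling/called order."""
    ikm = encode_params(calling_sid, calling_btid, called_sid, called_btid)
    return hkdf_sha256(ikm, salt=b"", info=b"example-session-key")  # info label is assumed


def run_exchange(caller: Device, callee: Device) -> tuple[bytes, bytes]:
    """Both sides derive from their own values plus the values received from the peer."""
    invite = build_invitation(caller)
    response = build_response(callee)
    key_at_caller = derive_key(caller.session_id, caller.btid,
                               response["called_session_id"], response["called_btid"])
    key_at_callee = derive_key(invite["calling_session_id"], invite["calling_btid"],
                               callee.session_id, callee.btid)
    return key_at_caller, key_at_callee


if __name__ == "__main__":
    # Constructed identifiers; real IMS session ids and B-TIDs have network-defined formats.
    k1, k2 = run_exchange(Device("sess-caller-01", "btid-caller-01"),
                          Device("sess-called-02", "btid-called-02"))
    print("keys match:", k1 == k2, k1.hex())
```

Because every input travels over the signaling path, the derived key is only as confidential as that path, so the same inputs encrypted for one leg do not by themselves protect against a party that can read the invitation and its response.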
February 23, 2016