[go: up one dir, main page]

WO2011130682A2 - Appareil et procédé pour la signalisation d'un contexte de sécurité amélioré pour clés de chiffrement et d'intégrité de session - Google Patents

Appareil et procédé pour la signalisation d'un contexte de sécurité amélioré pour clés de chiffrement et d'intégrité de session Download PDF

Info

Publication number
WO2011130682A2
WO2011130682A2 PCT/US2011/032755 US2011032755W WO2011130682A2 WO 2011130682 A2 WO2011130682 A2 WO 2011130682A2 US 2011032755 W US2011032755 W US 2011032755W WO 2011130682 A2 WO2011130682 A2 WO 2011130682A2
Authority
WO
WIPO (PCT)
Prior art keywords
security context
serving network
remote station
message
information element
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2011/032755
Other languages
English (en)
Other versions
WO2011130682A3 (fr
Inventor
Adrian Edward Escott
Anand Palanigounder
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US13/084,378 external-priority patent/US9197669B2/en
Priority to BR112012026136-3A priority Critical patent/BR112012026136B1/pt
Priority to RU2012148506/08A priority patent/RU2555227C2/ru
Priority to HK13104841.8A priority patent/HK1177861B/xx
Application filed by Qualcomm Inc filed Critical Qualcomm Inc
Priority to PH1/2012/502037A priority patent/PH12012502037A1/en
Priority to JP2013505195A priority patent/JP5795055B2/ja
Priority to UAA201212984A priority patent/UA108099C2/ru
Priority to MX2012011985A priority patent/MX2012011985A/es
Priority to AU2011239422A priority patent/AU2011239422B2/en
Priority to KR1020127029828A priority patent/KR101474093B1/ko
Priority to SG2012073748A priority patent/SG184442A1/en
Priority to CA2795358A priority patent/CA2795358C/fr
Priority to CN201180018855.1A priority patent/CN102835136B/zh
Priority to EP11738847A priority patent/EP2559276A2/fr
Publication of WO2011130682A2 publication Critical patent/WO2011130682A2/fr
Publication of WO2011130682A3 publication Critical patent/WO2011130682A3/fr
Priority to IL222384A priority patent/IL222384A/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02Terminal devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/14Backbone network devices

Definitions

  • the present invention relates generally to an enhanced security context signaling for user equipment operating in a Universal Mobile Telecommunications Service (UMTS) and/or GSM Edge Radio Access Network (GERAN).
  • UMTS Universal Mobile Telecommunications Service
  • GERAN GSM Edge Radio Access Network
  • a successful AKA (Authentication and Key Agreement) authentication in a UMTS third generation (3G) radio access network or in a GERAN networks using 3G AKA authentication results in a pair of shared keys, a cipher key (CK) and an integrity key (IK), for securing communications between a user equipment (UE) and the network.
  • the shared keys may be used directly to secure the traffic between the UE and the network as in the case of UTRAN (UMTS Terrestrial Radio Access Network), or may be used to statically derive keys, e.g. Kc or Ko 2 8, in the case of GERAN (GSM Edge Radio Access Network).
  • a compromised key may result in serious security problems until the keys are changed at a next AKA authentication.
  • the AKA authentication is not run often due to the significant overhead required.
  • both keys (CK and IK) are compromised, then the GERAN keys are compromised.
  • UMTS/HSPA High Speed Packet Access
  • RNC radio network controller
  • Node B some or all of functionalities of a radio network controller (RNC) and a Node B may be collapsed together into one node at the edge of the network.
  • the RNC needs the keys for functionalities such as user plane ciphering and signaling plane ciphering and integrity protection.
  • the RNC functionality may be deployed in an exposed location such as in a Home Node B in a UMTS Femtocell. Accordingly, RNC functionality deployed in possibly insecure locations providing access (including physical access) may allow the keys, CK and IK, to be compromised.
  • Session keys (modified version of CK and IK) may be used to lower the security risks associated with exposed RNC functionality. Techniques for providing such session keys are disclosed in U.S. Patent Application Publication No. US 2007/0230707 Al .
  • An aspect of the present invention may reside in a method for establishing a first security context between a remote station and a serving network.
  • the first security context has a security property that is not supported by a second security context.
  • the remote station forwards a first message to the serving network, wherein the first message includes an information element signaling that the remote station supports the first security context.
  • the remote station generates at least one session key, in accordance with the first security context, using the information element.
  • the remote station receives, in response to the first message, a second message having an indication that the serving network supports the first security context.
  • the remote station in response to the second message, has wireless communications protected by the at least one session key.
  • the information element may comprise a count value updated for a session.
  • the indication that the serving network supports the first security context may comprise an authentication code generated based on a corresponding at least one session key generated by the serving network using the information element received from the remote station.
  • the remote station may comprise a mobile user equipment.
  • the serving network may be a UMTS serving network.
  • the first security context may be an enhanced UMTS security context, and the second security context may be a legacy UTRAN security context.
  • the serving network may be a GERAN serving network.
  • a remote station which may include means for forwarding a first message to a serving network, wherein the first message includes an information element signaling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; means for generating at least one session key, in accordance with the first security context, using the information element; means for receiving, in response to the first message, a second message having an indication that the serving network supports the first security context; and means for having wireless communications, in response to the second message, protected by the at least one session key.
  • a remote station which may include a processor configured to: forward a first message to a serving network, wherein the first message includes an information element signaling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; generate at least one session key, in accordance with the first security context, using the information element; receive, in response to the first message, a second message having an indication that the serving network supports the first security context; and have wireless communications, in response to the second message, protected by the at least one session key.
  • Another aspect of the invention may reside in a computer program product, comprising computer-readable storage medium, comprising code for causing a computer to forward a first message to a serving network, wherein the first message includes an information element signaling that the computer supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; code for causing a computer to generate at least one session key, in accordance with the first security context, using the information element; code for causing a computer to receive, in response to the first message, a second message having an indication that the serving network supports the first security context; and code for causing a computer to have wireless communications, in response to the second message, protected by the at least one session key.
  • code for causing a computer to forward a first message to a serving network wherein the first message includes an information element signaling that the computer supports a first security context, and wherein the first security context has a security property that is not supported by a second security context
  • FIG. 1 is a block diagram of an example of a wireless communication system.
  • FIG. 2 is a block diagram of an example of a wireless communication system in accordance with a UMTS/UTRAN architecture.
  • FIG. 3 is a block diagram of an example of a wireless communication system in accordance with a GERAN architecture.
  • FIG. 4 is a flow diagram of a method for establishing an enhanced security context between a remote station and a serving network.
  • FIG. 5 is a flow diagram of a method for establishing an enhanced security context between a remote station and a serving network based on an attach request message.
  • FIG. 6 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a service request message.
  • FIG. 7 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a routing area update request message.
  • FIG. 8 is a block diagram of a computer including a processor and a memory.
  • an aspect of the present invention may reside in a method 400 for establishing an enhanced security context between a remote station 210 and a serving network 230.
  • the remote station forwards a first message to the serving network (step 410), wherein the first message includes an information element signaling that the remote station supports an enhanced security context.
  • the remote station generates at least one session key, CK ⁇ and IK ⁇ , in accordance with the enhanced security context, using the information element (step 420).
  • the remote station receives, in response to the first message, a second message having an indication that the serving network supports the enhanced security context (step 430).
  • the remote station in response to the second message, has wireless communications protected by the at least one session key (step 440).
  • the information element may comprise a count.
  • the indication that the serving network supports the enhanced security context may comprise an authentication code (MAC) generated based on a corresponding at least one session key generated by the serving network 230 using the information element received from the remote station 210.
  • the remote station may comprise a mobile user equipment (UE) such as a wireless device.
  • UE mobile user equipment
  • a remote station 210 which may include means (processor 810) for forwarding a first message to a serving network 230, wherein the first message includes an information element signaling that the remote station supports an enhanced security context; means for generating at least one session key, in accordance with the enhanced security context, using the information element; means for receiving, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and means for having wireless communications, in response to the second message, protected by at least one session key.
  • a remote station 210 which may include a processor 810 configured to: forward a first message to a serving network 230, wherein the first message includes an information element signaling that the remote station supports an enhanced security context; generate at least one session key, in accordance with the enhanced security context, using the information element; receive, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and have wireless communications, in response to the second message, protected by the at least one session key.
  • a processor 810 configured to: forward a first message to a serving network 230, wherein the first message includes an information element signaling that the remote station supports an enhanced security context; generate at least one session key, in accordance with the enhanced security context, using the information element; receive, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and have wireless communications, in response to the second message, protected by the at least one session key.
  • Another aspect of the invention may reside in a computer program product, comprising computer-readable storage medium 820, comprising code for causing a computer 800 to forward a first message to a serving network 230, wherein the first message includes an information element signaling that the computer supports an enhanced security context; code for causing a computer to generate at least one session key, in accordance with the enhanced security context, using the information element; code for causing a computer to receive, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and code for causing a computer to have wireless communications, in response to the second message, protected by the at least one session key.
  • the serving core network 230 is connected to a serving RAN (Radio Access Network) 220 which provides wireless communications to the remote station 210.
  • the serving RAN includes a Node B and a RNC (Radio Network Controller).
  • the serving RAN includes a BTS (Base Transceiver Station) and a BSC (Base Station Controller).
  • the serving core network includes an MSC/VLR (Mobile Switching Center/Visitor Location Register) for providing circuit-switched (CS) service, and an SGSN (Serving GPRS Support Node) for providing packet-switched (PS) services.
  • the home network includes an HLR (Home Location Register) and an AuC (Authentication Center).
  • the UE 210 and the serving core network 230 may be enhanced with new security properties to create an enhanced UMTS security context (ESC) using a COUNT (counter value).
  • a 256-bit root key (KASMEU) for the ESC may be derived from the CK and IK when AKA authentication is performed.
  • the root key may be set equal to CK
  • the COUNT may be a 16-bit counter value that is maintained between the UE and the serving core network.
  • a legacy UTRAN security context consists of KSI (a 3-bit Key Set Identifier), CK (a 128-bit encryption key), and IK (a 128-bit integrity key)).
  • the UE 210 may signal that it supports ESC in a UMTS attach request message (step 510).
  • the ESC is an example of the first security context.
  • the support signal may be the presence of a new information element (IE) in the message.
  • the IE may comprise the COUNT value.
  • a serving network SN 230 that does not support ESC will ignore the new IE.
  • Not supporting the ESC is an example of the second security context.
  • Authentication data (RAND, XRES, CK, IK, AUTN) is obtained from the HLR/AuC 240 (step 515).
  • the SN may indicate ESC support in the AKA challenge (Authentication Request) to the UE (step 520).
  • the UE performs the authentication procedures (step 525) and returns a response RES to the SN (step 530).
  • the UE and SN derive the root key K ASMEU and the session keys CK S and IK S (step 535).
  • the SN forwards the session keys to the RAN 220 in an SMC (Security Mode Command) message (step 540).
  • the RAN generates a message authentication code (MAC) using the session key IK ⁇ , which is forwarded to the UE in an SMC message (step 545).
  • MAC message authentication code
  • the UE checks the MAC (step 550) using the session key IK S that the UE derived (step 535), and returns a complete indication to the RAN (step 555), which forwards it to the SN (step 560). The UE is then able to protect communications using the session keys (step 565).
  • the UE 210 forwards a service request message which includes the COUNT value to the SN 230 (step 610).
  • the UE and SN derive new the session keys CK S and IK S from the root key KASMEU (step 620).
  • the SN forwards the session keys to the RAN 220 in an SMC message (step 630).
  • the RAN generates a MAC, which is forwarded to the UE in an SMC message (step 640).
  • the UE checks the MAC (step 650), and returns a complete indication to the RAN (step 660), which forwards it to the SN (step 670).
  • the UE is then able to protect communications using the session keys (step 680).
  • a method 700 related to mobility management procedures 700 (such as a Routing Area Update (RAU) or Location Area Update (LAU)
  • the UE 210 forwards a RAU (or LAU) request message which includes the COUNT value to the SN 230 (step 710).
  • the UE and SN may derive new the session keys CKs and IK ⁇ from the root key KASMEU (step 720)
  • the SN may forward the session keys to the RAN 220 in an SMC message (step 730).
  • the RAN may generate a MAC, which may be forwarded to the UE in an SMC message (step 740).
  • the UE may check the MAC (step 750), and may return a complete indication to the RAN (step 760), which forwards it to the SN (step 770).
  • the SN then sends a RAU accept message to the UE (step 780).
  • the UE is then able to protect communications using the session keys.
  • New access stratum (AS) keys may be generated for each transition from Idle to Active State. Similarly, keys may be generated at other events.
  • the COUNT value may be sent in idle mobility messages and in initial layer 3 messages, e.g., Attaches, RAUs, LAUs, for idle, mobility, or service request.
  • the SN may check that the sent COUNT value has not been used before, and updates the stored COUNT value in the process. If the COUNT value is new (e.g., received COUNT value > stored COUNT value), the UE and the SN proceed to calculate the new key CK ⁇ and IK ⁇ , using a Key Derivation Function (KDF) such as HMAC-SHA256, from the root key KASMEU an d the sent COUNT value.
  • KDF Key Derivation Function
  • the KDF may include additional information, such as RAN node identity, for the new key calculation. If the check fails (the COUNT value is not new), the SN rejects the message. For GERAN usage, when and Kci28 are calculated from CKg and IK ⁇ , it may be done in the same manner as when calculated from CK and IK.
  • the session keys may have a lifetime such that the UE and the serving network keep and use the session keys until either it is no longer necessary to store the keys to send traffic securely between the UE and the network (UE moves to Idle mode), or a new context is created at a subsequent event (e.g., AKA authentication or a mobility event).
  • the remote station 210 may comprise a computer 800 that includes a storage medium 820 such as memory, a display 830, and an input device 840 such as a keyboard.
  • the apparatus may include a wireless connection 850.
  • a wireless remote station (RS) 102 may communicate with one or more base stations (BS) 104 of a wireless communication system 100.
  • the wireless communication system 100 may further include one or more base station controllers (BSC) 106, and a core network 108.
  • Core network may be connected to an Internet 110 and a Public Switched Telephone Network (PSTN) 112 via suitable backhauls.
  • PSTN Public Switched Telephone Network
  • a typical wireless mobile station may include a handheld phone, or a laptop computer.
  • the wireless communication system 100 may employ any one of a number of multiple access techniques such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), space division multiple access (SDMA), polarization division multiple access (PDMA), or other modulation techniques known in the art.
  • CDMA code division multiple access
  • TDMA time division multiple access
  • FDMA frequency division multiple access
  • SDMA space division multiple access
  • PDMA polarization division multiple access
  • a wireless device 102 may include various components that perform functions based on signals that are transmitted by or received at the wireless device.
  • a wireless headset may include a transducer adapted to provide an audio output based on a signal received via the receiver.
  • a wireless watch may include a user interface adapted to provide an indication based on a signal received via the receiver.
  • a wireless sensing device may include a sensor adapted to provide data to be transmitted to another device.
  • a wireless device may communicate via one or more wireless communication links that are based on or otherwise support any suitable wireless communication technology.
  • a wireless device may associate with a network.
  • the network may comprise a body area network or a personal area network (e.g., an ultra- wideband network).
  • the network may comprise a local area network or a wide area network.
  • a wireless device may support or otherwise use one or more of a variety of wireless communication technologies, protocols, or standards such as, for example, CDMA, TDMA, OFDM, OFDMA, WiMAX, and Wi-Fi.
  • a wireless device may support or otherwise use one or more of a variety of corresponding modulation or multiplexing schemes.
  • a wireless device may thus include appropriate components (e.g., air interfaces) to establish and communicate via one or more wireless communication links using the above or other wireless communication technologies.
  • a device may comprise a wireless transceiver with associated transmitter and receiver components (e.g., a transmitter and a receiver) that may include various components (e.g., signal generators and signal processors) that facilitate communication over a wireless medium.
  • the teachings herein may be incorporated into (e.g., implemented within or performed by) a variety of apparatuses (e.g., devices).
  • a phone e.g., a cellular phone
  • PDA personal data assistant
  • an entertainment device e.g., a music or video device
  • a headset e.g., headphones, an earpiece, etc.
  • a microphone e.g., a medical device, e.g., a biometric sensor, a heart rate monitor, a pedometer, an EKG device, etc.
  • a user I/O device e.g., a watch, a remote control, a light switch, a keyboard, a mouse, etc.
  • a tire pressure monitor e.g., a computer, a point-of-sale device, an entertainment device, a hearing aid, a set-top box, or any other suitable device.
  • teachings herein may be adapted for use in low power applications (e.g., through the use of an impulse-based signaling scheme and low duty cycle modes) and may support a variety of data rates including relatively high data rates (e.g., through the use of high- bandwidth pulses).
  • a wireless device may comprise an access device (e.g., a Wi-Fi access point) for a communication system.
  • an access device may provide, for example, connectivity to another network (e.g., a wide area network such as the Internet or a cellular network) via a wired or wireless communication link.
  • the access device may enable another device (e.g., a Wi-Fi station) to access the other network or some other functionality.
  • another device e.g., a Wi-Fi station
  • one or both of the devices may be portable or, in some cases, relatively non-portable.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • a general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
  • the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC.
  • the ASIC may reside in a user terminal.
  • the processor and the storage medium may reside as discrete components in a user terminal.
  • the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage media may be any available media that can be accessed by a computer.
  • such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • any connection is properly termed a computer-readable medium.
  • the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave
  • the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium.
  • Disk and disc includes compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

L'invention porte sur un procédé pour l'établissement d'un contexte de sécurité amélioré entre une station distante et un réseau de service. Dans le procédé, la station distante envoie un premier message au réseau de service, le premier message comprenant une information signalant que la station distante supporte un contexte de sécurité amélioré. La station distante génère au moins une clé de session, conformément au contexte de sécurité amélioré, à l'aide de l'information. La station distante reçoit, en réponse au premier message, un second message ayant une indication selon laquelle le réseau de service supporte le contexte de sécurité amélioré. La station distante, en réponse au second message, a des communications sans fil protégées par la ou les clés de session.
PCT/US2011/032755 2010-04-15 2011-04-15 Appareil et procédé pour la signalisation d'un contexte de sécurité amélioré pour clés de chiffrement et d'intégrité de session Ceased WO2011130682A2 (fr)

Priority Applications (14)

Application Number Priority Date Filing Date Title
EP11738847A EP2559276A2 (fr) 2010-04-15 2011-04-15 Appareil et procédé pour la signalisation d'un contexte de sécurité amélioré pour clés de chiffrement et d'intégrité de session
AU2011239422A AU2011239422B2 (en) 2010-04-15 2011-04-15 Apparatus and method for signaling enhanced security context for session encryption and integrity keys
HK13104841.8A HK1177861B (en) 2010-04-15 2011-04-15 Apparatus and method for signaling enhanced security context for session encryption and integrity keys
SG2012073748A SG184442A1 (en) 2010-04-15 2011-04-15 Apparatus and method for signaling enhanced security context for session encryption and integrity keys
PH1/2012/502037A PH12012502037A1 (en) 2010-04-15 2011-04-15 Apparatus and method for signaling enhanced security context for session encryption and integrity keys
JP2013505195A JP5795055B2 (ja) 2010-04-15 2011-04-15 セッション暗号化および完全性キーのために拡張セキュリティコンテキストを通知するための装置および方法
UAA201212984A UA108099C2 (uk) 2010-04-15 2011-04-15 Пристрій і спосіб сигналізації про поліпшений контекст безпеки для сесійних ключів шифрування і цілісності
MX2012011985A MX2012011985A (es) 2010-04-15 2011-04-15 Aparato y metodo para señalizar contexto de seguridad mejorada para cifrado de sesion y claves de integridad.
KR1020127029828A KR101474093B1 (ko) 2010-04-15 2011-04-15 세션 암호화 및 무결성 키들을 위한 강화된 보안 콘텍스트를 시그널링하는 장치 및 방법
BR112012026136-3A BR112012026136B1 (pt) 2010-04-15 2011-04-15 Aparelho e método para sinalizar um contexto de segurança aprimorado para chaves de criptografia e integridade de sessão
RU2012148506/08A RU2555227C2 (ru) 2010-04-15 2011-04-15 Устройство и способ сигнализации об улучшенном контексте безопасности для сессионных ключей шифрования и целостности
CA2795358A CA2795358C (fr) 2010-04-15 2011-04-15 Appareil et procede pour la signalisation d'un contexte de securite ameliore pour cles de chiffrement et d'integrite de session
CN201180018855.1A CN102835136B (zh) 2010-04-15 2011-04-15 用于为会话加密和完整性密钥信令通知增强型安全性上下文的装置和方法
IL222384A IL222384A (en) 2010-04-15 2012-10-11 Device and method for marking enhanced security content for seat coding and integrity keys

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US32464610P 2010-04-15 2010-04-15
US61/324,646 2010-04-15
US13/084,378 2011-04-11
US13/084,378 US9197669B2 (en) 2010-04-15 2011-04-11 Apparatus and method for signaling enhanced security context for session encryption and integrity keys

Publications (2)

Publication Number Publication Date
WO2011130682A2 true WO2011130682A2 (fr) 2011-10-20
WO2011130682A3 WO2011130682A3 (fr) 2012-03-01

Family

ID=44584594

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/032755 Ceased WO2011130682A2 (fr) 2010-04-15 2011-04-15 Appareil et procédé pour la signalisation d'un contexte de sécurité amélioré pour clés de chiffrement et d'intégrité de session

Country Status (16)

Country Link
EP (1) EP2559276A2 (fr)
JP (2) JP5795055B2 (fr)
KR (1) KR101474093B1 (fr)
CN (1) CN102835136B (fr)
AU (1) AU2011239422B2 (fr)
BR (1) BR112012026136B1 (fr)
CA (1) CA2795358C (fr)
IL (1) IL222384A (fr)
MX (1) MX2012011985A (fr)
MY (1) MY171059A (fr)
PH (1) PH12012502037A1 (fr)
RU (1) RU2555227C2 (fr)
SG (1) SG184442A1 (fr)
TW (1) TWI450557B (fr)
UA (1) UA108099C2 (fr)
WO (1) WO2011130682A2 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020207401A1 (fr) * 2019-04-08 2020-10-15 Mediatek Singapore Pte. Ltd. Récupération de nas 5g depuis un échec de nasc
US10849191B2 (en) 2016-07-13 2020-11-24 Huawei International PTE., Ltd. Unified authentication for heterogeneous networks
EP3493464B1 (fr) 2015-07-02 2020-12-02 GN Hearing A/S Dispositif client avec certificat et procédé associé
EP3334185B1 (fr) 2016-12-08 2021-06-02 GN Hearing A/S Système auditif, dispositifs et procédé de sécurisation de communication pour une application d'utilisateur
US12160744B2 (en) 2018-08-10 2024-12-03 Huawei Technologies Co., Ltd. User plane integrity protection method and apparatus, and device

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10091649B2 (en) * 2015-07-12 2018-10-02 Qualcomm Incorporated Network architecture and security with encrypted client device contexts
JP6651613B2 (ja) * 2015-10-05 2020-02-19 テレフオンアクチーボラゲット エルエム エリクソン(パブル) ワイヤレス通信
RU2738808C2 (ru) * 2015-12-21 2020-12-17 Конинклейке Филипс Н.В. Сетевая система для безопасной связи
US10887089B2 (en) * 2016-07-18 2021-01-05 Telefonaktiebolaget Lm Ericsson (Publ) Security of ciphering and integrity protection
RU2734873C1 (ru) * 2017-01-30 2020-10-23 Телефонактиеболагет Лм Эрикссон (Пабл) Функция привязки безопасности в 5g-системах
US10893568B2 (en) 2017-08-18 2021-01-12 Huawei Technologies Co., Ltd. Location and context management in a RAN INACTIVE mode
US10939288B2 (en) * 2018-01-14 2021-03-02 Qualcomm Incorporated Cellular unicast link establishment for vehicle-to-vehicle (V2V) communication
CN111937424A (zh) * 2018-04-04 2020-11-13 中兴通讯股份有限公司 用于管理完整性保护的技术

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070230707A1 (en) 2006-03-28 2007-10-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6986040B1 (en) * 2000-11-03 2006-01-10 Citrix Systems, Inc. System and method of exploiting the security of a secure communication channel to secure a non-secure communication channel
US7873163B2 (en) * 2001-11-05 2011-01-18 Qualcomm Incorporated Method and apparatus for message integrity in a CDMA communication system
US7715822B2 (en) * 2005-02-04 2010-05-11 Qualcomm Incorporated Secure bootstrapping for wireless communications
CA2567416C (fr) * 2005-11-07 2018-10-09 Harsch Khandelwal Verification d'un temoignage
US7752441B2 (en) * 2006-02-13 2010-07-06 Alcatel-Lucent Usa Inc. Method of cryptographic synchronization
CN101406024A (zh) * 2006-03-22 2009-04-08 Lg电子株式会社 Umts的lte的安全考量
JP5059096B2 (ja) * 2006-03-31 2012-10-24 サムスン エレクトロニクス カンパニー リミテッド アクセスシステム間のハンドオーバー時の認証手順を最適化するシステム及び方法
KR101338477B1 (ko) * 2006-04-19 2013-12-10 한국전자통신연구원 이동 통신 시스템의 인증키 생성 방법
PL2099584T3 (pl) * 2006-07-18 2018-01-31 Kistler Holding Ag Łączący zespół
US8094817B2 (en) * 2006-10-18 2012-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographic key management in communication networks
FI20070094A0 (fi) * 2007-02-02 2007-02-02 Nokia Corp Radiopäällysverkon turvallisuusalgoritmin vaihtaminen handoverin aikana
EP1973265A1 (fr) * 2007-03-21 2008-09-24 Nokia Siemens Networks Gmbh & Co. Kg Mise à jour de clé dans un système SAE/LTE
CN101304600B (zh) * 2007-05-08 2011-12-07 华为技术有限公司 安全能力协商的方法及系统
CN101309500B (zh) * 2007-05-15 2011-07-20 华为技术有限公司 不同无线接入技术间切换时安全协商的方法和装置
KR100924168B1 (ko) * 2007-08-07 2009-10-28 한국전자통신연구원 주파수 오버레이 기반의 통신 시스템의 인증키 생성 방법및 인증 방식 협상 방법
CN103220674B (zh) * 2007-09-03 2015-09-09 华为技术有限公司 一种终端移动时防止降质攻击的方法、系统及装置
CN101232736B (zh) * 2008-02-22 2012-02-29 中兴通讯股份有限公司 用于不同接入系统之间密钥生存计数器的初始化设置方法

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070230707A1 (en) 2006-03-28 2007-10-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3493464B1 (fr) 2015-07-02 2020-12-02 GN Hearing A/S Dispositif client avec certificat et procédé associé
EP3800828B1 (fr) 2015-07-02 2024-12-25 GN Hearing A/S Dispositif client avec certificat et procédé associé
US10849191B2 (en) 2016-07-13 2020-11-24 Huawei International PTE., Ltd. Unified authentication for heterogeneous networks
EP3334185B1 (fr) 2016-12-08 2021-06-02 GN Hearing A/S Système auditif, dispositifs et procédé de sécurisation de communication pour une application d'utilisateur
US12160744B2 (en) 2018-08-10 2024-12-03 Huawei Technologies Co., Ltd. User plane integrity protection method and apparatus, and device
WO2020207401A1 (fr) * 2019-04-08 2020-10-15 Mediatek Singapore Pte. Ltd. Récupération de nas 5g depuis un échec de nasc

Also Published As

Publication number Publication date
WO2011130682A3 (fr) 2012-03-01
TWI450557B (zh) 2014-08-21
UA108099C2 (uk) 2015-03-25
CN102835136B (zh) 2016-04-06
AU2011239422B2 (en) 2014-05-08
SG184442A1 (en) 2012-11-29
MX2012011985A (es) 2012-12-17
TW201206139A (en) 2012-02-01
HK1177861A1 (zh) 2013-08-30
IL222384A (en) 2017-02-28
BR112012026136A2 (pt) 2016-06-28
RU2555227C2 (ru) 2015-07-10
MY171059A (en) 2019-09-23
CN102835136A (zh) 2012-12-19
JP5795055B2 (ja) 2015-10-14
CA2795358A1 (fr) 2011-10-20
JP6069407B2 (ja) 2017-02-01
CA2795358C (fr) 2017-12-19
JP2013524741A (ja) 2013-06-17
PH12012502037A1 (en) 2015-06-24
RU2012148506A (ru) 2014-05-20
JP2015180095A (ja) 2015-10-08
BR112012026136B1 (pt) 2021-09-21
KR101474093B1 (ko) 2014-12-17
AU2011239422A1 (en) 2012-11-08
KR20130018299A (ko) 2013-02-20
EP2559276A2 (fr) 2013-02-20
IL222384A0 (en) 2012-12-31

Similar Documents

Publication Publication Date Title
US9084110B2 (en) Apparatus and method for transitioning enhanced security context from a UTRAN/GERAN-based serving network to an E-UTRAN-based serving network
US9197669B2 (en) Apparatus and method for signaling enhanced security context for session encryption and integrity keys
CA2795358C (fr) Appareil et procede pour la signalisation d'un contexte de securite ameliore pour cles de chiffrement et d'integrite de session
US9191812B2 (en) Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node
WO2011130684A1 (fr) Appareil et procédé de transition de contexte de sécurité améliorée d'un réseau de desserte utran à un réseau de desserte geran
HK1177861B (en) Apparatus and method for signaling enhanced security context for session encryption and integrity keys
HK1180169A (en) Apparatus and method for transitioning enhanced security context from a utran/geran-based serving network to an e-utran-based serving network

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201180018855.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11738847

Country of ref document: EP

Kind code of ref document: A2

ENP Entry into the national phase

Ref document number: 2795358

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 12012502037

Country of ref document: PH

ENP Entry into the national phase

Ref document number: 2013505195

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 1201005390

Country of ref document: TH

Ref document number: MX/A/2012/011985

Country of ref document: MX

WWE Wipo information: entry into national phase

Ref document number: 8901/CHENP/2012

Country of ref document: IN

ENP Entry into the national phase

Ref document number: 2011239422

Country of ref document: AU

Date of ref document: 20110415

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 20127029828

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2012148506

Country of ref document: RU

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2011738847

Country of ref document: EP

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11738847

Country of ref document: EP

Kind code of ref document: A2

REG Reference to national code

Ref country code: BR

Ref legal event code: B01A

Ref document number: 112012026136

Country of ref document: BR

ENP Entry into the national phase

Ref document number: 112012026136

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20121011