[go: up one dir, main page]

WO2025165205A1 - Protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat - Google Patents

Protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat

Info

Publication number
WO2025165205A1
WO2025165205A1 PCT/KR2025/099197 KR2025099197W WO2025165205A1 WO 2025165205 A1 WO2025165205 A1 WO 2025165205A1 KR 2025099197 W KR2025099197 W KR 2025099197W WO 2025165205 A1 WO2025165205 A1 WO 2025165205A1
Authority
WO
WIPO (PCT)
Prior art keywords
registration
message
attach
certificate
accept message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/KR2025/099197
Other languages
English (en)
Inventor
Rajavelsamy Rajadurai
Rohini RAJENDRAN
Nivedya PARAMBATH SASI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Publication of WO2025165205A1 publication Critical patent/WO2025165205A1/fr
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/04Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20Transfer of user or subscriber data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/22Processing or transfer of terminal data, e.g. status or physical capabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming

Definitions

  • the present disclosure is related to wireless communication networks. More particularly, the present disclosure is related to a method and system for protecting a registration or attach procedure using a certificate based cryptography.
  • 5G mobile communication technologies define broad frequency bands such that high transmission rates and new services are possible, and can be implemented not only in “Sub 6GHz” bands such as 3.5GHz, but also in “Above 6GHz” bands referred to as mmWave including 28GHz and 39GHz.
  • 6G mobile communication technologies referred to as Beyond 5G systems
  • terahertz bands for example, 95GHz to 3THz bands
  • IIoT Industrial Internet of Things
  • IAB Integrated Access and Backhaul
  • DAPS Dual Active Protocol Stack
  • 5G baseline architecture for example, service based architecture or service based interface
  • NFV Network Functions Virtualization
  • SDN Software-Defined Networking
  • MEC Mobile Edge Computing
  • multi-antenna transmission technologies such as Full Dimensional MIMO (FD-MIMO), array antennas and large-scale antennas, metamaterial-based lenses and antennas for improving coverage of terahertz band signals, high-dimensional space multiplexing technology using OAM (Orbital Angular Momentum), and RIS (Reconfigurable Intelligent Surface), but also full-duplex technology for increasing frequency efficiency of 6G mobile communication technologies and improving system networks, AI-based communication technology for implementing system optimization by utilizing satellites and AI (Artificial Intelligence) from the design stage and internalizing end-to-end AI support functions, and next-generation distributed computing technology for implementing services at levels of complexity exceeding the limit of UE operation capability by utilizing ultra-high-performance communication and computing resources.
  • FD-MIMO Full Dimensional MIMO
  • OAM Organic Angular Momentum
  • RIS Reconfigurable Intelligent Surface
  • a method performed by a user equipment (UE) for protection of a partial registration or attach accept message using a certificate based cryptography may include pre-configuring a private key and a certificate at the UE based on an operator policy.
  • the method may include transmitting a registration or attach request message including a public key of the UE in the certificate to an on-board network entity.
  • the method may include receiving the partial registration or attach accept message from the on-board network entity, wherein the partial registration or attach accept message may be encrypted using the public key of the UE, and wherein the partial registration or attach accept message may include a temporary identifier for the UE.
  • the method may include decrypting the received encrypted partial registration or attach accept message using the private key.
  • the method may include storing the temporary identifier included in the decrypted partial registration or attach accept message.
  • a method performed by an on-board network entity for protection of a partial registration or attach accept message using a certificate based cryptography may include receiving a registration or attach request message including a public key of a user equipment (UE) in a certificate from the UE.
  • the method may include verifying the certificate of the UE.
  • the method may include generating a temporary identifier for the UE.
  • the method may include encrypting the partial registration or attach accept message using the public key of the UE, wherein the partial registration or attach accept message may include the generated temporary identifier.
  • the method may include transmitting the encrypted partial registration or attach accept message to the UE.
  • a user equipment (UE) for protection of a partial registration or attach accept message using a certificate based cryptography may include memory, a processor coupled to the memory, and a registration protection controller communicatively coupled to the memory and the processor.
  • the registration protection controller may pre-configure a private key and a certificate at the UE based on an operator policy.
  • the registration protection controller may transmit a registration or attach request message including a public key of the UE in the certificate to an on-board network entity.
  • the registration protection controller may receive the partial registration or attach accept message from the on-board network entity, wherein the partial registration or attach accept message may be encrypted using the public key of the UE, and wherein the partial registration or attach accept message may include a temporary identifier for the UE.
  • the registration protection controller may decrypt the received encrypted partial registration or attach accept message using the private key.
  • the registration protection controller may store the temporary identifier included in the decrypted partial registration or attach accept message.
  • an on-board network entity for protection of a partial registration or attach accept message using a certificate based cryptography.
  • the on-board network entity may include memory, a processor coupled to the memory, and an on-board registration protection controller communicatively coupled to the memory and the processor.
  • the on-board registration protection controller may receive a registration or attach request message including a public key of a user equipment (UE) in a certificate from the UE.
  • the on-board registration protection controller may verify the certificate of the UE.
  • the on-board registration protection controller may generate a temporary identifier for the UE.
  • the on-board registration protection controller may encrypt the partial registration or attach accept message using the public key of the UE, wherein the partial registration or attach accept message may include the generated temporary identifier.
  • the on-board registration protection controller may transmit the encrypted partial registration or attach accept message to the UE.
  • Fig. 1 is a schematic diagram that illustrates a scenario of a serving satellite change during a feeder link disconnection while an IoT device is moving according to an embodiment as disclosed herein.
  • Fig. 2 is a schematic diagram that illustrates a scenario of the serving satellite change during the feeder link disconnection while the satellite is moving according to an embodiment as disclosed herein.
  • Fig. 3 is a sequence diagram that illustrates a scenario of initial registration and/or attach procedure between a UE, a single satellite and a network according to an embodiment as disclosed herein.
  • Fig. 4 is a sequence diagram that illustrates a scenario of initial registration and/or attach procedure between the UE, multiple satellites, and the network according to an embodiment as disclosed herein.
  • Fig. 5 is a block diagram that illustrates a schematic of the UE implemented to carry out the disclosed subject matter according to an embodiment as disclosed herein.
  • Fig. 6 is a block diagram that illustrates a schematic of an on-board network apparatus implemented to carry out the disclosed subject matter according to an embodiment as disclosed herein.
  • Fig. 7 is a sequence diagram that illustrates a protection of partial registration/attach accept message using public key cryptography while the UE is in possession of key pairs according to an embodiment as disclosed herein.
  • Fig. 8 is a sequence diagram that illustrates a protection of partial registration/attach accept message using certificate based cryptography while the UE in possession of certificates according to an embodiment as disclosed herein.
  • Fig. 9 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a public key based cryptography while network functions (NFs) on-board are in possession of key pairs according to an embodiment as disclosed herein.
  • NFs network functions
  • Fig. 10 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a certificate based cryptography using NFs on-board in possession of certificates according to an embodiment as disclosed herein.
  • Fig. 11 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a TLS Certificate based cryptography using the UE and the NFs-onboard according to an embodiment as disclosed herein.
  • Fig. 12 is a sequence diagram that illustrates K AMF-SAT key derivation per satellite according to an embodiment as disclosed herein.
  • Fig. 13 is a sequence diagram that illustrates NAS key derivation per satellite according to an embodiment as disclosed herein.
  • Fig. 14 is a schematic diagram that illustrates K AMF-SAT derivation function according to an embodiment as disclosed herein.
  • Fig. 15 is a schematic diagram that illustrates the K AMF-SAT derivation function according to an embodiment as disclosed herein.
  • Fig. 16 is a schematic diagram that illustrates K NASint derivation function according to an embodiment as disclosed herein.
  • Fig. 17 is a schematic diagram that illustrates K NASenc derivation function according to an embodiment as disclosed herein.
  • Fig. 18 is a sequence diagram that illustrates a scenario where the UE selects another PDU session in case of satellite unavailability according to an embodiment as disclosed herein.
  • Figs. 19A and 19B are a sequence diagram that illustrates a scenario where the UE switches the PDU based on uplink unavailability according to an embodiment as disclosed herein.
  • Fig. 20 is a schematic diagram that illustrates a scenario where the same PDU session is maintained between both 3GPP and non-3GPP access according to an embodiment as disclosed herein.
  • Fig. 21 is a schematic diagram that illustrates a scenario where the same PDU session is maintained between both 3GPP and non-3GPP access according to an embodiment as disclosed herein.
  • Fig. 22 is a schematic diagram that illustrates a process of key derivation in dual connectivity according to an embodiment as disclosed herein.
  • Fig. 23 is a sequence diagram that illustrates key derivation and handling during dual connectivity in satellite communication according to an embodiment as disclosed herein.
  • Fig. 24 is a flow diagram that illustrates a method for protecting a registration or attach procedure using a certificate based cryptography by the UE according to an embodiment as disclosed herein.
  • Fig. 25 is a flow diagram that illustrates a method for protecting a registration or attach procedure using a certificate based cryptography by the on-board network apparatus according to an embodiment as disclosed herein.
  • modules As is traditional in the field, embodiments are described and illustrated in terms of blocks that carry out a described function or functions. These blocks, which referred to herein as managers, units, modules, hardware components or the like, are physically implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits, and the like, and optionally be driven by firmware and software.
  • the circuits for example, be embodied in a plurality of semiconductor chips, or on substrate supports such as printed circuit boards, and the like.
  • circuits constituting a block be implemented by dedicated hardware, or by a processor (e.g., a plurality of programmed microprocessors and associated circuitry), or by a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block.
  • a processor e.g., a plurality of programmed microprocessors and associated circuitry
  • a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block e.g., a plurality of programmed microprocessors and associated circuitry
  • Each block of the embodiments be physically separated into two or more interacting and discrete blocks without departing from the scope of the proposed method.
  • the blocks of the embodiments be physically combined into more complex blocks without departing from the scope of the proposed method.
  • 3GPP is currently examining various use cases related to store and forward (S&F) scenarios where the service link (connecting the user equipment (UE) to the satellite) and the feeder link (linking the satellite to the non-terrestrial network (NTN) gateway) are not available simultaneously.
  • S&F store and forward
  • the satellite is linked to the ground network through the feeder link, messages are uploaded to the satellite. All accumulated and stored mobile terminated (MT) messages are transferred to the satellite via this feeder link.
  • MT mobile terminated
  • MO mobile originated
  • NAS Non-Access-Stratum
  • UE user equipment
  • the satellite supporting S&F operation stores the registration request until the feeder link is available and sends an interim response message to the UE. Due to unavailability of the feeder link, the UE may not get authenticated (until the feeder link is available) and establish the security context to protect the response messages. In these situations, the on-board eNB/gNB and MME/AMF must prioritize the security and privacy of the (UE by safeguarding the response message, which may contain sensitive UE information, such as the assignment of a temporary ID. If any UE-related data is transmitted in clear text, it could expose the system to potential threats concerning UE traceability and linkability.
  • Fig. 1 is a schematic diagram that illustrates a scenario of a serving satellite change during a feeder link disconnection while an IoT device (106) is moving according to an embodiment as disclosed herein.
  • Fig. 2 is a schematic diagram that illustrates a scenario of the serving satellite change during the feeder link disconnection while the satellite is moving according to an embodiment as disclosed herein.
  • Fig. 1 and Fig. 2 include the IoT device (106), a satellite A (102A), a satellite B (102B), and a gateway (104).
  • the IoT device (106) is in communication with the satellite A (102A) via the service link.
  • the satellite A (102A) and the satellite B (102B) are in communication with each other via an inter-satellite link.
  • the gateway (104) is in communication with the satellite A (102A) and the satellite B (102B) via the feeder link.
  • the IoT device (106) may move from the coverage of one satellite to the other (e.g. containers tracing and tracking), or as shown in Fig. 2, a Non-Geostationary Satellite Orbit (NGSO) satellite may fly away and the other one will come and turn to serving a static IoT device. Under such circumstances, the serving satellite may forward the stored user plane data to the next serving satellite through Inter-Satellite Links, and the next serving satellite may help forward the data to the gateway.
  • NGSO Non-Geostationary Satellite Orbit
  • the feeder link of the next satellite is also unavailable, it will continue the store operation until the recovery of its feeder link.
  • the mobile operators will be easier to manage and maintain the data rather than dealing with the separate data which is belong to one device but among different satellites.
  • the serving satellite only stores or forwards (Inter-satellite) the data received from the IoT device (106), which is already able to send data to the application server through the mobile network with satellite access. Since the disconnection separates the two parts of the mobile network temporarily, the part in the serving satellite will not be able to fulfill common communication procedures and it will refuse any access from an unregistered device. Furthermore, considering the limited data storage in satellite and the large amount of IoT devices, a maximum storage for the IoT device (106) should be pre-configured based on the application data characteristics, user subscriptions and overall performance of satellite communication system.
  • Fig. 3 and Fig. 4 show the potential solutions under consideration for initial registration and/or attach procedure without PDN connectivity. Whenever a procedure needs an interaction with a core network node in the ground, then AMF/MME-onboard stores the respective messages when feeder link is not available and progresses the procedure when feeder link is available. At step 3 in Fig. 3 and Fig.
  • the AMF/MME-onboard sends a NAS message e.g., Partial attach accept which is unprotected to the UE (502), indicating to the UE (502) that the sent REGISTRATION/ATTACH REQUEST message is partially stored by the AMF/MME-onboard.
  • the Partial registration/attach accept message includes a temporary UE identifier (say 5G-GUTI/ Globally Unique Temporary UE Identity (GUTI)) and other possible sensitive information such as parameters used for security mechanism which can lead to privacy attacks. Therefore, it is desired to address the risk of sending the UE temporary identifier in an unprotected message (e.g., partial registration/attach accept).
  • Fig. 5 is a block diagram that illustrates a schematic of a UE (502) implemented to carry out the disclosed subject matter according to an embodiment as disclosed herein.
  • the UE (502) may include, but not limited to a smartphone, a tablet, a laptop, a personal computer (PC), a television, automotive systems (such as connected cars, autonomous vehicles, vehicle-to-everything (V2X) communication devices, etc.), enterprise Devices such as robotics, specialized Equipment (such as medical devices, public safety devices, etc.), media Devices (such as gaming Consoles, streaming Devices, etc.), and the like.
  • the UE (502) may include a first processor (504), first memory (506), a first Input/Output (I/O) Interface (508), and a registration protection controller (510). Each component is explained in further detail below.
  • the first processor (504) may communicates with the first memory (506), the first I/O Interface (508) and the registration protection controller (510).
  • the first processor (504) may be configured to execute instructions stored in the first memory (506) and to perform various processes.
  • the first processor (504) may include one or a plurality of processors, may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an Artificial intelligence (AI) dedicated processor such as a neural processing unit (NPU).
  • CPU central processing unit
  • AP application processor
  • AI Artificial intelligence
  • the first memory (506) may include storage locations to be addressable through the first processor (504).
  • the first memory (506) is not limited to a volatile memory and/or a non-volatile memory. Further, the first memory (506) may include a plurality of computer-readable storage media.
  • the first memory (506) may include non-volatile storage elements. For example, non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories.
  • the first I/O Interface (508) may transmit the information between the first memory (506) and external peripheral devices.
  • the peripheral devices may be the input-output devices associated with the UE (502).
  • the registration protection controller (510) may communicate with the first I/O Interface (508) and the first memory (506).
  • the registration protection controller (510) may be communicatively coupled to the first memory (506) and the first processor (504).
  • the registration protection controller (510) may be an innovative hardware that is realized through the physical implementation of both analog and digital circuits, including logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive and active electronic components, as well as optical components.
  • the registration protection controller (510) may pre-configure a private key and a certificate at the UE (502) based on an operator policy.
  • the certificate may include a public key of the UE (502).
  • the operator policy may outline the security protocols and standards that must be adhered to for the protection of user data and network integrity.
  • the private key may be used to encrypt data and authenticate the identity of the UE (502) during communication sessions.
  • the private key may remain confidential and may be stored securely within the UE (502), ensuring that only the authorized device can access and utilize it for secure transactions.
  • the certificate may act as an additional security layer and include the public key associated with the UE (502).
  • the registration protection controller (510) may generate a registration or attach request message by adding the certificate including the public key of the UE (502).
  • the registration or attach request message may be crucial for establishing a connection between the UE (502) and the network.
  • the registration protection controller (510) may incorporate the certificate into the registration or attach request message.
  • the registration protection controller (510) may transmit the registration or attach request message to an on-board network apparatus (602).
  • the on-board network apparatus (602) may include a next generation node B (gNB), an evolved node B (eNB), an access and mobility management function (AMF), and a mobility management entity (MME).
  • gNB next generation node B
  • eNB evolved node B
  • AMF access and mobility management function
  • MME mobility management entity
  • the registration protection controller (510) may receive a partial attach registration or accept message from the on-board network apparatus (602) in response to the registration or attach request message.
  • the partial attach registration or accept message may be received upon successful verification of the certificate by the on-board network apparatus (602).
  • the partial attach registration or accept message may be encrypted using the public key of the UE (502).
  • the partial attach registration or accept message may include a temporary identifier for the UE (502) and a security parameter. This temporary identifier may serve as a unique reference for the UE (502) during the ongoing session, allowing the on-board network apparatus (602) to manage and track the connection effectively.
  • the security parameter may include information related to encryption keys, authentication tokens, or other security-related data necessary for establishing a secure communication channel between the UE (502) and the on-board network apparatus (602).
  • the registration protection controller (510) may decrypt the received encrypted partial registration or attach accept message using the private key preconfigured at the UE (502).
  • the decryption process may involve using the private key to reverse the encryption applied to the message prior to its transmission. This ensures that only authorized entities, equipped with the correct private key, can interpret the contents of the message.
  • the encrypted partial registration or attach accept message may contain vital information necessary for establishing or maintaining a connection between the UE (502) and the on-board network apparatus (602).
  • Fig. 6 is a block diagram that illustrates a schematic of the on-board network apparatus (602) implemented to carry out the disclosed subject matter according to an embodiment as disclosed herein.
  • the on-board network apparatus (602) may include a next generation node B (gNB), an evolved node B (eNB), an access and mobility management function (AMF), and a mobility management entity (MME) on-board a satellite.
  • the gNB may be responsible for providing radio access to the UE (502).
  • the gNB may facilitate high-speed data transmission, low latency, supports a large number of connected devices, manages user sessions, and ensure seamless connectivity.
  • the eNB may be responsible for connecting user devices within the network. It may handle radio resource management, scheduling, and the transmission of data to and from the UE (502).
  • the eNB may play a crucial role in maintaining the quality of service and managing handovers between cells.
  • the AMF may be responsible for managing user access and mobility. It may handle registration, connection management, and mobility procedures, ensuring that users maintain a stable connection as they move between different coverage areas. Further, the MME may be responsible for managing the signaling between the UE (502) and the core network. It may handle tasks such as user authentication, session management, and mobility management.
  • the on-board network apparatus (602) may include a second processor (604), second memory (606), a second I/O interface (608), and an on-board registration protection controller (610).
  • the on-board registration protection controller (610) may communicate with the second I/O interface (608) and the second memory (606).
  • the on-board registration protection controller (610) may be communicatively coupled to the second memory (606) and the second processor (604).
  • the on-board registration protection controller (610) may be an innovative hardware that is realized through the physical implementation of both analog and digital circuits, including logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive and active electronic components, as well as optical components.
  • the on-board registration protection controller (610) may receive a registration or attach request message from the UE (502).
  • the registration or attach request message may include a public key and a certificate associated with the UE (502).
  • the certificate may include the public key of the UE (502).
  • the public key may be used to encrypt data that can only be decrypted by the corresponding private key, ensuring that sensitive information remains secure during transmission.
  • the certificate may be issued by a trusted certificate authority (CA).
  • the certificate may include information such as the identity of the UE (502), the validity period of the certificate, the digital signature of the CA, which verifies the authenticity of the certificate, and the like.
  • the on-board registration protection controller (610) may verify the certificate of the UE (502).
  • the verification may be carried out by provisioning a root certificate of a root CA that issued the certificate of the UE (502) at the on-board network apparatus (602).
  • the certificate of the UE (502) may be verified based on the provisioned root certificate of the root CA.
  • the root certificate may serve as a trusted anchor for the entire authentication framework.
  • the installation of the root certificate may be performed on the on-board network apparatus (602), which acts as a gateway for managing and verifying the certificates of the UE (502).
  • the on-board registration protection controller (610) may generate a temporary identifier for the UE (502) upon successful verification of the certificate of the UE (502).
  • the use of the temporary identifier may enhance privacy and security, as it minimizes the risk of unauthorized access and protects the actual identity of the UE (502) from potential threats.
  • the on-board registration protection controller (610) may generate a partial attach registration or accept message to be transmitted to the UE (502) upon generation of the temporary identifier.
  • the partial attach registration or accept message may include essential information that indicates the current status of the UE (502) in the network and may include details such as the temporary identifier itself, network capabilities, and any relevant parameters that the UE (502) needs to be aware of for further communication.
  • the partial attach registration or accept message may be crucial for establishing a secure and efficient connection between the UE (502) and the on-board network apparatus (602). This may allow the UE (502) to proceed with its registration process while ensuring that it is duly recognized and authenticated.
  • the on-board registration protection controller (610) may encrypt the partial registration or attach accept message using the public key of the UE (502).
  • the partial registration or attach accept message may include the generated temporary identifier and security parameters.
  • the security parameters may be critical for establishing a secure communication channel between the UE (502) and the on-board network apparatus (602).
  • the security parameters may include encryption procedures, integrity protection mechanisms, and other security-related information that ensures the confidentiality and integrity of the data being transmitted.
  • Fig. 7 is a sequence diagram that illustrates a protection of partial registration/attach accept message using public key cryptography while the UE (502) is in possession of key pairs according to an embodiment as disclosed herein.
  • the UE (502), the satellite A (102A) (including the eNB and MME-onboard), and a ground network (702) are in communication with each other. Each step is explained in further detail below.
  • the UE (502) may be in possession of private-public key pair required for public key cryptography.
  • the UE (502) may be configured with the private-public key pair by the core network (ground network (702)) as part of UE configuration and/or in the Universal integrated circuit card (UICC).
  • the UE (502) may be configured with the private-public key pair by the NFs-onboarded (on the satellite A (102A)) as part of UE configuration and/or in the UICC.
  • the Key Management Server (KMS) (operator managed/third party provided) may configure the UE (502) with the private-public key pair as part of UE configuration and/or in the UICC.
  • the UE (502) Universal Subscriber Identity Module (USIM)/UICC/ Mobile Equipment (ME)
  • USB Universal Subscriber Identity Module
  • ME Mobile Equipment
  • the UE (502) may send Registration or Attach Request message to the AMF or MME-onboard (in the satellite A (102A) (as in Fig. 7)).
  • the UE (502) may include at least one of the UE identifier (International Mobile Subscriber Identity (IMSI)/Subscription Concealed Identifier (SUCI) and/or Generic Public Subscription Identifier (GPSI)), Message Authentication Code (MAC) of the message in the request message.
  • the UE (502) may additionally include the public key in the registration or Attach Request message. This public key will be used to encrypt the partial registration or attach accept message.
  • the GPSI may be included instead of IMSI to ensure the long term permanent identities are not exposed over the air and/or the certificate includes GPSI as the identity of the client (for example, if certificate/public key is issued by third party then long term permanent identities cannot be exposed to the 3 rd party).
  • the UE (502) may include the security capability (for the protection of initial message exchanges) more specifically the asymmetric cryptographic information (at least one of the following parameters such as protection scheme like null-scheme or profiles, Elliptic Curve Integrated Encryption Scheme (ECIES), length of the cryptographic keys, size of the Message Authentication code (MAC), MAC algorithm, Digital Signature algorithm, Encryption algorithm, HASH algorithm, Key Derivation Function, Size of the scheme output, like so).
  • the certificates may be associated with validity to avoid any tracking issue due to using same certificate for longer period of time.
  • the gNB or eNB and/or AMF or MME may assign and/or generate a Temporary Identifier for the UE (502).
  • the gNB or eNB and/or AMF or MME may associate or map the assigned Temporary Identifier with at least one of the received IMSI/SUCI and/or GPSI and the Public Key and further store the received Registration or Attach Request message until the feeder link is available as part of S&F operation.
  • the temporary identifier may be of single usage or may be associated with a validity period.
  • the gNB or eNB and/or AMF or MME may check the legitimacy of the UE (502) and the request message by verifying the MAC.
  • the gNB or eNB and/or AMF or MME-onboard may send a NAS message as Partial registration/attach accept message to the UE (502).
  • the Partial registration/attach accept message may include the generated Temporary Identifier and other possible parameters encrypted and/or integrity protected using the public key of the UE (502), considering the received security capability of the UE (502). Further, the parameters/details of the used security mechanism may be included in the Partial registration/attach accept message.
  • the partial registration/attach accept message may be the response NAS (N1) message for the received Registration or Attach Request message.
  • the response message may be encrypted and/or integrity protected by the random key generated by the on-board NF or the satellite A (102A).
  • the on-board NF or the satellite A (102A) may encrypt the random key using the public key of the UE (502).
  • the on-board NF or the satellite A (102A) may transmit encrypted and/or Internet Protocol (IP) response and also includes the encrypted random key to the UE (502) along with the message.
  • IP Internet Protocol
  • the UE (502) may decrypt the received Partial registration/attach accept message using the private key and store the Temporary Identifier and the received security parameters/details if any in the Partial registration/attach accept message.
  • the UE (502) shall not trigger the registration/attach request again until paging message is received or appropriate timer value elapses.
  • the AMF or MME-onboard may fetch the authentication vectors, subscription details and other possible required parameters from the Unified Data Management (UDM) or a Home Subscriber Server (HSS) (302) on the ground network (702) and indicate that it is pre-fetching the subscription data without authenticating the UE (502).
  • the gNB or eNB and/or AMF or MME (onboard) may store the received authentication vectors, subscription details and other possible parameters received until the service link is available.
  • the onboard AMF or MME may enter UE serving area; it will start paging the UE (502) with the assigned temporary identifier in the partial registration or attach accept message.
  • the paging message will include a cause Information Element (IE) indicating to complete the registration or attach procedure for the UE (502).
  • IE cause Information Element
  • the UE (502) may re-send the Registration or Attach request message including the IMSI/SUCI.
  • the UE (502) and gNB/eNB or AMF/MME-onboard may perform the authentication and security procedure with the UE (502), once primary authentication procedure is successful remaining steps are performed to complete the Registration or Attach procedure with the UE (502).
  • the UE and gNB/eNB and/or AMF/MME may establish the Access Stratum (AS), User Plane (UP) and Non-Access Stratum (NAS) security context.
  • AS Access Stratum
  • UP User Plane
  • NAS Non-Access Stratum
  • step 12 further message exchanges may be protected using AS, UP and NAS security context appropriately.
  • Fig. 8 is a sequence diagram that illustrates a protection of partial registration/attach accept message using certificate based cryptography while the UE (502) in possession of certificates according to an embodiment as disclosed herein.
  • the UE (502), the satellite A (102A) (including the eNB and MME-onboard), and the ground network (702) are in communication with each other. Each step is explained in further detail below.
  • the UE (502) may be in possession of certificate and private key.
  • the UE (502) may be configured with the certificate and private key by the Core Network (ground network (702)) as part of UE configuration and/or in the UICC.
  • the UE (502) may be configured with the certificate and private key by the NFs-onboarded (on the satellite A (102A)) as part of UE configuration and/or in the UICC.
  • the Certificate Authority (CA)/ Registration Authority (RA) may configure the UE (502) with the certificate and private key as part of UE pre-configuration and/or in the UICC.
  • the UE (502) may send Registration or Attach Request message to the AMF or MME-onboard (in the satellite A (102A)).
  • the UE (502) may include at least one of the UE identifier IMSI/SUCI and/or GPSI in the request message.
  • the UE (502) may additionally include the public key of the UE (502) in the certificate in the registration or Attach Request message. This Public key in the Certificate will be used to encrypt the partial registration or attach accept message.
  • the GPSI may be included instead of IMSI to ensure the long term permanent identities are not exposed over the air and/or the certificate may include GPSI as the identity of the client (for example, if certificate/public key is issues by third party then long term permanent identities cannot be exposed to the 3 rd party).
  • the UE (502) may include the security capability (for the protection of initial message exchanges) more specifically the asymmetric cryptographic information (at least one of the following parameters such as protection scheme like null-scheme or profiles, ECIES, length of the cryptographic keys, size of the MAC, MAC algorithm, Digital Signature algorithm, Encryption algorithm, HASH algorithm, Key Derivation Function, Size of the scheme output, like so).
  • the gNB or eNB and/or AMF or MME may assign and/or generate a Temporary Identifier for the UE (502).
  • the gNB or eNB and/or AMF or MME may associate or map the assigned Temporary Identifier with the received IMSI/SUCI and/or GPSI and the Public Key in the Certificate and further store the received Registration or Attach Request message until the feeder link is available as part of S&F operation.
  • the onboard NFs or an entity/module in the satellite A may be provisioned with the certificate of the root CA who issued the certificate.
  • the Root CA for this purpose is the GSMA CI, which is defined in SGP.02
  • the gNB or eNB and/or AMF or MME-onboard may send a NAS message as Partial registration/attach accept message to the UE (502).
  • the Partial attach registration/accept message may include the generated Temporary Identifier and other possible parameters encrypted using public key of the UE (502) in the certificate considering the received security capability of the UE (502). Further, the parameters/details of the used security mechanism may be included in the Partial registration/attach accept message.
  • the response message may be encrypted and/or integrity protected by the random key generated by the Onboard NF or the satellite A (102A).
  • the Onboard NF or the satellite A (102A) may encrypt the random key using the public key of the UE (502).
  • the Onboard NF or the satellite A (102A) may transmit encrypted and/or IP response and also includes the encrypted random key to the UE (502) along with the message.
  • the UE (502) may decrypt the received encrypted Partial registration/attach accept message using the private key and store the Temporary Identifier and the received security parameters/details if any in the Partial registration/attach accept message.
  • the UE (502) shall not trigger the registration/attach request again until paging message is received or appropriate timer value elapses.
  • the AMF or MME-onboard may fetch the authentication vectors, subscription details and other possible required parameters from the UDM or the HSS (302) on the ground network (702) and indicate that it is pre-fetching the subscription data without authenticating the UE (502).
  • the gNB or eNB and/or AMF or MME (onboard) may store the received authentication vectors, subscription details and other possible parameters received until the service link is available.
  • the on-board AMF or MME may enter UE serving area; it will start paging the UE (502) with the assigned temporary identifier in the partial registration or attach accept message.
  • the paging message will include a cause IE indicating to complete the registration or attach procedure for the UE (502).
  • the UE (502) may re-send the Registration or Attach request message including the IMSI/SUCI.
  • the UE (502) and gNB/eNB or AMF/MME-onboard may perform the authentication and security procedure with the UE (502), once primary authentication procedure is successful remaining steps may be performed to complete the Registration or Attach procedure with the UE (502). After successful authentication the UE (502) and gNB/eNB and/or AMF/MME may establish the AS, UP, and NAS security context.
  • step 12 further message exchanges may be protected using AS, UP and NAS security context appropriately.
  • Fig. 9 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a public key based cryptography while NFs on-board are in possession of key pairs according to an embodiment as disclosed herein.
  • the UE (502), the satellite A (102A) (including the eNB and MME-onboard), and the ground network (702) are in communication with each other. Each step is explained in further detail below.
  • the Network on-board in the satellite A (102A) may be in possession of private-public key pair required for public key cryptography.
  • the UE (502) may receive the public key of the satellite A (102A) in a system information block (SIB) broadcasted by the eNB/gNB on-board.
  • SIB system information block
  • the UE (502) may be configured with the public key by the NFs on-boarded in the satellite A (102A) as part of UE configuration and/or in the UICC.
  • the Key Management Server (operator managed/third party provided) may configure the UE (502) with the public key as part of UE configuration and/or in the UICC.
  • the UE (502) may derive the Temporary Key pair from the public key of the satellite A (102A) and associate and/or map the temporary key with at least one of the gNB/eNB ID, Cell ID, PCI, ARFCN, Satellite ID and other possible parameters.
  • the UE (502) may encrypt the temporary key using the public key of the satellite A (102A).
  • the UE (502) may send Registration or Attach Request message to the AMF or MME-onboard (in the satellite A (102A) (as in Fig. 9)).
  • the UE (502) may include at least one of the UE identifier IMSI/SUCI and/or GPSI if possible in the request message.
  • the UE (502) may additionally include the encrypted Temporary key in the registration or Attach Request message. This temporary key will be used to encrypt the partial registration or attach accept message.
  • the GPSI may be included instead of IMSI to ensure the long term permanent identities are not exposed over the air and/or the certificate may include GPSI as the identity of the client (for example, if certificate/public key is issues by third party then long term permanent identities cannot be exposed to the 3 rd party).
  • the UE (502) may include the security capability more specifically the asymmetric cryptographic information (at least one of the following parameters such as protection scheme like null-scheme or profiles, ECIES, length of the cryptographic keys, size of the MAC, MAC algorithm, Digital Signature algorithm, Encryption algorithm, HASH algorithm, Key Derivation Function, Size of the scheme output, and the like so).
  • the gNB or eNB and/or AMF or MME may assign a Temporary Identifier for the UE (502).
  • the gNB or eNB and/or AMF or MME may associate or map the assigned Temporary Identifier with at least one of the received IMSI/SUCI and/or GPSI and the Temporary Key (decrypted using the private key of the satellite A (102A)) and store the Registration or Attach Request message until the feeder link is available as part of S&F operation.
  • the gNB or eNB and/or AMF or MME-onboard may send a NAS message as Partial registration/attach accept message to the UE (502).
  • the Partial attach accept message may include the Temporary Identifier and other possible parameters encrypted and/or integrity protected using the stored temporary key of the UE (502) (received in Registration/attach request message) considering the received security capability of the UE (502). Further, the parameters/details of the used security mechanism may be included in the Partial registration/attach accept message.
  • the UE (502) may decrypt the received Partial registration/attach accept message using the temporary private key and store the Temporary Identifier and the received security parameters/details if any in the Partial registration/attach accept message.
  • the UE (502) shall not trigger the registration/attach request again until paging message is received or appropriate timer value elapses.
  • the AMF or MME-onboard may fetch the authentication vectors, subscription details and other possible required parameters from the UDM or the HSS (302) on the ground network (702) and indicate that it is pre-fetching the subscription data without authenticating the UE (502).
  • the gNB or eNB and/or AMF or MME (onboard) may store the received authentication vectors, subscription details and other possible parameters received until the service link is available.
  • the onboard AMF or MME may enter UE serving area; it will start paging the UE (502) with the assigned temporary identifier in the partial registration or attach accept message.
  • the paging message will include a cause IE indicating to complete the registration or attach procedure for the UE (502).
  • the UE (502) may re-send the Registration or Attach request message including the IMSI/SUCI.
  • the UE (502) and gNB/eNB or AMF/MME-onboard may perform the authentication and security procedure with the UE (502), once primary authentication procedure is successful remaining steps may be performed to complete the Registration or Attach procedure with the UE (502).
  • the UE (502) and gNB/eNB and/or AMF/MME may establish the AS, the UP, and NAS security context.
  • step 14 further message exchanges may be protected using AS, UP and NAS security context appropriately.
  • Fig. 10 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a certificate based cryptography using NFs on-board in possession of certificates according to an embodiment as disclosed herein.
  • the UE (502), the satellite A (102A) (including the eNB and MME-onboard), and the ground network (702) are in communication with each other. Each step is explained in further detail below.
  • the network on-board in the satellite A (102A) may be in possession of private key and the certificate.
  • the UE (502) may receive the public key certificate of the satellite A (102A) in the SIB broadcasted by the eNB/gNB on-board.
  • the UE (502) may be configured with the public key certificate of the satellite A (102A) by the NFs on-boarded in the satellite A (102A) as part of UE configuration and/or in the UICC.
  • the CA/RA (operator managed/third party provided) may configure the UE (502) with the certificate and private key as part of UE pre-configuration and/or in the UICC.
  • the UE (502) may derive the Temporary Key pair from the public key certificate of the satellite A (102A) and associate and/or map the temporary key with at least one of the gNB/eNB ID, Cell ID, PCI, ARFCN, Satellite ID and other possible parameters.
  • the UE (502) may encrypt the temporary key using the public key certificate of the satellite A (102A).
  • the UE (502) may send Registration or Attach Request message to the AMF or MME-onboard (in the satellite A (102A) (as in Fig. 10)).
  • the UE (502) may include the at least one of the UE identifier IMSI/SUCI and/or GPSI if possible in the request message.
  • the UE (502) may additionally include the encrypted Temporary key in the registration or Attach Request message. This temporary key will be used to encrypt the partial registration or attach accept message.
  • the GPSI may be included instead of IMSI to ensure the long term permanent identities are not exposed over the air and/or the certificate may include GPSI as the identity of the client (for example, if certificate/public key is issues by third party then long term permanent identities cannot be exposed to the 3 rd party).
  • the UE (502) may include the security capability more specifically the asymmetric cryptographic information (at least one of the following parameters such as protection scheme like null-scheme or profiles, ECIES, length of the cryptographic keys, size of the MAC, MAC algorithm, Digital Signature algorithm, Encryption algorithm, HASH algorithm, Key Derivation Function, Size of the scheme output, like so).
  • the gNB or eNB and/or AMF or MME may assign a Temporary Identifier for the UE (502).
  • the gNB or eNB and/or AMF or MME may associate or map the assigned Temporary Identifier with the received IMSI/SUCI and/or GPSI and the Temporary Key (decrypted using the private key of the satellite A (102A)) and store the Registration or Attach Request message until the feeder link is available as part of S&F operation.
  • the gNB or eNB and/or AMF or MME-onboard may send a NAS message as Partial registration/attach accept message to the UE (502).
  • the Partial registration/attach accept message may include the generated Temporary Identifier and other possible parameters encrypted and/or integrity protected using the stored temporary key of the UE (502) (received in Registration/attach request message) considering the received security capability of the UE (502). Further, the parameters/details of the used security mechanism may be included in the Partial registration/attach accept message.
  • the UE (502) may decrypt the received Partial registration/attach accept message using the temporary private key and store the Temporary Identifier and the received security parameters/details if any in the Partial registration/attach accept message.
  • the UE (502) shall not trigger the registration/attach request again until paging message is received or appropriate timer value elapses.
  • the onboard NFs or an entity/module in the satellite A (102A) may be provisioned with the certificate of the root CA who issued the certificate, and to verify the server certificate (certificate of onboard NF or the satellite A (102A)), the UE (502) may be provisioned with the certificate of the root CA who issued the server certificate.
  • the root CA for this purpose is the GSMA CI which is defined in SGP.02.
  • the AMF or MME-onboard may fetch the authentication vectors, subscription details and other possible required parameters from the UDM or the HSS (302) on the ground network (702) and indicate that it is pre-fetching the subscription data without authenticating the UE (502).
  • the gNB or eNB and/or AMF or MME (onboard) may store the received authentication vectors, subscription details and other possible parameters received until the service link is available.
  • the onboard AMF or MME may enter UE serving area; it will start paging the UE (502) with the assigned temporary identifier in the partial registration or attach accept message.
  • the paging message will include a cause IE indicating to complete the registration or attach procedure for the UE (502).
  • the UE (502) may re-send the Registration or Attach request message including the IMSI/SUCI.
  • the UE (502) and gNB/eNB or AMF/MME may perform the authentication and security procedure with the UE (502), once primary authentication procedure is successful remaining steps may be performed to complete the Registration or Attach procedure with the UE (502). After successful authentication the UE (502) and gNB/eNB and/or AMF/MME may establish the AS, the UP, and NAS security context.
  • step 14 further message exchanges may be protected using AS, UP and NAS security context appropriately.
  • Fig. 11 is a sequence diagram that illustrates a protection of partial registration/attach accept message using a TLS Certificate based cryptography using the UE (502) and the NFs-onboard according to an embodiment as disclosed herein.
  • the UE (502), the satellite A (102A) (including the eNB and MME-onboard), and the ground network (702) are in communication with each other. Each step is explained in further detail below.
  • the UE (502) and the NFs on-board the satellite A (102A) may be in possession of private key and certificate.
  • the UE (502) may be configured with the private key and certificates by the Core Network (ground network (702)) as part of UE configuration and/or in the UICC.
  • the UE (502) may be configured with the private key and certificate by the NFs-onboarded (on the satellite A (102A)) as part of UE configuration and/or in the UICC.
  • the key management server (operator managed/third party provided) may configure the UE (502) with the certificate and private key as part of UE configuration and/or in the UICC.
  • the CA/ RA (operator managed/third party provided) may configure the UE (502) with the certificate and private key as part of UE pre-configuration and/or in the UICC.
  • a Security Gateway (SeGW) may be deployed in the satellite A (102A).
  • the UE (502) and NFs onboard in the satellite A (102A) may establish a TLS connection using server side certificates over N1 interface.
  • the further message exchanges may be protected using TLS security association.
  • the onboard NFs or an entity/module in the satellite A (102A) may be provisioned with the certificate of the root CA who issued the certificate, and to verify the server certificate (certificate of onboard NF or the satellite A (102A)), the UE (502) may be provisioned with the certificate of the root CA who issued the server certificate.
  • the Root CA for this purpose is the GSMA CI which is defined in SGP.02
  • the UE (502) may send Registration or Attach Request message to the AMF or MME-onboard (in the satellite A (102A) (as in Fig. 11)).
  • the UE (502) may include the at least one of the UE identifier IMSI/SUCI and/or GPSI if possible in the request message.
  • the GPSI may be included instead of IMSI to ensure the long term permanent identities are not exposed over the air and/or the certificate may include GPSI as the identity of the client (for example, if certificate/public key is issues by third party then long term permanent identities cannot be exposed to the 3 rd party).
  • the gNB or eNB and/or AMF or MME may assign a Temporary Identifier for the UE (502).
  • the gNB or eNB and/or AMF or MME may associate or map the assigned Temporary Identifier with the received IMSI/SUCI and/or GPSI and store the Registration or Attach Request message until the feeder link is available as part of S&F operation.
  • the gNB or eNB and/or AMF or MME-onboard may send a NAS message as Partial registration/attach accept message to the UE (502).
  • the Partial registration/attach accept message may include the Temporary Identifier and other possible parameters.
  • the UE (502) may store the Temporary Identifier received in the Partial registration/attach accept message.
  • the UE (502) shall not trigger the registration/attach request again until paging message is received or appropriate timer value elapses.
  • the AMF or MME-onboard may fetch the authentication vectors, subscription details and other possible required parameters from the UDM or the HSS (302) on the ground network (702) and indicate that it is pre-fetching the subscription data without authenticating the UE (502).
  • the gNB or eNB and/or AMF or MME (onboard) may store the received authentication vectors, subscription details and other possible parameters received until the service link is available.
  • the onboard AMF or MME may enter UE serving area; it will start paging the UE (502) with the assigned temporary identifier in the partial registration or attach accept message.
  • This paging message will include a cause IE indicating to complete the registration or attach procedure for the UE (502).
  • the UE (502) may re-send the Registration or Attach request message including the IMSI/SUCI.
  • the UE (502) and gNB/eNB or AMF/MME may perform the authentication and security procedure with the UE (502), once primary authentication procedure is successful remaining steps may be performed to complete the Registration or Attach procedure with the UE (502). After successful authentication the UE (502) and gNB/eNB and/or AMF/MME may establish the AS, UP, and NAS security context.
  • step 14 further message exchanges may be protected using AS, UP and NAS security context appropriately.
  • Fig. 12 is a sequence diagram that illustrates K AMF-SAT key derivation per satellite according to an embodiment as disclosed herein.
  • the UE 502
  • the satellite A 102A
  • the satellite B 102B
  • an AMF-ground 1202
  • an Authentication Server Function (1204)
  • a UDM (1206)
  • the Security Anchor Function may include the authentication request indication and/or the ciphering and/or the integrity algorithm.
  • Authentication request indication may be to indicate the UE (502) to perform authentication when performing next NAS procedure.
  • the NAS procedure can be Registration procedure or Packet Data Unit (PDU) session establishment/modification procedure or Service request or UL NAS transport, like so.
  • PDU Packet Data Unit
  • the UE (502) may select an unused sequence number (SQN)/authentication token (AUTN) and corresponding RAND from the stored values. Further the UE (502) may derive the RES* from the selected AUTN and RAND, if not derived when storing the received AUTN and RAND.
  • the UE (502) may derive the MAC-I on the N1 request message.
  • the UE (502) may then send an N1 message request to the SEAF.
  • the message may include the SUCI or 5G-GUTI, RES*, AUTN and/or RAND and/or SQN, NAS MAC-I and other possible parameters.
  • the NAS MAC-I may be used for integrity protection of the message.
  • the SEAF may store the NAS MAC-I for the later integrity check and/or verification.
  • the SEAF/the AMF-onboard may invoke the Authentication service by sending an Authenticate Request message to the AMF-ground (1202) whenever the SEAF wishes to initiate an authentication.
  • This message may include SUCI or Subscription Permanent Identifier (SUPI), SN-name, AUTN and/or RAND and/or SQN, RES*.
  • SUPI Subscription Permanent Identifier
  • the AMF-ground may invoke the Nausf_UEAuthentication service by sending a Nausf_UEAuthentication_Authenticate Request message to the AUSF (1204) whenever the AMF-onboard wishes to initiate an authentication.
  • This message may include SUCI or SUPI, SN-name, AUTN and/or RAND and/or SQN, RES*.
  • the AUSF (1204) may send Nudm_UEAuthentication_Get Request to the UDM (1206), if there is no 5G Home Environment Authentication Vector (5G HE AV) available with the AUSF (1204) for the SUPI. If the AUSF (1204) is able to retrieve the 5G HE AV for the received SUPI and AUTN and/or RAND and/or SQN, then the AUSF (1204) may perform the step 9, skipping steps 6,7 & 8 (interaction with the UDM (1206)).
  • 5G HE AV 5G Home Environment Authentication Vector
  • the Nudm_UEAuthentication_Get Request sent from the AUSF (1204) to the UDM (1206) may include the following information:
  • the AUSF (1204) may derive the K AUSF .
  • the AUSF (1204) may send the Nausf_UEAuthentication_Authenticate Response message to the SEAF/AMF-ground (1202).
  • the SEAF may then compute HRES* from RES* according to 3GPP TS 33.501, and the SEAF may compare HRES* and HXRES*. If they coincide, the SEAF may consider the authentication successful from the serving network point of view.
  • the SEAF/AMF-ground (1202) may derive further keys to establish the NAS security context.
  • the SEAF/AMF-ground 1202 may derive the K AMF-SAT keys from the K AMF /K SEAF key.
  • KDF Key Derivation Function
  • the input key KEY shall be the 256-bit K SEAF / K AMF .
  • the K AMF and K AMF-SAT may be same and the input key for the derivation may be K SEAF .
  • the AMF-ground (1202) may send the Authentication response message to the AMF-onboard of the satellite A (102A).
  • This message may include the newly derived K AMF-SAT1 key, 5G SE AV, Result and other possible parameters.
  • the AMF-onboard may send the N1 message to the UE (502).
  • This message may include ngKSI (either generated or the received ngKSI from the UE (502)), UE security capabilities, NAS MAC-I, Freshness parameter and other possible parameters.
  • the UE (502) may connect via the satellite B (102B).
  • the authentication and NAS Security Mode Command (SMC) procedure may follow as it is performed for the satellite A (102A) connection.
  • the AMF-on board from the satellite B (102B) may send the key indication to the UE (502).
  • the UE (502) checks if there is any key indication. If yes, the UE (502) may derive the K AMF-SAT2 .
  • the input key KEY shall be the 256-bit K SEAF / K AMF .
  • Fig. 13 is a sequence diagram that illustrates NAS key derivation per satellite according to an embodiment as disclosed herein. As shown in the sequence diagram, the UE (502), the satellite A (102A), the satellite B (102B), and the AMF-ground (1202) are in communication with each other.
  • the UE (502) may derive the K AMF-SAT1 , and K AMF-SAT2 from the K AMF /K SEAF . Once the K AMF-SAT keys are derived for the respective keys, the UE (502) may also derive the K NAS integrity and encryption keys.
  • K AMF-SAT1 the following parameters should be used to form the input S to the KDF.
  • the input key KEY shall be the K AMF-SAT1 .
  • the input key KEY shall be the K AMF-SAT1 .
  • the AMF-ground 1202 may derive the K AMF-SAT keys and the K NASint and K NASenc keys for both the satellite A (102A) and the satellite B (102B) respectively.
  • K AMF-SAT1 the following parameters should be used to form the input S to the KDF.
  • the input key KEY shall be the K AMF-SAT1 .
  • the input key KEY shall be the K AMF-SAT1 .
  • the keys will be derived for the satellite B (102B) using the same input parameters except the respective satellite IDs.
  • the AMF-ground (1202) may push the keys to the AMF-onboard in each respective satellites.
  • the AMF-ground (1202) may only push the K AMF-SAT keys to the respective satellites including other possible parameters to derive the NAS integrity and encryption keys at the AMF-onboard.
  • the AMF-onboard may derive the K NASenc and K NASint keys using the input parameters as detailed in the Alternative 1 of the solution.
  • the AMF-onboard may store the keys and start the integrity protection/NAS SMC procedure as detailed in TS 33.501. Steps 4 to 6 may be performed as detailed in TS 33.501 for the NAS SMC procedure.
  • the freshness parameter may be provided to the UE (502) in the NAS Security mode command message once the UE (502) is successfully authenticated with the core network to further derive the NAS keys.
  • the procedure for the key derivation and distribution to multiple satellites may be followed respectively for the EPS network.
  • Fig. 14 is a schematic diagram that illustrates K AMF-SAT derivation function according to an embodiment as disclosed herein. It is assumed that the K AMF is the input key to the KDF (1402) for the K AMF-SAT derivation.
  • Fig. 15 is a schematic diagram that illustrates the K AMF-SAT derivation function according to an embodiment as disclosed herein. It is assumed that the K SEAF is the input key to the KDF (1402) for the K AMF-SAT derivation. In an embodiment, it is assumed that the K AMF-SAT and the K AMF-SAT are same.
  • Fig. 16 is a schematic diagram that illustrates K NASint derivation function according to an embodiment as disclosed herein. It is assumed that the K AMF-SAT is the input key to the KDF for the K NASint derivation.
  • Fig. 17 is a schematic diagram that illustrates K NASenc derivation function according to an embodiment as disclosed herein. It is assumed that the K AMF-SAT is the input key to the KDF for the K NASenc derivation.
  • Fig. 18 is a sequence diagram that illustrates a scenario where the UE (502) selects another PDU session in case of satellite unavailability according to an embodiment as disclosed herein.
  • the UE 502
  • the satellite A (102A) including gNB-1 and UPF-1
  • the satellite B (102B) including gNB-2 and UPF-2
  • an AMF 1802
  • a Session Management Function-1 (SMF-1) 1804A
  • SMF-2 Session Management Function-1
  • UPF User Plane
  • UDM UDM
  • the AMF (1802) may identify the gNB ID associated with the satellite ID (e.g., the global Radio Access Network (RAN) node IDs associated with the satellite Backhaul).
  • the OAM may configure and/or provide the mapping and/or association of satellite ID with global RAN node ID.
  • the UE (502) may be preconfigured and/or may create the list of satellites available for the given location or the route.
  • the network may be preconfigured and/or may create the list of satellites available for the given location or the route of the UE (502).
  • the UE (502) may include the NAS Message (Single - Network Slice Selection Assistance Information (S-NSSAI)(s), [Alternative S-NSSAI], UE Requested Data Network Name (DNN), PDU Session ID, Request type, Old PDU Session ID, N1 session management (SM) container (PDU Session Establishment Request, [Port Management Information Container])) and additionally the satellite ID (if available) and other possible parameters.
  • S-NSSAI Single - Network Slice Selection Assistance Information
  • DNN UE Requested Data Network Name
  • PDU Session ID Request type
  • Old PDU Session ID N1 session management (SM) container
  • SM session management
  • satellite ID if available
  • the UE (502) may include the redundant PDU session indication to the AMF (1802).
  • USRP UE Route Selection Policy
  • UE Configuration Update like so
  • step 2 on receiving the request from the UE (502), the AMF (1802) may perform the SMF selection. Once the SMF is selected for the particular PDU session creation, the AMF (1802) may send the Nsmf_PDUsession_create context Request to the SMF.
  • step 3 if Session Management Subscription data for corresponding SUPI, DNN and S-NSSAI of the Home Public Land Mobile Network (HPLMN) is not available, then SMF may retrieve the Session Management Subscription data using Nudm_SDM_Get (SUPI, Session Management Subscription data, selected DNN, S-NSSAI of the HPLMN, Serving PLMN ID, [NID]) and subscribe to be notified when this subscription data is modified as detailed in TS 23.502. On retrieving the subscription data from the UDM, the SMF may also select one or more UPFs as needed as detailed in clause 6.3.3 of TS 23.501.
  • Nudm_SDM_Get SUPI, Session Management Subscription data, selected DNN, S-NSSAI of the HPLMN, Serving PLMN ID, [NID]
  • the SMF may allocate an IP address/prefix for the PDU Session (unless configured otherwise) as described in clause 5.8.2 of TS 23.501.
  • the SMF will perform UPF selection to select the UPF (1806) as the anchor of this PDU Session as detailed in TS 23.502.
  • the PDU session may be established between the UE (502), gNB-1 and the UPF-1.
  • the PDU session may be established the redundant PDU sessions with the gNB-2 of the satellite B (102B) and gNB-3 of satellite 3.
  • the PDU session may be established using the same PDU session ID and the tunnel ID for all the redundant connections.
  • the list of satellites with which the PDU session has to be established may be either provided by the UE (502) or determined by the SMF.
  • the SMF may establish the PDU session with multiple UPFs and also provide PDU session establishment accept message to the UE (502) appropriately via multiple AMFs, whenever the link (feeder link) is available with the UPF (1806) and/or the AMF (1802).
  • the AMF (1802) may send the N2 PDU session request to the gNB to allocate resources and establish the session with the UPF (1806).
  • the AMF (1802) may send the PDU session establishment accept message to the UE (502) whenever connectivity (service link) with the UE (502) is available.
  • the SMF may send the PDU Nsmf_PDUsession_create context Request message to the appropriate SMF(s), which have N4 connectivity with the determined UPFs.
  • step 5 upon receiving the PDU session establishment accept message, the UE (502) may store the PDU contexts and send the uplink user plane data with the available satellite.
  • the radio link between the UE (502) and the gNB-1 may be lost due to the connectivity issue and/or the UE (502) moved out of coverage and/or poor signal.
  • the satellite A (102A) may not be reachable for the UE (502).
  • the UE (502) may suspend the SCG transmission for all the radio bearers and report the SCG failure information to the gNB.
  • the UE (502) may maintain the ongoing PDU session with the gNB-1 in the satellite A (102A) as the satellite may serve the UE (502) later once the connection is re-established.
  • the UE (502) may determine that the satellite A (102A) is not reachable and decide to select another satellite in which it has already established the PDU session (based on the received PDU session establishment accept message). In an embodiment, the UE (502) may decide to send the indication to the gNB2 in the satellite B (102B).
  • the message may include the SUPI, PDU session ID, Tunnel ID, redundant PDU indication, SN ID, Redundancy Sequence Number (RSN) and other possible parameters.
  • RSN Redundancy Sequence Number
  • the UE (502) may also send an indication to the home network (AMF) about the change in the serving satellite.
  • AMF home network
  • the UE (502) may move into the coverage of the satellite B (102B). Between the UE (502) and the gNB-2, the already created PDU session may be used with the same PDU session ID and the Tunnel ID as used by the UE (502) with the satellite A (102A). In an embodiment, the UE (502) may use the same user plane data between the satellite B (102B) using a Different PDU session ID and/or Tunnel ID different from the one used with the satellite A (102A). In this alternative, the SMF may indicate to the PSA UPF that one tunnel info is used as the redundancy tunnel of the PDU session.
  • the SMF may retrieve the subscription data from the UDM (1206) and select the UPF (1806) (SMF-1 (1804A) selects UPF 1 and the SMF-2 (1804B) selects UPF 2 respectively).
  • SMF-1 (1804A) selects UPF 1
  • SMF-2 (1804B) selects UPF 2 respectively.
  • Figs. 19A and 19B are a sequence diagram that illustrates a scenario where the UE (502) switches the PDU based on uplink unavailability according to an embodiment as disclosed herein.
  • the UE 502
  • a UPF-1 (1806A), a UPF-2 (1806B) are in communication with each other.
  • step 1 if the UE (502) is not registered via 3GPP access, the UE (502) may initiate Registration procedure via 3GPP access and send the NAS message over the RAN1.
  • the UE (502) may also include an Multi-access Packet Data Unit (MA-PDU) Capability flag to indicate to the network that it can support MA-PDU sessions.
  • the UE (502) may also include the PDU session ID, Request type which includes if the request is for MA PDU session or not, and the RSN and the PDU Session pair ID in the PDU session request message.
  • MA-PDU Multi-access Packet Data Unit
  • the AMF (1802) may select the SMF (1804) as described in clause 4.3.2.2.3 of TS 23.502.
  • the AMF (1802) may include an MA-PDU Capability flag in the Nsmf_PDUSession_CreateSMContext Request message sent to SMF. This message may additionally also include the PDU session ID, RSN, and the PDU session pair ID.
  • step 3 the SMF (1804) may register with the UDM (1206) for the subscription data retrieval.
  • the SMF (1804) may send the Create SM context Response message to the AMF (1802).
  • step 5 the secondary authorization and/or authentication procedure may take place, as specified in TS 23.502, clause 4.3.2.3.
  • step 6 the SMF (1804) may perform the UPF selection.
  • step 7 the SMF (1804) may send the N4 session establishment request to the UPF-1 (1806A) as detailed in TS 23.502.
  • the UPF-1 (1806A) may send the N4 session establishment response to the SMF (1804) as detailed in TS 23.502
  • the SMF (1804) may send a PDU Session Establishment Accept message with a MA-PDU Capability flag to inform the UE (502) that the network can support MA-PDU procedures for this PDU session. Otherwise, the SMF (1804) may accept the PDU Session establishment but does not include the MA-PDU Capability flag in the PDU Session Establishment Accept message. If the MA-PDU Capability flag is received by the UE (502), the UE (502) may later add another child PDU session to the existing PDU session with the steps below (steps 13-15).
  • the UE (502) may send the first uplink data message to the Next Generation Radio Access Network (NGRAN) node over the 3GPP access. It is assumed that the uplink may be unavailable for the UE (502) that supports the MA PDU.
  • NGRAN Next Generation Radio Access Network
  • the UE (502) may determine that the satellite is out of coverage and/or not reachable and therefore the PDU session is unavailable for the UE (502).
  • step 15 the UE (502) should not trigger the PDU session release procedure and the UE (502) shall retain the PDU session related info and store and forward info for the satellite A (102A).
  • the UE (502) shall keep pinging the satellite A (102A) to check the availability of the satellite A (102A).
  • Similar steps may also be performed (steps 6 to step 13), if the MA PDU session type is "non-3GPP access".
  • the UE (502) may determine that the PDU session is not available over the first 3GPP access and continue with uplink data transmission over 3GPP2 and/or non-3gpp access.
  • Fig. 20 is a schematic diagram that illustrates a scenario where the same PDU session is maintained between both 3GPP and non-3GPP access according to an embodiment as disclosed herein.
  • the UE (502) may establish communication with the satellite A (102A) using the 3GPP access, whereas the UE (502) may establish communication with the satellite B (102B) using the non-3GPP access.
  • the gNB and the UPF (1806) may maintain the same PDU sessions (e.g., the PDU session ID, Tunnel ID and other parameters).
  • the AMF (1802) may be the same for both the 3GPP access and the non-3GPP access. Based on the local configuration, the AMF (1802) may have prior knowledge of the mapping of the gNB ID and the Satellite ID (SAT ID where the gNB is deployed).
  • Fig. 21 is a schematic diagram that illustrates a scenario where the same PDU session is maintained between both 3GPP and non-3GPP access according to an embodiment as disclosed herein.
  • the UE (502) may be connected to both the satellites using the 3GPP access. Whenever there is a Radio link failure, the UE (502) may select the other satellite in its coverage and uses the same PDU session with the satellite B (102B).
  • the gNB2 and the UPF (1806) may maintain the user plane data and establish the PDU session.
  • the UE (502) may use the same PDU session ID for the PDU session establishment with multiple satellites (gNBs and UPFs) or alternatively, the UE (502) may maintain the mapping of the PDU Session IDs and Sat ID and/or TAI and/or gNB ID and/or Physical cell ID (PCI) and/or absolute radio-frequency channel number (ARFCN), like so) for the PDU session.
  • the UE (502) may include multiple PDU session IDs in the PDU session establishment request, if determined that the PDU session to be established with multiple satellites (gNBs and UPFs).
  • the UPFs (1806A, 1806B) are located in the satellites respectively, and the gNB1 (from satellite A (102A)) and the gNB2 (from satellite B (102B)) connects to the UPF-1 (1806A) (I-UPF). Both the UPFs (1806A, 1806B) from the satellites may be connected to a PSA-UPF in the ground. Between the intermediate UPF (1806) and the gNBs (gNB1 and gNB2), the same PDU sessions may be maintained.
  • Fig. 22 is a schematic diagram that illustrates a process of key derivation in dual connectivity according to an embodiment as disclosed herein.
  • the satellite-ID/gNB-ID may be included as the input parameter to the key derivation of gNB and/or K SN .
  • K SNs may be pushed to the satellites which can serve the UE (502) (list of allowed satellites which can serve the UE (502) and/or the satellite A (102A) has Inter-satellite link (ISL) with).
  • MN may derive the AS keys as well from the K SN and provide the AS context to each satellite.
  • Fig. 23 is a sequence diagram that illustrates key derivation and handling during dual connectivity in satellite communication according to an embodiment as disclosed herein.
  • the UE (502), a MN (2302), a SN-1 (2304A), and a SN-2 (2304B) are in communication with each other.
  • the MN (2302) may be configured with Sat-IDs based on Satellite backhaul category and the MN (2302) may derive corresponding K SN-SAT for each satellite in the list and pushes the keys when the MN (2302) triggers SN addition with the SN on-board.
  • step 1 the UE (502) and the MN (2302) may establish the RRC connection.
  • the MN (2302) may send SN Addition/Modification Request to the SN to negotiate the available resources, configuration, and algorithms at each SN (2304A, 2304B) at the satellites.
  • the MN (2302) may compute and deliver the K SN for each SN (2304A, 2304B).
  • the UE security capabilities and the UP security policy received from the SMF may also be sent to each SN (2304A, 2304B).
  • the SMF may send the UP security policies associated with each SN (2304A, 2304B) to the MN (2302).
  • the MN (2302) When the MN (2302) decides to configure CPA or CPC, if there are more than one candidate SNs, for each SN (2304A, 2304B), the MN (2302) shall derive a different K SN and delivers the K SN to each SN separately.
  • the UE (502), MN (2302), and SN follow the same procedure as in dual connectivity.
  • the UE (502) may establish RRC connection with SN-2 (2304B) (Sat-C) when SN-1 (2304A) (Sat-B) is unavailable (SN-2 (2304B) is indicated to use the context derived from K SN-SAT-2 ).
  • the unique K SEAF may be derived for each AMF (may be on-board) by the UE (502) and the AUSF from K AUSF .
  • K SEAF may be provided by AUSF to the SEAF.
  • the following one or more parameters shall be used to form the input to the KDF along with other possible parameters: IMSI, Network Access Identifier (NAI), GCI, GLI, ABBA, Global Unique AMF ID (GUAMI), AMF Identifier (AMFI), SN name, NAS UL/DL Count.
  • K AMF may be a key derived by ME and SEAF from K SEAF .
  • unique K AMF may be derived for each SEAF/AMF (may be on-board) by the UE (502) and the SEAF from K SEAF .
  • the following one or more parameters shall be used to form the input to the KDF along with other possible parameters: IMSI, Network Access Identifier (NAI), GCI, GLI, ABBA, Global Unique AMF ID (GUAMI), AMF Identifier (AMFI).
  • the unique Access stratum key may be derived for each gNB (may be on-board).
  • the following one or more parameters shall be used to form the input to the KDF along with other possible parameters: Uplink NAS COUNT, Access type distinguisher, gNB ID, Satellite ID, TAI, PCI, ARFCN.
  • the UE (502) and the AMF may perform NAS Security Mode Command procedure when the registered UE connects with the AMF (on-board) upon re-establishing the service link with the Satellite to ensure that the security context in the UE and in the AMF are in synchronization.
  • the UE (502) and the gNB may perform AS Security Mode Command procedure when the registered UE connects with the gNB (on-board) upon re-establishing the service link with the Satellite.
  • Fig. 24 is a flow diagram that illustrates a method for protecting a registration or attach procedure using a certificate based cryptography by the UE (502) according to an embodiment as disclosed herein.
  • the method may include steps (2402-2412). Each step is explained in further detail below.
  • the UE (502) may pre-configure a private key and a certificate at the UE (502) based on an operator policy.
  • the certificate may include a public key of the UE (502).
  • the operator policy may outline the security measures and standards necessary for safeguarding user data and maintaining network integrity.
  • the private key may be employed to encrypt information and verify the identity of the UE (502) during communication sessions. This private key may be kept confidential and securely stored within the UE (502), guaranteeing that only the authorized device can access and use it for secure transactions. Additionally, the certificate may serve as an extra layer of security and contain the public key linked to the UE (502).
  • the UE (502) may generate a registration or attach request message by adding the certificate including the public key of the UE (502).
  • the registration or attach request message may be crucial for establishing a connection between the UE (502) and the network.
  • the UE (502) may incorporate the certificate into the registration or attach request message.
  • the UE (502) may transmit the registration or attach request message to an on-board network apparatus (602).
  • the on-board network apparatus (602) may include a next generation node B (gNB), an evolved node B (eNB), an access and mobility management function (AMF), and a mobility management entity (MME).
  • gNB next generation node B
  • eNB evolved node B
  • AMF access and mobility management function
  • MME mobility management entity
  • the UE (502) may receive a partial attach registration or accept message from the on-board network apparatus (602) in response to the registration or attach request message.
  • the partial attach registration or accept message may be received upon successful verification of the certificate by the on-board network apparatus (602).
  • the partial attach registration or accept message may be encrypted using the public key of the UE (502).
  • the partial attach registration or accept message may include a temporary identifier for the UE (502) and a security parameter. This temporary identifier may act as a distinct reference for the UE (502) throughout the current session, enabling the on-board network apparatus (602) to efficiently oversee and monitor the connection.
  • the security parameter may encompass details pertaining to encryption keys, authentication tokens, or other security-related information essential for creating a secure communication link between the UE (502) and the on-board network apparatus (602).
  • the UE (502) may decrypt the received encrypted partial registration or attach accept message using the private key preconfigured at the UE (502).
  • the decryption procedure may include utilizing the private key to undo the encryption that was applied to the message before it was sent. This may guarantee that only those with the appropriate private key are able to understand the message's contents.
  • the encrypted partial registration or attach accept message may hold essential information required for creating or sustaining a connection between the UE (502) and the on-board network apparatus (602).
  • the UE (502) may store the identifier and the security parameter decrypted from the partial registration or attach accept message.
  • Fig. 25 is a flow diagram that illustrates a method for protecting a registration or attach procedure using a certificate based cryptography by the on-board network apparatus (602) according to an embodiment as disclosed herein.
  • the method may include steps (2502-2516). Each step is explained in further detail below.
  • the on-board network apparatus (602) may receive a registration or attach request message from the UE (502).
  • the registration or attach request message may include a public key and a certificate associated with the UE (502).
  • the certificate may include the public key of the UE (502).
  • the public key may serve to encrypt data, which can only be decrypted by its associated private key, thereby safeguarding sensitive information throughout its transmission.
  • a trusted certificate authority (CA) may issue the certificate. This certificate may contain details such as the identity of the UE (502), the certificate's validity period, and the CA's digital signature, which confirms the certificate's authenticity, among other information.
  • the on-board network apparatus (602) may verify the certificate of the UE (502).
  • the verification may be carried out by provisioning a root certificate of a root CA that issued the certificate of the UE (502) at the on-board network apparatus (602).
  • the certificate of the UE (502) may be verified based on the provisioned root certificate of the root CA.
  • the root certificate may serve as a trusted anchor for the entire authentication framework.
  • the installation of the root certificate may be performed on the on-board network apparatus (602), which acts as a gateway for managing and verifying the certificates of the UE (502).
  • the on-board network apparatus (602) may generate a temporary identifier for the UE (502) upon successful verification of the certificate of the UE (502).
  • the implementation of a temporary identifier may improve privacy and security by reducing the likelihood of unauthorized access and safeguarding the true identity of the UE (502) against potential threats.
  • the on-board network apparatus (602) may generate a partial attach registration or accept message to be transmitted to the UE (502) upon generation of the temporary identifier.
  • the partial attach registration or accept message may include essential information that indicates the current status of the UE (502) in the network and may include details such as the temporary identifier itself, network capabilities, and any relevant parameters that the UE (502) needs to be aware of for further communication.
  • the partial attach registration or accept message may be crucial for establishing a secure and efficient connection between the UE (502) and the on-board network apparatus (602). This may allow the UE (502) to proceed with its registration process while ensuring that it is duly recognized and authenticated.
  • the on-board network apparatus (602) may encrypt the partial registration or attach accept message using the public key of the UE (502).
  • the partial registration or attach accept message may include the generated temporary identifier and security parameters.
  • the security parameters may be critical for establishing a secure communication channel between the UE (502) and the on-board network apparatus (602).
  • the security parameters may include encryption procedures, integrity protection mechanisms, and other security-related information that ensures the confidentiality and integrity of the data being transmitted.
  • the on-board network apparatus (602) may transmit the encrypted partial registration or attach accept message to the UE (502).
  • the principal object of an embodiment herein may be to protect a registration or attach procedure using a certificate based cryptography.
  • Another object of an embodiment herein may be to protect registration or attach procedure without public data network (PDN) connectivity in S&F operation.
  • PDN public data network
  • Yet another object of an embodiment herein may be to protect partial registration/attach accept message using a public key cryptography.
  • Yet another object of an embodiment herein may be to protect partial registration/attach accept message using a transport layer security (TLS) certificate.
  • TLS transport layer security
  • Yet another object of an embodiment herein may be to provide a system and method for isolation of non-access stratum (NAS) keys in S&F operating mode.
  • NAS non-access stratum
  • Another object of an embodiment herein may be to provide a method to derive the NAS security context for example, a K AMF-SAT key at the ground from the K AMF and distribute to the AMF-onboard when the feeder link is available.
  • Yet another object of an embodiment herein may be to provide a method to derive the NAS security context for example, K AMF-SAT key at the ground from the security anchor function key (K SEAF ) and distribute to the AMF-onboard when the feeder link is available.
  • K SEAF security anchor function key
  • Yet another object of an embodiment herein may be to provide a method to derive a K NASint and K NASenc key at the ground and distribute it to the AMF-onboard when the feeder link is available.
  • Yet another object of an embodiment herein may be to provide a method to derive the K NASint and K NASenc at the AMF-onboard using the K AMF-SAT key received from the AMF-ground after the successful authentication procedure.
  • Yet another object of an embodiment herein may be to provide a method to isolate the NAS keys for the satellites, in case multiple satellites are serving the UE.
  • Yet another object of an embodiment herein may be to disclose systems and methods for handling PDU sessions in S&F 5G satellite communication operations.
  • Yet another object of an embodiment herein may be to disclose systems and methods for establishing a PDU session of a UE across multiple gNBs and/or user plane functions (UPFs) in S&F 5G satellite communication operations.
  • UPFs user plane functions
  • Yet another object of an embodiment herein may be to disclose systems and methods for handling PDU sessions in S&F 5G satellite communication operations, where the same PDU session IDs is used between all gNBs and UPFs serving the UE.
  • Yet another object of an embodiment herein may be to disclose systems and methods for handling PDU sessions in S&F 5G satellite communication operations, wherein the same tunnel IDs is used between all the gNBs and UPF serving the UE.
  • Yet another object of an embodiment herein may be to disclose systems and methods for handling PDU sessions in S&F 5G satellite communication operations, wherein redundant (two or more than two) multi-access PDU sessions are maintained over two 3GPP access and/or 3GPP and non-3GPP access.
  • Yet another object of an embodiment herein may be to disclose systems and methods for handling PDU sessions in S&F 5G satellite communication operations, wherein the session related and S&F information are retained both at the UE and the satellite even when the UE goes out-of-coverage, or the satellite is unavailable.
  • Yet another object of an embodiment herein may be to disclose systems and methods for key derivation and handling in S&F 5G satellite communication operations.
  • Yet another object of an embodiment herein may be to disclose systems and methods for releasing PDU Session to release all the resources associated with a PDU Session in one or more than one gNB and/or UPF.
  • the objectives are achieved by providing a method performed by a UE for protecting a registration or attach procedure using a certificate based cryptography.
  • the method may include pre-configuring a private key and a certificate at the UE based on an operator policy.
  • the method wherein the certificate may include a public key of the UE.
  • the method may include generating a registration or attach request message by adding the certificate including the public key of the UE.
  • the method may include transmitting the registration or attach request message to an on-board network apparatus.
  • the method may include receiving a partial attach registration or accept message from the network apparatus in response to the registration or attach request message.
  • the method, wherein the partial attach registration or accept message may be encrypted using the public key of the UE.
  • the method wherein the partial attach registration or accept message may include a temporary identifier for the UE.
  • the method may include decrypting the received encrypted partial registration or attach accept message using the private key preconfigured at the UE.
  • the method may include storing the temporary identifier decrypted from the partial registration or attach accept message.
  • the method, wherein the partial attach registration or accept message may be received upon successful verification of the certificate by the on-board network apparatus.
  • the method wherein the UE may be pre-configured with the private key and the certificate by a core network as part of at least one of a UE configuration and in a universal integrated circuit card (UICC).
  • a core network as part of at least one of a UE configuration and in a universal integrated circuit card (UICC).
  • UICC universal integrated circuit card
  • the method, wherein the partial attach registration or accept message comprises one or more parameters associated with a security capability of the UE.
  • the method may include refraining, by the UE, from triggering another registration or attach request message to the on-board network apparatus until a paging message is received or a predetermined timer value elapses.
  • the method may include receiving a paging message on the temporary identifier to complete registration of the UE with the on-board network apparatus.
  • the method may include transmitting, by the UE, an attach or registration request message to the on-board network apparatus upon receiving the paging message, wherein the attach or registration request message comprises an IMSI and SUCI of the UE.
  • the method may include establishing at least one of an AS security context, a UP security context and a NAS security context.
  • the method may include transmitting communication with the on-board network apparatus using at least one of the AS security context, the UP security context and the NAS security context.
  • the method may include determining whether at least one of a paging message has been received from the on-board network apparatus and a time value of a timer associated with the UE has elapsed. The method may include retransmitting the registration or attach request message to the on-board network apparatus only upon receiving the paging message or when the timer value of the timer associated with the UE has elapsed.
  • the objectives are achieved by providing a method performed by an on-board network apparatus for protecting a registration or attach procedure using certificate based cryptography.
  • the method may include receiving a registration or attach request message from a UE.
  • the method, wherein the registration or attach request message may include a public key and a certificate associated with the UE.
  • the method, wherein the certificate may include a public key of the UE.
  • the method may include verifying the certificate of the UE.
  • the method may include generating a temporary identifier for the UE upon successful verification of the certificate of the UE.
  • the method may include generating a partial attach registration or accept message to be transmitted to the UE upon generation of the temporary identifier.
  • the method may include encrypting the partial registration or attach accept message using the public key of the UE.
  • the method, wherein the partial registration or attach accept message may include the generated temporary identifier.
  • the method may include transmitting the encrypted partial registration or attach accept message to the UE.
  • the method, wherein verifying the certificate of the UE may include provisioning a root certificate of a root certificate authority (CA) that issued the certificate of the UE at the on-board network apparatus.
  • the method, wherein verifying the certificate of the UE may include verifying the certificate of the UE based on the provisioned root certificate of the root CA.
  • CA root certificate authority
  • the method may include receiving authentication vectors and subscription details from a UDM or a HSS on a ground network.
  • the method may include storing the authentication vectors, the subscription details received until a service link is available.
  • the method wherein the service link may be unavailable when an onboard satellite A is connected to the ground network and is cannot connect to the UE and a feeder link connectivity is available at the on-board network apparatus.
  • the method may include entering into a UE serving area when a service link is available and a feeder link connectivity is not available.
  • the method may include generating a paging message to be transmitted to the UE upon entering into the UE serving area.
  • the method may include receiving a re-transmission of the registration or attach request message from the UE upon receiving the paging message.
  • the method wherein the registration or attach request message may be retransmitted only upon transmission of the paging message to the UE or when a timer value of a timer associated with the UE has elapsed.
  • the on-board network apparatus may include at least one of a next generation node B (gNB), an evolved node B (eNB), an access and mobility management function (AMF), and a mobility management entity (MME).
  • gNB next generation node B
  • eNB evolved node B
  • AMF access and mobility management function
  • MME mobility management entity
  • the objectives are achieved by providing a UE for protecting a registration or attach procedure using a certificate based cryptography.
  • the UE may include a memory, a processor coupled to the memory, and a registration protection controller communicatively coupled to the processor and the memory.
  • the registration protection controller may pre-configure a private key and a certificate at the UE based on an operator policy.
  • the certificate may include a public key of the UE.
  • the registration protection controller may generate a registration or attach request message by adding the certificate including the public key of the UE.
  • the registration protection controller may transmit the registration or attach request message to an on-board network apparatus.
  • the registration protection controller may receive a partial attach registration or accept message from the network apparatus in response to the registration or attach request message.
  • the partial attach registration or accept message may be received upon successful verification of the certificate by the on-board network apparatus.
  • the partial attach registration or accept message may be encrypted using the public key of the UE.
  • the partial attach registration or accept message may include a temporary identifier for the UE.
  • the registration protection controller may decrypt the received encrypted partial registration or attach accept message using the private key preconfigured at the UE.
  • the registration protection controller may store the temporary identifier decrypted from the partial registration or attach accept message.
  • the UE wherein the registration protection controller may refrain the UE from triggering another registration or attach request message to the on-board network apparatus (602) until a paging message is received or a predetermined timer value elapses.
  • the UE wherein the registration protection controller may receive a paging message on the temporary identifier to complete registration of the UE with the on-board network apparatus.
  • the registration protection controller may transmit an attach or registration request message to the on-board network apparatus upon receiving the paging message, wherein the attach or registration request message comprises an IMSI and SUCI of the UE.
  • the registration protection controller may establish at least one of an AS security context, an UP security context and a NAS security context.
  • the registration protection controller may transmit a communication with the on-board network apparatus using at least one of the AS security context, the UP security context and the NAS security context.
  • the UE wherein the registration protection controller may determine whether at least one of a paging message has been received from the on-board network apparatus and a time value of a timer associated with the UE has elapsed.
  • the registration protection controller may retransmit the registration or attach request message to the on-board network apparatus only upon receiving the paging message or when the timer value of the timer associated with the UE has elapsed.
  • the objectives are achieved by providing an on-board network apparatus for protecting a registration or attach procedure using a certificate based cryptography.
  • the on-board network apparatus may include a memory, a processor coupled to the memory, and an on-board registration protection controller communicatively coupled to the memory and the processor.
  • the on-board registration protection controller may receive a registration or attach request message from a UE.
  • the registration or attach request message may include a public key and a certificate associated with the UE.
  • the certificate may include a public key of the UE.
  • the on-board registration protection controller may verify the certificate of the UE.
  • the on-board registration protection controller may generate a temporary identifier for the UE upon successful verification of the certificate of the UE.
  • the on-board registration protection controller may generate a partial attach registration or accept message to be transmitted to the UE upon generation of the temporary identifier.
  • the on-board registration protection controller may encrypt the partial registration or attach accept message using the public key of the UE.
  • the partial registration or attach accept message may include the generated temporary identifier.
  • the on-board registration protection controller may transmit the encrypted partial registration or attach accept message to the UE.
  • the on-board network apparatus wherein the on-board registration protection controller may provision a root certificate of a root CA that issued the certificate of the UE at the on-board network apparatus.
  • the on-board registration protection controller may verify the certificate of the UE based on the provisioned root certificate of the root CA.
  • the on-board network apparatus wherein the on-board registration protection controller may receive authentication vectors and subscription details from a UDM or a HSS on a ground network.
  • the on-board registration protection controller may store the authentication vectors, the subscription details received until a service link is available, wherein the service link may be unavailable when an onboard satellite A is connected to the ground network and cannot connect to the UE and a feeder link connectivity is available at the on-board network apparatus.
  • the on-board network apparatus wherein the on-board registration protection controller may enter into a UE serving area when a service link is available and a feeder link connectivity is not available.
  • the on-board registration protection controller may generate a paging message to be transmitted to the UE upon entering into the UE serving area.
  • the on-board registration protection controller may receive a re-transmission of the registration or attach request message from the UE upon receiving the paging message, wherein the registration or attach request message may be retransmitted only upon transmission of the paging message to the UE or when a timer value of a timer associated with the UE has elapsed.
  • a method performed by a user equipment (UE) for protection of a partial registration or attach accept message using a certificate based cryptography is provided.
  • the method, wherein the partial registration or attach accept message includes one or more parameters associated with a security capability of the UE.
  • the method may include receiving a paging message with the temporary identifier to complete registration from the on-board network entity.
  • the method may include retransmitting the registration or attach request message including an International Mobile Subscriber Identity (IMSI) or a Subscriber Concealed Identifier (SUCI) to the on-board network entity.
  • IMSI International Mobile Subscriber Identity
  • SUCI Subscriber Concealed Identifier
  • the method may include establishing an Access Stratum (AS) security context, a User Plane (UP) security context and a Non-Access Stratum (NAS) security context.
  • the method may include performing protection of a message exchange using the AS security context, the UP security context and the NAS security context.
  • the method may include identifying whether a paging message is received or a timer value elapses.
  • the method may include transmitting the registration or attach request message again to the on-board network entity in case that the paging message is received or the timer value elapses.
  • a method performed by an on-board network entity for protection of a partial registration or attach accept message using a certificate based cryptography is provided.
  • the method may include receiving authentication vectors and subscription details from a unified data management (UDM) or a home subscriber server (HSS) on a ground station.
  • the method may include storing the authentication vectors and the subscription details received until a service link is available, wherein the service link connectivity is unavailable and a feeder link connectivity is available in case that an onboard satellite is connected to the ground station and cannot connect to the UE.
  • UDM unified data management
  • HSS home subscriber server
  • the method may include entering a UE serving area in case that a service link is available and a feeder link connectivity is not available, wherein the registration or attach request message is re-transmitted at the UE in response to receiving a paging message, wherein the registration or attach request message is retransmitted in case that the UE receives the paging message or a timer value associated with the UE elapses.
  • the on-board network entity may include at least one of a next generation node B (gNB), an evolved node B (eNB), an access and mobility management function (AMF), or a mobility management entity (MME).
  • gNB next generation node B
  • eNB evolved node B
  • AMF access and mobility management function
  • MME mobility management entity
  • a user equipment (UE) for protection of a partial registration or attach accept message using a certificate based cryptography is provided.
  • the UE, wherein the partial registration or attach accept message may include one or more parameters associated with a security capability of the UE.
  • the UE wherein the registration protection controller may receive a paging message with the temporary identifier to complete registration from the on-board network entity.
  • the registration protection controller may retransmit the registration or attach request message including an International Mobile Subscriber Identity (IMSI) or a Subscriber Concealed Identifier (SUCI) to the on-board network entity.
  • IMSI International Mobile Subscriber Identity
  • SUCI Subscriber Concealed Identifier
  • the registration protection controller may establish an Access Stratum (AS) security context, a User Plane (UP) security context and a Non-Access Stratum (NAS) security context.
  • the registration protection controller may perform protection of a message exchange using the AS security context, the UP security context and the NAS security context.
  • the UE wherein the registration protection controller may identify whether a paging message is received or a timer value elapses.
  • the registration protection controller may transmit the registration or attach request message again to the on-board network entity in case that the paging message is received or the timer value elapses.
  • an on-board network entity for protection of a partial registration or attach accept message using a certificate based cryptography is provided.
  • the on-board network entity wherein the on-board registration protection controller may receive authentication vectors and subscription details from a unified data management (UDM) or a home subscriber server (HSS) on a ground station.
  • the on-board registration protection controller may store the authentication vectors and the subscription details received until a service link is available, wherein the service link connectivity is unavailable and a feeder link connectivity is available in case that an onboard satellite is connected to the ground station and cannot connect to the UE.
  • UDM unified data management
  • HSS home subscriber server
  • the on-board network entity wherein the on-board registration protection controller may enter a UE serving area in case that a service link is available and a feeder link connectivity is not available, wherein the registration or attach request message is re-transmitted at the UE in response to receiving a paging message, wherein the registration or attach request message is retransmitted in case that the UE receives the paging message or a timer value associated with the UE elapses.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

La divulgation concerne un système de communication 5G ou 6G destiné à prendre en charge un débit supérieur de transmission de données. Des modes de réalisation de la présente invention concernent un procédé de protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat. Le procédé consiste à préconfigurer une clé privée et un certificat au niveau d'un UE sur la base d'une politique d'opérateur. Le procédé consiste à générer un message de demande d'enregistrement ou de rattachement en ajoutant le certificat comprenant la clé publique de l'UE. Le procédé consiste à transmettre le message de demande d'enregistrement ou de rattachement à un appareil de réseau embarqué. Le procédé consiste à recevoir un message d'enregistrement ou d'acceptation de rattachement partiel provenant de l'appareil de réseau embarqué en réponse au message de demande d'enregistrement ou de rattachement. Le procédé consiste à déchiffrer le message d'acceptation d'enregistrement ou de rattachement partiel chiffré reçu à l'aide de la clé privée préconfigurée au niveau de l'UE. Le procédé comprend le stockage de l'identifiant temporaire déchiffré à partir du message d'acceptation d'enregistrement ou de rattachement partiel.
PCT/KR2025/099197 2024-02-02 2025-02-03 Protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat Pending WO2025165205A1 (fr)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
IN202441007238 2024-02-02
IN202441009930 2024-02-13
IN202441009930 2024-02-13
IN202441010411 2024-02-14
IN202441010411 2024-02-14
IN202441007238 2025-01-16

Publications (1)

Publication Number Publication Date
WO2025165205A1 true WO2025165205A1 (fr) 2025-08-07

Family

ID=96591528

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2025/099197 Pending WO2025165205A1 (fr) 2024-02-02 2025-02-03 Protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat

Country Status (1)

Country Link
WO (1) WO2025165205A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20220138648A (ko) * 2021-04-06 2022-10-13 주식회사 이와이엘 Qrng를 활용한 양자키와 이를 통해 생성된 인증서를 이용한 기기 인증 방법
US20230056321A1 (en) * 2021-07-19 2023-02-23 Cisco Technology, Inc. Automated provisioning of endpoint devices with management connectivity
US20230137814A1 (en) * 2021-10-29 2023-05-04 Nokia Technologies Oy Configuration of provisioning parameters for onboarding a device to a network
US20230231702A1 (en) * 2018-06-28 2023-07-20 Iot And M2M Technologies, Llc ECDHE Key Exchange for Mutual Authentication Using a Key Server
KR20230163970A (ko) * 2017-09-06 2023-12-01 주식회사 씨피랩스 스마트 컨트랙트 기반의 인증서 서비스를 제공하는 방법 및 이를 이용한 서버

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20230163970A (ko) * 2017-09-06 2023-12-01 주식회사 씨피랩스 스마트 컨트랙트 기반의 인증서 서비스를 제공하는 방법 및 이를 이용한 서버
US20230231702A1 (en) * 2018-06-28 2023-07-20 Iot And M2M Technologies, Llc ECDHE Key Exchange for Mutual Authentication Using a Key Server
KR20220138648A (ko) * 2021-04-06 2022-10-13 주식회사 이와이엘 Qrng를 활용한 양자키와 이를 통해 생성된 인증서를 이용한 기기 인증 방법
US20230056321A1 (en) * 2021-07-19 2023-02-23 Cisco Technology, Inc. Automated provisioning of endpoint devices with management connectivity
US20230137814A1 (en) * 2021-10-29 2023-05-04 Nokia Technologies Oy Configuration of provisioning parameters for onboarding a device to a network

Similar Documents

Publication Publication Date Title
WO2018008972A1 (fr) Procédé et appareil d'accès à un réseau cellulaire pour obtenir un profil de carte sim
WO2018008943A1 (fr) Procédé et dispositif de gestion de la sécurité selon le service dans un système de communication sans fil
WO2018008983A1 (fr) Procédé et système d'authentification d'accès dans un système de réseau sans fil mobile
WO2021091186A1 (fr) Procédé de commande de réseau pour transmission de politique d'ue
WO2015037926A1 (fr) Procédé et système de communication sécurisée pour une transmission entre enb
WO2022114760A1 (fr) Procédé et dispositif pour authentifier une strate d'accès dans un système de communication sans fil de prochaine génération
WO2023140704A1 (fr) Procédé et dispositif de mappage de politique de sélection de routage d'ue dans un système de communication sans fil
WO2020013468A1 (fr) Procédé permettant à un terminal d'exécuter une demande d'établissement de session pdu après que des informations relatives à une zone ladn ont changé
WO2025014222A1 (fr) Procédés et appareil de gestion de mobilité déclenchée de couche inférieure dans un système de communication sans fil
WO2023132650A1 (fr) Procédé et dispositif pour former une sécurité de bout en bout pendant la fourniture de justificatifs d'identité à un terminal à l'aide d'un plan de contrôle
WO2022177353A1 (fr) Procédé et système de gestion de distribution de clé pour services de multidiffusion et de diffusion dans un réseau sans fil
WO2021133047A1 (fr) Procédé par lequel un ue de communication de relais prend en charge efficacement un ue à distance lors d'une mise à jour de configuration
WO2023003113A1 (fr) Procédé et dispositif pour faire fonctionner un terminal dans un système de communication sans fil
WO2021167200A1 (fr) Procédé de fonctionnement pour ausf et udm pour authentification et autorisation pour chaque tranche de réseau
WO2014171711A1 (fr) Procédé pour favoriser la politique de restriction des changements de prestataires de services pour l'abonné dans les communications mobiles et appareil associé
WO2019088801A1 (fr) Procédé de protection de données utilisateur dans un système de communication sans fil, et appareil associé
WO2024025375A1 (fr) Procédé et appareil pour l'authentification d'une attaque de fausse station de base dans un système de communication sans fil
WO2024232698A1 (fr) Améliorations sur et relatives à un système de télécommunication
WO2025165205A1 (fr) Protection d'une procédure d'enregistrement ou de rattachement à l'aide d'une cryptographie basée sur un certificat
WO2024205145A1 (fr) Chiffrement basé sur un attribut de politique de texte chiffré dans une interface basée sur un service central 5g
WO2023204641A1 (fr) Procédé et appareil pour l'enregistrement d'un ue dans un réseau de télécommunications
WO2023080355A1 (fr) Procédé et dispositif d'authentification d'ue dans un système de communication sans fil
WO2022131719A1 (fr) Procédé d'authentification d'une couche d'accès sur la base d'une infrastructure de clé publique en tenant compte d'un transfert dans un système de communication sans fil de prochaine génération
WO2025089797A1 (fr) Systèmes et procédés de protection d'une confidentialité de l'identité permanente d'abonné
WO2025136035A1 (fr) Procédé et appareil de pré-extraction d'informations d'authentification dans un système de communication sans fil

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 25749244

Country of ref document: EP

Kind code of ref document: A1