
WO2025234814A1 - Method and apparatus for improving authentication of satellite communication - Google Patents

Method and apparatus for improving authentication of satellite communication

Info

Publication number
WO2025234814A1
Authority
WO
WIPO (PCT)
Prior art keywords
satellite
message
authentication
sat
generated
Prior art date
Legal status
Pending
Application number
PCT/KR2025/006240
Other languages
English (en)
Korean (ko)
Inventor
임태형
최홍진
Current Assignee
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date
Filing date
Publication date
Priority claimed from KR1020240113060A (KR20250162280A)
Application filed by Samsung Electronics Co Ltd
Publication of WO2025234814A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
            • H04W 12/08 Access security
            • H04W 12/60 Context-dependent security
              • H04W 12/69 Identity-dependent
                • H04W 12/73 Access point logical identity
          • H04W 84/00 Network topologies
            • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
              • H04W 84/04 Large scale networks; Deep hierarchical networks
                • H04W 84/06 Airborne or Satellite Networks

Definitions

  • the present disclosure relates to a method and device for improving the existing authentication process between a terminal and a network by strengthening authentication between the terminal and the satellite when the satellite communication operates in a store-and-forward mode.
  • 5G mobile communication technology defines a wide frequency band to enable fast transmission speeds and new services, and can be implemented not only in the sub-6GHz frequency band such as 3.5 gigahertz (3.5GHz), but also in the ultra-high frequency band called millimeter wave (mmWave) such as 28GHz and 39GHz ('Above 6GHz').
  • mmWave millimeter wave
  • 6G mobile communication technology: the system after 5G communication (Beyond 5G)
  • implementation in the terahertz band, for example the band from 95GHz to 3 terahertz (3THz)
  • eMBB enhanced Mobile Broadband
  • URLLC Ultra-Reliable Low-Latency Communications
  • mMTC massive Machine-Type Communications
  • beamforming and massive MIMO to mitigate path loss of radio waves in ultra-high frequency bands and increase the transmission distance of radio waves
  • numerologies such as operation of multiple subcarrier intervals
  • dynamic operation of slot formats for efficient use of ultra-high frequency resources
  • initial access technology to support multi-beam transmission and wideband
  • definition and operation of BWP (Bandwidth Part)
  • new channel coding methods such as LDPC (Low Density Parity Check) codes for large-capacity data transmission and Polar Code for reliable transmission of control information
  • V2X Vehicle-to-Everything
  • NR-U New Radio Unlicensed
  • UE Power Saving NR terminal low power consumption technology
  • NTN Non-Terrestrial Network
  • Standardization is also in progress for system architecture/services such as 5G baseline architecture (e.g., Service-based Architecture, Service-based Interface) for grafting Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) technologies, and Mobile Edge Computing (MEC) that provides services based on the location of the terminal.
  • 5G baseline architecture e.g., Service-based Architecture, Service-based Interface
  • NFV Network Functions Virtualization
  • SDN Software-Defined Networking
  • MEC Mobile Edge Computing
  • the development of these 5G mobile communication systems can serve as a basis for developing, for 6G mobile communication technology: new waveforms to ensure coverage in the terahertz band, multi-antenna transmission technologies such as Full Dimensional MIMO (FD-MIMO), array antennas and large scale antennas, metamaterial-based lenses and antennas to improve the coverage of terahertz band signals, high-dimensional spatial multiplexing technology using Orbital Angular Momentum (OAM), Reconfigurable Intelligent Surface (RIS) technology, full duplex technology to improve the frequency efficiency and system network of 6G, satellite communication, AI-based communication technology that uses AI (Artificial Intelligence) from the design stage and internalizes end-to-end AI support functions to realize system optimization, and next-generation distributed computing technology that uses ultra-high-performance communication and computing resources to provide services whose complexity exceeds the limits of terminal computing capabilities.
  • FD-MIMO Full Dimensional MIMO
  • Authentication in a communications system primarily refers to authentication between a terminal and a network. This also applies to satellite communications systems, where a satellite exists between the terminal and the network.
  • the present disclosure provides a description of a method and device for the above additional authentication.
  • a method of operating a user equipment (UE) in a wireless communication system may include receiving a first message from a satellite, the first message including an ID of the satellite and a first random number generated by the satellite for additional authentication of the UE and the satellite; transmitting a second message to the satellite, the second message including an ID of the UE, an authentication value generated by the UE based on the first message, and a second random number generated by the UE for additional authentication of the UE and the satellite; and receiving a third message from the satellite, the third message including an authentication value generated by the satellite based on the second message.
  • a method for operating a satellite in a wireless communication system may include transmitting a first message to a user equipment (UE), the first message including an ID of the satellite and a first random number generated by the satellite for additional authentication of the UE and the satellite; receiving a second message from the UE, the second message including an ID of the UE, an authentication value generated by the UE based on the first message, and a second random number generated by the UE for additional authentication of the UE and the satellite; and transmitting a third message to the UE, the third message including an authentication value generated by the satellite based on the second message.
  • UE user equipment
  • a user equipment includes a transceiver; and a processor.
  • the processor may control the reception of a first message from a satellite, the first message including an ID of a satellite and a first random number generated by the satellite for additional authentication of the UE and the satellite, the transmission of a second message to the satellite, the second message including an ID of the UE, an authentication value generated by the UE based on the first message, and a second random number generated by the UE for additional authentication of the UE and the satellite, and the reception of a third message from the satellite, the third message including an authentication value generated by the satellite based on the second message.
  • a satellite includes a transceiver; and a processor.
  • the processor may control to transmit a first message including an ID of the satellite and a first random number generated by the satellite for additional authentication of a user equipment (UE) and the satellite to the UE, receive a second message including the ID of the UE, an authentication value generated by the UE based on the first message, and a second random number generated by the UE for additional authentication of the UE and the satellite from the UE, and transmit a third message including an authentication value generated by the satellite based on the second message to the UE.
  • Various embodiments of the present disclosure can provide a method and apparatus for improving authentication between a terminal and a network by introducing an additional authentication process between the terminal and the satellite when the satellite communication system operates in a store-and-forward mode.
  • FIG. 1 is a conceptual diagram illustrating two different modes of satellite communication to be covered in an embodiment of the present disclosure.
  • Figure 2 is a conceptual diagram illustrating a key of an encryption system to be handled in an embodiment of the present disclosure.
  • FIG. 3 is a conceptual diagram illustrating a database for additional authentication to be handled in an embodiment of the present disclosure.
  • Figure 4 is a conceptual diagram illustrating how the above-described database is used in a specific mode of the above-described satellite communication.
  • FIG. 5 is a diagram illustrating an authentication process between a terminal and a network of an EPS according to an embodiment of the present disclosure.
  • FIG. 6 is a diagram illustrating an authentication process between a terminal and a network of an EPS using a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 7 is a diagram illustrating an authentication process between a 5G terminal and a network according to an embodiment of the present disclosure.
  • FIG. 8 is a diagram illustrating an authentication process between a terminal and a network of a 5G using a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 9 is a diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 10 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 11 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 12 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 13 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 14 is a diagram showing the configuration of a UE according to one embodiment of the present disclosure.
  • FIG. 15 is a diagram showing the configuration of a network entity according to one embodiment of the present disclosure.
  • each block of the processing flowchart drawings and combinations of the flowchart drawings can be performed by computer program instructions.
  • These computer program instructions can be installed in a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing equipment, so that the instructions executed by the processor of the computer or other programmable data processing equipment create a means for performing the functions described in the flowchart block(s).
  • These computer program instructions can also be stored in a computer-available or computer-readable memory that can direct a computer or other programmable data processing equipment to implement the functions in a specific manner, so that the instructions stored in the computer-available or computer-readable memory can also produce a manufactured item that includes an instruction means for performing the functions described in the flowchart block(s).
  • the computer program instructions may be installed on a computer or other programmable data processing device, a series of operational steps may be performed on the computer or other programmable data processing device to create a computer-executable process, and the instructions that cause the computer or other programmable data processing device to perform the steps for performing the functions described in the flowchart block(s) may also provide steps for performing the functions described in the flowchart block(s).
  • each block may represent a module, segment, or portion of code that contains one or more executable instructions for performing a specific logical function(s).
  • the functions described in the blocks may occur out of order. For example, two blocks depicted in succession may actually be executed substantially concurrently, or the blocks may sometimes be executed in reverse order, depending on their respective functions.
  • the term '~unit' used in various embodiments of the present disclosure means a software or hardware component such as an FPGA or ASIC, and the '~unit' can perform certain roles.
  • the '~unit' is not limited to software or hardware.
  • the '~unit' may be configured to reside in an addressable storage medium or may be configured to execute one or more processors.
  • the '~unit' may include components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, and variables.
  • components and '~units' may be combined into a smaller number of components and '~units' or further separated into additional components and '~units'. Additionally, components and '~units' may be implemented to reproduce one or more CPUs within a device or a secure multimedia card.
  • FIG. 1 is a conceptual diagram illustrating two different modes of satellite communication to be covered in an embodiment of the present disclosure.
  • the communication between the UE and the Satellite illustrated in Fig. 1 may be collectively referred to as a Service link.
  • the communication between the Satellite and the GN illustrated in Fig. 1 may be collectively referred to as a Feeder link.
  • the two different modes of satellite communication are as follows:
  • Figure 2 is a conceptual diagram illustrating a key of an encryption system to be handled in an embodiment of the present disclosure.
  • K UE may be common confidential information (credential) shared by the terminal and the network.
  • the confidential information may be a symmetric key of a symmetric key cryptosystem.
  • the symmetric key may be the same as the symmetric key (K used in the authentication process of an EPS or 5G system) required for mutual authentication between the network and the terminal of a mobile communication system, or may be a newly defined symmetric key for additional mutual authentication between the satellite and the terminal described in this embodiment.
  • K SAT,UE may be a credential derived from K UE .
  • K SAT,UE may be a symmetric key of a symmetric key cryptosystem derived from K UE .
  • K SAT,UE can be derived from K UE by the terminal and the network.
  • K SAT,UE can be derived by the network and then transmitted to the satellite.
  • ID.SAT: ID of the satellite that will receive K SAT,UE from the network.
  • the satellite may include a 'base station' and/or 'part and/or all of the core network entity' as components.
  • ID.SAT may be one of the following values: 1) ID assigned to the entire satellite, 2) ID of the base station which is one of the components of the satellite, 3) ID of the core network entity among the components of the satellite.
  • Nonce value: a random number generated by the network to derive K SAT,UE.
  • the use of the Nonce value may be optional. That is, although the embodiments in this disclosure are written only for cases where the Nonce value is used, when the Nonce value is not used, all operations related to the Nonce may be omitted in embodiments to be disclosed later.
  • FIG. 3 is a conceptual diagram illustrating a database for additional authentication to be handled in an embodiment of the present disclosure.
  • the above database may be a database used for additional mutual authentication between the terminal and satellite described in the present disclosure.
  • the above database may be a database generated by the network for additional mutual authentication between the terminal and satellite.
  • the above database may be a database generated by the network and transmitted to the satellite for additional mutual authentication between the terminal and satellite.
  • the above database can be created in the following manner.
  • ID.UE may be the same as an ID previously used by the network of a mobile communication system to identify a terminal (such as IMSI used in EPS or SUPI used in a 5G system), or may be a newly defined ID for additional mutual authentication between the satellite and the terminal described in this embodiment.
  • K SAT,UE: credential to be used for additional mutual authentication between the 'terminal' and the 'satellite that receives the database'.
  • the derivation of K SAT,UE can follow the process of Fig. 2. If the process of Fig. 2 is followed, the 'ID of the satellite that receives the database' and the 'Nonce' value can be used to derive K SAT,UE.
  • the network collects the prepared values for multiple terminals and creates a table as shown in Figure 3. At this time, the Nonce values may be different for each UE or may be common values.
  • the database may be referred to as PAM (Partial Authentication Management).
  • Figure 4 is a conceptual diagram illustrating how the above-described database is used in a specific mode of the above-described satellite communication.
  • This conceptual diagram presents a schematic process for enabling additional mutual authentication between a terminal and a satellite using the database created in Figure 3.
  • the network can generate PAM.
  • the definition and generation process of PAM are described in Figure 3.
  • the network can transmit the PAM generated above via satellite.
  • the satellite and terminal can use PAM for additional mutual authentication.
  • FIG. 5 is a diagram illustrating an authentication process between a terminal and a network of an EPS according to an embodiment of the present disclosure.
  • the UE illustrated in FIG. 5 is an abbreviation for user equipment, and is also collectively called a terminal, and may include a mobile station (MS), a cellular phone, a smartphone, a computer, an IoT device, or a multimedia system capable of performing a communication function.
  • the eNB illustrated in FIG. 5 is an entity that performs resource allocation of the UE, and may be at least one of an eNode B, a Node B, a BS (base station), a RAN (radio access network), an AN (access network), a RAN node, a NR NB, a gNB, a radio access unit, a base station controller, or a node on a network.
  • the MME illustrated in FIG. 5 may be an entity that provides mobility management functions and session management functions of the UE.
  • the HSS illustrated in Fig. 5 may be an entity that provides data management functions such as subscriber data and policy control data.
  • the authentication process between the terminal and the network of the EPS system can be as follows.
  • step 501 one or more of the following processes may be performed:
  • the UE can request network access to the MME.
  • An ID identifying the UE may be transmitted during the above process.
  • step 502 one or more of the following processes may be performed:
  • the MME may request information to authenticate the UE with the HSS.
  • An ID identifying the UE may be transmitted during the process.
  • step 503 one or more of the following processes may be performed:
  • after verifying the terminal's ID, the HSS can generate the information necessary for authenticating the terminal. This information may be referred to as an authentication vector (AV).
  • step 504 one or more of the following steps may be performed:
  • the HSS may transmit an authentication vector to the MME.
  • the authentication vector may include one or more of the following information:
  • the above information is information that can verify the validity of the network, and the UE can verify the above information to authenticate the network.
  • the above information is information that can verify the validity of the terminal, and the network can use the above information to authenticate the terminal.
  • step 505 one or more of the following processes may be performed:
  • MME can send AUTH to UE.
  • the terminal can verify AUTH.
  • the terminal can authenticate the network by verifying AUTH.
  • the terminal can generate RES.
  • the above information may be used by the network in the process of verifying the validity of the terminal.
  • the terminal can transmit the generated RES to the MME.
  • step 508 one or more of the following processes may be performed:
  • the MME can verify the RES.
  • the above verification process may be a process of checking whether the 'XRES value received in step 4' and the 'RES value received in step 7' match. If the two values match as a result of the above verification, the network can authenticate the terminal.
  • the terminal and the network can generate a security key for future secure communication.
  • FIG. 6 is a diagram illustrating an authentication process between a terminal and a network of an EPS using a satellite communication system according to an embodiment of the present disclosure.
  • the UE illustrated in FIG. 6 may be the UE illustrated in FIG. 5.
  • the Satellite illustrated in FIG. 6 may include the eNB disclosed in FIG. 5.
  • the Satellite illustrated in FIG. 6 may include part and/or all of the MME disclosed in FIG. 5.
  • the GN illustrated in FIG. 6 may include part and/or all of the MME disclosed in FIG. 5.
  • the GN illustrated in FIG. 6 may include the HSS disclosed in FIG. 5.
  • the authentication process disclosed in Fig. 6 is a process modified from the authentication process disclosed in Fig. 5 to suit satellite communication in the store-and-forward mode.
  • the process may be as follows.
  • Step 501 of FIG. 5 may not be sufficient and additional steps may be required. A detailed description of the additional steps will be provided in FIGS. 9 through 13.
  • step 601 one or more of the following processes may be performed:
  • a process corresponding to step 502 of FIG. 5 can be performed.
  • step 602 one or more of the following processes may be performed:
  • step 603 one or more of the following processes may be performed:
  • the UE can make an Attach Request to the Satellite again.
  • step 3: processes corresponding to steps 505 to 509 of FIG. 5 may be performed.
  • FIG. 7 is a diagram illustrating an authentication process between a 5G terminal and a network according to an embodiment of the present disclosure.
  • the UE illustrated in FIG. 7 is an abbreviation for user equipment, and is also collectively called a terminal, and may include a mobile station (MS), a cellular phone, a smartphone, a computer, an IoT device, or a multimedia system capable of performing a communication function.
  • SEAF, shown in Figure 7, is an abbreviation for Security Anchor Function and can act as an intermediary in the authentication process.
  • AUSF, shown in Fig. 7, is an abbreviation for Authentication Server Function and may be a network function responsible for authentication with a terminal.
  • UDM, shown in Figure 7, is an abbreviation for Unified Data Management and may be an entity that provides data management functions such as subscriber data and policy control data.
  • the authentication process disclosed in Fig. 7 may be as follows.
  • step 701 one or more of the following processes may be performed:
  • UE can request access to SEAF.
  • step 702 one or more of the following processes may be performed:
  • SEAF may request AUSF to initiate authentication.
  • AUSF may request data for authentication from UDM.
  • step 703 one or more of the following processes may be performed:
  • UDM can generate data AV (Authentication Vector) for authentication.
  • the AV can include AUTH and XRES.
  • the AUTH can be information used when the terminal authenticates the network.
  • the XRES can be information used when the network authenticates the terminal.
  • step 704 one or more of the following processes may be performed:
  • UDM can transmit AUTH and XRES to AUSF.
  • step 705 one or more of the following processes may be performed:
  • AUSF can generate HXRES from the received XRES.
  • step 706 one or more of the following processes may be performed:
  • AUSF can transmit AUTH and HXRES to SEAF.
  • step 707 one or more of the following processes may be performed:
  • SEAF can send AUTH to UE.
  • step 708 one or more of the following processes may be performed:
  • UE can authenticate the network using AUTH.
  • UE can generate RES.
  • step 709 one or more of the following processes may be performed:
  • UE can transmit RES to SEAF.
  • step 710 one or more of the following processes may be performed:
  • SEAF can authenticate a terminal by verifying the RES. However, this authentication may not complete terminal authentication on the network.
  • step 711 one or more of the following processes may be performed:
  • SEAF can send RES to AUSF.
  • the above process can be performed if authentication in step 710 is successful.
  • step 712 one or more of the following processes may be performed:
  • AUSF can verify RES. This process can complete UE authentication in the network.
  • AUSF can notify SEAF that terminal authentication on the network has been successful.
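As an added illustration of the Fig. 7 flow (not code from the patent), the Python model below shows why the SEAF check in step 710 is only provisional: per steps 705 and 706 the AUSF hands the SEAF HXRES, a hash of XRES, so the SEAF can screen a RES but only the AUSF, which holds XRES, completes authentication in step 712. Assumptions not on the page: HMAC-SHA256 stands in for MILENAGE, AUTH is modelled as SQN || MAC(K, RAND || SQN) with a sequence-number freshness check at the UE, and HXRES is modelled on TS 33.501's HXRES* (least significant 128 bits of SHA-256(RAND || XRES)).

```python
import hashlib
import hmac
import secrets

SQN_LEN = 6   # sequence number length in bytes (assumed)
MAC_LEN = 8   # length of the network-authentication tag inside AUTH (assumed)


def udm_generate_av(k, sqn, rand=None):
    """Step 703: UDM builds the AV for subscriber key K. Assumed construction:
    AUTH = SQN || HMAC(K, RAND || SQN), XRES = HMAC(K, "RES" || RAND)."""
    rand = secrets.token_bytes(16) if rand is None else rand
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    tag = hmac.new(k, rand + sqn_b, hashlib.sha256).digest()[:MAC_LEN]
    xres = hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:16]
    return rand, sqn_b + tag, xres


def hxres_of(rand, xres):
    """Step 705: AUSF derives HXRES from XRES (modelled on TS 33.501 HXRES*:
    least significant 128 bits of SHA-256(RAND || XRES)). SEAF receives only this."""
    return hashlib.sha256(rand + xres).digest()[-16:]


class UE:
    """Terminal side of steps 708 and 709."""

    def __init__(self, k):
        self.k = k
        self.last_sqn = -1  # highest SQN accepted so far; rejects a replayed AUTH

    def authenticate_network(self, rand, auth):
        """Step 708: verify AUTH, then produce RES. Returns None on rejection."""
        sqn_b, tag = auth[:SQN_LEN], auth[SQN_LEN:]
        expected = hmac.new(self.k, rand + sqn_b, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, tag):
            return None                      # AUTH was not built with our K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.last_sqn:
            return None                      # stale or replayed challenge
        self.last_sqn = sqn
        return hmac.new(self.k, b"RES" + rand, hashlib.sha256).digest()[:16]


def seaf_verify(hxres, rand, res):
    """Step 710: serving-network check. The SEAF can only compare a hash of RES."""
    hres = hashlib.sha256(rand + res).digest()[-16:]
    return hmac.compare_digest(hres, hxres)


def ausf_verify(xres, res):
    """Step 712: home-network check that completes UE authentication."""
    return hmac.compare_digest(xres, res)


def run_5g_aka(k_udm, ue, sqn):
    """Steps 703 to 712 end to end; reports which party accepted what."""
    rand, auth, xres = udm_generate_av(k_udm, sqn)
    hxres = hxres_of(rand, xres)               # step 706: only HXRES goes to SEAF
    res = ue.authenticate_network(rand, auth)  # steps 707 and 708
    if res is None:
        return {"ue_accepted_network": False, "seaf_ok": False, "ausf_ok": False}
    seaf_ok = seaf_verify(hxres, rand, res)            # step 710
    ausf_ok = seaf_ok and ausf_verify(xres, res)       # steps 711 and 712
    return {"ue_accepted_network": True, "seaf_ok": seaf_ok, "ausf_ok": ausf_ok}
```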
  • FIG. 8 is a diagram illustrating an authentication process between a terminal and a network of a 5G using a satellite communication system according to an embodiment of the present disclosure.
  • the UE illustrated in FIG. 8 may be the UE illustrated in FIG. 7.
  • the Satellite illustrated in FIG. 8 may include a portion and/or all of the SEAF disclosed in FIG. 7.
  • the Satellite illustrated in FIG. 8 may include a portion and/or all of the AUSF disclosed in FIG. 7.
  • the GN illustrated in FIG. 8 may include a portion and/or all of the SEAF disclosed in FIG. 7.
  • the GN illustrated in FIG. 8 may include a portion and/or all of the AUSF disclosed in FIG. 7.
  • the GN illustrated in FIG. 8 may include the UDM disclosed in FIG. 7.
  • the authentication process disclosed in Fig. 8 is a modification of the authentication process disclosed in Fig. 7, adapted to satellite communication in the store-and-forward mode.
  • the modified process may be as follows.
  • Step 701 of FIG. 7 may not be sufficient and additional steps may be required. A detailed description of the additional steps will be provided in FIGS. 9 through 13.
  • step 801 one or more of the following processes may be performed:
  • step 802 one or more of the following processes may be performed:
  • step 803 one or more of the following processes may be performed:
  • the UE can make an Attach Request to the Satellite again.
  • steps 707 to 714 of FIG. 7 may be performed.
  • communication between the UE and SEAF may be performed in a situation where 'Service Link is available / Feeder Link is unavailable'.
  • communication between the SEAF and AUSF may be performed in a situation where 'Service Link is unavailable / Feeder Link is available'.
  • FIG. 9 is a diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 9 may be a process corresponding to the Attach Request Procedure of FIG. 6 or FIG. 8.
  • the definitions of the UE and Satellite may follow the definitions disclosed in FIG. 6 and FIG. 8.
  • the additional authentication process of Fig. 9 may be as follows.
  • step 901 one or more of the following processes may be performed:
  • - Satellite may transmit one or more of the following information to UE:
  • ⁇ ID.SAT Satellite ID.
  • the above ID may be the Satellite ID used to derive the PAM information held by the Satellite.
  • PAM For a description of PAM, refer to Fig. 3.
  • Nonce value included in the PAM held by the Satellite The Nonce value included in the PAM held by the Satellite.
  • the Nonce value included in the PAM may not differ by UE and may be the same value for all UEs.
  • ⁇ RN.SAT A random number generated by the Satellite for additional authentication of the terminal and satellite.
  • the random value may not differ by UE and may be the same for all UEs.
  • In step 902, one or more of the following processes may be performed:
  • the UE may perform one or more of the following processes:
  • the UE can create K SAT,UE using the K UE it owns and the information (ID.SAT and/or Nonce) received in step 1.
  • the UE can generate an authentication value SIG.UE for RN.SAT (and/or ID.UE and/or RN.UE) using the above-mentioned generated K SAT,UE .
  • K SAT,UE may be used as a credential for generating the authentication value, or another value derived from K SAT,UE may be used.
  • RN.SAT, which is the source of the authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • the UE may transmit one or more of the following information to the Satellite:
  • ▪ ID.UE: UE ID.
  • the above information is included in the PAM held by the Satellite, and may be an identifier that allows the Satellite to identify the UE.
  • ▪ RN.UE: A random number generated by the UE for additional authentication of the terminal and satellite.
  • In step 903, one or more of the following processes may be performed:
  • - Satellite can perform one or more of the following processes:
  • ▪ Satellite can obtain K SAT,UE of the UE that transmitted the ID by searching PAM using the received ID.UE.
  • the satellite can verify the validity of the SIG.UE transmitted by the UE using the K SAT,UE acquired above. Through the above process, the satellite can authenticate the terminal.
  • ▪ Satellite can generate an authentication value SIG.SAT for RN.UE using the K SAT,UE acquired above.
  • K SAT,UE may be used as the credential for generating the authentication value, or another value derived from K SAT,UE may be used.
  • RN.UE, which is the target of authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • the Satellite may transmit one or more of the following information to the UE.
  • the Satellite may also transmit additional information necessary for the UE to access the network.
  • the information transmitted by the Satellite to the UE may be securely protected.
  • the credential used for protection may be K SAT,UE or another value derived from K SAT,UE .
  • the protection may be achieved by encryption using the credential, or an integrity protection technique (such as a Message Authentication Code, for example) may be used.
  • the UE may perform one or more of the following processes:
  • the UE can perform the following steps: If the received message is encrypted, it can decrypt it and verify the contents. If the received message is integrity protected, it can verify the integrity of the received message.
  • the UE can authenticate the satellite by verifying the validity of the received SIG.SAT.
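  • As an added illustration of the FIG. 9 exchange (this is example code, not code from the patent or from Samsung), the following Python models steps 901 to 903 and the UE's final verification. The key derivation and the authentication values SIG.UE / SIG.SAT are instantiated with HMAC-SHA256, the PAM is modelled as the Nonce plus a table from ID.UE to K SAT,UE prepared on the ground, and every identifier, key and nonce is a constructed sample value; none of these concrete choices are specified by the text above.

```python
"""Added example of the FIG. 9 mutual authentication (UE <-> Satellite).
Not the patent's code. HMAC-SHA256 as KDF/MAC and the PAM layout are assumptions."""
import hashlib
import hmac
import os


def derive_k_sat_ue(k_ue: bytes, id_sat: bytes, nonce: bytes) -> bytes:
    """K_SAT,UE = KDF(K_UE, ID.SAT, Nonce). The KDF (HMAC-SHA256) is assumed."""
    return hmac.new(k_ue, b"K_SAT,UE" + id_sat + nonce, hashlib.sha256).digest()


def auth_value(k_sat_ue: bytes, *fields: bytes) -> bytes:
    """SIG.* as a message authentication code over length-prefixed fields,
    so that ID/RN boundaries cannot be shifted by an attacker."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(k_sat_ue, msg, hashlib.sha256).digest()


def build_pam(k_ue_by_id: dict, id_sat: bytes, nonce: bytes) -> dict:
    """PAM as assumed here: the Nonce plus a table ID.UE -> K_SAT,UE."""
    keys = {i: derive_k_sat_ue(k, id_sat, nonce) for i, k in k_ue_by_id.items()}
    return {"nonce": nonce, "keys": keys}


class Satellite:
    def __init__(self, id_sat: bytes, pam: dict):
        self.id_sat, self.pam, self.rn_sat = id_sat, pam, None

    def step_901(self):
        """Send ID.SAT, the PAM Nonce and a fresh RN.SAT (same for all UEs)."""
        self.rn_sat = os.urandom(16)
        return self.id_sat, self.pam["nonce"], self.rn_sat

    def step_903(self, id_ue: bytes, rn_ue: bytes, sig_ue: bytes):
        """Look up K_SAT,UE by ID.UE, verify SIG.UE, then answer with SIG.SAT."""
        k = self.pam["keys"].get(id_ue)
        if k is None:
            return None  # UE not present in PAM: cannot authenticate it
        expected = auth_value(k, self.rn_sat, id_ue, rn_ue)
        if not hmac.compare_digest(expected, sig_ue):
            return None  # terminal authentication failed
        return auth_value(k, rn_ue)  # SIG.SAT over the UE's challenge RN.UE


class UE:
    def __init__(self, id_ue: bytes, k_ue: bytes):
        self.id_ue, self.k_ue, self.k_sat_ue, self.rn_ue = id_ue, k_ue, None, None

    def step_902(self, id_sat: bytes, nonce: bytes, rn_sat: bytes):
        """Derive K_SAT,UE and answer RN.SAT with SIG.UE over (RN.SAT, ID.UE, RN.UE)."""
        self.k_sat_ue = derive_k_sat_ue(self.k_ue, id_sat, nonce)
        self.rn_ue = os.urandom(16)
        return self.id_ue, self.rn_ue, auth_value(self.k_sat_ue, rn_sat, self.id_ue, self.rn_ue)

    def verify_sig_sat(self, sig_sat) -> bool:
        """Satellite authentication: SIG.SAT must match the MAC over RN.UE."""
        if sig_sat is None:
            return False
        return hmac.compare_digest(auth_value(self.k_sat_ue, self.rn_ue), sig_sat)


def run_fig9(ue: UE, sat: Satellite) -> bool:
    """Full exchange; True only if both sides authenticated each other."""
    id_sat, nonce, rn_sat = sat.step_901()
    id_ue, rn_ue, sig_ue = ue.step_902(id_sat, nonce, rn_sat)
    return ue.verify_sig_sat(sat.step_903(id_ue, rn_ue, sig_ue))


def demo() -> tuple:
    """Constructed sample: a provisioned UE, a UE with a wrong K_UE, an unknown UE."""
    id_sat, nonce, k_good = b"SAT-01", b"\x01" * 16, b"\x42" * 32  # constructed values
    sat = Satellite(id_sat, build_pam({b"UE-A": k_good}, id_sat, nonce))
    ok = run_fig9(UE(b"UE-A", k_good), sat)
    wrong_key = run_fig9(UE(b"UE-A", b"\x43" * 32), sat)
    unknown = run_fig9(UE(b"UE-Z", k_good), sat)
    return ok, wrong_key, unknown


if __name__ == "__main__":
    print(demo())
```

  • Because SIG.UE covers RN.SAT chosen by the satellite and SIG.SAT covers RN.UE chosen by the UE, neither side's authentication value can be replayed from an earlier session; a UE that is not in the PAM, or that derived K SAT,UE from a different K UE, fails at step 903 and never receives a valid SIG.SAT.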
  • At least one operation illustrated in FIG. 9 can be used in STEP 1 of FIG. 6 or STEP 1 of FIG. 8. According to one embodiment, at least one operation illustrated in FIG. 9 can also be applied to STEP 3 of FIG. 6 or STEP 3 of FIG. 8. When applied, some of the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described may be changed as follows. (Operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that are not described below are identical to the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described.)
  • STEP 3 of FIG. 6 can be composed of the sequential progression of ‘Step 603 of FIG. 6’ and ‘Steps 505 to 509 of FIG. 5’.
  • the embodiment of FIG. 9 can be applied to STEP3 of FIG. 6 in the manner described below.
  • step 901 of FIG. 9 may be performed before step 3 of FIG. 6 is executed.
  • steps 603 of FIG. 6 and 902 of FIG. 9 may be combined as follows:
  • the UE may transmit the message described in step 603 of FIG. 6 to the satellite.
  • the UE may further transmit the message described in step 902 of FIG. 9 to the satellite.
  • the message described in step 603 of FIG. 6 may further be included in the source for generating the SIG.UE described in step 902 of FIG. 9.
  • step 603 of FIG. 6, step 505 of FIG. 5 and step 903 of FIG. 9 may be combined as follows:
  • the satellite may transmit the message described in step 505 of FIG. 5 to the UE.
  • the satellite may further transmit the message described in step 903 of FIG. 9 to the UE.
  • the message described in step 505 of FIG. 5 may further be included in the source for generating SIG.SAT described in step 903 of FIG. 9.
  • STEP 3 of FIG. 8 can be composed of the sequential progression of ‘Step 803 of FIG. 8’ and ‘Steps 707 to 714 of FIG. 7’.
  • FIG. 9 can be applied to STEP3 of FIG. 8 in a manner described below.
  • step 901 of FIG. 9 may be performed before step 803 of FIG. 8 is performed.
  • steps 803 of FIG. 8 and 902 of FIG. 9 may be combined as follows:
  • the UE may transmit the message described in step 803 of FIG. 8 to the satellite.
  • the UE may further transmit the message described in step 902 of FIG. 9 to the satellite.
  • the message described in step 803 of FIG. 8 may further be included in the source for generating the SIG.UE described in step 902 of FIG. 9.
  • step 803 of FIG. 8, step 707 of FIG. 7 and step 903 of FIG. 9 may be combined as follows:
  • the satellite may transmit the message described in step 707 of FIG. 7 to the UE.
  • the satellite may further transmit the message described in step 903 of FIG. 9 to the UE.
  • the message described in step 707 of FIG. 7 may further be included in the source for generating SIG.SAT described in step 903 of FIG. 9.
  • FIG. 10 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 10 may be a process corresponding to the Attach Request Procedure of FIG. 6 or FIG. 8.
  • the definitions of the UE and Satellite may follow the definitions disclosed in FIG. 6 and FIG. 8.
  • the additional authentication process of Fig. 10 may be as follows.
  • In step 1001, one or more of the following processes may be performed:
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ ID.SAT: Satellite ID.
  • the above ID may be the Satellite ID used to derive the PAM information held by the Satellite.
  • ▪ PAM: For a description of PAM, refer to FIG. 3.
  • ▪ Nonce: The Nonce value included in the PAM held by the Satellite.
  • the Nonce value included in the PAM may not differ by UE and may be the same value for all UEs.
  • In step 1002, one or more of the following processes may be performed:
  • the UE may perform one or more of the following processes:
  • the UE can create K SAT,UE using the K UE it owns and the information (ID.SAT and/or Nonce) received in step 1.
  • the UE can generate a value SIG.UE that can verify itself using the K SAT,UE generated above.
  • K SAT,UE may be used as a credential for generating an authentication value, or another value derived from K SAT,UE may be used.
  • an arbitrary value (and/or ID.UE) that ensures the refreshability of the current session (and can prevent replay attacks) can be used as the source of authentication value generation.
  • One example of a value that ensures refreshability is the current time. If current time information is used, various verification mechanisms utilizing it can be utilized. For example, a verifier can verify whether the received time information is acceptable within a certain error range. If the received time information falls within the acceptable error range, the verifier can determine that the information is valid.
  • the source of authentication value generation can be encrypted using the above-mentioned credential or integrity protected in the form of a message authentication code.
  • the UE may transmit one or more of the following information to the Satellite:
  • ▪ ID.UE: UE ID.
  • the above information is included in the PAM held by the Satellite, and may be an identifier that allows the Satellite to identify the UE.
  • In step 1003, one or more of the following processes may be performed:
  • - Satellite can perform one or more of the following processes:
  • ▪ Satellite can obtain K SAT,UE of the UE that transmitted the ID by searching PAM using the received ID.UE.
  • the satellite can verify the validity of the SIG.UE transmitted by the UE using the K SAT,UE acquired above. Through the above process, the satellite can authenticate the terminal.
  • Satellite can generate a value SIG.SAT that can verify itself using the K SAT,UE obtained above.
  • K SAT,UE may be used as a credential for generating an authentication value, or another value derived from K SAT,UE may be used.
  • any arbitrary value that guarantees the refreshability of the current session (and can prevent replay attacks) can be used as the source of authentication value generation.
  • the source of authentication value generation in the above process may be the current time information. If current time information is used, various verification mechanisms utilizing it can be utilized. For example, the verifier can verify whether the received time information is acceptable within a certain error range. If the received time information falls within the acceptable error range, the content of the information can be deemed valid.
  • the source of authentication value generation can be encrypted using the above-mentioned credential or integrity protected in the form of a message authentication code.
  • - Satellite may transmit one or more of the following information to UE:
  • the UE may perform one or more of the following processes:
  • the UE can authenticate the satellite by verifying the validity of the received SIG.SAT.
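  • The time-based freshness check of FIG. 10 (the same mechanism reappears in FIG. 13), as an added example that is not part of the patent or Samsung's code: SIG.UE is computed over ID.UE and the UE's current time, and the verifier accepts it only if the MAC is valid and the carried time lies within a tolerance window. HMAC-SHA256, the 30-second window, the constructed K SAT,UE and the per-ID.UE record of the last accepted time (a guard added here so that the same message cannot be accepted twice inside the window, which the text does not describe) are all assumptions.

```python
"""Added example: time-based SIG verification with a tolerance window (FIG. 10 / FIG. 13).
Not the patent's code; MAC choice, window size and replay record are assumptions."""
import hashlib
import hmac

TOLERANCE_S = 30  # assumed acceptable clock error between UE and satellite


def auth_value(k_sat_ue: bytes, *fields: bytes) -> bytes:
    """SIG.* as HMAC-SHA256 over length-prefixed fields (assumed MAC)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(k_sat_ue, msg, hashlib.sha256).digest()


def make_timed_sig(k_sat_ue: bytes, id_ue: bytes, now_s: int):
    """Prover side: the source of SIG is (ID.UE, current time); both are sent."""
    t_bytes = now_s.to_bytes(8, "big")
    return t_bytes, auth_value(k_sat_ue, id_ue, t_bytes)


def verify_timed_sig(k_sat_ue: bytes, id_ue: bytes, t_bytes: bytes, sig: bytes,
                     now_s: int, last_seen: dict, tolerance_s: int = TOLERANCE_S) -> str:
    """Verifier side. Returns 'ok', 'bad-mac', 'stale' or 'replay'.

    The MAC is checked first so that an unauthenticated time value is never
    trusted; the tolerance window then bounds how old or how far ahead the
    time may be; last_seen (assumed, per ID.UE) rejects a repeat inside the window."""
    if not hmac.compare_digest(auth_value(k_sat_ue, id_ue, t_bytes), sig):
        return "bad-mac"
    t = int.from_bytes(t_bytes, "big")
    if abs(now_s - t) > tolerance_s:
        return "stale"
    if t <= last_seen.get(id_ue, -1):
        return "replay"
    last_seen[id_ue] = t
    return "ok"


def demo() -> list:
    """Constructed scenario with a fixed verifier clock."""
    k = b"\x42" * 32  # constructed K_SAT,UE shared by UE and satellite
    id_ue, last_seen, now = b"UE-A", {}, 1_700_000_000
    t1, s1 = make_timed_sig(k, id_ue, now - 5)    # fresh, small skew
    t2, s2 = make_timed_sig(k, id_ue, now - 120)  # outside the window
    t3, s3 = make_timed_sig(k, id_ue, now + 2)    # UE clock slightly ahead
    return [
        verify_timed_sig(k, id_ue, t1, s1, now, last_seen),            # ok
        verify_timed_sig(k, id_ue, t2, s2, now, last_seen),            # stale
        verify_timed_sig(k, id_ue, t1, s1, now, last_seen),            # same message again
        verify_timed_sig(k, id_ue, t3, s3, now, last_seen),            # ok
        verify_timed_sig(k, id_ue, t3, b"\x00" * 32, now, last_seen),  # forged MAC
    ]


if __name__ == "__main__":
    print(demo())
```

  • The window trades clock accuracy for security: a wider tolerance survives larger UE/satellite clock drift but lengthens the period in which a captured message stays acceptable, which is why the added last-accepted-time record is kept alongside the range check rather than relying on the range check alone.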
  • At least one operation illustrated in FIG. 10 can be used in STEP 1 of FIG. 6 or STEP 1 of FIG. 8. According to one embodiment, at least one operation illustrated in FIG. 10 can also be applied to STEP 3 of FIG. 6 or STEP 3 of FIG. 8. According to one embodiment, when at least one operation illustrated in FIG. 10 is applied, some of the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described may be changed as follows. (Operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that are not described below are identical to operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that have already been described.)
  • STEP 3 of FIG. 6 can be composed of the sequential progression of ‘Step 603 of FIG. 6’ and ‘Steps 505 to 509 of FIG. 5’.
  • the embodiment of FIG. 10 can be applied to STEP3 of FIG. 6 in a manner described below.
  • step 1001 of FIG. 10 may be performed before step 603 of FIG. 6 is performed.
  • steps 603 of FIG. 6 and 1002 of FIG. 10 may be combined as follows:
  • the UE may transmit the message described in step 603 of FIG. 6 to the satellite.
  • the UE may further transmit the message described in step 1002 of FIG. 10 to the satellite.
  • the message described in step 603 of FIG. 6 may further be included in the source for generating the SIG.UE described in step 1002 of FIG. 10.
  • step 603 of FIG. 6, step 505 of FIG. 5 and step 1003 of FIG. 10 may be combined as follows:
  • the satellite may transmit the message described in step 505 of FIG. 5 to the UE.
  • the satellite may further transmit the message described in step 1003 of FIG. 10 to the UE.
  • the message described in step 505 of FIG. 5 may further be included in the source for generating SIG.SAT described in step 1003 of FIG. 10.
  • STEP 3 of FIG. 8 can be composed of the sequential progression of ‘Step 803 of FIG. 8’ and ‘Steps 707 to 714 of FIG. 7’.
  • the embodiment of FIG. 10 can be applied to STEP3 of FIG. 8 in a manner described below.
  • step 1001 of FIG. 10 may be performed before step 803 of FIG. 8 is performed.
  • steps 803 of FIG. 8 and 1002 of FIG. 10 may be combined as follows:
  • the UE may transmit the message described in step 803 of FIG. 8 to the satellite.
  • the UE may further transmit the message described in step 1002 of FIG. 10 to the satellite.
  • the message described in step 803 of FIG. 8 may further be included in the source for generating the SIG.UE described in step 1002 of FIG. 10.
  • step 803 of FIG. 8, step 707 of FIG. 7 and step 1003 of FIG. 10 may be combined as follows:
  • the satellite may transmit the message described in step 707 of FIG. 7 to the UE.
  • the satellite may further transmit the message described in step 1003 of FIG. 10 to the UE.
  • the message described in step 707 of FIG. 7 may further be included in the source for generating SIG.SAT described in step 1003 of FIG. 10.
  • FIG. 11 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 11 may be a process corresponding to the Attach Request Procedure of FIG. 6 or FIG. 8.
  • the definitions of the UE and Satellite may follow the definitions disclosed in FIG. 6 and FIG. 8.
  • the additional authentication process of Fig. 11 may be as follows.
  • In step 1101, one or more of the following processes may be performed:
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ ID.SAT: Satellite ID.
  • the above ID may be the Satellite ID used to derive the PAM information held by the Satellite.
  • ▪ PAM: For a description of PAM, refer to FIG. 3.
  • ▪ Nonce: The Nonce value included in the PAM held by the Satellite.
  • the Nonce value included in the PAM may not differ by UE and may be the same value for all UEs.
  • In step 1102, one or more of the following processes may be performed:
  • the UE may transmit one or more of the following information to the Satellite:
  • ▪ ID.UE: UE ID.
  • the above information is included in the PAM held by the Satellite, and may be an identifier that allows the Satellite to identify the UE.
  • ▪ RN.UE: A random number generated by the UE for additional authentication of the terminal and satellite.
  • In step 1103, one or more of the following processes may be performed:
  • - Satellite can perform one or more of the following processes:
  • ▪ Satellite can obtain K SAT,UE of the UE that transmitted the ID by searching PAM using the received ID.UE.
  • ▪ Satellite can generate authentication value SIG.SAT for RN.UE (and/or RN.SAT) using K SAT,UE acquired above.
  • K SAT,UE may be used as the credential for generating authentication value, or another value derived from K SAT,UE may be used.
  • RN.UE, which is the target of authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ RN.SAT: A random number generated by the Satellite for additional authentication between the terminal and the satellite.
  • the random value may be different for each UE or may be the same for all UEs.
  • In step 1104, one or more of the following processes may be performed:
  • the UE may perform one or more of the following processes:
  • the UE can authenticate the satellite by verifying the validity of the received SIG.SAT.
  • the UE can create K SAT,UE using the K UE it owns and the information (ID.SAT and/or Nonce) received in step 1.
  • the UE can generate an authentication value SIG.UE for RN.SAT using the above-mentioned K SAT,UE .
  • K SAT,UE may be used as the credential for generating the authentication value, or another value derived from K SAT,UE may be used.
  • RN.SAT, which is the source of the authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • the UE may transmit one or more of the following information to the Satellite:
  • - Satellite can perform one or more of the following processes:
  • the satellite can verify the validity of the SIG.UE transmitted by the UE using the K SAT,UE acquired above. Through the above process, the satellite can authenticate the terminal.
  • At least one operation illustrated in FIG. 11 can be used in STEP 1 of FIG. 6 or STEP 1 of FIG. 8. According to one embodiment, at least one operation illustrated in FIG. 11 can also be applied to STEP 3 of FIG. 6 or STEP 3 of FIG. 8. According to one embodiment, when at least one operation illustrated in FIG. 11 is applied, some of the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described may be changed as follows. (Operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that are not described below are identical to operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that have already been described.)
  • STEP 3 of FIG. 6 may be composed of the sequential progression of 'Step 603 of FIG. 6' and 'Steps 505 to 509 of FIG. 5'.
  • the embodiment of FIG. 11 can be applied to STEP3 of FIG. 6 in a manner described below.
  • step 1101 of FIG. 11 may be performed before step 603 of FIG. 6 is performed.
  • steps 603 of FIG. 6 and 1102 of FIG. 11 may be combined as follows:
  • the UE may transmit the message described in step 603 of FIG. 6 to the satellite.
  • the UE may further transmit the message described in step 1102 of FIG. 11 to the satellite.
  • step 603 of FIG. 6, step 505 of FIG. 5 and step 1103 of FIG. 11, may be combined as follows:
  • the satellite may transmit the message described in step 505 of FIG. 5 to the UE.
  • the satellite may further transmit the message described in step 1103 of FIG. 11 to the UE.
  • the message described in step 505 of FIG. 5 may further be included in the source for generating SIG.SAT described in step 1103 of FIG. 11.
  • step 603 of FIG. 6, step 507 of FIG. 5 and step 1104 of FIG. 11 may be combined as follows:
  • the UE may transmit the message described in step 507 of FIG. 5 to the satellite.
  • the UE may further transmit the message described in step 1104 of FIG. 11 to the satellite.
  • the message described in step 507 of FIG. 5 may further be included in the source for generating SIG.UE described in step 1104 of FIG. 11.
  • STEP 3 of FIG. 8 may be composed of the sequential progression of 'Step 803 of FIG. 8' and 'Steps 707 to 714 of FIG. 7'.
  • the embodiment of FIG. 11 can be applied to STEP3 of FIG. 8 in a manner described below.
  • step 1101 of FIG. 11 may be performed before step 803 of FIG. 8 is performed.
  • steps 803 of FIG. 8 and 1102 of FIG. 11 may be combined as follows:
  • the UE may transmit the message described in step 803 of FIG. 8 to the satellite.
  • the UE may further transmit the message described in step 1102 of FIG. 11 to the satellite.
  • step 707 of FIG. 7 may be combined as follows:
  • the satellite may transmit the message described in step 707 of FIG. 7 to the UE.
  • the satellite may further transmit the message described in step 1103 of FIG. 11 to the UE.
  • the message described in step 707 of FIG. 7 may further be included in the source for generating SIG.SAT described in step 1103 of FIG. 11.
  • step 709 of FIG. 7 may be combined as follows:
  • the UE may transmit the message described in step 709 of FIG. 7 to the satellite.
  • the UE may further transmit the message described in step 1104 of FIG. 11 to the satellite.
  • the message described in step 709 of FIG. 7 may further be included in the source for generating SIG.UE described in step 1104 of FIG. 11.
  • FIG. 12 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 12 may be a process corresponding to the Attach Request Procedure of FIG. 6 or FIG. 8.
  • the definitions of the UE and Satellite may follow the definitions disclosed in FIG. 6 and FIG. 8.
  • the additional authentication process of Fig. 12 may be as follows.
  • In step 1201, one or more of the following processes may be performed:
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ ID.SAT: Satellite ID.
  • the above ID may be the Satellite ID used to derive the PAM information held by the Satellite.
  • ▪ PAM: For a description of PAM, refer to FIG. 3.
  • In step 1202, one or more of the following processes may be performed:
  • the UE may transmit one or more of the following information to the Satellite:
  • ▪ ID.UE: UE ID.
  • the above information is included in the PAM held by the Satellite, and may be an identifier that allows the Satellite to identify the UE.
  • ▪ RN.UE: A random number generated by the UE for additional authentication of the terminal and satellite.
  • In step 1203, one or more of the following processes may be performed:
  • - Satellite can perform one or more of the following processes:
  • ▪ Satellite can obtain K SAT,UE of the UE that transmitted the ID by searching PAM using the received ID.UE.
  • ▪ Satellite can generate an authentication value SIG.SAT for RN.UE (and/or Nonce and/or RN.SAT) using the above-obtained K SAT,UE .
  • K SAT,UE may be used as the credential for generating the authentication value, or another value derived from K SAT,UE may be used.
  • RN.UE, which is the target of authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ Nonce: The Nonce value included in the PAM held by the Satellite; it may be different for each UE, or may be the same value for all UEs.
  • ▪ RN.SAT: A random number generated by the Satellite for additional authentication between the terminal and the satellite.
  • the random value may be different for each UE or may be the same for all UEs.
  • In step 1204, one or more of the following processes may be performed:
  • the UE may perform one or more of the following processes:
  • the UE can authenticate the satellite by verifying the validity of the received SIG.SAT.
  • the UE can create K SAT,UE using the K UE it owns and the information (ID.SAT and/or Nonce) received in step 1.
  • the UE can generate an authentication value SIG.UE for RN.SAT using the above-mentioned K SAT,UE .
  • K SAT,UE may be used as the credential for generating the authentication value, or another value derived from K SAT,UE may be used.
  • RN.SAT, which is the source of the authentication value generation, may be encrypted using the above-mentioned credential or may be integrity protected in the form of a message authentication code.
  • the UE may transmit one or more of the following information to the Satellite:
  • - Satellite can perform one or more of the following processes:
  • the satellite can verify the validity of the SIG.UE transmitted by the UE using the K SAT,UE acquired above. Through the above process, the satellite can authenticate the terminal.
  • At least one operation illustrated in FIG. 12 can be used in STEP 1 of FIG. 6 or STEP 1 of FIG. 8. According to one embodiment, at least one operation illustrated in FIG. 12 can also be applied to STEP 3 of FIG. 6 or STEP 3 of FIG. 8. According to one embodiment, when at least one operation illustrated in FIG. 12 is applied, some of the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described may be changed as follows. (Operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that are not described below are identical to operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that have already been described.)
  • STEP 3 of FIG. 6 can be composed of the sequential progression of ‘Step 603 of FIG. 6’ and ‘Steps 505 to 509 of FIG. 5’.
  • the embodiment of FIG. 12 can be applied to STEP3 of FIG. 6 in a manner described below.
  • step 1201 of FIG. 12 may be performed before step 603 of FIG. 6 is performed.
  • steps 603 of FIG. 6 and 1202 of FIG. 12 may be combined as follows:
  • the UE may transmit the message described in step 603 of FIG. 6 to the satellite.
  • the UE may further transmit the message described in step 1202 of FIG. 12 to the satellite.
  • step 603 of FIG. 6, step 505 of FIG. 5 and step 1203 of FIG. 12 may be combined as follows:
  • the satellite may transmit the message described in step 505 of FIG. 5 to the UE.
  • the satellite may further transmit the message described in step 1203 of FIG. 12 to the UE.
  • the message described in step 505 of FIG. 5 may further be included in the source for generating SIG.SAT described in step 1203 of FIG. 12.
  • step 603 of FIG. 6, step 507 of FIG. 5 and step 1204 of FIG. 12 may be combined as follows:
  • the UE may transmit the message described in step 507 of FIG. 5 to the satellite.
  • the UE may further transmit the message described in step 1204 of FIG. 12 to the satellite.
  • the message described in step 507 of FIG. 5 may further be included in the source for generating SIG.UE described in step 1204 of FIG. 12.
  • STEP 3 of FIG. 8 can be composed of the sequential progression of ‘Step 803 of FIG. 8’ and ‘Steps 707 to 714 of FIG. 7’.
  • the embodiment of FIG. 12 can be applied to STEP3 of FIG. 8 in a manner described below.
  • step 1201 of FIG. 12 may be performed before step 803 of FIG. 8 is performed.
  • steps 803 of FIG. 8 and 1202 of FIG. 12 may be combined as follows:
  • the UE may transmit the message described in step 803 of FIG. 8 to the satellite.
  • the UE may further transmit the message described in step 1202 of FIG. 12 to the satellite.
  • step 803 of FIG. 8, step 707 of FIG. 7 and step 1203 of FIG. 12 may be combined as follows:
  • the satellite may transmit the message described in step 707 of FIG. 7 to the UE.
  • the satellite may further transmit the message described in step 1203 of FIG. 12 to the UE.
  • the message described in step 707 of FIG. 7 may further be included in the source for generating SIG.SAT described in step 1203 of FIG. 12.
  • step 803 of FIG. 8, step 709 of FIG. 7 and step 1204 of FIG. 12 may be combined as follows:
  • the UE may transmit the message described in step 709 of FIG. 7 to the satellite.
  • the UE may further transmit the message described in step 1204 of FIG. 12 to the satellite.
  • the message described in step 709 of FIG. 7 may further be included in the source for generating SIG.UE described in step 1204 of FIG. 12.
  • FIG. 13 is another diagram illustrating an additional authentication process performed between a terminal and a satellite to enhance security during the terminal and network authentication process of a satellite communication system according to an embodiment of the present disclosure.
  • FIG. 13 may be a process corresponding to the Attach Request Procedure of FIG. 6 or FIG. 8.
  • the definitions of the UE and Satellite may follow the definitions disclosed in FIG. 6 and FIG. 8.
  • the additional authentication process of Fig. 13 may be as follows.
  • In step 1301, one or more of the following processes may be performed:
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ ID.SAT: Satellite ID.
  • the above ID may be the Satellite ID used to derive the PAM information held by the Satellite.
  • ▪ PAM: For a description of PAM, refer to FIG. 3.
  • In step 1302, one or more of the following processes may be performed:
  • the UE may transmit one or more of the following information to the Satellite:
  • ▪ ID.UE: UE ID.
  • the above information is included in the PAM held by the Satellite, and may be an identifier that allows the Satellite to identify the UE.
  • In step 1303, one or more of the following processes may be performed:
  • - Satellite can perform one or more of the following processes:
  • ▪ Satellite can obtain K SAT,UE of the UE that transmitted the ID by searching PAM using the received ID.UE.
  • Satellite can generate a value SIG.SAT that can verify itself using the K SAT,UE obtained above.
  • K SAT,UE may be used as a credential for generating an authentication value, or another value derived from K SAT,UE may be used.
  • an arbitrary value (and/or nonce) that guarantees the refreshability of the current session (and can prevent replay attacks) can be used as the source of authentication value generation.
  • the source of authentication value generation in the above process can be the current time information. If the current time information is used, various verification mechanisms utilizing it can be utilized. For example, the verifier can verify whether the received time information is acceptable within a certain error range, and if the received time information is within the acceptable error range, the content of the information can be determined to be valid.
  • the source of authentication value generation can be encrypted using the above-mentioned credential or integrity protected in the form of a message authentication code.
  • - Satellite may transmit one or more of the following information to UE:
  • ▪ Nonce: The Nonce value included in the PAM held by the Satellite; it may be different for each UE, or may be the same value for all UEs.
  • In step 1304, one or more of the following processes may be performed:
  • the UE may perform one or more of the following processes:
  • the UE can authenticate the satellite by verifying the validity of the received SIG.SAT.
  • the UE can create K SAT,UE using the K UE it owns and the information (ID.SAT and/or Nonce) received in step 1.
  • the UE can generate a value SIG.UE that can verify itself using the above-generated K SAT,UE .
  • K SAT,UE may be used as a credential for generating an authentication value, or another value derived from K SAT,UE may be used.
  • any arbitrary value that guarantees the refreshability of the current session (and can prevent replay attacks) can be used as the source of authentication value generation.
  • the source of authentication value generation in the above process may be the current time information. If current time information is used, various verification mechanisms utilizing it can be utilized. For example, the verifier can verify whether the received time information is acceptable within a certain error range. If the received time information falls within the acceptable error range, the content of the information can be deemed valid.
  • the source of authentication value generation can be encrypted using the above-mentioned credential or integrity protected in the form of a message authentication code.
  • the UE may transmit one or more of the following information to the Satellite:
  • - Satellite can perform one or more of the following processes:
  • the satellite can verify the validity of the SIG.UE transmitted by the UE using the K SAT,UE acquired above. Through the above process, the satellite can authenticate the terminal.
  • At least one operation illustrated in FIG. 13 can be used in STEP 1 of FIG. 6 or STEP 1 of FIG. 8. According to one embodiment, at least one operation illustrated in FIG. 13 can also be applied to STEP 3 of FIG. 6 or STEP 3 of FIG. 8. According to one embodiment, when at least one operation illustrated in FIG. 13 is applied, some of the operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' already described may be changed as follows. (Operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that are not described below are identical to operations of 'STEP 3 of FIG. 6 or STEP 3 of FIG. 8' that have already been described.)
  • STEP 3 of FIG. 6 can be composed of the sequential progression of ‘Step 603 of FIG. 6’ and ‘Steps 505 to 509 of FIG. 5’.
  • FIG. 13 can be applied to STEP3 of FIG. 6 in a manner described below.
  • step 1301 of FIG. 13 may be performed before step 603 of FIG. 6 is executed.
  • steps 603 of FIG. 6 and 1302 of FIG. 13 may be combined as follows:
  • the UE may transmit the message described in step 603 of FIG. 6 to the satellite.
  • the UE may further transmit the message described in step 1302 of FIG. 13 to the satellite.
  • step 603 of FIG. 6, step 505 of FIG. 5 and step 1303 of FIG. 13 may be combined as follows:
  • the satellite may transmit the message described in step 505 of FIG. 5 to the UE.
  • the satellite may further transmit the message described in step 1303 of FIG. 13 to the UE.
  • the message described in step 505 of FIG. 5 may further be included in the source for generating SIG.SAT described in step 1303 of FIG. 13.
  • step 603 of FIG. 6, step 507 of FIG. 5 and step 1304 of FIG. 13 may be combined as follows:
  • the UE may transmit the message described in step 507 of FIG. 5 to the satellite.
  • the UE may further transmit the message described in step 1304 of FIG. 13 to the satellite.
  • the message described in step 507 of FIG. 5 may further be included in the source for generating SIG.UE described in step 1304 of FIG. 13.
  • STEP 3 of FIG. 8 can be composed of the sequential progression of ‘Step 803 of FIG. 8’ and ‘Steps 707 to 714 of FIG. 7’.
  • FIG. 13 can be applied to STEP 3 of FIG. 8 in a manner described below.
  • step 1301 of FIG. 13 may be performed before step 803 of FIG. 8 is performed.
  • steps 803 of FIG. 8 and 1302 of FIG. 13 may be combined as follows:
  • the UE may transmit the message described in step 803 of FIG. 8 to the satellite.
  • the UE may further transmit the message described in step 1302 of FIG. 13 to the satellite.
  • step 707 of FIG. 7 may be combined as follows:
  • the satellite may transmit the message described in step 707 of FIG. 7 to the UE.
  • the satellite may further transmit the message described in step 1303 of FIG. 13 to the UE.
  • the message described in step 707 of FIG. 7 may further be included in the source for generating SIG.SAT described in step 1303 of FIG. 13.
  • step 709 of FIG. 7 may be combined as follows:
  • the UE may transmit the message described in step 709 of FIG. 7 to the satellite.
  • the UE may further transmit the message described in step 1304 of FIG. 13 to the satellite.
  • the message described in step 709 of FIG. 7 may further be included in the source for generating SIG.UE described in step 1304 of FIG. 13.
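The three-message exchange of the disclosure (satellite identifier plus random number; UE identifier, authentication value and random number; satellite authentication value over the second message), together with the time-window check and replay protection described for the source of authentication value generation, as an added Python example that is not code from the patent: the K_SAT,UE value, the 30-second tolerance, the identifiers, the message layout and the use of HMAC-SHA256 as the message authentication code are all assumptions made here.

```python
import hashlib, hmac, os, time

# Constructed shared key K_SAT,UE and clock tolerance: assumptions for this example.
K_SAT_UE = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_SKEW = 30  # seconds of error the verifier accepts on the received time field

def auth_value(key, *fields):
    """MAC over the authentication source. Each field is length-prefixed so the
    concatenation of ID, random number and time cannot be re-split ambiguously."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def msg1_from_satellite(sat_id):
    """First message: satellite identifier and a fresh random number RAND.SAT."""
    return {"sat_id": sat_id, "rand_sat": os.urandom(16)}

def msg2_from_ue(key, ue_id, msg1, now=None):
    """Second message: UE identifier, RAND.UE, current time and SIG.UE computed
    over the first message plus the UE's own freshness values."""
    rand_ue = os.urandom(16)
    t = int(time.time() if now is None else now).to_bytes(8, "big")
    sig_ue = auth_value(key, msg1["sat_id"], msg1["rand_sat"], ue_id, rand_ue, t)
    return {"ue_id": ue_id, "rand_ue": rand_ue, "time": t, "sig_ue": sig_ue}

def msg3_from_satellite(key, msg1, msg2, seen, now=None):
    """Satellite side: check the time window, verify SIG.UE, reject a replayed
    RAND.UE, then answer with SIG.SAT over the second message. None on failure."""
    now = int(time.time() if now is None else now)
    if abs(now - int.from_bytes(msg2["time"], "big")) > MAX_SKEW:
        return None  # time source outside the acceptable error range
    expected = auth_value(key, msg1["sat_id"], msg1["rand_sat"],
                          msg2["ue_id"], msg2["rand_ue"], msg2["time"])
    if not hmac.compare_digest(expected, msg2["sig_ue"]):
        return None  # UE is not authenticated
    if (msg2["ue_id"], msg2["rand_ue"]) in seen:
        return None  # second message replayed within the session window
    seen.add((msg2["ue_id"], msg2["rand_ue"]))
    return {"sig_sat": auth_value(key, msg2["ue_id"], msg2["rand_ue"],
                                  msg2["time"], msg2["sig_ue"])}

def ue_verify_msg3(key, msg2, msg3):
    """UE side: recompute SIG.SAT over its own second message and compare."""
    expected = auth_value(key, msg2["ue_id"], msg2["rand_ue"], msg2["time"], msg2["sig_ue"])
    return hmac.compare_digest(expected, msg3["sig_sat"])

def run_exchange(seen=None, ue_time=None, sat_time=None):
    """Full three-message exchange; True only if both sides authenticate."""
    seen = set() if seen is None else seen
    m1 = msg1_from_satellite(b"SAT-01")  # constructed identifiers
    m2 = msg2_from_ue(K_SAT_UE, b"UE-42", m1, ue_time)
    m3 = msg3_from_satellite(K_SAT_UE, m1, m2, seen, sat_time)
    return m3 is not None and ue_verify_msg3(K_SAT_UE, m2, m3)
```

Passing the same second message to the satellite twice, or a time value outside the tolerance, makes msg3_from_satellite return None, which is the verifier-side outcome the disclosure describes for the freshness checks.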
  • FIG. 14 is a diagram showing the configuration of a UE according to one embodiment of the present disclosure.
  • the UE of the present disclosure may include a transceiver (1410), a memory (1420), and a processor (1430).
  • the processor (1430), the transceiver (1410), and the memory (1420) of the UE may operate according to the aforementioned UE communication method.
  • the components of the UE are not limited to the examples described above.
  • the UE may include more or fewer components than the aforementioned components.
  • the processor (1430), the transceiver (1410), and the memory (1420) may be implemented in the form of a single chip.
  • the transceiver (1410) is a general term for the receiver and transmitter of the UE, and can transmit and receive signals with a base station or various network entities.
  • the signals transmitted and received with the base station may include control information and data.
  • the transceiver (1410) may be configured with an RF (radio frequency) transmitter that up-converts and amplifies the frequency of a transmitted signal, and an RF receiver that low-noise amplifies and frequency-downconverts the received signal.
  • the transceiver (1410) may include wired and wireless transceivers, and may include various configurations for transmitting and receiving signals.
  • the transceiver (1410) may receive a signal through a wireless channel, output it to the processor (1430), and transmit the signal output from the processor (1430) through the wireless channel.
  • the transceiver (1410) can receive a communication signal and output it to the processor, and transmit the signal output from the processor to various network entities via a wired or wireless network.
  • the memory (1420) can store programs and data required for the operation of the UE. In addition, the memory (1420) can store control information or data included in signals acquired from the UE.
  • the memory (1420) can be configured as a storage medium or a combination of storage media, such as a ROM, a RAM, a hard disk, a CD-ROM, and a DVD.
  • the processor (1430) can control a series of processes so that the UE can operate according to the embodiments of the present disclosure described above.
  • the processor (1430) may include at least one processor.
  • the processor (1430) may include a communication processor (CP) that performs control for communication and an application processor (AP) that controls upper layers such as application programs.
  • FIG. 15 is a diagram showing the configuration of an entity according to one embodiment of the present disclosure.
  • a network entity of the present disclosure may include a transceiver (1510), a memory (1520), and a processor (1530).
  • the processor (1530), the transceiver (1510), and the memory (1520) of the network entity may operate according to the communication method of the network entity described above.
  • the components of the network entity are not limited to the examples described above.
  • the network entity may include more or fewer components than the components described above.
  • the processor (1530), the transceiver (1510), and the memory (1520) may be implemented in the form of a single chip.
  • the network entity may include a Satellite, GN, a base station, or other network devices described above with reference to FIGS. 1 to 13.
  • the transceiver (1510) is a general term for the receiver and transmitter of a network entity, and can transmit and receive signals with a terminal or other network entities. At this time, the transmitted and received signals may include control information and data. To this end, the transceiver (1510) may be configured with an RF transmitter that up-converts and amplifies the frequency of a transmitted signal, and an RF receiver that low-noise amplifies and frequency-converts the received signal. However, this is only an example of the transceiver (1510), and the components of the transceiver (1510) are not limited to the RF transmitter and RF receiver. The transceiver (1510) may include wired and wireless transceivers, and may include various configurations for transmitting and receiving signals.
  • the transceiver (1510) may receive a signal through a communication channel (e.g., a wireless channel) and output it to the processor (1530), and transmit the signal output from the processor (1530) through the communication channel.
  • the transceiver (1510) may receive a communication signal and output it to the processor, and transmit the signal output from the processor to a terminal or network entity through a wired or wireless network.
  • the memory (1520) can store programs and data necessary for the operation of the network entity. Furthermore, the memory (1520) can store control information or data included in signals acquired from the network entity.
  • the memory (1520) can be configured as a storage medium, such as a ROM, a RAM, a hard disk, a CD-ROM, a DVD, or a combination of storage media.
  • the processor (1530) may control a series of processes to enable a network entity to operate according to the embodiments of the present disclosure described above.
  • the processor (1530) may include at least one processor.
  • FIGS. 1 to 13 are not intended to limit the scope of the embodiments of the present disclosure. That is, not all components, entities, or operational steps described in FIGS. 1 to 10 should be construed as essential components for the implementation of the disclosure, and implementations may be made within a scope that does not detract from the essence of the disclosure even if only some components are included.
  • the operations of the embodiments described above can be realized by providing a memory device storing the corresponding program code in any component within the device. That is, the control unit within the device can execute the operations described above by reading and executing the program code stored in the memory device through a processor or a CPU (Central Processing Unit).
  • the various components and modules of the entity or terminal device described in the present disclosure may be operated using hardware circuits, such as logic circuits based on complementary metal oxide semiconductors, firmware, software, and/or hardware and firmware and/or software embedded in a machine-readable medium.
  • various electrical structures and methods may be implemented using electrical circuits such as transistors, logic gates, and application-specific semiconductors.
  • a computer-readable storage medium storing one or more programs (software modules) may be provided.
  • the one or more programs stored in the computer-readable storage medium are configured for execution by one or more processors within an electronic device.
  • the one or more programs include instructions that cause the electronic device to execute methods according to embodiments described in the claims or specification of the present disclosure.
  • programs may be stored in random access memory, non-volatile memory including flash memory, read only memory (ROM), electrically erasable programmable read only memory (EEPROM), magnetic disc storage devices, compact disc-ROMs (CD-ROMs), digital versatile discs (DVDs) or other forms of optical storage devices, magnetic cassettes, or may be stored in memories formed by a combination of some or all of these.
  • each configuration memory may include multiple copies.
  • the program may be stored on an attachable storage device that is accessible via a communication network, such as the Internet, an intranet, a local area network (LAN), a wide area network (WAN), a storage area network (SAN), or a combination thereof.
  • a storage device may be connected to a device implementing an embodiment of the present disclosure via an external port.
  • a separate storage device on the communication network may be connected to a device implementing an embodiment of the present disclosure.

Abstract

The present disclosure relates to a 5G or 6G communication system for supporting a higher data transmission rate. An operating method of a user equipment (UE) in a wireless communication system, according to one embodiment of the present disclosure, may include: receiving a first message from a satellite, the first message including an identifier of the satellite and a first random number generated by the satellite for additional authentication between the UE and the satellite; transmitting a second message to the satellite, the second message including an identifier of the UE, an authentication value generated by the UE on the basis of the first message, and a second random number generated by the UE for additional authentication between the UE and the satellite; and receiving a third message from the satellite, the third message including an authentication value generated by the satellite on the basis of the second message.
PCT/KR2025/006240 2024-05-10 2025-05-09 Method and apparatus for improving authentication of satellite communication Pending WO2025234814A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR20240062082 2024-05-10
KR10-2024-0062082 2024-05-10
KR10-2024-0113060 2024-08-22
KR1020240113060A KR20250162280A (ko) 2024-05-10 2024-08-22 Method and apparatus for improving authentication of satellite communication

Publications (1)

Publication Number Publication Date
WO2025234814A1 true WO2025234814A1 (fr) 2025-11-13

Family

ID=97675477

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2025/006240 Pending WO2025234814A1 (fr) 2024-05-10 2025-05-09 Method and apparatus for improving authentication of satellite communication

Country Status (1)

Country Link
WO (1) WO2025234814A1 (fr)
