WO2018227431A1 - Methods and computing device for obtaining a security key for access to a wireless network - Google Patents
- Publication number
- WO2018227431A1 (application PCT/CN2017/088255)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computing device
- key
- amf
- next hop
- hop value
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
Abstract
A method for obtaining a security key for access to a wireless network involves a first computing device executing a communication function (e.g., an access mobility management function or a security anchor function) and carrying out the following actions: deriving an access mobility management function key from a communication function key (e.g., an initial access mobility management function key or a security access function key), and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
Description
The present disclosure is related generally to wireless networks and, more particularly, to a method and computing device for deriving a key for access to a wireless network.
In currently proposed systems, under currently proposed security schemes for next generation wireless communication networks, whenever the AMF serving a UE changes, the AMF security key (“KAMF”) also changes. This change in KAMF means that the next hop security key (“NH”) will also change. Thus, the AMF will need to obtain a value for KAMF from the SEAF, derive the security key for the RAN (“KAN”) and the NH from KAMF, and send those keys to the BS to which the UE is attaching.
DRAWINGS
While the appended claims set forth the features of the present techniques with particularity, these techniques, together with their objects and advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:
FIG. 1 is a diagram of a system in which various embodiments of the disclosure are implemented.
FIG. 2 shows an example hardware architecture, according to an embodiment.
FIG. 3 is a message flow diagram of a currently proposed attach procedure.
FIG. 4 is a message flow diagram of a currently proposed idle mobility scenario.
FIG. 5 is a message flow diagram of an attach procedure according to an embodiment.
FIG. 6, FIG. 7, and FIG. 8 are message flow diagrams of idle mobility procedures, according to various embodiments.
FIG. 9 is a message flow diagram of a handover procedure, according to an embodiment.
A method for obtaining a security key for access to a wireless network involves a first computing device executing a communication function (e.g., an access mobility management function or a security anchor function) and carrying out the following actions: deriving an access mobility management function key from a communication function key (e.g., an initial access mobility management function key or a security access function key), and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
In an embodiment, the first computing device derives the next hop value from the communication function key, derives a network access key from the communication function key, and derives the next hop value from the network access key.
According to an embodiment, the second computing device transmits the next hop value and the network access key to a communication node, derives a second network access key from the next hop value, and transmits the next hop value and the second network access key to the communication node.
In an embodiment, the second computing device derives a second network access key from the next hop value, derives a second next hop value from the next hop value, and transmits the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
According to an embodiment, the second computing device derives a second network access key from the next hop value, and transmits the second network access key and the next hop value to a third computing device executing a second access and mobility management function.
In an embodiment, the second computing device derives a second access mobility management function key from the access mobility management function key and transmits the second access mobility management function key and the next hop value to a third computing device executing a second access and mobility management function. The third computing device derives a second network access key from the next hop value and transmits the second network access key to a communication node.
Table 1 lists various abbreviations used in the present disclosure, along with their expanded forms.
| Abbreviation | Expansion |
|---|---|
| AMF | Access Mobility Management Function |
| AN | Access Network |
| CN | Core Network |
| BS | Base Station |
| KAMF | AMF Key |
| KAN | AN Key |
| KSEAF | SEAF Key |
| NCC | Next Hop Chaining Counter |
| NG | Next Generation |
| NG-UE | Next Generation User Equipment |
| NH | Next Hop |
| RAN | Radio Access Network |
| SEAF | Security Anchor Function |
| TAU | Tracking Area Update |
| UE | User Equipment |

Table 1
Turning to FIG. 1, an example of a wireless networking environment in which the various techniques described herein may be practiced is shown. The wireless networking environment includes a RAN 102 and a CN 104 (an example of which is a next generation CN). The CN 104 includes one or more computing devices that execute various functions. The computing devices of the CN 104 may be owned and operated by a wireless communication carrier (such as one of the major commercial carriers) or may physically be owned by and reside with a third party (such as a cloud computing service). The functions carried out by the CN 104 may be virtualized.
The RAN 102 includes multiple network communication nodes, represented by nodes 106 and 108, each of which is depicted as a BS (and will be referred to as such in parts of this disclosure as the “first BS” and “second BS” or the Source BS and the Target BS). FIG. 1 also depicts a UE 116, which is capable of communicating over the RAN 102. The area of coverage of each of the nodes is indicated by a dashed circle and, in some embodiments, this area is known as a “cell.” The UE 116 shown in FIG. 1 is meant to be representative, and many UEs may in fact communicate over the RAN 102 at the same time or at different times. The UE 116 will sometimes be referred to herein as an NG-UE.
Continuing with FIG. 1, the core network 104 includes a first AMF 110 (i.e., a computing device executing software that constitutes the AMF), an SEAF or initial AMF 112 (i.e., a computing device executing software that constitutes the SEAF), and a second AMF 114. In some embodiments, the functions of the SEAF are carried out by an AMF (the initial AMF). This is denoted in FIG. 1 and the following figures by the label “SEAF or initial AMF.” In those instances where either an AMF or an SEAF may be employed to take an action, the general term “communication function” may be used. Each AMF carries out one or more of the following procedures in support of the RAN 102: registration management, connection management, reachability management and mobility management. Each AMF also carries out access authentication and access authorization, acts as the non-access stratum security termination, and relays the session management between the UE 116 and various other components of the CN 104. In some of the examples that follow, the first AMF 110 will sometimes be referred to as the “old AMF” or the “Source AMF,” and the second AMF will be referred to as the “new AMF” or “Target AMF.” It is to be understood that these designations are purely to facilitate the description, and that any AMF may fulfill different roles during different operations.
The SEAF 112 performs UE authentication for connection via different access networks. In the course of doing so, the SEAF 112 stores the security context for UEs that communicate on the RAN 102, such as the UE 116. The SEAF 112 maintains a security anchor key (which acts as an authentication session root key) referred to herein as KSEAF. Other keys that will be referred to herein are the KAN and the NH, which are keys provided to the AN.
Possible implementations of the UE 116 include any device capable of wireless communication, such as a smartphone, tablet, laptop computer, and non-traditional devices (e.g., household appliances or other parts of the “Internet of Things”). Possible implementations of the RAN 102 include a wireless communication network, for example an LTE network or a next generation LTE network.
FIG. 2 illustrates a basic (computing device) hardware architecture implemented by the elements of FIG. 1, including the AMF 110, the SEAF 112, the AMF 114, and the UE 116, according to an embodiment. The elements of FIG. 1 have other components as well. The hardware architecture depicted in FIG. 2 includes logic circuitry 202, memory 204, transceiver 206, and one or more antennas represented by antenna 208. The memory 204 may be or include a buffer that, for example, holds incoming transmissions until the logic circuitry is able to process the transmission. Each of these elements is communicatively linked to one another via one or more data pathways 210. Examples of data pathways include wires, conductive pathways on a microchip, and wireless connections.
The term “logic circuitry” as used herein means a circuit (a type of electronic hardware) designed to perform complex functions defined in terms of mathematical logic. Examples of logic circuitry include a microprocessor, a controller, or an application-specific integrated circuit. When the present disclosure refers to a device carrying out an action, it is to be understood that this can also mean that logic circuitry integrated with the device is, in fact, carrying out the action.
Possible implementations of the memory 204 include: volatile data storage, nonvolatile data storage, electrical memory, magnetic memory, optical memory, random access memory (“RAM”), cache memory, and hard drives.
Turning to FIG. 3, under currently proposed security schemes for next generation networks, whenever the AMF serving a UE changes, the AMF security key (“KAMF”) also changes. This change in KAMF means that the next hop security key (“NH”) will also change. Thus, the AMF will need to obtain a value for KAMF from the SEAF or the initial AMF (which may carry out the SEAF functions), derive the security key for the RAN (“KAN”) and the NH from KAMF, and send those keys to the BS to which the UE is attaching. An example of an attachment procedure that uses this process will now be described, with reference to the devices depicted in FIG. 1. Note that this example assumes that the UE and the SEAF share the same KSEAF. Also note that, in those instances where either KSEAF or the initial KAMF may be used, the two types of keys are encompassed by the general term “communication key.”
At 302, the UE 116 sends an Attach Request message to the AMF 110 via the first BS 106. At 304, the AMF 110 sends a Key Request message to the SEAF 112. At 306, the SEAF 112 derives the KAMF from KSEAF (or the initial AMF 112 derives the KAMF from the initial KAMF). At 308, the SEAF 112 sends a Key Response message including the KAMF to the AMF 110. At 310, the AMF 110 derives KAN for network access and NH for handover from KAMF. At 312, the AMF 110 sends an Initial UE Context Setup message including the KAN and the NH to the BS 106. At 314, the BS 106 sends an Attach Accept message to the UE 116. The UE 116 uses the same rule to derive KAMF, KAN, and NH as the other components in FIG. 3, so that the UE 116 and the RAN 102 can interact correctly.
Turning to FIG. 4, a currently proposed scheme for handling security keys during a transition from one AMF to another will now be described. It will be assumed that the UE 116 has attached to the network, so the UE 116 and the Old AMF 110 share the same KAMF. At 402, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 106. At 404, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 406, the Old AMF 110 uses keys derived from KAMF (the “first AMF key”) to verify the integrity of the TAU Request message and, if successful, derives KAMF* (the “second AMF key”) from KAMF. At 408, the Old AMF 110 sends a Forward TAU Accept message including KAMF* to the New AMF 114. At 410, the New AMF 114 sets KAMF = KAMF* and derives KAN and NH from the new KAMF. At 412, the New AMF sends an Initial UE Context Setup message including the KAN and NH to the BS. At 414, the BS sends a TAU Accept message to the UE. The UE uses the same rule to derive KAMF*, KAN, and NH, so that the UE and the network can interact correctly.
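The currently proposed flows of FIG. 3 and FIG. 4, simulated so that the UE-side and network-side derivations can be compared and the work left to the new AMF can be counted. This is an added example, not code from the patent or from any 3GPP implementation: the KDF (HMAC-SHA256 over a label and the NCC), the labels, the NAS integrity tag used at step 406 and the sample KSEAF are all assumptions, since the patent names only the inputs to each derivation.

```python
"""Currently proposed key flow: FIG. 3 (attach) and FIG. 4 (idle mobility), simulated."""
import hashlib
import hmac
from collections import Counter

KDF_CALLS = Counter()   # KDF invocations per role, so the per-AMF derivation work can be checked


def kdf(caller, key, label, ncc=None):
    """HMAC-SHA256 key derivation. The function and labels are assumptions; the patent names only the inputs."""
    msg = label.encode() + (ncc.to_bytes(4, "big") if ncc is not None else b"")
    KDF_CALLS[caller] += 1
    return hmac.new(key, msg, hashlib.sha256).digest()


# Constructed sample anchor key shared by UE and SEAF (not a real key).
K_SEAF = hashlib.sha256(b"constructed K_SEAF shared by UE and SEAF").digest()


def derive_from_kamf(caller, k_amf):
    """Rule shared by AMF and UE: KAN for access and NH for handover (NCC starts at 0), both from KAMF."""
    return {"KAMF": k_amf, "KAN": kdf(caller, k_amf, "KAN"), "NH": kdf(caller, k_amf, "NH", ncc=0)}


def attach_fig3(k_seaf):
    """302-314: SEAF derives KAMF, AMF derives KAN and NH and ships them to the BS; the UE mirrors the rule."""
    KDF_CALLS.clear()
    k_amf = kdf("SEAF", k_seaf, "KAMF")            # 306, carried in the Key Response at 308
    network = derive_from_kamf("AMF", k_amf)       # 310, sent to the BS in Initial UE Context Setup at 312
    ue = derive_from_kamf("UE", kdf("UE", k_seaf, "KAMF"))
    return network, ue


def nas_mac(k_amf, message):
    """Integrity tag over a NAS message under a key derived from KAMF (assumed NAS integrity key)."""
    k_int = kdf("NAS", k_amf, "NASint")
    return hmac.new(k_int, message, hashlib.sha256).digest()[:16]


def idle_mobility_fig4(old_ctx, ue_ctx, tau_request, tag):
    """402-414: the old AMF checks the TAU Request with KAMF-derived keys, derives KAMF* and forwards only
    KAMF*; the new AMF then derives KAN and NH itself. Returns None when the integrity check fails."""
    KDF_CALLS.clear()
    if not hmac.compare_digest(nas_mac(old_ctx["KAMF"], tau_request), tag):   # 406: verify before deriving
        return None
    k_amf_star = kdf("OldAMF", old_ctx["KAMF"], "KAMF*")                       # 406
    new_amf = derive_from_kamf("NewAMF", k_amf_star)                            # 408 forward, 410 derive
    ue = derive_from_kamf("UE", kdf("UE", ue_ctx["KAMF"], "KAMF*"))             # UE applies the same rule
    return new_amf, ue, KDF_CALLS["NewAMF"]


if __name__ == "__main__":
    net, ue = attach_fig3(K_SEAF)
    req = b"TAU Request (constructed)"
    new_amf, ue2, calls = idle_mobility_fig4(net, ue, req, nas_mac(ue["KAMF"], req))
    print("UE and network agree:", new_amf == ue2, "| KDF calls on new AMF:", calls)
```

The counter is the point of the simulation: under this scheme the new AMF performs two derivations of its own (KAN and NH) on every AMF change, which is the cost the embodiments below remove. The integrity check at 406 returns early on a tampered request, so no KAMF* is derived or forwarded for a request the old AMF could not authenticate.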
According to an embodiment, the AMF does not derive KAN and NH from KAMF, but rather receives KAN and NH from the SEAF. This reduces the amount of computing resources
required by the AMF. An example an an attach procedure that implements this embodiment is shown in FIG. 5. At 502, the UE 116 sends an Attach Request message to the AMF 110 via the BS 106. At 504, the AMF 110 sends a Key Request message to the SEAF 112. At 506, the SEAF 112 derives KAN and NH from KSEAF. In other words, the inputs to the KAN derivation function include KSEAF, the inputs to the NH derivation function includes KSEAF or KAN and, for example, an NCC start from, for example, 0. At 508, the SEAF 112 sends a Key Response message containing KAN and NH in addition to KAMF to the AMF 110.
According to an embodiment, when the AMF changes, the new AMF does not need to derive NH, but rather receives NH from the old AMF. This reduces the amount of computing resources required by the new AMF. An example an idle mobility procedure that implements this embodiment is shown in FIG. 6. At 602, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 104. At 604, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 606, the Old AMF 110 uses keys derived from KAMF to verify the integrity of the TAU Request message, and, if successful, derives KAMF*from KAMF. At 608, the Old AMF 110 sends a Forward TAU Accept message, which includes NH as well as KAMF*, to the New AMF 114. At 610, the New AMF 114 derives KAN from NH instead of KAMF*, i.e., the inputs to the KAN derivation function include NH and, for example, the NCC of the received UE packet.
Turning to FIG. 7, another idle mobility procedure according to an embodiment will now be described. At 702, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 104. At 704, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 706, the Old AMF 110 derives KAN* (a “second access network key, ” with KAN constituting the “first network access key” ) from NH, i.e., the inputs to the KAN*derivation function includes NH and NCC of the received UE packet. At 708, the Old AMF 110 sends a Forward TAU Accept message that includes KAN*as well as KAMF*and NH to the New AMF 114. At 710, the New AMF 114 sets KAN = KAN* (instead of having to derive KAN from NH, as has been proposed previously) .
Turning to FIG. 8, another idle mobility procedure according to an embodiment will now be described. At 802, UE sends a TAU Request message to a new AMF (AMF 114 in this
example) via the BS 106. At 804, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 806, the Old AMF 110 derives NH* (a “second next-hop key” ) from NH (the “first next-hop key” ) , i.e., the inputs to the NH*derivation function include NH and NCC. At 808, the Old AMF 110 sends a Forward TAU Accept message that includes NH*as well as KAMF*and KAN*to the New AMF. At 810, the New AMF 114 sets NH = NH*.
Turning to FIG. 9, a handover procedure carried out according to an embodiment will now be described. In this embodiment, the Source AMF derives NH* from NH and sends NH* to the Target AMF, and the Target AMF sends NH* to the Target BS. At 902, the Source BS 106 transmits a Handover Required message to the Source AMF 110. At 904, the Source AMF 110 derives KAMF* from KAMF, and derives NH* from NH. At 906, the Source AMF 110 transmits a Forward Relocation Request message (containing KAMF* and {NH* or NCC}) to the Target AMF 114. At 908, the Target AMF 114 replaces KAMF with KAMF*. At 910, the Target AMF 114 transmits a Handover Request (containing {NH* or NCC}) to the Target BS 108. At 912, the Target BS 108 transmits a Handover Request ACK message containing the NCC to the Target AMF 114. At 914, the Target AMF 114 transmits a Forward Relocation Response message containing the NCC to the Source AMF 110. At 916, the Source AMF 110 transmits a Handover Command message containing the NCC and the AMF (along with an “AMF changed” indicator) to the Source BS 106 (as the Handover Command message will be delivered to the UE, the “AMF changed” indication will prompt the UE to derive KAMF*). At 918, the Source BS 106 transmits a Handover Command message containing the NCC and the AMF changed indicator to the UE 116. At 920, the UE 116 derives KAMF* from KAMF and replaces KAMF with KAMF*. At 922, the UE 116 transmits a Handover Confirm message to the Target BS 108. At 924, the Target BS 108 transmits a Handover Notify message to the Target AMF 114. The UE 116 also derives KAN or NH according to the NCC.
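The following is an added toy model of the key handling in the idle mobility procedures of FIGs. 6 to 8 and the handover procedure of FIG. 9; it is illustrative code written for this page, not the patent's or 3GPP's implementation. The KDF (HMAC-SHA256 over a label and length-prefixed inputs), the labels, the sample KAMF/NH/NCC values and the message shapes are all assumptions. What it shows is the property the text relies on: the New or Target AMF is constructed only from KAMF* and next-hop material, never from the Old AMF's KAMF, and the UE, holding KAMF and NH, arrives at the same KAMF*, NH and KAN as the network side in each variant.

```python
"""Toy model of NH-based key handling in FIGs. 6 to 9 (added example).
All derivation functions and constants below are assumptions, not the
patent's or 3GPP's definitions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Placeholder one-way KDF: HMAC-SHA256 over a label and
    length-prefixed inputs (assumption standing in for the 3GPP KDF)."""
    msg = label + b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def ncc_bytes(ncc: int) -> bytes:
    return ncc.to_bytes(1, "big")


def derive_kamf_star(kamf: bytes) -> bytes:
    """KAMF* from KAMF (steps 606, 706, 806, 904, 920)."""
    return kdf(kamf, b"KAMF*")


def derive_kan(nh: bytes, ncc: int) -> bytes:
    """KAN from NH and NCC (steps 610, 706)."""
    return kdf(nh, b"KAN", ncc_bytes(ncc))


def derive_nh_star(nh: bytes, ncc: int) -> bytes:
    """NH* from NH and NCC (steps 806, 904)."""
    return kdf(nh, b"NH*", ncc_bytes(ncc))


@dataclass
class Amf:
    name: str
    kamf: bytes
    nh: bytes
    ncc: int
    kan: Optional[bytes] = None


def idle_mobility(old: Amf, new_name: str, variant: str) -> Amf:
    """Forward TAU Request / Forward TAU Accept between Old and New AMF.
    'fig6': New AMF receives NH and derives KAN itself.
    'fig7': Old AMF derives KAN* from NH; New AMF sets KAN = KAN*.
    'fig8': Old AMF also derives NH* from NH; New AMF sets NH = NH*.
    In every variant the New AMF is built only from KAMF* and next-hop
    material; the Old AMF's KAMF never leaves the Old AMF."""
    kamf_star = derive_kamf_star(old.kamf)
    if variant == "fig6":
        new = Amf(new_name, kamf_star, old.nh, old.ncc)
        new.kan = derive_kan(new.nh, new.ncc)            # step 610
    elif variant == "fig7":
        kan_star = derive_kan(old.nh, old.ncc)           # step 706
        new = Amf(new_name, kamf_star, old.nh, old.ncc, kan=kan_star)
    elif variant == "fig8":
        kan_star = derive_kan(old.nh, old.ncc)
        nh_star = derive_nh_star(old.nh, old.ncc)        # step 806
        new = Amf(new_name, kamf_star, nh_star, old.ncc, kan=kan_star)
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return new


def ue_after_idle_mobility(kamf: bytes, nh: bytes, ncc: int, variant: str):
    """UE-side mirror: the UE holds KAMF and NH and recomputes the keys."""
    kamf_star = derive_kamf_star(kamf)
    kan = derive_kan(nh, ncc)
    nh_out = derive_nh_star(nh, ncc) if variant == "fig8" else nh
    return kamf_star, nh_out, kan


def handover(source: Amf, target_name: str):
    """FIG. 9: Source AMF derives KAMF* and NH* (904), Target AMF replaces
    KAMF (908) and passes {NH*, NCC} to the Target BS (910), which derives
    the access key from it."""
    kamf_star = derive_kamf_star(source.kamf)
    nh_star = derive_nh_star(source.nh, source.ncc)
    target = Amf(target_name, kamf_star, nh_star, source.ncc)
    target_bs_kan = derive_kan(nh_star, source.ncc)
    return target, target_bs_kan


def ue_after_handover(kamf: bytes, nh: bytes, ncc: int):
    """Steps 920 onward: prompted by the 'AMF changed' indicator the UE
    derives KAMF*, then the access key according to the NCC."""
    kamf_star = derive_kamf_star(kamf)
    nh_star = derive_nh_star(nh, ncc)
    return kamf_star, derive_kan(nh_star, ncc)


# Constructed sample security context shared by the UE and the Old AMF.
KAMF0 = bytes.fromhex("0f" * 32)
NH0 = bytes.fromhex("a5" * 32)
NCC0 = 1

if __name__ == "__main__":
    old = Amf("AMF 110", KAMF0, NH0, NCC0)
    for v in ("fig6", "fig7", "fig8"):
        new = idle_mobility(old, "AMF 114", v)
        ue_kamf, ue_nh, ue_kan = ue_after_idle_mobility(KAMF0, NH0, NCC0, v)
        print(v, "keys agree:", (new.kamf, new.nh, new.kan) == (ue_kamf, ue_nh, ue_kan))
    target, bs_kan = handover(old, "AMF 114")
    ue_kamf, ue_kan = ue_after_handover(KAMF0, NH0, NCC0)
    print("fig9 keys agree:", target.kamf == ue_kamf and bs_kan == ue_kan)
```

The model deliberately gives the `Amf` object no field for the previous KAMF, so the only way the New AMF can reach a KAN is through the NH it received, which is the separation the embodiments are after; swapping the placeholder `kdf` for a real KDF does not change that structure.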
Any and all of the methods described herein are carried out by or on one or more computing devices. Furthermore, instructions for carrying out any or all of the methods described herein may be stored on a non-transitory, computer-readable medium, such as any of the various types of memory described herein.
It should be understood that the exemplary embodiments described herein should be considered in a descriptive sense only and not for purposes of limitation. Descriptions of features or aspects within each embodiment should typically be considered as available for other similar features or aspects in other embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope thereof as defined by the following claims. For example, the steps of the various methods can be reordered in ways that will be apparent to those of skill in the art.
Claims (17)
- A method for obtaining a security key for access to a wireless network, the method comprising: a first computing device executing a communication function carrying out actions comprising: deriving an access mobility management function key from a communication function key; and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
- The method of claim 1, further comprising deriving the next hop value from the communication function key.
- The method of claim 1, further comprising: deriving a network access key from the communication function key; and deriving the next hop value from the network access key.
- The method of claim 3, further comprising the second computing device transmitting the next hop value and the network access key to a communication node.
- The method of claim 1, further comprising the second computing device: deriving a second network access key from the next hop value; and transmitting the next hop value and the second network access key to the communication node.
- The method of claim 1, further comprising the second computing device: deriving a second network access key from the next hop value; deriving a second next hop value from the next hop value; and transmitting the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
- The method of claim 1, further comprising the second computing device: deriving a second network access key from the next hop value; and transmitting the second network access key and the next hop value to a third computing device executing a second access and mobility management function.
- The method of claim 1, further comprising the second computing device: deriving a second access mobility management function key from the access mobility management function key; transmitting the second access mobility management function key and the next hop value to a third computing device executing a second access and mobility management function; and the third computing device deriving a second network access key from the next hop value; transmitting the second network access key to a communication node.
- The method of claim 1, further comprising the second computing device: deriving a second network access key from the next hop value; transmitting the second network access key and the next hop value to a third computing device executing a second access and mobility management function; and the third computing device transmitting the second network access key and the next hop value to a communication node.
- A non-transitory computer-readable medium having stored thereon computer-executable instructions for carrying out the method of any one of claims 1 through 9.
- A computing device executing a security anchor function, wherein the computing device is configured to carry out actions comprising: deriving an access mobility management function key from a communication function key; and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
- The computing device of claim 11, further configured to carry out actions comprising deriving the next hop value from the communication function key.
- The computing device of claim 11, further configured to carry out actions comprising: deriving a network access key from the communication function key; and deriving the next hop value from the access network key.
- A system comprising the computing device of claim 13 and the second computing device, wherein the second computing device is configured to carry out actions comprising transmitting the next hop value and the network access key to a communication node.
- A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:deriving a second network access key from the next hop value; andtransmitting the next hop value and the second network access key to the communication node.
- A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:deriving a second network access key from the next hop value;deriving a second next hop value from the next hop value; andtransmitting the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
- A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:deriving a second network access key from the next hop value; andtransmitting the second network access key and the next hop value to a third computing device executing a second access mobility management function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2017/088255 WO2018227431A1 (en) | 2017-06-14 | 2017-06-14 | Methods and computing device for obtaining a security key for access to a wireless network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018227431A1 true WO2018227431A1 (en) | 2018-12-20 |
Family
ID=64659799
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018227431A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103139771A (en) * | 2011-11-25 | 2013-06-05 | 中兴通讯股份有限公司 | Key generation method and system in switching process |
US20130294405A1 (en) * | 2012-05-02 | 2013-11-07 | Qualcomm Incorporated | Apparatus and method for a connected mode with reduced signaling |
Events
Date | Event |
---|---|
2017-06-14 | WO PCT/CN2017/088255 patent/WO2018227431A1/en active Application Filing |
Non-Patent Citations (1)
Title |
---|
ZTE ET AL.: "Key hierarchy when using UP security function", 3GPP TSG SA WG3 (SECURITY) MEETING #87 S 3-171054, 19 May 2017 (2017-05-19), XP051269086 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220053325A1 (en) * | 2019-04-28 | 2022-02-17 | Huawei Technologies Co., Ltd. | Information obtaining method and apparatus |
EP3955615A4 (en) * | 2019-04-28 | 2022-05-11 | Huawei Technologies Co., Ltd. | Information acquisition method and device |
US11877150B2 (en) | 2019-04-28 | 2024-01-16 | Huawei Technologies Co., Ltd. | Information obtaining method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17913558; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17913558; Country of ref document: EP; Kind code of ref document: A1 |