WO2018227431A1 - Methods and computing device for obtaining a security key for access to a wireless network - Google Patents


Info

Publication number
WO2018227431A1
Authority
WO
WIPO (PCT)
Prior art keywords
computing device
key
amf
next hop
hop value
Prior art date
Application number
PCT/CN2017/088255
Other languages
French (fr)
Inventor
Zhenhua Xie
Original Assignee
Zte Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information


Abstract

A method for obtaining a security key for access to a wireless network involves a first computing device executing a communication function (e.g., an access mobility management function or a security anchor function) and carrying out the following actions: deriving an access mobility management function key from a communication function key (e.g., an initial access mobility management function key or a security access function key), and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.

Description

METHODS AND COMPUTING DEVICE FOR OBTAINING A SECURITY KEY FOR ACCESS TO A WIRELESS NETWORK
TECHNICAL FIELD
The present disclosure is related generally to wireless networks and, more particularly, to a method and computing device for deriving a key for access to a wireless network.
BACKGROUND
Under currently proposed security schemes for next generation wireless communication networks, whenever the AMF serving a UE changes, the AMF security key (“KAMF”) also changes. This change in KAMF means that the next hop security key (“NH”) will also change. Thus, the AMF will need to obtain a value for KAMF from the SEAF, derive the security key for the RAN (“KAN”) and the NH from KAMF, and send those keys to the BS to which the UE is attaching.
DRAWINGS
While the appended claims set forth the features of the present techniques with particularity, these techniques, together with their objects and advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:
FIG. 1 is a diagram of a system in which various embodiments of the disclosure are implemented.
FIG. 2 shows an example hardware architecture, according to an embodiment.
FIG. 3 is a message flow diagram of a currently proposed attach procedure.
FIG. 4 is a message flow diagram of a currently proposed idle mobility scenario.
FIG. 5 is a message flow diagram of an attach procedure according to an embodiment.
FIG. 6, FIG. 7, and FIG. 8 are message flow diagrams of idle mobility procedures, according to various embodiments.
FIG. 9 is a message flow diagram of a handover procedure, according to an embodiment.
DESCRIPTION
A method for obtaining a security key for access to a wireless network involves a first computing device executing a communication function (e.g., an access mobility management function or a security anchor function) and carrying out the following actions: deriving an access mobility management function key from a communication function key (e.g., an initial access mobility management function key or a security access function key) , and transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
In an embodiment, the first computing device derives the next hop value from the communication function key, derives a network access key from the communication function key, and derives the next hop value from the network access key.
According to an embodiment, the second computing device transmits the next hop value and the network access key to a communication node, derives a second network access key from the next hop value, and transmits the next hop value and the second network access key to the communication node.
In an embodiment, the second computing device derives a second network access key from the next hop value, derives a second next hop value from the next hop value, and transmits the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
According to an embodiment, the second computing device derives a second network access key from the next hop value, and transmits the second network access key and the next hop value to a third computing device executing a second access and mobility management function.
In an embodiment, the second computing device derives a second access mobility management function key from the access mobility management function key and transmits the second access mobility management function key and the next hop value to a third computing device executing a second access and mobility management function. The third computing device derives a second network access key from the next hop value and transmits the second network access key to a communication node.
Table 1 lists various abbreviations used in the present disclosure, along with their expanded forms.
Abbreviation   Expansion
AMF            Access Mobility Management Function
AN             Access Network
CN             Core Network
BS             Base Station
KAMF           AMF Key
KAN            AN Key
KSEAF          SEAF Key
NCC            Next Hop Chaining Counter
NG             Next Generation
NG-UE          Next Generation User Equipment
NH             Next Hop
RAN            Radio Access Network
SEAF           Security Anchor Function
TAU            Tracking Area Update
UE             User Equipment
Table 1
Turning to FIG. 1, an example of a wireless networking environment in which the various techniques described herein may be practiced is shown. The wireless networking environment includes a RAN 102 and a CN 104 (an example of which is a next generation CN). The CN 104 includes one or more computing devices that execute various functions. The computing devices of the CN 104 may be owned and operated by a wireless communication carrier (such as one of the major commercial carriers) or may physically be owned by and reside with a third party (such as a cloud computing service). The functions carried out by the CN 104 may be virtualized.
The RAN 102 includes multiple network communication nodes, represented by nodes 106 and 108, each of which is depicted as a BS (and will be referred to as such in parts of this disclosure as the “first BS” and “second BS” or the Source BS and the Target BS). FIG. 1 also depicts a UE 116, which is capable of communicating over the RAN 102. The area of coverage of each of the nodes is indicated by a dashed circle and, in some embodiments, this area is known as a “cell.” The UE 116 shown in FIG. 1 is meant to be representative, and many UEs may in fact communicate over the RAN 102 at the same time or at different times. The UE 116 will sometimes be referred to herein as a NG-UE.
Continuing with FIG. 1, the core network 104 includes a first AMF 110 (i.e., a computing device executing software that constitutes the AMF), an SEAF or initial AMF 112 (i.e., a computing device executing software that constitutes the SEAF), and a second AMF 114. In some embodiments, the functions of the SEAF are carried out by an AMF (the initial AMF). This is denoted in FIG. 1 and the following figures by the label “SEAF or initial AMF.” In those instances where either an AMF or SEAF may be employed to take an action, the general term “communication function” may be used. Each AMF carries out one or more of the following procedures in support of the RAN 102: registration management, connection management, reachability management and mobility management. Each AMF also carries out access authentication and access authorization, acts as the non-access stratum security termination, and relays the session management between the UE 116 and various other components of the CN 104. In some of the examples that follow, the first AMF 110 will sometimes be referred to as the “old AMF” or the “Source AMF,” and the second AMF will be referred to as the “new AMF” or “Target AMF.” It is to be understood that these designations are purely to facilitate the description, and that any AMF may fulfill different roles during different operations.
The SEAF 112 performs UE authentication for connection via different access networks. In the course of doing so, the SEAF 112 stores the security context for UEs that communicate on the RAN 102, such as the UE 116. The SEAF 112 maintains a security anchor key (which acts as an authentication session root key) referred to herein as KSEAF. Other keys that will be referred to herein are the KAN and the NH, which are keys provided to the AN.
Possible implementations of the UE 116 include any device capable of wireless communication, such as a smartphone, tablet, laptop computer, and non-traditional devices (e.g., household appliances or other parts of the “Internet of Things”). Possible implementations of the RAN 102 include a wireless communication network, for example an LTE network or a next generation LTE network.
FIG. 2 illustrates a basic (computing device) hardware architecture implemented by the elements of FIG. 1, including the AMF 110, the SEAF 112, the AMF 114, and the UE 116, according to an embodiment. The elements of FIG. 1 have other components as well. The hardware architecture depicted in FIG. 2 includes logic circuitry 202, memory 204, transceiver 206, and one or more antennas represented by antenna 208. The memory 204 may be or include a buffer that, for example, holds incoming transmissions until the logic circuitry is able to process the transmission. Each of these elements is communicatively linked to one another via one or more data pathways 210. Examples of data pathways include wires, conductive pathways on a microchip, and wireless connections.
The term “logic circuitry” as used herein means a circuit (a type of electronic hardware) designed to perform complex functions defined in terms of mathematical logic. Examples of logic circuitry include a microprocessor, a controller, or an application-specific integrated circuit. When the present disclosure refers to a device carrying out an action, it is to be understood that this can also mean that logic circuitry integrated with the device is, in fact, carrying out the action.
Possible implementations of the memory 204 include volatile data storage, nonvolatile data storage, electrical memory, magnetic memory, optical memory, random access memory (“RAM”), cache memory, and hard drives.
Turning to FIG. 3, under currently proposed security schemes for next generation networks, whenever the AMF serving a UE changes, the AMF security key (“KAMF”) also changes. This change in KAMF means that the next hop security key (“NH”) will also change. Thus, the AMF will need to obtain a value for KAMF from the SEAF or the initial AMF (which may carry out the SEAF functions), derive the security key for the RAN (“KAN”) and the NH from KAMF, and send those keys to the BS to which the UE is attaching. An example of an attachment procedure that uses this process will now be described with reference to FIG. 3 and the devices depicted in FIG. 1. Note that this example assumes that the UE and the SEAF share the same KSEAF. Also note that, in those instances where either KSEAF or the initial KAMF may be used, the two types of keys are encompassed by the general term “communication key.”
At 302, the UE 116 sends an Attach Request message to the AMF 110 via the first BS 106. At 304, the AMF 110 sends a Key Request message to the SEAF 112. At 306, the SEAF 112 derives the KAMF from KSEAF (or the initial AMF 112 derives the KAMF from the initial KAMF). At 308, the SEAF 112 sends a Key Response message including the KAMF to the AMF 110. At 310, the AMF 110 derives KAN for network access and NH for handover from KAMF. At 312, the AMF 110 sends an Initial UE Context Setup message including the KAN and the NH to the BS 106. At 314, the BS 106 sends an Attach Accept message to the UE 116. The UE 116 uses the same rule to derive KAMF, KAN, and NH as the other components in FIG. 3, so that the UE 116 and the RAN 102 can interact correctly.
Turning to FIG. 4, a currently proposed scheme for handling security keys during a transition from one AMF to another will now be described. It is assumed that the UE 116 has attached to the network, so the UE 116 and the Old AMF 110 share the same KAMF. At 402, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 106. At 404, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 406, the Old AMF 110 uses keys derived from KAMF (the “first AMF key”) to verify the integrity of the TAU Request message and, if successful, derives KAMF* (the “second AMF key”) from KAMF. At 408, the Old AMF 110 sends a Forward TAU Accept message including KAMF* to the New AMF 114. At 410, the New AMF 114 sets KAMF = KAMF* and derives KAN and NH from the new KAMF. At 412, the AMF sends an Initial UE Context Setup message including the KAN and NH to the BS. At 414, the BS sends a TAU Accept message to the UE. The UE uses the same rule to derive KAMF*, KAN, and NH, so that the UE and the network can interact correctly.
According to an embodiment, the AMF does not derive KAN and NH from KAMF, but rather receives KAN and NH from the SEAF. This reduces the amount of computing resources required by the AMF. An example of an attach procedure that implements this embodiment is shown in FIG. 5. At 502, the UE 116 sends an Attach Request message to the AMF 110 via the BS 106. At 504, the AMF 110 sends a Key Request message to the SEAF 112. At 506, the SEAF 112 derives KAN and NH from KSEAF. In other words, the inputs to the KAN derivation function include KSEAF, and the inputs to the NH derivation function include KSEAF or KAN and, for example, an NCC starting from, for example, 0. At 508, the SEAF 112 sends a Key Response message containing KAN and NH, in addition to KAMF, to the AMF 110.
According to an embodiment, when the AMF changes, the new AMF does not need to derive NH, but rather receives NH from the old AMF. This reduces the amount of computing resources required by the new AMF. An example of an idle mobility procedure that implements this embodiment is shown in FIG. 6. At 602, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 104. At 604, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 606, the Old AMF 110 uses keys derived from KAMF to verify the integrity of the TAU Request message and, if successful, derives KAMF* from KAMF. At 608, the Old AMF 110 sends a Forward TAU Accept message, which includes NH as well as KAMF*, to the New AMF 114. At 610, the New AMF 114 derives KAN from NH instead of from KAMF*, i.e., the inputs to the KAN derivation function include NH and, for example, the NCC of the received UE packet.
Turning to FIG. 7, another idle mobility procedure according to an embodiment will now be described. At 702, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 104. At 704, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 706, the Old AMF 110 derives KAN* (a “second access network key,” with KAN constituting the “first network access key”) from NH, i.e., the inputs to the KAN* derivation function include NH and the NCC of the received UE packet. At 708, the Old AMF 110 sends a Forward TAU Accept message that includes KAN* as well as KAMF* and NH to the New AMF 114. At 710, the New AMF 114 sets KAN = KAN* (instead of having to derive KAN from NH, as has been proposed previously).
Turning to FIG. 8, another idle mobility procedure according to an embodiment will now be described. At 802, the UE 116 sends a TAU Request message to a new AMF (AMF 114 in this example) via the BS 106. At 804, the New AMF 114 sends a Forward TAU Request message including the TAU Request message to the Old AMF 110. At 806, the Old AMF 110 derives NH* (a “second next-hop key”) from NH (the “first next-hop key”), i.e., the inputs to the NH* derivation function include NH and the NCC. At 808, the Old AMF 110 sends a Forward TAU Accept message that includes NH* as well as KAMF* and KAN* to the New AMF 114. At 810, the New AMF 114 sets NH = NH*.
Turning to FIG. 9, a handover procedure carried out according to an embodiment will now be described. In this embodiment, the Source AMF derives NH* from NH and sends NH* to the Target AMF, and the Target AMF sends NH* to the Target BS. At 902, the Source BS 106 transmits a Handover Required message to the Source AMF 110. At 904, the Source AMF 110 derives KAMF* from KAMF, and derives NH* from NH. At 906, the Source AMF 110 transmits a Forward Relocation Request message (containing KAMF* and {NH* or NCC}) to the Target AMF 114. At 908, the Target AMF 114 replaces KAMF with KAMF*. At 910, the Target AMF 114 transmits a Handover Request message (containing {NH* or NCC}) to the Target BS 108. At 912, the Target BS 108 transmits a Handover Request ACK message containing the NCC to the Target AMF 114. At 914, the Target AMF 114 transmits a Forward Relocation Response message containing the NCC to the Source AMF 110. At 916, the Source AMF 110 transmits a Handover Command message containing the NCC and the AMF (along with an “AMF changed” indicator) to the Source BS 106 (as the Handover Command message will be delivered to the UE, the “AMF changed” indication will prompt the UE to derive KAMF*). At 918, the Source BS 106 transmits a Handover Command message containing the NCC and the AMF changed indicator to the UE 116. At 920, the UE 116 derives KAMF* from KAMF and replaces KAMF with KAMF*. At 922, the UE 116 transmits a Handover Confirm message to the Target BS 108. At 924, the Target BS 108 transmits a Handover Notify message to the Target AMF 114. The UE 116 also derives KAN or NH according to the NCC.
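As an added example, not code from the patent or from ZTE, the key chain of FIG. 5 through FIG. 9 modelled end to end in Python: the SEAF hands KAMF, KAN and NH to the AMF (FIG. 5), the old AMF derives KAMF*, KAN* and NH* (FIG. 6 to 9), and a check confirms that the FIG. 6 route (new AMF derives KAN from NH), the FIG. 7 route (old AMF forwards KAN*) and the UE's own derivation from the NCC all land on the same KAN. The page names no derivation function, so HMAC-SHA-256 over a label and the NCC is assumed as a stand-in KDF; every function name below is hypothetical.

```python
# Added illustration of the key chain described for FIG. 5 through FIG. 9. This is
# not code from the patent or from ZTE; the page names no derivation function, so
# HMAC-SHA-256 over a label and the NCC is assumed here as a stand-in KDF.
import hashlib
import hmac

def kdf(key: bytes, label: str, ncc=None) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-256(key, label || NCC)."""
    data = label.encode() + (bytes([ncc]) if ncc is not None else b"")
    return hmac.new(key, data, hashlib.sha256).digest()

def seaf_key_response(k_seaf: bytes, ncc_start: int = 0) -> dict:
    """FIG. 5, steps 506/508: the SEAF derives KAMF, KAN and NH itself and
    returns all three to the AMF, which therefore derives nothing."""
    k_amf = kdf(k_seaf, "KAMF")
    k_an = kdf(k_seaf, "KAN")
    nh = kdf(k_an, "NH", ncc_start)   # page allows NH from KSEAF or from KAN
    return {"KAMF": k_amf, "KAN": k_an, "NH": nh, "NCC": ncc_start}

def old_amf_forward_tau_accept(ctx: dict, ncc: int) -> dict:
    """Old AMF side of FIG. 6/7/8 (and step 904 of FIG. 9): KAMF* from KAMF,
    KAN* from NH+NCC (FIG. 7), NH* from NH+NCC (FIG. 8/9). Note that in the
    FIG. 7 variant the old AMF computes and forwards KAN* itself."""
    return {
        "KAMF*": kdf(ctx["KAMF"], "KAMF*"),
        "KAN*": kdf(ctx["NH"], "KAN", ncc),
        "NH*": kdf(ctx["NH"], "NH", ncc),
        "NH": ctx["NH"],
    }

def new_amf_derive_kan(nh: bytes, ncc: int) -> bytes:
    """FIG. 6, step 610: the new AMF derives KAN from NH, not from KAMF*."""
    return kdf(nh, "KAN", ncc)

def ue_derive_kan(k_seaf: bytes, ncc: int) -> bytes:
    """UE side: the UE holds KSEAF, so it recomputes NH and KAN from the NCC
    alone (last step of FIG. 9) without any key crossing the air interface."""
    nh = kdf(kdf(k_seaf, "KAN"), "NH", 0)
    return kdf(nh, "KAN", ncc)

def idle_mobility_keys_agree(k_seaf: bytes, ncc: int) -> bool:
    """The FIG. 6 route (new AMF derives KAN), the FIG. 7 route (old AMF
    derives KAN* and forwards it) and the UE must all land on the same KAN."""
    ctx = seaf_key_response(k_seaf)
    fwd = old_amf_forward_tau_accept(ctx, ncc)
    fig6 = new_amf_derive_kan(fwd["NH"], ncc)
    return fig6 == fwd["KAN*"] == ue_derive_kan(k_seaf, ncc)
```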
Any and all of the methods described herein are carried out by or on one or more computing devices. Furthermore, instructions for carrying out any or all of the methods described herein may be stored on a non-transitory, computer-readable medium, such as any of the various types of memory described herein.
It should be understood that the exemplary embodiments described herein should be considered in a descriptive sense only and not for purposes of limitation. Descriptions of features or aspects within each embodiment should typically be considered as available for other similar features or aspects in other embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from their spirit and scope as defined by the following claims. For example, the steps of the various methods can be reordered in ways that will be apparent to those of skill in the art.

Claims (17)

  1. A method for obtaining a security key for access to a wireless network, the method comprising:
    a first computing device executing a communication function carrying out actions comprising:
    deriving an access mobility management function key from a communication function key; and
    transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
  2. The method of claim 1, further comprising deriving the next hop value from the communication function key.
  3. The method of claim 1, further comprising:
    deriving a network access key from the communication function key; and
    deriving the next hop value from the network access key.
  4. The method of claim 3, further comprising the second computing device transmitting the next hop value and the network access key to a communication node.
  5. The method of claim 1, further comprising the second computing device:
    deriving a second network access key from the next hop value; and
    transmitting the next hop value and the second network access key to the communication node.
  6. The method of claim 1, further comprising the second computing device:
    deriving a second network access key from the next hop value;
    deriving a second next hop value from the next hop value; and
    transmitting the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
  7. The method of claim 1, further comprising the second computing device:
    deriving a second network access key from the next hop value; and
    transmitting the second network access key and the next hop value to a third computing device executing a second access and mobility management function.
  8. The method of claim 1, further comprising the second computing device:
    deriving a second access mobility management function key from the access mobility management function key;
    transmitting the second access mobility management function key and the next hop value to a third computing device executing a second access and mobility management function; and
    the third computing device
    deriving a second network access key from the next hop value;
    transmitting the second network access key to a communication node.
  9. The method of claim 1, further comprising the second computing device:
    deriving a second network access key from the next hop value;
    transmitting the second network access key and the next hop value to a third computing device executing a second access and mobility management function; and
    the third computing device
    transmitting the second network access key and the next hop value to a communication node.
  10. A non-transitory computer-readable medium having stored thereon computer-executable instructions for carrying out the method of any one of claims 1 through 9.
  11. A computing device executing a security anchor function, wherein the computing device is configured to carry out actions comprising:
    deriving an access mobility management function key from a communication function key; and
    transmitting the access mobility management function key and a next hop value to an access mobility management function executing on a second computing device.
  12. The computing device of claim 11, further configured to carry out actions comprising deriving the next hop value from the communication function key.
  13. The computing device of claim 11, further configured to carry out actions comprising:
    deriving a network access key from the communication function key; and
    deriving the next hop value from the access network key.
  14. A system comprising the computing device of claim 13 and the second computing device, wherein the second computing device is configured to carry out actions comprising transmitting the next hop value and the network access key to a communication node.
  15. A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:
    deriving a second network access key from the next hop value; and
    transmitting the next hop value and the second network access key to the communication node.
  16. A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:
    deriving a second network access key from the next hop value;
    deriving a second next hop value from the next hop value; and
    transmitting the second network access key and the second next hop value to a third computing device executing a second access mobility management function.
  17. A system comprising the computing device of claim 11 and the second computing device, wherein the second computing device is configured to carry out actions comprising:
    deriving a second network access key from the next hop value; and
    transmitting the second network access key and the next hop value to a third computing device executing a second access mobility management function.
PCT/CN2017/088255 2017-06-14 2017-06-14 Methods and computing device for obtaining a security key for access to a wireless network WO2018227431A1 (en)
Publications (1)

Publication Number Publication Date
WO2018227431A1 true WO2018227431A1 (en) 2018-12-20