EP2559275A1 - Apparatus and method for transitioning an enhanced security context from a UTRAN-based serving network to a GERAN-based serving network - Google Patents

Apparatus and method for transitioning an enhanced security context from a UTRAN-based serving network to a GERAN-based serving network

Info

Publication number
EP2559275A1
Authority
EP
European Patent Office
Prior art keywords
serving network
session keys
remote station
security context
information element
Prior art date
Legal status
Withdrawn
Application number
EP11717850A
Other languages
German (de)
English (en)
Inventor
Adrian Edward Escott
Anand Palanigounder
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date
2010-04-16
Filing date
2011-04-15
Publication date
2013-02-20
Priority claimed from US13/084,324 (US20110255691A1)
Application filed by Qualcomm Inc
Publication of EP2559275A1
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • the present invention relates generally to an enhanced security context for user equipment operating in a Universal Mobile Telecommunications Service (UMTS) and/or GSM Edge Radio Access Network (GERAN).
  • UMTS Universal Mobile Telecommunications Service
  • GERAN GSM Edge Radio Access Network
  • a successful AKA (Authentication and Key Agreement) authentication in a UMTS third generation (3G) radio access network, or in a GERAN network using 3G AKA authentication, results in a pair of shared keys, a cipher key (CK) and an integrity key (IK), for securing communications between a user equipment (UE) and the network.
  • the shared keys may be used directly to secure the traffic between the UE and the network, as in the case of UTRAN (UMTS Terrestrial Radio Access Network), or may be used to statically derive keys, e.g. Kc or Kc128, in the case of GERAN (GSM Edge Radio Access Network).
  • a compromised key may result in serious security problems until the keys are changed at a next AKA authentication.
  • the AKA authentication is not run often due to the significant overhead required.
  • if both keys (CK and IK) are compromised, then the GERAN keys are compromised.
  • UMTS/HSPA High Speed Packet Access
  • RNC radio network controller
  • some or all of the functionalities of a radio network controller (RNC) and a Node B may be collapsed together into one node at the edge of the network.
  • the RNC needs the keys for functionalities such as user plane ciphering and signaling plane ciphering and integrity protection.
  • the RNC functionality may be deployed in an exposed location such as in a Home Node B in a UMTS Femtocell. Accordingly, RNC functionality deployed in possibly insecure locations providing access (including physical access) may allow the keys, CK and IK, to be compromised.
  • Session keys (modified versions of CK and IK) may be used to lower the security risks associated with exposed RNC functionality. Techniques for providing such session keys are disclosed in U.S. Patent Application Publication No. US 2007/0230707 A1.
  • An aspect of the present invention may reside in a method for transitioning a first security context from a first-type serving network to a second-type serving network.
  • the remote station generates first and second session keys, in accordance with the first security context, using a first information element and using a root key associated with the first security context.
  • the remote station receives a first message from the first-type serving network.
  • the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with the second-type serving network.
  • the remote station generates, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys.
  • the remote station protects wireless communications, on the second-type serving network, based on the third and fourth session keys.
  • the first information element may comprise a count value.
  • the first security context may be an enhanced security context having a security property that is not supported by a second security context.
  • the first-type serving network may be a UTRAN-based serving network, and the second-type serving network may be a GERAN-based serving network.
  • the first-type serving network may be a GERAN-based serving network, and the second-type serving network may be a UTRAN-based serving network.
  • the remote station may comprise a mobile user equipment.
  • a remote station which may include means for generating first and second session keys, in accordance with a first security context, using a first information element and using a root key associated with the first security context; means for receiving a first message from a first-type serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a second-type serving network; means for generating, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and means for protecting wireless communications, on the second-type serving network, based on the third and fourth session keys.
  • a remote station which may include a processor configured to: generate first and second session keys, in accordance with a first security context, using a first information element and using a root key associated with the first security context; receive a first message from a first-type serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a second-type serving network; generate, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and protect wireless communications, on the second-type serving network, based on the third and fourth session keys.
  • Another aspect of the invention may reside in a computer program product, comprising computer-readable storage medium, comprising code for causing a computer to generate first and second session keys, in accordance with a first security context, using a first information element and using a root key associated with the first security context; code for causing a computer to receive a first message from a first-type serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a second-type serving network; code for causing a computer to generate, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and code for causing a computer to protect wireless communications, on the second-type serving network, based on the third and fourth session keys.
  • FIG. 1 is a block diagram of an example of a wireless communication system.
  • FIG. 2 is a block diagram of an example of a wireless communication system in accordance with a UMTS/UTRAN architecture.
  • FIG. 3 is a block diagram of an example of a wireless communication system in accordance with a GERAN architecture.
  • FIG. 4 is a flow diagram of a method for transitioning an enhanced security context support from a UTRAN-based serving network to a GERAN-based serving network.
  • FIG. 5 is a flow diagram of a method for establishing an enhanced security context between a remote station and a serving network based on an attach request message.
  • FIG. 6 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a service request message.
  • FIG. 7 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a routing area update request message.
  • FIG. 8 is a block diagram of a computer including a processor and a memory.
  • FIG. 9 is a flow diagram of a method for transitioning an enhanced security context support from a UTRAN-based serving network to a GERAN-based serving network.
  • an aspect of the present invention may reside in a method 400 for transitioning an enhanced security context from a UTRAN-based serving network 230 to a GERAN-based serving network 230'.
  • the remote station 210 generates first and second session keys, in accordance with the enhanced security context, using an enhanced security context root key and a first information element (step 410).
  • the remote station receives a first message from the UTRAN-based serving network (step 420).
  • the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with the GERAN-based serving network.
  • the remote station generates, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys (step 430).
  • the remote station protects wireless communications, on the GERAN-based serving network, based on the third and fourth session keys (step 440).
  • the first information element may comprise a count.
  • the remote station may comprise a mobile user equipment (UE) such as a wireless device.
  • UE mobile user equipment
  • a remote station 210 may include means (processor 810) for generating first and second session keys, in accordance with an enhanced security context, using an enhanced security context root key and a first information element; means for receiving a first message from a UTRAN-based serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a GERAN-based serving network; means for generating, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and means for protecting wireless communications, on the GERAN-based serving network, based on the third and fourth session keys.
  • a remote station 210 which may include a processor 810 configured to: generate first and second session keys, in accordance with an enhanced security context, using an enhanced security context root key and a first information element; receive a first message from a UTRAN-based serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a GERAN-based serving network; generate, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and protect wireless communications, on the GERAN-based serving network, based on the third and fourth session keys.
  • Another aspect of the invention may reside in a computer program product, comprising computer-readable storage medium 820, comprising code for causing a computer 800 to generate first and second session keys, in accordance with an enhanced security context, using an enhanced security context root key and a first information element; code for causing a computer to receive a first message from a UTRAN-based serving network, wherein the first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with a GERAN-based serving network; code for causing a computer to generate, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys; and code for causing a computer to protect wireless communications, on the GERAN-based serving network, based on the third and fourth session keys.
  • the serving core network 230 is connected to a serving RAN (Radio Access Network) 220 which provides wireless communications to the remote station 210.
  • the serving RAN includes a Node B and a RNC (Radio Network Controller).
  • the serving RAN includes a BTS (Base Transceiver Station) and a BSC (Base Station Controller).
  • the serving core network includes an MSC/VLR (Mobile Switching Center/Visitor Location Register) for providing circuit-switched (CS) service, and an SGSN (Serving GPRS Support Node) for providing packet-switched (PS) services.
  • the home network includes an HLR (Home Location Register) and an AuC (Authentication Center).
  • the UE 210 and the serving core network 230 may be enhanced with new security properties to create an enhanced UMTS security context (ESC) using a COUNT (counter value).
  • a 256-bit root key (KASMEU) for the ESC may be derived from the CK and IK when AKA authentication is performed.
  • the root key may be set equal to CK
  • the COUNT may be a 16-bit counter value that is maintained between the UE and the serving core network.
  • a legacy UTRAN security context consists of KSI (a 3-bit Key Set Identifier), CK (a 128-bit encryption key), and IK (a 128-bit integrity key).
  • the GERAN PS service differs from the UMTS/UTRAN PS service in that the security used to protect traffic exists through idle mode. This means that if it is desired to have fresh UMTS keys for each active session, then an enhancement is needed.
  • the UTRAN to GERAN handover can be done in a way that is independent of the method used to determine the session keys.
  • the UE and the SGSN share an enhanced security context that includes the following parameters: KSI (also called CKSN) which is a key set identifier and which is also currently used in UMTS/GERAN, and KASMEU* which is a 256-bit root key for the security context.
  • KSI also called CKSN
  • KASMEU* which is a 256-bit root key for the security context.
  • the source SGSN passes the session keys CK_S and IK_S and the root key KASMEU to the target SGSN.
  • a target SGSN that supports the ESC calculates new session keys CK_S and IK_S from the root key KASMEU and the old session keys CK_S and IK_S and possibly some additional information.
  • the target SGSN indicates to the UE that the new session keys were calculated and possibly includes the additional information used by the SGSN that is not already known to the UE, in a parameter sent as part of the handover signaling (e.g. NAS container set for PS HO), and the UE performs the same calculation to get the new session keys CK_S and IK_S. Accordingly, when the UE returns to UMTS/UTRAN, the old session keys will not be used.
  • the UE 210 may signal that it supports ESC in a UMTS attach request message (step 510).
  • the support signal may be the presence of a new information element (IE) in the message.
  • the IE may comprise the COUNT value.
  • a serving network SN 230 that does not support ESC will ignore the new IE.
  • Authentication data (RAND, XRES, CK, IK, AUTN) is obtained from the HLR/AuC 240 (step 515).
  • the SN may indicate ESC support in the AKA challenge (Authentication Request) to the UE (step 520).
  • the UE performs the authentication procedures (step 525) and returns a response RES to the SN (step 530).
  • the UE and SN derive the root key KASMEU and the session keys CK_S and IK_S (step 535).
  • the SN forwards the session keys to the RAN 220 in an SMC (Security Mode Command) message (step 540).
  • the RAN generates a message authentication code (MAC) using the session key IK_S, which is forwarded to the UE in an SMC message (step 545).
  • MAC message authentication code
  • the UE checks the MAC (step 550) using the session key IK_S that the UE derived (step 535), and returns a complete indication to the RAN (step 555), which forwards it to the SN (step 560). The UE is then able to protect communications using the session keys (step 565).
  • the UE 210 forwards a service request message which includes the COUNT value to the SN 230 (step 610).
  • the UE and SN derive the new session keys CK_S and IK_S from the root key KASMEU (step 620).
  • the SN forwards the session keys to the RAN 220 in an SMC message (step 630).
  • the RAN generates a MAC, which is forwarded to the UE in an SMC message (step 640).
  • the UE checks the MAC (step 650), and returns a complete indication to the RAN (step 660), which forwards it to the SN (step 670).
  • the UE is then able to protect communications using the session keys (step 680).
  • a method 700 relates to mobility management procedures (such as a Routing Area Update (RAU) or Location Area Update (LAU)).
  • the UE 210 forwards a RAU (or LAU) request message which includes the COUNT value to the SN 230 (step 710).
  • the UE and SN may derive the new session keys CK_S and IK_S from the root key KASMEU (step 720).
  • the SN may forward the session keys to the RAN 220 in an SMC message (step 730).
  • the RAN may generate a MAC, which may be forwarded to the UE in an SMC message (step 740).
  • the UE may check the MAC (step 750), and may return a complete indication to the RAN (step 760), which forwards it to the SN (step 770).
  • the SN then sends a RAU accept message to the UE (step 780).
  • the UE is then able to protect communications using the session keys.
  • New access stratum (AS) keys may be generated for each transition from Idle to Active State. Similarly, keys may be generated at other events.
  • the COUNT value may be sent in idle mobility messages and in initial layer 3 messages, e.g., Attaches, RAUs, LAUs, for idle, mobility, or service request.
  • the SN may check that the sent COUNT value has not been used before, and updates the stored COUNT value in the process. If the COUNT value is new (e.g., received COUNT value > stored COUNT value), the UE and the SN proceed to calculate the new keys CK_S and IK_S, using a Key Derivation Function (KDF) such as HMAC-SHA256, from the root key KASMEU and the sent COUNT value.
  • KDF Key Derivation Function
  • the KDF may include additional information, such as RAN node identity, for the new key calculation. If the check fails (the COUNT value is not new), the SN rejects the message.
  • additional information such as RAN node identity
  • the SN rejects the message.
  • when Kc and Kc128 are calculated from CK_S and IK_S, it may be done in the same manner as when they are calculated from CK and IK.
  • the session keys (CK_S and IK_S) may have a lifetime such that the UE and the serving network keep and use the session keys until either it is no longer necessary to store the keys to send traffic securely between the UE and the network (UE moves to Idle mode), or a new context is created at a subsequent event (e.g., AKA authentication or a mobility event).
  • an aspect of the present invention may reside in a method 900 for transitioning an enhanced security context from a UTRAN-based serving network 230 (a first-type serving network) to a GERAN-based serving network 230' (a second-type serving network).
  • the remote station 210 generates first and second session keys CK_SA and IK_SA, in accordance with the enhanced security context, using an enhanced security context root key (such as KASMEU) and a first information element IE1 (such as a COUNT value) (step 910).
  • an enhanced security context root key such as KASMEU
  • IE1 such as a COUNT value
  • the UTRAN-based serving network 230 may pass the session keys CK_SA and IK_SA and the root key KASMEU to the GERAN-based serving network 230' (step 920).
  • the GERAN-based serving network's response, which includes a second information element IE2, tells the UTRAN-based serving network that it may hand the remote station over to the GERAN-based serving network (step 930).
  • the remote station receives a first message from the UTRAN-based serving network (step 940).
  • the first message includes the second information element IE2 signaling to the remote station to generate third and fourth session keys CK_SB and IK_SB, for use with the GERAN-based serving network.
  • the remote station generates, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys (step 950).
  • when Kc and Kc128 are calculated from CK_SB and IK_SB, it may be done in the same manner as when they are calculated from CK and IK (step 960).
  • the remote station protects wireless communications, on the GERAN-based serving network, based on the third and fourth session keys (step 970).
  • the first-type serving network may be a GERAN-based serving network
  • the second-type serving network may be a UTRAN-based serving network.
  • the remote station 210 may comprise a computer 800 that includes a storage medium 820 such as memory, a display 830, and an input device 840 such as a keyboard.
  • the apparatus may include a wireless connection 850.
  • a wireless remote station (RS) 102 (or UE) may communicate with one or more base stations (BS) 104 of a wireless communication system 100.
  • the wireless communication system 100 may further include one or more base station controllers (BSC) 106, and a core network 108.
  • Core network may be connected to an Internet 110 and a Public Switched Telephone Network (PSTN) 112 via suitable backhauls.
  • PSTN Public Switched Telephone Network
  • a typical wireless mobile station may include a handheld phone, or a laptop computer.
  • the wireless communication system 100 may employ any one of a number of multiple access techniques such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), space division multiple access (SDMA), polarization division multiple access (PDMA), or other modulation techniques known in the art.
  • CDMA code division multiple access
  • TDMA time division multiple access
  • FDMA frequency division multiple access
  • SDMA space division multiple access
  • PDMA polarization division multiple access
  • a wireless device 102 may include various components that perform functions based on signals that are transmitted by or received at the wireless device.
  • a wireless headset may include a transducer adapted to provide an audio output based on a signal received via the receiver.
  • a wireless watch may include a user interface adapted to provide an indication based on a signal received via the receiver.
  • a wireless sensing device may include a sensor adapted to provide data to be transmitted to another device.
  • a wireless device may communicate via one or more wireless communication links that are based on or otherwise support any suitable wireless communication technology.
  • a wireless device may associate with a network.
  • the network may comprise a body area network or a personal area network (e.g., an ultra-wideband network).
  • the network may comprise a local area network or a wide area network.
  • a wireless device may support or otherwise use one or more of a variety of wireless communication technologies, protocols, or standards such as, for example, CDMA, TDMA, OFDM, OFDMA, WiMAX, and Wi-Fi.
  • a wireless device may support or otherwise use one or more of a variety of corresponding modulation or multiplexing schemes.
  • a wireless device may thus include appropriate components (e.g., air interfaces) to establish and communicate via one or more wireless communication links using the above or other wireless communication technologies.
  • a device may comprise a wireless transceiver with associated transmitter and receiver components (e.g., a transmitter and a receiver) that may include various components (e.g., signal generators and signal processors) that facilitate communication over a wireless medium.
  • transmitter and receiver components e.g., a transmitter and a receiver
  • various components e.g., signal generators and signal processors
  • the teachings herein may be incorporated into (e.g., implemented within or performed by) a variety of apparatuses (e.g., devices).
  • one or more aspects taught herein may be incorporated into a phone (e.g., a cellular phone), a personal data assistant ("PDA"), an entertainment device (e.g., a music or video device), a headset (e.g., headphones, an earpiece, etc.), a microphone, a medical device (e.g., a biometric sensor, a heart rate monitor, a pedometer, an EKG device, etc.), a user I/O device (e.g., a watch, a remote control, a light switch, a keyboard, a mouse, etc.), a tire pressure monitor, a computer, a point-of-sale device, an entertainment device, a hearing aid, a set-top box, or any other suitable device.
  • a phone e.g., a cellular phone
  • PDA personal data assistant
  • an entertainment device e.g., a music or video device
  • a headset e.g., headphones, an earpiece, etc.
  • teachings herein may be adapted for use in low power applications (e.g., through the use of an impulse-based signaling scheme and low duty cycle modes) and may support a variety of data rates including relatively high data rates (e.g., through the use of high-bandwidth pulses).
  • a wireless device may comprise an access device (e.g., a Wi-Fi access point) for a communication system.
  • an access device may provide, for example, connectivity to another network (e.g., a wide area network such as the Internet or a cellular network) via a wired or wireless communication link.
  • the access device may enable another device (e.g., a Wi-Fi station) to access the other network or some other functionality.
  • another device e.g., a Wi-Fi station
  • one or both of the devices may be portable or, in some cases, relatively non-portable.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • a general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC.
  • the ASIC may reside in a user terminal.
  • the processor and the storage medium may reside as discrete components in a user terminal.
  • the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage media may be any available media that can be accessed by a computer.
  • such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • any connection is properly termed a computer-readable medium.
  • if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium.
  • Disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
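The following Python example is added here as an illustration of the key handling described in the Definitions above; it is not code from the patent or from Qualcomm. It covers the two procedures the description spells out: the SN-side COUNT freshness check with HMAC-SHA256 derivation of CK_S and IK_S from KASMEU and COUNT (the service request / RAU flows), and the UTRAN-to-GERAN transition of method 900 where CK_SB and IK_SB are derived from CK_SA, IK_SA and IE2, followed by the Kc conversion. The patent names HMAC-SHA256 but fixes neither the KDF input layout nor how IE2 is mixed in, so the label/length-prefix encoding, the choice to key the transition KDF with CK_SA||IK_SA, and all sample values are assumptions of this example. The Kc conversion is the c3 function of 3GPP TS 33.102 (Kc = CK1 xor CK2 xor IK1 xor IK2); Kc128 derivation is not shown.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# The patent describes COUNT as a 16-bit counter shared by the UE and the SN.
COUNT_BITS = 16


def kdf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 key derivation. The patent names HMAC-SHA256 but not the
    input layout; the length-prefixed label/field encoding is an assumption."""
    msg = label
    for f in fields:
        msg += len(f).to_bytes(2, "big") + f
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_session_keys(k_asmeu: bytes, count: int, extra: bytes = b"") -> Tuple[bytes, bytes]:
    """CK_S and IK_S from the 256-bit root key KASMEU and COUNT (steps 535/620/720).
    `extra` stands in for optional additional input such as a RAN node identity."""
    if len(k_asmeu) != 32:
        raise ValueError("KASMEU must be 256 bits")
    if not 0 <= count < (1 << COUNT_BITS):
        raise ValueError("COUNT must fit in 16 bits")
    out = kdf(k_asmeu, b"ESC-session", count.to_bytes(2, "big"), extra)
    return out[:16], out[16:]  # 128-bit CK_S, 128-bit IK_S


def derive_transition_keys(ck_sa: bytes, ik_sa: bytes, ie2: bytes) -> Tuple[bytes, bytes]:
    """Third and fourth session keys CK_SB, IK_SB from the first and second session
    keys plus IE2 (step 950). Keying the KDF with CK_SA||IK_SA is an assumption."""
    out = kdf(ck_sa + ik_sa, b"ESC-transition", ie2)
    return out[:16], out[16:]


def c3(ck: bytes, ik: bytes) -> bytes:
    """64-bit GERAN Kc from a 128-bit CK/IK pair: conversion function c3 of
    3GPP TS 33.102, Kc = CK1 xor CK2 xor IK1 xor IK2 over 64-bit halves."""
    halves = (ck[:8], ck[8:], ik[:8], ik[8:])
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(*halves))


@dataclass
class ServingNetwork:
    """Minimal SN-side state: the root key and the last accepted COUNT."""
    k_asmeu: bytes
    stored_count: int = -1  # nothing accepted yet

    def handle_count(self, received_count: int) -> Optional[Tuple[bytes, bytes]]:
        """Freshness check from the description: proceed only when the received
        COUNT exceeds the stored one, updating the stored value; otherwise reject
        the message (None), so a replayed COUNT never yields keys."""
        if received_count <= self.stored_count:
            return None
        self.stored_count = received_count
        return derive_session_keys(self.k_asmeu, received_count)


def utran_to_geran_transition(k_asmeu: bytes, count: int, ie2: bytes) -> dict:
    """Method 900 on the UE side: ESC session keys, then the GERAN keys after the
    handover message carrying IE2, then Kc (steps 910, 950, 960)."""
    ck_sa, ik_sa = derive_session_keys(k_asmeu, count)
    ck_sb, ik_sb = derive_transition_keys(ck_sa, ik_sa, ie2)
    return {
        "CK_SA": ck_sa, "IK_SA": ik_sa,
        "CK_SB": ck_sb, "IK_SB": ik_sb,
        "Kc": c3(ck_sb, ik_sb),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    root = bytes(range(32))
    sn = ServingNetwork(root)
    assert sn.handle_count(7) is not None  # fresh COUNT accepted
    assert sn.handle_count(7) is None      # replayed COUNT rejected
    for name, value in utran_to_geran_transition(root, 7, b"\x00\x2a").items():
        print(f"{name}: {value.hex()}")
```

The point the description makes about security lifetimes is visible in the two derivation stages: a COUNT that is not strictly greater than the stored value produces no keys at all, and the GERAN keys are a one-way function of the UTRAN session keys plus IE2, so returning to UTRAN does not reuse the keys that were handed to the GERAN side.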

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention porte sur un procédé de transition d'un contexte de sécurité améliorée d'un réseau de desserte UTRAN à un réseau de desserte GERAN. Dans le procédé, la station distante génère des première et deuxième clés de session, conformément au contexte de sécurité améliorée, à l'aide d'une clé racine de contexte de sécurité améliorée et d'un premier élément d'information. La station distante reçoit un premier message provenant du réseau de desserte UTRAN. Le premier message comprend un second élément d'informations signalant à la station distante de générer des troisième et quatrième clés de session destinées à être utilisées avec le réseau de desserte GERAN. La station distante génère, en réponse au premier message, les troisième et quatrième clés de session à l'aide du second élément d'information et des première et deuxième clés de session. La station distante protège des communications sans fil, sur le réseau de desserte GERAN, sur la base des troisième et quatrième clés de session.
EP11717850A 2010-04-16 2011-04-15 Apparatus and method for transitioning enhanced security context from a UTRAN serving network to a GERAN serving network Withdrawn EP2559275A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US32500110P 2010-04-16 2010-04-16
US13/084,324 US20110255691A1 (en) 2010-04-15 2011-04-11 Apparatus and method for transitioning enhanced security context from a utran-based serving network to a geran-based serving network
PCT/US2011/032757 WO2011130684A1 (fr) 2010-04-16 2011-04-15 Apparatus and method for transitioning enhanced security context from a UTRAN serving network to a GERAN serving network

Publications (1)

Publication Number Publication Date
EP2559275A1 true EP2559275A1 (fr) 2013-02-20

Family

ID=44310410

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11717850A Withdrawn EP2559275A1 (fr) 2010-04-16 2011-04-15 Apparatus and method for transitioning enhanced security context from a UTRAN serving network to a GERAN serving network

Country Status (6)

Country Link
EP (1) EP2559275A1 (fr)
JP (1) JP5398934B2 (fr)
KR (1) KR20130009849A (fr)
CN (1) CN103004243A (fr)
TW (1) TW201203988A (fr)
WO (1) WO2011130684A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11831655B2 (en) * 2017-10-02 2023-11-28 Qualcomm Incorporated Incorporating network policies in key generation
CN114629645A (zh) * 2018-04-10 2022-06-14 MediaTek Singapore Pte. Ltd. Improved method and apparatus for handling erroneous KSI in mobile communications, and computer-readable storage medium
CN111404666A (zh) * 2019-01-02 2020-07-10 China Mobile Communications Research Institute Key generation method, terminal device and network device

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
US6591364B1 (en) * 1998-08-28 2003-07-08 Lucent Technologies Inc. Method for establishing session key agreement
US6876747B1 (en) * 2000-09-29 2005-04-05 Nokia Networks Oy Method and system for security mobility between different cellular systems
KR20070015770A (ko) * 2005-08-01 2007-02-06 LG Electronics Inc. Method for performing and controlling handover between heterogeneous networks
US9106409B2 (en) 2006-03-28 2015-08-11 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US8583929B2 (en) * 2006-05-26 2013-11-12 Alcatel Lucent Encryption method for secure packet transmission
WO2008046915A1 (fr) * 2006-10-20 2008-04-24 Nokia Corporation Generating protection keys in next-generation mobile networks
FI20070094A0 (fi) * 2007-02-02 2007-02-02 Nokia Corp Changing the security algorithm of the radio network during handover
CN101610147A (zh) * 2008-06-16 2009-12-23 Huawei Technologies Co., Ltd. Key processing method, system, device and terminal

Non-Patent Citations (1)

Title
See references of WO2011130684A1 *

Also Published As

Publication number Publication date
JP5398934B2 (ja) 2014-01-29
CN103004243A (zh) 2013-03-27
KR20130009849A (ko) 2013-01-23
WO2011130684A1 (fr) 2011-10-20
JP2013524742A (ja) 2013-06-17
TW201203988A (en) 2012-01-16

Similar Documents

Publication Publication Date Title
CA2802488C (fr) Apparatus and method for transitioning enhanced security context from a UTRAN/GERAN-based serving network to an E-UTRAN-based serving network
US9191812B2 (en) Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node
US9197669B2 (en) Apparatus and method for signaling enhanced security context for session encryption and integrity keys
CA2795358C (fr) Apparatus and method for signaling enhanced security context for session encryption and integrity keys
JP5398934B2 (ja) Apparatus and method for transitioning enhanced security context from a UTRAN-based serving network to a GERAN-based serving network

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121116

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20151103