US20030235305A1 - Key generation in a communication system - Google Patents

Key generation in a communication system Download PDF

Info

Publication number
US20030235305A1
US20030235305A1 US10/177,017 US17701702A US2003235305A1 US 20030235305 A1 US20030235305 A1 US 20030235305A1 US 17701702 A US17701702 A US 17701702A US 2003235305 A1 US2003235305 A1 US 2003235305A1
Authority
US
United States
Prior art keywords
access
msk
authentication
key
communication system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/177,017
Other languages
English (en)
Inventor
Raymond Hsu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=29734262&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20030235305(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Qualcomm Inc filed Critical Qualcomm Inc
Priority to US10/177,017 priority Critical patent/US20030235305A1/en
Assigned to QUALCOMM INCORPORATED A DELAWARE reassignment QUALCOMM INCORPORATED A DELAWARE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HSU, RAYMOND T.
Priority to EP03761176A priority patent/EP1525706A4/en
Priority to CA2792490A priority patent/CA2792490C/en
Priority to BRPI0311994-7A priority patent/BR0311994A/pt
Priority to PCT/US2003/019465 priority patent/WO2004002056A1/en
Priority to CN201310460165.2A priority patent/CN103532939B/zh
Priority to TW092116837A priority patent/TWI360975B/zh
Priority to TW101126108A priority patent/TWI388180B/zh
Priority to JP2004516007A priority patent/JP4897215B2/ja
Priority to CN201410439953.8A priority patent/CN104243145A/zh
Priority to KR1020047020774A priority patent/KR101062781B1/ko
Priority to CA2490131A priority patent/CA2490131C/en
Priority to CNA038192977A priority patent/CN1720688A/zh
Priority to CA2862069A priority patent/CA2862069C/en
Priority to AU2003243680A priority patent/AU2003243680B2/en
Priority to RU2005101217/09A priority patent/RU2333607C2/ru
Publication of US20030235305A1 publication Critical patent/US20030235305A1/en
Priority to US10/912,898 priority patent/US7190793B2/en
Priority to HK15103526.0A priority patent/HK1203706A1/zh
Priority to JP2010092578A priority patent/JP5313200B2/ja
Priority to TW099142508A priority patent/TWI376905B/zh
Priority to JP2012012031A priority patent/JP5512709B2/ja
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/08Access restriction or access information delivery, e.g. discovery data delivery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W74/00Wireless channel access
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • the present relates to an inter-working function for a communication system, and more specifically to mechanisms for common authentication and key exchange through an inter-working function for use in a Wireless Local Area Network (WLAN).
  • WLAN Wireless Local Area Network
  • a Wireless Local Area Network allows users virtually unrestricted access to Internet Protocol (IP) services and data networks.
  • IP Internet Protocol
  • the use of a WLAN is not limited to laptop computers and other computing devices, but is rapidly expanding to include cellular telephones, Personal Digital Assistants (PDA)s, and other small wireless devices supported by an external network or carrier.
  • PDA Personal Digital Assistants
  • a wireless device communicating via a cellular carrier may roam into a WLAN in a cyber-cafe or workspace. In this situation, the wireless device has access to the cellular system, but desires access to the WLAN.
  • the WLAN access requires authentication. As the wireless device has already gained access to the cellular system, the need for further authentication is redundant. There is a need therefore, for a mechanism that allows a common authentication for access to a cellular system and to a WLAN. Further, there is a need for a common mechanism for generating encryption keys used during communications.
  • FIG. 1 is a communication system including an High Data Rate or HDR type network and a Wireless Local Area Network (WLAN).
  • WLAN Wireless Local Area Network
  • FIG. 2 is a timing diagram of authentication procedure in a communication system.
  • FIG. 3 is a timing diagram of an authentication procedure in a communication system.
  • FIGS. 4 and 5 are access request message formats.
  • FIG. 6 is a wireless apparatus including functionality to generate a Master Session Key (MSK).
  • MSK Master Session Key
  • An HDR subscriber station referred to herein as an access terminal (AT) may be mobile or stationary, and may communicate with one or more HDR base stations, referred to herein as modem pool transceivers (MPTs).
  • An access terminal transmits and receives data packets through one or more modem pool transceivers to an HDR base station controller, referred to herein as a modem pool controller (MPC).
  • Modem pool transceivers and modem pool controllers are parts of a network called an access network.
  • An access network transports data packets between multiple access terminals.
  • the access network may be further connected to additional networks outside the access network, such as a corporate intranet or the Internet, and may transport data packets between each access terminal and such outside networks.
  • An access terminal that has established an active traffic channel connection with one or more modem pool transceivers is called an active access terminal, and is said to be in a traffic state.
  • An access terminal that is in the process of establishing an active traffic channel connection with one or more modem pool transceivers is said to be in a connection setup state.
  • An access terminal may be any data device that communicates through a wireless channel or through a wired channel, for example using fiber optic or coaxial cables.
  • An access terminal may further be any of a number of types of devices including but not limited to PC card, compact flash, external or internal modem, or wireless or wireline phone.
  • the communication link through which the access terminal sends signals to the modem pool transceiver is called a reverse link.
  • the communication link through which a modem pool transceiver sends signals to an access terminal is called a forward link.
  • FIG. 1 illustrates a communication system having a Wireless Local Area Network (WLAN) 104 with multiple Access Points (APs).
  • WLAN Wireless Local Area Network
  • AP Access Points
  • An AP is a hub or bridge that provides a star topology control of the wireless side of the WLAN 104 , as well as access to a wired network.
  • Each AP 110 supports a connection to a data service, such as the Internet.
  • a MS 102 such as a laptop computer, or other digital computing device, communicates with an AP via the air interface, thus the term Wireless LAN.
  • the AP then communicates with an Authentication Server (AS) or Authentication Center (AC).
  • the AC is a component for performing authentication services for devices requesting admittance to a network. Implementations include Remote Authentication Dial-In User Service (RADIUS), which is an Internet user authentication described in RFC 2138, “Remote Authentication Dial In User Service (RADIUS)” by C. Rigney et al., published April 1997, and other Authentication, Authorization and Accounting (AAA) servers.
  • RADIUS Remote Authentication Dial-In User Service
  • Wireless networking is emerging as a significant aspect of internetworking. It presents a set of unique issues based on the fact that the only boundary of a wireless network is the radio signal strength. There is no wiring to define membership in a network. There is no physical method to restrict a system within radio range to be a member of a wireless network. Wireless networking, more than any other networking technology, needs an authentication and access control mechanism. Various groups are currently working on developing a standard authentication mechanism. Currently the accepted standard is the IEEE 802.11.
  • Authentication is the process of proving the identity of an individual or application in a communication. Such identification allows the service provider to verify the entity as a valid user and also to verify the user for the specific services requested. Authentication and authorization actually have very specific meanings, though the two names are often used interchangeably, and in practice are often not clearly distinguished.
  • Authentication is the process where a user establishes a right to an identity—in essence, the right to use a name.
  • a name or identity has attributes associated with it. Attributes may be bound closely to a name (for example, in a certificate payload) or they may be stored in a directory or other database under a key corresponding to the name. Attributes may change over time.
  • Authorization is the process of determining whether an identity (plus a set of attributes associated with that identity) is permitted to perform some action, such as accessing a resource. Note that permission to perform an action does not guarantee that the action can be performed. Note that authentication and authorization decisions can be made at different points, by different entities.
  • the authentication feature is a network capability that allows cellular networks to validate the identity of wireless device, thereby reducing unauthorized use of cellular networks.
  • the process is transparent to subscribers. Customers are not required to do anything to authenticate the identity of their phones when they make a call.
  • Authentication typically involves a cryptographic scheme, wherein the service provider and the user have some shared information and some private information.
  • the shared information is typically referred to as a “shared secret.”
  • the authentication key is a secret value that is unique to each individual cellular phone. It is registered with the cellular service provider and stored in the phone and Authentication Center (AC).
  • the A-key is programmed into the phone by the manufacturer. It can also be entered manually by the user, from the wireless device menu, or by a special terminal at the point of sale.
  • the wireless device and the AC must have the same A-key to produce the same calculations.
  • the primary function of the A-key is to be used as a parameter to calculate the shared secret data (SSD).
  • the SSD is used as an input for authentication calculations in the wireless device and the AC, and is stored in both places. Unlike the A-key, the SSD may be modified over the network.
  • the AC and the wireless device share three elements that go into the calculation of the SSD: 1) the Electronic Serial Number (ESN); 2) the Authentication Key (A-Key); and 3) a RANDom number for Shared Secret Data calculation (RANDSSD).
  • ESN Electronic Serial Number
  • A-Key Authentication Key
  • RANDSSD RANDom number for Shared Secret Data calculation
  • the ESN and RANDSSD are transmitted over the network and over the air interface.
  • the SSD is updated when a device makes its first system access, and periodically thereafter.
  • the result is two separate values, SSD-A and SSD-B.
  • SSD-A is used for authentication.
  • SSD-B is used for encryption and voice privacy.
  • SSD may be shared or not shared between the AC and serving Mobile Switching Center (MSC). If secret data is shared, it means the AC will send it to the serving MSC and the serving MSC must be capable of executing CAVE. If it is not shared, the AC will keep the data and perform authentication.
  • MSC Mobile Switching Center
  • the type of sharing affects how an authentication challenge is conducted.
  • An authentication challenge is a message sent to challenge the identify of the wireless device. Basically, the authentication challenge sends some information, typically random number data, for the user to process. The user then processes the information and sends a response. The response is analyzed for verification of the user.
  • shared secret data a challenge is handled at the serving MSC.
  • non-shared secret data a challenge is handled by the AC.
  • sharing secret data the system may minimize the amount of traffic sent and allow challenges to happen more quickly at the serving switch.
  • a Home Location Register controls the authentication process by acting as intermediary between the MSC and AC.
  • the serving MSC is set up to support authentication with the mobile's HLR and vice versa.
  • the device initiates the process by notifying the serving MSC if it is capable of authentication, by setting an authorization field in the overhead message train.
  • the serving MSC starts the registration/authentication process with an Authentication Request.
  • the serving MSC By sending the Authentication Request, the serving MSC tells the HLR/AC whether it is capable of doing CAVE calculations.
  • the AC controls which of the serving MSC's as well as device capabilities will be used out of those available.
  • the SSD cannot be shared between the AC and MSC and therefore all authentication processes are performed in the AC.
  • the purpose of the Authentication Request is to authenticate the phone and request SSD.
  • the AUTHREQ contains two parameters for authentication, the AUTHR and RAND parameters.
  • the AC gets the AUTHREQ it uses the RAND and the last known SSD to calculate AUTHR. If it matches the AUTHR sent in the AUTHREQ then authentication is successful.
  • the return result to the AUTHREQ will contain the SSD if it can be shared.
  • the Authentication process consists of a challenge and response dialog. If SSD is shared, the dialog runs between the MSC and the device. If SSD is not shared, the dialog runs between the HLR/AC and the device.
  • the MSC may be capable of either a Unique Challenge, a Global Challenge, or both. Some MSCs are currently not capable of global challenge.
  • the Unique Challenge is a challenge that occurs during call attempts only, because it uses the voice channel. Unique challenge presents an authentication to a single device during call origination and call delivery.
  • the Global Challenge is a challenge that occurs during registration, call origination, and call delivery.
  • the Global challenge presents an authentication challenge to all MSs that are using a particular radio control channel. It is called global challenge because it is broadcast on the radio control channel, and the challenge is used by all phones accessing that control channel.
  • the device responds to a random number provided by the MSC or AC.
  • the device uses the random number and shared secret data stored in the device to calculate a response to the MSC.
  • the MSC also uses the random number and shared secret data to calculate what the response from the device should be. These calculations are done through the CAVE algorithm. If the responses are not the same, service is denied.
  • the challenge process does not increase the amount of time it takes to connect the call. In fact, the call may proceed in some cases, only to be torn down when authentication fails.
  • WLANs have gained tremendous popularity as a means of providing users with untethered access to IP data networks.
  • High Data Rate (HDR) networks such as 1xEV-DO networks and other third generation (3G) networks are also designed to offer high-speed data access; although the data rates they support are typically lower than those of WLANs, 3G networks offer data coverage over a much wider area.
  • WLAN and HDR networks may be complementary: WLANs offer high-capacity “hot-spot” coverage in public areas such as airport lounges and hotel lobbies, while HDR networks can provide users with nearly ubiquitous data service while on the move. Therefore, the same carrier may provide both HDR and WLAN access services under a single user subscription. This means that the MS uses the same authentication method and secret to both types of access authentication.
  • CHAP Challenge Handshake Authentication Protocol
  • MD5-Challenge a protocol that is also referred to as MD5-Challenge
  • CHAP specifically uses the RADIUS protocol to authenticate a terminal without sending security data.
  • the MS is authenticated by its home RADIUS server, wherein the home RADIUS server and the MS share a root secret.
  • the MS and the home or HDR network derive the same encryption keys that are to be used to protect traffic exchanged between the MS and the WLAN Access Point (AP).
  • AP WLAN Access Point
  • the home RADIUS server and the MS After successful WLAN access authentication via a CHAP challenge, the home RADIUS server and the MS generate the same Master Session Key (MSK) from the shared root secret.
  • the MSK will be used to derive encryptions keys for the protection of actual traffic between the MS and the AP of the WLAN.
  • the shared root secret is configured to the MS and is static. The MSK is generated on a per packet data session and is only constant during the session. For a new session, a new MSK is generated from the shared root secret using a different random number.
  • one embodiment provides a mechanism to allow the home RADIUS server to determine whether the MS is accessing WLAN or the HDR network.
  • FIG. 1 illustrates a communication system 100 including an HDR network 106 , a WLAN 104 , and an MS 102 .
  • the MS 102 is able to access the HDR network 106 , and has roamed into a WLAN 104 coverage area.
  • the MS 102 seeks access to the WLAN 104 via the AP 110 within the WLAN 104 .
  • WLAN 104 may include any number of APs (not shown).
  • the WLAN 104 also includes an Authentication Authorization and Accounting entity or server 112 .
  • the HDR network 106 also includes an AAA server 108 .
  • FIG. 2 illustrates the message flow for access authentication to a WLAN when CHAP or the MD5-Challenge is used in the communication system 100 .
  • the MS 102 uses a Network Access Identifier (NAI) for identification.
  • NAI Network Access Identifier
  • the NAI has the format of username@realm, where realm identifies the home network of the MS, which in this instance is HDR network 106 .
  • the AAA server 112 in the WLAN network 104 initiates a RADIUS Access-Request message to the AAA server 108 at the home network of the MS 102 , i.e., to the HDR network 106 .
  • the HDR network 106 may be any network that supports high data rate transmissions.
  • the AAA 108 then issues a CHAP Challenge to the MS 102 via the WLAN 104 .
  • the MS 102 calculates a response based on the challenge, such as a random number, and the response is conveyed as a RADIUS Access-Request request to the AAA 108 via the WLAN 104 .
  • the home AAA server 108 acknowledges such with a RADIUS Access-Accept message granting the MS 102 access to the WLAN network 104 .
  • both the home AAA server 108 and the MS 102 generate a same Master Session Key (MSK) from a shared root secret.
  • MSK Master Session Key
  • the CAVE algorithm is commonly used for cellular communications and therefore, is well used and distributed. Alternate algorithms for authentication are also used. Specifically in data communications a variety of algorithms exist of varying complexity and application. To coordinate these mechanisms, the Extensible Authentication Protocol (EAP) has been developed as a general protocol framework that supports multiple authentication and key distribution mechanisms. The EAP is described in “PPP Extensible Authentication Protocol (EAP)” by L. Blunk et al, RFC 2284, published March 1998.
  • EAP Extensible Authentication Protocol
  • EAP AKA Authentication One such mechanism supported by the EAP as defined in “EAP AKA Authentication” by J. Arkko et al., published as an Internet Draft in February 2002, is the AKA algorithm. There is a need therefore to extend EAP to include the cellular algorithm CAVE. This is desirable to provide back compatibility for new systems and networks.
  • the Extensible Authentication Protocol is a general protocol for authentication which supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism during link set up and control, but rather postpones this until the authentication procedure begins. This allows the authenticator to request more information before determining the specific authentication mechanism.
  • the authenticator is defined as the end of the link requiring the authentication. The authenticator specifies the authentication protocol to be used in the during link establishment.
  • a key hierarchy is the sequence of steps that are used to generate from a root key a set of encryption keys that are used to either encrypt/decrypt messages or authenticate messages.
  • a key hierarchy should include some time varying information so that the same set of encryption keys is not generated each time the hierarchy is used.
  • a key hierarchy should also be set up such that if the derived encryption keys were to become known, the root key could not be obtained from the encryption keys.
  • an overall key hierarchy consists of three smaller layered key hierarchies: master key hierarchy; rekeying key hierarchy; and per-packet key hierarchy.
  • the master key hierarchy may include EAP keying, pre-shared key, or random number, depending on the hierarchy and authentication method. If EAP keying is used for the master key hierarchy, the master key hierarchy will normally reside on the RADIUS server.
  • the rekeying key hierarchy has two types which are called Pairwise key hierarchies and Group key hierarchies. The steps in these two types of hierarchies are similar; only the inputs to the two types are different.
  • the per-packet key hierarchy This may be either for TKIP (using an RC4 encryption engine), or for AES.
  • Pairwise key hierarchies are used to derive the keys that are used between two entities in a wireless network (AP and associated station, or a pair of stations in a network).
  • Group key hierarchies are used to derive and transfer keys that are used by all entities in a wireless group (an AP and all stations associated with that AP in a network, or all entities in a network).
  • Pairwise key hierarchies are instantiated in parallel on the two entities that are using the Pairwise key, with each entity calculating the same set of encryption keys using shared information.
  • One of the two entities drives the Pairwise key hierarchy, that entity is known as the Pairwise key owner.
  • the Pairwise key owner is the AP; for other networks each possible pair of stations will have a Pairwise key hierarchy, and the Pairwise key owner is the station of the pair with the lower Medium Access Control layer address.
  • Group key hierarchies are instantiated only on one entity, and the derived encryption keys are promulgated to all the other entities; the entity that drives the Group key hierarchy is the Group key owner.
  • the Group key owner For a given network, such as referred to as a Basic Service Set (BSS), the Group key owner is the AP; for an Independent Basic Service Set (IBSS) network the Group key owner is the current beacon transmitter.
  • BSS Basic Service Set
  • IBSS Independent Basic Service Set
  • a BSS network is made up of an AP and associated stations
  • an IBSS network is made up of a set of stations, all of which are peers of one another.
  • station is a workstation, and includes a mobile station or other wireless device capable of accessing a local area network.
  • Each station will have at least two key hierarchies' instantiated, and quite probably more.
  • the AP will have a Pairwise key hierarchy instantiated for each station that is associated, and also at least one Group key hierarchy; the AP will be the key owner for all these hierarchies.
  • Each associated station will have one Pairwise key hierarchy instantiated, and at least one Group key hierarchy.
  • For the IBSS network each station will have a Pairwise key hierarchy instantiated for every other station in the network, as well as a single Group key hierarchy.
  • the key owner will have a single Group rekeying hierarchy instantiation for the Group keys, and a Pairwise rekeying hierarchy instantiation for each association.
  • a key owner will have a per-packet key hierarchy per Temporary Key Integrity Protocol (TKIP) temporal key for both Group and Pairwise temporal keys (if any).
  • TKIP Temporary Key Integrity Protocol
  • a non-key owner will have a rekeying hierarchy instantiation for Group keys and Pairwise keys per association, and a perpacket key hierarchy per TKIP temporal key for both Group and Pairwise temporal keys (if any).
  • the MSK includes the Cellular Message Encryption Algorithm (CMEA) key, which is used for protecting MS traffic such as to a WLAN, and a Cipher Key (CK).
  • CMEA Cellular Message Encryption Algorithm
  • CK Cipher Key
  • FIG. 3 illustrates the key hierarchy for generating encryption keys to protect traffic between the MS 102 and WLAN network 104 .
  • the process begins with the negotiation of the MS 102 identity.
  • the WLAN 104 then sends a RADIUS access request message to the AAA 108 , which responds with a RADIUS access challenge message.
  • the WLAN 104 passes the challenge to the MS 102 , which calculates a response therefrom.
  • the MS 102 response to the challenge is then provided to the WLAN 104 .
  • step 4 a after the MS 102 sends the authentication response to the WLAN 104 , the MS 102 uses the root secret to generate the Master Session Key (MSK).
  • MSK Master Session Key
  • the WLAN 104 sends the RADIUS access request message to the AAA 108 , including the challenge response.
  • the home AAA server 108 uses the MS 102 root secret to generate the same MSK as generated by the MS 102 at step 4 a .
  • the home AAA server 108 includes the MSK in the RADIUS Access-Accept message, using an attribute, such as the MS-MPPE-Recv-Key attribute.
  • the MS 102 and WLAN network 104 use the procedures such as those specified in the document entitled “Draft Supplement to Standard for Telecommunications and Information Exchange Between Systems—LAN/MAN Specific Requirements—Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY) specifications: Specification for Enhanced Security” IEEE Std 802.11i/D2.0, March 2002, (herein referred to as “the 802.11i standard), to generate encryption keys from the MSK.
  • MAC Medium Access Control
  • PHY physical layer
  • the MSK is defined as:
  • MSK hashing function (secret, challenge, NAI, secret) (1)
  • MSK is the result of applying a hashing function (e.g., CHAP, HMAC) using the following parameters:
  • a hashing function e.g., CHAP, HMAC
  • the MS 102 and home AAA server 108 have all the key materials necessary to generate the same MSK independently. In other words, no additional key materials need be exchanged between the MS 102 and home AAA server 108 for MSK generation. Note that the MSK and the MS 102 access authentication response are generated from a same challenge value. An alternate embodiment generates the MSK from a different random value.
  • a second example according to another embodiment, defines the MSK as:
  • MSK hashing function (secret, NAI, random number) (2)
  • MSK is the result of applying a hashing function (e.g., CHAP, HMAC) on the following parameters:
  • a hashing function e.g., CHAP, HMAC
  • the random number is different from the challenge value.
  • the MSK is generated from a random number that is different from the challenge value used in the MS 102 access authentication.
  • the use of independent challenge values provides less correlation between the MSK and the MS 102 access authentication, and therefore, provides improved security.
  • the random number is sent to the MS 102 and the MSK generated therefrom.
  • the random number is sent to the MS 102 via a RADIUS Access-Accept (step 6 in FIG. 3) and the mechanisms defined in the 802.11i standard (step 7 in FIG. 3).
  • the procedure to generate MSK is used when the MS 102 is accessing a WLAN 104 , and is not used when the MS is accessing 1xEV-DO or other HDR network. This is due to the over the air encryption provided by the HDR system. As the MS initiates the access to either the WLAN network 104 or the HDR network 106 , the MS 102 is able to determine whether MSK generation is needed. However, the home AAA server must also determine when to generate the MSK.
  • a special RADIUS attribute is implemented to notify the AAA 108 to generate an MSK.
  • the WLAN network 104 sends the RADIUS Access-Request message containing a special or designated attribute indicating the MS 102 desires or is requesting WLAN 104 access.
  • the attribute status will trigger the home AAA server 108 to perform MSK generation (if the MS 102 authentication was successful).
  • the home AAA server 108 will not perform MSK generation. Note that for implementation in a system consistent with 3GPP2, the designated attribute is specific to 3GPP2 and thus may be defined as a vendor-specific attribute with the vendor ID of 3GPP2.
  • FIG. 4 illustrates the RADIUS format described in RFC 2865 entitled “Remote Authentication Dial In User Service (RADIUS)” by C. Rigney et al, published June 2000.
  • the data format 200 includes: a code field 202 identifying the type of RADIUS packet (e.g., access request, access reject, etc.); an ID field 204 to coordinate matching requests and responses; and a length field 206 to indicate the length of the associated packet.
  • An attribute 220 is also illustrated, including: a type field 222 identifying the contents of the value field 226 ; a length field 224 giving the length of the attribute; and a value field providing the specific information of this attribute.
  • RADIUS supports vendor-specific attributes, wherein the value field 226 is used to provide the vendor identification, followed by the attribute information.
  • the vendor-specific type may be as described in RFC 2548 entitled “Microsoft Vendor-specific RADIUS Attributes” by G. Zorn, published March 1999, for application to CHAP messages.
  • An alternate embodiment implements a standard attribute called the Network Access Server (NAS) Internet Protocol (IP) address in the RADIUS Access-Request message.
  • the standard attribute identifies the IP address of the RADIUS client originating the RADIUS Access-Request message.
  • the home AAA server 108 is configured with a database containing the IP addresses of all the RADIUS clients in the WLAN network 104 . If the IP address indicated in the NAS IP address attribute matches an address in the database, then the RADIUS Access-Request message is originated from the WLAN network 104 , and the home AAA server 108 will perform MSK generation (if the MS authentication was successful). Otherwise, the home AAA server 108 will not perform MSK generation.
  • the format for the standard attribute is illustrated in FIG. 5, with an example superimposed over the value field.
  • the attribute format 300 includes a type field 302 identifying the contents of a value field 306 ; a length field 304 giving the length of the attribute; and a value field 306 containing the attribute information.
  • the value field 306 may be partitioned into significant fields for type 322 indicating the type of sub-attribute, such as an MSK generation instruction; a length field 324 giving the length of the sub-attribute; and a value field 326 containing the sub-attribute information, such as an MSK generation indicator.
  • the type filed 322 may identify this sub-attribute as an MSK generation instruction using a corresponding predefined code.
  • the value field 326 would then have a value either: 1—instructing the AAA 108 to generate an MSK; or 2—instructing the AAA 108 to not generate the MSK.
  • a wireless device such as MS 102
  • the device 600 includes receive circuitry 602 and transmit circuitry 604 for receiving transmissions and sending transmissions, respectively.
  • the receive circuitry 602 and the transmit circuitry 604 are both coupled to a communication bus 612 .
  • the device 600 also includes a Central Processing Unit (CPU) 606 for controlling operations within the device 600 .
  • the CPU 606 is responsive to computer-readable instructions stored in memory storage devices within the device 600 . Two such storage devices are illustrated as storing the authentication procedure(s) 608 and the MSK generation 610 . Note that alternate embodiments may implement the procedure in hardware, software, firmware, or a combination thereof.
  • the CPU 606 is then responsive to authentication processing instructions from the authentication procedure 608 .
  • the CPU 606 places the authentication procedure 608 messages into a transport format, such as an EAP format. Upon authentication to a WLAN, the CPU 606 is responsive to the MSK generation unit 610 to generate the MSK. The CPU 606 further processes received transport format messages to extract the authentication messages therefrom.
  • a transport format such as an EAP format.
  • the present invention provides a method of enabling a system entity to provide encryption to a communication.
  • a home server By using the home server to generate the MSK, and providing the MSK to a system entity, that entity is provided sufficient information for secure transmissions to a user, such as a MS.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • a general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC.
  • the ASIC may reside in a user terminal.
  • the processor and the storage medium may reside as discrete components in a user terminal.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
US10/177,017 2002-06-20 2002-06-20 Key generation in a communication system Abandoned US20030235305A1 (en)

Priority Applications (21)

Application Number Priority Date Filing Date Title
US10/177,017 US20030235305A1 (en) 2002-06-20 2002-06-20 Key generation in a communication system
AU2003243680A AU2003243680B2 (en) 2002-06-20 2003-06-20 Key generation in a communication system
RU2005101217/09A RU2333607C2 (ru) 2002-06-20 2003-06-20 Генерирование ключей в системе связи
CN201410439953.8A CN104243145A (zh) 2002-06-20 2003-06-20 通信系统中的密钥生成
CNA038192977A CN1720688A (zh) 2002-06-20 2003-06-20 通信系统中的密钥生成
BRPI0311994-7A BR0311994A (pt) 2002-06-20 2003-06-20 geração de chave em um sistema de comunicação
PCT/US2003/019465 WO2004002056A1 (en) 2002-06-20 2003-06-20 Key generation in a communication system
CN201310460165.2A CN103532939B (zh) 2002-06-20 2003-06-20 用于通信系统中的密钥生成的方法和设备
TW092116837A TWI360975B (en) 2002-06-20 2003-06-20 Key generation in a communication system
TW101126108A TWI388180B (zh) 2002-06-20 2003-06-20 通信系統中之金鑰產生
JP2004516007A JP4897215B2 (ja) 2002-06-20 2003-06-20 通信システムにおけるキー発生方法及び装置
EP03761176A EP1525706A4 (en) 2002-06-20 2003-06-20 GENERATING KEYS IN A COMMUNICATION SYSTEM
KR1020047020774A KR101062781B1 (ko) 2002-06-20 2003-06-20 통신 시스템에서의 키 생성
CA2490131A CA2490131C (en) 2002-06-20 2003-06-20 Key generation in a communication system
CA2792490A CA2792490C (en) 2002-06-20 2003-06-20 Key generation in a communication system
CA2862069A CA2862069C (en) 2002-06-20 2003-06-20 Key generation in a communication system
US10/912,898 US7190793B2 (en) 2002-06-20 2004-08-06 Key generation in a communication system
HK15103526.0A HK1203706A1 (zh) 2002-06-20 2006-04-12 通信系統中的密鑰生成
JP2010092578A JP5313200B2 (ja) 2002-06-20 2010-04-13 通信システムにおけるキー発生方法及び装置
TW099142508A TWI376905B (en) 2002-06-20 2010-06-20 Key generation in a communication system
JP2012012031A JP5512709B2 (ja) 2002-06-20 2012-01-24 通信システムにおけるキー発生方法及び装置

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/177,017 US20030235305A1 (en) 2002-06-20 2002-06-20 Key generation in a communication system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US10/912,898 Division US7190793B2 (en) 2002-06-20 2004-08-06 Key generation in a communication system

Publications (1)

Publication Number Publication Date
US20030235305A1 true US20030235305A1 (en) 2003-12-25

Family

ID=29734262

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/177,017 Abandoned US20030235305A1 (en) 2002-06-20 2002-06-20 Key generation in a communication system
US10/912,898 Expired - Lifetime US7190793B2 (en) 2002-06-20 2004-08-06 Key generation in a communication system

Family Applications After (1)

Application Number Title Priority Date Filing Date
US10/912,898 Expired - Lifetime US7190793B2 (en) 2002-06-20 2004-08-06 Key generation in a communication system

Country Status (12)

Country Link
US (2) US20030235305A1 (zh)
EP (1) EP1525706A4 (zh)
JP (3) JP4897215B2 (zh)
KR (1) KR101062781B1 (zh)
CN (3) CN1720688A (zh)
AU (1) AU2003243680B2 (zh)
BR (1) BR0311994A (zh)
CA (3) CA2862069C (zh)
HK (1) HK1203706A1 (zh)
RU (1) RU2333607C2 (zh)
TW (3) TWI360975B (zh)
WO (1) WO2004002056A1 (zh)

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030236982A1 (en) * 2002-06-20 2003-12-25 Hsu Raymond T. Inter-working function for a communication system
US20040073672A1 (en) * 2002-10-08 2004-04-15 Fascenda Anthony C. Self-managed network access using localized access management
US20040162998A1 (en) * 2003-02-14 2004-08-19 Jukka Tuomi Service authentication in a communication system
WO2004084019A2 (en) * 2003-03-14 2004-09-30 Thomson Licensing S.A. Secure web browser based system administration for embedded platforms
US20040203602A1 (en) * 2002-09-12 2004-10-14 Broadcom Corporation Enabling and controlling access to wireless hot spots
US20040221154A1 (en) * 2003-05-02 2004-11-04 Sudhir Aggarwal Mobile security architecture
US20040235468A1 (en) * 2003-05-19 2004-11-25 Luebke Charles J. Wireless network clustering communication system, wireless communication network, and access port for same
US20050074122A1 (en) * 2003-10-07 2005-04-07 Koolspan, Inc. Mass subscriber management
WO2005038608A2 (en) * 2003-10-15 2005-04-28 Koolspan, Inc. Mass subscriber management
US20050160269A1 (en) * 2004-01-20 2005-07-21 Matsushita Electric Works, Ltd. Common security key generation apparatus
US20060007897A1 (en) * 2003-05-15 2006-01-12 Matsushita Electric Industrial Co.,Ltd. Radio lan access authentication system
WO2006005999A1 (en) * 2004-06-29 2006-01-19 Nokia Corporation Enhanced use of a network access identifier in wlan
US20060030293A1 (en) * 2002-09-12 2006-02-09 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US20060046690A1 (en) * 2004-09-02 2006-03-02 Rose Gregory G Pseudo-secret key generation in a communications system
US20060094401A1 (en) * 2004-10-29 2006-05-04 Eastlake Donald E Iii Method and apparatus for authentication of mobile devices
EP1657943A1 (en) * 2004-11-10 2006-05-17 Alcatel A method for ensuring secure access to a telecommunication system comprising a local network and a PLMN
US20060161771A1 (en) * 2002-08-14 2006-07-20 Junbiao Zhang Session key management for public wireless lan supporting multiple virtual operators
US20060173981A1 (en) * 2004-03-11 2006-08-03 Junbiao Zhang Secure web browser based system administration for embedded platforms
WO2007005588A1 (en) * 2005-06-30 2007-01-11 Intel Corporation Reservation with access points
US20070097934A1 (en) * 2005-11-03 2007-05-03 Jesse Walker Method and system of secured direct link set-up (DLS) for wireless networks
US20070263873A1 (en) * 2006-05-15 2007-11-15 Qi Emily H Methods and apparatus for a keying mechanism for end-to-end service control protection
US7310307B1 (en) * 2002-12-17 2007-12-18 Cisco Technology, Inc. System and method for authenticating an element in a network environment
US7325134B2 (en) 2002-10-08 2008-01-29 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US20080104399A1 (en) * 2002-10-08 2008-05-01 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US20090116651A1 (en) * 2006-07-12 2009-05-07 Huawei Technologies Co., Ltd. Method and system for generating and distributing mobile ip key
US20090136032A1 (en) * 2007-11-26 2009-05-28 Kyocera Mita Corporation Image reading apparatus and image forming apparatus
US20090279518A1 (en) * 2006-08-24 2009-11-12 Rainer Falk Method and arrangement for providing a wireless mesh network
US20110138170A1 (en) * 2007-06-15 2011-06-09 Koolspan, Inc. System and method of per-packet keying
US20110199997A1 (en) * 2008-11-04 2011-08-18 Huawei Technologies Co., Ltd. Method, apparatus and system for determining resource indices
US9008312B2 (en) 2007-06-15 2015-04-14 Koolspan, Inc. System and method of creating and sending broadcast and multicast data
EP2854329A4 (en) * 2012-05-23 2015-07-15 Huawei Tech Co Ltd METHOD, SYSTEM AND DEVICE FOR ESTABLISHING SECURE CONNECTION TO A WIRELESS LOCAL NETWORK
US20170338959A1 (en) * 2014-11-17 2017-11-23 Samsung Electronics Co., Ltd. Method and apparatus for providing service on basis of identifier of user equipment
CN108075896A (zh) * 2016-11-11 2018-05-25 华为国际有限公司 使用基于标识的密码学构建自认证消息的系统和方法
EP3916600A1 (en) * 2020-05-27 2021-12-01 Mettler-Toledo (Albstadt) GmbH Method for operating an electronic data processing system and electronic data processing system

Families Citing this family (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8140845B2 (en) * 2001-09-13 2012-03-20 Alcatel Lucent Scheme for authentication and dynamic key exchange
KR100479260B1 (ko) * 2002-10-11 2005-03-31 한국전자통신연구원 무선 데이터의 암호 및 복호 방법과 그 장치
US7787497B1 (en) * 2003-03-03 2010-08-31 Cisco Technology, Inc. System for grouping attributes in packets in a radius protocol
US20050044363A1 (en) * 2003-08-21 2005-02-24 Zimmer Vincent J. Trusted remote firmware interface
US7299354B2 (en) * 2003-09-30 2007-11-20 Intel Corporation Method to authenticate clients and hosts to provide secure network boot
JP3918827B2 (ja) * 2004-01-21 2007-05-23 株式会社日立製作所 セキュアリモートアクセスシステム
JP4009273B2 (ja) * 2004-05-19 2007-11-14 松下電器産業株式会社 通信方法
US7992193B2 (en) * 2005-03-17 2011-08-02 Cisco Technology, Inc. Method and apparatus to secure AAA protocol messages
US20060259759A1 (en) * 2005-05-16 2006-11-16 Fabio Maino Method and apparatus for securely extending a protected network through secure intermediation of AAA information
US7596225B2 (en) * 2005-06-30 2009-09-29 Alcatl-Lucent Usa Inc. Method for refreshing a pairwise master key
KR100770928B1 (ko) * 2005-07-02 2007-10-26 삼성전자주식회사 통신 시스템에서 인증 시스템 및 방법
US7715562B2 (en) * 2006-03-06 2010-05-11 Cisco Technology, Inc. System and method for access authentication in a mobile wireless network
CN101496387B (zh) 2006-03-06 2012-09-05 思科技术公司 用于移动无线网络中的接入认证的系统和方法
US8118214B2 (en) * 2006-03-24 2012-02-21 Atmel Corporation Method and system for generating electronic keys
KR101161258B1 (ko) 2006-04-14 2012-07-02 삼성전자주식회사 프라이버시 키 관리 버전 2 인증 방식을 사용하는 통신시스템에서 인증 시스템 및 방법
KR100739809B1 (ko) 2006-08-09 2007-07-13 삼성전자주식회사 Wpa-psk 환경의 무선 네트워크에서 스테이션을관리하는 방법 및 이를 위한 장치
DE102006038037A1 (de) * 2006-08-14 2008-02-21 Siemens Ag Verfahren und System zum Bereitstellen eines zugangsspezifischen Schlüssels
CN101155092B (zh) * 2006-09-29 2010-09-08 西安电子科技大学 一种无线局域网接入方法、设备及系统
US8176327B2 (en) * 2006-12-27 2012-05-08 Airvana, Corp. Authentication protocol
CN100456725C (zh) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 用于wapi的获取公钥证书的网络系统和方法
CN100456726C (zh) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 基于wapi的互联网接入认证的实现方法
KR101002799B1 (ko) * 2007-03-21 2010-12-21 삼성전자주식회사 이동통신 네트워크 및 상기 이동통신 네트워크에서 이동 노드의 인증을 수행하는 방법 및 장치
US8265281B2 (en) 2007-07-09 2012-09-11 Qualcomm Incorporated IP service authorization in wireless communications networks
US8509440B2 (en) * 2007-08-24 2013-08-13 Futurwei Technologies, Inc. PANA for roaming Wi-Fi access in fixed network architectures
CN101378591B (zh) * 2007-08-31 2010-10-27 华为技术有限公司 终端移动时安全能力协商的方法、系统及装置
CN101399767B (zh) 2007-09-29 2011-04-20 华为技术有限公司 终端移动时安全能力协商的方法、系统及装置
CN101145913B (zh) * 2007-10-25 2010-06-16 东软集团股份有限公司 一种实现网络安全通信的方法及系统
US20090217038A1 (en) * 2008-02-22 2009-08-27 Vesa Petteri Lehtovirta Methods and Apparatus for Locating a Device Registration Server in a Wireless Network
US8660268B2 (en) * 2008-04-29 2014-02-25 Red Hat, Inc. Keyed pseudo-random number generator
US8156333B2 (en) * 2008-05-29 2012-04-10 Red Hat, Inc. Username based authentication security
US9258113B2 (en) * 2008-08-29 2016-02-09 Red Hat, Inc. Username based key exchange
US8695082B2 (en) * 2008-10-27 2014-04-08 Nokia Siemens Networks Oy Method and communication system for accessing a wireless communication network
US20100106971A1 (en) * 2008-10-27 2010-04-29 Domagoj Premec Method and communication system for protecting an authentication connection
US9106426B2 (en) 2008-11-26 2015-08-11 Red Hat, Inc. Username based authentication and key generation
US20100251330A1 (en) * 2009-03-12 2010-09-30 Kroeselberg Dirk Optimized relaying of secure network entry of small base stations and access points
CN102026092B (zh) * 2009-09-16 2014-03-12 中兴通讯股份有限公司 一种移动多媒体广播业务密钥同步的方法及网络
CN102056159B (zh) * 2009-11-03 2014-04-02 华为技术有限公司 一种中继系统的安全密钥获取方法、装置
US9225526B2 (en) * 2009-11-30 2015-12-29 Red Hat, Inc. Multifactor username based authentication
JP2012044327A (ja) * 2010-08-16 2012-03-01 Ntt Docomo Inc 移動通信方法、リレーノード及び無線基地局
CN103797750B (zh) * 2011-09-20 2017-11-24 皇家飞利浦有限公司 组成员对组秘密的管理
KR101172876B1 (ko) 2011-10-19 2012-08-10 인포섹(주) 사용자 단말기와 서버 간의 상호 인증 방법 및 시스템
US20130254125A1 (en) * 2011-12-30 2013-09-26 VideoiGames, Inc. Remote Execution of and Transfer of Rights in Registered Applications
US9537663B2 (en) 2012-06-20 2017-01-03 Alcatel Lucent Manipulation and restoration of authentication challenge parameters in network authentication procedures
US20140153722A1 (en) * 2012-12-03 2014-06-05 Semyon Mizikovsky Restricting use of mobile subscriptions to authorized mobile devices
US9173095B2 (en) * 2013-03-11 2015-10-27 Intel Corporation Techniques for authenticating a device for wireless docking
US9392458B2 (en) * 2013-03-15 2016-07-12 Qualcomm Incorporated Authentication for relay deployment
KR102314917B1 (ko) * 2015-03-19 2021-10-21 삼성전자주식회사 통신 시스템에서 디바이스들 간의 연결 설정 방법 및 장치
EP3297206B1 (en) * 2015-05-08 2020-04-22 Panasonic Intellectual Property Management Co., Ltd. Authentication method, authentication system, and controller
CN106330445B (zh) * 2015-06-19 2019-11-12 中兴新能源汽车有限责任公司 车辆认证方法及装置
US9980133B2 (en) 2015-08-12 2018-05-22 Blackberry Limited Network access identifier including an identifier for a cellular access network node
CN105451245B (zh) * 2015-11-16 2020-02-21 上海斐讯数据通信技术有限公司 一种无线设备管理方法
US11172359B2 (en) * 2017-08-09 2021-11-09 Lenovo (Singapore) Pte. Ltd. Method and apparatus for attach procedure with security key exchange for restricted services for unauthenticated user equipment
RU2726144C1 (ru) * 2019-11-25 2020-07-09 Валерий Алексеевич Степанов Устройство криптографической защиты информации, передаваемой по сетям связи
CN113268722B (zh) * 2021-05-17 2022-04-26 时昕昱 一种个人数字身份管理系统与方法

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3526688B2 (ja) * 1996-03-29 2004-05-17 富士通株式会社 コネクションレスな通信における従量制課金システムおよび方法
EP1040691B1 (en) * 1997-12-10 2007-04-04 XIRCOM Wireless, Inc. Communication system and method for addressing multiple capacity wireless trunk
JPH11215116A (ja) * 1998-01-27 1999-08-06 Nippon Telegr & Teleph Corp <Ntt> 鍵管理方法およびシステム
DE19822795C2 (de) * 1998-05-20 2000-04-06 Siemens Ag Verfahren und Anordnung zum rechnergestützten Austausch kryptographischer Schlüssel zwischen einer ersten Computereinheit und einer zweiten Computereinheit
US6178506B1 (en) * 1998-10-23 2001-01-23 Qualcomm Inc. Wireless subscription portability
HU223924B1 (hu) * 1999-05-21 2005-03-29 International Business Machines Corp. Eljárás és rendszer egy első készülék és egy második készülék közötti biztonságos kommunikáció inicializálására
FI19991733A (fi) * 1999-08-16 2001-02-17 Nokia Networks Oy Autentikointi matkaviestinjärjestelmässä
JP3570310B2 (ja) * 1999-10-05 2004-09-29 日本電気株式会社 無線lanシステムにおける認証方法と認証装置
FI20000760A0 (fi) * 2000-03-31 2000-03-31 Nokia Corp Autentikointi pakettidataverkossa
JP2002009762A (ja) * 2000-06-26 2002-01-11 Sony Corp 情報処理システム、情報処理方法、および情報処理装置、並びにプログラム提供媒体
JP2002124952A (ja) * 2000-10-12 2002-04-26 Furukawa Electric Co Ltd:The 無線ネットワークにおける無線端末の認証方法および無線ネットワークにおける無線端末の認証システム
US8140845B2 (en) * 2001-09-13 2012-03-20 Alcatel Lucent Scheme for authentication and dynamic key exchange

Cited By (85)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8630414B2 (en) 2002-06-20 2014-01-14 Qualcomm Incorporated Inter-working function for a communication system
US20030236982A1 (en) * 2002-06-20 2003-12-25 Hsu Raymond T. Inter-working function for a communication system
US20070226499A1 (en) * 2002-08-14 2007-09-27 Thomson Licensing Session key management for public wireless lan supporting multiple virtual operators
US8145193B2 (en) * 2002-08-14 2012-03-27 Thomson Licensing Session key management for public wireless LAN supporting multiple virtual operators
US20060161771A1 (en) * 2002-08-14 2006-07-20 Junbiao Zhang Session key management for public wireless lan supporting multiple virtual operators
US7239864B2 (en) * 2002-08-14 2007-07-03 Thomson Licensing Session key management for public wireless LAN supporting multiple virtual operators
US20080212535A1 (en) * 2002-09-12 2008-09-04 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US8538426B2 (en) 2002-09-12 2013-09-17 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US20040203602A1 (en) * 2002-09-12 2004-10-14 Broadcom Corporation Enabling and controlling access to wireless hot spots
US8019342B2 (en) 2002-09-12 2011-09-13 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US20060030293A1 (en) * 2002-09-12 2006-02-09 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US20050260972A1 (en) * 2002-09-12 2005-11-24 Broadcom Corporation Enabling and controlling access to wireless hot spots
US7386296B2 (en) * 2002-09-12 2008-06-10 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US7853788B2 (en) 2002-10-08 2010-12-14 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US9294915B2 (en) 2002-10-08 2016-03-22 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US20080104399A1 (en) * 2002-10-08 2008-05-01 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US7325134B2 (en) 2002-10-08 2008-01-29 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US7574731B2 (en) 2002-10-08 2009-08-11 Koolspan, Inc. Self-managed network access using localized access management
US20040073672A1 (en) * 2002-10-08 2004-04-15 Fascenda Anthony C. Self-managed network access using localized access management
US8301891B2 (en) 2002-10-08 2012-10-30 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US8769282B2 (en) 2002-10-08 2014-07-01 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US20110055574A1 (en) * 2002-10-08 2011-03-03 Koolspan, Inc. Localized network authentication and security using tamper-resistant keys
US7940656B2 (en) 2002-12-17 2011-05-10 Cisco Technology, Inc. System and method for authenticating an element in a network environment
US7310307B1 (en) * 2002-12-17 2007-12-18 Cisco Technology, Inc. System and method for authenticating an element in a network environment
US20080081592A1 (en) * 2002-12-17 2008-04-03 Cisco Technology, Inc. System and Method for Authenticating an Element in a Network Environment
US20040162998A1 (en) * 2003-02-14 2004-08-19 Jukka Tuomi Service authentication in a communication system
WO2004084019A3 (en) * 2003-03-14 2004-12-02 Thomson Licensing Sa Secure web browser based system administration for embedded platforms
WO2004084019A2 (en) * 2003-03-14 2004-09-30 Thomson Licensing S.A. Secure web browser based system administration for embedded platforms
US20040221154A1 (en) * 2003-05-02 2004-11-04 Sudhir Aggarwal Mobile security architecture
US20060007897A1 (en) * 2003-05-15 2006-01-12 Matsushita Electric Industrial Co.,Ltd. Radio lan access authentication system
US7127234B2 (en) * 2003-05-15 2006-10-24 Matsushita Electric Industrial Co., Ltd. Radio LAN access authentication system
US20040235468A1 (en) * 2003-05-19 2004-11-25 Luebke Charles J. Wireless network clustering communication system, wireless communication network, and access port for same
US20110004759A1 (en) * 2003-10-07 2011-01-06 Koolspan, Inc. Mass subscriber management
US7325133B2 (en) * 2003-10-07 2008-01-29 Koolspan, Inc. Mass subscriber management
US8515078B2 (en) 2003-10-07 2013-08-20 Koolspan, Inc. Mass subscriber management
US20050074122A1 (en) * 2003-10-07 2005-04-07 Koolspan, Inc. Mass subscriber management
US20080152140A1 (en) * 2003-10-07 2008-06-26 Koolspan, Inc. Mass subscriber management
WO2005038608A3 (en) * 2003-10-15 2006-09-08 Koolspan Inc Mass subscriber management
WO2005038608A2 (en) * 2003-10-15 2005-04-28 Koolspan, Inc. Mass subscriber management
US20050160269A1 (en) * 2004-01-20 2005-07-21 Matsushita Electric Works, Ltd. Common security key generation apparatus
US20060173981A1 (en) * 2004-03-11 2006-08-03 Junbiao Zhang Secure web browser based system administration for embedded platforms
WO2006005999A1 (en) * 2004-06-29 2006-01-19 Nokia Corporation Enhanced use of a network access identifier in wlan
US20060019635A1 (en) * 2004-06-29 2006-01-26 Nokia Corporation Enhanced use of a network access identifier in wlan
WO2006029051A1 (en) * 2004-09-02 2006-03-16 Qualcomm Incorporated Method and apparatus for pseudo-secret key generation to generate a response to a challenge received from service provider
US20060046690A1 (en) * 2004-09-02 2006-03-02 Rose Gregory G Pseudo-secret key generation in a communications system
EP2254305A1 (en) * 2004-09-02 2010-11-24 Qualcomm Incorporated Method and apparatus for pseudo-secret key generation to generate a response to a challenge received from service provider
KR100896365B1 (ko) * 2004-10-29 2009-05-08 모토로라 인코포레이티드 모바일 디바이스 인증 방법 및 장치
DE112005002651B4 (de) * 2004-10-29 2019-11-14 Motorola Solutions, Inc. Verfahren und Vorrichtung zur Authentifikation von mobilen Vorrichtungen
WO2006050200A3 (en) * 2004-10-29 2006-12-07 Motorola Inc Method and apparatus for authentication of mobile devices
US7734280B2 (en) * 2004-10-29 2010-06-08 Motorola, Inc. Method and apparatus for authentication of mobile devices
US20060094401A1 (en) * 2004-10-29 2006-05-04 Eastlake Donald E Iii Method and apparatus for authentication of mobile devices
WO2006050200A2 (en) * 2004-10-29 2006-05-11 Motorola, Inc. Method and apparatus for authentication of mobile devices
EP1657943A1 (en) * 2004-11-10 2006-05-17 Alcatel A method for ensuring secure access to a telecommunication system comprising a local network and a PLMN
US7394800B2 (en) 2005-06-30 2008-07-01 Intel Corporation Reservation with access points
WO2007005588A1 (en) * 2005-06-30 2007-01-11 Intel Corporation Reservation with access points
US20070097934A1 (en) * 2005-11-03 2007-05-03 Jesse Walker Method and system of secured direct link set-up (DLS) for wireless networks
US20100070767A1 (en) * 2005-11-03 2010-03-18 Intel Corporation Method and system of secured direct link set-up (DLS) for wireless networks
US7995546B2 (en) 2005-11-03 2011-08-09 Intel Corporation Method and system of secured direct link set-up (DLS) for wireless networks
EP2988471A1 (en) * 2005-11-03 2016-02-24 Intel Corporation Method, system and readable medium for setting up secure direct links between wireless network stations using direct link set-up (dls) protocol
US9380457B2 (en) 2005-11-03 2016-06-28 Intel Corporation Method and system of secured direct link set-up (DLS) for wireless networks
WO2007056103A1 (en) * 2005-11-03 2007-05-18 Intel Corporation Method, system and readable medium for setting up secure direct links between wireless network stations using direct link set-up (dls) protocol
US20070263873A1 (en) * 2006-05-15 2007-11-15 Qi Emily H Methods and apparatus for a keying mechanism for end-to-end service control protection
WO2007134227A1 (en) * 2006-05-15 2007-11-22 Intel Corporation Methods and apparatus for a keying mechanism for end-to-end service control protection
US7945053B2 (en) 2006-05-15 2011-05-17 Intel Corporation Methods and apparatus for a keying mechanism for end-to-end service control protection
US8542838B2 (en) * 2006-07-12 2013-09-24 Huawei Technologies Co., Ltd. Method and system for generating and distributing mobile IP key
US20090116651A1 (en) * 2006-07-12 2009-05-07 Huawei Technologies Co., Ltd. Method and system for generating and distributing mobile ip key
US9271319B2 (en) 2006-08-24 2016-02-23 Unify Gmbh & Co. Kg Method and arrangement for providing a wireless mesh network
US9560008B2 (en) 2006-08-24 2017-01-31 Unify Gmbh & Co. Kg Method and arrangement for providing a wireless mesh network
US20090279518A1 (en) * 2006-08-24 2009-11-12 Rainer Falk Method and arrangement for providing a wireless mesh network
US8811242B2 (en) * 2006-08-24 2014-08-19 Unify Gmbh & Co. Kg Method and arrangement for providing a wireless mesh network
US9820252B2 (en) 2006-08-24 2017-11-14 Unify Gmbh & Co. Kg Method and arrangement for providing a wireless mesh network
US9209969B2 (en) * 2007-06-15 2015-12-08 Koolspan, Inc. System and method of per-packet keying
US20110138170A1 (en) * 2007-06-15 2011-06-09 Koolspan, Inc. System and method of per-packet keying
US9008312B2 (en) 2007-06-15 2015-04-14 Koolspan, Inc. System and method of creating and sending broadcast and multicast data
US20090136032A1 (en) * 2007-11-26 2009-05-28 Kyocera Mita Corporation Image reading apparatus and image forming apparatus
US20110199997A1 (en) * 2008-11-04 2011-08-18 Huawei Technologies Co., Ltd. Method, apparatus and system for determining resource indices
US8331305B2 (en) 2008-11-04 2012-12-11 Huawei Technologies Co., Ltd. Method, apparatus and system for determining resource indices
US9826398B2 (en) 2012-05-23 2017-11-21 Huawei Technologies Co., Ltd. Secure establishment method, system and device of wireless local area network
EP3503496A1 (en) * 2012-05-23 2019-06-26 Huawei Technologies Co., Ltd. Secure establishment method, system and decive of a wireless local area network
EP2854329A4 (en) * 2012-05-23 2015-07-15 Huawei Tech Co Ltd METHOD, SYSTEM AND DEVICE FOR ESTABLISHING SECURE CONNECTION TO A WIRELESS LOCAL NETWORK
US10687213B2 (en) 2012-05-23 2020-06-16 Huawei Technologies Co., Ltd. Secure establishment method, system and device of wireless local area network
US20170338959A1 (en) * 2014-11-17 2017-11-23 Samsung Electronics Co., Ltd. Method and apparatus for providing service on basis of identifier of user equipment
US10862684B2 (en) * 2014-11-17 2020-12-08 Samsung Electronics Co., Ltd. Method and apparatus for providing service on basis of identifier of user equipment
CN108075896A (zh) * 2016-11-11 2018-05-25 华为国际有限公司 使用基于标识的密码学构建自认证消息的系统和方法
EP3916600A1 (en) * 2020-05-27 2021-12-01 Mettler-Toledo (Albstadt) GmbH Method for operating an electronic data processing system and electronic data processing system

Also Published As

Publication number Publication date
CA2862069A1 (en) 2003-12-31
CN103532939B (zh) 2017-01-11
JP5512709B2 (ja) 2014-06-04
TW200423604A (en) 2004-11-01
HK1203706A1 (zh) 2015-10-30
CA2862069C (en) 2016-07-19
EP1525706A1 (en) 2005-04-27
JP4897215B2 (ja) 2012-03-14
JP2010213305A (ja) 2010-09-24
TW201304486A (zh) 2013-01-16
BR0311994A (pt) 2007-05-22
CA2490131C (en) 2013-01-08
AU2003243680A1 (en) 2004-01-06
CA2792490C (en) 2015-11-24
TWI388180B (zh) 2013-03-01
CN103532939A (zh) 2014-01-22
CA2490131A1 (en) 2003-12-31
TW201123763A (en) 2011-07-01
WO2004002056A1 (en) 2003-12-31
JP5313200B2 (ja) 2013-10-09
US7190793B2 (en) 2007-03-13
EP1525706A4 (en) 2009-06-03
RU2333607C2 (ru) 2008-09-10
KR101062781B1 (ko) 2011-09-06
TWI360975B (en) 2012-03-21
TWI376905B (en) 2012-11-11
RU2005101217A (ru) 2006-01-27
CN1720688A (zh) 2006-01-11
CA2792490A1 (en) 2003-12-31
US20050081036A1 (en) 2005-04-14
AU2003243680B2 (en) 2008-07-17
CN104243145A (zh) 2014-12-24
JP2012134990A (ja) 2012-07-12
KR20050010960A (ko) 2005-01-28
JP2005530277A (ja) 2005-10-06

Similar Documents

Publication Publication Date Title
US7190793B2 (en) Key generation in a communication system
US8094821B2 (en) Key generation in a communication system
US8630414B2 (en) Inter-working function for a communication system
US20030236980A1 (en) Authentication in a communication system
KR101068426B1 (ko) 통신시스템을 위한 상호동작 기능

Legal Events

Date Code Title Description
AS Assignment

Owner name: QUALCOMM INCORPORATED A DELAWARE, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HSU, RAYMOND T.;REEL/FRAME:013057/0933

Effective date: 20020620

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION