US20160149928A1 - Secure group creation in proximity based service communication - Google Patents

Secure group creation in proximity based service communication Download PDF

Info

Publication number
US20160149928A1
US20160149928A1 US14/900,006 US201414900006A US2016149928A1 US 20160149928 A1 US20160149928 A1 US 20160149928A1 US 201414900006 A US201414900006 A US 201414900006A US 2016149928 A1 US2016149928 A1 US 2016149928A1
Authority
US
United States
Prior art keywords
prose
requesting
communication
group
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/900,006
Other languages
English (en)
Inventor
Xiaowei Zhang
Anand Raghawa Prasad
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Assigned to NEC CORPORATION reassignment NEC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PRASAD, ANAND RAGHAWA, ZHANG, XIAOWEI
Publication of US20160149928A1 publication Critical patent/US20160149928A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/086Access security using security domains
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/16
    • H04L67/18
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/51Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/52Network services specially adapted for the location of the user terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • This invention relates to a secure system and a method of forming a secure group, and more specifically, to a secure system that provides a method of forming a secure group in Proximity based Service (ProSe) communication.
  • ProSe Proximity based Service
  • 3GPP 3rd Generation Partnership Project
  • ProSe Proximity based Services
  • 3GPP SA1 Services Working Group
  • UE User Equipment
  • ProSe represents a recent and enormous socio-technological trend.
  • the principle of these applications is to discover instances of the applications running in devices that are within proximity of each other, and ultimately to also exchange application-related data.
  • proximity-based discovery and communications in the public safety community.
  • ProSe communication can provide services to the UEs in proximity via an eNB (Evolved Node B) or without the eNB.
  • the SA1 requires that the ProSe service be provided to UEs with or without network coverage.
  • the UEs can discover other nearby UEs or be discovered by other UEs, and they can communicate with each other. Some use cases can be found in NPL 1.
  • the ProSe server is a network element as agreed in 3GPP SA2#97 to NPL 2.
  • NPL 1 3GPP TR 22.803 Feasibility study for Proximity Services (ProSe), (Release 12)
  • NPL 2 3GPP TR 23.703 Study on architecture enhancements to support Proximity Services (ProSe) (Release 12)
  • 3GPP SA3 offers no security solution.
  • the present invention has been made to present an overall security solution for the above-mentioned security issues.
  • a method of forming a secure group in Proximity based Service (ProSe) communication by a requesting device which requests a communication and a receiving device which receives a communication request from the requesting device, wherein the requesting and receiving devices have subscribed ProSe service the method including requesting a service request to a ProSe server from the requesting device, the service request indicating a request to communicate with the receiving device from the requesting device, performing verification on the requesting and receiving devices by the ProSe server, sending a ProSe Service result to the requesting and receiving devices to inform to be allowed a group member, and starting a group security establishment of the group including the requesting and receiving devices.
  • ProSe Proximity based Service
  • a secure system including a plurality of User Equipments (UEs) and a Proximity based Service (ProSe) server, including a requesting device which requests a communication; and a receiving device which receives a communication request from the requesting device.
  • the requesting device and the receiving device have subscribed ProSe service.
  • the requesting device requests a service request to the ProSe server, the service request indicating a request to communicate with the receiving device from the requesting device.
  • the ProSe server performs verification on the requesting and receiving devices.
  • the ProSe server sends a ProSe Service result to the requesting and receiving devices to inform to be allowed a group member.
  • the requesting and receiving devices start a group security establishment of the group including the requesting and receiving devices.
  • a secure system and a method of forming a secure group in Proximity based Service (ProSe) communication can present solutions for security issues.
  • FIG. 1A is a schematic view showing the ProSe Communication scenario in NPL 1;
  • FIG. 1B is a schematic view showing the ProSe Communication scenario in NPL 1;
  • FIG. 2 is a schematic view showing an example of the systems which provide a method of making a secure communication according to an exemplary embodiment of the present invention
  • FIG. 3 is a schematic view showing a secure system of an exemplary embodiment of the present invention.
  • FIG. 4 is a sequence diagram explaining a method of making a secure communication of an exemplary embodiment of the invention.
  • FIG. 5A is a schematic view showing a One-to-one session
  • FIG. 5B is a schematic view showing a One-to-many session.
  • FIG. 5C is a schematic view showing a Many-to-many session.
  • FIG. 6 is a flow chart showing a method of performing the group management of a case 1 C of an exemplary embodiment.
  • ProSe-Enabled UE
  • a UE that supports ProSe requirements and associated procedures refers both to a non-public safety UE and a public safety UE.
  • ProSe-Enabled Public Safety UE
  • a ProSe-enabled UE that also supports ProSe procedures and capabilities specific to Public Safety.
  • a UE that supports ProSe procedures but not capabilities specific to public safety.
  • FIGS. 1A and 1B are schematic views showing the ProSe Communication scenarios in NPL 1.
  • a system 100 a can decide to perform ProSe Communication using control information exchanged between the UEs 11 , 12 , eNB 19 and an EPC (Evolved Packet Core) 14 (e.g., session management, authorization, security) as shown by the solid arrows in FIG. 1A .
  • EPC Evolved Packet Core
  • the UEs 11 and 12 can in addition exchange control signaling via the ProSe Communication path as shown by the dashed arrow in FIG. 1A .
  • a system 100 b can decide to perform ProSe Communication using control information exchanged between the UEs 11 , 12 , eNB 19 and the EPC 14 (e.g., session management, authorization, security) as shown by the solid arrows in FIG. 1B .
  • the eNBs 11 and 12 may coordinate with each other through the EPC 14 or communicate directly for radio resource management as shown by the dashed arrow between the eNBs 11 and 12 in FIG. 1B .
  • signaling modifications should be minimized with respect to the existing architecture.
  • the UEs 11 and 12 can in addition exchange control signaling via the ProSe Communication path as shown by the dashed arrow between the UE 11 and the UE 12 in FIG. 1B .
  • one or more Public Safety UEs may relay the radio resource management control information for other UEs that do not have network coverage.
  • the control path can exist directly between Public Safety UEs.
  • the Public Safety UEs can rely on pre-configured radio resources to establish and maintain the ProSe Communication.
  • a Public Safety Radio Resource Management Function which can reside in a Public Safety UE, can manage the allocation of radio resources for Public Safety ProSe Communication.
  • FIG. 2 is a schematic view showing an example of the systems which provide a method of making a secure communication according to an exemplary embodiment of the present invention.
  • a system 10 includes the UE 11 , the UE 12 , an E-UTERN 13 , the EPC 14 , a ProSe Function 15 , a ProSe APP Server 16 , a ProSe APP 17 , and a ProSe APP 18 .
  • the UE 11 and the UE 12 can communicate through a PC 5
  • the UE 11 and the E-UTERN 13 communicate through LTE-Uu 1
  • the UE 12 can communicate with the E-UTERN 13 and the ProSe Function 15 through LTE-Uu 2 and a PC 3 , respectively.
  • the EPC 14 and the ProSe Function 15 can communicate through a PC 4
  • the ProSe APP server 16 can communicate with the EPC 14 and the ProSe APP 18 through a SG 1 and a PC 1 , respectively
  • the ProSe Function 15 can communicate by itself through a PC 6 .
  • a new solution is needed for device-to-device direct discovery and communication; for example, a key can be sent from the network to communicating parties, a key can be created between communicating parties, or a similar algorithm for negotiation can be used directly or via the network. Further, a new solution is also needed for the security over the unlicensed spectrum.
  • This mode of operation for ProSe Direct Communication does not require any network assistance to authorize the connection and communication is performed by using only functionality and information local to the UE. This mode is applicable only to pre-authorized ProSe-enabled Public Safety UEs, regardless of whether the UEs are served by E-UTRAN or not.
  • Network authorized direct communication This mode of operation for ProSe Direct Communication always requires network assistance and may also be applicable when only one UE is “served by E-UTRAN” for Public safety UEs. For non-Public Safety UEs both UEs must be “served by E-UTRAN”.
  • ProSe App Server 16 It is the reference point between the ProSe App Server 16 and the ProSe Function 15 . It is used to define the interaction between the ProSe App Server 16 and ProSe functionality provided by the 3GPP EPS via the ProSe Function 15 .
  • One example of use of it may be for application data updates for a ProSe database in the ProSe Function 15 .
  • Another example of use of it may be data for use by the ProSe App Server 16 in interworking between 3GPP functionality and application data, e.g. name translation.
  • EPC 14 It is the reference point between the EPC 14 and the ProSe Function 15 . It is used to define the interaction between the EPC 14 and the ProSe Function 15 . Possible use cases of it may be when setting up a one-to-one communication path between UEs or when validating ProSe services (authorization) for session management or mobility management in real time.
  • This reference point may be used for functions such as ProSe Discovery between users which are subscribed to different PLMNs.
  • SGi In addition to the relevant functions defined in TS 29.061 [10] via SGi, it may be used for application data and application level control information exchange.
  • FIG. 3 is a schematic view showing a secure system of an exemplary embodiment of the present invention.
  • a secure system 1 of an exemplary embodiment of the present invention includes one or more requesting UEs L 01 , an operator network L 02 , and one or more receiving UEs L 03 .
  • a method of performing a secure communication includes steps of a secure group management L 1 , a secure discovery L 2 , an initial authorization L 3 , an authentication L 4 , an authorization L 5 , a security association establishment L 6 , a secure communication L 7 , and a termination L 8 , which are performed between UEs (the requesting UE L 01 , the receiving UE L 03 ) with or without interacting with the operator network L 02 .
  • broadcasting is presented as an example in this exemplary embodiment, but this exemplary embodiment also applies to multiple-casting and one-to-one communications as shown in FIGS. 1A, 1B, and 2 .
  • steps L 1 -L 4 can be in a different order depending on the service or application.
  • Members can join securely, members can leave securely, and an authorization level of service and each of the members, and any other required information can be modified securely.
  • discovery is not secured, a device may start communication with a wrong party or a rogue device, with the result that masquerading attacks can happen that in turn could lead to fraudulent charging.
  • the discovery related communication must be secured, i.e., a UE authenticates identity of other UEs in proximity; integrity protection for discovery and a device should be able to authenticate the message.
  • the initial authorization based on secure discovery will lead to the decision that the discovered device belongs to the group, and thus the next step can start.
  • the next level of authorization will find out what services can be used between the devices which belong to the same group. For example, a UE is allowed to send and receive different types of messages or is only allowed to receive broadcasting messages.
  • the UEs which belong to the same group should have keys to protect their communication such that other UEs which do not belong to the group or an attacker cannot eavesdrop or alter the messages.
  • the communication between UEs in the same group can be protected by the security association, with integrity and/or confidentiality protection according to the subscription service type.
  • the secure termination can provide security when UE(s) suspend or terminate the communication, or when the entire group communication is terminated.
  • FIG. 4 is a sequence diagram explaining a method of making a secure communication between UE 100 and network 200 of an exemplary embodiment of the invention.
  • a group can be any one of
  • a group can be set up for different communication purposes, and group members can be changed.
  • the operator network L 02 can check the requesting UE L 01 which requests the UE L 03 which it wants to communicate with, verify devices if they can communicate with each other, and inform the verified devices at both sides (the requesting UE L 01 and the receiving UE L 03 ) of the request and formation.
  • a UE 100 requests ProSe subscription to a network 200 and creates a group (Step 1 ).
  • the UE 100 needs to meet conditions, that is policy, e.g. interest, specific location etc.
  • the network 200 needs to verify whether UE meets conditions, that is policy, e.g. proximity range, subscription, home network in case of roaming UE, WiFi or not, ProSe enabled, etc.
  • the group is strictly formed, for example, the members of the group should be registered in a whitelist, or the group is dynamically formed on a request from the UE 100 , or by the network 200 if the network 200 knows all UE conditions.
  • UEs 100 For creating a secure group, UEs 100 must agree to be a part of the group, and only “agreed” UEs 100 become group members.
  • a group management includes adding group members, removing group members, ending the group, and adding temporary group members.
  • Each UE 100 can see who is in proximity from e.g. a social network application, and requests for ProSe service, and the ProSe server needs to perform the authorization, but does not have to perform discovery.
  • a UE (the requesting UE L 01 ) can discover other UEs (the receiving UEs L 03 ) in proximity: (1) Broadcast based, (2) Network based, and (3) Device service level information based. How secure discovery can be done will be described as follows.
  • the broadcast message can contain a token that only the given UEs can have.
  • the token should be used only once to prevent the receiving side from reusing it.
  • the UEs can calculate a token each time on receiving the broadcast message, or the network can inform all the UEs of the token to be used next. This can be used for such a use case as an information notification kind of service, since the token can be reused by the receiving side.
  • the broadcast message can be signed by a key that can be verified either by the receiving UEs or by the network for the receiving UEs. Signing can happen by different key management solutions or it can happen using the current keys for communicating with the infrastructure network (or derivation from current keys)—a new key hierarchy might be needed here.
  • the broadcast message can have an ID that can be verified during the authentication and is used initially only for authorization.
  • the broadcast message can contain a random value that can only be generated by the network and UE. Verification of the random value is done by the network on behalf of communicating UEs.
  • Each UE has a specific key belonging to other devices, and thus it sends a potentially long broadcast or a new type of broadcast that is sent in pieces with encrypted/integrity protected parts for each UE in the group.
  • the broadcast message can be signed with time-stamp and life-time. Note that this life-time can be a very short period or can last until the next broadcast.
  • a network can provide information.
  • the network can use the location information received from the UE (the requesting UE L 01 ), and the location information can be protected by the existing network security mechanism.
  • the requesting UE L 01 can use location information provided by a social network or other services. Security can be ensured in an application layer.
  • the UE 100 can set features and/or capabilities of Discovery/Discoverable in D2D (device-to-device communication) server.
  • the UE 100 can request the ProSe server for the ProSe service, and the ProSe server can send out the request for the ProSe service and meanwhile get the other UEs location information.
  • the ProSe server needs to perform the authorization but does not have to perform Discovery.
  • the UEs 100 enable the ProSe and/or UEs 100 to be allowed to get given service/communication means.
  • the UE 100 sends location information periodically protected by a unicast security context.
  • the network 200 requests location information when needed or periodically.
  • the request (step 3 ) can be broadcasted, and the broadcasted message requires security.
  • the response (step 4 ) can be protected by the unicast security context.
  • the Network stores the conditions for proximity, which can also be given by the requesting and receiving UE.
  • the network 200 can broadcast to the receiving UEs in a neighborhood which are allowed to be discovered, and the UEs respond with protected messages.
  • the UE 100 informs the network 200 of its conditions and capabilities at a first communication and/or registration or when any change happens.
  • the broadcast based solutions by the network 200 or the UE 100 require one or more of the following requirements. That is, the receiving side should be able to verify the source, the broadcast message should not be re-used, the network 200 which receives the response should be able to verify it, or the response should be discarded if it is too long.
  • the UE 100 can use one or more of solutions for performing secure discovery.
  • the solutions include a token, a sign, a message, a message ID, a random value, keys, and stamps. Note that those solutions can be used in the step 5 (mutually authenticate, the authentication L 4 ), in the step 6 (authorize, the authorization L 5 ), and in the step 7 (generate keys and negotiate algorithm, the secure communication L 7 ), as shown in FIG. 4 .
  • the steps 5 to 7 can happen together, and might be related to broadcast security.
  • the initial authorization varies according to the above discovery solution.
  • Whether the requesting UE L 01 is allowed to communicate with the receiving UE L 03 can be checked by a network or by the receiving UE L 03 having a proof provided by the network.
  • the requesting UE L 01 and the receiving UE L 03 can perform a mutual authentication over the direct wireless interface.
  • the receiving UE L 03 checks a list maintained by the user or in a UE among the members of the group of devices for ProSe service purpose.
  • authentication takes place. Authentication can be carried out locally or by interacting with the network.
  • UE There should be different levels for access control to services that the requesting UE L 01 and the receiving UE L 03 (hereinafter also referred to as “UE”) can use within the group.
  • a network can set up and provide the policy to the group members including the requesting UE L 01 and the receiving UE L 03 according to UE capabilities and user subscriptions.
  • the network 200 performs authorization for the UEs 100 want to join the group.
  • the group member of UEs 100 verify whether other UEs are authorized by the network by using the session keys.
  • Another method for performing validated authorization is done by (1) a network sending an authorization value to each UE 100 , and each UE 100 uses this value to perform authorization for each other, or (2)
  • Yet another method for performing a validated authorization is done by sending an authorization value from a requesting UE to a receiving UE, and then the receiving UE requests the Network to validate this authorization value and receiving result.
  • Kp is a key related to the group and also may related to a ProSe service. It has an indicator KSI_p related to it. Kp can be sent from ProSe Server to use.
  • Kpc and Kpi are session keys that are derived from Kp at UEs.
  • Kpc is a confidentiality key and Kpi is an integrity protection key.
  • the session keys are used for UE to perform authorization for each other, and ProSe communication setup, and have the direct communication between them.
  • the communicating devices including the requesting UE L 01 and the receiving UE L 03 can start sessions to communicate with each other.
  • the requesting UE L 01 and the receiving UE L 03 should share communication keys.
  • the keys can be a group key, and/or a unique key per communicating device as well as a session key per each session.
  • the key can be managed by the network and sent over the secure communication channel with the network.
  • the key can be managed by the requesting UE L 01 and sent to other devices including the receiving UE L 03 in the communication, over a secure unicast communication channel that can be secured by the network during authentication or verification.
  • the key can also be issued by a third trusted party.
  • FIGS. 5A to 5C are schematic views showing One-to-one, One-to-many, and Many-to-many sessions, respectively. As shown in FIGS. 5A to 5C , a UEa 21 and a UEa 31 indicate the requesting UE L 01 , and a UEb 22 , a UEb 32 , a UEc 33 and a UEn_ 33 n indicate the receiving UE L 03 .
  • the requesting UE L 01 (UEa 21 , the UEa 31 ) and the receiving UE L 03 (UEb 22 , the UEb 32 , the UEc 33 , the UEn_ 33 n ) use two kinds of keys including session keys.
  • Each group has a key Kp for each service (Kp is served as a service key) and a new session key is created for each session.
  • Each group has the key Kp (Kp is served as a group key), and a new session key is created for each session.
  • either the ProSe server or the requesting UE L 01 sends keys.
  • the ProSe server sends the key Kp to the requesting UE L 01 and the receiving UE(s) L 03
  • the requesting UE L 01 sends a session key to the receiving UE(s) L 03 every session.
  • the ProSe server sends both of the key Kp and the session key to the requesting UE L 0 and the receiving UE(s) L 03
  • the requesting UE L 01 sends both of the key Kp and the session key to the receiving UE(s) L 03 .
  • the group changes if someone leaves or is added, when a session ends or a key times out, or when the ProSe server has made a decision, for example, the key Kp and/or the session key should be changed.
  • UEs derive session keys from that for authorization and communication.
  • UEs can be pre-configured with algorithms for key derivation, or the key Kp is related to a KSI (key set identifier) and a service. Because of them, the security problems during UEs' authentication and authorization or the security problems of a key for direct communication may be solved.
  • KSI key set identifier
  • the key set identifier is a number which is associated with the cipher and integrity keys derived during the authentication.
  • the key set identifier can be allocated by the network and sent with the authentication request message to the mobile station where it is stored together with a calculated cipher key CK and an integrity key IK.
  • the purpose of the key set identifier is to make it possible for the network to identify the cipher key CK and integrity key IK which are stored in the mobile station without invoking the authentication procedure. This is used to allow re-use of the cipher key CK and integrity key IK during subsequent connections (session).
  • Secure communication can provide message transmission availability between group member UEs, as well as preventing a message from being eavesdropped on or altered by UEs that do not belong to the group. Also the secure communication can prevent UE from using an unauthorized service.
  • the communication within the group should have integrity and/or confidentiality protection. All the communications can be protected by the session keys described above, after the security association is established.
  • the security policy can be a negotiation and an agreement within the group with or without the support of the operator network L 02 . All the group members should follow the security policy.
  • group and security management need to be updated for the remaining UEs in the group.
  • group and security management need to be updated for the remaining UEs in the group, and a new group and security are needed for the traveler.
  • the ProSe Server should get UE location information from GMLC (Gateway Mobile Location Center) periodically, to compare and compute the location differences of all UEs.
  • GMLC Gateway Mobile Location Center
  • devices When the communication is to be suspended, devices should remove the session key while keeping information of the authentication and authorization.
  • the devices can keep history information, or the allocated token with a lifetime for the next use time to prevent signaling for authentication and authorization again.
  • Smooth handover from an infrastructure to a direct mode will require creation of a key between communicating parties (the requesting UE L 01 and the receiving UE L 03 ) before a handover happens.
  • a key should be allocated to WiFi AP and UEs.
  • the WiFi AP and UEs should authorize and authenticate each other.
  • the key should have a limited life-time.
  • a network can recognize which WiFi AP the UE can communicate with.
  • UEs can find that there is a WiFi AP nearby and the network verifies the WiFi AP.
  • UEs authenticate with the ProSe Server when UEs connect to a WiFi AP.
  • the ProSe Function can allocate keys for the UEs to communicate with a ProSe APP Server.
  • the method of making a secure communication of an exemplary embodiment includes the following features:
  • the operator network L 02 can determine the receiving UE(s) L 03 with which the requesting UE L 01 can communicate, and can ensure secure discovery by either providing security parameters to the requesting UE L 01 or receiving UE L 03 , and providing location information of the receiving UE L 03 to the requesting UE L 01 . Furthermore, the operator network L 02 can perform authentication and authorization for the requesting UE L 01 and receiving UE L 03 , and can support security association between UEs to secure ProSe communication.
  • the ProSe server is a network element as agreed in 3GPP SA2#97 to NPL2.
  • the subscription data of a user/UE indicates whether a UE is ProSe enabled, and if it is so, the subscription data also indicates the UE's ProSe capability which:
  • the subscription data is stored in a ProSe server that interacts with other network elements such as HSS. According to an operator policy, the subscription data can also be retrieved from HSS.
  • the UE can set a trigger event for being discovered and/or discovering and register its policy profile in the ProSe server.
  • the ProSe server can indicate a UE or discard it accordingly, when there is a ProSe service request to the UE.
  • the trigger events can be:
  • the ProSe server Upon receiving a ProSe Service Request from a UE, the ProSe server should verify the following, before initiating the Discovery procedure.
  • the ProSe server informs the requesting UE of the received request and pending.
  • the ProSe server should perform Discovery described above.
  • the ProSe server can request network support for those procedures.
  • the ProSe server informs the result of Discovery, containing a list of accepted UEs, allowed services, allowed communication means, and any other necessary parameters.
  • the requesting UE can automatically be the group manager if there is none and start to perform authentication, authorization, and security association establishment in the group.
  • FIG. 6 is a flow chart showing a method of performing the group management of a Case 1 C of an exemplary embodiment.
  • the system includes the UEa 21 serving as a requesting UE, the UEb 22 serving as a receiving UE, a ProSe server 24 , and an HSS 25 .
  • the method includes the following nine steps SP 1 to SP 9 .
  • the method of performing a secure group management of an exemplary embodiment includes the following features:
  • a network controls whether the requesting and receiving UEs can have ProSe service with each other.
  • the requesting UE can select receiving UEs with which the requesting UE wants to have the ProSe service, and requests a network to perform authorization.
  • the requesting and receiving UEs can set an event trigger for discovering and being discovered, such that it can have a customized setting.
  • the non-transitory computer readable media includes various types of tangible storage media.
  • Examples of the non-transitory computer readable media include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive), a magneto-optic recording medium (such as a magneto-optic disk), a CD-ROM (Read Only Memory), a CD-R, and a CD-R/W, and a semiconductor memory (such as a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory)).
  • the program can be supplied to computers by using various types of transitory computer readable media.
  • Examples of the transitory computer readable media include an electrical signal, an optical signal, and an electromagnetic wave.
  • the transitory computer readable media can be used to supply programs to computer through a wire communication path such as an electrical wire and an optical fiber, or wireless communication path.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
US14/900,006 2013-06-28 2014-06-13 Secure group creation in proximity based service communication Abandoned US20160149928A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2013137291 2013-06-28
JP2013-137291 2013-06-28
PCT/JP2014/003166 WO2014208034A1 (en) 2013-06-28 2014-06-13 Secure group creation in proximity based service communication

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/003166 A-371-Of-International WO2014208034A1 (en) 2013-06-28 2014-06-13 Secure group creation in proximity based service communication

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/655,179 Continuation US20170324754A1 (en) 2013-06-28 2017-07-20 Secure group creation in proximity based service communication

Publications (1)

Publication Number Publication Date
US20160149928A1 true US20160149928A1 (en) 2016-05-26

Family

ID=51162871

Family Applications (4)

Application Number Title Priority Date Filing Date
US14/900,006 Abandoned US20160149928A1 (en) 2013-06-28 2014-06-13 Secure group creation in proximity based service communication
US15/655,179 Abandoned US20170324754A1 (en) 2013-06-28 2017-07-20 Secure group creation in proximity based service communication
US16/696,091 Pending US20200099697A1 (en) 2013-06-28 2019-11-26 Secure group creation in proximity based service communication
US16/830,970 Abandoned US20200228543A1 (en) 2013-06-28 2020-03-26 Secure group creation in proximity based service communication

Family Applications After (3)

Application Number Title Priority Date Filing Date
US15/655,179 Abandoned US20170324754A1 (en) 2013-06-28 2017-07-20 Secure group creation in proximity based service communication
US16/696,091 Pending US20200099697A1 (en) 2013-06-28 2019-11-26 Secure group creation in proximity based service communication
US16/830,970 Abandoned US20200228543A1 (en) 2013-06-28 2020-03-26 Secure group creation in proximity based service communication

Country Status (5)

Country Link
US (4) US20160149928A1 (ja)
EP (1) EP3014916A1 (ja)
JP (1) JP6512111B2 (ja)
CN (2) CN105340310A (ja)
WO (1) WO2014208034A1 (ja)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11184736B2 (en) * 2019-10-08 2021-11-23 International Business Machines Corporation Digital person and digital persona verification
US11310114B2 (en) * 2019-08-14 2022-04-19 Cisco Technology, Inc. Industrial machine configuration using private wireless networking

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI558250B (zh) * 2015-01-06 2016-11-11 宏碁股份有限公司 在鄰近服務限制探索中分群的方法和通訊系統
US9648487B2 (en) 2015-01-06 2017-05-09 Acer Incorporated Method and device for grouping user equipments in proximity services restricted discovery
US10080185B2 (en) * 2015-04-10 2018-09-18 Qualcomm Incorporated Method and apparatus for securing structured proximity service codes for restricted discovery
JP6432739B2 (ja) * 2015-04-13 2018-12-05 パナソニックIpマネジメント株式会社 通信システム、端末、基地局及び通信制御方法
CN111294740B (zh) * 2015-06-05 2021-07-09 华为技术有限公司 一种组通信方法、装置及设备
EP3314922B1 (en) * 2015-06-23 2020-10-28 Interdigital Patent Holdings, Inc. Priority handling for prose communications
US10757569B2 (en) 2016-08-05 2020-08-25 Nokia Technologies Oy Privacy preserving authentication and key agreement protocol for apparatus-to-apparatus communication
US11553348B2 (en) * 2017-11-15 2023-01-10 Nokia Technologies Oy Authorization of applications for direct discovery
US11510258B2 (en) * 2018-05-02 2022-11-22 Nokia Technologies Oy Direct user equipment to user equipment without data network access identifier
CN114697945B (zh) * 2022-04-02 2023-10-24 中国电信股份有限公司 发现响应消息的生成方法及装置、发现消息的处理方法

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130203378A1 (en) * 2012-02-02 2013-08-08 Sierra Wireless, Inc Subscription and charging control for wireless communications between proximate devices
US20130288668A1 (en) * 2012-04-27 2013-10-31 Interdigital Patent Holdings, Inc. Method and apparatus for supporting proximity discovery procedures
US20130287012A1 (en) * 2012-04-27 2013-10-31 Interdigital Patent Holdings, Inc. Method and apparatus for optimizing proximity data path setup
US20130290696A1 (en) * 2012-04-30 2013-10-31 Alcatel-Lucent Usa Inc. Secure communications for computing devices utilizing proximity services
US20140112270A1 (en) * 2012-10-22 2014-04-24 Innovative Sonic Corporation Method and apparatus for direct device to device communication in a wireless communication system
US20140153509A1 (en) * 2012-11-30 2014-06-05 Innovative Sonic Corporation Method and apparatus for establishing proximity service communication in a wireless communication system
US20140243040A1 (en) * 2013-02-28 2014-08-28 Maik Bienas Radio communication devices and cellular wide area radio base station
US20140335791A1 (en) * 2011-12-13 2014-11-13 Lg Electronics Inc. Method and device for providing a proximity service in a wireless communication system
US20140357228A1 (en) * 2013-05-31 2014-12-04 Intel IP Corporation Proximity-based services discovery privacy
US20150079899A1 (en) * 2013-04-02 2015-03-19 Broadcom Corporation Method and apparatus for discovering devices and application users
US20150087233A1 (en) * 2011-12-20 2015-03-26 Lg Electronics Inc. User equipment-initiated control method and apparatus for providing proximity service
US20150223274A1 (en) * 2012-06-21 2015-08-06 Nokia Solutions And Networks Oy Network assisted proximity service session management

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI110560B (fi) * 2000-12-27 2003-02-14 Nokia Corp Ryhmän muodostaminen langattomille kommunikaatiopäätelaitteille
US7069016B2 (en) * 2003-06-23 2006-06-27 Motorola, Inc. Dynamically determining a community of entities in a communication system
DE112004002233B4 (de) * 2003-11-19 2018-07-12 Nimcat Networks Inc. Zeit- und Datensynchronisation zwischen Netzwerkeinrichtungen
ATE390024T1 (de) * 2004-07-07 2008-04-15 Research In Motion Ltd Verfahren und vorrichtung zur erzeugung einer kommunikationsgruppe unter verwendung eines adressbuchs
US7818020B1 (en) * 2007-02-15 2010-10-19 Nextel Communications Company L.P. System and method for joining communication groups
US8522019B2 (en) * 2007-02-23 2013-08-27 Qualcomm Incorporated Method and apparatus to create trust domains based on proximity
EP1976220A1 (en) * 2007-03-30 2008-10-01 British Telecommunications Public Limited Company Computer network
US8577405B2 (en) * 2009-06-12 2013-11-05 Qualcomm Incorporated Systems, methods, and machine-readable media providing location-enabled group management
US8769285B2 (en) * 2009-08-13 2014-07-01 Qualcomm Incorporated Methods and apparatus for deriving, communicating and/or verifying ownership of expressions
WO2011020180A1 (en) * 2009-08-21 2011-02-24 Research In Motion Limited System and method for mobile network inter-device communications
US8619783B2 (en) * 2009-12-18 2013-12-31 Electronics And Telecommunications Research Institute System and method for coupling communication terminals
US8625787B2 (en) * 2010-01-14 2014-01-07 Alcatel Lucent Hierarchical key management for secure communications in multimedia communication system
US8942377B2 (en) * 2010-02-12 2015-01-27 Telefonaktiebolaget L M Ericsson (Publ) Trust discovery in a communications network
US8812657B2 (en) * 2010-04-15 2014-08-19 Qualcomm Incorporated Network-assisted peer discovery
US8862055B2 (en) * 2011-02-04 2014-10-14 Takwak GmBh Systems and methods for defining group of users with mobile devices
WO2012135680A1 (en) * 2011-04-01 2012-10-04 Interdigital Patent Holdings, Inc. System and method for sharing a common pdp context
US8831568B2 (en) * 2011-09-27 2014-09-09 Qualcomm Incorporated Automatic configuration of a wireless device
CN103458354B (zh) * 2012-05-21 2017-03-15 腾讯科技(深圳)有限公司 一种基于位置的群组生成方法、装置及系统

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140335791A1 (en) * 2011-12-13 2014-11-13 Lg Electronics Inc. Method and device for providing a proximity service in a wireless communication system
US20150087233A1 (en) * 2011-12-20 2015-03-26 Lg Electronics Inc. User equipment-initiated control method and apparatus for providing proximity service
US20130203378A1 (en) * 2012-02-02 2013-08-08 Sierra Wireless, Inc Subscription and charging control for wireless communications between proximate devices
US20130288668A1 (en) * 2012-04-27 2013-10-31 Interdigital Patent Holdings, Inc. Method and apparatus for supporting proximity discovery procedures
US20130287012A1 (en) * 2012-04-27 2013-10-31 Interdigital Patent Holdings, Inc. Method and apparatus for optimizing proximity data path setup
US20130290696A1 (en) * 2012-04-30 2013-10-31 Alcatel-Lucent Usa Inc. Secure communications for computing devices utilizing proximity services
US20150223274A1 (en) * 2012-06-21 2015-08-06 Nokia Solutions And Networks Oy Network assisted proximity service session management
US20140112270A1 (en) * 2012-10-22 2014-04-24 Innovative Sonic Corporation Method and apparatus for direct device to device communication in a wireless communication system
US20140153509A1 (en) * 2012-11-30 2014-06-05 Innovative Sonic Corporation Method and apparatus for establishing proximity service communication in a wireless communication system
US20140243040A1 (en) * 2013-02-28 2014-08-28 Maik Bienas Radio communication devices and cellular wide area radio base station
US8855645B2 (en) * 2013-02-28 2014-10-07 Intel Mobile Communications GmbH Radio communication devices and cellular wide area radio base station
US20150079899A1 (en) * 2013-04-02 2015-03-19 Broadcom Corporation Method and apparatus for discovering devices and application users
US20140357228A1 (en) * 2013-05-31 2014-12-04 Intel IP Corporation Proximity-based services discovery privacy

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Peng, Ying, et al. "Discovery of device-device proximity: Physical layer design for D2D discovery." Communications in China-Workshops (CIC/ICCC), 2013 IEEE/CIC International Conference on. IEEE, 2013. *
Raghothaman, Balaji, et al. "Architecture and protocols for LTE-based device to device communication." Computing, Networking and Communications (ICNC), 2013 International Conference on. IEEE, 2013. *
Tsai, Yi-Hsueh, et al. "Proximity-Based service beyond 4g network: Peer-aware discovery and communication using E-UTRAN and WLAN." Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on. IEEE, 2013. *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11310114B2 (en) * 2019-08-14 2022-04-19 Cisco Technology, Inc. Industrial machine configuration using private wireless networking
US11184736B2 (en) * 2019-10-08 2021-11-23 International Business Machines Corporation Digital person and digital persona verification

Also Published As

Publication number Publication date
CN105340310A (zh) 2016-02-17
WO2014208034A1 (en) 2014-12-31
JP6512111B2 (ja) 2019-05-15
CN108990063A (zh) 2018-12-11
JP2016530732A (ja) 2016-09-29
US20200228543A1 (en) 2020-07-16
EP3014916A1 (en) 2016-05-04
US20200099697A1 (en) 2020-03-26
US20170324754A1 (en) 2017-11-09

Similar Documents

Publication Publication Date Title
US20220029975A1 (en) Authentication and authorization in proximity based service communication using a group key
US20200228543A1 (en) Secure group creation in proximity based service communication
US20160381543A1 (en) Secure discovery for proximity based service communication
US20160164875A1 (en) Secure system and method of making secure communication
CN105706390B (zh) 在无线通信网络中执行设备到设备通信的方法和装置
WO2018079690A1 (ja) 通信システム、ネットワーク装置、認証方法、通信端末、及びセキュリティ装置
WO2018079692A1 (ja) 通信システム、基地局、制御方法、及びコンピュータ可読媒体
WO2009012052A1 (en) Fast transitioning resource negotiation
WO2022247812A1 (zh) 一种鉴权方法、通信装置和系统
KR102209289B1 (ko) 이동 통신 시스템 환경에서 프록시미티 기반 서비스를 위한 보안 및 정보 지원 방법 및 시스템
CN114650532A (zh) 一种协议数据单元会话建立方法及装置

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEC CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ZHANG, XIAOWEI;PRASAD, ANAND RAGHAWA;REEL/FRAME:038293/0824

Effective date: 20160401

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION