WO2001022685A1 - Procede et systeme d'etablissement de connexions protegees - Google Patents


Info

Publication number
WO2001022685A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
access
network
access point
key
Prior art date
Application number
PCT/SE2000/001795
Other languages
English (en)
Inventor
Andras Gergely Valko
Istvan Maricza
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to AU76942/00A
Publication of WO2001022685A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/50 Secure pairing of devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Definitions

  • This invention is concerned with a method and arrangement in a communication network for establishing a secure connection between one or more access points and a terminal in a network.
  • The invention is especially advantageous in handover processes in wireless packet based networks for communication with a mobile terminal.
  • A security risk in wireless communication is that the information can be listened in to or intercepted by unauthorised entities. Therefore, most wireless networks include some kind of built-in security functions. In the network there are of course, in addition to the different built-in security functions, access points which may require passwords and other information for entering the wireless network.
  • A risk in a packet data based network is that the packets transferred in the network may arrive at or be caught by wrong terminals. Another risk is that a terminal may impersonate another one and send packets on behalf thereof.
  • Wireless packet data systems include the security risks of both wireless communication and packet data networks. These risks can potentially make the system highly vulnerable to security attacks. Reliable security functions are essential in getting wireless packet data networks widely accepted.
  • In wireless access networks, however, packets exchanged between mobile terminals and wireless access points also carry important control information related to mobile users. This represents a potential security risk enabling malicious users to listen to or forge control information. Forged packets could interfere with routing, charging, location management or other functions associated with the attacked user. In addition to end-to-end security functions, wireless access networks therefore have local mechanisms to authenticate and encrypt packets exchanged between mobile devices and wireless access points.
  • By decoupling local authentication and encryption mechanisms from end-to-end security support, it is ensured that charging and authentication information related to a particular mobile user remains protected even when the user is engaged in a "regular", i.e. unprotected, session.
  • This decoupling allows mobile users to run secure data sessions over a secure wireless network without sharing end-to-end secret keys with the access network. It is furthermore advantageous if the endpoint of this local secure relationship is at any time the access point to which the mobile terminal is actually connected. This allows packets originating from mobile units to be authenticated as soon as they enter the access network. This is important because packets originating from mobile units may trigger actions related to charging and routing information associated with the sending mobile device.
  • Symmetric methods rely on a secret key shared by two or more entities. This key must be exchanged between the communicating parties prior to communication and the same key is used for both encryption and decryption.
  • the sender uses the secret key to compute an authentication field or to encrypt a payload.
  • the receiver uses the same key to verify the authentication field or to decrypt the packet.
  • An example of a method of exchanging secret keys is disclosed in the RFC 2409 standard concerned with Internet Key Exchange.
  • A secret key based packet authentication mechanism is presented in P. Metzger, W. Simpson, "IP Authentication using Keyed MD5", Internet RFC 1828, August 1995.
  • Asymmetric security solutions rely on pairs of public and private keys.
  • An entity willing to send authenticated packets uses its own private, i.e. secret, key to generate the authentication field.
  • the sender advertises the public key associated with its private key. Authentication data generated by a given private key can only be decoded using the associated public key. This allows receivers having the public key to determine whether the packet was really transmitted by the claimed sender.
  • PGP digital signatures are an example of asymmetric authentication.
  • two binary numbers are generated, the public and the private key. These are saved in a separate file, but the public key is converted to ASCII format so that it can be distributed to everyone that intends to send messages to the user.
  • the private key shall be kept secret and it is even encrypted before saving.
  • both symmetric and asymmetric security techniques require the receiver to have some kind of security information associated with the sender.
  • In symmetric solutions this information is the shared secret key, whereas in asymmetric solutions it is the sender's public key.
  • Security information must either be available to the sender and the receiver prior to communication or it must be obtained when the communication session is established.
  • a mobile terminal is allowed to roam large areas while maintaining connectivity to a wired network.
  • the terminals may migrate from one access point to another during active communication sessions by means of handover methods.
  • the access point through which the communication is performed is changed.
  • Security considerations require the mobile terminal to have a secure relationship with the access point to which it is actually attached.
  • Another solution for the access points is to obtain security information from an adjacent access point, to which the mobile terminal has been connected prior to handover. Whereas this solution eliminates the scalability problems represented by the server approach, it has similar disadvantages in terms of the requirement of relying on explicit signalling messages. In addition, some access networks may not support direct communication between access points .
  • MOTOROLA INC. discloses an example of a prior art handover method in the published International Patent Application WO 96/36191. It describes a system in which handover involves exchanging control messages between access points and (semi-)centralised control points. This system also gives a possibility for security information related to the mobile device to be exchanged in the same way. In the method disclosed in this prior patent application, there is a need for centralised control and for control messaging at handover. Another example of a method that involves control messages between access points at handover is disclosed in the published European Patent Application 0 851 633, filed by LUCENT TECHNOLOGIES INC.
  • GSM: Global System for Mobile Telecommunications.
  • The object of the present invention is to provide a method in which the mobile device is not required to act as a relay station, thereby avoiding the use of the constrained radio resources and power available to the mobile device for this purpose.
  • relaying through the mobile device only works if the mobile spends a sufficient amount of time within the area in which the two access points are reachable by wireless communication.
  • the method disclosed in the cited International Patent Application WO 97/01943 is only capable of providing authentication once, when handover is performed.
  • An object of this invention is to find a more general method in which any message sent between a mobile device and an access point can use the shared secret for security.
  • the general object of the invention is to provide a method that allows mobile terminals to establish secure relationships in a very short time at handover.
  • the object of the invention is to provide a method that does not presuppose the use of any signalling messages for handover.
  • a method is provided to be used in a packet based communication network for establishing a secure communication between an access point and an entity, the network comprising an access network having access points for two or more entities belonging to the access network.
  • a first access point is contacted in an access network with the intention to initiate a session from an entity in the network.
  • a secret key is generated from the information obtained from the entity at the first access point using a converter known by two or more access points of the network.
  • the secret key is sent from the first access point to the entity using encryption which is decrypted at the entity.
  • the secret key is then used as a shared security key in communication between the mobile terminal and any access point of the network knowing the converter .
  • a function is stored in the access points for generating a secret key from identification information of the entities in the access network.
  • Initial authentication can be performed by the entity by communicating identification information of the entity to a first access point in the network to prove the identity of the entity.
  • the identification information is non-encrypted or encrypted using a key that is shared by all entities in the access network.
  • the generation of the secret key in the converter can be carried out by means of a function f or by means of a secret number shared by the access points which use it as a parameter for a pre-defined, well-known function generating the secret key.
  • the function f can be stored by the access point in a mathematical form or as a lookup table.
  • the input of the function f could be the identification information of the first entity and the output is an arbitrary password.
  • An important benefit of the invention is that a secure communication between an access point in the access network and the mobile terminal can be achieved without any previous signalling about the identity of the mobile terminal. Even if each access point does not know the password of each mobile device, authentication and/or encryption can be achieved between a mobile device and any access point or base station in this method. This is achieved with the function f, which is used to generate a password for each mobile terminal. For the mobile device, the password appears to be random, but from the point of view of the access point, it is not random as it is generated by the same function.
  • the method can support any secret based authentication or encryption algorithm, for example CAST or IDEA.
  • CAST is described in the Internet RFC 2144.
  • IDEA is the "International Data Encryption Algorithm" described at http://www.ascom.ch/infosec/idea.html.
  • No signalling messages in the access network are required, except for the initial distribution of the generated secret key. The avoiding of signalling messages at handover makes handover smoother because the only handover delay caused is the time that it takes to derive the secret key and the actual security calculation associated therewith.
  • the method described herein can be combined with other security techniques, e.g. mobile terminals may use generated secret keys to authenticate packets and at the same time use the public key of the access network to encrypt the same packets. Due to the low cost involved, it can be used to authenticate each data packet if necessary. In this case, it is advantageous for the access point to temporarily store generated secret keys associated with devices currently connected to it.
  • The method described herein scales to almost an arbitrary number of access points and mobile terminals. In systems in which handover does not need control information exchange between the old and new access points or between access points and central controllers, it becomes a burden if the security key must be explicitly exchanged between these entities. The method as described herein is especially important in these systems.
  • The invention is, in addition to wireless access networks, applicable to all scenarios in which an entity needs to establish a secure relationship with a set of entities which are in a secure relationship with one another.
  • The main idea is that one entity can perform some initial security negotiation with one of the other entities, and after the initial security negotiation, the entity must be able to start secure communication without further negotiation and without the entities having to communicate with one another beforehand.
  • FIG. 1 is a schematic view of a network allowing a secure communication between an access point and an entity
  • FIG. 2 is a general block scheme of a method performed in the network of Figure 1 for establishing the secure communication
  • a network 14 comprising an access network 13 having access points 10, through which mobile terminals 11 can establish communication with the access network.
  • the network also comprises a server 12 storing information on the mobile terminals belonging to the access network.
  • the access network 13 represents a single administrative domain and its access points 10 and potentially other entities may have shared secrets, like public encryption keys.
  • an encryption system comprising public and private keys is used.
  • all the entities in the access network share the public encryption keys for encryption of their messages, whereas every entity has an own private key for decryption.
  • the function f can be almost any function as long as each access point knows it .
  • the input of the function is the identifier or identification information of the mobile terminal and its output is a number.
  • It should not be easy, e.g. for an intruder, to determine the function f, but f does not have to be a cryptographically strong function.
  • An example of the function f is to compute the MD5 hash, described in R. Rivest, "MD5 Digest Algorithm", RFC 1321, April 1992, from the concatenation of the mobile terminal identifier and the secret password of the access network, which can be any secret shared by the access points.
  • the access points can share a secret number and use it as a parameter for a pre-defined, well-known function.
  • Outputs of f may be fixed or have variable lengths.
  • It is required for f to be known by all access points of the network and to be unknown to entities not belonging to the access network.
  • Access points will typically store f either in a mathematical form as an algorithm or as a lookup table.
  • A mobile terminal 11 first performs initial authentication and thereafter connects to an access network according to step 1.
  • This step may be omitted in access networks that allow any device to connect to it.
  • the initial authentication process may be identical to authentication solutions generally used in the Internet, because it is performed only once and delay requirements can be relaxed.
  • the access network uses its secret function f to convert the mobile terminal identifier to an output that here will be called the generated secret key in accordance with step 2.
  • This output is then communicated to the mobile terminal in accordance with step 3 using encryption so that other terminals cannot capture it.
  • communication between the mobile terminal and the access point can take place using the generated secret key.
  • the mobile terminal can send messages via the access point and messages from the access point can be sent using the generated secret key.
  • the generated secret key can be used for encryption of packets.
  • Other aspects of security are authentication, data integrity, and non-repudiation.
  • encryption means protecting the content of messages so that only those users who have the right key can read it.
  • With authentication, the receiver verifies that the message was transmitted by the claimed origin and was not transmitted by somebody else.
  • With non-repudiation, the receiver proves that the sender transmitted the message or the receiver received the message.
  • When a mobile terminal 11 starts a session, it first communicates its global mobile terminal identifier to an access point 10 of the access network in step 1'. This allows the access network to find and contact a server 12 in step 2' that contains security information related to the mobile terminal 11.
  • The access network downloads the public cryptographic key of the mobile terminal 11 sent from the server 12 in step 3' and uses it to encrypt the generated secret key in step 5'.
  • the access point can obtain a private encryption key and use it to encrypt the generated secret key, as a message can be encrypted using either the public or private encryption key.
  • the access network can obtain the secret private key of the mobile terminal if the access network has a secure relationship with the "home" of the mobile terminal or with any server that knows this secret private key. Then it can get the secret private key and use it for encryption.
  • the access network can have a central unit that does this .
  • This access point informs the central unit (server) that the mobile device has made contact.
  • the central unit contacts the home of the mobile terminal and gets the secret key if there is trust among access networks.
  • it encrypts the generated secret key using the private key and sends it to the terminal .
  • The encrypted generated secret key is transmitted over the wireless channel to the mobile terminal 11 as is indicated in step 6'. If the mobile terminal 11 is indeed the device that it claimed to be, it can decrypt the generated secret key in accordance with reference number 7' using its private encryption key. The transmitted message is useless for any other mobile terminal. The mobile terminal 11 can now use the generated secret key to authenticate or encrypt its packets in accordance with reference number 8' and send them to any access point in the access network.
  • The mobile terminal shares a secret with all access points of the access network. This is achieved without the mobile terminal ever having contacted the access points, and hence the method is scalable to very large networks.
  • the mobile terminal and the access points can now use any shared secret based security technique available.
  • the access network has different secrets to share with different mobile terminals.
  • The mobile terminal can use the generated secret key to authenticate and/or encrypt its packets, but the generated secret key is never used to encrypt the identifier of the mobile terminal.
  • The identifier is either not encrypted at all or it is encrypted using another key that is shared by all mobile terminals, e.g. the public encryption key of the access network. This allows the access points to identify the claimed sender of received packets. The access point then uses f to compute the generated secret key of the claimed sender.
  • The access point can then decode the authentication information to verify the identity of the sender and/or it can decrypt the packet.
  • access points can use the generated secret key to encrypt or authenticate a packet transmitted to a given mobile terminal, which can then decrypt or verify the packet using its own generated secret key.
  • The access point may temporarily store the mapping of mobile terminal identifiers to generated secret keys in order to avoid frequent recomputation of generated secret keys.
  • the transmission of plain text mobile terminal identifiers is not acceptable if the identity of attached mobile devices should be kept secret.
  • The initial authentication process can include assigning a (possibly random) temporary identifier to the mobile terminal, or a temporary identifier can be generated by encrypting the real identifier using the public cryptographic key of the access network.
  • the secret key will then be generated using the temporary identifier, but in other aspects, the mechanism remains the same.
  • Some wireless channels have built-in security, whereas other ones have no such functionality. In the latter case, higher layers will provide security information.
  • the invention is applicable for both cases.
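The following added example (not code from the patent or from Ericsson) models the mechanism described above with the Python standard library: the converter f is the patent's own MD5-of-concatenation example, the packet format, the HMAC-SHA256 authentication field, the network secret and the terminal identifier are constructed assumptions, and the encrypted delivery of the generated key under the terminal's public key (steps 3 to 7') is taken as already done out of band. It shows a terminal attaching at one access point and then being verified at a second access point that has never heard of it, plus the three failure cases a defender cares about: a tampered payload, an impersonator who knows the identifier but not the key, and an access point outside the domain that does not know f.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length; part of the constructed packet format


def f_generated_key(terminal_id: bytes, network_secret: bytes) -> bytes:
    """The converter f as in the patent's example: MD5 over (terminal identifier ||
    secret shared by all access points). Any access point knowing network_secret can
    recompute the key from the identifier alone, with no per-terminal state.
    Raw MD5 follows the patent text; a current design would use an HMAC-based KDF."""
    return hashlib.md5(terminal_id + network_secret).digest()


def compute_tag(key: bytes, terminal_id: bytes, payload: bytes) -> bytes:
    """Authentication field keyed with the generated secret key. The identifier is
    length-prefixed inside the MAC input so id/payload boundaries are unambiguous."""
    data = bytes([len(terminal_id)]) + terminal_id + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def build_packet(key: bytes, terminal_id: bytes, payload: bytes) -> bytes:
    """Terminal side. Constructed wire format: id length (1 byte) | id | payload | tag.
    The identifier travels in clear (never under the generated key) so that the
    receiving access point can identify the claimed sender and recompute f."""
    if not 0 < len(terminal_id) < 256:
        raise ValueError("identifier length must fit in one byte")
    header = bytes([len(terminal_id)]) + terminal_id
    return header + payload + compute_tag(key, terminal_id, payload)


def parse_packet(pkt: bytes):
    """Split a packet into (identifier, payload, tag); None if structurally malformed."""
    if len(pkt) < 2 + TAG_LEN:
        return None
    n = pkt[0]
    if n == 0 or len(pkt) < 1 + n + TAG_LEN:
        return None
    return pkt[1:1 + n], pkt[1 + n:-TAG_LEN], pkt[-TAG_LEN:]


class AccessPoint:
    """One access point of an administrative domain; shares only network_secret with peers."""

    def __init__(self, name: str, network_secret: bytes):
        self.name = name
        self.network_secret = network_secret
        self.key_cache = {}  # optional id -> generated key mapping to avoid recomputation

    def key_for(self, terminal_id: bytes) -> bytes:
        key = self.key_cache.get(terminal_id)
        if key is None:
            key = f_generated_key(terminal_id, self.network_secret)
            self.key_cache[terminal_id] = key
        return key

    def initial_attach(self, real_id: bytes, hide_identity: bool = False):
        """Steps 1-3: after initial authentication (assumed done), derive the generated
        secret key for the terminal. Its encrypted delivery is assumed out of band.
        With hide_identity a random temporary identifier is assigned and used as the
        input of f instead of the real identifier, as the description allows."""
        used_id = secrets.token_bytes(8) if hide_identity else real_id
        return used_id, self.key_for(used_id)

    def verify_packet(self, pkt: bytes):
        """Any access point of the domain, with no prior contact with the terminal,
        recomputes f(claimed id) and checks the tag. Returns (id, payload) or None."""
        parsed = parse_packet(pkt)
        if parsed is None:
            return None
        terminal_id, payload, tag = parsed
        expected = compute_tag(self.key_for(terminal_id), terminal_id, payload)
        if not hmac.compare_digest(tag, expected):
            return None  # forged sender, tampered payload, or wrong domain secret
        return terminal_id, payload


# Constructed scenario: two access points of one domain, one foreign one, one terminal.
NETWORK_SECRET = b"constructed-domain-secret"
TERMINAL_ID = b"constructed-terminal-id-0001"
ap_a = AccessPoint("AP-A", NETWORK_SECRET)
ap_b = AccessPoint("AP-B", NETWORK_SECRET)
foreign_ap = AccessPoint("AP-foreign", b"constructed-other-secret")


def handover_demo():
    """Attach at AP-A, then send to AP-B with no signalling between the two."""
    tid, key = ap_a.initial_attach(TERMINAL_ID)
    pkt = build_packet(key, tid, b"location update")
    # Flip one bit of the last payload byte, keeping the original tag.
    tampered = pkt[:-TAG_LEN - 1] + bytes([pkt[-TAG_LEN - 1] ^ 0x01]) + pkt[-TAG_LEN:]
    # Impersonator knows the (cleartext) identifier but not the generated key.
    forged = build_packet(b"constructed-wrong-key", tid, b"location update")
    return {
        "accepted_at_b": ap_b.verify_packet(pkt),
        "keys_agree": ap_a.key_for(tid) == ap_b.key_for(tid),
        "tampered_rejected": ap_b.verify_packet(tampered) is None,
        "impersonation_rejected": ap_b.verify_packet(forged) is None,
        "foreign_ap_rejects": foreign_ap.verify_packet(pkt) is None,
    }


if __name__ == "__main__":
    print(handover_demo())
```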

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method is described for establishing a secure communication in a packet network comprising an access network (13) with access points (10) for at least two mobile terminals (11) belonging to the access network. In the method according to the invention, a first access point is contacted by a mobile terminal with the intention of initiating a session from the mobile terminal. A secret key is generated by means of a function f stored in the access point, applied to the information coming from the mobile terminal at the first access point by a converter known to at least two access points. The secret key is sent from the first access point to the mobile terminal with an encryption that is decrypted at the mobile terminal. The secret key is then used as a shared security code for communications between the mobile terminal and any access point knowing the converter.
PCT/SE2000/001795 1999-09-20 2000-09-15 Procede et systeme d'etablissement de connexions protegees WO2001022685A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU76942/00A AU7694200A (en) 1999-09-20 2000-09-15 Method and arrangement for communications security

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9903370-6 1999-09-20
SE9903370A SE519471C2 (sv) 1999-09-20 1999-09-20 Metod för att etablera en säker förbindelse mellan accesspunkter och en mobilterminal i ett paketförmedlat nät

Publications (1)

Publication Number Publication Date
WO2001022685A1 true WO2001022685A1 (fr) 2001-03-29

Family

ID=20417062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2000/001795 WO2001022685A1 (fr) 1999-09-20 2000-09-15 Procede et systeme d'etablissement de connexions protegees

Country Status (3)

Country Link
AU (1) AU7694200A (fr)
SE (1) SE519471C2 (fr)
WO (1) WO2001022685A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2374497A (en) * 2001-04-03 2002-10-16 Ericsson Telefon Ab L M Facilitating legal interception of IP connections
EP1322091A1 (fr) * 2001-12-19 2003-06-25 Canon Kabushiki Kaisha Système de communication, dispositif serveur, dispositif client et méthode de commande
WO2004034717A1 (fr) * 2002-09-30 2004-04-22 Siemens Aktiengesellschaft Verification d'une habilitation d'enregistrement par jeton d'habilitation d'acces
KR100628566B1 (ko) * 2005-04-25 2006-09-26 삼성전자주식회사 무선랜에서 보안 정보 형성 방법
WO2010127806A1 (fr) * 2009-05-06 2010-11-11 Heinrich-Heine-Universität Düsseldorf Procédé d'utilisation conjointe de points d'accès sans fil à un réseau de communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997001943A1 (fr) * 1995-06-29 1997-01-16 Ericsson Inc. Procedes d'authentification et de transfert et systemes de communications radio personnelles
WO1997012461A1 (fr) * 1995-09-27 1997-04-03 Telefonaktiebolaget Lm Ericsson (Publ) Procede de codage d'informations
US5850444A (en) * 1996-09-09 1998-12-15 Telefonaktienbolaget L/M Ericsson (Publ) Method and apparatus for encrypting radio traffic in a telecommunications network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997001943A1 (fr) * 1995-06-29 1997-01-16 Ericsson Inc. Procedes d'authentification et de transfert et systemes de communications radio personnelles
WO1997012461A1 (fr) * 1995-09-27 1997-04-03 Telefonaktiebolaget Lm Ericsson (Publ) Procede de codage d'informations
US5850444A (en) * 1996-09-09 1998-12-15 Telefonaktienbolaget L/M Ericsson (Publ) Method and apparatus for encrypting radio traffic in a telecommunications network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MOLVA R ET AL: "AUTHENTICATION OF MOBILE USERS", IEEE NETWORK: THE MAGAZINE OF COMPUTER COMMUNICATIONS,US,IEEE INC. NEW YORK, vol. 8, no. 2, 1 March 1994 (1994-03-01), pages 26 - 34, XP000515077, ISSN: 0890-8044 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2374497A (en) * 2001-04-03 2002-10-16 Ericsson Telefon Ab L M Facilitating legal interception of IP connections
GB2374497B (en) * 2001-04-03 2003-03-12 Ericsson Telefon Ab L M Facilitating legal interception of IP connections
EP1322091A1 (fr) * 2001-12-19 2003-06-25 Canon Kabushiki Kaisha Système de communication, dispositif serveur, dispositif client et méthode de commande
US7424605B2 (en) 2001-12-19 2008-09-09 Canon Kabushiki Kaisha Communication system, server device, client device and method for controlling the same
WO2004034717A1 (fr) * 2002-09-30 2004-04-22 Siemens Aktiengesellschaft Verification d'une habilitation d'enregistrement par jeton d'habilitation d'acces
US7171202B2 (en) 2002-09-30 2007-01-30 Siemens Aktiengesellschaft Verifying check-in authentication by using an access authentication token
KR100628566B1 (ko) * 2005-04-25 2006-09-26 삼성전자주식회사 무선랜에서 보안 정보 형성 방법
WO2010127806A1 (fr) * 2009-05-06 2010-11-11 Heinrich-Heine-Universität Düsseldorf Procédé d'utilisation conjointe de points d'accès sans fil à un réseau de communication

Also Published As

Publication number Publication date
AU7694200A (en) 2001-04-24
SE9903370D0 (sv) 1999-09-20
SE9903370L (sv) 2001-03-21
SE519471C2 (sv) 2003-03-04

Similar Documents

Publication Publication Date Title
US8295488B2 (en) Exchange of key material
US8254581B2 (en) Lightweight key distribution and management method for sensor networks
JP3816337B2 (ja) テレコミュニケーションネットワークの送信に対するセキュリティ方法
EP1025675B1 (fr) Securite de commutations de donnees
JP4112623B2 (ja) 電気通信網における無線トラフィック暗号化方法および装置
WO2017185999A1 (fr) Procédé, appareil et système de distribution et d'authentification de clés de chiffrement
US20020118674A1 (en) Key distribution mechanism for IP environment
EP1374533B1 (fr) Procede permettant de faciliter l'interception legale de connexions ip
US20090276629A1 (en) Method for deriving traffic encryption key
CN103155512A (zh) 用于对服务提供安全访问的系统和方法
KR20080089500A (ko) 모바일 네트워크를 기반으로 하는 엔드 투 엔드 통신에서의 인증을 위한 방법, 시스템 및 인증 센터
CA2703719A1 (fr) Procede et systeme pour l'etablissement de session securisee a l'aide de cryptage fonde sur l'identite (vdtls)
WO2011041962A1 (fr) Procédé et système de négociation de clé de session de bout en bout prenant en charge les interceptions légales
KR20180130203A (ko) 사물인터넷 디바이스 인증 장치 및 방법
CN110808834A (zh) 量子密钥分发方法和量子密钥分发系统
CN112602344A (zh) 漫游5g-nr通信的端到端安全性
CN108882233B (zh) 一种imsi的加密方法、核心网和用户终端
US20190281530A1 (en) X2 service transmission method and network device
WO2001022685A1 (fr) Procede et systeme d'etablissement de connexions protegees
US8359470B1 (en) Increased security during network entry of wireless communication devices
CN115567195A (zh) 安全通信方法、客户端、服务器、终端和网络侧设备
CN1996838A (zh) 一种多主机WiMAX系统中的AAA认证优化方法
CN113765900B (zh) 协议交互信息输出传输方法、适配器装置及存储介质
CN116321158A (zh) 基于证书的本地ue认证
CN115766172A (zh) 基于dpu和国密的报文转发方法、装置、设备及介质

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP