WO2006064410A1 - Method and device for securing handover between wwan and wlan - Google Patents
Method and device for securing handover between wwan and wlan Download PDFInfo
- Publication number
- WO2006064410A1 WO2006064410A1 PCT/IB2005/054091 IB2005054091W WO2006064410A1 WO 2006064410 A1 WO2006064410 A1 WO 2006064410A1 IB 2005054091 W IB2005054091 W IB 2005054091W WO 2006064410 A1 WO2006064410 A1 WO 2006064410A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- base information
- key
- information
- generating
- communication
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000004891 communication Methods 0.000 claims abstract description 118
- 230000005540 biological transmission Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 4
- 230000001413 cellular effect Effects 0.000 description 2
- 238000007796 conventional method Methods 0.000 description 2
- 238000010295 mobile communication Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/14—Reselecting a network or an air interface
- H04W36/144—Reselecting a network or an air interface over a different radio air interface technology
- H04W36/1446—Reselecting a network or an air interface over a different radio air interface technology wherein at least one of the networks is unlicensed
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the present invention relates generally to a communication network technique, and more particularly, to a method and device for securing handover between WWAN and WLAN.
- Wireless Local Area Network is a flexible data communication system, and generally deployed at so-called hotspots such as airports and hotels, to provide data transmission services. People can use wireless terminals, such as mobile phones or laptops, to access to the network resources in a WLAN in wireless access way, and access the resources on Internet connected to the WLAN.
- Wireless Wide Area Network is a communication system with broader coverage range, and deployed to provide voice and data services to people.
- GSM Global System for Mobile Communication
- GSM General Packet Radio
- WWAN provides voice service while WLAN provides data service.
- WLAN provides data service.
- IP-based VoIP is also becoming a new spotlight in WLAN.
- Fig. l is a schematic diagram showing the conventional application of WLAN and WWAN, wherein a WWAN service area and a WLAN service area may be overlaid or may not, as shown in Fig.l.
- a mobile user outside the WLAN service area performs voice communication through the WWAN service
- the mobile user enters into a WLAN service area due to the change of its location if both communicating users are in the WLAN service area, neither of the communication charges for the two users can be reduced if the WWAN service is still adopted at that time.
- WLAN service is then switched back to WWAN service, to guarantee the proceeding of the communication.
- a communication method and device for handover between WWAN and WLAN is disclosed in the patent application filed by KONINKLIJKE PHILIPS ELECTRONICS N. V. on Sept. 19, 2003, Application Serial No. 03124909.4.
- the method and device not only seamless roaming can be implemented between WWAN and WLAN, but also the communication charges of the users can be reduced effectively and the network resources for WWAN can be saved as well, and incorporated herein as reference.
- IETF has released security standard IPSec based on the network layer, which has been applied to firewall and VPN products, for example, so as to enhance network security, but it is a primary problem for network safeguards to have to face that how to make two UEs exchange a set of keys, which is used in subsequent communications securely and reliably before traffic data is transferred.
- An object of the present invention is to provide a method and device for securing handover between WWAN and WLAN, with which two communicating parties exchange a key mutually through a secure channel before communicating via WLAN to guarantee the security of the data transmission in WLAN.
- a method to be executed by a UE communicating with another communication device via a first communication network comprising the steps of: detecting whether to be able to communicate with the another communication device via a second communication network; if said second communication network is available, negotiating with the another communication device for base information that is used to generate a key via the first communication network; generating the key based on the negotiated base information according to a predetermined encryption algorithm; sending the information encrypted with the key to the another communication device via the second communication network.
- a method to be executed by a communication device communicating with another UE via a first communication network comprising the steps of: receiving the candidate base information for generating a key from the another UE; negotiating with the another UE for the base information that is used to generate a key according to the candidate base information; generating the key based on the negotiated base information according to a predetermined encryption algorithm; receiving the encrypted information from the another UE via the second communication network; decrypting the encrypted information with the key.
- an encryption method for use in communication in accordance with the present invention comprising the steps of: negotiating with the other party of the communication for the base information for generating a key via a communication channel; generating the key based on the negotiated base information according to a predetermined encryption algorithm; sending information encrypted with the key to the other party via another communication channel.
- a decryption method for use in communication comprising the steps of: receiving the candidate base information for generating a key from the other party via a communication channel; negotiating with the other party for the base information that is used to generate the key according to the candidate base information; generating the key based on the negotiated base information according to a predetermined encryption algorithm; receiving the encrypted information transferred via another communication channel from the other party; decrypting the encrypted information with the key.
- an encryption device for use in communication in accordance with the present invention, comprising: a negotiating unit, for negotiating with the other party of the communication for the base information that is used to generate a key, via a communication channel; a generating unit, for generating the key based on the negotiated base information according to a predetermined encryption algorithm; a sending unit, for sending the information encrypted with the key to the other party via another communication channel.
- a decryption device for use in communication in accordance with the present invention, comprising: a receiving unit, for receiving the candidate base information for generating a key from the other party via a communication channel; a negotiating unit, for negotiating with the other party for the base information that is used to generate the key according to the candidate base information; a generating unit, for generating the key based on the negotiated base information according to a predetermined encryption algorithm; a decrypting unit, for decrypting the encrypted information with the key when the receiving unit receives the encrypted information transferred from the other party via another communication channel.
- Fig.l illustrates a schematic diagram of a conventional integrated application between WWAN and WLAN
- Fig.2 illustrates a diagram of a UE with both WWAN interface and WLAN interface, according to an embodiment of the present invention
- Fig.3 illustrates a flowchart of the method for securing handover between WWAN and WLAN, according to an embodiment of the present invention
- Fig.4 illustrates a flowchart of the method for securing handover between WWAN and WLAN, according to another embodiment of the present invention
- Fig.5 illustrates a block diagram of the configurations of the encryption device and the decryption device, according to an embodiment of the present invention.
- the two communicating parties can exchange parts of base information that is used to generate a key in advance with the help of the relatively stable security performance of WWAN before communicating via WLAN, thus only the two communicating parties can generate the key according to the base information exchanged in advance when switching to WLAN, while the third party eavesdropping the communication via WLAN can't generate the key and thus can't pirate the information transferred via WLAN.
- Fig.2 illustrates a UE with two radio interfaces as WWAN and WLAN. It's assumed that two users Alice and Bob communicate via WWAN such as cellular network by using the UEs respectively as shown in Fig.2. If Alice and Bob enter a same WLAN coverage area during communication, apparently it's more advantageous for Alice and Bob to communicate via WLAN to save communication charges.
- step SlO Alice communicating via WWAN
- step SlO Alice negotiates with Bob via WWAN for the base information that is used to generate a key.
- Alice sends to Bob via WWAN interface a set of candidate base information, each of which includes a pair of prime numbers p and g to be used in executing Diffie-Hellman encryption algorithm (step S20).
- step S30 After receiving the set of candidate base information from Alice via WWAN interface, if Bob can use at least one pair of prime numbers p and g therein to execute Diffie-Hellman encryption algorithm, Bob will select a pair of suitable prime numbers p and g as a selection message of feedback and send it to Alice via a WWAN interface (step S30).
- Alice and Bob After determining the value of the pair of prime numbers p and g to be used in executing Diffie-Hellman encryption algorithm through negotiation, Alice and Bob switch from WWAN to WLAN respectively (step SlOO and S200) and carry out an authentication procedure via the WLAN interface.
- step S500 Alice calculates with the expression (T B ) A mod p, that is (g B mod p) A mod p, to get a shared key g AB mod p (step S500), and sends the shared key to Bob so as to make sure that the message is from the real user Alice rather than an unauthorized third party who gets the information illegally (step S60); and at UE Bob, Bob calculates with the expression (T A ) B mod p, that is (g A mod p) B mod p, to get a shared key g AB mod p (step S600), and sends the shared key to Alice so as to make sure that the message is from the real user Bob rather than an unauthorized third party who gets the information illegally(step S70).
- WLAN doesn't know the numerical base g used for exponential operation and the divisor p used for modular operation, thus it's possible to avoid the bucket brigade attack in conventional IPSec protocol when Alice and Bob switch to communicate via
- the two users can use the shared key to encrypt the information transferred in subsequent traffic communication; or any one of the both parties such as Alice can select a session key and use the shared key to encrypt the session key (step S700), and then send the encrypted session key to Bob (step S80) so that the two parties use the session key to encrypted the information to be transferred in subsequent communication (step S90).
- Alice and Bob exchange the values of the base information g and p used for generating their respective private key T A and T B in WWAN, and then generate the shared key and the session key with Diffie-Hellman encryption algorithm according to the values g and p predetermined in WLAN, to encrypt the traffic data in subsequent communication.
- the two communicating parties can switch to WLAN after the shared key and the session key are generated in WWAN, and this procedure is shown in Fig. 4.
- Alice and Bob not only negotiate with each other to determine the values of the base information g and p used for generating their respective private key T A and T B in WWAN, but also perform the above authentication procedure via WWAN to generate the shared key g AB mod p or the session key.
- Alice and Bob will encrypt the traffic data to be transferred directly with the shared key g AB mod p or the session key that has been generated in WWAN.
- Alice and Bob exchange parts of the information for generating the private key through the secure channel in WWAN so as to guarantee the communication security in WLAN.
- it substantially adopts an enhanced IPSec key exchange procedure.
- the key for IPSec is negotiated via a secure communication channel and then the information encrypted with the key is transferred via another communication channel.
- the key exchange method proposed in the present invention optimizes and simplifies the IPSec key generation procedure and guarantees the security of data transmission between two communication parties as well, compared with the conventional method for key negotiation and encrypted information transmission adopting the same communication channel and the conventional method for distributing keys to the two communication parties by using key distribution center.
- Diffie-Hellman algorithm is taken as an example to describe the key exchange procedure through WWAN channel.
- other algorithms can be used in the key exchange procedure, such as public key algorithm like RSA, to exchange parts of the base information for generating the public key via WWAN channel.
- the third party can't get the private key for decryption through decrypting the public key, and thus the data transmission security can be guaranteed.
- the method and device for securing handover between WLAN and WWAN as provided in the present invention can be used for handover between other different communication networks, such as between a wire communication network and a wireless communication network or between two wire communication networks, to guarantee the security of communication data during handover from a communication network to another communication network.
- FIG.5 illustrates the configurations of the encryption device in Alice and the decryption device in Bob in accordance with an embodiment of the present invention, wherein the components same as those in conventional encryption device and decryption device are not shown.
- sending unit 30 in encryption device 100 of Alice sends the candidate base information for generating a key to Bob, via a communication channel such as the above WWAN link; and negotiating unit 10 negotiates with the other party (namely, Bob) of the communication for the base information that is used to generate a key via the communication channel (that is WWAN link).
- Receiving unit 210 in decryption device 200 of Bob receives the candidate base information from Alice via the communication channel; and negotiating unit 220 negotiates with Alice for the base information that is used to generate the key according to the candidate base information.
- Generating unit 20 in Alice generates the key based on the negotiated base information, according to a predetermined encryption algorithm.
- the predetermined encryption algorithm can use Diffie-Hellman algorithm or RSA algorithm.
- the base information at least includes the numerical base for performing exponential operation and the divisor for performing modular operation.
- the base information at least includes the parameters for generating the public key.
- generating unit 230 in Bob generates the corresponding decryption key based on the negotiated base information according to the predetermined encryption algorithm.
- sending unit 30 in Alice sends the information encrypted with the key to Bob via the above WLAN link.
- Receiving unit 210 in Bob provides the received encrypted information to decrypting unit 240.
- the decrypting unit 240 decrypts the encrypted information with the decryption key generated by the generating unit 230.
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200410102012 | 2004-12-17 | ||
CN200410102012.1 | 2004-12-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006064410A1 true WO2006064410A1 (en) | 2006-06-22 |
Family
ID=35892441
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2005/054091 WO2006064410A1 (en) | 2004-12-17 | 2005-12-07 | Method and device for securing handover between wwan and wlan |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2006064410A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0535863A2 (en) * | 1991-10-02 | 1993-04-07 | AT&T Corp. | A cryptographic protocol for secure communications |
EP1274194A1 (en) * | 2001-07-05 | 2003-01-08 | Kabushiki Kaisha Toshiba | Method and apparatus for wireless data communication, using an encryption unit |
EP1328086A1 (en) * | 2000-10-16 | 2003-07-16 | Link Evolution Co., Ltd. | Communication apparatus, communication system and communication method |
-
2005
- 2005-12-07 WO PCT/IB2005/054091 patent/WO2006064410A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0535863A2 (en) * | 1991-10-02 | 1993-04-07 | AT&T Corp. | A cryptographic protocol for secure communications |
EP1328086A1 (en) * | 2000-10-16 | 2003-07-16 | Link Evolution Co., Ltd. | Communication apparatus, communication system and communication method |
EP1274194A1 (en) * | 2001-07-05 | 2003-01-08 | Kabushiki Kaisha Toshiba | Method and apparatus for wireless data communication, using an encryption unit |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5597676B2 (en) | Key material exchange | |
JP4286224B2 (en) | Method for secure and confidential communication used in a wireless local area network (WLAN) | |
CN104661216B (en) | The method and WTRU of NAS message are transmitted in WTRU | |
EP1841260B1 (en) | Authentication system comprising a wireless terminal and an authentication device | |
US9231759B2 (en) | Internet key exchange protocol using security associations | |
US7236477B2 (en) | Method for performing authenticated handover in a wireless local area network | |
JP4688808B2 (en) | Enhanced security configuration for encryption in mobile communication systems | |
TWI343733B (en) | Method and apparatus for simultaneous communication utilizing multiple wireless communication systems | |
EP1374533B1 (en) | Facilitating legal interception of ip connections | |
WO2005027559A1 (en) | Fast authentication method and apparatus for inter-domain handover | |
JP2002232418A (en) | System and method for converting key | |
WO2007136440A2 (en) | Apparatus and method for establishing a vpn tunnel between a wireless device and a lan | |
CN1602611A (en) | Lawful interception of end-to-end encrypted data traffic | |
MX2007012852A (en) | Session key management for public wireless lan supporting multiple virtual operators . | |
JP2003524353A (en) | Integrity check in communication systems | |
WO2008006312A1 (en) | A realizing method for push service of gaa and a device | |
US20050025315A1 (en) | Method and apparatus for secure communications among portable communication devices | |
JP2007538470A (en) | Method for managing access to a virtual private network of a portable device without a VPN client | |
WO2012024905A1 (en) | Method, terminal and ggsn for encrypting and decrypting data in mobile communication network | |
JP2005236490A (en) | Mobile communication terminal and network connection apparatus in mobile communication network system, and update method of shared private key, and update program of shared private key | |
Kim et al. | MoTH: mobile terminal handover security protocol for HUB switching based on 5G and beyond (5GB) P2MP backhaul environment | |
CN112672345A (en) | Communication authentication method and related equipment | |
WO2006102565A2 (en) | Optimized derivation of handover keys in mobile ipv6 | |
Lin et al. | Authentication in wireless communications | |
CA3190801A1 (en) | Key management method and communication apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 05822948 Country of ref document: EP Kind code of ref document: A1 |