WO2009030155A1 - Method, system and apparatus for negotiating the security ability when a terminal is moving - Google Patents
- Publication number
- WO2009030155A1 (PCT application PCT/CN2008/072165)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- nas
- mme
- authentication vector
- vector related
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0492—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/24—Negotiation of communication capabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
Definitions
- the present invention relates to a wireless communication technology, and in particular, to a method, system, and mobility management entity and user equipment for negotiating security capabilities when a terminal moves.
- the wireless network includes a wireless access network and a core network.
- the core network of the evolved wireless network includes a Mobility Management Entity (MME), which plays the role that the Serving GPRS Support Node (SGSN) plays in 2G/3G networks: it mainly handles mobility management, user authentication, and so on.
- MME Mobility Management Entity
- SGSN Serving GPRS (General Packet Radio Service) Support Node
- NAS Non-Access Stratum (signalling between the UE and the core network)
- Security capabilities include the NAS confidentiality protection algorithm with its corresponding NAS confidentiality protection key Knas-enc, and the NAS integrity protection algorithm with its corresponding NAS integrity protection key Knas-int; they are used by the UE and the system when transmitting signalling, to ensure that UE signalling is received correctly and that the communication system is secure.
- GERAN GSM EDGE Radio Access Network (2G radio access)
- UTRAN UMTS Terrestrial Radio Access Network (3G radio access)
- when the UE moves between networks, the security capability negotiation process needs to be re-executed to ensure the security of the subsequent interaction between the UE and the network.
- for the LTE network, the security capability negotiation covers the NAS confidentiality protection algorithm and the NAS integrity protection algorithm, the radio resource control (RRC, Radio Resource Control) confidentiality protection algorithm and RRC integrity protection algorithm, and the user plane (UP, User Plane) confidentiality protection algorithm.
- RRC Radio Resource Control
- UP User Plane
- for the TAU procedure initiated by a UE in the idle state, the negotiation of the NAS confidentiality protection algorithm and the NAS integrity protection algorithm, and of the corresponding NAS protection keys, still needs to be solved.
- the embodiments of the present invention provide a method for negotiating security capability when a terminal moves, so that a UE in an idle state can perform security capability negotiation when moving from a 2G/3G network to an LTE network.
- the embodiment of the present invention further provides a system for negotiating a security capability of a terminal, so that when an idle UE moves from a 2G/3G network to an LTE network, security capability negotiation can be performed.
- the embodiment of the present invention further provides an MME device, which enables security capability negotiation when a UE in an idle state moves from a 2G/3G network to an LTE network.
- the embodiment of the present invention further provides a UE apparatus, so that a UE in an idle state can perform security capability negotiation when moving from a 2G/3G network to an LTE network.
- a method for negotiating security capabilities when a terminal moves includes:
- the mobility management entity MME receives the tracking area update request message sent by the user equipment UE, and acquires the non-access stratum NAS security algorithm supported by the UE and the authentication vector related key, or a root key derived from the authentication vector related key;
- the MME selects a NAS security algorithm according to the NAS security algorithm supported by the UE; derives a NAS protection key according to the authentication vector related key or the root key; and sends a message carrying the selected NAS security algorithm to the UE;
- the UE derives the NAS protection key according to its own authentication vector related key.
- a system for negotiating security capability when a terminal moves including a user equipment UE and a mobility management entity MME,
- the UE is configured to send a tracking area update request message to the MME, receive a message that is sent by the MME and carry the selected non-access signaling NAS security algorithm, and derive a NAS protection key according to the authentication vector related key;
- the MME is configured to receive the tracking area update request message sent by the UE, obtain the authentication vector related key (or a root key derived from it) and the NAS security algorithm supported by the UE, select a NAS security algorithm according to the NAS security algorithm supported by the UE, generate and send a message carrying the selected NAS security algorithm to the UE, and derive the NAS protection key according to the obtained authentication vector related key or root key.
- a mobility management entity MME including an acquiring module, a selecting module and a key derivation module, where the acquiring module is configured to receive the tracking area update request message sent by the user equipment UE, and to obtain the authentication vector related key (or a root key derived from it) and the non-access stratum NAS security algorithm supported by the UE;
- the selecting module is configured to select a NAS security algorithm according to the NAS security algorithm supported by the UE that was acquired by the acquiring module, generate a message carrying the selected NAS security algorithm, and send the message to the UE;
- the key derivation module is configured to derive the NAS protection key according to the authentication vector related key (or the root key derived from it) acquired by the acquiring module and the NAS security algorithm selected by the selecting module.
- a user equipment including an update module, a key derivation module, a storage module and a checking module, where the update module is configured to send a tracking area update request message to the mobility management entity MME, carrying the security capability information supported by the UE that is saved by the storage module, and to receive the message sent by the MME that carries the selected non-access stratum NAS security algorithm;
- the key derivation module is configured to derive the NAS protection key according to the authentication vector related key and the NAS security algorithm received by the update module;
- the storage module is configured to save the security capability information supported by the UE;
- the checking module is configured to compare the security capability information of the UE received from the MME with the security capability information saved by the storage module, and to determine that a degraded attack exists when the two are inconsistent.
- the MME receives the tracking area update request message sent by the UE, obtains an authentication vector related key or a root key derived according to the authentication vector related key, and a NAS security algorithm supported by the UE. Then, according to the NAS security algorithm supported by the UE, the NAS security algorithm is selected; and a message carrying the selected NAS security algorithm is generated and sent to the UE, so as to achieve the purpose of sharing the NAS security algorithm between the UE and the MME.
- the MME derives the NAS protection key according to the authentication vector related key, or according to the root key derived from the authentication vector related key;
- the UE derives the NAS protection key according to its own authentication vector related key, so that the UE and the MME share the NAS protection key.
- in this way, when the UE moves from the 2G/3G network to the LTE network, the NAS security algorithm and the NAS protection key can be negotiated with the MME, which implements security capability negotiation within the TAU procedure between heterogeneous networks and ensures the security of the subsequent interaction between the UE and the network.
- the embodiment of the present invention can also be applied to the security capability negotiation process when the UE moves inside the LTE network.
- FIG. 1 is a flowchart of a method for negotiating security capability when a terminal moves according to an embodiment of the present invention
- FIG. 2 is a flowchart of a method for negotiating security capability of a terminal when moving according to a second embodiment of the present invention
- FIG. 3 is a flowchart of a method for negotiating security capability when a terminal moves according to another embodiment of the present invention
- FIG. 4 is a system structural diagram of security capability negotiation when a terminal moves in an embodiment of the present invention.
- in the method, the MME receives the tracking area update request message sent by the UE, acquires the NAS security algorithm supported by the UE and the authentication vector related key (or a root key derived from the authentication vector related key), and then selects a NAS security algorithm according to the NAS security algorithm supported by the UE; the MME derives the NAS protection key according to the authentication vector related key or the root key derived from it, and sends a message carrying the selected NAS security algorithm to the UE; the UE derives the NAS protection key according to its own authentication vector related key.
- a UE in the idle state that accessed the network through UTRAN/GERAN initiates a TAU procedure when it moves into a tracking area of the LTE network.
- FIG. 1 is a flowchart of a method for negotiating security capability when a terminal moves according to an embodiment of the present invention. As shown in Figure 1, the method includes the following steps:
- Step 100 The UE sends a TAU request to the MME.
- the UE sends a tracking area update request to the new MME through an evolved Node B (eNB) of the evolved radio access network.
- eNB evolved Node B
- in the following description, communication between the UE and the MME via the eNB is simplified to communication between the UE and the MME.
- the TAU request sent by the UE to the MME may carry some parameters that are known to those skilled in the art, such as Temporary Mobile Subscriber Identity (TMSI), and may also carry the security capability information supported by the UE.
- TMSI Temporary Mobile Subscriber Identity
- NAS security algorithm NAS integrity protection algorithm and / or NAS confidentiality protection algorithm
- RRC security algorithm RRC integrity protection algorithm and / or RRC confidentiality protection algorithm
- UP security algorithm UP confidentiality protection algorithm
- Step 101 to Step 102 The MME acquires the NAS security algorithm supported by the UE and sends a mobility management context request (context request) message to the SGSN; after receiving it, the SGSN sends a mobility management context response (context response) message carrying the authentication vector related key to the MME.
- alternatively, the SGSN queries the NAS security algorithm supported by the UE after receiving the mobility management context request message, and carries the queried NAS security algorithm supported by the UE in the mobility management context response message sent to the MME.
- the NAS security algorithm is a NAS integrity protection algorithm and/or a NAS confidentiality protection algorithm.
- when the UE moves from a 2G network, the SGSN in this process is the SGSN of the 2G network, and the authentication vector related key includes at least the encryption key Kc, or the value Kc' obtained by a one-way transformation of Kc.
- when the UE moves from a 3G network, the SGSN is the SGSN of the 3G network, and the authentication vector related key includes at least the integrity key IK and the encryption key CK, or the values IK' and CK' obtained by a one-way transformation of IK and CK.
- a one-way transformation transforms the original parameter into a target parameter by an algorithm such that the original parameter cannot be derived from the target parameter.
- for example, if Kc' is obtained as Kc' = f(Kc) but Kc cannot be recovered from Kc' by any inverse algorithm, then f is a one-way transformation.
- Step 103 The MME selects a new NAS security algorithm according to the NAS security algorithm supported by the UE, the NAS security algorithm supported by the MME and the NAS security algorithm allowed by the system; derives the root key Kasme according to the authentication vector related key; and then derives the NAS protection key from Kasme, including the NAS integrity protection key Knas-int and/or the NAS confidentiality protection key Knas-enc.
- Step 104 The MME generates a Tracking Area Update Accept (TAU accept) message carrying the selected NAS security algorithm.
- TAU accept Tracking Area Update Accept
- the MME may also perform NAS integrity protection on the TAU accept message: for example, it derives the NAS integrity-protected message authentication code (NAS-MAC) value from the NAS integrity protection key Knas-int derived in step 103, the content of the TAU accept message and the NAS integrity protection algorithm among the selected NAS security algorithms, and attaches the value to the TAU accept message sent to the UE.
- NAS-MAC NAS integrity-protected message authentication code
- the TAU accept message in this step may also carry the security capability information supported by the UE.
- Step 105 The UE receives the TAU accept message carrying the NAS security algorithm selected by the MME and thereby obtains the negotiated NAS security algorithm; then, according to its current authentication vector related key (IK and CK, or IK' and CK' derived from them, when the source network is 3G; Kc, or Kc' derived from Kc, when the source network is 2G), it derives the root key Kasme, and then derives the NAS protection key from the root key, including the NAS integrity protection key Knas-int and/or the NAS confidentiality protection key Knas-enc.
- the step may further include the UE checking whether the integrity protection of the TAU accept message is correct; if it is not, the UE determines that the security capability negotiation has failed and may re-initiate the security capability negotiation process. For example, the UE computes the NAS-MAC from the derived NAS integrity protection key Knas-int, the content of the TAU accept message and the NAS integrity protection algorithm carried in the TAU accept message, and compares it with the NAS-MAC carried in the message: if they are the same, the message was not changed in transit; otherwise the message is considered to have been changed in transit, and the security capability negotiation is determined to have failed.
- the step further includes the UE comparing the security capability information of the UE carried in the TAU accept message with the security capability information it actually supports. If they are consistent, there is no degraded attack; if they are inconsistent, a degraded attack is determined to exist, the security capability negotiation fails, and the security capability negotiation process may be re-initiated, so that the degraded attack is prevented.
- a degraded attack (a bidding-down attack) is the following: suppose the UE supports two security algorithms, the high-strength algorithm A1 and the low-strength algorithm A2, and the MME also supports both. Then A1 should be negotiated between the UE and the MME. However, if an attacker on the path from the UE to the MME modifies the security capability information sent by the UE, for example so that only the low-strength algorithm A2 remains, the MME can only select A2 and send it to the UE.
- as a result, the low-strength algorithm A2 is negotiated between the UE and the MME instead of the high-strength algorithm A1, which the attacker is more likely to break; this is the so-called degraded attack.
- by having the MME send the security capability information of the UE, as the MME received it, back to the UE, the UE can check whether it is consistent with the security capability information it actually supports, thereby detecting and preventing the degraded attack.
- the time at which the MME derives the NAS protection key from the authentication vector related key in step 103 is not restricted relative to steps 104 and 105: it may be performed before step 104, in parallel with steps 104 and 105, or after step 105.
- alternatively, the MME and the UE may derive the NAS protection key directly from the authentication vector related key, without first deriving the root key and then deriving the NAS protection key from the root key.
- the method by which the UE derives the NAS protection key from the authentication vector related key is the same as the method by which the network side derives it.
- the UE can share the NAS security algorithm and the NAS protection key with the MME, thereby implementing negotiation of the NAS security capability.
- FIG. 2 is a flowchart of a method for negotiating security capability of a terminal when moving according to Embodiment 2 of the present invention. As shown in Figure 2, the method includes the following steps:
- Step 200 is the same as step 100, and details are not described herein again.
- Step 201 to step 203 The MME obtains the NAS security algorithm supported by the UE and sends a mobility management context request message to the SGSN; after receiving it, the SGSN derives the root key according to the authentication vector related key and sends a mobility management context response message carrying the root key to the MME.
- alternatively, the SGSN queries the NAS security algorithm supported by the UE after receiving the mobility management context request message, and carries the queried NAS security algorithm supported by the UE in the mobility management context response message sent to the MME.
- the NAS security algorithm is a NAS integrity protection algorithm and/or a NAS confidentiality protection algorithm.
- when the UE moves from a 2G network to a tracking area of the LTE network, the SGSN in this process is the SGSN of the 2G network, and the root key is Kasme as derived by the SGSN from Kc, or from the Kc' obtained by a one-way transformation of Kc.
- when the UE moves from a 3G network to a tracking area of the LTE network, the SGSN in this process is the SGSN of the 3G network, and the root key is Kasme as derived by the SGSN from IK and CK, or from the IK' and CK' obtained by a one-way transformation of IK and CK.
- Step 204 The MME selects a new NAS security algorithm according to the NAS security algorithm supported by the UE, the NAS security algorithm supported by the MME and the NAS security algorithm allowed by the system, and derives the NAS protection key according to the root key, including the NAS integrity protection key Knas-int and/or the NAS confidentiality protection key Knas-enc.
- Step 205 The MME generates a TAU accept message carrying the selected NAS security algorithm.
- the MME may also perform NAS integrity protection on the TAU accept message.
- the TAU accept message in this step may also carry the security capability information supported by the UE.
- Step 206 The UE receives the TAU accept message carrying the NAS security algorithm selected by the MME and thereby obtains the negotiated NAS security algorithm; then, according to its current authentication vector related key (IK and CK, or IK' and CK' derived from them, when the source network is 3G; Kc, or Kc' derived from Kc, when the source network is 2G), it derives the root key Kasme, and then derives the NAS protection key from the root key, including the NAS integrity protection key Knas-int and/or the NAS confidentiality protection key Knas-enc.
- the step may further include the UE checking whether the integrity protection of the TAU accept message is correct; if it is not, the UE determines that the security capability negotiation has failed and may re-initiate the security capability negotiation process.
- step 206 may further include the UE comparing the security capability information of the UE carried in the TAU accept message with the security capability information it actually supports: if they are consistent, there is no degraded attack; if they are inconsistent, a degraded attack is determined to exist, the security capability negotiation fails, and the security capability negotiation process may be re-initiated, so that the degraded attack is prevented.
- the time at which the MME derives the NAS protection key from the root key in step 204 is not restricted relative to steps 205 and 206: it may be performed before step 205, in parallel with steps 205 and 206, or after step 206.
- in this way the UE shares the NAS security algorithm and the NAS protection key with the MME, thereby implementing negotiation of the NAS security capability.
- FIG. 3 is a flowchart of a method for negotiating security capability when a terminal moves, according to an embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
- Step 300 is the same as step 100 and will not be described in detail herein.
- Step 301 to step 302 The MME acquires a NAS security algorithm supported by the UE from the SGSN by using a mobility management context request and response message.
- the SGSN queries the NAS security algorithm supported by the UE after receiving the mobility management context request message, and carries the queried NAS security algorithm supported by the UE in the mobility management context response message sent to the MME.
- the NAS security algorithm is a NAS integrity protection algorithm and/or a NAS confidentiality protection algorithm.
- Step 303 The MME obtains, through an authentication and key agreement (AKA) process with the HSS, a root key Kasme derived from the authentication vector related key.
- Step 304 The MME selects a new NAS security algorithm according to the NAS security algorithm supported by the UE, the NAS security algorithm supported by the MME itself, and the NAS security algorithm allowed by the system, and derives the other NAS protection keys from Kasme, including the NAS integrity protection key Knas-int and the NAS confidentiality protection key Knas-enc.
- Step 305 The MME generates a NAS Security Mode Command (SMC) request message carrying the selected NAS security algorithm, and sends the message to the UE.
- the SMC request message may be included in the TAU accept message.
- the MME may perform NAS integrity protection on the SMC request message. For example, using the NAS integrity protection key Knas-int derived in step 304, the information in the SMC request message and the NAS integrity protection algorithm among the selected NAS security algorithms, the MME derives the message integrity code (NAS-MAC) of the NAS integrity protection, attaches the value to the SMC request message and sends it to the UE.
- the SMC request message in this step may also carry the security capability information supported by the UE.
- Step 306 The UE receives the SMC request message carrying the NAS security algorithm selected by the MME and so obtains the NAS security algorithm selected by the MME. Then, the UE derives the root key from the current authentication vector related key obtained in the AKA process, and from the root key derives the NAS protection key, including the NAS integrity protection key Knas-int and the NAS confidentiality protection key Knas-enc.
- the step may further include the UE checking whether the integrity protection of the TAU accept message is correct. If it is found to be incorrect, it is determined that the security capability negotiation fails, and the security capability negotiation process may be restarted.
- the UE derives the NAS-MAC according to the derived NAS confidentiality protection key Knas-enc, the information in the TAU accept message and the NAS integrity protection algorithm carried in the TAU accept message, and then compares the derived NAS-MAC with the NAS-MAC carried in the TAU accept message. If they are the same, the message has not been changed during transmission; otherwise the message is considered to have been changed during transmission, and it is determined that the security capability negotiation fails.
- when the SMC request message in step 305 further carries the security capability information supported by the UE, this step may further include the UE comparing the security capability information carried in the SMC request message with the security capability information it itself supports. If they are the same, it is determined that there is no degraded attack; if they are not the same, it is determined that there is a degraded attack, the security capability negotiation fails, and the security capability negotiation process may be re-initiated, so as to achieve the goal of preventing the degradation attack.
- Step 307 The UE sends an SMC completion response message to the MME.
- the SMC completion response message may be included in the TAU completion (complete) message.
- Step 308 The MME replies to the TAU accept message.
- when the SMC request message is included in the TAU accept message in step 305, this step and step 305 are merged.
- Step 309 The UE replies to the TAU complete message.
- when the SMC completion response message is included in the TAU complete message in step 307, this step and step 307 are merged.
- FIG. 4 is a structural diagram of a system for negotiating security capabilities when a terminal moves according to an embodiment of the present invention. As shown in FIG. 4, the system includes a UE and an MME.
- the UE is configured to send a tracking area update request message to the MME, receive a message that is sent by the MME and carry the selected NAS security algorithm, and derive the NAS protection key according to the authentication vector related key.
- the MME is configured to receive the tracking area update request message sent by the UE; obtain the authentication vector related key, or a root key derived from the authentication vector related key, and the NAS security algorithm supported by the UE; select a NAS security algorithm according to the NAS security algorithm supported by the UE; generate and send to the UE a message carrying the selected NAS security algorithm; and derive the NAS protection key according to the obtained authentication vector related key or the root key derived from it.
- the MME further obtains the security capability information supported by the UE, and further carries the security capability information supported by the UE in the message that is sent to the UE and carries the selected NAS security algorithm.
- the UE further checks whether the security capability information supported by the UE, as returned by the MME, is consistent with the security capability information it itself supports, and so determines whether there is a degraded attack.
- the MME includes an obtaining module, a selecting module, and a key deriving module.
- the acquiring module is configured to receive a tracking area update request message sent by the UE, obtain an authentication vector related key or a root key derived according to the authentication vector related key, and a NAS security algorithm supported by the UE.
- the selection module is configured to select a NAS security algorithm according to the NAS security algorithm supported by the UE that was obtained by the obtaining module, generate a message carrying the selected NAS security algorithm and send it to the UE.
- the key derivation module is configured to derive the NAS protection key according to the authentication vector related key obtained by the obtaining module or the root key derived according to the authentication vector related key, and the selected NAS security algorithm.
- the acquiring module further obtains the security capability information supported by the UE, and the selection module further carries the security capability information supported by the UE obtained by the acquiring module in the message carrying the selected NAS security algorithm.
- the UE includes an update module, a key derivation module, a storage module, and an inspection module.
- the update module is configured to send a tracking area update request message to the mobility management entity MME, carrying the security capability information supported by the UE that is saved by the storage module, and to receive the message sent by the MME that carries the selected NAS security algorithm; the key derivation module is configured to derive the NAS protection key according to the authentication vector related key and the selected NAS security algorithm received by the update module; the storage module is configured to save the security capability information supported by the UE; and the checking module is configured to determine that there is a degraded attack when the security capability information supported by the UE, as received from the MME, is inconsistent with the security capability information saved by the storage module.
- the update module further receives the security capability information supported by the UE that is carried in the message sent by the MME carrying the selected non-access stratum (NAS) security algorithm.
- the MME receives the tracking area update request message sent by the UE, and acquires the NAS security algorithm supported by the UE together with the authentication vector related key, or a root key derived from the authentication vector related key; it then selects a NAS security algorithm according to the NAS security algorithm supported by the UE, and generates and sends to the UE a message carrying the selected NAS security algorithm, so that the UE and the MME share the NAS security algorithm. The UE and the MME then each derive the NAS protection key from the authentication vector related key or from the root key derived from it, so that the NAS protection key is shared as well.
- in this way the UE can negotiate the NAS security algorithm and the NAS protection key with the MME, so as to implement the security capability negotiation within the TAU process between heterogeneous networks and ensure the security of the subsequent interaction between the UE and the network.
- the embodiment of the present invention can further prevent the degradation attack: in the TAU accept message the MME also returns the security capability information supported by the UE, so that the UE can check whether it is consistent with the security capability information it currently supports. If it is consistent, the security capability negotiation succeeds and the negotiated NAS security algorithm and NAS protection key can be used; otherwise it is determined that a degraded attack has occurred, this security capability negotiation fails, and security capability negotiation may need to be re-initiated.
- the foregoing solution can therefore detect whether the security capability information supported by the UE was tampered with before the MME obtained it, thereby preventing the degradation attack and ensuring the security of the subsequent interaction between the UE and the network.
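As an added example, not code from the patent or its applicant, the following Python model walks through the FIG. 3 negotiation (steps 303 to 306) and the degradation check described above: derivation of Kasme and the NAS keys from the source-network keys, the MME's algorithm selection and NAS-MAC, and the UE's integrity and capability-echo checks. HMAC-SHA256 stands in for the real key derivation and integrity algorithms, and the algorithm identifiers, derivation labels, sample keys and capability lists are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed algorithm identifiers (not 3GPP-assigned values); a higher rank is stronger.
INT_RANK = {"NULL-INT": 0, "INT-A": 1, "INT-B": 2}
ENC_RANK = {"NULL-ENC": 0, "ENC-A": 1, "ENC-B": 2}

def kdf(key: bytes, label: str) -> bytes:
    """Stand-in key derivation (HMAC-SHA256); the labels are assumptions, not 3GPP ones."""
    return hmac.new(key, label.encode(), hashlib.sha256).digest()

def derive_kasme(src_rat: str, ik: bytes = b"", ck: bytes = b"", kc: bytes = b"") -> bytes:
    """Root key Kasme from the authentication vector related key of the source network."""
    if src_rat == "3G":
        return kdf(ik + ck, "Kasme")          # IK and CK of a 3G source network
    if src_rat == "2G":
        return kdf(kdf(kc, "Kc'"), "Kasme")  # Kc of a 2G source network, via Kc'
    raise ValueError("unknown source network")

def derive_nas_keys(kasme: bytes) -> tuple:
    """NAS protection keys derived from the root key: (Knas-int, Knas-enc)."""
    return kdf(kasme, "Knas-int"), kdf(kasme, "Knas-enc")

def nas_mac(knas_int: bytes, int_alg: str, body: dict) -> bytes:
    """NAS-MAC over the SMC body, with the selected integrity algorithm bound in."""
    payload = int_alg.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(knas_int, payload, hashlib.sha256).digest()[:4]

@dataclass
class UE:
    src_rat: str
    ik: bytes
    ck: bytes
    kc: bytes
    int_algs: list
    enc_algs: list

    def tau_request(self) -> dict:
        """Step 300: TAU request carrying the UE security capability (not yet protected)."""
        return {"int_algs": list(self.int_algs), "enc_algs": list(self.enc_algs)}

    def handle_smc(self, smc: dict) -> dict:
        """Step 306: derive the keys, verify the NAS-MAC, then compare the echoed capability."""
        kasme = derive_kasme(self.src_rat, self.ik, self.ck, self.kc)
        knas_int, knas_enc = derive_nas_keys(kasme)
        body = {k: v for k, v in smc.items() if k != "nas_mac"}
        expected = nas_mac(knas_int, smc["int_alg"], body)
        if not hmac.compare_digest(expected, smc["nas_mac"]):
            return {"ok": False, "reason": "integrity check failed"}
        if smc["ue_caps"] != self.tau_request():
            return {"ok": False, "reason": "degraded attack detected"}
        return {"ok": True, "int_alg": smc["int_alg"], "enc_alg": smc["enc_alg"],
                "knas_int": knas_int, "knas_enc": knas_enc}

@dataclass
class MME:
    int_algs: list            # algorithms the MME itself supports
    enc_algs: list
    policy_min_rank: int = 0  # weakest rank the system allows to be selected

    def handle_tau(self, request: dict, kasme: bytes) -> dict:
        """Steps 304-305: select algorithms, derive Knas-int, build the integrity-protected SMC."""
        def pick(ue_algs, mme_algs, rank):
            common = [a for a in ue_algs if a in mme_algs and rank[a] >= self.policy_min_rank]
            return max(common, key=rank.__getitem__) if common else None

        int_alg = pick(request["int_algs"], self.int_algs, INT_RANK)
        enc_alg = pick(request["enc_algs"], self.enc_algs, ENC_RANK)
        if int_alg is None or enc_alg is None:
            return {"error": "no common algorithm"}
        knas_int, _ = derive_nas_keys(kasme)
        # The SMC echoes the UE capability exactly as the MME received it.
        body = {"int_alg": int_alg, "enc_alg": enc_alg, "ue_caps": request}
        return dict(body, nas_mac=nas_mac(knas_int, int_alg, body))

def run_tau(ue: UE, mme: MME, in_path_change=None) -> dict:
    """One TAU exchange; in_path_change models modification of the unprotected request
    before the MME sees it (constructed here only to exercise the detection)."""
    request = ue.tau_request()
    if in_path_change is not None:
        request = in_path_change(request)
    # Step 303: the MME obtains Kasme from the HSS via AKA; modelled by deriving it
    # from the same authentication vector related key the UE holds.
    kasme = derive_kasme(ue.src_rat, ue.ik, ue.ck, ue.kc)
    smc = mme.handle_tau(request, kasme)
    if "error" in smc:
        return {"ok": False, "reason": smc["error"]}
    return ue.handle_smc(smc)

if __name__ == "__main__":
    ue = UE("3G", b"\x01" * 16, b"\x02" * 16, b"", ["NULL-INT", "INT-A", "INT-B"], ["NULL-ENC", "ENC-A"])
    mme = MME(["NULL-INT", "INT-A", "INT-B"], ["NULL-ENC", "ENC-A", "ENC-B"])
    print(run_tau(ue, mme))
    # Constructed bidding-down attempt: the request capability is stripped to the null algorithms.
    print(run_tau(ue, mme, lambda req: {"int_algs": ["NULL-INT"], "enc_algs": ["NULL-ENC"]}))
```

A system policy that refuses the null algorithms outright (policy_min_rank above 0) makes the MME reject the stripped request before any SMC is sent, while the capability echo catches the case where the policy still allows the weak choice.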
Priority Applications (11)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PL08784154T PL2139175T6 (pl) | 2007-08-31 | 2008-08-27 | Sposób, system i urządzenie do negocjacji zdolności bezpieczeństwa podczas przemieszczania się terminala |
JP2010513633A JP4976548B2 (ja) | 2007-08-31 | 2008-08-27 | 端末が移動するときにセキュリティ機能を折衝するための方法、システム、および装置 |
ES08784154.0T ES2401039T7 (es) | 2007-08-31 | 2008-08-27 | Método, sistema y dispositivo para negociar la capacidad de la seguridad cuando se desplaza un terminal |
EP08784154.0A EP2139175B3 (en) | 2007-08-31 | 2008-08-27 | Method, system and apparatus for negotiating the security ability when a terminal is moving |
US12/633,948 US8656169B2 (en) | 2007-08-31 | 2009-12-09 | Method, system and device for negotiating security capability when terminal moves |
US14/147,179 US8812848B2 (en) | 2007-08-31 | 2014-01-03 | Method, system and device for negotiating security capability when terminal moves |
US14/303,146 US9241261B2 (en) | 2007-08-31 | 2014-06-12 | Method, system and device for negotiating security capability when terminal moves |
US14/873,504 US9538373B2 (en) | 2007-08-31 | 2015-10-02 | Method and device for negotiating security capability when terminal moves |
US14/957,338 US9497625B2 (en) | 2007-08-31 | 2015-12-02 | Method for negotiating security capability when terminal moves |
US15/372,093 US10015669B2 (en) | 2007-08-31 | 2016-12-07 | Communication method and device |
US16/023,324 US10595198B2 (en) | 2007-08-31 | 2018-06-29 | Communication method and device |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710145703 | 2007-08-31 | ||
CN200710145703.3 | 2007-08-31 | ||
CN2007101517000A CN101378591B (zh) | 2007-08-31 | 2007-09-26 | 终端移动时安全能力协商的方法、系统及装置 |
CN200710151700.0 | 2007-09-26 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/633,948 Continuation US8656169B2 (en) | 2007-08-31 | 2009-12-09 | Method, system and device for negotiating security capability when terminal moves |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009030155A1 true WO2009030155A1 (en) | 2009-03-12 |
Family
ID=40421872
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2008/072165 WO2009030155A1 (en) | 2007-08-31 | 2008-08-27 | Method, system and apparatus for negotiating the security ability when a terminal is moving |
Country Status (8)
Country | Link |
---|---|
US (7) | US8656169B2 (zh) |
EP (2) | EP2549701B1 (zh) |
JP (1) | JP4976548B2 (zh) |
CN (1) | CN101378591B (zh) |
ES (1) | ES2401039T7 (zh) |
PL (1) | PL2139175T6 (zh) |
RU (1) | RU2435319C2 (zh) |
WO (1) | WO2009030155A1 (zh) |
- 2007
  - 2007-09-26 CN CN2007101517000A patent/CN101378591B/zh active Active
- 2008
  - 2008-08-27 WO PCT/CN2008/072165 patent/WO2009030155A1/zh active Application Filing
  - 2008-08-27 RU RU2009146555A patent/RU2435319C2/ru active
  - 2008-08-27 JP JP2010513633A patent/JP4976548B2/ja active Active
  - 2008-08-27 EP EP20120188170 patent/EP2549701B1/en active Active
  - 2008-08-27 PL PL08784154T patent/PL2139175T6/pl unknown
  - 2008-08-27 EP EP08784154.0A patent/EP2139175B3/en active Active
  - 2008-08-27 ES ES08784154.0T patent/ES2401039T7/es active Active
- 2009
  - 2009-12-09 US US12/633,948 patent/US8656169B2/en active Active
- 2014
  - 2014-01-03 US US14/147,179 patent/US8812848B2/en active Active
  - 2014-06-12 US US14/303,146 patent/US9241261B2/en active Active
- 2015
  - 2015-10-02 US US14/873,504 patent/US9538373B2/en active Active
  - 2015-12-02 US US14/957,338 patent/US9497625B2/en active Active
- 2016
  - 2016-12-07 US US15/372,093 patent/US10015669B2/en active Active
- 2018
  - 2018-06-29 US US16/023,324 patent/US10595198B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1801698A (zh) * | 2005-01-07 | 2006-07-12 | 华为技术有限公司 | Method for ensuring media stream security in an IP multimedia subsystem network |
CN1983921A (zh) * | 2005-12-16 | 2007-06-20 | 华为技术有限公司 | Method and system for implementing end-to-end media stream security |
WO2007078159A1 (en) * | 2006-01-04 | 2007-07-12 | Samsung Electronics Co., Ltd. | Method and apparatus for transmitting sip data of idle mode ue in a mobile communication system |
Non-Patent Citations (9)
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010109954A (ja) * | 2008-10-31 | 2010-05-13 | Ntt Docomo Inc | Mobile station |
CN101505479A (zh) * | 2009-03-16 | 2009-08-12 | 中兴通讯股份有限公司 | Method and system for security context negotiation during an authentication procedure |
CN101505479B (zh) * | 2009-03-16 | 2014-04-30 | 中兴通讯股份有限公司 | Method and system for security context negotiation during an authentication procedure |
JP2013533656A (ja) * | 2010-05-10 | 2013-08-22 | 中興通訊股份有限公司 | Statistical method and apparatus for inter-system reselection frequency |
US9398459B2 (en) | 2011-03-14 | 2016-07-19 | Alcatel Lucent | Prevention of eavesdropping type of attack in hybrid communication system |
Also Published As
Publication number | Publication date |
---|---|
US9241261B2 (en) | 2016-01-19 |
US20100095123A1 (en) | 2010-04-15 |
US20140120879A1 (en) | 2014-05-01 |
US20160028703A1 (en) | 2016-01-28 |
EP2139175B1 (en) | 2012-12-26 |
CN101378591A (zh) | 2009-03-04 |
EP2139175B3 (en) | 2017-10-04 |
RU2435319C2 (ru) | 2011-11-27 |
RU2009146555A (ru) | 2011-06-20 |
ES2401039T3 (es) | 2013-04-16 |
US20160088472A1 (en) | 2016-03-24 |
US9497625B2 (en) | 2016-11-15 |
US10595198B2 (en) | 2020-03-17 |
CN101378591B (zh) | 2010-10-27 |
PL2139175T6 (pl) | 2018-04-30 |
JP4976548B2 (ja) | 2012-07-18 |
US20170094506A1 (en) | 2017-03-30 |
US9538373B2 (en) | 2017-01-03 |
EP2549701B1 (en) | 2014-03-26 |
PL2139175T3 (pl) | 2013-05-31 |
US20180310170A1 (en) | 2018-10-25 |
EP2139175A4 (en) | 2010-05-19 |
US8656169B2 (en) | 2014-02-18 |
US20140295800A1 (en) | 2014-10-02 |
ES2401039T7 (es) | 2018-01-30 |
EP2139175A1 (en) | 2009-12-30 |
US10015669B2 (en) | 2018-07-03 |
JP2010533390A (ja) | 2010-10-21 |
US8812848B2 (en) | 2014-08-19 |
EP2549701A1 (en) | 2013-01-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2009030155A1 (en) | | Method, system and apparatus for negotiating the security ability when a terminal is moving |
JP6185017B2 (ja) | | Authentication in a Secure User Plane Location (SUPL) system |
JP5462411B2 (ja) | | Method and apparatus for supporting synchronization of security settings |
AU2007232622B2 (en) | | System and method for optimizing authentication procedure during inter access system handovers |
JP5784776B2 (ja) | | Secure negotiation of authentication capabilities |
US9060268B2 (en) | | Negotiating security capabilities during movement of UE |
WO2009030164A1 (fr) | | Method, system and device for preventing a degradation attack while a terminal is moving |
WO2007121669A1 (fr) | | Method, device and system for establishing a radio connection |
WO2019029531A1 (zh) | | Method for triggering network authentication and related device |
WO2015100974A1 (zh) | | Terminal authentication method, apparatus and system |
WO2013185709A1 (zh) | | Call authentication method, device and system |
WO2013152740A1 (zh) | | User equipment authentication method, apparatus and system |
WO2018126791A1 (zh) | | Authentication method and apparatus, and computer storage medium |
EP3146742B1 (en) | | Exception handling in cellular authentication |
WO2014113921A1 (zh) | | Method and network device for security authentication in a mobile communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08784154; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 3913/KOLNP/2009; Country of ref document: IN |
| | WWE | Wipo information: entry into national phase | Ref document number: 2008784154; Country of ref document: EP |
| | WWE | Wipo information: entry into national phase | Ref document number: 2010513633; Country of ref document: JP |
| | WWE | Wipo information: entry into national phase | Ref document number: 2009146555; Country of ref document: RU |
| | NENP | Non-entry into the national phase | Ref country code: DE |