WO2010151182A1 - Method and system for managing security in a telecommunications system - Google Patents

Method and system for managing security in a telecommunications system

Info

Publication number
WO2010151182A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
radio base
policy
network
group
Application number
PCT/SE2009/050777
Other languages
English (en)
Inventor
Mats NÄSLUND
Kiran Thakare
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)
Application filed by Telefonaktiebolaget L M Ericsson (Publ)
Priority to PCT/SE2009/050777
Publication of WO2010151182A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Definitions

  • the present invention relates generally to security management in a telecommunications system, and more particularly to an arrangement and a method of handling security when a user equipment performs a handover from a serving base station to a target base station.
  • security of mobile terminals is important not only to mobile users but also to service providers and to network operators.
  • Security algorithms are often used to achieve authentication and consequently a basis for authorisation between the mobile terminal or the user equipment (UE) and one or several network nodes.
  • UE user equipment
  • These security algorithms often rely upon a secret that is shared between the mobile terminal and one or more network nodes that permits the user to be authenticated.
  • this shared secret is embodied in the form of a cryptographic key.
  • the handling of security between a mobile terminal and a network node generally occurs when the mobile terminal attaches to the network and may also occur when the mobile terminal requests service. In general, triggering of authentication can be based on the operator's policy and may in principle take place at any time.
  • Security check involving authentication and authorization is typically also performed when a mobile terminal is to be handed over from one access node (e.g. a serving base station) to another access node (e.g. a target base station).
  • a UE needs to authenticate itself to the network each time the UE encounters a new cell or a new radio base station. In other words, although the UE moves or is handed over to a new radio base station within the same radio access technology, mutual authentication needs to be performed.
  • a handover within the same WiMAX access system is also known as an inter BS/ASN (Base Station/Access Service Network) handover.
  • BS/ASN Base Station/Access Service Network
  • In a multi-access system that supports a plurality of access technologies such as WiMAX, LTE, UMTS, GSM, WLAN, etc., authentication and authorization of a UE that is moving from a serving base station of a first access system (e.g. LTE (Long Term Evolution)) to a target base station of a second access system (e.g. WiMAX) is also required.
  • a mutual authentication and authorization process is performed between the UE and the target system when a decision to handover the UE has been made.
  • a new security key is generated and shared between the UE and the target base station.
  • an additional mutual authentication and authorization process may be required between the UE and the new radio base station. This process is invoked for each handover situation. This results in performance degradation such as higher signalling load and an increase in delays experienced by the UE especially if the UE is having an ongoing call or service. Repeated invocation of authentication and authorization procedures also puts strain on the battery life of the UE.
  • LTE Long Term Evolution
  • a LTE system will most likely include radio base stations of different types: macro, pico and femto base stations and these will provide different levels of protection for the security keys and other sensitive data stored therein.
  • macro base stations generally provide adequate level of protection compared to that provided by pico base stations or femto base stations. This implies that handover between macro base stations will most likely be more secure (i.e. higher level of protection) than a handover between a femto base station and a macro base station, and more secure than a handover between two pico base stations or between two femto base stations.
  • the above stated problems are solved by means of a method of handling security in a telecommunications system that comprises one or several network areas, each network area is partitioned into a plurality of network groups and wherein a user equipment (UE) that is served by a first radio base station of a first network group, performs a handover to a second radio base station.
  • the method of handling security comprises the steps of: applying, if the second radio base station belongs to the first network group, a first authentication and authorization (AA) policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station; and applying, if the second radio base station belongs to another network group that is different from the first network group, a second AA policy between the UE and the second radio base station independently of the radio access technology used by the second radio base station.
  • AA authentication and authorization
  • application of the first AA policy comprises authorizing the UE to associate to the second radio base station.
  • the UE in accordance with this exemplary embodiment of the present invention, is not required to perform an AA procedure.
  • applying the first AA policy comprises instructing the UE to update the security key prior to authorizing the UE to associate to the second radio base station.
  • the UE in accordance with this exemplary embodiment, is instructed to update its security key.
  • applying of the second AA policy comprises enforcing the AA procedure between the UE and the second radio base station. This AA procedure resulting in AA information shared between the UE and the network.
  • the enforcing of the second AA policy may further comprise instructing the UE to update its key in addition to requiring a full authentication.
  • the above stated problems are solved by means of an arrangement in a network node for handling security in a telecommunications system comprising a network area that is partitioned into a plurality of network groups, and wherein a UE that is served by a first radio base station of a first network group performs a handover to a second radio base station.
  • the arrangement is configured to apply, if the second radio base station belongs to first network group, a first AA policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access network used by the second radio base station. If the second radio base station belongs to another network group, the arrangement is configured to apply a second AA policy between the UE and the second radio base station independently of the radio access network used by the second radio base station.
  • An advantage with embodiments of the present invention is to facilitate security handling (i.e. AA handling) during handover of a UE from a serving base station to a target base station independently of the radio access technology used by the involved radio base stations.
  • Another advantage with embodiments of the present invention is to reduce the signalling load and to reduce the latency introduced by AA procedures.
  • A further advantage with embodiments of the present invention is to avoid reducing the battery life of the UE.
  • Yet another advantage with embodiments of the present invention is that by introducing the network group concept, an increase in security is achieved in cases where the handover is between radio base stations of the same access technology but the serving and/or the target base station provide different protection levels.
  • Figure 1 is a schematic diagram of a network architecture comprising network groups and network areas wherein the exemplary embodiments of the present invention can be applied.
  • Figure 2 is a diagram illustrating a network scenario wherein the exemplary embodiment of the present invention can be applied.
  • Figure 3 is a diagram illustrating another network scenario wherein the exemplary embodiment of the present invention can be applied.
  • FIG. 4 is a flowchart of a method of handling security in accordance with exemplary embodiments of the present invention
  • the architecture 100 comprises one or several network areas of which only two network areas 110, 120 are shown. Since the exemplary embodiments of the present invention relate to security handling involving authorization and authentication procedures, each network area is here denoted an AA area (Authentication and Authorization area).
  • AA area1 110 is partitioned into a plurality of network groups denoted AA groups of which only three groups are shown, AA group1 111, AA group2 112 and AA group3 113.
  • AA area2 120 is shown partitioned into AA group1 121 and AA group2 122. It should be noted that the exemplary embodiments of the present invention are not restricted to any particular number of AA areas and/or AA groups.
  • each AA group comprises at least one radio base station, denoted BS.
  • AA group1 111 is shown comprising base stations BS1 111A, BS2 111B, and BS3 111C;
  • AA group2 112 is shown including base station BS1 112A;
  • AA group3 113 is shown comprising base station BS1 113A.
  • AA group1 121 comprises BS1 121A and
  • AA group2 122 comprises BS2 122A
  • the exemplary embodiments of the present invention are not restricted to any particular number of base stations per AA group.
  • An AA group may comprise BSs from various access technologies such as GSM, UMTS, LTE, WiMAX, GPRS, WLAN, that are logically or physically grouped together e.g. by geographical proximity to form an AA group.
  • An AA group may comprise BSs of a particular access technology and of a particular type of base stations, regardless of their physical location.
  • an AA group may comprise macro base station(s) and/or femto base station(s) and/or pico radio base station(s) belonging to single network operator. Note that in this case, the AA group may not be based on physical proximity.
  • An AA group may comprise BSs of only a single access technology e.g. WiMAX/WIBRO (Wireless Broadband) or LTE or UMTS etc.
  • WiMAX/WIBRO Wireless Broadband
  • An AA group may comprise BSs of a particular ownership/administration.
  • the jointly owned/administrated base stations could form a specific AA group, separate from those base stations owned/administrated by a single operator.
  • An AA area may be an entire serving network or some suitable part thereof e.g. determined geographically in terms of a number of radio base stations and/or a number of cells.
  • Several operators may jointly control the AA area.
  • a single operator controls the AA area.
  • the AA area could also coincide with existing concepts such as Location Area (LA, used in GSM), Routing Area (RA, used in GPRS) or Tracking Area (TA, used in LTE) and an AA area would in such case consist of only a part of a network.
  • LA Location Area
  • RA Routing Area
  • TA Tracking Area
  • a location register 114 that can e.g. store parameters defining the AA areas, parameters defining the AA groups and the logical mapping of the BSs with respect to AA group/area.
  • the parameters defining AA group/area may or may not be related to location.
  • the mapping of BSs to AA group could for instance be a list of pairs of form (BS_ID, AA group ID), where BS_ID is an identifier for the BS and AA group ID similarly is an identifier for the AA group.
  • Each AA area can have its dedicated location register 114 as shown in figure 1.
  • AA areas may also share a location register 114. It should be mentioned that the location register 114 is not necessarily a VLR (visitor location register) and/or a HLR (home location register).
  • Figure 1 also shows a UE 115 that is here assumed to be served by BS3 111C of AA group1 111A of AA area1 110.
  • the network 100 may comprise additional network nodes and UEs not illustrated in figure 1, e.g. core network nodes for control (such as AAA (Authentication Authorization and Accounting) servers (or AAA nodes) or mobility management nodes), or user plane data handling nodes (e.g. gateways).
  • the location register 114 may further store the location of UE(s).
  • a first AA policy is applied between the UE 115 and the second radio base station to allow the UE 115 to associate to the second radio base station independently of the radio access technology used by the second radio base station.
  • a first AA policy is applied between UE 115 and BS2 111B.
  • This first AA policy may comprise a rule to apply an implicit authentication in the sense that the UE 115 implicitly proves its authenticity by being able to use the correct AA information related to the UE i.e. the correct security parameter (e.g. a security key of ciphering and/or data/signalling integrity).
  • the UE 115 already has knowledge of the identification information (or identifier) of AA group 1, although this is not necessary.
  • the information or this identifier may for instance have been communicated to the UE 115 prior to the initiation of the handover procedure.
  • the information may have been communicated when the UE 115 initially attached to the serving BS3 111C or when the UE 115 initially performed an AA procedure with the serving BS3 111C or during security establishment (for enabling air interface ciphering etc.) and radio bearer establishment.
  • the UE 115 will generally be made aware of e.g.
  • the information included in the broadcast message may comprise the identifier of the AA group to which the BS2 111B belongs.
  • the information may also include the identifier of the AA area that includes AA group 1 111A.
  • the broadcast information indicates to the UE 115 whether it can expect to authenticate if/when attaching to the target base station. In this case, both the source and the target base stations belong to the same network group AA group 1 111A.
  • the UE 115 is thus already known to AA group 1 and therefore the AA policy to be applied is that no explicit authentication is necessary when the UE 115 performs the handover to BS2 111B. Instead, the UE 115 may for example implicitly prove its authenticity by using the correct AA information (security key of ciphering and/or data/signalling integrity) related to the UE and associate to the target base station.
  • AA information security key of ciphering and/or data/signalling integrity
  • K3 = HASH(Km, BS3), where Km is some master key and HASH indicates a hash function, which can be any appropriate hash function.
  • When the target and serving base stations belong to the same AA group, no explicit authentication and authorization procedure is necessary independently of the radio access technology used by the target base station.
  • the base stations of the same AA group have similar security level and share the same AA policy. This will facilitate security handling (i.e. AA handling) during handover of a UE, independently of the radio access technology used by the involved radio base stations. This will also reduce signalling load and the latency introduced by AA procedures.
  • application of the first AA policy may also (or alternatively) comprise issuing an instruction to the UE to perform some other security measures e.g. to update the UE's security key prior to authorizing the UE to associate to the target base station.
  • the update of the security key is due to the desire to limit "wear" of the key. The longer the key is used (e.g. the more data that is processed by it), the greater is the risk that the key is compromised. Therefore, updating/replacing the key according to some pre-determined scheme will mean that security is improved.
  • the UE 115 can be instructed (in e.g.
  • K2 = HASH(Km, BS2).
  • the target base station BS2 111B is provided with K2 in connection to the signalling involved during the handover.
  • K2 can be provided from an arrangement in the serving base station BS3 111C or from an arrangement in another network node (e.g. AAA server, an AA controller node, a central node or any suitable network node).
  • the second radio base station i.e. target base station
  • a second AA policy is applied between the UE 115 and the second radio base station independently of the radio access technology used by the second base station.
  • the target radio base station is informed of (or provided with) AA information that is related to the UE 115, and an explicit AA procedure (e.g. explicit authentication) is enforced between the UE 115 and the target base station.
  • a second AA policy is applied between the UE 115 and BS1 112A which involves an explicit authentication and authorization of the UE 115.
  • the authentication may be based on the UE's USIM (Universal Subscriber Identity Module) and the AKA (Authentication and Key Agreement) protocol.
  • USIM Universal Subscriber Identity Module
  • AKA Authentication and Key Agreement
  • a AAA node have explicitly performed mutual authentication and authorization between each other and in the event of successful authentication/authorization of the UE 115, at least the new serving base station is provided with necessary AA information related to UE 115, e.g. security key(s).
  • This AA information can be provided by an arrangement in a network node such as the serving base station and/or another network node (e.g. an AAA node).
  • the radio base stations belonging to the second AA group i.e. AA group2 112 may be informed of the AA information (e.g. security key) related to the UE 115 through multicasting of said information within the second group.
  • An AA group may be provided with a policy to apply an AA cycle of AA procedure(s) interval(s).
  • the UE and its serving base station may initiate an AA procedure.
  • security can be based on an implicit authentication (or update of the security key) so that the UE can prove knowledge of the key.
  • the first scenario which is also illustrated in figure 2, relates to a case where both the first and second base stations are LTE base stations (i.e. eNBs).
  • a UE 20 is considered here attaching to the first base station eNB1 21 (Step 1).
  • MME 23 mobility management entity
  • HSS 25 home subscriber server
  • EPS Evolved Packet System
  • the UE 20 can, at this stage, be informed (securely) about the AA group to which eNB1 21 belongs (i.e. AA group ID of eNB1). However, this is not necessary.
  • data traffic can flow between UE 20 and eNB1 21 (Step 4) i.e. eNB1 21 is now the serving base station.
  • the data traffic is forwarded via a Serving Gateway (SGW) 24 e.g. to/from the Internet.
  • SGW Serving Gateway
  • Step 5 indicates that a new eNB is discovered. This is done by radio signal measurements on broadcast messages from the second base station eNB2 22.
  • the broadcast message comprises cell identifiers associated with eNB2 22 and may also comprise information about the AA group to which eNB2 22 belongs (i.e. AA group ID of eNB2).
  • Step 6: a handover decision is made (handover preparation procedure).
  • X2-handover: X2 denotes the direct interface between eNB1 and eNB2
  • S1 denotes the interface between an eNB and a central node in the network e.g. the MME 23 or the SGW 24.
  • eNB1 21 and eNB2 22 mutually check between each other if they belong to the same AA group or not.
  • the arrangement for handling the checking and security and enforcing AA policy is distributed between the eNB1 21 and the eNB2 22.
  • If eNB1 21 and eNB2 22 belong to the same AA group, then they have similar security level and they share the same AA policy.
  • the AA information e.g. keys
  • eNB1 21 provides eNB2 22 with said AA information over the aforementioned X2-interface.
  • the MME 23 is involved and can perform the AA group check i.e. checking if eNB1 21 and eNB2 22 belong to the same group or not.
  • the arrangement for handling the checking and security may be implemented in the central node MME 23.
  • the AA information (e.g. keys) related to the UE 20 is sent from MME 23 to eNB2 22.
  • the UE 20 may be informed (in Step 6) about the AA group to which eNB2 22 belongs, unless this was performed earlier. However, the UE 20 does not need to know of the AA group ID of eNB2.
  • Step 7: a selected AA policy is applied (AA policy application). If eNB1 and eNB2 belong to the same AA group, then a first AA policy is applied, as previously described. If eNB1 and eNB2 belong to different AA groups, then a second AA policy is applied, as described earlier.
  • The handover procedure is then completed (Step 8 Handover Completion Procedure) and data traffic can be exchanged between UE 20 and the new serving base station eNB2 22 (Step 9).
  • the AA information (e.g. the key(s)) related to the UE can be provided to radio base stations (through multicast or broadcast or unicast) belonging to the same group as that of eNB2, based on the location information of the UE.
  • In FIG. 3 there is illustrated the second scenario wherein exemplary embodiments of the present invention can be applied. In this scenario, also within the context of a 3GPP EPS network, two different access technologies are however used.
  • the first radio base station eNB 31 is considered to represent a LTE base station which can be a macro LTE base station or a femto LTE base station or a pico LTE base station.
  • the second radio base station BS 32 is considered to represent a WiMAX base station. Other combinations of access technologies are of course also possible.
  • a UE 30 attaches to eNB1 31 (Step 1).
  • an initial AA procedure takes place between the UE 30 and the MME 33 (Step 2), followed by a security establishment and a bearer establishment (Step 3).
  • the UE 30 can, at this stage, be informed (securely) about the AA group to which eNB 31 belongs (i.e. AA group ID of eNB). However, this is not necessary.
  • data traffic can flow between UE 30 and eNB 31 (Step 4) i.e. eNB1 31 is now the serving base station.
  • non-3GPP access technologies such as WiMAX are, in the current technical specifications such as 3GPP TS 23.402: " Architecture enhancements for non-3GPP access ", integrated in EPS (Evolved Packet System) in a slightly different way than 3GPP native technologies.
  • a network function called ANDSF (Access Network Discovery Function) 35 is used to inform the UE 30 about available networks.
  • the UE is informed (Step 5 BS discovery) by the ANDSF 35 about a nearby WiMAX base station BS 32.
  • the information can include the identity of BS 32 and also information of the AA group to which BS 32 belongs.
  • the information is sent through the LTE access because UE 30 is currently served by eNB 31.
  • a handover preparation procedure is started (Step 6).
  • an arrangement for checking whether eNB 31 and BS 32 belong to the same or different groups is provided in e.g. a central node such as the HSS node 36 (or HSS/AAA node) or alternatively the ANDSF 35. If eNB 31 and BS 32 belong to the same AA group, a first AA policy is applied as previously described (Step 7: AA policy application). Thus in this case eNB 31 and BS 32 have similar security level and they share the same AA policy.
  • the AA information e.g. keys
  • HSS/AAA 36 provides BS 32 with said AA information.
  • the arrangement for security handling i.e. application of the first AA policy
  • eNB 31 and BS 32 belong to different AA groups
  • a second AA policy is applied at Step 7 as previously described.
  • the necessary AA information e.g. key(s)
  • the arrangement in the HSS/AAA 36 node can notify the UE 30 about the properties of the WiMAX network.
  • the HSS/AAA 36 can inform the UE 30 of the AA group ID of BS 32.
  • the old LTE access is terminated and the HSS/AAA 36 is notified with a "cancel old location" notification etc.
  • data traffic can be exchanged between the UE 30 and the new serving base station BS 32 (Step 9).
  • the base stations that belong to the same AA group as BS 32 are provided with UE related AA information.
  • additional nodes are shown such as a MME 33 and a gateway GW 34 which can be a SGW or a Packet Data Network Gateway (PGW).
  • PGW Packet Data Network Gateway
  • the system comprises a network area partitioned into a plurality of network groups (i.e. AA groups), and wherein a UE that is served by a first radio base station (BS1) of a first network group, performs a handover to a second radio base station (BS2).
  • AA groups network groups
  • BS1 radio base station
  • BS2 second radio base station
  • It is checked whether the first and second radio base stations belong to the same network group or to different network groups. If the first base station and the second base station belong to the same network group (401), a first AA policy is applied between the UE and the second base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station. If the second base station belongs to another network group that is different from the network group to which the first base station belongs, a second AA policy is applied (402) between the UE and the second base station independently of the radio access technology used by the second radio base station. Details concerning the different exemplary embodiments of the present invention have already been described and are therefore not repeated.
  • the exemplary embodiments of the present invention also relate to an arrangement in a network node for handling security in a telecommunications system comprising a network area that is partitioned into a plurality of network groups, and wherein a UE that is served by a first radio base station of a first network group, performs a handover to a second radio base station.
  • the arrangement can be implemented in a network node corresponding to the first radio base station and/or in the second radio base station and/or in a central network node of the system and/or in any suitable node.
  • the arrangement is configured to check if the second base station belongs to the first network group. This checking can be performed by a processor or processing means.
  • the processing means of the arrangement selects the AA policy to be used, which in this case, corresponds to the first AA policy.
  • the arrangement is configured to apply the first AA policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station.
  • the application of the first AA policy may include a rule indicating that the UE is authorized to associate to the second radio base station (implicit AA procedure).
  • the application of the first AA policy may instead include a rule indicating that the UE has to update its security key before it is authorized to associate to the second radio base station.
  • the arrangement is configured to select and apply a second AA policy between the UE and the second radio base station independently of the radio access technology used by the second radio base station.
  • the arrangement is also configured to provide the second radio base station with AA information related to the UE (e.g. key(s)).
  • the application of the second AA policy comprises enforcement of said policy.
  • the arrangement is also configured to multicast the AA information related to the UE, to at least one radio base station belonging to the same group as that of the second base station.
  • the arrangement can also provide the AA information related to the UE to at least one additional radio base station belonging to the group, based on location information of the UE.
  • processors of the arrangement in association with software and hardware means may be used.
  • one embodiment of the present invention includes a computer-readable medium having instructions stored thereon that are executable by the arrangement in association with hardware means. The instructions when executed perform the method steps as set forth in the claims.
  • the exemplary embodiments of the present invention may be implemented in any type of wireless communications system.
  • the exemplary embodiments of the present invention may be implemented in a non-limiting general context in relation to a 3G LTE concept and/or UMTS and/or WiMAX and/or HSPA and/or HSDPA (high speed downlink packet access) and/or HSUPA, GSM, GPRS, WLAN, etc.
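The policy selection described in the list above, as an added example that is not taken from the patent: the target station's group membership alone picks the first or second AA policy, and the radio access technology is never consulted. The class, rule and station names are hypothetical, and refusing a handover that involves a station outside every group is an assumption of this sketch.

```python
from dataclasses import dataclass
from enum import Enum


class Rule(Enum):
    IMPLICIT_ALLOW = "UE authorized to associate (implicit AA)"
    KEY_UPDATE_FIRST = "UE must update its security key before associating"
    ENFORCE_SECOND = "second AA policy enforced; AA info provided to target"


@dataclass(frozen=True)
class Decision:
    policy: str        # "first" or "second"
    rule: Rule
    aa_info_to: tuple  # stations that receive the UE's AA information (e.g. keys)


class HandoverAA:
    def __init__(self, groups, first_policy_rule):
        self.groups = groups                        # group id -> set of RBS ids
        self.first_policy_rule = first_policy_rule  # group id -> Rule
        self.group_of = {rbs: g for g, members in groups.items() for rbs in members}

    def decide(self, source_rbs, target_rbs, multicast=False):
        # The access technology of either station is deliberately not an input.
        for rbs in (source_rbs, target_rbs):
            if rbs not in self.group_of:
                # Assumption of this example: a station in no group is refused.
                raise KeyError(f"{rbs} is not in any network group")
        src, dst = self.group_of[source_rbs], self.group_of[target_rbs]
        if src == dst:
            # Same group: first AA policy, no AA information has to move.
            return Decision("first", self.first_policy_rule[src], ())
        # Different group: second AA policy; the target gets the UE's AA info,
        # optionally multicast to the other members of the target's group.
        recipients = [target_rbs]
        if multicast:
            recipients += sorted(self.groups[dst] - {target_rbs})
        return Decision("second", Rule.ENFORCE_SECOND, tuple(recipients))


# Constructed topology: each group mixes access technologies on purpose.
GROUPS = {"G1": {"eNB-1", "WLAN-AP-7"}, "G2": {"NB-3", "WiMAX-4", "eNB-9"}}
AA = HandoverAA(GROUPS, {"G1": Rule.IMPLICIT_ALLOW, "G2": Rule.KEY_UPDATE_FIRST})

if __name__ == "__main__":
    print(AA.decide("eNB-1", "WLAN-AP-7"))
    print(AA.decide("eNB-1", "NB-3", multicast=True))
```
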

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present invention relate to an arrangement in a network node and to a method for security management in a telecommunications system. According to the invention, a plurality of network groups is provided, each group comprising at least one radio base station, and a UE served by a first base station performs a handover to a second base station. If the first and second base stations belong to the same network group, a first AA policy is applied between the UE and the second base station independently of the access technology used by the second base station. If the first and second base stations belong to different groups, a second AA policy is applied independently of the access technology used by the second base station.
PCT/SE2009/050777 2009-06-22 2009-06-22 Method and system for security management in a telecommunications system WO2010151182A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2009/050777 WO2010151182A1 (fr) 2009-06-22 2009-06-22 Method and system for security management in a telecommunications system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2009/050777 WO2010151182A1 (fr) 2009-06-22 2009-06-22 Method and system for security management in a telecommunications system

Publications (1)

Publication Number Publication Date
WO2010151182A1 true WO2010151182A1 (fr) 2010-12-29

Family

ID=42289080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2009/050777 WO2010151182A1 (fr) 2009-06-22 2009-06-22 Method and system for security management in a telecommunications system

Country Status (1)

Country Link
WO (1) WO2010151182A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014075238A1 (fr) * 2012-11-14 2014-05-22 华为技术有限公司 Security processing method for mobile communications, macro base station, micro base station and user equipment
WO2015066429A1 (fr) * 2013-11-01 2015-05-07 Interdigital Patent Holdings, Inc. Access network discovery and selection function (ANDSF) support for group communication service enablers (GCSE)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6418130B1 (en) * 1999-01-08 2002-07-09 Telefonaktiebolaget L M Ericsson (Publ) Reuse of security associations for improving hand-over performance
US20040053613A1 (en) * 2002-09-12 2004-03-18 Broadcom Corporation Controlling and enhancing handoff between wireless access points
US20070064647A1 (en) * 2003-09-12 2007-03-22 Ntt Docomo, Inc. Secure intra-and inter-domain handover
US20080207170A1 (en) * 2007-02-26 2008-08-28 Amit Khetawat Femtocell Integration into the Macro Network

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014075238A1 (fr) * 2012-11-14 2014-05-22 华为技术有限公司 Security processing method for mobile communications, macro base station, micro base station and user equipment
CN103959833A (zh) * 2012-11-14 2014-07-30 华为技术有限公司 Security processing method for mobile communications, macro base station, micro base station and user equipment
CN103959833B (zh) * 2012-11-14 2018-03-13 华为技术有限公司 Security processing method for mobile communications, macro base station, micro base station and user equipment
WO2015066429A1 (fr) * 2013-11-01 2015-05-07 Interdigital Patent Holdings, Inc. Access network discovery and selection function (ANDSF) support for group communication service enablers (GCSE)

Similar Documents

Publication Publication Date Title
CN110268734B (zh) Interworking function using an untrusted network
EP3195642B1 (fr) Interworking and integration of different radio access networks
TWI620449B (zh) Method and apparatus for accelerated link setup
EP2569894B1 (fr) Method and system for positioning a mobile station in a handover procedure
KR102178000B1 (ko) Network node for use in a communication network, communication device and methods of operating the same
US20100002883A1 (en) Security procedure and apparatus for handover in a 3gpp long term evolution system
EP3371993B1 (fr) Method, user equipment and network node for protection of user privacy in networks
US20200092771A1 (en) User Equipment, Network Node and Methods in a Wireless Communications Network
EP2730126B1 (fr) Method for avoiding handover failure
WO2018170617A1 (fr) Network access authentication method based on a non-3GPP network, and related device and system
US20130189955A1 (en) Method for context establishment in telecommunication networks
KR20090005971A (ko) Method for fast security association setup during handover between heterogeneous networks
US20150189558A1 (en) Method and apparatus for wireless communication in a heterogenous network
US8665825B2 (en) Method and apparatus for supporting idle mode handover in heterogeneous wireless communication
WO2010151182A1 (fr) Method and system for security management in a telecommunications system
US11678236B2 (en) User equipment, network node and methods in a wireless communications network
US11206539B2 (en) User equipment, network node and methods in a wireless communications network

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 09788573

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 09788573

Country of ref document: EP

Kind code of ref document: A1