WO2011152665A2 - Method and system of securing group communication in a machine-to-machine communication environment - Google Patents


Info

Publication number: WO2011152665A2
Authority: WO, WIPO (PCT)
Application number: PCT/KR2011/004021
Other languages: French (fr)
Other versions: WO2011152665A3 (en)
Inventors: Rajavelsamy Rajadurai, Han-Na Lim
Original Assignee: Samsung Electronics Co., Ltd.
Priority to: US13/701,696 (US9729314B2), KR1020127034455A (KR101877733B1), EP11790023.3A (EP2578007B1)
Prior art keywords: mtc, group, unique, group key, key information

Classifications

    • All under H ELECTRICITY, H04 ELECTRIC COMMUNICATION TECHNIQUE:
    • H04L 63/065: Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04W 12/041: Key generation or derivation
    • H04W 12/0433: Key management protocols (key management using a trusted network node as an anchor)
    • H04W 12/06: Authentication
    • H04W 4/70: Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • FIG. 1 is a block diagram illustrating a machine-to-machine (M2M) communication environment for securing group communication with machine type communication (MTC) devices belonging to a MTC group, according to one embodiment.
  • FIG. 2 is a process flowchart illustrating an exemplary method of securing group communication between a MTC server and the MTC devices belonging to the MTC group, according to one embodiment.
  • FIG. 3a and 3b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using a non-access stratum (NAS) security mode command (SMC) procedure in a long term evolution (LTE) network, according to one embodiment.
  • FIG. 4a and 4b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using a NAS SMC procedure, according to another embodiment.
  • FIG. 5a and 5b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using protocol configuration options (PCO), according to another embodiment.
  • The present invention provides a method and system for securing communication in a machine-to-machine (M2M) communication environment.
  • FIG. 1 is a block diagram illustrating a M2M communication environment 100 for securing group communication with MTC devices belonging to a MTC group, according to one embodiment.
  • The M2M communication environment 100 includes an operator network 102, MTC groups 104A-N and a MTC server 106.
  • The operator network 102 illustrated herein is a long term evolution network and hence includes a mobile management entity (MME) (e.g., a network entity) 104, a home subscriber server (HSS) 106, a serving gateway 108, a packet data network (PDN) gateway 110, and one or more eNB terminals 112A-N.
  • The operator network 102 can alternatively be a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a Worldwide Interoperability for Microwave Access (WiMAX) network and the like.
  • The MTC groups 104A-N are formed by grouping a plurality of MTC devices associated with the operator network 102.
  • For example, the operator network 102 may form a MTC group 114A including MTC devices 116A-N and a MTC group 114B including MTC devices 118A-N based on the user, location and features associated with the MTC devices 116A-N and 118A-N.
  • The MTC server 120 communicates with the MTC devices 116A-N and 118A-N based on the MTC group(s) to which each device belongs. It can be noted that one or more MTC devices may belong to more than one MTC group.
  • The operator network 102 enables the MTC server 120 or any other network entity to securely communicate with MTC devices belonging to the MTC groups 114A-N.
  • A group key module 112 in the MME 104 identifies a MTC group associated with the MTC devices 116A-N.
  • The group key module 112 may identify the MTC group 114A by obtaining the information associated with the MTC group 114A from the HSS 106 or from a source MME or Serving GPRS Support Node (SGSN). If the MTC group 114A is formed by the HSS 106, then the information associated with the MTC group 114A is obtained from the HSS 106.
  • The group key module 112 generates a unique group key based on the information (e.g., group identifier) associated with the MTC group 114A.
  • The unique group key identifier may be provided with a validity period. The validity period indicates the duration of time for which the unique group key is valid.
  • The group key module 112 securely distributes the unique group key information to the MTC devices 116A-N associated with the MTC group 114A via an associated eNB (e.g., the eNB 112A).
  • The unique group key information includes the unique group key, an index value associated with the unique group key, the validity period associated with the unique group key, and the selected security algorithm for group message protection.
  • The unique group key information is securely distributed to the MTC devices 116A-N using a non access stratum (NAS) security mode command (SMC) procedure, a new MTC group SMC procedure, or protocol configuration options (PCO), as will be illustrated in Figures 3 through 5.
  • The eNB 114 encrypts the group message(s) using the unique group key information and broadcasts the encrypted group message(s) to the MTC devices 116A-N.
  • In this way, the group message(s) are protected from spoofing.
  • Each of the MTC devices 116A-N receives the encrypted group message(s) and decrypts them using the unique group key information received from the operator network 102 for further processing. In this manner, data communication of group messages is performed in a secured manner using the unique group key information.
  • The group key module 122 generates a new group key and an index associated with the new group key and distributes them, prior to expiry of the validity period, in the manner explained above.
  • FIG. 2 is a process flowchart illustrating an exemplary method 200 of securing group communication between the MTC server 120 and the MTC devices 116A-N belonging to the MTC group 114A, according to one embodiment.
  • A unique group key is generated for securing communication between the MTC server 120 and the MTC devices 116A-N associated with the MTC group 114A in the M2M communication environment.
  • The unique group key is generated upon receipt of a non-access stratum (NAS) attach request message from one of the MTC devices 116A-N (e.g., a first member of the MTC group 114A) and performance of a network access authentication procedure.
  • The unique group key information is then securely provided to the MTC devices 116A-N associated with the MTC group 114A.
  • The unique group key information is encrypted using a non-access stratum (NAS) security context established between said one of the MTC devices 116A-N and the MME 104.
  • One or more broadcast group messages are then securely communicated between the MTC server 120 and the MTC devices 116A-N using the unique group key information.
  • FIG. 3a and 3b are a flow diagram 300 illustrating distributing a unique group key to MTC devices in a MTC group using a non-access stratum (NAS) security mode command (SMC) procedure in a LTE network, according to one embodiment.
  • A MTC device 116A sends a NAS attach request message to an eNB 112A.
  • The NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure.
  • The eNB 112A forwards the NAS attach request message to the MME 104.
  • The MME 104 performs a network access authentication procedure with the MTC device 116A.
  • The MME 104 downloads subscription information from the HSS 106.
  • The subscription information includes a group identifier associated with the MTC group to which the MTC device belongs.
  • The MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki) to the unique group key (e.g., if the key has not been generated previously for the MTC group). Alternatively, if the unique group key has already been generated, the MME 104 retrieves the previously stored unique group key for the MTC device 116A. Also, at step 308, the MME 104 stores the group information for NAS level protection of group messages for the MTC group 114A. In one embodiment, the MME 104 may derive cryptographic keys from the unique group key for user plane, NAS and AS message protection. In another embodiment, the MME 104 may dynamically form a new group based on the subscriber information and the MTC features subscribed. For example, the MME creates the MTC group for MTC devices accessing the MTC server 120 from a particular location.
  • The MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering.
  • The MME 104 securely communicates the unique group key information (e.g., group identifier, Gkey, and Gki) in a group SMC message to the MTC device 116A.
  • The group SMC message including the unique group key information can also be sent during the NAS SMC procedure.
  • The unique group key information is protected by a NAS security context established between the MTC device 116A and the MME 104.
  • The unique group key information is encrypted by the NAS security context such that only the MTC device 116A can decrypt it.
  • The group SMC message also includes the selected security algorithms (integrity protection and encryption algorithms) for group message protection.
  • The MME 104 is also capable of initiating a group SMC procedure at any point of time to refresh or to assign a new group key (Gkey) and related information. It is understood that the decision to refresh the unique group key may be based on the validity period, on the number of messages protected, on the number of MTC devices attached or detached, or on wrap-around of a count value. Moreover, the unique group key is refreshed based on configuration options and operator policy.
  • The MME 104 sends an update location request to the HSS 106.
  • The HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104.
  • The MME 104 sends a create session request to the serving gateway 108 for creating a default bearer.
  • The create session request may include the IMSI, E-RAB setup list (E-RAB ID), and Group ID.
  • The serving gateway 108 forwards the create session request to the PDN gateway 110.
  • The forwarded create session request may include the IMSI, E-RAB ID, Group ID, S5 downlink information and so on.
  • The S5 downlink information includes the internet protocol (IP) address of the serving gateway 108 and the GTP-U TEID.
  • The PDN gateway 110 sends a create session response (e.g., including Enhanced Radio Access Bearer Identity (E-RAB ID), common S5 uplink information, etc.) to the serving gateway 108 in response to the create session request.
  • The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink information, etc.) to the MME 104, at step 324.
  • The MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, S1 uplink information, etc.) to the eNB 112A.
  • The eNB 112A stores the unique group key information for group message protection.
  • The eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A.
  • The MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A.
  • The eNB 112A sends a context setup response including the E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 334.
  • The S1 downlink information includes the Internet Protocol (IP) address of the eNB 112A and the General Packet Radio Service (GPRS) Tunnelling Protocol Tunnel Endpoint Identifier (GTP-U TEID).
  • The MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 338, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request.
  • Uplink and downlink data transmission between the MTC server 120 and the MTC device 116A is then performed in a secured manner using the unique group key information, as explained in Figure 1. It can be noted that the MTC device 116A deletes the unique group key information when the MTC device detaches from the operator network 102.
  • FIG. 4a and 4b are a flow diagram 400 illustrating distributing a unique group key to MTC devices in a MTC group using a NAS SMC procedure, according to another embodiment.
  • A MTC device 116A sends a NAS attach request message to an eNB 112A.
  • The NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure.
  • The eNB 112A forwards the NAS attach request message to the MME 104.
  • The MME 104 performs a network access authentication procedure with the MTC device 116A.
  • The MME 104 downloads subscription information from the HSS 106.
  • The subscription information includes a group identifier indicating the MTC group to which the MTC device belongs.
  • The MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering.
  • The MME 104 sends an update location request to the HSS 106.
  • The HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104.
  • The MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki) (if not generated previously for the MTC group 114A). Also, at step 414, the MME 104 stores the group information for NAS level protection of group messages for the MTC group 114A. At step 416, the MME 104 securely communicates the unique group key information (e.g., group identifier, Gkey, and Gki) in a group SMC message to the MTC device 116A. In one embodiment, the unique group key information is protected using a NAS security context established between the MTC device 116A and the MME 104.
  • The MME 104 sends a create session request to the serving gateway 108 for creating a default bearer.
  • The create session request may include the IMSI, E-RAB setup list (E-RAB ID), and Group ID.
  • The serving gateway 108 forwards the create session request to the PDN gateway 110.
  • The forwarded create session request may include the IMSI, E-RAB ID, Group ID, S5 downlink information and so on.
  • The S5 downlink information includes the internet protocol (IP) address of the serving gateway 108 and the GTP-U TEID.
  • The PDN gateway 110 sends a create session response (e.g., including E-RAB ID, common S5 uplink information, etc.) to the serving gateway 108 in response to the create session request.
  • The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink information, etc.) to the MME 104, at step 424.
  • The MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, S1 uplink information, etc.) to the eNB 112A.
  • The eNB 112A stores the unique group key information for group message protection.
  • The eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A.
  • The MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A.
  • The eNB 112A sends a context setup response including the E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 434.
  • The S1 downlink information includes the IP address of the eNB 112A and the GTP-U TEID.
  • The MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 438, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request.
  • Uplink and downlink data transmission between the MTC server 120 and the MTC device 116A is then performed in a secured manner using the unique group key information, as explained in Figure 1.
  • FIG. 5a and 5b are a flow diagram 500 illustrating distributing a unique group key to MTC devices in a MTC group using a PCO, according to another embodiment.
  • A MTC device 116A sends a NAS attach request message to an eNB 112A.
  • The NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure.
  • The eNB 112A forwards the NAS attach request message to the MME 104.
  • The MME 104 performs a network access authentication procedure with the MTC device 116A.
  • The MME 104 requests authentication vectors for an Authentication and Key Agreement (AKA) procedure from the HSS 106.
  • The HSS 106 can send one or more authentication vectors to the MME 104.
  • The MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering.
  • The MME 104 sends an update location request to the HSS 106.
  • The HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104.
  • The HSS 106 indicates the group ID to which the MTC device 116 belongs.
  • The MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki), or retrieves the unique group key per group (Gkey) and its group key index (Gki) if already generated and stored previously for the MTC group 114A. Also, at step 514, the MME 104 stores the newly generated group information for NAS level protection of group messages for the MTC group 114A. At step 516, the MME 104 sends a create session request to the serving gateway 108 for creating a default bearer.
  • The create session request may include the IMSI, E-RAB setup list (E-RAB ID), Group ID, Gkey, Gki, supported algorithms for group message protection or MTC device capabilities for group communication, and the key for group message protection at the PDN gateway 110.
  • The serving gateway 108 forwards the create session request to the PDN gateway 110.
  • The forwarded create session request may include the IMSI, E-RAB ID, Group ID, S5 downlink information and so on.
  • The S5 downlink information includes the internet protocol (IP) address of the serving gateway 108 and the GTP-U TEID.
  • The PDN gateway 110 checks whether a common S5 uplink bearer for the MTC group 114A exists or not. If there is no common S5 uplink bearer for the MTC group 114A, then the PDN gateway 110 creates a S5 uplink bearer.
  • The PDN gateway 110 manages the MTC group 114A by assigning a particular group IP address for the MTC group 114A. Also, the PDN gateway 110 may protect the content received from the MTC subscriber at the IP layer or above the IP layer. The PDN gateway 110 also selects the algorithms for group message protection from the supported algorithms.
  • The PDN gateway 110 sends a create session response to the serving gateway 108 in response to the create session request.
  • The create session response includes the E-RAB ID, common S5 uplink information, and the unique group key information in a PCO.
  • The PCO contains an IP address (multicast or unicast), the group identifier, the selected algorithms for group based protection, Gkey, and Gki.
  • Upon receiving the create session response, the serving gateway 108 checks whether a common S1 uplink bearer for the MTC group 114A exists or not. If there is no common S1 uplink bearer for the MTC group 114A, then the serving gateway 108 creates a S1 uplink bearer.
  • The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink bearer, PCO, etc.) to the MME 104, at step 524.
  • The common S1 uplink bearer information includes the IP address of the serving gateway 108 and the GTP-U TEID.
  • The MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, S1 uplink information, etc.) to the eNB 112A.
  • The eNB 112A stores the unique group key information for group message protection. It can be noted that the unique group key for group message protection is encrypted by the eNB 112A using an AS security context (AS ciphering).
  • The eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A.
  • The MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A.
  • The RRC connection reconfiguration complete message includes the PCO.
  • The eNB 112A sends a context setup response including the E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 534.
  • The S1 downlink information includes the IP address of the eNB 112A and the GTP-U TEID.
  • The MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 538, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request.
  • Uplink and downlink data transmission between the MTC server 120 and the MTC device 116A is then performed in a secured manner using the unique group key information, as explained in Figure 1.
  • The various devices, modules, selectors, estimators, and the like described herein may be enabled and operated using hardware circuitry, for example, complementary metal oxide semiconductor based logic circuitry, firmware, software and/or any combination of hardware, firmware, and/or software embodied in a machine readable medium.
  • The various electrical structures and methods may be embodied using transistors, logic gates, and electrical circuits, such as an application specific integrated circuit.
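As an added example (not code from the patent), the following Python model follows the scheme described for FIG. 1 and the FIG. 3 attach flow: the MME's group key module generates a per-group Gkey with its index Gki and a validity period, delivers them to a device inside a group SMC message protected under that device's NAS security context, and the eNB then ciphers and integrity-protects broadcast group messages under Gkey, so a device rejects a spoofed broadcast from a sender without the key, a replayed one, and one sent under a refreshed key it has not yet received. Assumptions: HMAC-SHA256 stands in for the 3GPP ciphering and integrity algorithms the page does not name, the 8-byte tag, the NAS key, the algorithm label and all message contents are constructed, and the refresh triggers (validity period, message count, counter wrap-around) are the ones the page lists.

```python
import hashlib
import hmac
import os
import struct

HDR, TAG_LEN = struct.Struct(">HI"), 8  # clear header: key index + counter; 8-byte tag is a constructed choice

def keystream(key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 keystream bound to the message counter; a stand-in for a 3GPP ciphering algorithm."""
    blocks = (hmac.new(key, struct.pack(">II", counter, i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def protect(key: bytes, key_index: int, counter: int, plaintext: bytes) -> bytes:
    """Cipher the payload, then integrity-protect header and ciphertext (encrypt-then-MAC)."""
    header = HDR.pack(key_index, counter)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, counter, len(plaintext))))
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]

def unprotect(key: bytes, key_index: int, msg: bytes):
    """Return the plaintext, or None when the key index differs or the tag fails to verify."""
    if len(msg) < HDR.size + TAG_LEN:
        return None
    header, body, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
    idx, counter = HDR.unpack(header)
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if idx != key_index or not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key, counter, len(body))))

class GroupKeyModule:
    """Group key module in the MME: one Gkey/Gki record per MTC group, plus the refresh policy."""

    def __init__(self, validity: int, max_messages: int):
        self.validity, self.max_messages, self.groups = validity, max_messages, {}

    def key_info(self, group_id: str, now: int) -> dict:
        """Generate Gkey/Gki on first use for a group; later calls return the stored record."""
        if group_id not in self.groups:
            self.groups[group_id] = {"gkey": os.urandom(16), "gki": 1, "expires": now + self.validity, "count": 0}
        return self.groups[group_id]

    def needs_refresh(self, group_id: str, now: int) -> bool:
        """Validity period expired, message budget spent, or the 32-bit counter about to wrap around."""
        g = self.groups[group_id]
        return now >= g["expires"] or g["count"] >= self.max_messages or g["count"] >= 0xFFFFFFFF

    def refresh(self, group_id: str, now: int) -> None:
        g = self.groups[group_id]
        g.update(gkey=os.urandom(16), gki=g["gki"] % 0xFFFF + 1, expires=now + self.validity, count=0)

    def group_smc(self, nas_key: bytes, nas_count: int, group_id: str, now: int) -> bytes:
        """Group SMC message: the key information is ciphered under the device's NAS security context."""
        g = self.key_info(group_id, now)
        fields = [group_id, g["gkey"].hex(), str(g["gki"]), str(g["expires"]), "hmac-sha256-ctr"]  # alg label: constructed
        return protect(nas_key, 0, nas_count, "|".join(fields).encode())

def enb_broadcast(record: dict, plaintext: bytes) -> bytes:  # the eNB holds the record it got at context setup
    msg = protect(record["gkey"], record["gki"], record["count"], plaintext)
    record["count"] += 1
    return msg

class MTCDevice:
    def __init__(self, nas_key: bytes):
        self.nas_key, self.group, self.last_counter = nas_key, None, -1

    def receive_group_smc(self, msg: bytes) -> bool:
        """Decipher a group SMC with the NAS key and install Gkey/Gki; False if it did not come from the MME."""
        payload = unprotect(self.nas_key, 0, msg)
        if payload is None:
            return False
        gid, gkey, gki, expires, alg = payload.decode().split("|")
        self.group = {"id": gid, "gkey": bytes.fromhex(gkey), "gki": int(gki), "expires": int(expires), "alg": alg}
        self.last_counter = -1
        return True

    def receive_broadcast(self, msg: bytes):
        """Accept only messages under the installed Gkey/Gki with a fresh counter (replays are dropped)."""
        if self.group is None or len(msg) < HDR.size or HDR.unpack(msg[:HDR.size])[1] <= self.last_counter:
            return None
        plaintext = unprotect(self.group["gkey"], self.group["gki"], msg)
        if plaintext is not None:
            self.last_counter = HDR.unpack(msg[:HDR.size])[1]
        return plaintext

def demo(now: int = 1000) -> dict:
    """Attach, group SMC, protected broadcast, then the failure modes: replay, spoof and a stale key."""
    mme, nas_key = GroupKeyModule(validity=3600, max_messages=1000), os.urandom(16)  # NAS key: constructed
    dev = MTCDevice(nas_key)
    smc_ok = dev.receive_group_smc(mme.group_smc(nas_key, 1, "group-A", now))
    record = mme.groups["group-A"]  # the eNB's copy of the group key information from context setup
    msg = enb_broadcast(record, b"REPORT_NOW")
    got, replay = dev.receive_broadcast(msg), dev.receive_broadcast(msg)
    spoof = dev.receive_broadcast(protect(os.urandom(16), 1, 99, b"REBOOT"))  # sender without Gkey
    stale = mme.needs_refresh("group-A", now + 3600)
    mme.refresh("group-A", now + 3600)
    old_key = dev.receive_broadcast(enb_broadcast(record, b"AFTER_REFRESH"))  # device not yet re-keyed
    dev.receive_group_smc(mme.group_smc(nas_key, 2, "group-A", now + 3600))
    rekeyed = dev.receive_broadcast(enb_broadcast(record, b"AFTER_REFRESH"))
    return dict(smc_ok=smc_ok, got=got, replay=replay, spoof=spoof, stale=stale, old_key=old_key, rekeyed=rekeyed)
```

The counter in the clear header is what lets a device drop replays and lets the MME apply the wrap-around refresh trigger; the index lets it tell a message under a refreshed Gkey from one under the key it still holds.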

Abstract

The present invention provides a method and system for securing group communication in a machine-to-machine communication environment. In one embodiment, a non-access stratum attach request message is received from a MTC device associated with a MTC group. The MTC device is then authenticated based on subscription data associated with the MTC device. Accordingly, a unique group key is generated for securing group communication with the MTC device associated with a MTC group in a M2M communication environment. The unique group key information is then securely provided to the MTC device and to an associated enhanced node B. The unique group key information may include a unique group key, an index value associated with the unique group key, selected security algorithm, and key validity period. Based on the unique group key information, broadcast group messages are securely communicated between a MTC server or a network entity and the MTC device.

Description

METHOD AND SYSTEM OF SECURING GROUP COMMUNICATION IN A MACHINE-TO-MACHINE COMMUNICATION ENVIRONMENT
The present invention relates to the field of machine to machine (M2M) communication, and more particularly relates to group communication in a M2M environment.
Machine-to-Machine (M2M) communication (also referred to as "machine-type communications" or "MTC") is a form of data communication between devices that do not necessarily need human interaction (commonly known as MTC devices). For example, in an M2M communication, a MTC device (such as a sensor or meter) may capture event data which is then relayed through an operator network to an application residing in a MTC server for analysis and necessary action. Typically, the MTC device and the MTC server communicate with each other using an operator network based on network technologies such as Third Generation Partnership Project (3GPP) technologies such as Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE), and so on.
M2M communication may be used in a variety of areas such as smart metering systems (e.g., in applications related to power, gas, water, heating, grid control, and industrial metering), surveillance systems, order management, gaming machines, and health care communication. Additionally, M2M communication based on machine type communication (MTC) technology may be used in areas such as customer service.
Recent advancements in M2M communication have enabled grouping of MTC devices together such that the operator of the MTC devices can easily manage the MTC devices belonging to the same group. For example, a MTC server can be linked to several production plants (each employing MTC devices) to monitor and maximize production. The MTC devices belonging to the same group can be in the same location, have the same MTC features and/or belong to the same MTC user. This provides flexibility in allocating a group and hence may provide an easier means to control, update or charge the MTC devices at the granularity of a group. Thus, redundant signalling may be significantly reduced, avoiding congestion.
In a MTC group, it is desirable that the MTC devices are securely addressed for control, management, or charging facilities. However, currently, group messages are broadcast to the MTC devices in an insecure manner, which may lead to spoofing of group messages.
An aspect of the present invention is to provide a method and system for securing group communication in a machine-to-machine communication environment.
In accordance with one aspect of the present invention, there is provided a method for securing group communication in a machine-to-machine (M2M) communication environment, wherein the M2M communication environment comprises a plurality of machine type communication (MTC) groups, and wherein each of the plurality of MTC groups comprises a plurality of MTC devices, the method comprises generating a unique group key for securing communication with MTC devices associated with a MTC group in a M2M communication environment, securely providing the unique group key information to the MTC devices associated with the MTC group, and securely communicating one or more broadcast group messages with the MTC devices using the unique group key information.
In accordance with another aspect of the present invention, there is provided a machine-to-machine communication system. The machine-to-machine communication system comprises a plurality of machine type communication (MTC) devices, wherein the plurality of MTC devices belong to one or more MTC groups, a MTC server communicatively coupled with the plurality of MTC devices, and a network entity for securing group communication between the MTC server and the plurality of MTC devices, wherein the network entity comprises a group key module for generating a unique group key for securing communication with one or more of the plurality of MTC devices associated with at least one MTC group, securely providing the unique group key information to the one or more of the plurality of MTC devices associated with the at least one MTC group, and securely communicating one or more broadcast group messages with the one or more of the plurality of MTC devices using the unique group key information.
The above and other aspects, features and advantages of certain exemplary embodiments of the present invention will be more apparent from the following description taken in conjunction with the accompanying drawings, in which:
Figure 1 is a block diagram illustrating a machine-to-machine (M2M) communication environment for securing group communication with machine type communication (MTC) devices belonging to a MTC group, according to one embodiment.
Figure 2 is a process flowchart illustrating an exemplary method of securing group communication between a MTC server and the MTC devices belonging to the MTC group, according to one embodiment.
Figures 3a and 3b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using a non-access stratum (NAS) security mode command (SMC) procedure in a long term evolution (LTE) network, according to one embodiment.
Figures 4a and 4b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using a NAS SMC procedure, according to another embodiment.
Figures 5a and 5b are a flow diagram illustrating distributing a unique group key to MTC devices in a MTC group using protocol configuration options (PCO), according to another embodiment.
The drawings described herein are for illustration purposes only and are not intended to limit the scope of the present disclosure in any way.
The present invention provides a method and system for securing communication in a machine-to-machine (M2M) communication environment. In the following detailed description of the embodiments of the invention, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.
Figure 1 is a block diagram illustrating a M2M communication environment 100 for securing group communication with MTC devices belonging to a MTC group, according to one embodiment. In Figure 1, the M2M communication environment 100 includes an operator network 102, MTC groups 114A-N and a MTC server 120. The operator network 102 illustrated herein is a long term evolution (LTE) network and hence includes a mobility management entity (MME) 104 (e.g., a network entity), a home subscriber server (HSS) 106, a serving gateway 108, a packet data network (PDN) gateway 110, and one or more eNBs 112A-N. It can be understood that the operator network 102 can instead be a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a Worldwide Interoperability for Microwave Access (WiMAX) network and the like.
The MTC groups 114A-N are formed by grouping a plurality of MTC devices associated with the operator network 102. For example, the operator network 102 may form a MTC group 114A including MTC devices 116A-N and a MTC group 114B including MTC devices 118A-N based on the user, location and features associated with the MTC devices 116A-N and 118A-N.
In some embodiments, the MTC server 120 communicates with the MTC devices 116A-N and 118A-N based on MTC group(s) to which it belongs. It can be noted that, one or more MTC devices may belong to more than one MTC group. In these embodiments, the operator network 102 enables the MTC server 120 or any other network entity to securely communicate with MTC devices belonging to the MTC groups 114A-N.
For the purpose of illustration, consider that the MTC server 120 has to send a group message to the MTC devices 116A-N belonging to the MTC group 114A via the operator network 102. In order to securely communicate the group message, a group key module 122 in the MME 104 identifies the MTC group associated with the MTC devices 116A-N. The group key module 122 may identify the MTC group 114A by obtaining the information associated with the MTC group 114A from the HSS 106 or from a source MME or Serving GPRS Support Node (SGSN). If the MTC group 114A is formed by the HSS 106, then the information associated with the MTC group 114A is obtained from the HSS 106. Accordingly, the group key module 122 generates a unique group key based on the information (e.g., the group identifier) associated with the MTC group 114A. In one embodiment, the unique group key may be provided with a validity period. The validity period indicates the duration of time for which the unique group key is valid.
Then, the group key module 122 securely distributes the unique group key information to the MTC devices 116A-N associated with the MTC group 114A via an associated eNB (e.g., the eNB 112A). For example, the unique group key information includes the unique group key, an index value associated with the unique group key, the validity period associated with the unique group key, and the selected security algorithm for group message protection. In some embodiments, the unique group key information is securely distributed to the MTC devices 116A-N using a non access stratum (NAS) security mode command (SMC) procedure, a new MTC group SMC procedure, or protocol configuration options (PCO), as will be illustrated in Figures 3 through 5. Upon secured distribution, the group key module 122 also communicates the unique group key information associated with the MTC group 114A to the associated eNB 112A, whereby the eNB 112A stores the unique group key information in its memory for further use.
Accordingly, when a group message is received from the MTC server 120, the eNB 112A encrypts the group message using the unique group key information and broadcasts the encrypted group message to the MTC devices 116A-N. The encryption protects the content from eavesdropping; applying the selected integrity algorithm with the unique group key in addition protects the group message from spoofing and modification by anyone outside the group. Because every member of the group holds the same key, such protection shows only that a message originated from the network or from a group member, not from which one. When each of the MTC devices 116A-N receives the encrypted group message, it decrypts the message using the unique group key information received from the operator network 102 for further processing. In this manner, group messages are communicated in a secured manner using the unique group key information. It can be noted that, if the unique group key carries a validity period, the group key module 122 generates a new group key and an index associated with the new group key and distributes them, in the manner explained above, prior to expiry of the validity period.
Figure 2 is a process flowchart illustrating an exemplary method 200 of securing group communication between the MTC server 120 and the MTC devices 116A-N belonging to the MTC group 114A, according to one embodiment. At step 202, a unique group key is generated for securing communication between the MTC server 120 and the MTC devices 116A-N associated with the MTC group 114A in the M2M communication environment. In one exemplary implementation, the unique group key is generated upon receipt of a non-access stratum (NAS) attach request message from one of the MTC devices 116A-N (e.g., the first member of the MTC group 114A to attach) and completion of a network access authentication procedure.
At step 204, the unique group key information is securely provided to the MTC devices 116A-N associated with the MTC group 114A. In one embodiment, the unique group key information is encrypted using a non-access stratum (NAS) security context established between said one of the MTC devices 116A-N and the MME 104. At step 206, one or more broadcast group messages are securely communicated between the MTC server 120 and the MTC devices 116A-N using the unique group key information.
Figures 3a and 3b are a flow diagram 300 illustrating distributing a unique group key to MTC devices in a MTC group using a non-access stratum (NAS) security mode command (SMC) procedure in a LTE network, according to one embodiment. At step 302, a MTC device 116A sends a NAS attach request message to an eNB 112A. For example, the NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure. At step 304, the eNB 112A forwards the NAS attach request message to the MME 104. At step 306, the MME 104 performs a network access authentication procedure with the MTC device 116A. During the authentication procedure, the MME 104 downloads subscription information from the HSS 106. For example, the subscription information includes a group identifier associated with the MTC group to which the MTC device 116A belongs.
At step 308, the MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki) to the unique group key (e.g., if no key has been generated previously for the MTC group). Alternatively, if the unique group key has already been generated, the MME 104 retrieves the previously stored unique group key for the MTC device 116A. Also, at step 308, the MME 104 stores the group information for NAS level protection of group messages for the MTC group 114A. In one embodiment, the MME 104 may derive cryptographic keys from the unique group key for user plane, NAS and AS message protection. In another embodiment, the MME 104 may dynamically form a new group based on the subscriber information and the MTC feature subscribed. For example, the MME 104 creates the MTC group for MTC devices accessing the MTC server 120 from a particular location.
At step 310, the MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering. At step 312, the MME 104 securely communicates the unique group key information (e.g., group identifier, Gkey, and Gki) in a group SMC message to the MTC device 116A. It can be noted that the group SMC message including the unique group key information can also be sent during the NAS SMC procedure. In some embodiments, the unique group key information is protected by the NAS security context established between the MTC device 116A and the MME 104. In these embodiments, the unique group key information is encrypted under the NAS security context such that only the MTC device 116A can decrypt it. In one embodiment, the group SMC message also includes the selected security algorithms (integrity protection and encryption algorithms) for group message protection. It is appreciated that the MME 104 is also capable of initiating a group SMC procedure at any point of time to refresh or to assign a new group key (Gkey) and related information. The decision to refresh the unique group key may be based on the validity period, on the number of messages protected, on the number of MTC devices attached or detached, or on wrap-around of a count value. Moreover, the unique group key is refreshed according to configuration options and operator policy.
At step 314, the MME 104 sends an update location request to the HSS 106. At step 316, the HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104. At step 318, the MME 104 sends a create session request to the serving gateway 108 for creating a default bearer. The create session request may include IMSI, E-RAB setup list (E-RAB ID), and Group ID. At step 320, the serving gateway 108 forwards the create session request to the PDN gateway 110. The forwarded create session request may include IMSI, E-RAB ID, Group ID, S5 downlink information and so on. The S5 downlink information includes internet protocol (IP) address of the serving gateway 108 and GTP-U TEID.
Accordingly, at step 322, the PDN gateway 110 sends a create session response (e.g., including the E-UTRAN Radio Access Bearer Identity (E-RAB ID), common S5 uplink information, etc.) to the serving gateway 108 in response to the create session request. The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink information, etc.) to the MME 104, at step 324. At step 326, the MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, S1 uplink information, etc.) to the eNB 112A. At step 328, the eNB 112A stores the unique group key information for group message protection.
At step 330, the eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A. At step 332, the MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A. Upon completion, the eNB 112A sends a context setup response including E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 334. For example, the S1 downlink information includes Internet Protocol (IP) address of the eNB 112A and General Packet Radio Service (GPRS) Tunnelling Protocol Tunnel Endpoint Identifier (GTP-U TEID).
At step 336, the MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 338, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request. At step 340, uplink and downlink data transmission between the MTC server 120 and the MTC device 116A is performed in a secured manner using the unique group key information, as explained for Figure 1. It can be noted that the MTC device 116A deletes the unique group key information when it detaches from the operator network 102; since that deletion is performed by the device itself, an operator that must exclude a detached device from subsequent group messages refreshes Gkey and Gki on detach, which is one of the refresh triggers described above.
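The key lifecycle described in the Figure 1 discussion and in steps 308 through 340 above, as an added example that is not part of the patent: the MME derives Gkey from the group identifier and Gki, the eNB protects broadcast group messages under that key and stops once the key's message budget is spent (one of the refresh triggers named for step 312), and a device accepts only messages for its current (GroupID, Gki), rejects replays, and fails closed on any tampering. Everything beyond the page's own elements is an assumption for illustration: the MME secret and the FC value fed to the HMAC-SHA-256 der‌ivation, AES-128-GCM standing in for the selected EEA/EIA algorithm pair, a message count as the validity measure, the nonce and header layout, and the replay check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// GroupKeyInfo is what the MME hands to the MTC devices and to the eNB.
type GroupKeyInfo struct {
	GroupID   string
	Gki       uint16 // group key index
	Gkey      []byte // 128-bit group key
	MaxCount  uint32 // constructed: messages allowed under this key before a refresh is due
	Algorithm string // constructed: AES-128-GCM stands in for the selected EEA/EIA pair
}

// GenerateGroupKey (step 308) derives Gkey with HMAC-SHA-256 laid out like the 3GPP KDF (FC || P0 || L0 || P1 || L1,
// TS 33.220 Annex B). FC 0xF0 and the MME secret are assumptions; binding Gki makes the refresh to Gki+1 an unrelated key.
func GenerateGroupKey(mmeSecret []byte, groupID string, gki uint16) GroupKeyInfo {
	s := append([]byte{0xF0}, groupID...)
	s = append(s, byte(len(groupID)>>8), byte(len(groupID)), byte(gki>>8), byte(gki), 0, 2)
	mac := hmac.New(sha256.New, mmeSecret)
	mac.Write(s)
	return GroupKeyInfo{GroupID: groupID, Gki: gki, Gkey: mac.Sum(nil)[:16], MaxCount: 4, Algorithm: "AES-128-GCM"}
}

// GroupMsg is a protected broadcast group message; its clear header selects the key (GroupID, Gki) and is bound as AAD.
type GroupMsg struct {
	GroupID    string
	Gki        uint16
	Count      uint32
	Ciphertext []byte
}

// protect seals (open=false) or opens (open=true) in with AES-128-GCM under gkey. The nonce is the 12 ASCII hex bytes
// of Gki || Count; it never repeats under one key because the eNB counts and MaxCount forces a refresh before wrap-around.
func protect(m GroupMsg, gkey, in []byte, open bool) ([]byte, error) {
	b, err := aes.NewCipher(gkey)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block
	nonce := []byte(fmt.Sprintf("%04x%08x", m.Gki, m.Count))
	aad := []byte(fmt.Sprintf("%s|%d|%d", m.GroupID, m.Gki, m.Count))
	if open {
		return g.Open(nil, nonce, in, aad)
	}
	return g.Seal(nil, nonce, in, aad), nil
}

// ENB holds the key info from the context setup (step 328) and a downlink counter.
type ENB struct {
	Info  GroupKeyInfo
	count uint32
}

// Broadcast protects one group message; past MaxCount it refuses until the MME refreshes Gkey/Gki.
func (e *ENB) Broadcast(payload []byte) (GroupMsg, error) {
	if e.count >= e.Info.MaxCount {
		return GroupMsg{}, fmt.Errorf("Gki %d exhausted: MME must refresh the group key", e.Info.Gki)
	}
	m := GroupMsg{GroupID: e.Info.GroupID, Gki: e.Info.Gki, Count: e.count}
	ct, err := protect(m, e.Info.Gkey, payload, false)
	if err != nil {
		return GroupMsg{}, err
	}
	m.Ciphertext, e.count = ct, e.count+1
	return m, nil
}

// Device holds the key info from the NAS-protected group SMC (step 312) and the next count it accepts (replay check).
type Device struct {
	Info *GroupKeyInfo
	next uint32
}

func (d *Device) Receive(m GroupMsg) ([]byte, error) {
	if d.Info == nil || m.GroupID != d.Info.GroupID || m.Gki != d.Info.Gki {
		return nil, fmt.Errorf("no group key for %s/Gki %d", m.GroupID, m.Gki)
	}
	if m.Count < d.next {
		return nil, fmt.Errorf("count %d already seen: replay rejected", m.Count)
	}
	pt, err := protect(m, d.Info.Gkey, m.Ciphertext, true)
	if err == nil {
		d.next = m.Count + 1
	}
	return pt, err
}

func main() {
	info := GenerateGroupKey([]byte("constructed-mme-secret"), "mtc-group-114A", 1)
	enb, dev := &ENB{Info: info}, &Device{Info: &info}
	msg, _ := enb.Broadcast([]byte("group configuration update"))
	pt, err := dev.Receive(msg)
	fmt.Printf("device decrypted %q (err=%v)\n", pt, err)
}
```

A member that missed a group SMC and still holds Gki 1 cannot open messages protected under Gki 2, which is why the MME distributes the refreshed Gkey and Gki before the old ones expire rather than after.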
Figures 4a and 4b are a flow diagram 400 illustrating distributing a unique group key to MTC devices in a MTC group using a NAS SMC procedure, according to another embodiment. At step 402, a MTC device 116A sends a NAS attach request message to an eNB 112A. For example, the NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure. At step 404, the eNB 112A forwards the NAS attach request message to the MME 104. At step 406, the MME 104 performs a network access authentication procedure with the MTC device 116A. During the authentication procedure, the MME 104 downloads subscription information from the HSS 106. For example, the subscription information includes a group identifier indicating the MTC group to which the MTC device 116A belongs.
At step 408, the MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering. At step 410, the MME 104 sends an update location request to the HSS 106. At step 412, the HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104.
At step 414, the MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki) (if not generated previously for the MTC group 114A). Also, at step 414, the MME 104 stores the group information for NAS level protection of group messages for the MTC group 114A. At step 416, the MME 104 securely communicates the unique group key information (e.g., group identifier, Gkey, and Gki) in a group SMC message to the MTC device 116A. In one embodiment, the unique group key information is protected using a NAS security context established between the MTC device 116A and the MME 104. At step 418, the MME 104 sends a create session request to the serving gateway 108 for creating a default bearer. The create session request may include IMSI, E-RAB setup list (E-RAB ID), and Group ID. At step 420, the serving gateway 108 forwards the create session request to the PDN gateway 110. The forwarded create session request may include IMSI, E-RAB ID, Group ID, S5 downlink information and so on. The S5 downlink information includes internet protocol (IP) address of the serving gateway 108 and GTP-U TEID.
Accordingly, at step 422, the PDN gateway 110 sends a create session response (e.g., including E-RAB ID, common S5 uplink information, etc.) to the serving gateway 108 in response to the create session request. The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink information, etc.) to the MME 104, at step 424. At step 426, the MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, S1 uplink information, etc.) to the eNB 112A. At step 428, the eNB 112A stores the unique group key information for group message protection.
At step 430, the eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A. At step 432, the MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A. Upon completion, the eNB 112A sends a context setup response including E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 434. For example, the S1 downlink information includes IP address of the eNB 112A and GTP-U TEID.
At step 436, the MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 438, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request. At step 440, communication of group messages between the MTC server 120 and the MTC device 116A is performed in a secured manner using the unique group key information, as explained in Figure 1.
Figures 5a and 5b are a flow diagram 500 illustrating distributing a unique group key to MTC devices in a MTC group using PCO, according to another embodiment. At step 502, a MTC device 116A sends a NAS attach request message to an eNB 112A. For example, the NAS attach request message is sent at the end of a radio resource control (RRC) connection setup procedure. At step 504, the eNB 112A forwards the NAS attach request message to the MME 104. At step 506, the MME 104 performs a network access authentication procedure with the MTC device 116A. During the authentication procedure, the MME 104 requests authentication vectors for an Authentication and Key Agreement (AKA) procedure from the HSS 106. It can be noted that the HSS 106 can send one or more authentication vectors to the MME 104.
At step 508, the MME 104 performs a NAS SMC procedure with the MTC device 116A to activate integrity protection and NAS ciphering. At step 510, the MME 104 sends an update location request to the HSS 106. At step 512, the HSS 106 sends an update location acknowledgment including subscription information associated with the MTC device 116A to the MME 104. In one embodiment, the HSS 106 indicates the group ID to which the MTC device 116A belongs.
At step 514, the MME 104 generates a unique group key per group (Gkey) and assigns a group key index (Gki), or retrieves the unique group key (Gkey) and its group key index (Gki) if they were already generated and stored previously for the MTC group 114A. Also, at step 514, the MME 104 stores the newly generated group information for NAS level protection of group messages for the MTC group 114A. At step 516, the MME 104 sends a create session request to the serving gateway 108 for creating a default bearer. The create session request may include the IMSI, the E-RAB setup list (E-RAB ID), the Group ID, Gkey, Gki, the algorithms supported for group message protection or the MTC device capabilities for group communication, and the key for group message protection at the PDN gateway 110. At step 518, the serving gateway 108 forwards the create session request to the PDN gateway 110. The forwarded create session request may include the IMSI, E-RAB ID, Group ID, S5 downlink information and so on. The S5 downlink information includes the internet protocol (IP) address of the serving gateway 108 and the GTP-U TEID. Upon receiving the create session request, the PDN gateway 110 checks whether a common S5 uplink bearer for the MTC group 114A already exists. If there is no common S5 uplink bearer for the MTC group 114A, then the PDN gateway 110 creates one.
At step 520, the PDN gateway 110 manages the MTC group 114A by assigning a particular group IP address to the MTC group 114A. Also, the PDN gateway 110 may protect the content received from the MTC subscriber at the IP layer or above the IP layer. The PDN gateway 110 also selects the algorithms for group message protection from among those the MTC device 116A reported as supported. At step 522, the PDN gateway 110 sends a create session response to the serving gateway 108 in response to the create session request. The create session response includes the E-RAB ID, common S5 uplink information, and the unique group key information in a PCO. For the group based MTC feature, the PCO contains an IP address (multicast or unicast), the group identifier, the selected algorithms for group based protection, Gkey, and Gki. Upon receiving the create session response, the serving gateway 108 checks whether a common S1 uplink bearer for the MTC group 114A already exists. If there is no common S1 uplink bearer for the MTC group 114A, then the serving gateway 108 creates one.
The serving gateway 108 then forwards the create session response (e.g., including E-RAB ID, common S1 uplink bearer, PCO, etc.) to the MME 104, at step 524. The common S1 uplink bearer includes IP address of the serving gateway 108, and GTP-U TEID. At step 526, the MME 104 sends a context setup message (including NAS attach accept, E-RAB setup list, unique group key information, and S1 uplink information, etc.) to the eNB 112A. At step 528, the eNB 112A stores the unique group key information for group message protection. It can be noted that, the unique group key for group message protection is encrypted by the eNB 112A using an AS security context (AS ciphering).
At step 530, the eNB 112A performs a RRC connection reconfiguration procedure with the MTC device 116A. At step 532, the MTC device 116A sends a RRC connection reconfiguration complete message to the eNB 112A. In one embodiment, the RRC connection reconfiguration complete message includes the PCO. Upon completion, the eNB 112A sends a context setup response including E-RAB setup list (e.g., E-RAB ID, S1 downlink information and so on) to the MME 104, at step 534. For example, the S1 downlink information includes IP address of the eNB 112A and GTP-U TEID.
At step 536, the MME 104 sends an update session request (e.g., IMSI, E-RAB ID, S1 downlink information, etc.) to the serving gateway 108. Accordingly, at step 538, the serving gateway 108 sends an update session response to the MME 104 in response to the update session request. At step 540, communication of group messages between the MTC server 120 and the MTC device 116A is performed in a secured manner using the unique group key information, as explained in Figure 1.
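The PCO-carried key information of steps 516 through 528 above, as an added example that is not part of the patent: the PDN gateway's algorithm selection from the list the device reported as supported (step 520), the encoding of the group IP address, group identifier, selected algorithm, Gkey and Gki as PCO containers (step 522), and the device-side parser that bounds-checks every container before installing anything. The container identifiers, the algorithm numbering and the operator preference list are assumptions; 3GPP allocates no PCO container for MTC group keying, and the PCO itself travels inside the NAS-ciphered attach accept as the text describes.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// PCO container IDs for the group feature. TS 24.008 10.5.6.3 frames each container as a
// 2-byte ID, a 1-byte length and contents; no IDs exist for MTC group keying, so these are assumed.
const (
	ContGroupIP   uint16 = 0xFF01 // the five IDs are consecutive; Encode relies on that
	ContGroupID   uint16 = 0xFF02
	ContAlgorithm uint16 = 0xFF03
	ContGkey      uint16 = 0xFF04
	ContGki       uint16 = 0xFF05
)

// GroupPCO is the group key information the PDN GW returns in the PCO (step 522).
type GroupPCO struct {
	GroupIP   net.IP // multicast or unicast group address, 4 or 16 bytes
	GroupID   string
	Algorithm byte   // selected group protection algorithm; 0 = null (constructed numbering)
	Gkey      []byte // 16-byte group key
	Gki       uint16
}

// SelectAlgorithm (step 520) returns the first entry of the operator's preference list that the device reported.
// The device's list is not yet protected when it arrives, so a device offering only the null algorithm (0) is refused.
func SelectAlgorithm(preference, deviceSupported []byte) (byte, error) {
	for _, want := range preference {
		for _, have := range deviceSupported {
			if have == want && want != 0 {
				return want, nil
			}
		}
	}
	return 0, errors.New("no mutually supported non-null group protection algorithm")
}

// Encode serialises the five containers in PCO framing.
func (p GroupPCO) Encode() ([]byte, error) {
	var out []byte
	bodies := [][]byte{p.GroupIP, []byte(p.GroupID), {p.Algorithm}, p.Gkey, {byte(p.Gki >> 8), byte(p.Gki)}}
	for i, body := range bodies {
		id := ContGroupIP + uint16(i)
		if len(body) > 255 || (id == ContGkey && len(body) != 16) {
			return nil, fmt.Errorf("container %#04x: bad length %d", id, len(body))
		}
		out = append(append(out, byte(id>>8), byte(id), byte(len(body))), body...)
	}
	return out, nil
}

// DecodeGroupPCO parses PCO containers: every length is bounds-checked, repeated or wrong-sized containers are
// rejected, and all five must be present before the device installs anything. Unknown IDs are skipped.
func DecodeGroupPCO(b []byte) (GroupPCO, error) {
	var p GroupPCO
	seen := map[uint16]bool{}
	for len(b) > 0 {
		if len(b) < 3 || len(b)-3 < int(b[2]) {
			return p, fmt.Errorf("truncated container with %d bytes remaining", len(b))
		}
		id, n := uint16(b[0])<<8|uint16(b[1]), int(b[2])
		body := b[3 : 3+n]
		b = b[3+n:]
		if seen[id] {
			return p, fmt.Errorf("container %#04x repeated", id)
		}
		seen[id] = true
		switch {
		case id == ContGroupIP && (n == 4 || n == 16):
			p.GroupIP = net.IP(append([]byte{}, body...))
		case id == ContGroupID && n > 0:
			p.GroupID = string(body)
		case id == ContAlgorithm && n == 1:
			p.Algorithm = body[0]
		case id == ContGkey && n == 16:
			p.Gkey = append([]byte{}, body...)
		case id == ContGki && n == 2:
			p.Gki = uint16(body[0])<<8 | uint16(body[1])
		case id >= ContGroupIP && id <= ContGki:
			return p, fmt.Errorf("container %#04x: bad length %d", id, n)
		}
	}
	for id := ContGroupIP; id <= ContGki; id++ {
		if !seen[id] {
			return p, fmt.Errorf("mandatory container %#04x missing", id)
		}
	}
	return p, nil
}

func main() {
	alg, _ := SelectAlgorithm([]byte{2, 1}, []byte{0, 1})
	pco := GroupPCO{GroupIP: net.ParseIP("239.1.2.3").To4(), GroupID: "mtc-group-114A", Algorithm: alg, Gkey: []byte("0123456789abcdef"), Gki: 1}
	raw, _ := pco.Encode()
	fmt.Printf("PCO: %x\n", raw)
}
```

The parser refuses a truncated container rather than reading past the buffer, refuses a repeated container rather than letting the last copy win, and installs nothing unless all five containers are present, so a PCO that is damaged in transit or deliberately shortened cannot leave the device with a partial key context.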
The present embodiments have been described with reference to specific example embodiments; it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments. Furthermore, the various devices, modules, selectors, estimators, and the like described herein may be enabled and operated using hardware circuitry (for example, complementary metal oxide semiconductor based logic circuitry), firmware, software and/or any combination of hardware, firmware, and/or software embodied in a machine readable medium. For example, the various electrical structures and methods may be embodied using transistors, logic gates, and electrical circuits, such as an application specific integrated circuit.

Claims (15)

  1. A method of securing group communication in a machine-to-machine (M2M) communication environment, wherein the M2M communication environment comprises a plurality of machine type communication (MTC) groups, and wherein each of the plurality of MTC groups comprises a plurality of MTC devices, the method comprising:
    generating a unique group key for securing communication with MTC devices associated with a MTC group in a M2M communication environment;
    securely providing the unique group key information to the MTC devices associated with the MTC group; and
    securely communicating one or more broadcast group messages with the MTC devices using the unique group key information.
  2. The method of claim 1, wherein the unique group key information comprises a unique group key per group, an index value associated with the unique group key, validity period associated with the unique group key, and selected security algorithm for group message protection.
  3. The method of claim 1, wherein generating the unique group key for securing communication with the MTC devices associated with the MTC group comprises:
    receiving a non access stratum (NAS) attach request from a MTC device;
    retrieving group identifier information associated with the MTC device, wherein the group identifier information includes at least one group identifier associated with at least one MTC group associated with the MTC device; and
    generating a unique group key and assigning a group key index to the unique group key for securing communication with the MTC device associated with the at least one MTC group.
  4. The method of claim 1, wherein securely communicating the one or more broadcast group messages with the MTC devices using the unique group key information comprises:
    receiving one or more broadcast group messages intended for the MTC devices associated with the MTC group;
    encrypting the one or more broadcast group messages using the unique group key information; and
    broadcasting the one or more encrypted broadcast group messages to the MTC devices associated with the MTC group.
  5. The method of claim 4, wherein securely communicating the one or more broadcast group messages with the MTC devices using the unique group key information further comprises:
    receiving the one or more encrypted broadcast group messages from an operator network associated with the MTC group; and
    decrypting, by each of the MTC devices, the one or more encrypted broadcast messages using the unique group key information.
  6. The method of claim 1, wherein securely providing the unique group key information to the MTC devices associated with the MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the MTC devices associated with the MTC group using a non-access stratum (NAS) security mode command procedure.
  7. The method of claim 1, wherein securely providing the unique group key information to the MTC devices associated with the MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the MTC devices associated with the MTC group using a MTC group security mode command procedure.
  8. The method of claim 1, wherein securely providing the unique group key information to the MTC devices associated with the MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the MTC devices associated with the MTC group using Protocol Configuration Options (PCO).
  9. The method of claim 6 or 7, wherein in securely distributing the unique group key information substantially simultaneously to the MTC devices associated with the MTC group, the unique group key information is secured using a NAS security context.
  10. A machine-to-machine communication system comprising:
    a plurality of machine type communication (MTC) devices, wherein the plurality of MTC devices belong to one or more MTC groups;
    a MTC server communicatively coupled with the plurality of MTC devices; and
    a network entity for securing group communication between the MTC server and the plurality of MTC devices, wherein the network entity comprises a group key module for:
    generating a unique group key for securing communication with one or more of the plurality of MTC devices associated with at least one MTC group;
    securely providing the unique group key information to the one or more of the plurality of MTC devices associated with the at least one MTC group; and
    securely communicating one or more broadcast group messages with the one or more of plurality of MTC devices using the unique group key information.
  11. The system of claim 10, wherein the unique group key information comprises a unique group key per group, an index value associated with the unique group key, validity period for the unique group key, and selected security algorithm for group message protection.
  12. The system of claim 10, wherein securely providing the unique group key information to the one or more of the plurality of MTC devices associated with the at least one MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the plurality of MTC devices associated with the MTC group using a non access stratum (NAS) security mode command procedure.
  13. The system of claim 10, wherein securely providing the unique group key information to the one or more of the plurality of MTC devices associated with the at least one MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the one or more of the plurality of MTC devices associated with the at least one MTC group using a MTC group security mode command procedure.
  14. The system of claim 10, wherein securely providing the unique group key information to the one or more of the plurality of MTC devices associated with the at least one MTC group comprises:
    securely distributing the unique group key information substantially simultaneously to the one or more of the plurality of MTC devices associated with the at least one MTC group using protocol configuration options.
  15. The method of claim 12 or 13, wherein in securely distributing the unique group key information substantially simultaneously to the MTC devices associated with the MTC group, the unique group key information is secured using a non-access stratum (NAS) security context.
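The following is an added illustration of the system described in claims 10 through 15, not code from the patent or from Samsung. It models the group key information of claim 11 (a per-group key, an index value, a validity period and a selected protection algorithm), the network entity's group key module that generates it, a stand-in for the protected distribution step (an in-memory delivery that assumes each device already holds a protected NAS context, since the NAS or MTC group security mode command itself is not modelled), and the broadcast group message protection of claim 10. The field names, the HMAC-based integrity protection, the algorithm identifiers and the replay counter are all assumptions made for this example; they show what a receiving device has to check (key index, validity period, authentication tag, freshness) before it acts on a group message.

```python
"""Toy model of MTC group key information and broadcast message protection.
Added example, not the patent's or Samsung's code: field names, the HMAC
protection, algorithm identifiers and the in-memory "distribution" that
stands in for the NAS security mode command are assumptions."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Assumed algorithm identifiers; the claims only say "selected security algorithm".
ALGORITHMS = {"GMA1": hashlib.sha256, "GMA2": hashlib.sha512}


@dataclass(frozen=True)
class GroupKeyInfo:
    """Unique group key information per claim 11 (assumed field names)."""
    group_id: str
    key: bytes
    key_index: int      # index value identifying this key version
    not_before: int     # validity period, seconds since epoch
    not_after: int
    algorithm: str      # selected algorithm for group message protection


class NetworkEntity:
    """Network-side group key module: generates, distributes, protects."""

    def __init__(self):
        self._keys = {}       # group_id -> current GroupKeyInfo
        self._counters = {}   # group_id -> last broadcast counter used

    def generate_group_key(self, group_id, now, lifetime, algorithm="GMA1"):
        prev = self._keys.get(group_id)
        index = prev.key_index + 1 if prev else 1   # index advances on every rekey
        info = GroupKeyInfo(group_id, secrets.token_bytes(32), index,
                            now, now + lifetime, algorithm)
        self._keys[group_id] = info
        self._counters[group_id] = 0
        return info

    def distribute(self, group_id, devices):
        # Stand-in for the NAS / MTC group security mode command: only members
        # of the group receive the key info, each over its own protected context.
        for dev in devices:
            if group_id in dev.groups:
                dev.receive_group_key_info(self._keys[group_id])

    def protect_broadcast(self, group_id, payload):
        """Return key_index || counter || payload || MAC for one group message."""
        info = self._keys[group_id]
        self._counters[group_id] += 1
        header = struct.pack(">II", info.key_index, self._counters[group_id])
        mac = hmac.new(info.key, header + payload, ALGORITHMS[info.algorithm]).digest()
        return header + payload + mac


class MTCDevice:
    """Group member that verifies broadcast messages with the received key info."""

    def __init__(self, name, groups):
        self.name = name
        self.groups = set(groups)
        self._keys = {}          # (group_id, key_index) -> GroupKeyInfo
        self._last_counter = {}  # (group_id, key_index) -> highest accepted counter

    def receive_group_key_info(self, info):
        self._keys[(info.group_id, info.key_index)] = info

    def verify_broadcast(self, group_id, message, now):
        """Return the payload if the message is authentic, fresh and the key is valid, else None."""
        if len(message) < 8:
            return None
        key_index, counter = struct.unpack(">II", message[:8])
        info = self._keys.get((group_id, key_index))
        if info is None or not (info.not_before <= now <= info.not_after):
            return None                      # unknown key index, or key outside validity period
        digest = ALGORITHMS[info.algorithm]
        mac_len = digest().digest_size
        if len(message) < 8 + mac_len:
            return None
        body, mac = message[:-mac_len], message[-mac_len:]
        if not hmac.compare_digest(mac, hmac.new(info.key, body, digest).digest()):
            return None                      # tampered or wrong key
        if counter <= self._last_counter.get((group_id, key_index), 0):
            return None                      # replayed message (checked only after the MAC)
        self._last_counter[(group_id, key_index)] = counter
        return body[8:]


def run_demo(now=1_000_000):
    """Constructed scenario: one group of two meters plus a device in another group."""
    net = NetworkEntity()
    devs = [MTCDevice("meter-1", {"G1"}), MTCDevice("meter-2", {"G1"}), MTCDevice("cam-1", {"G2"})]
    net.generate_group_key("G1", now, lifetime=3600)
    net.distribute("G1", devs)
    msg = net.protect_broadcast("G1", b"trigger: report readings")
    results = {
        "accepted": devs[0].verify_broadcast("G1", msg, now) == b"trigger: report readings",
        "other_group_rejects": devs[2].verify_broadcast("G1", msg, now) is None,
        "replay_rejected": devs[0].verify_broadcast("G1", msg, now) is None,
        "tamper_rejected": devs[1].verify_broadcast("G1", msg[:8] + b"X" + msg[9:], now) is None,
        "expired_rejected": devs[1].verify_broadcast("G1", msg, now + 7200) is None,
    }
    net.generate_group_key("G1", now, lifetime=3600)   # rekey: new key, index 2
    net.distribute("G1", devs)
    msg2 = net.protect_broadcast("G1", b"after rekey")
    results["rekeyed_accepted"] = devs[1].verify_broadcast("G1", msg2, now) == b"after rekey"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay counter is kept per (group, key index) so a rekey starts a fresh window, and it is checked only after the MAC verifies, so an unauthenticated sender cannot advance a device's counter. Only integrity protection is shown here because the standard library has no authenticated cipher; a real deployment selecting a confidentiality algorithm would wrap the payload with an AEAD under the same key index and counter.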
PCT/KR2011/004021 2010-06-01 2011-06-01 Method and system of securing group communication in a machine-to-machine communication environment WO2011152665A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US13/701,696 US9729314B2 (en) 2010-06-01 2011-06-01 Method and system of securing group communication in a machine-to-machine communication environment
KR1020127034455A KR101877733B1 (en) 2010-06-01 2011-06-01 Method and system of securing group communication in a machine-to-machine communication environment
EP11790023.3A EP2578007B1 (en) 2010-06-01 2011-06-01 Securing group communication in a machine-to-machine communication environment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN1508/CHE/2010 2010-06-01
IN1508CH2010 2010-06-01

Publications (2)

Publication Number Publication Date
WO2011152665A2 true WO2011152665A2 (en) 2011-12-08
WO2011152665A3 WO2011152665A3 (en) 2012-02-23

Family

ID=45067194

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2011/004021 WO2011152665A2 (en) 2010-06-01 2011-06-01 Method and system of securing group communication in a machine-to-machine communication environment

Country Status (4)

Country Link
US (1) US9729314B2 (en)
EP (1) EP2578007B1 (en)
KR (1) KR101877733B1 (en)
WO (1) WO2011152665A2 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013169073A1 (en) * 2012-05-10 2013-11-14 Samsung Electronics Co., Ltd. Method and system for connectionless transmission during uplink and downlink of data packets
EP2723114A1 (en) * 2011-06-17 2014-04-23 Huawei Technologies Co., Ltd Method and device for negotiating algorithms of machine type communication device group
WO2014087643A1 (en) * 2012-12-06 2014-06-12 Nec Corporation Mtc key management for sending key from network to ue
KR101431214B1 (en) 2012-08-31 2014-08-19 성균관대학교산학협력단 Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication
US8873757B2 (en) 2012-10-19 2014-10-28 Qualcomm Incorporated Methods and apparatus for providing network-assisted key agreement for D2D communications
WO2015036055A1 (en) * 2013-09-16 2015-03-19 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for providing user equipment (ue) connectivity
EP2929711A1 (en) * 2012-12-06 2015-10-14 Nec Corporation Group authentication and key management for mtc
US9380430B2 (en) 2012-06-14 2016-06-28 Sierra Wireless, Inc. Method and system for wireless communication with machine-to-machine devices
WO2016101579A1 (en) * 2014-12-23 2016-06-30 中兴通讯股份有限公司 Key negotiation method and system, network entity and computer storage medium
US9445302B2 (en) 2012-06-14 2016-09-13 Sierra Wireless, Inc. Method and system for wireless communication with machine-to-machine devices
EP3122079A4 (en) * 2014-03-17 2017-02-22 ZTE Corporation Method of establishing small data secure transmission connection for mtc device group, and hss and system
US9866554B2 (en) 2015-04-30 2018-01-09 Research & Business Foundation Sungkyunkwan University Mutual authentication method and system with network in machine type communication
WO2018072150A1 (en) * 2016-10-19 2018-04-26 中兴通讯股份有限公司 Secure machine-type communication method, apparatus, and system
US11729619B2 (en) 2015-11-17 2023-08-15 Qualcomm Incorporated Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts

Families Citing this family (33)

Publication number Priority date Publication date Assignee Title
WO2011025876A1 (en) * 2009-08-27 2011-03-03 Interdigital Patent Holdings, Inc. Method and apparatus for solving limited addressing space in machine-to-machine (m2m) environments
US20130189955A1 (en) * 2010-09-17 2013-07-25 Nokia Siemens Networks Oy Method for context establishment in telecommunication networks
WO2014046686A1 (en) * 2012-09-24 2014-03-27 Nokia Siemens Networks Oy Group messaging in a communication network
CN104219655A (en) * 2013-06-04 2014-12-17 中兴通讯股份有限公司 Method for selecting security algorithms for interfaces in wireless communication systems and MME (mobility management entity)
WO2015015714A1 (en) * 2013-07-31 2015-02-05 Nec Corporation Devices and method for mtc group key management
CN104581704B (en) * 2013-10-25 2019-09-24 中兴通讯股份有限公司 A kind of method and network entity for realizing secure communication between equipment for machine type communication
US9706396B2 (en) * 2014-08-08 2017-07-11 Samsung Electronics Co., Ltd. System and method of counter management and security key update for device-to-device group communication
TWI572238B (en) * 2014-11-17 2017-02-21 財團法人資訊工業策進會 Method of identifying mobile device according to information feature of applications of mobile device and system thereof
JP2016122887A (en) * 2014-12-24 2016-07-07 富士通株式会社 Radio base station, radio device, radio communication system and radio communication control method
JP6533085B2 (en) 2015-03-31 2019-06-19 Line株式会社 Terminal, information processing method, and program
CN106162515B (en) * 2015-04-14 2020-07-07 中兴通讯股份有限公司 Method, device and system for machine type communication safety communication
US9681473B2 (en) * 2015-05-29 2017-06-13 Huawei Technologies Co., Ltd. MTC service management using NFV
CN105187376B (en) * 2015-06-16 2018-04-17 西安电子科技大学 The safety communicating method of automotive interior network in car networking
CN106452770B (en) * 2015-08-12 2020-10-13 深圳市腾讯计算机系统有限公司 Data encryption method, data decryption method, device and system
US10320786B2 (en) 2015-09-14 2019-06-11 Samsung Electronics Co., Ltd. Electronic apparatus and method for controlling the same
CN105262587B (en) * 2015-10-30 2018-05-25 西安电子科技大学 Machine type communication group key distribution method based on proxy re-encryption
US9596079B1 (en) * 2016-04-14 2017-03-14 Wickr Inc. Secure telecommunications
EP3923607A1 (en) * 2016-06-15 2021-12-15 Apple Inc. Services provisioning for internet-of-things devices in cellular networks
US11343673B2 (en) 2016-07-14 2022-05-24 Telefonaktiebolaget Lm Ericsson (Publ) Enhanced aggregated re-authentication for wireless devices
US10405158B2 (en) 2017-02-27 2019-09-03 Oracle International Corporation Methods, systems and computer readable media for providing service capability exposure function (SCEF) as a diameter routing agent (DRA) feature
US10506403B2 (en) 2017-02-27 2019-12-10 Oracle International Corporation Methods, systems and computer readable media for providing integrated service capability exposure function (SCEF), service capability server (SCS) and application server (AS) services
US10530599B2 (en) 2017-02-27 2020-01-07 Oracle International Corporation Methods, systems and computer readable media for providing service capability exposure function (SCEF) as a cloud service
US11025596B1 (en) * 2017-03-02 2021-06-01 Apple Inc. Cloud messaging system
WO2018194971A1 (en) * 2017-04-17 2018-10-25 Intel Corporation Group based context and security for massive internet of things devices
US10448449B2 (en) 2017-07-13 2019-10-15 Oracle International Corporation Methods, systems, and computer readable media for dynamically provisioning session timeout information in a communications network
US10334419B2 (en) 2017-08-16 2019-06-25 Oracle International Corporation Methods, systems, and computer readable media for optimizing machine type communication (MTC) device signaling
US10313883B2 (en) * 2017-11-06 2019-06-04 Oracle International Corporation Methods, systems, and computer readable media for using authentication validation time periods
EP3531654A1 (en) * 2018-02-23 2019-08-28 Gemalto Sa Method for using authentication failure messages to transmit payload data
CN108616354B (en) * 2018-04-27 2021-10-26 北京信息科技大学 Key negotiation method and device in mobile communication
US11146577B2 (en) 2018-05-25 2021-10-12 Oracle International Corporation Methods, systems, and computer readable media for detecting and mitigating effects of abnormal behavior of a machine type communication (MTC) device
US10616802B2 (en) 2018-09-04 2020-04-07 Oracle International Corporation Methods, systems and computer readable media for overload and flow control at a service capability exposure function (SCEF)
US11381955B2 (en) 2020-07-17 2022-07-05 Oracle International Corporation Methods, systems, and computer readable media for monitoring machine type communications (MTC) device related information
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation

Family Cites Families (11)

Publication number Priority date Publication date Assignee Title
US6049878A (en) * 1998-01-20 2000-04-11 Sun Microsystems, Inc. Efficient, secure multicasting with global knowledge
EP1727329A1 (en) 2005-05-23 2006-11-29 Siemens S.p.A. Method and system for the remote management of a machine via IP links of an IP multimedia subsystem, IMS
US7774008B2 (en) 2006-12-22 2010-08-10 Cellco Partnership MDN-less SMS messaging (network solution) for wireless M2M application
KR100924835B1 (en) * 2007-09-19 2009-11-03 한국전자통신연구원 Method and system for allocating Ipv6 global address
KR100975038B1 (en) * 2008-01-17 2010-08-11 고려대학교 산학협력단 System of Broadcast Encryption and Method thereof
US8407769B2 (en) * 2008-02-22 2013-03-26 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatus for wireless device registration
US8965338B2 (en) * 2008-06-09 2015-02-24 Apple Inc Network access control methods and apparatus
CN102187599B (en) * 2008-08-15 2015-04-01 三星电子株式会社 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
US8737989B2 (en) 2008-08-29 2014-05-27 Apple Inc. Methods and apparatus for machine-to-machine based communication service classes
EP2415288B1 (en) * 2009-04-03 2017-05-31 Panasonic Intellectual Property Corporation of America Mobile communication method, mobile communication system, and corresponding apparatus
KR101317117B1 (en) * 2010-04-28 2013-10-11 엘지전자 주식회사 Congestion control of mtc data in mobile communications system

Non-Patent Citations (3)

Title
THE MULTICAST GROUP SECURITY ARCHITECTURE, 2004
ZTE: "The group bearer for MTC", 3GPP TSG SA WG2 MEETING #77, 18 January 2010 (2010-01-18)

Cited By (26)

Publication number Priority date Publication date Assignee Title
EP2723114A4 (en) * 2011-06-17 2014-06-04 Huawei Tech Co Ltd Method and device for negotiating algorithms of machine type communication device group
EP2723114A1 (en) * 2011-06-17 2014-04-23 Huawei Technologies Co., Ltd Method and device for negotiating algorithms of machine type communication device group
CN104272671A (en) * 2012-05-10 2015-01-07 三星电子株式会社 Method and system for connectionless transmission during uplink and downlink of data packets
US10306596B2 (en) 2012-05-10 2019-05-28 Samsung Electronics Co., Ltd Method and system for connectionless transmission during uplink and downlink of data packets
US11051277B2 (en) 2012-05-10 2021-06-29 Samsung Electronics Co., Ltd Method and system for connectionless transmission during uplink and downlink of data packets
CN104272671B (en) * 2012-05-10 2018-01-30 三星电子株式会社 The method and system of connectionless transport during the up-link and downlink of packet
US10652862B2 (en) 2012-05-10 2020-05-12 Samsung Electronics Co., Ltd Method and system for connectionless transmission during uplink and downlink of data packets
WO2013169073A1 (en) * 2012-05-10 2013-11-14 Samsung Electronics Co., Ltd. Method and system for connectionless transmission during uplink and downlink of data packets
US9445302B2 (en) 2012-06-14 2016-09-13 Sierra Wireless, Inc. Method and system for wireless communication with machine-to-machine devices
EP2862374A4 (en) * 2012-06-14 2016-12-21 Sierra Wireless Inc Method and system for wireless communication with machine-to-machine devices
US9380430B2 (en) 2012-06-14 2016-06-28 Sierra Wireless, Inc. Method and system for wireless communication with machine-to-machine devices
KR101431214B1 (en) 2012-08-31 2014-08-19 성균관대학교산학협력단 Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication
US8873757B2 (en) 2012-10-19 2014-10-28 Qualcomm Incorporated Methods and apparatus for providing network-assisted key agreement for D2D communications
JP2016503590A (en) * 2012-12-06 2016-02-04 日本電気株式会社 MTC key management for transmitting keys from the network to the UE
EP2929711A1 (en) * 2012-12-06 2015-10-14 Nec Corporation Group authentication and key management for mtc
US11388568B2 (en) 2012-12-06 2022-07-12 Nec Corporation MTC key management for sending key from network to UE
CN104854891A (en) * 2012-12-06 2015-08-19 日本电气株式会社 Mtc key management for sending key from network to ue
WO2014087643A1 (en) * 2012-12-06 2014-06-12 Nec Corporation Mtc key management for sending key from network to ue
US10412579B2 (en) 2012-12-06 2019-09-10 Nec Corporation MTC key management for sending key from network to UE
WO2015036055A1 (en) * 2013-09-16 2015-03-19 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for providing user equipment (ue) connectivity
EP3122079A4 (en) * 2014-03-17 2017-02-22 ZTE Corporation Method of establishing small data secure transmission connection for mtc device group, and hss and system
WO2016101579A1 (en) * 2014-12-23 2016-06-30 中兴通讯股份有限公司 Key negotiation method and system, network entity and computer storage medium
US10454909B2 (en) 2014-12-23 2019-10-22 Zte Corporation Key negotiation method and system, network entity and computer storage medium
US9866554B2 (en) 2015-04-30 2018-01-09 Research & Business Foundation Sungkyunkwan University Mutual authentication method and system with network in machine type communication
US11729619B2 (en) 2015-11-17 2023-08-15 Qualcomm Incorporated Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts
WO2018072150A1 (en) * 2016-10-19 2018-04-26 中兴通讯股份有限公司 Secure machine-type communication method, apparatus, and system

Also Published As

Publication number Publication date
US9729314B2 (en) 2017-08-08
US20130080782A1 (en) 2013-03-28
KR20130080804A (en) 2013-07-15
EP2578007B1 (en) 2020-04-15
EP2578007A2 (en) 2013-04-10
WO2011152665A3 (en) 2012-02-23
EP2578007A4 (en) 2017-03-15
KR101877733B1 (en) 2018-08-09

Similar Documents

Publication Publication Date Title
WO2011152665A2 (en) Method and system of securing group communication in a machine-to-machine communication environment
EP2903322B1 (en) Security management method and apparatus for group communication in mobile communication system
CN107710801B (en) Authorization-free transmission method, user equipment, access network equipment and core network equipment
CN107018676B (en) Mutual authentication between user equipment and evolved packet core
CN105706390B (en) Method and apparatus for performing device-to-device communication in a wireless communication network
CN107786966B (en) Update for security of group-based features in M2M
US20150319172A1 (en) Group authentication and key management for mtc
US20130189955A1 (en) Method for context establishment in telecommunication networks
US20200112428A1 (en) System and Method for Wireless Network Access Protection and Security Architecture
US8842832B2 (en) Method and apparatus for supporting security in multicast communication
US20150229620A1 (en) Key management in machine type communication system
WO2012084484A1 (en) Operator-assisted key establishment
Fang et al. Security requirement and standards for 4G and 5G wireless systems
CN101867931B (en) Device and method for realizing non access stratum in wireless communication system
EP3622736B1 (en) Privacy key in a wireless communication system
CN106797560B (en) Method, server, base station and communication system for configuring security parameters
WO2020246860A1 (en) Method and apparatus for initiating a communication session using mission critical services
KR101002829B1 (en) Method for protecting mbms service data in multimedia broadcast/multicast service system
KR20120074234A (en) Method and apparatus for supporting security in multicast communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 11790023; Country of ref document: EP; Kind code of ref document: A2
NENP Non-entry into the national phase
    Ref country code: DE
WWE Wipo information: entry into national phase
    Ref document number: 13701696; Country of ref document: US
WWE Wipo information: entry into national phase
    Ref document number: 2011790023; Country of ref document: EP
ENP Entry into the national phase
    Ref document number: 20127034455; Country of ref document: KR; Kind code of ref document: A