WO2013064509A1 - Securing data communications in a communications network - Google Patents
Securing data communications in a communications network Download PDFInfo
- Publication number
- WO2013064509A1 WO2013064509A1 PCT/EP2012/071508 EP2012071508W WO2013064509A1 WO 2013064509 A1 WO2013064509 A1 WO 2013064509A1 EP 2012071508 W EP2012071508 W EP 2012071508W WO 2013064509 A1 WO2013064509 A1 WO 2013064509A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- network
- data
- information
- secure
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Definitions
- the present invention relates to securing data communications in a communications network.
- the present invention relates particularly, but not exclusively, to securing machine type data communications.
- Machine-to-machine (M2M) communication refers to the exchange of information between devices substantially without the need for human intervention. Such communication may be facilitated by the data services offered by existing mobile communication networks.
- a domestic electricity meter may be coupled to a mobile device (with SIM card installed) in order to periodically send electricity meter readings to a central server of an electricity supply company, via a mobile communication network to which the mobile device has access.
- a UE 10 is in communication with an MTC Server 20 and MTC Application 30 via a 3GPP network 40.
- a UE in this context is typically an MTC device which is used for MTC purposes; in Figure 1 the UE 10 is shown as running an MTC Application 12.
- the UE 10 is not necessarily a typical mobile phone held by a human user, but the user is typically communicating with the UE/MTC device 10 via the MTC Application 12 and therefore over the 3GPP network.
- the term UE is used herein for simplicity, and would include, for example and without limitation, mobile telecommunication devices, portable or handheld computing devices and desktop or installed computers.
- arrows A1 , A2 and A3 show possible endpoints of access security between the UE 10 and the 3GPP network 40. In the MTC architecture, these will likely re-use (as far as possible) the currently specified access security mechanisms for 3GPP and non-3GPP accesses.
- Arrows B1 and B2 in Figure 1 show possible endpoints of security between the MTC Server/Application 20/30 and the 3GPP network 40. In 3GPP this is referred to as "External interface security". It is likely that currently-specified NDS/IP (Network Domain Security / Internet Protocol) mechanisms, like IPsec, can be re-used here.
- NDS/IP Network Domain Security / Internet Protocol
- Arrows C1 and C2 represent so-called “Secure Connections", with application layer security between the UE 10 and MTC Server/Application 20/30. It is currently specified that the 3GPP operator may assist with key management for the Secure Connection, e.g. with the help of GBA (Generic Bootstrapping Architecture), but otherwise the Secure Connection is assumed to be transparent to the 3GPP network and out of scope for 3GPP to specify. Therefore in principle any security mechanisms can be used for the Secure Connection, including for example mechanisms being developed in ETSI TC M2M.
- GBA Generic Bootstrapping Architecture
- the UE 10 and MTC Server/Application 20/30 communicate over the 3GPP network and there can be several layers of security in between.
- the application layer security provided by the Secure Connection (arrows C1 and C2) is assumed to be independent of the access security (arrows A1/A2/A3) and External interface security (arrows B1/B2).
- a method is proposed of securing data communications between a first node attached to a first network and a second node attached to a second network.
- First information is received at the second node on whether the first network has a secure network layer path to the first node or is known to use a secure network layer path to attached nodes.
- Second information is received at the second node on whether the second node has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- Third information is received at the second node on whether the first network has a secure internal network layer path and, where the first and second networks are different, on whether the first network has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- Data are received at the second node from the first node without application layer security, or data are prepared at the second node to be sent to the first node. It is determined at the second node from the first, second and third information whether the entire path between the first node and the second node is secured at the network layer level.
- the determination is that the entire path between the first node and the second node is not secured at the network layer level, then: (i) in the case of having prepared data to be sent to the first node, application layer security is established at the second node with the first node, and the prepared data is sent from the second node to the first node using the established application layer security; or (ii) in the case of having received data from the first node without application layer security, the received data is discarded at the second node and application layer security is established at the second node with the first node to enable the data to be re-sent by the first node using the established application layer security.
- the determination is that the entire path between the first node and the second node is secured at the network layer level, then: (i) in the case of having prepared data to be sent to the first node, the prepared data is sent from the second node to the first node without application layer security; or (ii) in the case of having received data from the first node without application layer security, the received data is accepted at the second node.
- a method is proposed of securing data communications between a first node attached to a first network and a second node attached to a second network.
- first, second and third information are received from the second node or an indication is received from the second node derived from such information.
- the first information comprises information on whether the first network has a secure network layer path to the first node or is known to use a secure network layer path to attached nodes.
- the second information comprises information on whether the second node has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- the third information comprises information on whether the first network has a secure internal network layer path and, where the first and second networks are different, on whether the first network has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- Data are received at the first node from the second node without application layer security, or data are prepared at the first node to be sent to the second node. It is determined at the first node from the received first, second and third information or from the received indication whether the entire path between the first node and the second node is secured at the network layer level.
- the determination is that the entire path between the first node and the second node is not secured at the network layer level then: (i) in the case of having prepared data to be sent to the second node, application layer security is established at the first node with the second node, and the prepared data is sent from the first node to the second node using the established application layer security; or (ii) in the case of having received data from the second node without application layer security, the received data is discarded at the first node and application layer security is established at the first node with the second node to enable the data to be re-sent by the second node using the established application layer security. If the determination is that the entire path between the first node and the second node is secured at the network layer level, then:
- the first, second and third information may be received by a protocol procedure.
- the method may comprise receiving the determination or the first, second and third information from the second node during a registration or re-registration of the first node with the second node.
- At least the determining step may be performed at registration or re-registration of the first node with the second node.
- the method may comprise receiving the first information from the other node during the registration or re-registration.
- the first information may be information on whether the first network has a secure network layer path to the first node.
- the method may comprise caching the result of the determining step, and using the cached result when sending or receiving additional data to/from the other node.
- the method may comprise performing the determining step for each set or batch of data to be sent to or received from the other node.
- the data being sent to or received at the first node may comprise a trigger indication for triggering the first node to establish data communication with the second node.
- the first information may comprise a list of networks each of which networks is known to use a secure network layer path to attached nodes.
- the method may comprise, as part of the determining step, determining whether the first network has a secure network layer path to the first node by determining whether the first network is in the list of the first information.
- the second information may comprise a list of nodes each of which nodes is known to use a secure network layer path to the second network.
- the method may comprise, as part of the determining step, determining whether the second node has a secure network layer path to the second network by determining whether the second node is in the list of the second information.
- the third information may comprise a list of networks each of which networks is known to have a secure internal network layer path and each of which networks is, where different to the second network, known to have a secure network layer path to the second network.
- the method may comprise, as part of the determining step, determining whether the first network has a secure internal network layer path and, where the first and second networks are different, whether the first network has a secure network layer path to the second network by determining whether the first network is in the list of the third information.
- the second network may be the same as the first network; this is a non-roaming scenario. Or, the second network may different to the first network; this is a roaming scenario.
- the third information may comprise an assumption that the first network has a secure internal network layer path, at least where the second network is the same as the first network. Thus, the third information may be implicit or pre-configured.
- the second network may be assumed to have a secure internal network layer path or the method may comprise, as part of the determining step, determining whether the second network has a secure internal network layer path.
- the first, second and third information may be received by a configuration procedure.
- the configuration procedure at the first node may comprise receiving the first, second and third information at the first node from a core part of the second network in a Non Access Stratum related message, such as an Attach Accept message, a Routing Area Update Accept message, a Location Update Accept message, a Tracking Area Update Accept message, or a Security Mode Command message.
- the configuration procedure at the first node may comprise the first node triggering a network server in the second network to send the first, second and third information, the triggering being performed as part of an attach or location update or routing area update or tracking area update or similar procedure, and receiving the first, second and third information from the network server in a push message.
- the configuration procedure at the first node may comprise the first node receiving a trigger message from a network server in the second network for retrieving the first, second and third information, the trigger message being received following or as part of an attach or location update or routing area update or tracking area update or similar procedure, and retrieving or pulling the first, second and third information from the network server in response to receipt of the trigger message.
- the configuration procedure at the first node may comprise receiving the first, second and third information over a radio access layer at establishment of a connection to a radio access part of the first network.
- the configuration procedure at the first node may comprise receiving the first, second and third information from an access network discovery and selection function, or from an Open Mobile Alliance device management server, or from the second node.
- the configuration procedure at the first node may comprise physically loading a subscriber identity module containing the first, second and third information into the first node, or receiving a downloadable subscriber identity module from the first or second network.
- One or both of the first and second networks may be a mobile communications network, a wireless network or a wireline network.
- the second network may be a registered or home network of the first node.
- the first network may be a visited network.
- the first and second networks may be 3GPP networks.
- the first node may be a User Equipment and the second node may be a server.
- the first node may be a server and the second node may be a User Equipment.
- the first and second nodes may be User Equipments.
- the first and second nodes may be servers.
- the second node may be or may comprise a Machine Type Communication Server or Application.
- the first node may comprise a Machine Type Communication Application.
- the data may be machine type data.
- An apparatus is proposed for use in a method of securing data communications between a first node attached to a first network and a second node attached to a second network.
- the apparatus comprises at the second node a receiver, a controller and a transmitter.
- the receiver is arranged to receive first information on whether the first network has a secure network layer path to the first node or is known to use a secure network layer path to attached nodes.
- the receiver is arranged to receive second information on whether the second node has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- the receiver is arranged to receive third information on whether the first network has a secure internal network layer path and, where the first and second networks are different, on whether the first network has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- the receiver is arranged to receive data from the first node without application layer security, or the controller is arranged to prepare data to be sent to the first node.
- the controller is arranged to determine from the first, second and third information whether the entire path between the first node and the second node is secured at the network layer level.
- the controller is arranged to establish application layer security with the first node, and the transmitter is arranged to send the prepared data to the first node using the established application layer security; or (ii) in the case of having received data from the first node without application layer security, the controller is arranged to discard the received data and to establish application layer security with the first node to enable the data to be re-sent by the first node using the established application layer security.
- the transmitter in the case of having prepared data to be sent to the first node, the transmitter is arranged to send the prepared data to the first node without application layer security; or (ii) in the case of having received data from the first node without application layer security, the controller is arranged to accept the received data.
- An apparatus for use in a method of securing data communications between a first node attached to a first network and a second node attached to a second network.
- the apparatus comprises at the first node a receiver, a controller and a transmitter.
- the receiver is arranged to receive first, second and third information or to receive an indication from the second node derived from such information.
- the first information comprises information on whether the first network has a secure network layer path to the first node or is known to use a secure network layer path to attached nodes.
- the second information comprises information on whether the second node has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- the third information comprises information on whether the first network has a secure internal network layer path and, where the first and second networks are different, on whether the first network has a secure network layer path to the second network or is known to use a secure network layer path to the second network.
- the receiver is arranged to receive data from the second node without application layer security, or the controller is arranged to prepare data to be sent to the second node.
- the controller is arranged to determine from the received first, second and third information or from the received indication whether the entire path between the first node and the second node is secured at the network layer level.
- the controller is arranged to establish application layer security with the second node, and the transmitter is arranged to send the prepared data to the second node using the established application layer security; or (ii) in the case of having received data from the second node without application layer security, the controller is arranged to discard the received data and to establish application layer security with the second node to enable the data to be re-sent by the second node using the established application layer security.
- the transmitter is arranged to send the prepared data to the second node without application layer security; or (ii) in the case of having received data from the second node without application layer security, the controller is arranged to accept the received data.
- the controller may be arranged to cache the determination, and to use the cached result when sending or receiving additional data to/from the other node.
- the controller may be arranged to perform the determination for each set or batch of data to be sent to or received from the other node.
- the first information may comprises a list of networks each of which networks is known to use a secure network layer path to attached nodes.
- the controller may be arranged, as part of its determination, to determine whether the first network has a secure network layer path to the first node by determining whether the first network is in the list of the first information.
- the second information may comprise a list of nodes each of which nodes is known to use a secure network layer path to the second network.
- the controller may be arranged, as part of its determination, to determine whether the second node has a secure network layer path to the second network by determining whether the second node is in the list of the second information.
- the third information may comprise a list of networks each of which networks is known to have a secure internal network layer path and each of which networks is, where different to the second network, known to have a secure network layer path to the second network.
- the controller may be arranged, as part of its determination, to determine whether the first network has a secure internal network layer path and, where the first and second networks are different, whether the first network has a secure network layer path to the second network by determining whether the first network is in the list of the third information.
- the receiver may be arranged to receive the first, second and third information by a configuration procedure. As part of the configuration procedure at the first node, the receiver may be arranged to receive the first, second and third information at the first node from a core part of the second network in a Non Access Stratum related message, such as an Attach Accept message, a Routing Area Update Accept message, a Location Update Accept message, a Tracking Area Update Accept message, or a Security Mode Command message.
- a Non Access Stratum related message such as an Attach Accept message, a Routing Area Update Accept message, a Location Update Accept message, a Tracking Area Update Accept message, or a Security Mode Command message.
- the controller may be arranged to trigger a network server in the second network to send the first, second and third information, the triggering being performed as part of an attach or location update or routing area update or tracking area update or similar procedure, and wherein the receiver is arranged to receive the first, second and third information from the network server in a push message.
- the receiver may be arranged to receive a trigger message from a network server in the second network for retrieving the first, second and third information, the trigger message being received following or as part of an attach or location update or routing area update or tracking area update or similar procedure, and wherein the controller is arranged to retrieve or pull the first, second and third information from the network server in response to receipt of the trigger message.
- the receiver may be arranged to receive the first, second and third information over a radio access layer at establishment of a connection to a radio access part of the first network.
- the receiver may be arranged physically to receive a subscriber identity module containing the first, second and third information, or to receive a downloadable subscriber identity module from the first or second network.
- One or both of the first and second networks may be a mobile communications network, a wireless network or a wireline network.
- a communications node is proposed that comprises such an apparatus as described above.
- a program is also proposed for controlling an apparatus to perform a method as herein proposed, or which, when loaded into an apparatus, causes the apparatus to become an apparatus as herein proposed.
- the program may be carried on a carrier medium.
- the carrier medium may be a storage medium.
- the carrier medium may be a transmission medium.
- An apparatus programmed by such a program is also envisaged, as is a storage medium containing such a program.
- Use of an embodiment of the present invention enables lower usage of resources when application layer security is not applied to application data. Use of an embodiment of the present invention can result in less signalling in the system. Use of an embodiment of the present invention can result in a lower energy consumption for a UE/MTC device, which is particularly beneficial where the UE/MTC device is a portable or mobile device having a restricted battery capacity. It is also possible to manufacture less expensive UEs without any support for application layer security if these UEs would only connect to the network if there is sufficient lower layer security available.
- FIG. 1 discussed hereinbefore, illustrates a system architecture for MTC from 3GPP;
- Figure 2 illustrates hop-by-hop security showing the paths in a non-roaming situation
- Figure 3 illustrates hop-by-hop security showing the paths in a roaming situation
- Figure 4 is a schematic flow chart illustrating a method performed by first and second nodes (UE and MTC Server/Application) in an embodiment of the present invention
- Figure 5 is a schematic block diagram illustrating apparatus for performing a method embodying the present invention
- Figure 6 is a schematic illustration of a node in which a method embodying the present invention can be implemented
- Figure 7 illustrates, in a first embodiment of the present invention, the sending of a registration from the UE to the MTC Server/Application
- Figure 8 illustrates, in the first embodiment of the present invention, the sending of data from the MTC Server/Application to the UE after the initial registration
- Figure 9 illustrates, in the first embodiment of the present invention, the sending of data from the UE to the MTC Server/Application after the initial registration
- Figure 10 illustrates, in the first embodiment of the present invention, the sending of a re-registration from the UE to the MTC Server/Application
- Figure 1 1 illustrates, in a second embodiment of the present invention, triggering of the UE from the MTC Server/Application
- Figure 12 illustrates, in the second embodiment of the present invention, the sending of data from the UE to the MTC Server/Application
- Figure 13 illustrates, in the second embodiment of the present invention, the sending of data from the MTC Server/Application to the UE;
- Figure 14 illustrates, in the second embodiment of the present invention, an example signalling flow for delivery of relevant data to the UE by the core network;
- Figure 15 illustrates, in the second embodiment of the present invention, an example signalling flow for delivery of relevant data to the UE by a push method
- Figure 16 illustrates, in the second embodiment of the present invention, an example signalling flow for delivery of relevant data to the UE by a pull method
- Figure 17 illustrates schematically a network in which an embodiment of the present invention can be implemented
- Figure 18 illustrates schematically a user terminal according to an embodiment of the present invention
- Figure 19 illustrates schematically a base station according to an embodiment of the present invention.
- a technique is proposed herein aims to allow data to be sent securely without the need to set up application layer security in a situation where the UE 10 can trust the communication path between the UE 10 and the MTC Server/Application 20/30 to be secured by lower layers.
- the communication path between the UE 10 and MTC Server/Application 20/30 can be considered to comprise three paths as illustrated in Figure 2, and as summarised below.
- a first path (“path A") is that from the UE 10 to the 3GPP network 40.
- a second path (“path B") is that from the 3GPP network 40 to the MTC Server/Application 20/30. It is typically assumed that the MTC Server/Application 20/30 is connected to the Home PLMN (HPLMN or Home Public Land Mobile Network) of the UE 10, but this is not always the case.
- PLMN Home Public Land Mobile Network
- a third path is the intermediate path within the 3GPP network 40 between paths A and B. It should be noted that the intermediate path as illustrated in Figure 2 is an internal path and includes paths between Radio Access Network (RAN) nodes and between Core Network (CN) nodes.
- RAN Radio Access Network
- CN Core Network
- the paths are considered to be logical paths, and they may themselves include intermediate nodes.
- the intermediate path between the two operators within the 3GPP network domain does not have to consist of one transmission link but can consist of several hops, and these hops may be secured in a hop-by-hop fashion, as is illustrated in Figure 3.
- Figure 3 illustrates a scenario in which the 3GPP network 40 includes both a visited and home network, i.e. a roaming scenario. In this case the intermediate path spans over two operators' networks.
- the UE 10 and MTC Server/Application 20/30 determine when sufficient hop-by-hop lower layer security (i.e. lower than application layer level, for example at the network layer level) is available and therefore when application layer security does not need to be established.
- the relevant data on security properties can be considered to consist of the following information: First information on whether the 3GPP network 40 to which the UE 10 is connected (identified for example with a PLMN-ID) has a secure path A.
- An example of a secure path A is where air interface encryption and/or integrity protection is used.
- An example of a secure path B is where External interface security according to TR 33.868 is set up. Traffic within the HPLMN is also regarded as being secure. Since a UE used for MTC purposes would typically communicate with a limited set of MTC Servers/Applications, this information should be limited in length.
- Third information on whether the intermediate path between path A and path B is secure For example, in case of roaming traffic within the visited PLMN (VPLMN) and also traffic between the VPLMN and HPLMN is secure, encryption and/or integrity protection may be used.
- the relevant data can be organized into three lists as follows:
- a first list (referred to herein as "List 1 ”) contains those PLMNs which are known to use secure path A (for example where air interface encryption and/or integrity protection is used).
- a second list (referred to herein as "List 2") contains those MTC Server/Application server(s) (identified e.g. by FQDN) which have established secure path B with the 3GPP network, i.e. typically the UE's HPLMN.
- a third list (referred to herein as "List 3") contains those VPLMNs which have a secure internal path and a secure intermediate path to HPLMN. (The HPLMN can be regarded as being secure.)
- the security properties of the three paths can be provided to the UE 10 and MTC Server/Application 20/30 in several different ways, and two of these are described herein in detail as first and second embodiments of the present invention, respectively.
- the security properties of the three paths are provided to the UE and MTC Server/Application by a protocol-based method, while in the second embodiment of the present invention the security properties of the three paths are provided to the UE and MTC Server/Application by a configuration- based method.
- An embodiment of the present invention provides a means of securing data communications between a first node 10 attached to a first network 40-1 and a second node 20/30) attached to a second network 40-2.
- Figure 4 is for use in illustrating the steps performed by the first node 10 and the second node 20/30
- Figure 5 is for use in illustrating components of both the first node 10 and the second node 20/30 for performing the steps illustrated in Figure 4.
- the first node 10 and the second node 20/30 each comprise a receiver 1 10, a controller 120 and a transmitter 130.
- the receiver 1 10 comprises components P1 , P2, P3, P4r and (at least in the case of the first node 10) P13; these components are arranged respectively to perform steps S1 , S2, S3, S4r and S13 of Figure 4.
- the controller 120 comprises components P4t, P5, P6t, P6r, P7r and P8r arranged to perform steps S4t, S5, S6t, S6r, S7r and S8r respectively of Figure 4.
- the transmitter 130 comprises components P7t and P8t arranged to perform steps S7t and S8t respectively of Figure 4. These components can be considered either to be logical or physical components, or a combination of these.
- step S1 first information 11 is received at the receiver component P1 .
- the first information 11 specifies whether the first network 40-1 has a secure network layer path to the first node 10 or is known to use a secure network layer path to attached nodes.
- step S2 second information I2 is received at the receiver component P2.
- the second information I2 specifies whether the second node 20/30 has a secure network layer path to the second network 40-2 or is known to use a secure network layer path to the second network 40-2.
- step S3 third information I3 is received at the receiver component P3.
- the third information I3 specifies whether the first network 40-1 has a secure internal network layer path and, where the first and second networks 40-1 , 40-2 are different, on whether the first network 40-1 has a secure network layer path to the second network 40-2 or is known to use a secure network layer path to the second network 40-2.
- a roaming case is where the first network 40-1 is different to the second network 40-2
- a non-roaming case is where the first network 40-1 is the same as the second network 40-2; the description with reference to Figures 4 and 5 covers both roaming and non-roaming cases.
- the second network 40-2 would be a registered or home network of the first node 10 and the first network 40-1 would be a visited network.
- the first network 40-1 and the second network 40-2 are one and the same: the registered or home network of the first node 10.
- step S4t the controller component P4t is arranged to prepare data for sending to the first node 10.
- step S5 the controller component P5 is arranged to determine from the first, second and third information 11 , I2, 13 whether the entire path between the first node 10 and the second node 20/30 is secured at the network layer level.
- step S6t the controller component P6t arranges for application layer security to be established with the first node 10, and in step S7t the prepared data is sent by the transmitter component P7t to the first node 10 using the established application layer security.
- step S8t the prepared data is sent by the transmitter component P8t to the first node 10 without application layer security.
- step S4r data is received at the receiver component P4r from the first node 10 without application layer security.
- This alternative is presented on the right-hand side of Figure 4 (steps S4r, S6r, S7r and S8r).
- step S5 the controller component P5 determines from the first, second and third information 11 , I2, I3 whether the entire path between the first node 10 and the second node 20/30 is secured at the network layer level. If the determination from step S5 is that the entire path between the first node 10 and the second node 20/30 is not secured at the network layer level, then in step S6r the controller component P6r arranges for the received data to be discarded. In step S7r the controller component P7r arranges for application layer security to be established with the first node 10 to enable the data to be re-sent by the first node 10 using the established application layer security.
- step S8r the controller component P8r is arranged to accept the received data.
- first, second and third information 11 , I2, I3 is received respectively at the receiver components P1 , P2 and P3.
- an indication derived from such information is received in step S13 at the receiver component P13 from the second node 20/30.
- the first information 11 comprises information on whether the first network 40-1 has a secure network layer path to the first node 10 or is known to use a secure network layer path to attached nodes.
- the second information I2 comprises information on whether the second node 20/30 has a secure network layer path to the second network 40-2 or is known to use a secure network layer path to the second network 40-2.
- the third information I3 comprises information on whether the first network 40-1 has a secure internal network layer path and, where the first and second networks 40-1 , 40-2 are different, on whether the first network 40-1 has a secure network layer path to the second network 40-2 or is known to use a secure network layer path to the second network 40-2.
- a roaming case is where the first network 40-1 is different to the second network 40-2
- a non- roaming case is where the first network 40-1 is the same as the second network 40-2.
- step S4t the controller component P4t is arranged to prepare data for sending to the second node 20/30.
- step S5 the controller component P5 is arranged to determine from the first, second and third information 11 , I2, I3 (received in steps S1 , S2 and S3) or from the indication (received in step S13) whether the entire path between the first node 10 and the second node 20/30 is secured at the network layer level.
- step S6t the controller component P6t arranges for application layer security to be established with the second node 20/30, and in step S7t the prepared data is sent by the transmitter component P7t to the second node 20/30 using the established application layer security.
- step S8t the prepared data is sent by the transmitter component P8t to the second node 20/30 without application layer security.
- step S4r data is received at the receiver component P4r from the second node 20/30 without application layer security.
- the controller component P5 determines from the first, second and third information 11 , I2, I3 (received in steps S1 , S2 and S3) or from the indication (received in step S13) whether the entire path between the first node 10 and the second node 20/30 is secured at the network layer level.
- step S6r the controller component P6r arranges for the received data to be discarded.
- step S7r the controller component P7r arranges for application layer security to be established with the second node 20/30 to enable the data to be re-sent by the 20/30 node 10 using the established application layer security.
- step S8r the controller component P8r is arranged to accept the received data.
- the first node 10 may be configured to perform steps S5 onwards only in the case of having data prepared for sending to the second node 20/30 (step S4t), or only in the case of having received unsecured data from the second node 20/30 (step S4r), or it may be configured to perform steps S5 onwards in both of these cases.
- the second node 20/30 may be configured to perform steps S5 onwards only in the case of having data prepared for sending to the first node 10 (step S4t), or only in the case of having received unsecured data from the first node 10 (step S4r), or it may be configured to perform steps S5 onwards in both of these cases.
- operation of one or more of the above-described components can be provided in the form of one or more processors or processing units, which processing unit or units could be controlled or provided at least in part by a program operating on the device or apparatus.
- the function of several depicted components may in fact be performed by a single component.
- a single processor or processing unit may be arranged to perform the function of multiple components.
- Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website. Any appended claims now or in future are to be interpreted as covering an operating program by itself, or as a record on a carrier, or as a signal, or in any other form.
- FIG. 6 is a schematic illustration of a node 200 in which a method embodying the present invention can be implemented.
- a computer program for controlling the node 200 to carry out a method embodying the present invention is stored in a program storage 230.
- a computer-readable storage medium containing the computer program such as a CD-ROM 235, may be used to load the computer program into the program storage 230.
- Data used during the performance of a method embodying the present invention is stored in a data storage 220.
- program steps are fetched from the program storage 230 and executed by a Central Processing Unit (CPU) 210, retrieving data as required from the data storage 220.
- CPU Central Processing Unit
- Output information resulting from performance of a method embodying the present invention can be stored back in the data storage 220, or sent to an Input/Output (I/O) interface 240, which may comprise a transmitter for transmitting data to other nodes, as required.
- the Input/Output (I/O) interface 240 may comprise a receiver for receiving data from other nodes, for example for use by the CPU 210.
- the UE 10 first registers in the 3GPP access network and determines the registered PLMN and whether 3GPP access security is enabled.
- the technique is also applicable to a non-3GPP access to EPC setting where the UE connects to a PLMN (HPLMN or VPLMN) as well but via so called trusted or untrusted non-3GPP access network (see TR 33.402 at http://www.3gpp.org/ftp/Specs/html-info/33.402.htm) instead of 3GPP radio access.
- PLMN HPLMN or VPLMN
- TR 33.402 at http://www.3gpp.org/ftp/Specs/html-info/33.402.htm
- the UE 10 then initiates application layer communication with the MTC Server/Application 20/30 and provides in a protected message (security credentials for this will have already been set up, for example pre-provisioned or at some initial application layer registration) either information concerning whether access security is enabled on the local link the UE 10 sees (e.g. the 3GPP access), or information concerning which PLMN the UE 10 is registered to, or both. Additional parameters might also be communicated at this time, for example what type of security is used on the local link. Authentication may be performed as well.
- the MTC Server/Application 20/30 decides whether security needs to be set up for data communication between the UE 10 and the MTC Server/Application 20/30 based on the information received from the UE 10 and the previously-mentioned lists which will have been configured in the MTC Server/Application 20/30.
- the MTC Server/Application 20/30 could be configured with the lists (relevant data) at any time and in any manner, e.g. by the MTC user, the 3GPP operator or some other entity.
- relevant data is provisioned, followed by use of the relevant data to determine if application layer security is required.
- Relevant data can be provisioned (provided) to the UE 10 when the UE is configured online or off-line.
- the UE 10 could fetch the data from a configuration server periodically or when intending to set up a connection to a new network.
- the MTC Server/Application 20/30 could be configured with the relevant data any time, or the MTC Server/Application 20/30 can receive the relevant data from the 3GPP network to which it is connected.
- the UE 10 and the MTC Server/Application 20/30 receive the relevant data by way of a configuration procedure, rather than by way of a protocol procedure as in the first embodiment.
- the UE 10 checks the ID (PLMN-ID) of the PLMN to which the UE is connected, e.g. from the radio level information. The UE 10 checks if the PLMN-ID is found in List 1 . The UE 10 can also locally check if air interface protection is in use. The UE 10 checks if the FQDN of the MTC Server/Application 20/30 (i.e. HPLMN-ID ⁇ > FQDN pair) is found in List 2. The UE 10 checks if the PLMN-ID to which the UE is connected is found in list 3. If all checks are successful, then it is determined that there is no need to establish application layer security. If any of the checks fails, it is determined that application layer security needs to be established.
- PLMN-ID the ID of the PLMN to which the UE is connected
- the MTC server/Application 20/30 checks the ID of the PLMN (the PLMN-ID) to which the UE 10 is connected.
- the MTC Server/Application 20/30 may request or get this information from the 3GPP network (e.g. from the MTC Interworking Function, MTC-IWF, or from the Home Subscriber Server, HSS), or it may be pre-configured to the MTC Server/Application 20/30 in some cases if the UE 10 is known to be stationary.
- the MTC Server/Application 20/30 checks if the PLMN-ID is found in List 1.
- the MTC server/Application may also request or get this information from the 3GPP network (e.g.
- the MTC Server/Application 20/30 checks if the FQDN of the MTC Server/Application 20/30 (i.e. HPLMN-ID ⁇ > FQDN pair) is found in List 2.
- the MTC Server/Application 20/30 may also locally check if security is used between the MTC server/Application and the HPLMN.
- the MTC Server/Application 20/30 checks if the PLMN-ID to which the UE 10 is connected is found in List 3.
- the MTC Server/Application 20/30 may also request or get this information from the 3GPP network (e.g. from the MTC-IWF or from the HSS).
- a first phase involving UE registration in the MTC Server/Application (see Figure 7); a second phase involving the sending of data after initial registration (see Figures 8 and 9); and a third phase involving re-registration (see Figure 10).
- the UE 10 initially does not have available to it the relevant data described above, i.e. List 1 , List 2 and List 3.
- the MTC Server/Application 20/30 may have access to the relevant data, i.e. List 1 , List 2 and List 3, or access to something similar.
- the UE 10 establishes an application layer session to the MTC Server/Application 20/30.
- the UE 10 and MTC Server/Application 20/30 mutually authenticate (using credentials which are out of scope of this disclosure) and negotiate between them as to whether end-to-end application layer security needs to be established depending on the security provided by the lower layers (this could be seen as the network providing the UE 10 with the relevant data, but those only contain the entry valid for current access used); the negotiation is done securely.
- the MTC Server/Application 20/30 can, during the application registration phase, provide the relevant data (e.g. List 1 , List 2 and List 3) setting out which access networks are to be trusted when access layer security is enabled.
- the MTC Server/Application 20/30 may be configured with the relevant data (Lists 1 , 2 and 3).
- the MTC Server/Application 20/30 is identified with a FQDN.
- the configuration can be done by an entity in the home PLMN of the UE 10, or by a third party.
- the UE 10 wishes to send a registration message to the MTC Server/Application 20/30 in order to send and receive data to/from the MTC Server/Application 20/30.
- the UE 10 checks under which PLMN the UE 10 is attached, e.g. from the cell information.
- step 3 of Figure 7 the UE 10 determines whether or not access layer security (for example encryption and/or integrity protection) is enabled at the access layer in this PLMN.
- access layer security for example encryption and/or integrity protection
- the checking or negotiation with the MTC Server/Application 20/30 by the UE 10 to determine whether or not application layer security is required may not be needed every time data is sent by UE 10, but is always needed at least once, typically at registration.
- the determination as to whether application layer security is needed could be cached and it could be associated to a data session, e.g. an RTP (Real-time Transport Protocol) session.
- RTP Real-time Transport Protocol
- step 4 of Figure 7 the UE 10 establishes an application layer session with the MTC Server/Application 20/30 and initiates communication with the MTC Server/Application 20/30 in order to register and in order to negotiate with the MTC Server/Application 20/30 as to whether or not application layer security is to be used.
- the UE 10 could send the actual data to the MTC Server/Application 20/30, but the UE 10 could also wait to send the actual data until after the negotiation has taken place.
- the UE 10 could provide one or more of the following pieces of information to the MTC Server/Application 20/30 as part of the negotiation: (a) a UE-ID.
- This is some form of private identity such as an International Mobile Subscriber Identity (IMSI) or IP Multimedia Private Identity (IMPI);
- IMSI International Mobile Subscriber Identity
- IMPI IP Multimedia Private Identity
- access layer security e.g. encryption and/or integrity
- This information could be pre-configured in the Mobile Equipment (ME) by e.g. OMA (Open Mobile Alliance) Device Management (OMA DM), or e.g. in the Universal Integrated Circuit Card (UICC);
- OMA Open Mobile Alliance
- OMA DM Device Management
- UICC Universal Integrated Circuit Card
- any other information required by the MTC Server/Application 20/30 from the UE 10 may be sent as well in this negotiation.
- Application layer security should be setup for the initial registration in order to allow that the negotiation will be secure.
- the MTC Server/Application 20/30 checks the PLMN-ID in which the UE 10 is currently registered. This could be done by checking the received message from the UE 10 or by checking with the 3GPP network (e.g. using 3GPP monitor functionality which enables the MTC Server/Application 20/30 to subscribe to 3GPP events related to the UE 10). The MTC Server/Application 20/30 could also double check that the PLMN-ID provided by UE 10 matches the information received from the 3GPP network. If monitor functionality is not available, just the UE-provided information can be used (possibly checking the MTC Server/Application 20/30 configured information as to whether the UE 10 is allowed to roam to the PLMN provided by the UE 10).
- the MTC Server/Application 20/30 determines whether application layer security is needed. In doing so, the MTC Server/Application 20/30 checks if the UE 10 has indicated that access layer security is enabled, and may also check if the PLMN-ID is found in List 1. It also checks if the relevant PLMN-ID ⁇ > FQDN pair is found in List 2.
- the MTC Server/Application 20/30 determines that application layer security is not needed, in step 7 of Figure 7 it indicates to the UE 10 that no application layer security is needed from now on and therefore that the UE 10 can send data without application layer security mechanisms. If access layer encryption is disabled in the UE 10, the UE 10 could be configured so that it does not accept the use of no application layer security. However, there could also be MTC Server/Applications that do not require end-to-end security. That could be preconfigured in the UE 10 for this specific MTC Server/Application 20/30.
- the MTC Server/Application 20/30 determines that application layer security is needed, it indicates to the UE 10 to use application layer security. If the MTC Server/Application 20/30 would subsequently receive data unprotected from this UE 10, the MTC Server/Application 20/30 discards the data received from the UE 10; this could be due to an attack.
- the MTC Server/Application 20/30 and the UE 10 respectively store the information whether application layer security is to be applied in subsequent communications e.g. sending data.
- Figure 8 illustrates the sending of data from the MTC Server/Application 20/30 to the UE 10 after the initial registration
- Figure 9 illustrates the sending of data from the UE 10 to the MTC Server/Application 20/30 after the initial registration.
- step 1 of Figure 8 the MTC Server/Application 20/30 wishes to send data to the UE 10, and checks whether security is required based on last registration information (see Figure 7).
- step 2 of Figure 8 the MTC Server/Application 20/30 initiates data sending either with or without application layer security (confidentiality/integrity protection), depending on the determination from step 1 of Figure 8.
- step 3 of Figure 8 the UE 10 receives the data and if security has not been applied, the UE 10 may perform a check as to whether the sending of unprotected data was appropriate. If not, the UE 10 can choose to discard the received data.
- step 4 of Figure 8 if the data is accepted, the UE 10 acknowledges receipt of the data.
- step 1 of Figure 9 the sending of data from the UE 10 to the MTC Server/Application 20/30 after the initial registration
- the UE 10 wishes to send data to the MTC Server/Application 20/30, and checks whether security is required based on last registration information (see Figure 7).
- step 2 of Figure 9 the UE 10 initiates data sending either with or without application layer security (confidentiality/integrity protection), depending on the determination from step 1 of Figure 9.
- the MTC Server/Application 20/30 receives the data and if security has not been applied, the MTC Server/Application 20/30 may perform a check as to whether the sending of unprotected data was appropriate. If not, the MTC Server/Application 20/30 can choose to discard the received data.
- step 4 of Figure 9 if the data is accepted, the MTC Server/Application 20/30 acknowledges receipt of the data.
- the third phase relates to a re-registr procedure.
- a new access, access security is changed (e.g. from security applied to not applied) or a registration timer expires (for M2M applications the application layer registration timer is assumed to be very long)
- the UE 10 may initiate a re-registration; this is illustrated in Figure 10 as step 1 .
- the MTC Server/Application 20/30 may also trigger a re-registration e.g. in a case where Service Level Agreements have changed (not shown in Figure 10).
- a re-registration is not initiated for some events, then initiating application layer security may be required e.g. access security disabled at the UE 10 and the MTC Server/Application 20/30 initiates a trigger towards the UE 10 (as MTC Server/Application 20/30 wants to send data), then the UE 10 ensures application layer security is enabled for the communication.
- the UE 10 initiates data communication including applying application layer security as e.g. access security been disabled at the UE 10 (or other event meaning the "agreement is not valid anymore"). This option may be suitable to avoid too many re- registrations and therefore limit the signalling load.
- Whether a re-registration is to be initiated or not is up to application layer logic.
- step 1 of Figure 10 the UE 10 moves to a new PLMN or some other event occurs which requires a re-registration to be performed.
- Step 2 of Figure 10 is equivalent to steps 2 to 4 of Figure 7, i.e. the UE 10 checks under which PLMN the UE 10 is attached, determines whether or not access layer security is enabled at the access layer in this PLMN, establishes an application layer session with the MTC Server/Application 20/30 and initiates communication with the MTC Server/Application 20/30 in order to re-register and in order to negotiate with the MTC Server/Application 20/30 as to whether or not application layer security is to be used.
- Step 3 of Figure 10 is equivalent to steps 5 and 6 of Figure 7, i.e.
- the MTC Server/Application 20/30 performs checks to determine whether application layer security is needed. Steps 4, 5a and 5b of Figure 10 are equivalent to steps 7, 8a and 8b of Figure 7, i.e. the MTC Server/Application 20/30 indicates to the UE 10 whether or not application layer security is needed from now on, with the MTC Server/Application 20/30 and the UE 10 each storing the information as to whether application layer security is to be applied in subsequent communications e.g. sending data.
- the above-mentioned second embodiment will now be described in more detail with reference to Figures 1 1 to 16. The second embodiment fits within the overall framework described above with reference to Figures 4 and 5.
- a first phase involving triggering the UE 10 from the MTC Server/Application 20/30 (see Figure 1 1 ); a second phase involving the sending of data from the UE 10 to the MTC Server/Application 20/30 (see Figure 12); and a third phase involving the sending of data from the MTC Server/Application 20/30 to the UE 10 (see Figure 13).
- the MTC Server/Application 20/30 when the MTC Server/Application 20/30 wishes to communicate with the UE 10, the MTC Server/Application 20/30 "pokes" the UE 10 with some kind of indication. This is called triggering in the 3GPP MTC work. As a result, the UE 10 is triggered to establish a connection to the MTC Server/Application 20/30.
- the trigger indication should include an identification or address of the MTC Server/Application 20/30 which the UE 10 should contact (or the UE 10 may be pre-provisioned with address of the MTC Server/Application 20/30).
- the main triggering mechanisms being proposed are triggering via Non Access Stratum (NAS) signalling (e.g. a new information element in an existing NAS message or a new NAS message) and triggering via Short Message Service (SMS).
- NAS Non Access Stratum
- SMS Short Message Service
- the SMS trigger is sent from the network to the MTC device using NAS as a transport, the SMS trigger will also benefit from the integrity protection of NAS signalling in LTE.
- the solution applies equally to a User Plane triggering solution.
- FIG. 1 1 illustrates triggering of UE 10 from the MTC Server/Application 20/30.
- the UE 10 and MTC Server/Application 20/30 are configured with (receive) Lists 1 , 2 and 3.
- the MTC Server/Application 20/30 is identified with e.g. a FQDN.
- the UE 10 can be configured online or off-line. Or the UE 10 could fetch the data from a configuration server periodically or when intending to set-up a connection to a new network.
- the MTC Server/Application 20/30 could be configured with the relevant data any time, e.g. by the MTC user, the 3GPP operator or some other entity.
- the MTC Server/Application 20/30 wants to trigger the UE 10. It checks any stored information about the UE 10, e.g. UE 10 might be fixed to a location/PLMN and not able to roam or PLMN-ID might be reported by the UE 10 to the MTC Server/Application 20/30 in case the PLMN-ID changes (e.g. from trustworthy PLMN to non-trustworthy PLMN), or the 3GPP network could report the current PLMN of the UE 10 to the MTC Server/Application 20/30 dynamically via so called monitoring function. In any case, the PLMN-ID could be known at this point.
- PLMN-ID could be known at this point.
- the MTC Server/Application 20/30 determines if application layer security is needed. In doing so, it checks if the relevant PLMN-ID is found in List 1 and if the HPLMN-ID ⁇ > FQDN pair is found in List 2, and if the relevant PLMN-ID is found in List 3.
- the MTC Server/Application 20/30 can send the trigger indication without applying any end-to-end security. This means that the MTC Server/Application 20/30 can rely on the 3GPP network to securely forward the trigger indication to the UE 10. If the PLMN-ID is not known the MTC Server/Application 20/30 could apply end-to-end integrity protection on the trigger using e.g. pre-provisioned application layer key.
- the trigger indication is forwarded within the 3GPP network.
- the UE 10 receives the trigger indication. The UE 10 determines if it can accept the trigger indication.
- the UE 10 checks if the trigger indication is integrity protected by access layer security mechanisms, e.g. by LTE NAS or AS security. If not, the UE 10 marks the trigger as not protected by access layer and may look deeper into the trigger to determine if end-to-end protection was applied. If there is access security integrity protection, the UE 10 will check it.
- access layer security mechanisms e.g. by LTE NAS or AS security.
- the UE 10 discards the trigger.
- the UE 10 determines if it can trust the 3GPP network to convey the trigger securely from the MTC Server/Application 20/30. This means, to have a secured interface from the MTC Server/Application 20/30 to the 3GPP network, and the 3GPP network is trusted to ensure that only trigger indications received from authorized MTC Server/Applications will lead to triggering of MTC Devices "belonging" to that MTC Server/Application.
- the UE 10 checks if the relevant PLMN-ID is found in List 1 and if the relevant PLMN-ID ⁇ > FQDN pair is found in List 2, and in case of roaming if the relevant PLMN-ID is found in List 3.
- the UE 10 accepts the trigger indication, and acts accordingly, e.g. it may establish a connection to the MTC Server/Application 20/30. If any of the checks fail, the UE 10 may discard the trigger indication, or it may look deeper into the trigger to determine if end-to-end protection was applied anyway, and e.g. check the end-to-end integrity protection.
- the UE 10 would normally establish an application layer session to the MTC Server/Application 20/30. This can happen with or without a preceding trigger indication from the MTC Server/Application 20/30.
- An application layer session may consist of one or more data packets.
- a way is provided to send data securely without needing to set up application layer security, since the UE 10 can trust the path from the UE 10 to the MTC Server/Application 20/30 to be secured by the lower layers.
- Figure 12 illustrates the second phase, involving the sending of data from the UE 10 to the MTC Server/Application 20/30.
- the UE 10 and MTC Server/Application 20/30 are configured with (receive) Lists 1 , 2 and 3.
- the MTC Server/Application 20/30 is identified with a FQDN.
- the configuration can be done by an entity, e.g. in the UE 10's home PLMN or a third party.
- step 2 of Figure 12 the UE 10 wants to send data to or start a communication session with the MTC Server/Application 20/30.
- the UE 10 checks under which PLMN the UE 10 is.
- the UE 10 determines if application layer security is needed. In doing so, the UE 10 determines if security is enabled at the access layer, e.g. by determining if the relevant PLMN-ID (i.e. the ID of the PLMN to which the UE 10 is connected) is found in List 1 . In case of roaming, the UE 10 also determines if the relevant PLMN-ID (i.e. the ID of the PLMN to which the UE 10 is connected) is found in List 3 (this determines if the link between VPLMN and HPLMN is secured).
- the relevant PLMN-ID i.e. the ID of the PLMN to which the UE 10 is connected
- the UE 10 also determines if a secure path is set up between the HPLMN and MTC Server/Application 20/30 and the 3GPP network is trustworthy, i.e. whether the relevant PLMN-ID ⁇ > FQDN pair is found in List 2.
- the processing continues to the next step. If any of the checks fails, the UE 10 should establish application layer security with the MTC Server/Application 20/30.
- checking of all lists may not be needed every time data is sent. Instead, the determination as to whether application layer security is needed could be cached and it could be associated to a data session, e.g. an RTP session.
- the UE 10 may establish an application layer session (which may include application layer authentication) and starts to send data to the MTC Server/Application 20/30 without applying any application layer (end to end) security to the data.
- an application layer session which may include application layer authentication
- step 5 of Figure 12 the data is forwarded within the 3GPP network.
- the MTC Server/Application 20/30 receives the data.
- the MTC Server/Application 20/30 determines if application layer security is needed. In doing so, the MTC Server/Application 20/30 checks under which PLMN the UE 10 is (this information can be received, e.g. from the 3GPP network).
- the MTC Server/Application 20/30 also checks if the relevant PLMN-ID is found in List 1 (this information can be received e.g. from the 3GPP network, which can have an up-to-date status of the security of path A for this UE 10). In case of roaming, the MTC Server/Application 20/30 checks if the relevant PLMN-ID is found in List 3, and if the relevant PLMN-ID ⁇ > FQDN pair is found in List 2.
- the MTC Server/Application 20/30 accepts the data. If any of the checks fails, the MTC Server/Application 20/30 does not accept the data and establishes application layer security with the UE 10.
- the MTC Server/Application 20/30 would accept the request even if List 1 indicates that the PLMN is trustworthy.
- a precondition is that that the UE 10 has been triggered (see Figure 1 1 ) or that the UE 10 has autonomously contacted the MTC Server/Application 20/30 (see Figure 12). Data can be sent securely without needing to set up application layer security since the MTC Server/Application 20/30 can trust the path to the UE 10 to be secured by the lower layers.
- Figure 13 illustrates the sending of data from the MTC Server/Application 20/30 to the UE 10 in the third phase.
- the UE 10 and MTC Server/Application 20/30 are configured with (receive) Lists 1 , 2 and 3.
- the MTC Server/Application 20/30 is identified with a FQDN. The configuration can be done by an entity in the UE 10's home PLMN or a third party.
- the MTC Server/Application 20/30 wishes to send data to the UE 10.
- the MTC Server/Application 20/30 checks under which PLMN the UE 10 is.
- the MTC Server/Application 20/30 determines if application layer security is needed.
- the MTC Server/Application 20/30 checks if the relevant PLMN-ID is found in List 1 and if the relevant PLMN-ID is found in List 3 and if the relevant PLMN-ID ⁇ > FQDN pair is found in List 2. If all checks are successful, the processing continues in the next step. If any of the checks fails, the MTC Server/Application 20/30 should establish application layer security with the UE 10.
- step 4 of Figure 13 the MTC Server/Application 20/30 establishes a connection and starts to send data to the UE 10 without applying any end-to-end security. This means that the MTC Server/Application 20/30 can rely on the 3GPP network to securely forward the data to the UE 10.
- the data is forwarded within the 3GPP network.
- the UE 10 receives the data.
- the UE 10 determines if application layer security is needed. In doing so, the UE 10 checks if encryption is enabled at the access layer, and if the relevant PLMN-ID is trustworthy, i.e. it is found in List 1 .
- the UE 10 checks if a secure path is set up between the PLMN and MTC Server/Application 20/30, i.e. if the relevant PLMN-ID ⁇ > FQDN pair is found in List 2.
- the UE 10 checks if the relevant PLMN-ID is found in List 3. If all checks are successful, the UE 10 accepts the data.
- the UE 10 does not accept the data and establishes application layer security with the MTC Server/Application 20/30. It is to be noted that a thorough checking of both lists may not be needed every time data is received. Instead, the determination as to whether application layer security is needed could be cached and it could be associated to a data session, e.g. an RTP session.
- Configuration and management of the Lists 1 , 2 and 3 in the UE 10 will now be described with reference to Figures 10 to 12. These Lists are also referred to above as relevant data, and below as Configuration Data.
- the Configuration Data could be stored either on the Subscriber Identity Module, which for example can be a Universal Subscriber Identity Module (USIM), or on the ME part of the device (i.e.
- USIM Universal Subscriber Identity Module
- the Configuration Data is stored on a Subscriber Identity Module, then it is envisioned that this data may be stored on the Subscriber Identity Module from the start. If the Configuration Data is stored in the ME, then the Configuration Data typically needs to be updated remotely by the network.
- M2M application being taken into use by the device
- a switch of subscription to a different operator operator enabling/disabling access layer security or operator enabling/disabling external interface security
- new PLMN-IDs need to be added or deleted, and so on.
- FIG 14 illustrates an example in which Configuration Data is delivered by Core Network MME/MSC/SGSN.
- the Configuration Data could be delivered to the UE 10 by the core network (MME, MSC or SGSN) in Non Access Stratum (NAS) protocols.
- a new optional information element (IE) could be added to any NAS procedure in the NAS protocol from the network to UE 10 direction (e.g. Attach Accept, Routing Area Update Accept, Location Update Accept, Tracking Area Update Accept, Security Mode Command etc.).
- an Attach Request is send from the UE 10 to an eNodeB.
- step 2 the Attach Request is forwarded from the eNodeB to the new MME, which then sends in step 3 an Identification Request to the old MME (or SGSN); the old MME (or SGSN) responds to the new MME with an Identification Response in step 4.
- the new MME sends an Identity Request to the UE 10 in step 5, and the UE 10 responds to the new MME with an Identity Response in step 6.
- Authentication is performed between the UE 10 and the HSS in step 7, and in step 8 the new MME sends an Attach Accept to the UE 10, including the Configuration Data. It would also be possible to deliver the Configuration Data to roaming users.
- Configuration Data is delivered by the Radio Access Layer (e.g. a Radio Resource Control or RRC layer in the eNB).
- RRC layer e.g. a Radio Resource Control or RRC layer in the eNB.
- RRC layer e.g. a Radio Resource Control or RRC layer in the eNB.
- RRC layer e.g. a Radio Resource Control or RRC layer in the eNB.
- RRC layer e.g. a Radio Resource Control or RRC layer in the eNB.
- RRC layer in the eNB may be based around the RRC layer at RRC connection establishment, where either the RRC layer in eNodeB includes the Configuration Data of the selected MME node to the UE 10 in the RRCConnectionSetup message, or the RRC layer includes new Configuration Data in some other message, from the network to the UE 10. It would also be possible to deliver the Configuration Data to roaming users.
- Configuration Data is delivered by an Access Network Discovery and Selection Function (ANDSF).
- ANDSF Access Network Discovery and Selection Function
- the UE 10 may initiate communication (IP-tunnel) with the ANDSF server for operator preferred access network discovery. After communicating with the ANDSF server, the UE 10 may be provided with updated inter- system policy and information about available access networks in the vicinity of the UE 10. Configuration Data, as described herein, could be provided as well by the ANDSF server to the UE 10. Even when the UE 10 is roaming in a visited PLMN, the UE 10 may use DNS lookup to discover the IP address of V-ANDSF and in order to access the ANDSF in a visited PLMN.
- FIG 15 illustrates an example in which Configuration Data is delivered by a push method.
- the HLR/HSS could trigger a network server (which is either managing the update of the Configuration Data itself or connected to the network server providing the Configuration Data) to send the Configuration Data to the UE 10 in an OMA DM bootstrap message in a WAP Push message using SMS.
- a network server which is either managing the update of the Configuration Data itself or connected to the network server providing the Configuration Data
- a network server which is either managing the update of the Configuration Data itself or connected to the network server providing the Configuration Data
- a network server which is either managing the update of the Configuration Data itself or connected to the network server providing the Configuration Data
- a network server which is either managing the update of the Configuration Data itself or connected to the network server providing the Configuration Data
- an OMA DM bootstrap message in a WAP Push message using SMS.
- GBA Push would be even more secure to use in the push method.
- VNO Virtual Network Operator
- IMSI Update
- a Device Detection (IMSI, IMEISV) message is sent from the HSS to the network server, which triggers the server to send a WAP push message (over SMS) to the UE 10, with the push message containing the Configuration Data. It would also be possible to deliver the Configuration Data to roaming users.
- Configuration Data is delivered by OMA DM server.
- OMA DM server One option would be to allow the OMA DM server to configure the Configuration Data in the UE 10, either in ME or on a Subscriber Identity Module such as a USIM.
- Figure 16 illustrates an example in which Configuration Data is delivered by a pull method.
- Such an approach may involve triggering the UE 10 to contact the network server residing the Configuration Data Function via IP connectivity and retrieving the Configuration Data from the Configuration Function over a secured HTTPS link.
- the HLR/HSS could trigger the Configuration Function to send a trigger message to the UE 10 in an OMA DM bootstrap message in a WAP Push message using SMS.
- GBA Push could be used. This trigger would command the UE 10 to connect to the network server residing the Configuration Data Function in order to pull or retrieve Configuration Data from the network server residing the Configuration data.
- Steps 1 to 4 of Figure 16 are analogous to the correspondingly-numbered steps in Figure 15, except the push message sent in step 4 of Figure 16 does not actually contain the Configuration Data, but instead contains a trigger for triggering the UE 10 to fetch the Configuration Data. Having received the trigger message, the UE 10 fetches the Configuration Data in steps 5 and 6 of Figure 16, sending a HTTPS GET message to the network server in step 5, to which the network server responds with a HTTPS 200 OK message containing the Configuration Data.
- the UE 10 could also be preconfigured by the home operator with the IP address of the network server residing the Configuration Data.
- Configuration Data is delivered to a Subscriber Identity Module on a physical UlCC.
- the Configuration Data can be delivered to the Subscriber Identity Module, for example a USIM or ISIM or any other SIM application held by a physical UlCC card, using e.g. the OTA protocol from the OTA system.
- Configuration can be by way of the MTC Server/Application 20/30. With such an approach, the initial contact with the MTC Server/Application 20/30 could include provisioning of the Configuration Data. Initial communication would then have to be secured by application layer security, but subsequent communication could then rely on access layer security.
- Configuration Data is delivered to any 'downloadable USIM' (e.g.
- any solution which is downloaded remotely by the network e.g. eUICC in ETSI SCP or Remote Subscription Management in 3GPP2 or MCIM in 3GPP
- e.g. 'Downloadable USIM' is meant to include any downloadable Subscriber Identity Module.
- the example network may include one or more instances of user equipment (UEs) and one or more base stations capable of communicating with these UEs, along with any additional elements suitable to support communication between UEs or between a UE and another communication device (such as a landline telephone).
- UEs user equipment
- the illustrated UEs may represent communication devices that include any suitable combination of hardware and/or software, these UEs may, in particular embodiments, represent devices such as the example UE illustrated in greater detail by Figure 18.
- the illustrated base stations may represent network nodes that include any suitable combination of hardware and/or software, these base stations may, in particular embodiments, represent devices such as the example base station illustrated in greater detail by Figure 19.
- the example UE includes a processor, a memory, a transceiver, and an antenna.
- some or all of the functionality described above as being provided by mobile communication devices or other forms of UE may be provided by the UE processor executing instructions stored on a computer-readable medium, such as the memory shown in Figure 18.
- Alternative embodiments of the UE may include additional components beyond those shown in Figure 18 that may be responsible for providing certain aspects of the UE's functionality, including any of the functionality described above and/or any functionality necessary to support the solution described above.
- the example base station includes a processor, a memory, a transceiver, and an antenna.
- some or all of the functionality described above as being provided by a mobile base station, a base station controller, a node B, an enhanced node B, and/or any other type of mobile communications node may be provided by the base station processor executing instructions stored on a computer-readable medium, such as the memory shown in Figure 19.
- Alternative embodiments of the base station may include additional components responsible for providing additional functionality, including any of the functionality identified above and/or any functionality necessary to support the solution described above.
- the nodes assigned for 3GPP network could include in the RAN side, e.g. GERAN nodes like BTS, BSC, UTRAN nodes like RNC and NodeB, or E-UTRAN nodes like eNodeB, or some other nodes.
- the Core Network side e.g. MME, SGSN, HSS, GGSN, P-GW could be involved.
- the role of UE could be taken by any mobile terminal including e.g. an MTC device or e.g. an MTC GW relying traffic between the mobile network and sensors in a local network.
- the invention is not applicable only to mobile networks. It can also be applied e.g. to fixed networks such as BBF Broadband Forum networks as well as other types of mobile networks such as 3GPP2 networks. Additionally, the invention is not specific to M2M applications, but can be applied to any other kind of communication type such as voice traffic, and/or IP communication.
- any message which is shown or described as being sent from node A to node B implicitly includes the step of node A sending the message as well as the step of node B receiving the message, and means at nodes A and B for performing those steps. It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.
- TR23.888 http://www.3gpp.org/ftp/Specs/html-info/23888.htm
- TR 33.868 http://www.3gpp.orq/ftp/Specs/html-info/33868.htm
- TR 33.402 http://www.3gpp.org/ftp/Specs/html-info/33402.htm
- TR 24.312 http://www.3gpp.org/ftp/Specs/html-info/24312.htm
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/354,615 US9420001B2 (en) | 2011-10-31 | 2012-10-30 | Securing data communications in a communications network |
EP12790807.7A EP2774402B1 (en) | 2011-10-31 | 2012-10-30 | Securing data communications in a communications network |
SG11201401209SA SG11201401209SA (en) | 2011-10-31 | 2012-10-30 | Securing data communications in a communications network |
BR112014010428-0A BR112014010428B1 (en) | 2011-10-31 | 2012-10-30 | Method for securing data communication, apparatus for use in a method for securing data communication, communication node, and storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201161553317P | 2011-10-31 | 2011-10-31 | |
US61/553,317 | 2011-10-31 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013064509A1 true WO2013064509A1 (en) | 2013-05-10 |
Family
ID=47222020
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2012/071508 WO2013064509A1 (en) | 2011-10-31 | 2012-10-30 | Securing data communications in a communications network |
Country Status (5)
Country | Link |
---|---|
US (1) | US9420001B2 (en) |
EP (1) | EP2774402B1 (en) |
BR (1) | BR112014010428B1 (en) |
SG (1) | SG11201401209SA (en) |
WO (1) | WO2013064509A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017200194A (en) * | 2013-05-22 | 2017-11-02 | コンヴィーダ ワイヤレス, エルエルシー | Access network support type boot strapping |
EP3624474A1 (en) * | 2014-08-12 | 2020-03-18 | Vodafone IP Licensing limited | Machine-to-machine cellular communication security |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013089452A1 (en) * | 2011-12-13 | 2013-06-20 | 엘지전자 주식회사 | Method and device for providing a proximity service in a wireless communication system |
BR112014032565A2 (en) | 2012-06-29 | 2017-06-27 | Nec Corp | mtc device trigger delivery optimization |
US8898769B2 (en) * | 2012-11-16 | 2014-11-25 | At&T Intellectual Property I, Lp | Methods for provisioning universal integrated circuit cards |
WO2014097572A1 (en) * | 2012-12-21 | 2014-06-26 | 日本電気株式会社 | Mtc-iwf entity, scs entity, signaling method, and computer-readable medium |
US9036820B2 (en) | 2013-09-11 | 2015-05-19 | At&T Intellectual Property I, Lp | System and methods for UICC-based secure communication |
GB2518256A (en) * | 2013-09-13 | 2015-03-18 | Vodafone Ip Licensing Ltd | Communicating with a machine to machine device |
US9240994B2 (en) | 2013-10-28 | 2016-01-19 | At&T Intellectual Property I, Lp | Apparatus and method for securely managing the accessibility to content and applications |
EP3116251A4 (en) | 2014-03-07 | 2017-08-02 | Kyocera Corporation | Communication control method, management server, and user terminal |
JP6512798B2 (en) * | 2014-11-19 | 2019-05-15 | キヤノン株式会社 | Communication apparatus, control method, and program |
US10999289B2 (en) * | 2015-10-30 | 2021-05-04 | Convida Wireless, Llc | System and methods for achieving end-to-end security for hop-by-hop services |
WO2017195201A1 (en) * | 2016-05-10 | 2017-11-16 | FirstPoint Mobile Guard Ltd. | System and method for securing communication and information of mobile devices through a controlled cellular communication network |
ES2821833T3 (en) * | 2016-10-14 | 2021-04-27 | Ntt Docomo Inc | Method of establishing a connection from a mobile terminal to a mobile radio communication network and radio access network component |
US11038923B2 (en) * | 2018-02-16 | 2021-06-15 | Nokia Technologies Oy | Security management in communication systems with security-based architecture using application layer security |
WO2019197339A1 (en) * | 2018-04-09 | 2019-10-17 | Nokia Technologies Oy | Method and apparatus for remote provisioning of protection policies in an edge node based on signaling between edge nodes |
US10944796B2 (en) | 2018-09-27 | 2021-03-09 | Palo Alto Networks, Inc. | Network slice-based security in mobile networks |
EP4080916B1 (en) * | 2018-09-27 | 2024-06-26 | Palo Alto Networks, Inc. | Network slice-based security in mobile networks |
WO2021033022A1 (en) * | 2019-08-16 | 2021-02-25 | Lenovo ( Singapore) Pte. Ltd. | Security capabilities in an encryption key request |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100499451C (en) * | 2003-08-26 | 2009-06-10 | 中兴通讯股份有限公司 | Network communication safe processor and its data processing method |
GB2422995B (en) * | 2003-11-04 | 2007-07-18 | Ntt Comm Corp | Method, apparatus and program for establishing encrypted communication channel between apparatuses |
US8213408B1 (en) * | 2005-09-16 | 2012-07-03 | Genband Us Llc | Providing security in a multimedia network |
US7877506B2 (en) * | 2006-05-26 | 2011-01-25 | International Business Machines Corporation | System, method and program for encryption during routing |
US7990947B2 (en) * | 2007-06-12 | 2011-08-02 | Robert W. Twitchell, Jr. | Network watermark |
US8635440B2 (en) * | 2007-12-13 | 2014-01-21 | Microsoft Corporation | Proxy with layer 3 security |
US20100005179A1 (en) * | 2008-07-03 | 2010-01-07 | Raytheon Company | Multi-Level Secure Network |
US8935529B2 (en) * | 2009-11-30 | 2015-01-13 | Telefonaktiebolaget L M Ericsson (Publ) | Methods and systems for end-to-end secure SIP payloads |
-
2012
- 2012-10-30 WO PCT/EP2012/071508 patent/WO2013064509A1/en active Application Filing
- 2012-10-30 US US14/354,615 patent/US9420001B2/en active Active
- 2012-10-30 BR BR112014010428-0A patent/BR112014010428B1/en active IP Right Grant
- 2012-10-30 SG SG11201401209SA patent/SG11201401209SA/en unknown
- 2012-10-30 EP EP12790807.7A patent/EP2774402B1/en active Active
Non-Patent Citations (2)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Service requirements for Machine-Type Communications (MTC); Stage 1 (Release 11)", 3GPP STANDARD; 3GPP TS 22.368, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG1, no. V11.3.0, 30 September 2011 (2011-09-30), pages 1 - 24, XP050554259 * |
3GPP: "3rd Generation Partnership Project;Technical Specification Group Services and System Aspects; Security aspects of Machine-Type Communications;(Release 11)", REVISION OF 3GPP STANDARD; 3GPP TR 33.868, July 2011 (2011-07-01), XP002692212, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/> * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017200194A (en) * | 2013-05-22 | 2017-11-02 | コンヴィーダ ワイヤレス, エルエルシー | Access network support type boot strapping |
US10243954B2 (en) | 2013-05-22 | 2019-03-26 | Convida Wireless, Llc | Access network assisted bootstrapping |
US11677748B2 (en) | 2013-05-22 | 2023-06-13 | Interdigital Patent Holdings, Inc. | Machine-to-machine network assisted bootstrapping |
EP3624474A1 (en) * | 2014-08-12 | 2020-03-18 | Vodafone IP Licensing limited | Machine-to-machine cellular communication security |
CN112887970A (en) * | 2014-08-12 | 2021-06-01 | 沃达方Ip许可有限公司 | Machine-to-machine cellular communication security |
Also Published As
Publication number | Publication date |
---|---|
BR112014010428B1 (en) | 2022-04-05 |
EP2774402B1 (en) | 2015-12-30 |
US9420001B2 (en) | 2016-08-16 |
BR112014010428A2 (en) | 2017-04-18 |
EP2774402A1 (en) | 2014-09-10 |
US20140304777A1 (en) | 2014-10-09 |
SG11201401209SA (en) | 2014-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2774402B1 (en) | Securing data communications in a communications network | |
US11737156B2 (en) | Establishing a session or cellular Internet of Things packet transmission | |
US20230337322A1 (en) | Network exposure function and wireless device with releasable connection | |
EP2923280B1 (en) | Systems and methods for accessing a network | |
US9204416B2 (en) | Gateway apparatus, control method therefor and computer program | |
US8594628B1 (en) | Credential generation for automatic authentication on wireless access network | |
AU2019293046B2 (en) | Handling failure of Non-3GPP access to 5GCN not being allowed | |
US20170289883A1 (en) | Emergency services handover between untrusted wlan access and cellular access | |
EP3275149B1 (en) | Configuration of liveness check timeout using ike messages | |
US20230262637A1 (en) | User equipment (ue) and communication control method | |
CN110249648B (en) | System and method for session establishment performed by unauthenticated user equipment | |
TW201507526A (en) | Trusted wireless local area network (WLAN) access scenarios | |
EP4156785A1 (en) | User equipment (ue) and communication control method | |
US20090305674A1 (en) | Device management in visited network | |
WO2020217224A1 (en) | Amf and scp behavior in delegated discovery of pcf | |
WO2022107783A1 (en) | User equipment (ue) | |
KR102103320B1 (en) | Mobile terminal, network node server, method and computer program | |
WO2022107782A1 (en) | User equipment (ue) | |
WO2022107781A1 (en) | User equipment (ue) | |
WO2022107780A1 (en) | User equipment (ue) | |
US20240163783A1 (en) | User equipment (ue) and communication control method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12790807 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012790807 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14354615 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REG | Reference to national code |
Ref country code: BR Ref legal event code: B01A Ref document number: 112014010428 Country of ref document: BR |
|
ENP | Entry into the national phase |
Ref document number: 112014010428 Country of ref document: BR Kind code of ref document: A2 Effective date: 20140430 |