WO2013064716A1 - Security mechanism for external code - Google Patents

Security mechanism for external code

Publication number
WO2013064716A1
WO2013064716A1 PCT/FI2011/050953 FI2011050953W WO2013064716A1 WO 2013064716 A1 WO2013064716 A1 WO 2013064716A1 FI 2011050953 W FI2011050953 W FI 2011050953W WO 2013064716 A1 WO2013064716 A1 WO 2013064716A1
Authority
WO
WIPO (PCT)
Prior art keywords
naf
server
external code
key
bootstrapping key
Legal status
Ceased
Application number
PCT/FI2011/050953
Other languages
English (en)
French (fr)
Inventor
Silke Holtmanns
Pekka Johannes Laitinen
Current Assignee
Nokia Inc
Original Assignee
Nokia Inc

Classifications

    • G06F21/33 User authentication using certificates
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/06 Authentication
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention generally relates to a security mechanism for an external code provided by an application web server.
  • the invention relates particularly, though not exclusively, to how a server, a phone browser and an operating system may enable secure usage of cellular based credentials from a browser via the external code, such as JavaScript code.
  • Scripting commands within web content such as an HTML document, written in JavaScript or a similar scripting language, are used.
  • Scripting commands executed on a PC-based browser may generate some or all of the information content available to a user of the PC-based browser.
  • the new multimedia capable mobile terminals provide an open development platform for application developers, allowing independent application developers to design new services and applications for the multimedia environment.
  • the users may, in turn, download the new applications/services to their mobile terminals and use them therein.
  • interaction of a security management module of the mobile terminal with an application web server is important for the overall security.
  • An improved solution for using the security management module of the mobile terminal, for web content comprising external code, such as JavaScript, retrieved from an external source, is needed.
  • a method for providing a security mechanism for an external code comprising:
  • Ks_NAF server specific bootstrapping key
  • determining a server identifier (NAF-Id) and generating the server specific bootstrapping key (Ks_NAF) based on the server identifier (NAF-Id);
  • KsJs_NAF external code specific bootstrapping key
  • the method further comprises determining the security token using a first random challenge (RAND1) and a second random challenge (RAND2).
  • the method may further comprise transmitting the second random challenge (RAND2) and the external code specific bootstrapping key (KsJs_NAF) to an application server for validation of the external code specific bootstrapping key (KsJs_NAF).
  • a response external code comprising the second random challenge (RAND2) and the external code specific bootstrapping key (KsJs_NAF) may be transmitted.
  • the method further comprises:
  • JS-GBA-API application programming interface
  • a transport layer security (TLS) tunnel may be established between a browser application of an apparatus and an application server.
  • the server identifier (NAF-Id) may be determined including a domain name (FQDN) and a security protocol identifier.
  • the security protocol identifier may be formed using a ciphersuite of a transport layer security (TLS).
  • the method further comprises generating the external code specific bootstrapping key (KsJs_NAF) with a key derivation function.
  • the external code may comprise a JavaScript code.
  • the method further comprises determining the security token using a transport layer security (TLS) master key.
  • TLS transport layer security
  • an apparatus comprising:
  • NAF-Id server identifier
  • the security token may be determined using a first random challenge (RAND1) and a second random challenge (RAND2).
  • the at least one memory and the computer program code being further configured to, with the at least one processor, cause the apparatus at least to:
  • the server identifier may be determined by including a domain name (FQDN) and a security protocol identifier.
  • the security token may be determined using a transport layer security (TLS) master key.
  • a computer program embodied on a computer readable medium comprising computer executable program code which, when executed by at least one processor of an apparatus, causes the apparatus to:
  • determine a server identifier (NAF-Id) and generate a server specific bootstrapping key (Ks_NAF) based on the server identifier (NAF-Id);
  • a method for providing a security mechanism for an external code comprising: transmitting the external code, wherein the external code comprising a request for a server specific bootstrapping key (Ks_NAF);
  • the method further comprising:
  • FQDN domain name
  • the method further comprising:
  • an application server comprising:
  • a computer program embodied on a computer readable medium comprising computer executable program code which, when executed by at least one processor of an application server, causes the application server to:
  • Any foregoing memory medium may comprise a digital data storage such as a data disc or diskette, optical storage, magnetic storage, holographic storage, opto-magnetic storage, phase-change memory, resistive random access memory, magnetic random access memory, solid-electrolyte memory, ferroelectric random access memory, organic memory or polymer memory.
  • the memory medium may be formed into a device without other substantial functions than storing memory or it may be formed as part of a device with other functions, including but not limited to a memory of a computer, a chip set, and a sub assembly of an electronic device.
  • Fig. 1 shows some details of the system architecture in which various embodiments of the invention may be applied
  • Fig. 2 shows some details of the system elements, in which various embodiments of the invention may be applied;
  • FIG. 3 shows a messaging diagram according to an embodiment of the invention
  • Fig. 4 presents an example block diagram of an application server in which various embodiments of the invention may be applied;
  • Fig. 5 presents an example block diagram of a user apparatus in which various embodiments of the invention may be applied;
  • Fig. 6 shows a flow diagram showing operations in a user apparatus in accordance with an example embodiment of the invention.
  • Fig. 7 shows a flow diagram showing operations in an application server in accordance with an example embodiment of the invention.
  • GAA Generic Authentication Architecture
  • GBA Generic Bootstrapping Architecture
  • Variants of GAA/GBA are standardized by Open Mobile Alliance (OMA) and CableLabs.
  • GAA/GBA is based on mobile algorithms AKA (Authentication and Key Agreement) for 3GPP.
  • the original purpose of the GAA/GBA procedures is to authenticate user equipment or a subscriber.
  • the GAA/GBA is used for improving security between an application server, a mobile terminal browser and an operating system of the mobile terminal.
  • secure usage of cellular based credentials is enabled from the browser via an external code that is downloaded from a server to the user apparatus within a webpage, for example.
  • the external code may comprise a JavaScript code, for example.
  • GAA/GBA is a multipurpose enabler that is used for example for Mobile TV and presence. By using this existing mechanism and associated infrastructure one may achieve the benefit that administrative costs and the amount of investment that needs to be made may be reduced.
  • an application server may be a web server providing a web service for a user.
  • the application server may also be untrusted by the network operator and comprise a network application function (NAF).
  • NAF network application function
  • Fig. 1 shows some details of the system architecture 100, in which various embodiments of the invention may be applied.
  • the system comprises a user apparatus, such as a user equipment (UE) 110, and an application server 120 providing web service(s). Additionally the system comprises a bootstrapping server function (BSF) 130 and a subscriber database 140, such as a home subscriber server (HSS) or home location register (HLR).
  • the apparatus 110 further comprises a GBA (Generic Bootstrapping Architecture) function block 150 configured to co-operate with the bootstrapping server function (BSF) and a network application function (NAF) client 160 configured to co-operate with the application server 120.
  • the network application function (NAF) client may comprise for example a browser.
  • the application server 120 may be administered by a different party compared to the bootstrapping server function (BSF) 130 and subscriber database 140, or they may be administered by the same party (which is typically the operator of the communication network in question).
  • BSF bootstrapping server function
  • a generic bootstrapping server function (BSF) 130 and the user equipment (UE) 110 shall mutually authenticate using the authentication and key agreement (AKA) protocol, and agree on keys that are afterwards applied between user equipment (UE) 110 and a network application function (NAF) of a server 120.
  • the network application function (NAF) is a functional module located in the service providing server 120.
  • transport layer security (TLS) and legacy authentication may be used.
  • HTTP hypertext transfer protocol
  • SIP session initiation protocol
  • Main functions of the network application function (NAF) module of the server 120 are service/user management (e.g., service subscription and unsubscription) and service key management (e.g., service key generation and delivery).
  • the bootstrapping server function (BSF) 130 shall restrict the applicability of the key material to a specific network application function (NAF) of a server 120 by using a key derivation procedure.
  • the key derivation procedure may be used with multiple network application functions (NAF) during the lifetime of the key material.
  • the lifetime of the key material is set according to the local policy of the bootstrapping server function (BSF) 130.
  • the bootstrapping server function (BSF) 130 is allowed to fetch any required authentication information, security information and subscriber profile information from a home subscriber system (HSS) 140.
  • the bootstrapping server function (BSF) 130 may interact with the home location register (HLR) instead of the home subscriber system (HSS) 140.
  • HLR home location register
  • the external code may be downloaded to the user apparatus and the concern may be that the secret of the GBA module is sent to the web server as-is.
  • Fig. 2 shows some details of the system elements, in which various embodiments of the invention may be applied.
  • the external code may comprise any code downloaded to an apparatus and potentially used or executed locally.
  • the external codes may be executed in installed applications, such as browsers or widgets, for example.
  • One example of external codes is JavaScript code.
  • For simplicity, the following example embodiments are described using JavaScript, but the embodiments are not limited to JavaScript and any external code may apply.
  • JavaScript may be used in the form of client-side JavaScript processed in a user equipment (UE) 110.
  • Running JavaScript 280 may be implemented as part of a web browser 210 in order to provide enhanced user interfaces and dynamic websites. This enables programmatic access to computational objects within a host environment.
  • the JavaScript 280 may be also used in applications outside web pages, for example in documents, site-specific browsers, and desktop widgets. JavaScript is also used for server-side web applications.
  • An application programming interface (API) is a particular set of rules ('code') and specifications that software programs can follow to communicate with each other. API serves as an interface between different software programs and facilitates their interaction.
  • a GBA API may be created, named as JS-GBA-API 220 in Fig.
  • the browser 210 of the user equipment (UE) 110 may communicate with a network application function (NAF) server 120 operating as an application service server for web content, for example.
  • the network application function (NAF) server 120 may comprise a GBA NAF module 250 and a server application 260, for example.
  • the interaction of a user apparatus security management module (GBA module, that is part of the OS) with an application web server is provided.
  • the security mechanism enables a secure usage of the security management module 240 from a browser 210 with JavaScript 280 coming from an external source 120.
  • When referring to GBA keys, the following keys are intended: Ks and NAF specific keys derived from the Ks.
  • Ks_ext/int_NAF in GBA_U context
  • Ks_NAF in GBA_ME context
  • Ks_ext_NAF is the same key as Ks_NAF, i.e., the NAF specific key used in the ME.
  • the Ks_ext_NAF is derived in the UICC in GBA_U context and given to the ME
  • Ks_NAF is derived in the ME in GBA_ME context. They may be both used the same way in the ME regardless of the context.
  • the Ks_int_NAF is derived in the UICC and it is used in the UICC.
  • the Ks_int_NAF is never given out from the UICC.
  • When referring to the KsJs_NAF key, the JavaScript key for the JavaScript code and the application server used instead of Ks_NAF or Ks_ext_NAF is intended.
  • the UE and the network application function (NAF) first have to agree whether to use the GBA.
  • When a UE wants to interact with a network application function (NAF), but it does not know if the network application function (NAF) requires the use of shared keys obtained by means of the GBA, the UE shall contact the network application function (NAF) for further instructions.
  • Fig. 3 shows a messaging diagram according to an embodiment of the invention. Not all messages and items shown need to be performed, the order of messages may vary, and more messages may be performed; the embodiment is not limited to the messages and items shown in Fig. 3.
  • a user apparatus such as a user equipment (UE) may start communication over reference point Ua with an application server, such as network application function (NAF) server without any generic bootstrapping architecture (GBA) related parameters.
  • a web browser 210 is considered to be a trusted application in the sense that a user trusts the browser 210 to handle security related functions properly and not to leak sensitive information like passwords to third parties.
  • the web browser 210 is divided into three functional blocks: An engine module 310, a JavaScript module 320 and a GBA-API module 330.
  • the engine module 310 handles basic functionalities for the web browser 210 like setting up transport layer security (TLS) with web servers 120, downloading web resources, and providing user interface information for the user.
  • the GBA API module 330 offers the application programming interface (API) towards any JavaScript code executing in the web browser 210.
  • API application programming interface
  • the web browser 210 and the GBA API 330 should not reveal any sensitive information to the JavaScript, nor should they accept any sensitive information from the JavaScript more than necessary.
  • the JavaScript module 320 executes the downloaded JavaScript. Any JavaScript code executed in the web browser 210 should be considered not trusted and should not be granted access to sensitive resources or the access to such resources should be controlled.
  • the depicted sequence flow diagram of Fig. 3 may be executed within a server authenticated transport layer security (TLS). Also, the web browser 210 may be in the process of downloading an HTML page, in which one of the linked JavaScript resources is called "gba.js".
  • the browser application 210 and the web server 120 establish a server authenticated transport layer security (TLS) tunnel.
  • a content download is requested by a browser application 210 of a user apparatus, such as a user equipment (UE).
  • the content may be, for example a web page provided by an application server 120, such as a web server.
  • the request of item 1 may comprise for example a HTTP request.
  • the web server 120 dynamically constructs the JavaScript code "gba.js" file by generating a server random challenge (RAND1) that is to be included in the JavaScript code and provided to GBA API 330 of the browser 210.
  • the RAND1 is also locally stored in the web server 120.
  • a JavaScript GBA application programming interface (API) 220 may be used to request and obtain a JavaScript specific GBA key (KsJs_NAF).
  • KsJs_NAF JavaScript specific GBA key
  • a random challenge RAND1 is included in the GBA API request in item 2.
  • the JavaScript specific GBA key (KsJs_NAF) request may also be forwarded to the GBA module 240 when received at the browser 210 and forwarded by the GBA module 240 to the GBA API 220 for further processing.
  • the web page with a JavaScript code 280 is loaded from the server 120 in item 3, as a HTTP response, for example.
  • the engine 310 of the web browser 210 starts to execute the JavaScript code "gba.js" in the JavaScript module 320.
  • the JavaScript code "gba.js" comes to a point where a call to GBA API 330 is made.
  • the call contains RAND1 as one of the parameters.
  • the JavaScript GBA API 330 stores the received RAND1.
  • the GBA API 330 also locates the relevant information about the JavaScript code, for example what HTML page it is executing, from what URL the HTML page was downloaded, and which TLS ciphersuite is used in the TLS tunnel.
  • a domain name (FQDN) of the web server (NAF) 120 may be extracted from the url of the web page, and the Ua security protocol identifier can be derived from the used TLS ciphersuite.
  • the domain name (FQDN) of the NAF server 120 and the Ua security protocol identifier form the network application function identifier (NAF-Id).
  • the GBA API module 330 makes a call to the GBA module 240 with the NAF-Id derived in item 6.
  • the GBA module 240 bootstraps with the bootstrapping function (BSF), in case there is no valid GBA master key Ks. From the Ks a NAF specific key (Ks_ext_NAF) is derived using the NAF-Id.
  • BSF bootstrapping function
  • the UICC 270 gives the CK and IK to the GBA module 240, which generates Ks from them by concatenating CK and IK, for example. Furthermore, the GBA module 240 generates the Ks_NAF using the Ks and the NAF-Id.
  • in GBA_U case, the UICC 270 keeps the CK and IK to itself, and generates the Ks_ext_NAF, which is then given to the GBA module 240.
  • in GBA_ME case all GBA specific functionality is implemented in the ME, and in GBA_U case part of the GBA functionality is implemented in the UICC 270.
  • Mainly Ks is kept in the UICC 270 and only the derived Ks_(ext)_NAF is given to the GBA Module 240.
  • GBA "master key" Ks is either generated in the ME (GBA_ME case) or in the UICC 270 (GBA_U case).
  • An application getting a required GBA key only deals with the GBA Module 240, and the GBA key is either Ks_NAF in GBA_ME case or Ks_ext_NAF in GBA_U case, respectively.
  • the application may then use the GBA key Ks_(ext)_NAF, regardless of the source.
  • the GBA module 240 returns the NAF specific key (Ks_ext_NAF) to browser's GBA API 330 with a bootstrapping transaction identifier (B-TID), and key lifetime, for example.
  • the GBA API 330 may generate a client side random challenge RAND2.
  • a security token may be determined using random challenge RAND1 and random challenge RAND2.
  • a JavaScript specific GBA key KsJs_NAF
  • Ks_ext_NAF server specific bootstrapping key
  • a key derivation function KDF may be used to produce the JavaScript specific GBA key as follows:
  • KsJs_NAF KDF (Ks_ext_NAF, RAND1
  • the RAND1 is the random challenge received from the server 120 and RAND2 is generated by the GBA API 330.
  • the Ks_(ext)_NAF may be processed to the GBA API 330 in JavaScript level.
  • the JavaScript function may be called for example GBA.getNAFKey(RAND1) and the function then returns KsJs_NAF and RAND2.
  • the GBA API 330 returns JavaScript specific KsJs_NAF key, RAND2, B-TID and key lifetime to the executing JavaScript module 320.
  • the JavaScript module 320 continues, in item 12, to execute and uses the KsJs_NAF key the way web server 120 has instructed (via JavaScript code "gba.js").
  • the JavaScript module 320 makes a request (e.g. HTTP request) to the web server 120.
  • This request may contain at least KsJs_NAF, RAND2, and B-TID.
  • the web server 120 may fetch the Ks_ext_NAF from the bootstrapping function (BSF), and then derive the KsJs_NAF with the received RAND2 and the stored RAND1.
  • the web server 120 may compare the received KsJs_NAF with the locally derived one for validation. If the received KsJs_NAF is valid, the web server 120 will continue to process the request made in item 13 and return the result to the JavaScript module 320 of the web browser 120 in item 15. Furthermore, the web server 120 may continue to execute the JavaScript code.
  • the NAF specific key (Ks_NAF) is not sent to server as such, which improves the security mechanism.
  • the JavaScript specific key (KsJs_NAF) is changed every time the GBA API 330 is used, because RAND1 and RAND2 are changed. Such a mechanism provides further security and replay protection, for example.
  • a different security token is used.
  • the web server 120 selects the JavaScript code "gba.js" file to be provided to GBA API 330 of the browser 210.
  • a JavaScript GBA application programming interface (API) 220 may be used to request and obtain a JavaScript specific GBA key (KsJs_NAF).
  • the JavaScript specific GBA key (KsJs_NAF) request may also be forwarded to the GBA module 240 when received at the browser 210 and forwarded by the GBA module 240 to the GBA API 220 for further processing.
  • the web page with a JavaScript code 280 is loaded from the server 120 in item 3, as an HTTP response, for example.
  • the engine 310 of the web browser 210 starts to execute the JavaScript code "gba.js" in the JavaScript module 320.
  • the JavaScript code "gba.js" comes to a point where a call to GBA API 330 is made.
  • the JavaScript GBA API 330 locates the relevant information about the JavaScript code, for example which HTML page it is executing, from which URL the HTML page was downloaded, and which transport layer security (TLS) ciphersuite is used in the TLS tunnel.
  • a domain name (FQDN) of the web server (NAF) 120 may be extracted from the URL of the web page, and the Ua security protocol identifier can be derived from the used TLS ciphersuite.
  • the domain name (FQDN) of the NAF server 120 and the Ua security protocol identifier form the network application function identifier (NAF-Id).
  • the GBA API module 330 makes a call to the GBA module 240 with the NAF-Id derived in item 6.
  • the GBA module 240 bootstraps with the bootstrapping function (BSF), in case there is no valid GBA master key Ks. From the Ks a NAF specific key (Ks_ext_NAF) is derived using the NAF-Id.
  • the UICC 270 gives the CK and IK to the GBA module 240, which generates Ks from them by concatenating CK and IK, for example. Furthermore, the GBA module 240 generates the Ks_NAF using the Ks and the NAF-Id. In the GBA_U case, the UICC 270 keeps the CK and IK to itself, and generates the Ks_ext_NAF, which is then given to the GBA module 240.
  • in the GBA_ME case all GBA specific functionality is implemented in the ME, and in the GBA_U case part of the GBA functionality is implemented in the UICC 270. Mainly Ks is kept in the UICC 270 and only the derived Ks_(ext)_NAF is given to the GBA Module 240. In other words, the GBA "master key" Ks is either generated in the ME (GBA_ME case) or in the UICC 270 (GBA_U case).
  • an application getting a required GBA key only deals with the GBA Module 240, and the GBA key is Ks_NAF in the GBA_ME case and Ks_ext_NAF in the GBA_U case. The application may then use the GBA key Ks_(ext)_NAF, regardless of the source.
  • the GBA module 240 returns the NAF specific key (Ks_(ext)_NAF) to browser's GBA API 330 with a bootstrapping transaction identifier (B-TID), and key lifetime, for example.
  • the browser's GBA API 330 may determine a security token.
  • the security token (TLS_MK_Extr) may be extracted from the transport layer security (TLS) master key using an exported function.
  • the label for the exported function may be "EXPORTER_3GPP_GBA_WEB", for example.
  • the security token (TLS_MK_Extr) may be used to derive a JavaScript specific key KsJs_NAF that is bound to the server authenticated TLS tunnel.
  • the GBA API 330 returns the JavaScript specific KsJs_NAF key, B-TID and key lifetime to the executing JavaScript module 320.
  • the JavaScript module 320 continues, in item 12, to execute and uses the KsJs_NAF key the way web server 120 has instructed (via JavaScript code "gba.js").
  • the JavaScript module 320 makes a request (e.g. HTTP request) to the web server 120.
  • This request may contain at least KsJs_NAF and B-TID.
  • the web server 120 may fetch the Ks_(ext)_NAF from the bootstrapping function (BSF) and determine the security token (TLS_MK_Extr), as done in item 10. The web server 120 may then derive the KsJs_NAF with the security token (TLS_MK_Extr). The web server 120 may compare the received KsJs_NAF with the locally derived one for validation. If the received KsJs_NAF is valid, the web server 120 will continue to process the request made in item 13 and return the result to the JavaScript module 320 of the web browser 120 in item 15. Furthermore, the web server 120 may continue to execute the JavaScript code.
  • the communication interface module 450 implements at least part of the data transmission discussed in connection with various embodiments of the invention.
  • the communication interface module 450 may be, e.g., a radio interface module, such as a WLAN, Bluetooth, GSM/GPRS, CDMA, WCDMA, or LTE (Long Term Evolution) radio module.
  • the communication interface module 450 may be integrated into the application server 400 or into an adapter, card or the like that may be inserted into a suitable slot or port of the application server 400.
  • the communication interface module 450 may support one radio interface technology or a plurality of technologies.
  • Fig. 4 shows one communication interface module 450, but the application server 400 may comprise a plurality of communication interface modules 550.
  • the communication interface module 450 provides data communication, for example, with a bootstrapping function (BSF), a home subscriber server (HSS), and an external content server.
  • the processor 410 may be, e.g., a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a graphics processing unit, or the like.
  • Fig. 4 shows one processor 410, but the application server 400 may comprise a plurality of processors.
  • the memory 420 may be for example a non-volatile or a volatile memory, such as a read-only memory (ROM), a programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), a random-access memory (RAM), a flash memory, a data disk, an optical storage, a magnetic storage, a smart card, or the like.
  • the application server 400 may comprise a plurality of memories.
  • the memory 420 may be constructed as a part of the application server 400 or it may be inserted into a slot, port, or the like of the application server 400.
  • the memory 420 may serve the sole purpose of storing data, or it may be constructed as a part of an apparatus serving other purposes, such as processing data.
  • a general bootstrapping architecture module (GBA) 440 may comprise a network application function (NAF).
  • GBA may be used between the network application function (NAF) and the UE for authentication purposes, and for securing the communication path between the UE and the network application function (NAF).
  • the UE and the network application function (NAF) can run some application specific protocol where the authentication of messages will be based on those session keys generated during the mutual authentication between the UE and the bootstrapping server function (BSF).
  • the application server 400 may comprise other elements, such as additional circuitry such as input/output (I/O) circuitry, memory chips, application-specific integrated circuits (ASIC), processing circuitry for specific purposes such as source coding/decoding circuitry, channel coding/decoding circuitry, ciphering/deciphering circuitry, and the like.
  • Fig. 5 presents an example block diagram of a user apparatus 500 in which various embodiments of the invention may be applied.
  • This may be a user equipment (UE), user device or apparatus, such as a mobile terminal, a laptop, a tablet, or other communication device.
  • the general structure of the user apparatus 500 comprises a communication interface module 550, a processor 510 coupled to the communication interface module 550, and a memory 520 coupled to the processor 510.
  • the user apparatus further comprises software 530 stored in the memory 520 and operable to be loaded into and executed in the processor 510.
  • the software 530 may comprise one or more software modules and can be in the form of a computer program product.
  • the user apparatus 500 further comprises a user interface controller 560 coupled to the processor 510.
  • the communication interface module 550 implements at least part of the user data radio discussed in connection with various embodiments of the invention.
  • the communication interface module 550 may be, e.g., a radio interface module, such as a WLAN, Bluetooth, GSM/GPRS, CDMA, WCDMA, or LTE (Long Term Evolution) radio module.
  • the communication interface module 550 may be integrated into the user apparatus 500 or into an adapter, card or the like that may be inserted into a suitable slot or port of the user apparatus 500.
  • the communication interface module 550 may support one radio interface technology or a plurality of technologies.
  • Fig. 5 shows one communication interface module 550, but the user apparatus 500 may comprise a plurality of communication interface modules 550.
  • the processor 510 may be, e.g., a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a graphics processing unit, or the like.
  • Fig. 5 shows one processor 510, but the user apparatus 500 may comprise a plurality of processors.
  • the memory 520 may be for example a non-volatile or a volatile memory, such as a read-only memory (ROM), a programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), a random-access memory (RAM), a flash memory, a data disk, an optical storage, a magnetic storage, a smart card, or the like.
  • the user apparatus 500 may comprise a plurality of memories.
  • the memory 520 may be constructed as a part of the apparatus 500 or it may be inserted into a slot, port, or the like of the user apparatus 500 by a user.
  • the memory 520 may serve the sole purpose of storing data, or it may be constructed as a part of an apparatus serving other purposes, such as processing data.
  • a universal integrated circuit card (UICC) 540 may be included as a smart card used in the user apparatus 500.
  • the universal integrated circuit card (UICC) 540 ensures the integrity and security of certain personal data.
  • the universal integrated circuit card (UICC) 540 may contain its unique serial number, internationally unique number of the mobile user (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to and passwords (PIN for usual use and PUK for unlocking).
  • the universal integrated circuit card (UICC) 540 may further comprise several applications, making it possible for the same smart card to give access to different networks, and also provide storage of a phone book and other applications.
  • the system may utilize an embedded security module for the key storage and processing.
  • the user interface controller 560 may comprise circuitry for receiving input from a user of the user apparatus 500, e.g., via a keyboard, graphical user interface shown on the display of the user apparatus 500, speech recognition circuitry, or an accessory device, such as a headset, and for providing output to the user via, e.g., a graphical user interface or a loudspeaker.
  • the user apparatus 500 may comprise other elements, such as microphones, displays, as well as additional circuitry such as input/output (I/O) circuitry, memory chips, application-specific integrated circuits (ASIC), processing circuitry for specific purposes such as source coding/decoding circuitry, channel coding/decoding circuitry, ciphering/deciphering circuitry, and the like. Additionally, the user apparatus 500 may comprise a disposable or rechargeable battery (not shown) for powering the user apparatus 500 when an external power supply is not available.
  • Fig. 6 shows a flow diagram showing operations in a user apparatus in accordance with an example embodiment of the invention.
  • the method is started.
  • an external code comprising a request for a server specific bootstrapping key (Ks_NAF) is received.
  • a server identifier NAF-Id
  • a server specific bootstrapping key Ks_NAF
  • a security token is determined.
  • an external code specific bootstrapping key (KsJs_NAF) is generated using the server specific bootstrapping key (Ks_NAF) and the security token.
  • the external code specific bootstrapping key (KsJs_NAF) is used for the security mechanism of the external code in step 660.
  • the method ends in step 670.
  • Fig. 7 shows a flow diagram showing operations in an application server in accordance with an example embodiment of the invention.
  • the method is started.
  • a script code comprising a request for a script code specific bootstrapping key (KsJs_NAF) is transmitted.
  • a server identifier (NAF-Id) is determined in step 720.
  • a server specific bootstrapping key (Ks_NAF) is generated using the server identifier (NAF-Id).
  • a security token is determined.
  • the script code specific bootstrapping key (KsJs_NAF) is generated using the server specific bootstrapping key (Ks_NAF) and the security token.
  • the script code specific bootstrapping key (KsJs_NAF) is used for the security mechanism of the script code in step 760.
  • the method ends in step 770.
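The two KsJs_NAF derivations described in the embodiments above (the RAND1/RAND2 variant and the TLS-token variant) and the server-side comparison, as an added Node.js example that is not code from the patent. HMAC-SHA256 is an assumed stand-in for the KDF, and `NafServer`, `deriveWithNonces`, `deriveWithTlsToken`, the B-TID string and all key material are hypothetical names and constructed values.

```javascript
// Added example, not the patent's code. HMAC-SHA256 is an assumed stand-in
// for the KDF, which the page leaves unspecified.
const crypto = require('node:crypto');

// KDF(Ks_(ext)_NAF, parts...): each part is length-prefixed so that the
// boundary between inputs such as RAND1 and RAND2 cannot be shifted.
function kdf(ksNaf, ...parts) {
  const h = crypto.createHmac('sha256', ksNaf);
  for (const p of parts) {
    const len = Buffer.alloc(2);
    len.writeUInt16BE(p.length);
    h.update(len).update(p);
  }
  return h.digest();
}

// Variant 1: bound to the server challenge RAND1 and the client nonce RAND2.
const deriveWithNonces = (ksNaf, rand1, rand2) => kdf(ksNaf, rand1, rand2);

// Variant 2: bound to the TLS tunnel through the exported token TLS_MK_Extr.
// In Node.js both ends could obtain it with
// tlsSocket.exportKeyingMaterial(32, 'EXPORTER_3GPP_GBA_WEB').
const deriveWithTlsToken = (ksNaf, tlsMkExtr) => kdf(ksNaf, tlsMkExtr);

// Constant-time comparison of the received key with the locally derived one.
function safeEqual(a, b) {
  return Buffer.isBuffer(b) && a.length === b.length && crypto.timingSafeEqual(a, b);
}

class NafServer {
  constructor(bsfLookup) {
    this.bsfLookup = bsfLookup; // models fetching Ks_(ext)_NAF from the BSF by B-TID
    this.pending = new Map();   // session id -> outstanding RAND1
  }
  issueChallenge(sessionId) {
    const rand1 = crypto.randomBytes(16);
    this.pending.set(sessionId, rand1);
    return rand1;
  }
  verifyNonces(sessionId, bTid, rand2, receivedKey) {
    const rand1 = this.pending.get(sessionId);
    this.pending.delete(sessionId); // RAND1 is single use: a replay finds nothing
    const ksNaf = this.bsfLookup(bTid);
    if (!rand1 || !ksNaf) return false;
    return safeEqual(deriveWithNonces(ksNaf, rand1, rand2), receivedKey);
  }
  verifyTlsBound(bTid, tlsMkExtr, receivedKey) {
    const ksNaf = this.bsfLookup(bTid);
    if (!ksNaf) return false;
    return safeEqual(deriveWithTlsToken(ksNaf, tlsMkExtr), receivedKey);
  }
}

function demo() {
  const ksNaf = crypto.randomBytes(32);        // constructed Ks_(ext)_NAF
  const bTid = 'constructed-btid@bsf.example'; // constructed B-TID
  const server = new NafServer((id) => (id === bTid ? ksNaf : null));

  // Variant 1: the first request passes, the identical replay is rejected.
  const rand1 = server.issueChallenge('s1');
  const rand2 = crypto.randomBytes(16);
  const key = deriveWithNonces(ksNaf, rand1, rand2);
  const first = server.verifyNonces('s1', bTid, rand2, key);
  const replay = server.verifyNonces('s1', bTid, rand2, key);

  // Variant 2: a key derived in tunnel A fails when presented over tunnel B.
  const tunnelA = crypto.randomBytes(32);      // constructed exporter output
  const tunnelB = crypto.randomBytes(32);
  const keyA = deriveWithTlsToken(ksNaf, tunnelA);
  const sameTunnel = server.verifyTlsBound(bTid, tunnelA, keyA);
  const otherTunnel = server.verifyTlsBound(bTid, tunnelB, keyA);
  return { first, replay, sameTunnel, otherTunnel };
}
```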

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
PCT/FI2011/050953 2011-10-31 2011-10-31 Security mechanism for external code Ceased WO2013064716A1 (en)

Priority Applications (18)

Application Number Priority Date Filing Date Title
RU2014118918/08A RU2582863C2 (ru) 2011-10-31 2011-10-31 Security mechanism for external code
JP2014539369A JP2015501613A (ja) 2011-10-31 2011-10-31 Security mechanism for external code
KR1020147014546A KR20140095523A (ko) 2011-10-31 2011-10-31 Security mechanism for external code
IN3915CHN2014 IN2014CN03915A 2011-10-31 2011-10-31
EP11875098.3A EP2774068A4 (en) 2011-10-31 2011-10-31 Security mechanism for external code
BR112014010472A BR112014010472A2 (pt) 2011-10-31 2011-10-31 method for providing a security mechanism for an external code; apparatus; computer program embodied on a computer-readable medium; and application server
AU2011380272A AU2011380272A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code
AP2014007624A AP3955A (en) 2011-10-31 2011-10-31 Security mechanism for external code
SG11201401950PA SG11201401950PA (en) 2011-10-31 2011-10-31 Security mechanism for external code
US14/354,904 US20150163669A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code
CA2853867A CA2853867A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code
UAA201405037A UA108957C2 (uk) 2011-10-31 2011-10-31 Security mechanism for external program code
CN201180076059.3A CN104011730A (zh) 2011-10-31 2011-10-31 External code security mechanism
PCT/FI2011/050953 WO2013064716A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code
PH1/2014/500964A PH12014500964A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code
MX2014005223A MX2014005223A (es) 2011-10-31 2011-10-31 Security mechanism for external code.
IL232374A IL232374A0 (en) 2011-10-31 2014-04-30 Security mechanism for external code
ZA2014/03900A ZA201403900B (en) 2011-10-31 2014-05-28 Security mechanism for external code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2011/050953 WO2013064716A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code

Publications (1)

Publication Number Publication Date
WO2013064716A1 true WO2013064716A1 (en) 2013-05-10

Family

ID=48191420

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2011/050953 Ceased WO2013064716A1 (en) 2011-10-31 2011-10-31 Security mechanism for external code

Country Status (18)

Country Link
US (1) US20150163669A1
EP (1) EP2774068A4
JP (1) JP2015501613A
KR (1) KR20140095523A
CN (1) CN104011730A
AP (1) AP3955A
AU (1) AU2011380272A1
BR (1) BR112014010472A2
CA (1) CA2853867A1
IL (1) IL232374A0
IN (1) IN2014CN03915A
MX (1) MX2014005223A
PH (1) PH12014500964A1
RU (1) RU2582863C2
SG (1) SG11201401950PA
UA (1) UA108957C2
WO (1) WO2013064716A1
ZA (1) ZA201403900B

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
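WO2015014171A1 (zh) * 2013-07-31 2015-02-05 华为技术有限公司 Authentication method, method for generating credentials, and related apparatus
CN108702615A (zh) * 2016-02-12 2018-10-23 瑞典爱立信有限公司 Securing an interface and a process for establishing a secure communication link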
EP3718330A4 (en) * 2017-11-29 2021-05-26 Telefonaktiebolaget LM Ericsson (publ) MEETING KEY STRUCTURE

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014067543A1 (en) * 2012-10-29 2014-05-08 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for securing a connection in a communications network
US9253185B2 (en) * 2012-12-12 2016-02-02 Nokia Technologies Oy Cloud centric application trust validation
WO2015057116A1 (en) * 2013-10-15 2015-04-23 Telefonaktiebolaget L M Ericsson (Publ) Establishing a secure connection between a master device and a slave device
CN105814834B (zh) 2013-12-20 2019-12-20 诺基亚技术有限公司 Push-based trust model for public cloud applications
US9736686B2 (en) * 2015-01-19 2017-08-15 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatus for direct communication key establishment
CN106487501B (zh) * 2015-08-27 2020-12-08 华为技术有限公司 Key distribution and receiving methods, key management center, and first and second network elements
US10129235B2 (en) 2015-10-16 2018-11-13 Qualcomm Incorporated Key hierarchy for network slicing
FR3077175A1 (fr) * 2018-01-19 2019-07-26 Orange Technique for determining a key for securing communication between a user equipment and an application server
CN110831002B (zh) * 2018-08-10 2021-12-03 华为技术有限公司 Key derivation method, apparatus, and computer storage medium
US20220086632A1 (en) * 2019-01-14 2022-03-17 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for security
CN113015159B (zh) * 2019-12-03 2023-05-09 中国移动通信有限公司研究院 Initial security configuration method, security module, and terminal
US12500744B2 (en) * 2021-09-17 2025-12-16 Qualcomm Incorporated Securing application communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060236106A1 (en) 2005-04-18 2006-10-19 Sarvar Patel Providing fresh session keys
US20070234041A1 (en) * 2006-03-28 2007-10-04 Nokia Corporation Authenticating an application
WO2010095988A1 (en) * 2009-02-18 2010-08-26 Telefonaktiebolaget L M Ericsson (Publ) User authentication

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
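CN100379315C (zh) * 2005-06-21 2008-04-02 华为技术有限公司 Method for authenticating a user terminal
CN1929370A (zh) * 2005-09-05 2007-03-14 华为技术有限公司 Method and system for determining the key used for authentication when a user accesses an authentication proxy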
US20070101122A1 (en) * 2005-09-23 2007-05-03 Yile Guo Method and apparatus for securely generating application session keys
US20070086590A1 (en) * 2005-10-13 2007-04-19 Rolf Blom Method and apparatus for establishing a security association
CN103001940A (zh) * 2007-10-05 2013-03-27 交互数字技术公司 Method for use by a WTRU for establishing a secure local key
WO2009070075A1 (en) * 2007-11-30 2009-06-04 Telefonaktiebolaget Lm Ericsson (Publ) Key management for secure communication
CN102379114B (zh) * 2009-04-01 2015-10-07 瑞典爱立信有限公司 Security key management in IMS-based multimedia broadcast and multicast services (MBMS)
RU101231U1 (ru) * 2010-03-02 2011-01-10 Закрытое акционерное общество "Лаборатория Касперского" Security management system for a mobile computing device
EP2695410B1 (en) * 2011-04-01 2017-04-19 Telefonaktiebolaget LM Ericsson (publ) Methods and apparatuses for avoiding damage in network attacks

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) (Release 10)", 3GPP TS 33.222 V10.0.0 (2010-10), 8 October 2010 (2010-10-08), XP050459860, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Specs/html-info/33222.htm> [retrieved on 20120821] *
ERICSSON ET AL., SECURITY ENHANCEMENT FOR USAGE OF GBA FROM BROWSER
NOKIA ET AL., GBA USAGE WITH WEB BROWSER
See also references of EP2774068A4

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
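WO2015014171A1 (zh) * 2013-07-31 2015-02-05 华为技术有限公司 Authentication method, method for generating credentials, and related apparatus
CN104348801A (zh) * 2013-07-31 2015-02-11 华为技术有限公司 Authentication method, method for generating credentials, and related apparatus
CN104348801B (zh) * 2013-07-31 2018-05-04 华为技术有限公司 Authentication method, method for generating credentials, and related apparatus
CN108702615A (zh) * 2016-02-12 2018-10-23 瑞典爱立信有限公司 Securing an interface and a process for establishing a secure communication link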
EP3718330A4 (en) * 2017-11-29 2021-05-26 Telefonaktiebolaget LM Ericsson (publ) MEETING KEY STRUCTURE

Also Published As

Publication number Publication date
AU2011380272A1 (en) 2014-05-22
MX2014005223A (es) 2014-09-01
EP2774068A4 (en) 2015-08-05
US20150163669A1 (en) 2015-06-11
BR112014010472A2 (pt) 2017-04-18
AP2014007624A0 (en) 2014-05-31
EP2774068A1 (en) 2014-09-10
SG11201401950PA (en) 2014-09-26
RU2582863C2 (ru) 2016-04-27
IL232374A0 (en) 2014-06-30
RU2014118918A (ru) 2015-12-10
JP2015501613A (ja) 2015-01-15
KR20140095523A (ko) 2014-08-01
IN2014CN03915A 2015-10-16
CN104011730A (zh) 2014-08-27
AP3955A (en) 2016-12-22
UA108957C2 (uk) 2015-06-25
CA2853867A1 (en) 2013-05-10
PH12014500964A1 (en) 2014-06-30
ZA201403900B (en) 2017-05-31

Similar Documents

Publication Publication Date Title
US20150163669A1 (en) Security mechanism for external code
CN103004244B (zh) Generic bootstrapping architecture usage with Web applications and web pages
US10013548B2 (en) System and method for integrating two-factor authentication in a device
CN111327583B (zh) Identity authentication method, smart device, and authentication server
US8943321B2 (en) User identity management for permitting interworking of a bootstrapping architecture and a shared identity service
US8606234B2 (en) Methods and apparatus for provisioning devices with secrets
JP5599870B2 (ja) Method and apparatus for creating a secure web browsing environment using privileged signatures
US11910194B2 (en) Secondary device authentication proxied from authenticated primary device
US20110264913A1 (en) Method and apparatus for interworking with single sign-on authentication architecture
EP2416540A1 (en) Using a trusted-platform-based shared-secret derivation and WWAN infrastructure-based enrollment to establish a secure local channel
WO2009130370A1 (en) Methods, apparatuses, and computer program products for providing a single service sign-on
US11570620B2 (en) Network profile anti-spoofing on wireless gateways
CN103733591B (zh) Binding a removable module to an access terminal
CN109286933B (zh) Authentication method, apparatus, system, computer device, and storage medium
US8091122B2 (en) Computer program product, apparatus and method for secure HTTP digest response verification and integrity protection in a mobile terminal
Rath et al. Encryption-based second authentication factor solutions for qualified server-side signature creation
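JP2020173642A (ja) Conversion program, conversion device, and conversion method
CN101317181B (zh) Device and method for secure authentication response in a mobile terminal
CN118265031B (zh) Information security method, apparatus, communication device, and storage medium
KR101046102B1 (ko) Malicious code processing method, and apparatus and system therefor
CN118803762A (zh) Authentication capability exposure method, apparatus, device, system, medium, and program product
CN108684034A (zh) Data transmission method and apparatus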

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 11875098; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase Ref document number: 2853867; Country of ref document: CA
ENP Entry into the national phase Ref document number: 2014539369; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase Ref country code: DE
WWE Wipo information: entry into national phase Ref document number: 2014001151; Country of ref document: CL; Ref document number: 232374; Country of ref document: IL; Ref document number: MX/A/2014/005223; Country of ref document: MX
ENP Entry into the national phase Ref document number: 2011380272; Country of ref document: AU; Date of ref document: 20111031; Kind code of ref document: A
WWE Wipo information: entry into national phase Ref document number: 2011875098; Country of ref document: EP
ENP Entry into the national phase Ref document number: 20147014546; Country of ref document: KR; Kind code of ref document: A
ENP Entry into the national phase Ref document number: 2014118918; Country of ref document: RU; Kind code of ref document: A
WWE Wipo information: entry into national phase Ref document number: 14354904; Country of ref document: US
REG Reference to national code Ref country code: BR; Ref legal event code: B01A; Ref document number: 112014010472; Country of ref document: BR
ENP Entry into the national phase Ref document number: 112014010472; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20140430