WO2013113647A1 - Call handover between cellular communication system nodes that support different security contexts - Google Patents

Call handover between cellular communication system nodes that support different security contexts Download PDF

Info

Publication number
WO2013113647A1
WO2013113647A1 PCT/EP2013/051550 EP2013051550W WO2013113647A1 WO 2013113647 A1 WO2013113647 A1 WO 2013113647A1 EP 2013051550 W EP2013051550 W EP 2013051550W WO 2013113647 A1 WO2013113647 A1 WO 2013113647A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
client
cryptographic key
sgsn
generate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2013/051550
Other languages
English (en)
French (fr)
Inventor
Karl Norrman
Monika WIFVESSON
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB filed Critical Telefonaktiebolaget LM Ericsson AB
Priority to JP2014553747A priority Critical patent/JP6085615B2/ja
Priority to IN6111DEN2014 priority patent/IN2014DN06111A/en
Priority to EP13702958.3A priority patent/EP2810463B1/en
Priority to RU2014135463A priority patent/RU2630175C2/ru
Priority to CA2861941A priority patent/CA2861941A1/en
Priority to CN201380007316.7A priority patent/CN104067648B/zh
Publication of WO2013113647A1 publication Critical patent/WO2013113647A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0011Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0055Transmission or use of information for re-establishing the radio link
    • H04W36/0066Transmission or use of information for re-establishing the radio link of control information between different types of networks in order to establish a new radio link in the target network

Definitions

  • the present invention relates to cellular communication systems, and more particularly to the handover of calls between cellular communication systems that support different security contexts.
  • Cellular communication systems typically comprise a land-based network that provides wireless coverage to mobile terminals that can continue to receive service while moving around within the network's coverage area.
  • the term “cellular” derives from the fact that the entire coverage area is divided up into so-called “cells”, each of which is typically served by a particular radio transceiver station (or equivalent) associated with the land-based network.
  • Such transceiver stations are often generically referred to as “base stations”, even when particular communication standards setting bodies apply different terminology (e.g., "NodeB” in WCDMA, and “eNodeB” in LTE) for the purpose of very precisely pointing out the distinctive capabilities and architectures of their version of the base station.
  • FIG. 1 illustrates a cellular communication system providing a system coverage area 101 by means of a plurality of cells 103.
  • UE User Equipment
  • UE The mobile communication equipment
  • UE must operate in a way that is compatible with the system with which it is expected to communicate.
  • UEs are often designed to be compatible with more than one system. In one respect, this enables a user to continue using the UE as it is carried from a geographical area covered by one type of communication system into another area, served by a different type of communication system.
  • FIG. 2 depicts a portion of a cellular communication system in which a UE 201 is presently being served within a first cell 203 that is supported by equipment 205 that conforms to an older communications standard (e.g., one of the 2G - e.g., GERAN - or 3G - e.g., UTRAN - standards).
  • an older communications standard e.g., one of the 2G - e.g., GERAN - or 3G - e.g., UTRAN - standards.
  • the UE 201 is in the vicinity of a second (neighboring) cell 207 that is supported by equipment 209 that conforms to a newer communication standard (e.g., a 4G specification, such as E-UTRAN which is also known as "Long Term Evolution" or "LTE").
  • a newer communication standard e.g., a 4G specification, such as E-UTRAN which is also known as "Long Term Evolution" or "LTE"
  • the foregoing and other objects are achieved in, for example, methods and apparatuses for operating a first node to generate a security context for a client in a cellular communication system, wherein the first node comprises processing circuitry.
  • Such operation includes the first node receiving at least one cryptographic key from a second node, and receiving identities of security algorithms supported by the client from a third node. The at least one cryptographic key and the identities are used to generate the security context for the client.
  • the first and third nodes are packet switched nodes and the second node is a circuit switched node.
  • the first node can be an MME
  • the second node can be an MSC
  • the third node can be an SGSN.
  • the first node is a first SGSN
  • the second node is an MSC
  • the third node is a second SGSN.
  • operation further comprises the first node receiving one or more authentication vectors from the second node.
  • the authentication vectors received from the second node are then discarded.
  • operation comprises using one or more of the at least one cryptographic key to protect traffic between a fourth node and the client.
  • operation includes deriving a key for an Access Security Management Entity (K_ASME) from one or more of the at least one cryptographic key.
  • K_ASME Access Security Management Entity
  • operation includes receiving, from the third node, packet switched encryption keys for use in a packet switched connection, and discarding the packet switched encryption keys.
  • operation includes receiving at least one authentication vector from the third node and storing the received at least one authentication vector.
  • operation includes receiving additional information from the third node, and in some of these embodiments using the at least one cryptographic key and the identities to generate the security context for the client includes using the at least one
  • Some embodiments cover operation in both the first and second nodes, such that the second node generates at least one new cryptographic key from at least one existing key associated with the client and a nonce generated by the second node, and communicates the at least one new cryptographic key to the first node.
  • the first node then receives identities of security algorithms supported by the client from a third node and uses the at least one cryptographic key and the identities to generate the security context for the client.
  • FIG. 1 illustrates a cellular communication system providing a system coverage area by means of a plurality of cells.
  • FIG. 2 depicts a portion of a cellular communication system in which a UE is presently being served within a first cell that is supported by equipment that conforms to an older communications standard (e.g., one of the 2G or 3G standards) and that should be handed over to a second cell that is supported by equipment that conforms to a newer communications standard.
  • an older communications standard e.g., one of the 2G or 3G standards
  • FIG. 3 depicts aspects of signaling involved in the handover of a call from source UTRAN or GERA supporting equipment operating in the circuit switched domain to target UTRAN/GERAN supporting equipment operating in the PS domain.
  • FIG. 4 depicts aspects of signaling involved in the handover of a call from source UTRAN or GERA supporting equipment operating in the CS domain to target E-UTRAN (i.e., 4G equipment) supporting equipment operating in the PS domain.
  • E-UTRAN i.e., 4G equipment
  • FIG. 5 is, in one respect, a flow chart of steps/processes performed by a target PS node in accordance with some but not necessarily all exemplary embodiments of a handover mechanism consistent with the invention.
  • FIG. 6 is a signaling diagram of aspects of one embodiment of handover signaling and steps consistent with the invention.
  • FIG. 7 is a signaling diagram of an alternative embodiment of handover signaling and steps consistent with the invention.
  • FIG. 8 is a block diagram of a target node (e.g., SGSN/MME) that operates in the PS domain.
  • a target node e.g., SGSN/MME
  • circuitry configured to perform one or more described actions is used herein to refer to any such embodiment (i.e., one or more specialized circuits and/or one or more programmed processors).
  • the invention can additionally be considered to be embodied entirely within any form of computer readable carrier, such as solid- state memory, magnetic disk, or optical disk containing an appropriate set of computer instructions that would cause a processor to carry out the techniques described herein.
  • any such form of embodiments as described above may be referred to herein as "logic configured to” perform a described action, or alternatively as “logic that” performs a described action.
  • 3GPP TSG SA WG3 (3rd Generation Partnership Project Technical Specification Group System Architecture Work Group 3)
  • E-UTRAN Evolved-Universal Terrestrial Radio Access Network
  • HSS Home Subscriber Server
  • IMS IP Multimedia Subsystem
  • IMSI International Mobile Subscriber Identity
  • ISDN Integrated Services Digital Network
  • LA Lication Area
  • MSC Mobile Switching Centre
  • MSISDN Mobile Subscriber ISDN
  • NONCE Numberer Used Once
  • PLMN Public Land Mobile Network
  • PRNG Pulseudo Random Number Generator
  • RNC Radio Network Controller
  • SIM Subscriber Identity Module
  • SRNC Serving RNC
  • SRVCC Single Radio Voice Call Continuity
  • ⁇ UTRAN Universal Terrestrial Radio Access Network
  • the 4G network node to which a call is to be handed over should receive information indicating what the UE's 4G security parameters (e.g., keys, selected and supported ciphering algorithms, etc.) are. But consider what happens during a conventional handover from 2G/3G equipment to 4G equipment:
  • Any 2G/3G call (which can operate in either circuit switched - CS - or packet switched -
  • PS - mode PS - mode
  • 4G equipment which operates exclusively in a PS mode
  • SGSN PS equipment
  • MSC CS equipment
  • the UE attaches to the network in the packet switched domain it provides the SGSN with the so-called "UE Network capabilities", which includes the security algorithms that the terminal supports in E-UTRAN.
  • UE Network capabilities includes the security algorithms that the terminal supports in E-UTRAN.
  • Clause 6.14 of 3GPP TS 23.060 VI 0.6.0 (2011 -12) specifies that the "radio access classmark" contains the "UE Network capability.”
  • the "UE Network capability” contains the E-UTRAN security algorithms supported by the UE.
  • clause 6.14.1 of 3GPP TS 23.060 states that the UE (referred to in the specification as “MS”, “Mobile Station” for historical reasons) sends the radio access capability to the network.
  • the interested reader can refer to 3GPP TS 23.060 for more information about this aspect.
  • the UE does not provide the "UE Network capability" to the network (in this case, the MSC), but instead only provides its 2G/3G
  • the Packet Switched Inter RAT handover from UTRAN (3G) to E-UTRAN (4G) is described in clause 5.5.2.2 of 3GPP TS 23.401 VIO.6.0 (2011-12).
  • step 3 Forward relocation request
  • the security parameters e.g., keys, selected and supported ciphering algorithms, etc.
  • the MM context contains security related information, such as UE
  • the UE Network capabilities includes the E-UTRAN security capabilities, which include for example the identities of the LTE encryption and integrity algorithms the UE supports (these algorithm identifiers are called EPS encryption algorithms and EPS integrity protection algorithms in the LTE security specification TS 33.401).
  • the Packet Switched Inter RAT handover from GERAN to E-UTRAN is described in clause 5.5.2.4 of 3GPP TS 23.401.
  • the principle of having the source node (SGSN for the PS domain) forward the UE Network capabilities to the target node is exactly the same as the specified handover procedure when the call originates in the CS domain.
  • the source node is an MSC which, as mentioned above, does not have the UE's E-UTRAN security capabilities.
  • FIG. 3 depicts aspects of signaling involved in the handover of a call from source UTRAN or GERAN supporting equipment operating in the CS domain to target UTRAN supporting equipment operating in the PS domain.
  • the illustrated components that participate in this signaling are a UE 301, a source BSC/RNC 303, a target RNC 305, an MSC server 307, a source SGSN/MME 309, and a target SGSN 311.
  • the UE 301 is engaged in a CS call, supported by the various source UTRAN or GEPvAN equipment.
  • a decision being made to perform the CS (UTRAN or
  • step 1 the source BSC/RNC 303 sends a "HO required" message to the MSC server 307.
  • the MSC server 307 then generates (step 313) a NONCE M sc, and uses this to generate a cryptographic key in accordance with:
  • IK' P S KDF(CKcs, HC CS , NONCE M sc), where the symbol "
  • step 2 the MSC server 307 communicates a "CS to PS HO request" to the target SGSN 31 1 , and includes the generated cryptographic key (CK' PS
  • step 3 the target SGSN 311 sends a "Context request" to the source SGSN/MME 309 for the purpose of requesting context information for the UE 301.
  • the SGSN/MME 309 then sends a "Context response" (including the requested information) back to the target SGSN 311 (step 4).
  • the target SGSN 31 1 receives a GPRS Kc * and a CKSN* PS from the MSC server 307 enhanced for SRVCC, then the target SGSN 31 1 computes (step 315) CK' PS and IK' PS from the GPRS Kc'.
  • the target SGSN 311 associates the CK PS and IK PS with KSI' PS , which is set equal to CKSN'ps received from the source MSC server 307 enhanced for SRVCC.
  • the target SGSN 311 then sends the CK PS , IK' PS to the target RNC 305 (step 5).
  • the target RNC 305 sends an Allocate resources response (step 6).
  • step 7 the target SGSN 311 sends a CS to PS HO Response message to the source MSC server 307.
  • step 8 the MSC server 307 sends a CS to PS HO Response to the source BSC/RNC 303.
  • This CS to PS HO Response includes, among other things, the NONCE M sc-
  • step 9 the source BSC/RNC 303 sends a CS to PS HO command to the UE 301.
  • This command includes, among other things, the NONCE M sc-
  • the UE 301 uses the received NONCE MSC to derive CK' PS and IK' PS using key derivation formulas specified by the applicable standard (step 317).
  • step 10 the UE 301 returns a CS to PS HO Confirmation to the target RNC 305.
  • FIG. 4 depicts aspects of signaling involved in the handover of a call from source UTRAN or GERAN supporting equipment operating in the CS domain to target E-UTRAN (i.e., 4G equipment) supporting equipment operating in the PS domain.
  • the illustrated components that participate in this signaling are a UE 401 , a source BSC/RNC 403, a target eNB 405, an MSC server 407, a source SGSN/MME 409, and a target MME 41 1.
  • the UE 401 is engaged in a CS call, supported by the various source UTRAN or GERAN equipment.
  • the source BSC/RNC 403 sends a "HO required" message to the MSC server 407.
  • the MSC server 407 then generates (step 413) a NONCE M sc, and uses this to generate a cryptographic key in accordance with:
  • IK' P S KDF(CKcs, HC CS , NONCE M sc), where the symbol "
  • step 2' the MSC server 407 communicates a "CS to PS HO request" to the target
  • MME 411 includes the generated cryptographic key (CK' PS
  • step 3' the target MME 411 sends a "Context request" to the source SGSN/MME 409 for the purpose of requesting context information for the UE 401.
  • the SGSN/MME 409 then sends a "Context response" (including the requested information) back to the target MME 411 (step 4') ⁇
  • the target MME 411 creates a mapped EPS security context by setting the K' ASME of the mapped EPS security context equal to the concatenation CK' PS
  • the target MME 41 1 further associates the K' A S ME with a KSISGSN- The value of the KSISGSN is the same as the value of the KSI'ps received in the CS to PS handover request.
  • the target MME 41 1 derives K eNB by applying the KDF as defined in the applicable standard, using the mapped key K' ASME and 2 32 -l as the value of the uplink NAS COUNT parameter.
  • the uplink and downlink NAS COUNT values for the mapped EPS security context are set to start value (i.e., 0) in the target MME 411.
  • the target MME 41 1 then sends the K eNB and NAS parameters to the target eNB 405
  • step 5 the target eNB 405 sends an Allocate resources response (step 6').
  • step 7' the target MME 41 1 sends a CS to PS HO Response message to the source MSC server 407.
  • step 8 ' the MSC server 407 sends a CS to PS HO Response to the source BSC/RNC 403.
  • This CS to PS HO Response includes, among other things, the NONCE M sc-
  • step 9' the source BSC/RNC 403 sends a CS to PS HO command to the UE 401.
  • This command includes, among other things, the NONCE M sc- The UE 401 uses the received
  • NONCE M SC to derive K' A S ME , associate it with KSISGSN received in the NAS Security Transparent Container IE and derive NAS keys and Ke B following the same key derivations as the MSC server 407 and target MME 411 performed in steps 2', 3' and 4' (step 417), all as specified by the applicable standard.
  • step 10' the UE 401 returns a CS to PS HO Confirmation to the target eNB 405.
  • the mapped EPS security context established as above becomes the current EPS security context at AS.
  • FIG. 5 is a flow chart of steps/processes performed by a target PS node (e.g., a Target SGSN or Target MME) in accordance with some but not necessarily all exemplary embodiments of the invention.
  • FIG. 5 can be considered to depict exemplary means 500 comprising the various illustrated circuitry (e.g., hard-wired and/or suitably programmed processor) configured to perform the described functions.
  • the target PS node can, in the context of this processing, be considered a "first node" that generates a security context for a client in a cellular communication system.
  • the first node receives at least one cryptographic key from a second node (step 501).
  • the second node can be a source CS node such as an MSC.
  • the first node solicits from a third node (e.g., a source SGSN), and in response receives, identities of security algorithms supported by the client (step 503).
  • a third node e.g., a source SGSN
  • the first node may also receive other information such as one or more authentication vectors and/or cryptographic key(s).
  • the first node then uses the at least one cryptographic key received from the second node and the security algorithm identities to generate the security context for the client (step 505).
  • authentication vectors received from the second node may be used as well.
  • the first node has generated the security context for the client.
  • the first node may perform any one or combination of additional functions, such as but not limited to:
  • the target PS node is an SGSN
  • saving e.g., if the target PS node is an MME
  • additional information received from the second and/or third nodes e.g., authentication vectors received from the second and/or third nodes.
  • Saving the authentication vectors can be useful, for example, if the target PS node is an MME and a later handover will be made to the exact same source SGSN from which they were received (in which case, the authentication vectors are returned to the SGSN at the time of that later handover).
  • FIG. 6 is a signaling diagram of one embodiment consistent with the invention.
  • this diagram focuses on aspects that support a target PS node being able to create a security context for a client as part of a handover of a call from source UTRAN or GERAN supporting equipment operating in the CS domain to target UTRAN supporting equipment operating in the PS domain.
  • An aspect of the illustrated embodiment is that the target PS node collects security related information from the source PS node and also from the source CS node, and selected parts of the collected information are combined to generate a new set of security related information. This is described in greater detail in the following.
  • the illustrated components that participate in the signaling of this exemplary embodiment are a UE 601 (client), a source BSC/RNC 603, a target RNC 605, an MSC server 607, a source SGSN/MME 609, and a target SGSN 61 1.
  • the UE 601 is engaged in a CS call, supported by the various source UTRAN or GERAN equipment.
  • the source BSC/RNC 603 sends a "HO required" message to the MSC server 607.
  • the MSC server 607 then generates (step 613) a ONCE M sc, and uses this and existing keys shared with the UE 601 to generate a cryptographic key in accordance with:
  • IK' P S KDF(CKcs, IK CS , NONCE M sc), where the symbol "
  • step 2 the MSC server 607 communicates a "CS to PS HO request" to the target
  • SGSN 611 includes the generated cryptographic key (CK' PS
  • step 3 the target SGSN 611 sends a "Context request" to the source SGSN/MME 609 for the purpose of requesting context information for the UE 601.
  • dashed lines used here and in other representations of signaling represent an optional step.
  • SGSN/MME 609 then sends a "Context response" (including the requested information which includes the PS cryptographic keys and other security parameters such as the IDs of security algorithms supported by the UE 601) back to the target SGSN 611 (step 4").
  • Context response including the requested information which includes the PS cryptographic keys and other security parameters such as the IDs of security algorithms supported by the UE 601
  • step 615 the target SGSN 611 performs:
  • the data in the AVs may be used to re- authenticate the UE 601
  • step 615 the signaling is in accordance with steps 5, 6, 7, 8, 9, and 10 such as are shown in FIG. 3 and described in FIG. 3's supporting text above.
  • FIG. 7 is a signaling diagram of an alternative embodiment consistent with the invention.
  • this diagram focuses on aspects that support a target PS node being able to create a security context for a client as part of a handover of a call from source UTRAN or GERAN supporting equipment operating in the CS domain to target E-UTRAN (i.e., 4G) supporting equipment operating in the PS domain.
  • the illustrated components that participate in this signaling are a UE 701 (client), a source BSC/RNC 703, a target eNB 705, an MSC server 707, a source SGSN/MME 709, and a target MME 711.
  • the UE 701 is engaged in a CS call, supported by the various source UTRAN or
  • the source BSC/RNC 703 sends a "HO required" message to the MSC server 707.
  • the MSC server 707 then generates (step 713) a NONCEMSc, and uses this to generate new cryptographic keys from existing keys shared with the UE 701.
  • This key derivation is in accordance with:
  • IK' P S KDF(CKcs, HC CS , NONCE M sc), where the symbol "
  • the MSC server 707 communicates a "CS to PS HO request" to the target MME 711 , and includes the newly generated cryptographic keys (CK' PS 11 IK' PS ) and AVs in this message. It will be observed that the MSC server 707 does not have LTE security parameters, so none are (or can be) transferred in this communication.
  • the target MME 711 sends a "Context request" to the source SGSN/MME 709 for the purpose of requesting context information for the UE 701.
  • the SGSN/MME 709 then sends a "Context response" (including the requested information) back to the target MME 711 (step 4"').
  • This requested information includes PS keys and LTE security parameters (i.e., IDs of LTE security algorithms that are supported by the UE 701). In the context of a source SGSN 709, such information is available if the source SGSN 709 complies with Release 8 or newer of the LTE standard.
  • step 715 the target MME 711 performs:
  • MME 711 derives Ke NB by applying the KDF as defined in the applicable standard, using the mapped key K'ASME and 2 -1 as the value of the uplink NAS COUNT parameter.
  • the uplink and downlink NAS COUNT values for the mapped EPS security context are set to start value (i.e., 0) in the target MME 71 1.
  • AVs received from a source SGSN 709. There will not be any AVs received from a source MME 709.
  • These stored AVs can later be used if there is to be a PS IRAT HO back to the very same source SGSN 709 as the one from which they were received (in which case they are transferred back to that SGSN at the time of that later handover).
  • KSI KSI or the CKSN, each of which is a 3-bit long string.
  • the MME 711 can use the KSI/CKSN to identify the security context in LTE.
  • step 715 the signaling is in accordance with steps 5', 6', 7', 8', 9', and 10' such as are shown in FIG. 4 and described in FIG. 4's supporting text above.
  • FIG. 8 is a block diagram of a target node 800 (e.g., SGSN/MME) that operates in the PS domain, wherein the target node 800 comprises a controller 801 that is circuitry configured to carry out, in addition to typical communications system node functionality, any one or any combination of the aspects described in connection with any one or combination of FIGS. 5 through 7 above.
  • Such circuitry could, for example, be entirely hard-wired circuitry (e.g., one or more ASICs).
  • programmable circuitry comprising a processor 803 coupled to one or more memory devices 805 (e.g., Random Access Memory, Magnetic Disc Drives, Optical Disk Drives, Read Only Memory, etc.).
  • the memory device(s) 805 store program means 807 (e.g., a set of processor instructions) configured to cause the processor 803 to control other node circuitry/hardware components 809 so as to carry out any of the functions described above.
  • the memory 805 may also store data 811 representing various constant and variable parameters as may be received, generated, and/or otherwise needed by the processor 803 when carrying out its functions such as those specified by the program means 807.
  • the various aspects such as obtaining some information from a source CS node and other information from a source PS node and filtering and/or processing this information to derive a security context that is useful in the target PS node are applicable even when some other details have changed.
  • embodiments can be foreseen in which, instead of having an MSC generate a NONCE that is communicated to the target PS node (e.g., target SGSN or MME), the target node (target MME) can generate a NONCE itself, and then derive cryptographic keys from this generated NONCE.
  • the target PS node e.g., target SGSN or MME

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
PCT/EP2013/051550 2012-01-30 2013-01-28 Call handover between cellular communication system nodes that support different security contexts Ceased WO2013113647A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
JP2014553747A JP6085615B2 (ja) 2012-01-30 2013-01-28 異なる機密保護コンテキストをサポートする複数のセルラ通信システムノード間の呼のハンドオーバ
IN6111DEN2014 IN2014DN06111A (enExample) 2012-01-30 2013-01-28
EP13702958.3A EP2810463B1 (en) 2012-01-30 2013-01-28 Call handover between cellular communication system nodes that support different security contexts
RU2014135463A RU2630175C2 (ru) 2012-01-30 2013-01-28 Передача обслуживания вызовов между узлами системы сотовой связи, поддерживающими различные контексты безопасности
CA2861941A CA2861941A1 (en) 2012-01-30 2013-01-28 Call handover between cellular communication system nodes that support different security contexts
CN201380007316.7A CN104067648B (zh) 2012-01-30 2013-01-28 在支持不同安全性上下文的蜂窝通信系统节点之间的呼叫切换

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201261592126P 2012-01-30 2012-01-30
US61/592,126 2012-01-30
US13/677,451 US10433161B2 (en) 2012-01-30 2012-11-15 Call handover between cellular communication system nodes that support different security contexts
US13/677,451 2012-11-15

Publications (1)

Publication Number Publication Date
WO2013113647A1 true WO2013113647A1 (en) 2013-08-08

Family

ID=48870232

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/051550 Ceased WO2013113647A1 (en) 2012-01-30 2013-01-28 Call handover between cellular communication system nodes that support different security contexts

Country Status (8)

Country Link
US (1) US10433161B2 (enExample)
EP (1) EP2810463B1 (enExample)
JP (1) JP6085615B2 (enExample)
CN (1) CN104067648B (enExample)
CA (1) CA2861941A1 (enExample)
IN (1) IN2014DN06111A (enExample)
RU (1) RU2630175C2 (enExample)
WO (1) WO2013113647A1 (enExample)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200252795A1 (en) * 2017-10-23 2020-08-06 Huawei Technologies Co., Ltd. Key generation method, apparatus, and system

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309500B (zh) * 2007-05-15 2011-07-20 华为技术有限公司 不同无线接入技术间切换时安全协商的方法和装置
US10433161B2 (en) * 2012-01-30 2019-10-01 Telefonaktiebolaget Lm Ericsson (Publ) Call handover between cellular communication system nodes that support different security contexts
US9414223B2 (en) * 2012-02-17 2016-08-09 Nokia Technologies Oy Security solution for integrating a WiFi radio interface in LTE access network
CN104041177A (zh) * 2012-12-03 2014-09-10 华为技术有限公司 无线接入网信息获取方法和无线接入网控制器
US9655012B2 (en) 2012-12-21 2017-05-16 Qualcomm Incorporated Deriving a WLAN security context from a WWAN security context
GB2509937A (en) 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations
US9730074B2 (en) * 2014-01-16 2017-08-08 Telefonaktiebolaget Lm Ericsson (Publ) System, methods and apparatuses for providing network access security control
WO2015172288A1 (en) * 2014-05-12 2015-11-19 Nokia Technologies Oy Method, network element, user equipment and system for securing device-to-device communication in a wireless network
GB2537377B (en) * 2015-04-13 2021-10-13 Vodafone Ip Licensing Ltd Security improvements in a cellular network
CN106714254B (zh) * 2015-11-17 2020-02-21 中国移动通信集团公司 一种音视频业务应用网络的切换方法、终端及应用服务器
JP7074759B2 (ja) * 2017-01-06 2022-05-24 華為技術有限公司 ネットワーク・ハンドオーバー方法および関係した装置
CN111133732B (zh) * 2017-09-26 2022-10-04 瑞典爱立信有限公司 在无线通信系统中切换时管理安全上下文并执行密钥导出
CN109803263A (zh) * 2017-11-17 2019-05-24 华为技术有限公司 一种安全保护的方法及装置
CN113473646B (zh) * 2017-11-21 2022-04-12 华为技术有限公司 一种通信方法及装置
US12052358B2 (en) * 2018-01-12 2024-07-30 Qualcomm Incorporated Method and apparatus for multiple registrations
US11418961B2 (en) * 2018-02-19 2022-08-16 Telefonaktiebolaget Lm Ericsson (Publ) Supporting interworking and/or mobility between different wireless communication systems
CN110366241B (zh) 2018-04-09 2024-09-17 华为技术有限公司 通信方法、装置和系统
CN110691427B (zh) * 2018-07-05 2021-10-19 华为技术有限公司 一种业务传输方法及装置
EP3925289A1 (en) * 2019-02-14 2021-12-22 Telefonaktiebolaget Lm Ericsson (Publ) Network node, ue and method for handling handover with parameter for deriving security context
CN112020067B (zh) 2019-05-31 2021-12-10 荣耀终端有限公司 获取安全上下文的方法、装置和通信系统
CN112087297B (zh) * 2019-06-14 2022-05-24 华为技术有限公司 一种获取安全上下文的方法、系统及设备

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1926281A2 (en) * 2006-11-21 2008-05-28 Innovative Sonic Limited Method and related apparatus for ciphering algorithm change in a wireless communications system

Family Cites Families (65)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US2139260A (en) * 1936-10-16 1938-12-06 United Shoe Machinery Corp Manufacture of shoes and insoles therefor
FI110558B (fi) * 2000-05-24 2003-02-14 Nokia Corp Menetelmä matkaviestinverkon kautta pakettidataverkkoon kytketyn päätelaitteen paikkatiedon käsittelemiseksi
US8606084B2 (en) * 2001-06-27 2013-12-10 Knapp Investment Company Limited Method and system for providing a personal video recorder utilizing network-based digital media content
US20040003081A1 (en) * 2002-06-26 2004-01-01 Microsoft Corporation System and method for providing program credentials
FR2847401A1 (fr) * 2002-11-14 2004-05-21 France Telecom Procede d'acces a un service avec authentification rapide et anonymat revocable et systeme d'ouverture et de maintien de session
DE202005021930U1 (de) * 2005-08-01 2011-08-08 Corning Cable Systems Llc Faseroptische Auskoppelkabel und vorverbundene Baugruppen mit Toning-Teilen
EP1911316B1 (en) 2005-08-01 2017-09-06 Ubiquisys Limited Handover information sent over a public wide area network (e . g . internet)
US8781442B1 (en) * 2006-09-08 2014-07-15 Hti Ip, Llc Personal assistance safety systems and methods
US8094817B2 (en) * 2006-10-18 2012-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographic key management in communication networks
US8520850B2 (en) * 2006-10-20 2013-08-27 Time Warner Cable Enterprises Llc Downloadable security and protection methods and apparatus
US8281378B2 (en) * 2006-10-20 2012-10-02 Citrix Systems, Inc. Methods and systems for completing, by a single-sign on component, an authentication process in a federated environment to a resource not supporting federation
US8089339B2 (en) * 2006-12-21 2012-01-03 Cingular Wireless Ii, Llc Wireless device as programmable vehicle key
RU2429590C2 (ru) * 2007-04-30 2011-09-20 Интердиджитал Текнолоджи Корпорейшн ДОМАШНИЙ (е)NODE-B С НОВОЙ ФУНКЦИОНАЛЬНОЙ ВОЗМОЖНОСТЬЮ
CN101309500B (zh) * 2007-05-15 2011-07-20 华为技术有限公司 不同无线接入技术间切换时安全协商的方法和装置
US8341104B2 (en) * 2007-08-16 2012-12-25 Verizon Patent And Licensing Inc. Method and apparatus for rule-based masking of data
WO2010003464A1 (en) * 2008-07-11 2010-01-14 Infineon Technologies Ag Mobile radio communication devices having a trusted processing environment and method for processing a computer program therein
PT2382826T (pt) * 2009-01-23 2018-01-15 Ericsson Telefon Ab L M Método e configuração numa rede de comunicações
US9253643B2 (en) * 2009-03-05 2016-02-02 Interdigital Patent Holdings, Inc. Method and apparatus for H(e)NB integrity verification and validation
US8675863B2 (en) * 2009-12-22 2014-03-18 Trueposition, Inc. Passive system for recovering cryptography keys
EP3002965B1 (en) * 2010-01-28 2019-08-21 Koninklijke KPN N.V. Efficient terminal authentication in telecommunication networks
CN102804826B (zh) * 2010-03-17 2016-03-02 瑞典爱立信有限公司 用于srns重定位的增强密钥管理
US9084110B2 (en) 2010-04-15 2015-07-14 Qualcomm Incorporated Apparatus and method for transitioning enhanced security context from a UTRAN/GERAN-based serving network to an E-UTRAN-based serving network
SG184878A1 (en) 2010-04-16 2012-11-29 Qualcomm Inc Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node
CN101835152A (zh) 2010-04-16 2010-09-15 中兴通讯股份有限公司 终端移动到增强utran时建立增强密钥的方法及系统
CN102948112B (zh) 2010-05-04 2016-03-23 高通股份有限公司 创建或更新共享电路交换安全性上下文的方法及装置
US9264957B2 (en) 2010-05-10 2016-02-16 Nokia Technologies Oy Key derivation during inter-network handover
CN101860862B (zh) 2010-05-17 2015-05-13 中兴通讯股份有限公司 终端移动到增强utran时建立增强密钥的方法及系统
US8712056B2 (en) * 2010-06-03 2014-04-29 At&T Intellectual Property I, L.P. Secure mobile ad hoc network
US9595072B2 (en) * 2010-12-08 2017-03-14 At&T Intellectual Property I, L.P. Security social network
KR20140109478A (ko) * 2010-12-30 2014-09-15 인터디지탈 패튼 홀딩스, 인크 통신 핸드오프 시나리오를 위한 인증 및 보안 채널 설정
WO2012129503A1 (en) * 2011-03-23 2012-09-27 Interdigital Patent Holdings, Inc. Systems and methods for securing network communications
EP2884812B1 (en) * 2011-04-01 2016-12-28 Interdigital Patent Holdings, Inc. Apparatus and method for sharing a common PDP context
US8978030B2 (en) * 2011-04-07 2015-03-10 Infosys Limited Elastic provisioning of resources via distributed virtualization
EP2702741B1 (en) * 2011-04-27 2015-10-14 Telefonaktiebolaget L M Ericsson (publ) Authenticating a device in a network
US9295082B2 (en) * 2011-04-27 2016-03-22 At&T Mobility Ii Llc Distributed machine-to-machine connectivity
US8504004B2 (en) * 2011-06-03 2013-08-06 At&T Mobility Ii Llc Automatic control of rate of notifications for UMTS and other simultaneous voice/data networks
US8489075B2 (en) * 2011-11-16 2013-07-16 At&T Intellectual Property I, L.P. System and method for augmenting features of visual voice mail
US8687556B2 (en) * 2011-11-18 2014-04-01 Cisco Technology, Inc. Method for correlating connection information with mobile device identity
US8472983B1 (en) * 2011-12-07 2013-06-25 Cisco Technology, Inc. Selective location-aware paging
US8526932B2 (en) * 2011-12-08 2013-09-03 At&T Intellectual Property I, L.P. Performance zones
US20130155954A1 (en) * 2011-12-14 2013-06-20 Interdigital Patent Holdings, Inc. Method and apparatus for triggering machine type communications applications
US8744419B2 (en) * 2011-12-15 2014-06-03 At&T Intellectual Property, I, L.P. Media distribution via a scalable ad hoc geographic protocol
US10433161B2 (en) * 2012-01-30 2019-10-01 Telefonaktiebolaget Lm Ericsson (Publ) Call handover between cellular communication system nodes that support different security contexts
US9032496B2 (en) * 2012-02-28 2015-05-12 Citrix Systems, Inc. Secure single sign-on
US20130298209A1 (en) * 2012-05-02 2013-11-07 Interdigital Patent Holdings, Inc. One round trip authentication using sngle sign-on systems
WO2014047135A2 (en) * 2012-09-18 2014-03-27 Interdigital Patent Holdings, Inc. Generalized cryptographic framework
US9693366B2 (en) * 2012-09-27 2017-06-27 Interdigital Patent Holdings, Inc. End-to-end architecture, API framework, discovery, and access in a virtualized network
PL3018850T3 (pl) * 2013-01-30 2017-10-31 Ericsson Telefon Ab L M Generowanie klucza bezpieczeństwa dla połączeń podwójnych
KR20150139602A (ko) * 2013-04-05 2015-12-11 인터디지탈 패튼 홀딩스, 인크 보안화 피어-투-피어 및 그룹 통신들
US10219305B2 (en) * 2013-11-21 2019-02-26 Bao Tran Communication apparatus
US10659960B2 (en) * 2013-12-23 2020-05-19 Koninklijke Kpn N.V. Method and system for providing security from a radio access network
EP4247034A3 (en) * 2013-12-23 2023-11-08 Koninklijke KPN N.V. Method and system for providing security from a radio access network
US11146956B2 (en) * 2014-02-19 2021-10-12 Convida Wireless, Llc Serving gateway extensions for inter-system mobility
CN116980998A (zh) * 2014-06-23 2023-10-31 交互数字专利控股公司 在集成无线网络中的系统间移动性
US9258117B1 (en) * 2014-06-26 2016-02-09 Amazon Technologies, Inc. Mutual authentication with symmetric secrets and signatures
JP6393398B2 (ja) * 2014-07-07 2018-09-19 コンヴィーダ ワイヤレス, エルエルシー マシンタイプ通信グループベースサービスのための調整されたグループ化
US20170171782A1 (en) * 2014-07-14 2017-06-15 Convida Wireless, Llc Network-initiated handover in integrated small cell and wifi networks
CN111586647B (zh) * 2014-09-29 2024-03-19 交互数字专利控股公司 网络上的装置
JP6695362B2 (ja) * 2015-06-29 2020-05-20 コンヴィーダ ワイヤレス, エルエルシー 場所ベースのコンテキスト配信
WO2017121482A1 (en) * 2016-01-14 2017-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Methods, nodes and communication device for establishing a key related to at least two network instances
KR102663043B1 (ko) * 2016-05-12 2024-05-10 인터디지탈 패튼 홀딩스, 인크 가상화된 모바일 코어 네트워크들에의 접속
US20190150225A1 (en) * 2016-05-17 2019-05-16 Convida Wireless, Llc Method and apparatus for indicating that connection enables routing of data between pdn gateway and local gateway
US10863494B2 (en) * 2018-01-22 2020-12-08 Apple Inc. Control signaling for uplink multiple input multiple output, channel state information reference signal configuration and sounding reference signal configuration
US10986602B2 (en) * 2018-02-09 2021-04-20 Intel Corporation Technologies to authorize user equipment use of local area data network features and control the size of local area data network information in access and mobility management function
US10848974B2 (en) * 2018-12-28 2020-11-24 Intel Corporation Multi-domain trust establishment in edge cloud architectures

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1926281A2 (en) * 2006-11-21 2008-05-28 Innovative Sonic Limited Method and related apparatus for ciphering algorithm change in a wireless communications system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security architecture (Release 11)", 3GPP STANDARD; 3GPP TS 33.102, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V11.0.0, 26 September 2011 (2011-09-26), pages 1 - 71, XP050554024 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 10)", 3GPP STANDARD; 3GPP TS 33.401, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V10.1.1, 23 June 2011 (2011-06-23), pages 1 - 115, XP050553490 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Release 10)", 3GPP STANDARD; 3GPP TS 23.401, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. V10.5.0, 24 August 2011 (2011-08-24), pages 1 - 282, XP050553747 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200252795A1 (en) * 2017-10-23 2020-08-06 Huawei Technologies Co., Ltd. Key generation method, apparatus, and system
US11576038B2 (en) * 2017-10-23 2023-02-07 Huawei Technologies Co., Ltd. Key generation method, apparatus, and system
US11882436B2 (en) 2017-10-23 2024-01-23 Huawei Technologies Co., Ltd. Key generation method, apparatus, and system

Also Published As

Publication number Publication date
JP6085615B2 (ja) 2017-02-22
RU2014135463A (ru) 2016-03-20
CA2861941A1 (en) 2013-08-08
CN104067648A (zh) 2014-09-24
IN2014DN06111A (enExample) 2015-08-14
US20130195268A1 (en) 2013-08-01
EP2810463A1 (en) 2014-12-10
RU2630175C2 (ru) 2017-09-05
EP2810463B1 (en) 2019-01-16
JP2015512181A (ja) 2015-04-23
CN104067648B (zh) 2018-12-11
US10433161B2 (en) 2019-10-01

Similar Documents

Publication Publication Date Title
US10433161B2 (en) Call handover between cellular communication system nodes that support different security contexts
EP2192804B1 (en) Method of handling handover security configuration and related communication device
AU2016243284B2 (en) Authentication and key agreement with perfect forward secrecy
US11523308B2 (en) Methods, apparatuses, and systems for voice service handover
EP2187561B1 (en) Method, system and devices for negotiating security capabilities while a terminal is moving
US11438809B2 (en) Handover method and mobility management network element
US20190274072A1 (en) Communication system, security device, communication terminal, and communication method
EP2416598B2 (en) Method, device and system for deducing keys
US10687213B2 (en) Secure establishment method, system and device of wireless local area network
CN102158855B (zh) 处理单一无线语音通话连续性交递安全的方法及通讯装置
JP5746358B2 (ja) 通信のための方法及び装置
CN101552983A (zh) 密钥生成方法、密钥生成装置、移动管理实体与用户设备
CN114642014B (zh) 一种通信方法、装置及设备
US9161221B2 (en) Method, apparatus and computer program for operating a user equipment
EP2685751B1 (en) Handover method, base station, user equipment and mobility management entity
CN101610147A (zh) 密钥处理方法、系统、设备及终端
CN101645877A (zh) 密钥衍生函数的协商方法、系统及网络节点
JP6473171B2 (ja) Msc間ハンドオーバのためのmapを介したimeisvの指示
US20130072156A1 (en) Prevention of mismatch of authentication parameter in hybrid communication system
Song et al. Reduction of authentication cost based on key caching for inter-MME handover support
WO2014048455A1 (en) Method for moving back a ue to a preferred communication network after the completion of a cs fallback call
Hwang et al. Reduction of Authentication Cost Based on Key Caching for Inter-MME Handover Support
WO2018141114A1 (en) Method and device for identifying pdn connection for ims service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13702958

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2861941

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2014553747

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2014/2112

Country of ref document: KE

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2013702958

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014135463

Country of ref document: RU