WO2014161155A1 - Methods and apparatus for securing device-to-device communications - Google Patents


Info

Publication number: WO2014161155A1
Authority: WO (WIPO (PCT))
Prior art keywords: user equipment, key, random number, request, network element
Application number: PCT/CN2013/073658
Other languages: French (fr)
Inventors: Yang Liu, Da Jiang Zhang
Original assignee: Nokia Corporation; Nokia (China) Investment Co. Ltd.
Application filed by Nokia Corporation and Nokia (China) Investment Co. Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/75 Temporary identity
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/14 Direct-mode setup

Definitions

  • the present invention generally relates to network-controlled device-to-device communications. More specifically, the invention relates to methods and apparatus for securing device-to-device (hereinafter also referred to as "D2D") communications when D2D user equipments stay in idle mode.
  • next generation wireless communication systems, such as the 3GPP (Third Generation Partnership Project) LTE (Long Term Evolution) system and beyond, the IMT-A (International Mobile Telecommunications - Advanced) system, etc.
  • QoS: Quality of Service
  • UE: user equipment
  • terminals directly communicate with each other, instead of conveying data from one device to the other via the cellular network (in particular via an access node or base station thereof), wherein primary control and configurations, such as channel/bearer configurations, are carried out by the cellular network.
  • Security protection may be an issue for the network-controlled D2D communications, for example, because malicious users may be able to eavesdrop on the D2D communication if no strong security protection between peer UEs conducting a direct D2D communication is used.
  • the security related procedures have not been fully specified for network-controlled D2D communications, especially for a scenario in which one or both peer UEs of the D2D communication stay in idle mode.
  • the disclosure provides an approach for efficiently securing D2D communications between D2D user equipments when at least one of the D2D user equipments stays in idle mode.
  • a method comprises receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode.
  • the method further comprises sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment.
  • the method further comprises receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment.
  • the method further comprises forwarding the random number to the peer user equipment.
  • the notification of device-to-device services can be received by detecting physical layer beacons broadcasted from the peer user equipment.
  • the method can further comprise establishing a device-to-device connection with the peer user equipment based on the device-to-device key.
  • the method can further comprise, in response to receiving the notification, initiating a radio resource control connection setup procedure to enable the sending of the request.
  • an apparatus comprising at least one processor, and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause, at least in part, the apparatus to receive at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode.
  • the apparatus is further caused to send a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment.
  • the apparatus is further caused to receive a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment.
  • the apparatus is further caused to forward the random number to the peer user equipment.
  • a computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause, at least in part, an apparatus to receive at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode; send a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment; receive a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and forward the random number to the peer user equipment.
  • an apparatus comprises means for receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode.
  • the apparatus also comprises means for sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment.
  • the apparatus also comprises means for receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment.
  • the apparatus also comprises means for forwarding the random number to the peer user equipment.
  • a method comprises receiving at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment.
  • the method further comprises in response to the request, deriving a device-to-device key based on a key shared between the network element and the peer user equipment and a random number.
  • the method further comprises sending the random number and the device-to-device key to the user equipment.
  • the network element can be a mobility management entity.
  • a method comprises sending at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment.
  • the method further comprises receiving a random number from the peer user equipment.
  • the method further comprises deriving a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
  • the notification of device-to-device services is broadcasted in physical layer beacons, and the beacons comprise an indication that the user equipment stays in idle mode.
  • the method further comprises establishing a device-to-device connection with the peer user equipment based on the device-to-device key.
  • the key can be an access security management entity key shared between the network element and the user equipment.
  • a procedure of security key derivation between device-to-device user equipments can be performed when one or both of the device-to-device user equipments stay in idle mode, with no need to invoke the idle mode user equipment to transfer to a connected mode.
  • This can decrease implementation complexity and reduce the power consumption of the device-to-device user equipments, while the device-to-device user equipments are still able to share a common device-to-device key.
  • FIG. 1 is a wireless communication system in which at least one embodiment of the present invention can be implemented
  • FIG. 2 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments according to an embodiment of the present invention
  • FIG. 3 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments according to another embodiment of the present invention
  • FIG. 4 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment
  • FIG. 5 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment
  • FIG. 6 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment.
  • FIG. 7 is a simplified block diagram of various devices that are suitable for use in practicing various exemplary embodiments of the present invention.
  • the wireless communication system 100 includes a base station 120 supporting a corresponding service or coverage area 122 (also referred to as a cell).
  • the base station 120 is also capable of communicating with wireless devices, such as user equipments 110A, 110B, within the coverage area.
  • Although FIG. 1 depicts one base station 120 and two user equipments 110A, 110B, other quantities of base stations and user equipments may be implemented as well.
  • the base station 120 can be implemented as an evolved Node B (eNB) type base station consistent with standards, including the Long Term Evolution (LTE) standards.
  • the user equipments 110A, 110B may be mobile and/or stationary.
  • the user equipments 110A, 110B may be referred to as, for example, devices, mobile stations, mobile units, subscriber stations, wireless terminals, terminals, or the like.
  • the user equipment may be implemented as, for example, a wireless handheld device, a wireless plug-in accessory, or the like.
  • the user equipment may take the form of a wireless phone, a computer with a wireless connection to a network, or the like.
  • the user equipment may include one or more of the following: at least one processor, at least one computer-readable storage medium (e.g., memory, storage, and the like), a radio access mechanism, and a user interface.
  • the wireless communication system 100 may include a core network 130.
  • the core network 130 comprises the conventional network elements and functions of a cellular communication network, such as an MME 132 (Mobility Management Entity), an HSS 134 (Home Subscriber Server), etc.
  • Network elements in the core network can be organized in a basic structure and operate in a basic way well known to one skilled in the art.
  • the wireless communication system 100 is configured to further support network-controlled D2D communications.
  • a D2D feature is integrated into the public land mobile systems, such as the 3rd Generation Partnership Project (3GPP) as well as subsequent generations of cellular communication systems.
  • elements of the cellular communication system, such as the eNB 120, MME 132 or other network elements, may be used to aid in the establishment and ongoing control of the D2D communications, e.g., radio resource allocation for the D2D communications, switch control, etc.
  • the UEs can communicate with each other either via the cellular communication system (in particular via eNB 120), or via a direct D2D communication.
  • the security protection of the direct D2D communications can also be provided by virtue of the sophisticated security mechanism of the cellular communication system.
  • key derivations for securing the direct D2D communications between UE1 110A and UE2 110B may be controlled by the MME 132 and HSS 134. This idea can be easily realized when UE1 and UE2 are both in a connection with the radio access network of the cellular communication system, e.g. stay in RRC connected mode. However, when one peer or both peers of the D2D communication are not in a connection with the radio access network, e.g.
  • FIG. 1 illustrates an example of such a scenario, in which one D2D peer (UE2) is in a RRC connected mode while the other D2D peer (UE1) is in a RRC idle mode.
  • NAS: Non-Access Stratum
  • MME 132 may maintain a valid Access Security Management Entity key (denoted as K_asme) for UE1.
  • K_asme may be generated through an AKA (Authentication and Key Agreement) procedure when UE1 is registered to the cellular communication system.
  • consistent security keys can be achieved between UE1 and UE2 for D2D communications, without pushing the idle mode UE1 into RRC connected mode.
  • a new approach is provided to efficiently share a common security key for D2D communications between UE1 and UE2, by virtue of the valid security context.
  • FIG. 2 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments in idle mode according to an embodiment of the present invention.
  • UE1 110A and UE2 110B choose a suitable cell of a cellular communication system to perform a network-controlled D2D communication.
  • UE1 and UE2 can camp on the cell 122 of eNB 120.
  • UE1 stays in idle mode, for example for the lowest energy consumption.
  • UE1 may stay in a RRC idle mode as specified in LTE protocols.
  • UE1 can broadcast notifications for D2D services even if it stays in a RRC idle mode.
  • UE1 broadcasts a notification for D2D services in a physical layer beacon, which comprises its identity, e.g. an IMEI (International Mobile Equipment Identity), an IMSI (International Mobile Subscriber Identity), or a S-TMSI (Short-Temporary Mobile Subscriber Identity) of UE1.
  • the S-TMSI may be allocated to UE1 when UE1 camps on the cell 122 of eNB 120.
  • UE1 can also broadcast its current mode in the beacon, for example with an indication that it is staying in a RRC idle mode.
  • one or more peer D2D UEs (e.g. UE2 110B) may detect the broadcast notification of D2D service from UE1 and decide to establish a D2D connection with UE1, at 220. From information in the detected notification, UE2 may learn that UE1 is staying in a RRC idle mode, and then initiate a procedure of key derivation for the D2D connection according to various embodiments of the present invention. In some exemplary embodiments, UE2 may have an active RRC connection to the eNB 120 at that moment. For example, as shown at 210B, UE2 can stay in a RRC connected mode.
  • UE2 can send a request for key derivations of the D2D connection to the core network (e.g. MME 132) by utilizing the active RRC connection between UE2 and eNB 120.
  • the request comprises the identity of UE1, e.g. the S-TMSI of UE1, which may be obtained from the detected beacon.
  • the request may be transmitted to eNB 120 through an uplink RRC message, and in turn be forwarded from the eNB 120 to the MME 132 through an S1-AP (Application Protocol) message.
  • the request may be delivered to MME 132 as a NAS message which is transparent to eNB 120.
  • MME 132 can provide to UE2 a key for the D2D connection (also called a D2D key) and parameter(s) for deriving the D2D key.
  • the D2D key is derived based on the parameter(s) and a key shared between UE1 and the core network.
  • the parameter(s) for deriving the D2D key can be the S-TMSI of UE2.
  • MME 132 can generate a random number (denoted as RAND), and then derive the D2D key (denoted as Kd2d) from the RAND and a key which is shared between the core network and UE1.
  • the parameter(s) for deriving the D2D key can be provided or generated according to the identity of UE1.
  • the core network (i.e. the non-access stratum) can register UE1 and achieve consistent NAS security (e.g. sharing a common NAS key) between UE1 and the core network.
  • the NAS key shared between UE1 and the MME 132 may be the K_asme of UE1, which may be retrieved based on the identity of UE1. Then, MME 132 sends the RAND and the Kd2d to UE2 via eNB 120, as shown at 240 and 245.
  • the RAND and Kd2d can be ciphered and integrity protected by a NAS key of UE2. Similarly to the NAS key of UE1, the NAS key of UE2 is a key shared between the core network and UE2.
  • UE2 receives the parameter(s) (e.g. the RAND) for deriving the D2D key and Kd2d from MME 132 via eNB 120, and then stores the Kd2d for securing D2D communications between UE1 and UE2. Then, UE2 forwards the parameter(s) (e.g. the RAND) for deriving the D2D key to UE1, as shown at 255.
  • UE1 can derive the Kd2d from its K_asme and the parameter(s) (e.g. the RAND).
  • a common D2D key, Kd2d, can be shared between UE1 and UE2 without pushing UE1 from a RRC idle mode into a RRC connected state.
  • the D2D key, Kd2d, can be used directly for securing the D2D communications between UE1 and UE2.
  • Kd2d can be utilized for deriving other keys which are used for securing the D2D communication between UE1 and UE2.
  • FIG. 3 depicts an example of such a scenario. Most steps in the procedure of FIG. 3 are similar to the corresponding steps in the procedure of FIG. 2, except that UE2 stays in idle mode when detecting a notification of D2D services from UE1 and deciding to establish a D2D connection with UE1. Then, UE2 needs to transfer to a RRC connected mode by initiating a RRC connection setup procedure to eNB 120, as shown at 325. Through the established RRC connection, UE2 can request key derivation from MME 132 via eNB 120 based on the same method illustrated in FIG. 2.
  • the identity of UE1 can also be included in messages for initiating the RRC connection setup procedure.
  • the S-TMSI of UE1 can be transmitted to MME 132 in a RRC connection setup complete message, to request MME 132 to generate the required D2D security keys.
  • the cause value can be different from the legacy ones, such as service request, TAU (Tracking Area Update), attach, etc. Instead, it could be a new cause value, e.g. "D2D key derivation procedure", to indicate that the RRC connection setup procedure is merely for a derivation of D2D keys, so that the radio access network and the core network (especially eNB 120 and MME 132) need not perform any extra operations beyond enabling the derivation of D2D keys.
  • FIGs. 4, 5 and 6 are logic flow diagrams that illustrate the operations of methods, and a result of executions of computer program instructions, in accordance with the example embodiments of this invention for security key derivations for a network-controlled D2D communication. More specifically, FIGs. 4, 5 and 6 describe a process flow between D2D peer user equipments, such as UE1 and UE2, and a network element of the core network, such as the MME 132. In such an embodiment, the processes can be implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 7.
  • a user equipment can provide means for accomplishing various parts of the process 400 and/or 500, as well as means for accomplishing other processes in conjunction with other components.
  • a network element of the core network can provide means for accomplishing various parts of the process 600 as well as means for accomplishing other processes in conjunction with other components.
  • a user equipment (such as UE2) receives a notification of D2D services from a peer user equipment (such as UE1 110A) which stays in idle mode.
  • the notification of D2D services can be received by detecting physical layer beacons broadcast from UE1. From the notification, UE2 can determine that UE1 stays in idle mode.
  • UE2 sends a request for a derivation of D2D key to a network element of a core network (such as MME 132).
  • the request comprises an identity of UE1.
  • at step 430, in response to the request, UE2 receives a random number and a D2D key, wherein the D2D key is derived by the network element based on the random number and a key, such as K_asme, shared between MME 132 and UE1.
  • at step 440, UE2 forwards the random number to UE1, so that UE1 can derive a common D2D key from the random number and K_asme. Then, a D2D connection can be established between UE1 and UE2, and the D2D communications between UE1 and UE2 can be secured based on the common D2D key.
  • a network element (such as MME 132) of a core network receives a request for a derivation of D2D key from a user equipment (such as UE2), the request comprising an identity of a peer user equipment (such as UE1).
  • MME 132 can generate a random number, and derive a D2D key based on the random number and a key (e.g. K_asme) shared between MME 132 and UE1.
  • MME 132 sends the random number and the D2D key to UE2.
  • a user equipment (such as UE1) which stays in idle mode sends a notification of D2D services to a peer user equipment (such as UE2).
  • the notification of D2D services can be broadcast in physical layer beacons to UE2, and the beacons can comprise an indication that the user equipment is in idle mode.
  • UE1 receives a random number from UE2, and then derives a D2D key based on the random number and a key (such as K_asme) shared between a network element (such as MME 132) of a core network and UE1. Based on the D2D key, a D2D connection between UE1 and UE2 can be established.
  • a wireless communication network 700 may be adapted for communication with user equipments (such as UEs 110A and 110B), via a base station (such as an eNB 120).
  • the network 700 may further include a network element (such as MME 132) for providing NAS security for the user equipments.
  • the UEs 110A and 110B can perform a cellular communication under the control of MME 132, via the eNB 120.
  • the UE1 110A and UE2 110B can perform a D2D communication directly between each other. The security of the D2D communication can be provided for UEs in idle mode according to the exemplary embodiments of the present invention as discussed above.
  • the UE1 110A includes a data processor (DP) 710A, a memory (MEM) 710B that stores a program (PROG) 710C, and a suitable radio frequency (RF) transceiver 710D for wireless communications with the eNB 120 via one or more antennas.
  • the transceiver 710D in the UE1 110A can be used for D2D communications in both licensed band (e.g. cellular band) and unlicensed band (e.g. WLAN band).
  • the transceiver 710D can comprise separate components to support D2D communications in licensed band (e.g. cellular band) and unlicensed band (e.g. WLAN band) respectively.
  • the UE2 110B also includes a DP 720A, a MEM 720B that stores a PROG 720C, and a suitable RF transceiver 720D.
  • the transceiver 720D in the eNB 120 can be used for D2D communications in both licensed band (e.g. cellular band) and unlicensed band (e.g. WLAN band).
  • the transceiver 720D can comprise separate components to support D2D communications in licensed band (e.g. cellular band) and unlicensed band (e.g. WLAN band) respectively.
  • the MME 132 also includes a DP 740A, a MEM 740B that stores a PROG 740C, and a suitable communication interface 740E.
  • the communication interface 740E may be able to communicate with UE1 and UE2 via eNB 120. In some examples, the communication interface 740E may be used to transmit and receive information using protocols and methods associated with the network-controlled D2D communication.
  • Some functions of the eNB 120 may be implemented with a digital signal processor, memory, and computer programs for executing computer processes.
  • the basic structure and operation of the eNB 120 are known to one skilled in the art, and thus it is shown as a block in order to avoid unnecessarily obscuring the invention.
  • At least one of the PROGs 710C, 720C, 740C is assumed to include program instructions that, when executed by the associated DP, enable the electronic device to operate in accordance with the exemplary embodiments of this invention, as discussed above. That is, the exemplary embodiments of this invention may be implemented at least in part by computer software executable by the DP 710A of the UE1 110A, by the DP 720A of the UE2 110B, and by the DP 740A of the MME 132, or by hardware, or by a combination of software and hardware.
  • the basic structure and operation of UE1 110A, UE2 110B, and MME 132 are known to one skilled in the art.
  • the various embodiments of the UE1 110A and UE2 110B can include, but are not limited to, cellular telephones, personal digital assistants (PDAs) having cellular wireless communication capabilities, portable computers having cellular wireless communication capabilities, image capture devices such as digital cameras having wireless communication capabilities, gaming devices having cellular wireless communication capabilities, music storage and playback appliances having cellular wireless communication capabilities, Internet appliances permitting cellular wireless Internet access and browsing, as well as portable units or terminals that incorporate combinations of such functions.
  • the MEMs 710B, 720B, 740B may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, flash memory, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory.
  • the DPs 710A, 720A, 740A may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multi-core processor architectures, as non-limiting examples.
  • the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof.
  • some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto.
  • While various aspects of the exemplary embodiments of this invention may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the exemplary embodiments of the inventions may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this invention may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this invention.
  • exemplary embodiments of the inventions may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device.
  • the computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc.
  • the function of the program modules may be combined or distributed as desired in various embodiments.
  • the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Methods and apparatus are provided for securing device-to-device communications. A method can comprise: receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode; sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment; receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and forwarding the random number to the peer user equipment.

Description

METHODS AND APPARATUS FOR SECURING DEVICE-TO-DEVICE COMMUNICATIONS
FIELD OF THE INVENTION
[0001] The present invention generally relates to network-controlled device-to-device communications. More specifically, the invention relates to methods and apparatus for securing device-to-device (hereinafter also referred to as "D2D") communications when D2D user equipments stay in idle mode.
BACKGROUND
[0002] With the development of future services, next generation wireless communication systems, such as 3GPP (3rd Generation Partnership Project) LTE (Long Term Evolution) and beyond, IMT-A (International Mobile Telecommunications - Advanced), etc., are introduced to satisfy high speed, large capacity and high QoS (Quality of Service) for billions of subscribers. In this regard, efforts have been made to realize network-controlled D2D communications for reducing the load on the cellular communication network. Examples of such D2D communications include direct communications among a cluster of proximate devices, and autonomous D2D communications in a cellular network. In such network-controlled D2D communications, devices such as user equipments (UEs) or terminals communicate directly with each other, instead of conveying data from one device to the other via the cellular network (in particular via an access node or base station thereof), while primary control and configuration, such as channel/bearer configuration, is carried out by the cellular network. Security protection may be an issue for network-controlled D2D communications, for example because malicious users may be able to eavesdrop on the D2D communication if no strong security protection is used between the peer UEs conducting a direct D2D communication. However, the security related procedures have not yet been fully specified for network-controlled D2D communications, especially for the scenario in which one or both peer UEs of the D2D communication stay in idle mode.
[0003] In view of this, it would be an advancement in the art to provide a way to efficiently secure D2D communications, especially for D2D UEs in idle mode.
SOME EXAMPLE EMBODIMENTS
[0004] To overcome limitations described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, the disclosure provides an approach for efficiently securing D2D communications between D2D user equipments when at least one of the D2D user equipments stays in idle mode.
[0005] According to one embodiment, a method comprises receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode. The method further comprises sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment. The method further comprises receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment. The method further comprises forwarding the random number to the peer user equipment.
[0006] In some exemplary embodiments, the notification of device-to-device services can be received by detecting physical layer beacons broadcasted from the peer user equipment.
[0007] In some exemplary embodiments, the method can further comprise establishing a device-to-device connection with the peer user equipment based on the device-to-device key. In an exemplary embodiment, the method can further comprise, in response to receiving the notification, initiating a radio resource control connection setup procedure to enable the sending of the request.
[0008] According to another embodiment, an apparatus comprising at least one processor, and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause, at least in part, the apparatus to receive at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode. The apparatus is further caused to send a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment. The apparatus is further caused to receive a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment. The apparatus is further caused to forward the random number to the peer user equipment.
[0009] According to another embodiment, a computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause, at least in part, an apparatus to receive at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode; send a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment; receive a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and forward the random number to the peer user equipment.
[0010] According to another embodiment, an apparatus comprises means for receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode. The apparatus also comprises means for sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment. The apparatus also comprises means for receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment. The apparatus also comprises means for forwarding the random number to the peer user equipment.
[0011] According to one embodiment, a method comprises receiving at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment. The method further comprises in response to the request, deriving a device-to-device key based on a key shared between the network element and the peer user equipment and a random number. The method further comprises sending the random number and the device-to-device key to the user equipment.
[0012] In an exemplary embodiment, the network element can be a mobility management entity.
[0013] According to one embodiment, a method comprises sending at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment. The method further comprises receiving a random number from the peer user equipment. The method further comprises deriving a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
[0014] In an exemplary embodiment, the notification of device-to-device services is broadcasted in physical layer beacons, and the beacons comprise an indication that the user equipment stays in idle mode. In an exemplary embodiment, the method further comprises establishing a device-to-device connection with the peer user equipment based on the device-to-device key. The key can be an access security management entity key shared between the network element and the user equipment.
[0015] Accordingly, a procedure of security key derivation between device-to-device user equipments can be performed when one or both of the device-to-device user equipments stay in idle mode, with no need to force the idle mode user equipment into connected mode. This decreases implementation complexity and reduces power consumption for the device-to-device user equipments, while the device-to-device user equipments are still able to share a common device-to-device key.
[0016] Still other aspects, features, and advantages of the invention are readily apparent from the following detailed description, simply by illustrating a number of particular embodiments and implementations, including the best mode contemplated for carrying out the invention. The invention is also capable of other and different embodiments, and its several details can be modified in various obvious respects, all without departing from the spirit and scope of the invention. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive.
BRIEF DESCRIPTION OF THE DRAWINGS
[0017] The embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings:
[0018] FIG. 1 is a wireless communication system in which at least one embodiment of the present invention can be implemented;
[0019] FIG. 2 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments according to an embodiment of the present invention;
[0020] FIG. 3 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments according to another embodiment of the present invention;
[0021] FIG. 4 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment;
[0022] FIG. 5 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment;
[0023] FIG. 6 is a flowchart of a process for security key derivations for a network-controlled D2D communication, according to one embodiment; and
[0024] FIG. 7 is a simplified block diagram of various devices that are suitable for use in practicing various exemplary embodiments of the present invention.
DESCRIPTION OF SOME EMBODIMENTS
[0025] Examples of a method, apparatus, and computer program for securing D2D communications for D2D user equipments in idle mode are disclosed. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It is apparent, however, to one skilled in the art that the embodiments of the invention may be practiced without these specific details or with an equivalent arrangement. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the embodiments of the invention. Like reference numerals refer to like elements throughout.
[0026] FIG. 1 is a wireless communication system in which at least one embodiment of the present invention can be implemented. As shown in FIG. 1, the wireless communication system 100 includes a base station 120 supporting a corresponding service or coverage area 122 (also referred to as a cell). The base station 120 is also capable of communicating with wireless devices, such as user equipments 110A, 110B, within the coverage area. Although FIG. 1 depicts one base station 120 and two user equipments 110A, 110B, other quantities of base stations and user equipments may be implemented as well.
[0027] In some implementations, the base station 120 can be implemented as an evolved Node B (eNB) type base station consistent with standards, including the Long Term Evolution (LTE) standards. The user equipments 110A, 110B may be mobile and/or stationary. Moreover, the user equipments 110A, 110B may be referred to as, for example, devices, mobile stations, mobile units, subscriber stations, wireless terminals, terminals, or the like. The user equipment may be implemented as, for example, a wireless handheld device, a wireless plug-in accessory, or the like. For example, the user equipment may take the form of a wireless phone, a computer with a wireless connection to a network, or the like. In some cases, the user equipment may include one or more of the following: at least one processor, at least one computer-readable storage medium (e.g., memory, storage, and the like), a radio access mechanism, and a user interface. The wireless communication system 100 may include a core network 130. The core network 130 comprises the conventional network elements and functions of a cellular communication network, such as an MME 132 (Mobility Management Entity), an HSS (Home Subscriber Server) 134, etc. Network elements in the core network can be organized in a basic structure and operate in a basic way well known to one skilled in the art.
[0028] In embodiments of the present invention, the wireless communication system 100 is configured to further support network-controlled D2D communications. In this regard, a D2D feature is integrated into the public land mobile systems, such as the 3rd Generation Partnership Project (3GPP) as well as subsequent generations of cellular communication systems. The cellular communication systems, such as the eNB 120, MME 132 or other network elements, may be used to aid in the establishment and ongoing control of the D2D communications, e.g., radio resources allocation of the D2D communications, switch control, etc. In other words, the UEs can communicate with each other either via the cellular communication system (in particular via eNB 120), or via a direct D2D communication.
[0029] In addition, security protection of direct D2D communications can also be provided by virtue of the sophisticated security mechanisms of the cellular communication system. For example, key derivations for securing the direct D2D communications between UE1 110A and UE2 110B may be controlled by the MME 132 and HSS 134. This idea can be easily realized when UE1 and UE2 are both connected to the radio access network of the cellular communication system, e.g. stay in RRC connected mode. However, when one or both peers of the D2D communication are not connected to the radio access network, e.g. are in RRC (Radio Resource Control) idle mode, it becomes complex, as a D2D peer UE would be required to change to RRC connected mode just for the key derivations for D2D communication. Furthermore, it is impractical to keep both D2D UEs always in RRC connected mode, because this increases power consumption, which is a bottleneck for D2D UEs.
[0030] Accordingly, in a scenario in which one or both peer UEs of a D2D communication are in idle mode, the security provision for the D2D communication becomes an issue. Figure 1 illustrates an example of such a scenario, in which one D2D peer (UE2) is in RRC connected mode while the other D2D peer (UE1) is in RRC idle mode. It is appreciated that although there is no RRC connection between UE1 and eNB 120, there exists a valid security context (e.g. a NAS (Non Access Stratum) security context) for UE1 in the core network 130. In this regard, there may exist common keys shared between UE1 and the core network 130. For example, MME 132 may maintain a valid Access Security Management Entity key (denoted as Kasme) for UE1. This valid Kasme may be generated through an AKA (Authentication and Key Agreement) procedure when UE1 registers with the cellular communication system. By virtue of the valid security context maintained in the cellular communication system, consistent security keys can be established between UE1 and UE2 for D2D communications, without pushing the idle mode UE1 into RRC connected mode. In various embodiments, a new approach is provided to efficiently share a common security key for D2D communications between UE1 and UE2, by virtue of the valid security context. Some exemplary embodiments will be illustrated with reference to FIGs. 2 and 3.
[0031] FIG. 2 depicts an example timing diagram illustrating a procedure of security key derivation between D2D user equipments in idle mode according to an embodiment of the present invention. Referring to FIG. 2, UE1 110A and UE2 110B choose a suitable cell of a cellular communication system to perform a network-controlled D2D communication. UE1 and UE2 can camp on the cell 122 of eNB 120.
[0032] Then at 210A, UE1 stays in idle mode, for example for the lowest energy consumption. In other words, there is no RRC connection established between UE1 and eNB 120. For example, UE1 may stay in RRC idle mode as specified in the LTE protocols. As a device capable of D2D communication, UE1 can broadcast notifications for D2D services even while it stays in RRC idle mode. For example at 215, while staying in idle mode, UE1 broadcasts a notification for D2D services in a physical layer beacon, which comprises its identity, e.g. an IMEI (International Mobile Equipment Identity), an IMSI (International Mobile Subscriber Identity), or an S-TMSI (SAE Temporary Mobile Subscriber Identity) of UE1. The S-TMSI may be allocated to UE1 when UE1 camps on the cell 122 of eNB 120. Furthermore, UE1 can also broadcast its current mode in the beacon, for example with an indication that it is staying in RRC idle mode.
[0033] Then, one or more peer D2D UEs (e.g. UE2 110B) may detect the broadcast notification of D2D services from UE1 and decide to establish a D2D connection with UE1, at 220. From information in the detected notification, UE2 may learn that UE1 is staying in RRC idle mode, and then initiate a procedure of key derivation for the D2D connection according to various embodiments of the present invention. In some exemplary embodiments, UE2 may have an active RRC connection to the eNB 120 at that moment. For example, as shown at 210B, UE2 can stay in RRC connected mode. As such, UE2 can send a request for key derivation for the D2D connection to the core network (e.g. MME 132) by utilizing the active RRC connection between UE2 and eNB 120. The request comprises the identity of UE1, e.g. the S-TMSI of UE1, which may be obtained from the detected beacon. In some exemplary embodiments, the request may be transmitted to eNB 120 in an uplink RRC message, and in turn be forwarded from the eNB 120 to the MME 132 in an S1-AP (Application Protocol) message. In other exemplary embodiments, the request may be delivered to MME 132 as a NAS message which is transparent to eNB 120.
[0034] In response to receiving the request for key derivation, MME 132 can provide to UE2 a key for the D2D connection (also called the D2D key) and the parameter(s) used for deriving it. The D2D key is derived from the parameter(s) and a key shared between UE1 and the core network. In some exemplary embodiments, the parameter(s) for deriving the D2D key can be the S-TMSI of UE2. In some exemplary embodiments, MME 132 can generate a random number (denoted as RAND), and then derive the D2D key (denoted as Kd2d) from the RAND and a key which is shared between the core network and UE1. The parameter(s) for deriving the D2D key can be provided or generated according to the identity of UE1. For example, when UE1 first camped on the cell of eNB 120 after power on, the core network (i.e. the non-access stratum) registered UE1 and established consistent NAS security (e.g. a common NAS key) between UE1 and the core network. As a result, a valid NAS security context for UE1, comprising the common NAS key, is maintained in the core network, for example in MME 132 or HSS 134. For example, the NAS key shared between UE1 and MME 132 may be the Kasme of UE1, which may be retrieved based on the identity of UE1. Then, MME 132 sends the RAND and the Kd2d to UE2 via eNB 120, as shown at 240 and 245. The RAND and Kd2d can be ciphered and integrity protected with the NAS keys of UE2. Like the NAS key of UE1, the NAS key of UE2 is a key shared between the core network and UE2.
[0035] At 250, UE2 receives the parameter(s) (e.g. the RAND) for deriving the D2D key and the Kd2d from MME 132 via eNB 120, and then stores the Kd2d for securing D2D communications between UE1 and UE2. Then, UE2 forwards the parameter(s) (e.g. the RAND) for deriving the D2D key to UE1, as shown at 255.
[0036] With the parameter(s) (e.g. the RAND) for deriving the D2D key received from UE2, UE1 can derive the Kd2d from its Kasme and the parameter(s) (e.g. the RAND). As such, a common D2D key, Kd2d, can be shared between UE1 and UE2 without pushing UE1 from RRC idle mode into RRC connected mode. Only the RAND crosses the D2D link; the secrecy of Kd2d rests on Kasme, which stays with UE1 and the core network. The D2D key Kd2d can be used directly for securing the D2D communications between UE1 and UE2. Alternatively or additionally, Kd2d can be used to derive further keys for securing the D2D communication between UE1 and UE2.
[0037] In some embodiments, both D2D peer user equipments are in idle mode when they need to establish a D2D connection. FIG. 3 depicts an example of such a scenario. Most steps in the procedure of FIG. 3 are similar to the corresponding steps in the procedure of FIG. 2, except that UE2 stays in idle mode when detecting a notification of D2D services from UE1 and deciding to establish a D2D connection with UE1. Then, UE2 needs to transfer to RRC connected mode by initiating an RRC connection setup procedure towards eNB 120, as shown at 325. Through the established RRC connection, UE2 can request key derivation from MME 132 via eNB 120 using the same method illustrated in FIG. 2.
[0038] In some exemplary embodiments, the identity of UE1 can also be included in the messages initiating the RRC connection setup procedure. For example, the S-TMSI of UE1 can be transmitted to MME 132 in an RRC connection setup complete message, to request MME 132 to generate the required D2D security keys. In this example, since the RRC connection setup procedure is invoked just for a derivation of D2D keys, the cause value can differ from the legacy ones, such as service request, TAU (Tracking Area Update), attach, etc. Instead, it could be a new cause value, e.g. "D2D key derivation procedure", indicating that the RRC connection setup procedure is merely for a derivation of D2D keys, so that the radio access network and the core network (in particular eNB 120 and MME 132) need not perform any operations beyond enabling the derivation of D2D keys.
[0039] FIGs. 4, 5 and 6 are logic flowcharts that illustrate the operations of methods, and a result of executions of computer program instructions, in accordance with the example embodiments of this invention for security key derivations for a network-controlled D2D communication. More specifically, FIGs. 4, 5 and 6 describe a process flow between D2D peer user equipments, such as UE1 and UE2, and a network element of the core network, such as the MME 132. In such an embodiment, the processes can be implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 7. As such, a user equipment can provide means for accomplishing various parts of the process 400 and/or 500 as well as means for accomplishing other processes in conjunction with other components, and a network element of the core network can provide means for accomplishing various parts of the process 600 as well as means for accomplishing other processes in conjunction with other components.
[0040] In step 410, a user equipment (such as UE2 110B) receives a notification of D2D services from a peer user equipment (such as UE1 110A) which stays in idle mode. The notification of D2D services can be received by detecting physical layer beacons broadcast from UE1. From the notification, UE2 can determine that UE1 stays in idle mode.
[0041] In step 420, UE2 sends a request for a derivation of a D2D key to a network element of a core network (such as MME 132). The request comprises an identity of UE1.
[0042] Next in step 430, in response to the request, UE2 receives a random number and a D2D key, wherein the D2D key is derived by the network element based on the random number and a key, such as Kasme, shared between MME 132 and UE1.
[0043] Next in step 440, UE2 forwards the random number to UE1, so that UE1 can derive the common D2D key from the random number and its Kasme. Then, a D2D connection can be established between UE1 and UE2, and the D2D communications between UE1 and UE2 can be secured based on the common D2D key.
[0044] In step 510, a network element (such as MME 132) of a core network receives a request for a derivation of a D2D key from a user equipment (such as UE2), the request comprising an identity of a peer user equipment (such as UE1). Next in step 520, in response to the request, MME 132 can generate a random number, and derive a D2D key based on the random number and a key (e.g. Kasme) shared between MME 132 and UE1. Next in step 530, MME 132 sends the random number and the D2D key to UE2.
[0045] In step 610, a user equipment (such as UE1) which stays in idle mode sends a notification of D2D services to a peer user equipment (such as UE2). The notification of D2D services can be broadcast in physical layer beacons to UE2, and the beacons can comprise an indication that the user equipment is in idle mode.
[0046] Next in step 620, UE1 receives a random number from UE2, and then derives a D2D key based on the random number and a key (such as Kasme) shared between a network element (such as MME 132) of a core network and UE1. Based on the D2D key, a D2D connection between UE1 and UE2 can be established.
[0047] Now reference is made to FIG. 7 illustrating a simplified block diagram of various electronic devices that are suitable for use in practicing the exemplary embodiments of the present invention. In FIG. 7, a wireless communication network 700 may be adapted for communication with user equipments (such as UEs 110A and 110B) via a base station (such as an eNB 120). The network 700 may further include a network element (such as MME 132) for providing NAS security for the user equipments. The UEs 110A and 110B can perform cellular communication under the control of MME 132, via the eNB 120. Furthermore, UE1 110A and UE2 110B can perform a D2D communication directly with each other. The security of the D2D communication can be provided for UEs in idle mode according to the exemplary embodiments of the present invention as discussed above.
[0048] The UE1 110A includes a data processor (DP) 710A, a memory (MEM) 710B that stores a program (PROG) 710C, and a suitable radio frequency (RF) transceiver 710D for wireless communications with the eNB 120 via one or more antennas. In an exemplary embodiment, the transceiver 710D in the UE1 110A can be used for D2D communications in both a licensed band (e.g. cellular band) and an unlicensed band (e.g. WLAN band). Alternatively, the transceiver 710D can comprise separate components to support D2D communications in the licensed band (e.g. cellular band) and the unlicensed band (e.g. WLAN band) respectively.
[0049] The UE2 110B also includes a DP 720A, a MEM 720B that stores a PROG 720C, and a suitable RF transceiver 720D. In an exemplary embodiment, the transceiver 720D in the UE2 110B can be used for D2D communications in both a licensed band (e.g. cellular band) and an unlicensed band (e.g. WLAN band). Alternatively, the transceiver 720D can comprise separate components to support D2D communications in the licensed band (e.g. cellular band) and the unlicensed band (e.g. WLAN band) respectively.
[0050] The MME 132 also includes a DP 740A, a MEM 740B that stores a PROG 740C, and a suitable communication interface 740E. The communication interface 740E may be able to communicate with UE1 and UE2 via eNB 120. In some examples, the communication interface 740E may be used to transmit and receive information using protocols and methods associated with the network-controlled D2D communication.
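The exchange of FIG. 2 and FIG. 3, and the flowcharts 400, 500 and 600 above, modelled end to end as an added example; this is not code from the patent or from Nokia. The page names no algorithms, so the following are assumptions: the KDF is HMAC-SHA256 over a label and length-prefixed parameters (the style of 3GPP's generic KDF), RAND is 128 bits and Kd2d 256 bits, the NAS ciphering and integrity protection of the MME's reply is a stand-in built from the same HMAC-based PRF (not the 3GPP EEA/EIA algorithms), and the S-TMSIs and Kasme values are constructed. The MME only ever releases a RAND and the Kd2d derived from it; UE1's Kasme never leaves the core network, which is why the RAND can be forwarded over the unprotected D2D link:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RAND_LEN = 16  # assumption: 128-bit RAND
TAG_LEN = 16   # assumption: 128-bit NAS integrity tag

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 over a label plus length-prefixed parameters (assumed KDF, not named by the page)."""
    data = label
    for p in params:
        data += len(p).to_bytes(2, "big") + p
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_kd2d(kasme: bytes, rand: bytes) -> bytes:
    """Kd2d = KDF(Kasme, RAND): run by the MME for UE2 and, independently, by the idle UE1."""
    return kdf(kasme, b"D2D-key", rand)

def _keystream(k_enc: bytes, count: int, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += kdf(k_enc, b"NAS-keystream", count.to_bytes(4, "big"), block.to_bytes(4, "big"))
        block += 1
    return out[:n]

def nas_protect(kasme: bytes, count: int, plaintext: bytes) -> bytes:
    """Cipher and integrity-protect a NAS payload with keys derived from the receiving UE's Kasme."""
    k_enc, k_int = kdf(kasme, b"NAS-enc"), kdf(kasme, b"NAS-int")
    hdr = count.to_bytes(4, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, count, len(plaintext))))
    return hdr + ct + kdf(k_int, b"NAS-mac", hdr, ct)[:TAG_LEN]

def nas_unprotect(kasme: bytes, msg: bytes) -> bytes:
    """Check the tag before deciphering; any modification raises ValueError."""
    hdr, ct, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
    k_enc, k_int = kdf(kasme, b"NAS-enc"), kdf(kasme, b"NAS-int")
    if not hmac.compare_digest(tag, kdf(k_int, b"NAS-mac", hdr, ct)[:TAG_LEN]):
        raise ValueError("NAS integrity check failed")
    count = int.from_bytes(hdr, "big")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, count, len(ct))))

class MME:
    """Keeps the valid NAS security context (Kasme) of each attached UE, keyed by S-TMSI."""
    def __init__(self) -> None:
        self.contexts, self.nas_count = {}, {}

    def attach(self, stmsi: bytes, kasme: bytes) -> None:
        self.contexts[stmsi] = kasme  # stands in for the AKA run at registration

    def handle_d2d_key_request(self, requester: bytes, peer: bytes) -> bytes:
        """Steps 510-530: fresh RAND, Kd2d from the peer's Kasme, both returned under the requester's NAS keys."""
        peer_kasme = self.contexts.get(peer)
        if peer_kasme is None:
            raise LookupError("no valid security context for the peer identity")
        rand = secrets.token_bytes(RAND_LEN)
        kd2d = derive_kd2d(peer_kasme, rand)
        count = self.nas_count.get(requester, 0)
        self.nas_count[requester] = count + 1
        # UE1's Kasme never leaves the MME; only RAND and the derived Kd2d go to UE2.
        return nas_protect(self.contexts[requester], count, rand + kd2d)

@dataclass
class UE:
    stmsi: bytes
    kasme: bytes          # shared with the MME (constructed here, normally from AKA)
    rrc_connected: bool
    kd2d: bytes = b""

    def beacon(self) -> dict:
        """Steps 215/610: physical-layer beacon with the identity and an idle-mode indication."""
        return {"stmsi": self.stmsi, "idle": not self.rrc_connected}

    def request_d2d_key(self, beacon: dict, mme: MME) -> bytes:
        """UE2 role, steps 420-440: fetch (RAND, Kd2d) from the MME and return RAND for forwarding."""
        if not self.rrc_connected:
            # FIG. 3: UE2 is idle as well and first sets up an RRC connection (cause "D2D key derivation procedure")
            self.rrc_connected = True
        plain = nas_unprotect(self.kasme, mme.handle_d2d_key_request(self.stmsi, beacon["stmsi"]))
        rand, self.kd2d = plain[:RAND_LEN], plain[RAND_LEN:]
        return rand

    def derive_from_rand(self, rand: bytes) -> None:
        """UE1 role, step 620: derive Kd2d from the forwarded RAND without leaving idle mode."""
        self.kd2d = derive_kd2d(self.kasme, rand)

def run_exchange(ue2_connected: bool = True):
    """Whole FIG. 2 (ue2_connected=True) or FIG. 3 (False) exchange with constructed S-TMSIs and keys."""
    mme = MME()
    ue1 = UE(b"\x00\x00\x00\x01", secrets.token_bytes(32), rrc_connected=False)
    ue2 = UE(b"\x00\x00\x00\x02", secrets.token_bytes(32), rrc_connected=ue2_connected)
    mme.attach(ue1.stmsi, ue1.kasme)
    mme.attach(ue2.stmsi, ue2.kasme)
    beacon = ue1.beacon()                    # 215: UE1 advertises D2D services while idle
    rand = ue2.request_d2d_key(beacon, mme)  # 220-250: UE2 obtains RAND and Kd2d from the MME
    ue1.derive_from_rand(rand)               # 255: only RAND crosses the (unprotected) D2D link
    return ue1, ue2, rand
```

`run_exchange()` returns both UEs holding the same Kd2d with UE1 never having left idle mode; `run_exchange(ue2_connected=False)` is the FIG. 3 variant in which UE2 transitions to connected mode first. The MME rejects a request naming a peer for which it holds no security context, and a reply altered in transit fails the NAS integrity check before anything is deciphered. Whether the MME should honour a key request from an arbitrary UE for an arbitrary peer identity is a policy question the page leaves open, so the model does not decide it.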
[0051] Some functions of the eNB 120 may be implemented with a digital signal processor, memory, and computer programs for executing computer processes. The basic structure and operation of the eNB 120 are known to one skilled in the art, and thus it is shown as a block in order to avoid unnecessarily obscuring the invention.
[0052] At least one of the PROGs 710C, 720C, 740C is assumed to include program instructions that, when executed by the associated DP, enable the electronic device to operate in accordance with the exemplary embodiments of this invention, as discussed above. That is, the exemplary embodiments of this invention may be implemented at least in part by computer software executable by the DP 710A of the UE1 110A, by the DP 720A of the UE2 110B, and by the DP 740A of the MME 132, or by hardware, or by a combination of software and hardware. The basic structure and operation of UE1 110A, UE2 110B, and MME 132 are known to one skilled in the art.
[0053] In general, the various embodiments of the UEl 110A and UE2 HOB can include, but are not limited to, cellular telephones, personal digital assistants (PDAs) having cellular wireless communication capabilities, portable computers having cellular wireless communication capabilities, image capture devices such as digital cameras having wireless communication capabilities, gaming devices having cellular wireless communication capabilities, music storage and playback appliances having cellular wireless communication capabilities, Internet appliances permitting cellular wireless Internet access and browsing, as well as portable units or terminals that incorporate combinations of such functions.
[0054] The MEMs 710B, 720B, 740B may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, flash memory, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory. The DPs 710A, 720A, 740A may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multi-core processor architectures, as non-limiting examples.
[0055] In general, the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto. While various aspects of the exemplary embodiments of this invention may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
[0056] As such, it should be appreciated that at least some aspects of the exemplary embodiments of the inventions may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this invention may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this invention.
[0057] It should be appreciated that at least some aspects of the exemplary embodiments of the inventions may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc. As will be appreciated by one of skill in the art, the function of the program modules may be combined or distributed as desired in various embodiments. In addition, the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.
[0058] The present invention includes any novel feature or combination of features disclosed herein either explicitly or any generalization thereof. Various modifications and adaptations to the foregoing exemplary embodiments of this invention may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings. However, any and all modifications will still fall within the scope of the non-limiting and exemplary embodiments of this invention.

Claims

WHAT IS CLAIMED IS:
1. A method, comprising:
receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode;
sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment;
receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and
forwarding the random number to the peer user equipment.
2. A method of claim 1, wherein the notification of device-to-device services is received by detecting physical layer beacons broadcasted from the peer user equipment.
3. A method of claim 1, further comprising:
establishing a device-to-device connection with the peer user equipment based on the device-to-device key.
4. A method of claim 1, further comprising:
in response to receiving the notification, initiating a radio resource control connection setup procedure to enable the sending of the request.
5. A method, comprising:
receiving at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment;
in response to the request, deriving a device-to-device key based on a key shared between the network element and the peer user equipment and a random number; and
sending the random number and the device-to-device key to the user equipment.
6. A method of claim 5, wherein the network element is a mobility management entity.
7. A method, comprising:
sending at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment;
receiving a random number from the peer user equipment; and
deriving a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
8. A method of claim 7, wherein the notification of device-to-device services is broadcasted in physical layer beacons.
9. A method of claim 7, further comprising:
establishing a device-to-device connection with the peer user equipment based on the device-to-device key.
10. An apparatus comprising:
at least one processor; and
at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode;
send a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment;
receive a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and
forward the random number to the peer user equipment.
11. An apparatus of claim 10, wherein the notification of device-to-device services is received by detecting physical layer beacons broadcasted from the peer user equipment.
12. An apparatus of claim 10, wherein the apparatus is further caused to establish a device-to-device connection with the peer user equipment based on the device-to-device key.
13. An apparatus of claim 10, wherein the apparatus is further caused to, in response to receiving the notification, initiate a radio resource control connection setup procedure to enable the sending of the request.
14. An apparatus comprising:
at least one processor; and
at least one memory including computer program code,
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
receive at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment;
in response to the request, derive a device-to-device key based on a key shared between the network element and the peer user equipment and a random number; and
send the random number and the device-to-device key to the user equipment.
15. An apparatus of claim 14, wherein the network element is a mobility management entity.
16. An apparatus comprising:
at least one processor; and
at least one memory including computer program code,
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:
send at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment;
receive a random number from the peer user equipment; and
derive a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
17. An apparatus of claim 16, wherein the notification of device-to-device services is broadcasted in physical layer beacons.
18. An apparatus of claim 16, wherein the apparatus is further caused to establish a device-to-device connection with the peer user equipment based on the device-to-device key.
19. A computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the following:
receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode;
sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment;
receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and
forwarding the random number to the peer user equipment.
20. A computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the following:
receiving at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment;
in response to the request, deriving a device-to-device key based on a key shared between the network element and the peer user equipment and a random number; and
sending the random number and the device-to-device key to the user equipment.
21. A computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the following:
sending at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment;
receiving a random number from the peer user equipment; and
deriving a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
22. An apparatus comprising:
means for receiving at a user equipment, a notification of device-to-device services from a peer user equipment which stays in idle mode;
means for sending a request for a derivation of device-to-device key to a network element of a core network, the request comprising an identity of the peer user equipment;
means for receiving a random number and a device-to-device key in response to the request, wherein the device-to-device key is derived by the network element based on the random number and a key shared between the network element and the peer user equipment; and
means for forwarding the random number to the peer user equipment.
23. An apparatus comprising:
means for receiving at a network element of a core network, a request for a derivation of device-to-device key from a user equipment, the request comprising an identity of a peer user equipment of the user equipment;
means for deriving, in response to the request, a device-to-device key based on a key shared between the network element and the peer user equipment and a random number; and
means for sending the random number and the device-to-device key to the user equipment.
24. An apparatus comprising:
means for sending at a user equipment in idle mode, a notification of device-to-device services to a peer user equipment;
means for receiving a random number from the peer user equipment; and
means for deriving a device-to-device key based on the random number and a key shared between a network element of a core network and the user equipment.
25. A computer program product including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform the steps of a method of any one of claims 1-9.
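The three independent methods above (claims 1, 5 and 7) together form one key-establishment exchange: the idle UE2 beacons, UE1 asks the MME for a key naming UE2's identity, the MME derives the D2D key from UE2's shared key and a fresh random number and returns both to UE1, and UE1 forwards only the random number so UE2 can derive the same key itself. The simulation below is an added example written for this page, not code from the patent or from Nokia. Everything it fixes that the claims leave open is an assumption: the KDF (HMAC-SHA256 with a fixed label over the random number), a 16-byte random number, the identity strings, and plain dictionaries for the three messages. Two points a practitioner would check are built in: the MME refuses a request that names an identity it holds no key for, and the D2D key is never handed to UE2 over the air, only the random number is. Note that the claims say nothing about how the key itself is protected on the MME-to-UE1 leg or about freshness of the random number on the D2D leg; the example does not add either, so those remain deployment questions outside the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def derive_d2d_key(shared_key: bytes, rand: bytes) -> bytes:
    """KDF for the D2D key (assumed: HMAC-SHA256 with a fixed label).

    The page only says the key is "derived ... based on the random number
    and a key shared between the network element and the peer user
    equipment"; the concrete construction here is this example's choice.
    """
    return hmac.new(shared_key, b"D2D-key" + rand, hashlib.sha256).digest()


@dataclass
class MME:
    """Core-network element of claims 5/6: one key per subscriber identity."""
    subscriber_keys: Dict[str, bytes] = field(default_factory=dict)

    def handle_key_request(self, request: dict) -> dict:
        peer_id = request["peer_identity"]
        shared_key = self.subscriber_keys.get(peer_id)
        if shared_key is None:
            # Refuse rather than derive from a made-up key: the requester
            # must not be able to obtain a key for an identity the MME
            # does not hold.
            raise ValueError("unknown peer identity: %r" % peer_id)
        rand = secrets.token_bytes(16)  # assumed size; the page gives none
        return {"random": rand, "d2d_key": derive_d2d_key(shared_key, rand)}


@dataclass
class IdleUE:
    """UE2 of claim 7: idle, announces D2D service, never contacts the MME."""
    identity: str
    shared_key: bytes  # key shared with the MME
    d2d_key: Optional[bytes] = None

    def beacon(self) -> dict:
        # Physical-layer beacon carrying the D2D service notification (claim 8).
        return {"type": "d2d_beacon", "identity": self.identity}

    def receive_random(self, rand: bytes) -> bytes:
        # Claim 7: derive the same key locally from the forwarded random number.
        self.d2d_key = derive_d2d_key(self.shared_key, rand)
        return self.d2d_key


@dataclass
class ConnectedUE:
    """UE1 of claim 1: detects the beacon, asks the MME, forwards the random."""
    identity: str
    d2d_key: Optional[bytes] = None

    def on_beacon(self, beacon: dict, mme: MME, peer: IdleUE) -> bytes:
        # Claim 1, step 2: request naming the peer's identity, to the core network.
        request = {"type": "d2d_key_request",
                   "requester": self.identity,
                   "peer_identity": beacon["identity"]}
        response = mme.handle_key_request(request)
        # Step 3: UE1 receives both the random number and the derived key.
        self.d2d_key = response["d2d_key"]
        # Step 4: only the random number crosses the D2D link to the idle peer.
        peer.receive_random(response["random"])
        return self.d2d_key


def run_exchange() -> Tuple[bytes, bytes]:
    """Run one full exchange on constructed keys; returns (UE1 key, UE2 key)."""
    k_ue2 = bytes.fromhex("0f" * 32)  # constructed sample key, not real data
    mme = MME(subscriber_keys={"ue2@example": k_ue2})
    ue2 = IdleUE(identity="ue2@example", shared_key=k_ue2)
    ue1 = ConnectedUE(identity="ue1@example")
    ue1.on_beacon(ue2.beacon(), mme, ue2)
    return ue1.d2d_key, ue2.d2d_key


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys match:", k1 == k2, "length:", len(k1))
```

Running it shows both sides ending with the same 32-byte key although UE1 never saw UE2's shared key and UE2 never saw the MME's response; a request for an identity the MME does not know raises instead of returning key material.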
PCT/CN2013/073658 2013-04-02 2013-04-02 Methods and apparatus for securing device-to-device communications WO2014161155A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/073658 WO2014161155A1 (en) 2013-04-02 2013-04-02 Methods and apparatus for securing device-to-device communications

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/073658 WO2014161155A1 (en) 2013-04-02 2013-04-02 Methods and apparatus for securing device-to-device communications

Publications (1)

Publication Number Publication Date
WO2014161155A1 true WO2014161155A1 (en) 2014-10-09

Family

ID=51657406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/073658 WO2014161155A1 (en) 2013-04-02 2013-04-02 Methods and apparatus for securing device-to-device communications

Country Status (1)

Country Link
WO (1) WO2014161155A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9660804B2 (en) 2013-06-26 2017-05-23 Nokia Technologies Oy Methods and apparatus for generating keys in device-to-device communications
US10462660B2 (en) 2014-05-12 2019-10-29 Nokia Technologies Oy Method, network element, user equipment and system for securing device-to-device communication in a wireless network
WO2020146974A1 (en) * 2019-01-14 2020-07-23 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1713207A (en) * 2005-07-15 2005-12-28 旭德数字股份有限公司 Data fetcher with multiple verifying functions and verifying system
CN1787513A (en) * 2004-12-07 2006-06-14 上海鼎安信息技术有限公司 System and method for safety remote access
CN101202621A (en) * 2006-12-13 2008-06-18 联想(北京)有限公司 Method and system for security verification of data among non-contact equipments

Similar Documents

Publication Publication Date Title
US9660804B2 (en) Methods and apparatus for generating keys in device-to-device communications
CN108990038B (en) Operator-assisted device-to-device (D2D) discovery
US9386617B2 (en) Discovery and operation of hybrid wireless wide area and wireless local area networks
US9674682B2 (en) Enabling D2D functionality for public safety applications
US20180026958A1 (en) Fast-accessing method and apparatus
EP3143785B1 (en) Securing device-to-device communication in a wireless network
EP3050374B1 (en) Methods and apparatus of key pairing for d2d devices under different d2d areas
KR102415681B1 (en) Communication method and communication device
EP2936876B1 (en) Methods and apparatus for differencitating security configurations in a radio local area network
GB2497579A (en) Sending a message about a change of capability of a device in D2D communication to a base station and whether the change is temporal or periodical
WO2017113063A1 (en) Nas message processing and cell list updating methods and devices
US11283770B2 (en) Deriving a security key for relayed communication
US20230209416A1 (en) Wireless communication method, terminal device, and network device
TW201804840A (en) Method and device for transmitting information
WO2014161155A1 (en) Methods and apparatus for securing device-to-device communications
CN116235570A (en) Methods and apparatus for initial uplink transmission at a user equipment in wireless communication using an inactive state of a pre-configured grant
GB2621559A (en) Apparatus, method and computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13881288; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13881288; Country of ref document: EP; Kind code of ref document: A1)