WO2017026930A1 - Methods and devices enabling privacy enhancement in networks - Google Patents


Info

Publication number
WO2017026930A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
sta
mac address
message
encryption
Prior art date
Application number
PCT/SE2015/050865
Other languages
English (en)
Inventor
Guido Hiertz
Filip MESTANOV
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/SE2015/050865
Publication of WO2017026930A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
                  • H04L9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/03 Protecting confidentiality, e.g. by encryption
              • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W12/041 Key generation or derivation
          • H04W48/00 Access restriction; Network selection; Access point selection
            • H04W48/20 Selecting an access point
          • H04W84/00 Network topologies
            • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
              • H04W84/10 Small scale networks; Flat hierarchical networks
                • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the proposed technology generally relates to methods, devices and computer programs for operating mobile stations and access points. It relates more specifically to methods, devices and computer programs that enhance security features in Wireless Local Area Networks, WLANs.
  • Wi-Fi, also known as WLAN (the two terms are used interchangeably throughout this document), is standardized in the 802.11 specifications [4].
  • Wi-Fi is a technology that currently mainly operates in the 2.4 GHz or the 5 GHz band.
  • the IEEE 802.11 specifications regulate the access points' and wireless terminals' physical layer, Medium Access Control, MAC, layer and other aspects in order to secure compatibility and inter-operability between access points and portable terminals, hereafter referred to as STAs.
  • Wi-Fi generally operates in unlicensed bands.
  • Wi-Fi is commonly used as wireless extensions to fixed broadband access, e.g., in domestic environments and hotspots, like airports, train stations, and restaurants.
  • the MAC address of a station is a unique identifier that is assigned to the wireless network interface.
  • the MAC address has a length of 6 bytes, organized as shown in FIG. 1.
  • the STA's MAC address is exposed every time a STA decides to transmit a frame. In that sense, a WLAN network node can obtain the MAC address of the STA with every frame that is received from that STA.
  • the MAC address associated to a particular mobile device is in general kept unchanged. However, recent events have shown that in some situations, the use of the same MAC address might compromise privacy and allow for user location tracking. In order to overcome this drawback, some mobile device vendors have come up with mechanisms that allow the mobile device to change its MAC address in order to prevent user location tracking.
  • the STA will need to use its permanent MAC address in order to enable smart network functionality, while in others it will need to change its MAC address to prevent user tracking.
  • a method for operating a mobile station, STA having an assigned MAC address.
  • the method comprises the step of obtaining an access point's public key for encryption, the access point being an access point with which the STA intends to exchange data.
  • the method also comprises the step of encrypting the MAC address assigned to the STA by utilizing at least the obtained public key for encryption.
  • the method also comprises the step of creating, based on the encrypted MAC address, a message for transmission to the access point to enable the access point to decrypt the encrypted MAC address to obtain the MAC address assigned to the STA.
  • a method for operating an access point comprises the step of providing the access point's public key for encryption to a mobile station, STA, that intends to exchange data with the access point.
  • the method also comprises the step of receiving a message from the STA, the received message being based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the method also comprises the step of decrypting, by utilizing at least the access point's private key, at least part of the message in order to obtain the MAC address assigned to the STA.
  • a mobile station having an assigned MAC address.
  • the STA is configured to obtain an access point's public key for encryption, the access point being an access point with which the STA intends to exchange data.
  • the STA is also configured to encrypt the MAC address assigned to the STA by utilizing at least the obtained public key for encryption.
  • the STA is also configured to create, based on the encrypted MAC address, a message for transmission to the access point to enable the access point to decrypt the encrypted MAC address to obtain the MAC address assigned to the STA.
  • an access point that is configured to provide the access point's public key for encryption to a mobile station, STA, that intends to exchange data with the access point.
  • the access point is also configured to receive a message from the STA, where the message is based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the access point is also configured to decrypt, by utilizing at least the access point's private key, at least part of the message in order to obtain the MAC address assigned to the STA.
  • the computer program comprises instructions, which when executed by at least one processor, cause the processor(s) to read a message from the STA, said message being based on a MAC address that has been encrypted by utilizing at least the access point's public key;
  • a STA comprises an input module for obtaining an access point's public key for encryption, the access point being an access point with which the STA intends to exchange data.
  • the STA also comprises an encryption module for encrypting the MAC address assigned to the STA by utilizing at least the obtained public key for encryption.
  • the STA also comprises a message creating module for creating, based on the encrypted MAC address, a message for transmission to the access point to enable the access point to decrypt the encrypted MAC address to obtain the MAC address assigned to the STA.
  • an access point comprises an output module for outputting the access point's public key for encryption to be provided to a mobile station, STA, that intends to exchange data with the access point.
  • the access point also comprises a reading module for reading a message received from the STA, the message being based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the access point also comprises a decrypting module for decrypting, by utilizing at least the access point's private key, at least part of the read message in order to obtain the MAC address assigned to the STA.
  • FIG. 1a is a schematic illustration of the organization of a MAC address.
  • FIG. 1b is a schematic illustration of a common encryption procedure.
  • FIG. 2 is a flow diagram illustrating a method for operating a mobile station, STA, according to the proposed technology.
  • FIG. 3 is a signaling diagram illustrating the signaling for a particular embodiment of the proposed technology, wherein the access point's public key for encryption is provided to the STA by means of a management frame.
  • FIG. 4 is a signaling diagram illustrating an alternative embodiment of the proposed technology, wherein the STA, in addition to the public key, uses random data, also known as salt, to encrypt the MAC address; the random data used is transmitted to the access point by means of a management frame.
  • FIG. 5 is a signaling diagram illustrating a particular embodiment of the proposed technology wherein the public key is requested by means of a probe request transmitted from the STA. The public key is then transmitted to the STA by means of a probe response. A message comprising the encrypted MAC address is then transmitted to the access point.
  • FIG. 6 is a schematic flow diagram illustrating a method for operating an access point according to the proposed technology.
  • FIG. 7 is a signaling diagram illustrating the initial connection between a mobile station, STA, and an access point, in this particular case a Wi-Fi access point.
  • FIG. 8 is a signaling diagram illustrating a possible connection procedure for a particular embodiment of the proposed technology.
  • FIG. 9 is a signaling diagram illustrating a possible connection procedure for another particular embodiment of the proposed technology.
  • FIG. 10 is a signaling diagram illustrating a possible connection procedure for still another particular embodiment of the proposed technology.
  • FIG. 11 is a signaling diagram illustrating a possible connection procedure for yet another particular embodiment of the proposed technology.
  • FIG. 12 is a block diagram illustrating a possible embodiment for either a STA or an access point according to the proposed technology.
  • FIG. 13 is a block diagram illustrating another possible embodiment for either a STA or an access point according to the proposed technology
  • FIG. 14 is a block diagram illustrating how a computer program and a computer program product according to the proposed technology can be used in a STA.
  • FIG. 15 is a block diagram illustrating how a computer program and a computer program product according to the proposed technology can be used in an access point.
  • FIG. 16 is an illustration of an alternative embodiment of a mobile station according to the proposed technology.
  • FIG. 17 is an illustration of an alternative embodiment of an access point according to the proposed technology.
  • Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
  • the public key is used to encrypt plaintext or to verify a digital signature, whereas the private key is used to decrypt ciphertext or to create a digital signature.
  • the term asymmetric stems from the use of different keys to perform these opposite functions, each the inverse of the other, as contrasted with conventional "symmetric" cryptography, which relies on the same key to perform both.
  • the process of sending the information from the Sender to the Recipient, shown in FIG. 1B, has in an example scenario the following steps:
  • the Sender has Plaintext information that it would like to send to the Recipient, without anybody else being able to understand the information.
  • the Sender uses the Recipient's Public key to encrypt its Plaintext information, and the result is an Encrypted message that can be sent over an unsecured communication channel.
  • the Recipient receives the Encrypted message, decrypts it with its Private key and thus obtains the original Plaintext message sent by the Sender.
  • Wi-Fi devices tend to use the same identifier (i.e., MAC address) when connecting to different networks and this identifier does not change over time.
  • some Wi-Fi device vendors have lately adopted measures in order to improve user privacy by periodically changing the MAC address of the device.
  • One such example is the MAC address randomization feature of Apple's iOS 8: every time a new connection is initiated, iPhones change their MAC address in probe frames when searching for nearby networks. Once a wanted network is found, the iPhone connects using its MAC address, see ref [6].
  • Some networks require the device to use the same identifier every time it connects in order to fetch previously stored information associated with that device (i.e., device's or user's context).
  • the method according to the proposed technology encrypts the device's true MAC address so that a random MAC address can be used as a placeholder.
  • the random MAC address is visible to the outside and can be observed by an attacker.
  • the device's true MAC address is never exposed and is used to provide a mapping to the current, random MAC address.
  • the STA uses a public key to encrypt its MAC address.
  • the public key may be obtained from the network to which the STA would like to connect. It is however foreseeable that the public key can be obtained from some other public provider. The important feature is that the STA gets hold of the public key of the network to which it would like to connect.
  • the proposed method provides the device with the opportunity to use apparently random MAC addresses, while at the same time providing the network with a means to always be able to obtain the device's true MAC address, to which it can associate a user context. Therefore, two different things are achieved at the same time: the user's privacy is improved, since a random MAC address can be used for WLAN association and only the random MAC address is visible to an external observer, and the network has means of obtaining the device's true MAC address, so that the network can use stored user context in order to improve the user experience.
  • the proposed technology provides, in broad terms, methods that make it possible to anonymize a mobile station, STA, and its unique MAC address while at the same time providing a unique identifier to an access point, AP, or a network, respectively.
  • the network or AP uses the unique identifier to provide or to enable certain configuration with this STA.
  • an outside attacker cannot identify the STA and/or trace it, since the STA has the ability to select a different MAC address with every network that it connects to, and/or for the duration of its connection to the network, and/or change it at arbitrary times and inform the AP about this change.
  • the proposed technology provides a method for operating a mobile station, STA, having an assigned MAC address.
  • the method comprises the step S1 of obtaining an access point's public key for encryption, the access point being an access point with which the STA intends to exchange data.
  • the method also comprises the step S2 of encrypting the MAC address assigned to the STA by utilizing at least the obtained public key for encryption.
  • the method also comprises the step S3 of creating, based on the encrypted MAC address, a message for transmission to the access point to enable the access point to decrypt the encrypted MAC address to obtain the MAC address assigned to the STA.
  • the method has been illustrated in flow diagram form in FIG.2.
  • a STA 100 gets hold of the public encryption key of an access point 200 with which it intends to communicate and exchange data. This is done in step S1.
  • the key could for example be obtained from the access point 200, which will be described in detail below, or it could be obtained in some other way; it could for example be obtained from the STA's own memory, where it may have been stored from an earlier visit.
  • the method proceeds and encrypts, in a step S2, the MAC address that is assigned to the STA 100.
  • the address to be encrypted is the true MAC address of the STA 100 and the unencrypted MAC address is the proper identifier of the STA.
  • the method proceeds and creates S3 a message to be transmitted to the access point.
  • the created message carries information about the encrypted MAC address and by providing the access point with such a message will enable the access point to decrypt the encrypted MAC address in order to identify the true, or originally assigned, MAC address of the STA.
  • Having obtained the true identity of the STA, the access point has all that is needed to utilize information stored about the particular STA in order to provide smart and quick network functionality.
  • the method provides a secure procedure by utilizing encrypted MAC addresses while at the same time enabling the same smart network functionality that can be used with MAC addresses that are initially known to the access point.
  • the step S1 of obtaining the access point's public key for encryption comprises extracting the access point's public key from a management frame transmitted from the access point.
  • Management frames are used mostly for configuration. These configurations could therefore be seen as a prerequisite for becoming able to communicate with each other. Management frames may therefore be seen as frames that enable stations to communicate with each other.
  • One particular example of such a frame is a beacon frame.
  • the access point will periodically send a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to STAs that are within range.
  • the STAs will continually scan radio channels and listen for beacons as the basis for choosing a particular access point to associate with.
  • the beacon frame may therefore carry the access point's public key for encryption.
  • a management frame is a probe request frame.
  • a mobile station, STA sends a probe request frame when it needs to obtain information from an AP or another station. For example, a STA may send a probe request to determine which access points are within range. A station will respond to the probe request with a probe response frame. This frame may contain capability information, etc.
  • the access point's public encryption key may be provided by means of a beacon frame that has been transmitted from the access point and received by the STA.
  • a signaling diagram illustrating the signaling between a STA 100 and an access point 200 is illustrated in FIG.3.
  • the proposed technology provides a method wherein the step S1 of obtaining the access point's public key for encryption comprises to perform a probe request in order to obtain the access point's public key for encryption via a probe response frame.
  • Probe request and probe response frames provide other examples of management frames.
  • a mobile station, STA sends a probe request frame when it needs to obtain information from another station or AP.
  • a STA may send a probe request to determine which access points are within range.
  • An AP will respond to the probe request with a probe response frame. This frame may contain capability information, etc.
  • a STA may send a probe request to an access point; the access point will interpret the probe request as, among other things, a request for obtaining the access point's public key for encryption.
  • the access point may thus respond by sending a probe response frame that comprises the public key.
  • a signaling diagram illustrating this is provided by FIG.5.
  • An optional embodiment of the proposed technology provides a method wherein the step S2 of encrypting the MAC address assigned to the STA comprises utilizing random data, also referred to as salt, in addition to the access point's public key for encryption, in order to generate a different encrypted MAC address for each distinct encryption of the MAC address.
  • a possible version of the above embodiment provides a method wherein the method further comprises communicating the random data to the access point in a message where the identifier of the STA is the encrypted MAC address. That is, the STA encrypts its MAC address in a step S2, then creates a message that has the encrypted MAC address as an identifier. This message also comprises the random data, salt, that was used to encrypt the MAC address. The STA then transmits the message to the access point, thus enabling the access point to extract the random data and decrypt the MAC address of the transmitter.
  • a signaling diagram illustrating this is given in FIG. 4.
  • Another possible embodiment provides a method wherein the random data is communicated to the access point via a management frame.
  • a particular example is given by a management frame in the form of a probe request. The general procedure was described above.
  • step S2 of encrypting the MAC address assigned to the STA comprises utilizing the STA's private key for encryption in addition to the access point's public key for encryption.
  • a method that further comprises providing the STA's public key for encryption to the access point.
  • a possible exemplary embodiment of the proposed technology provides a method wherein the STA's public key for encryption is provided to the access point in the form of an information element added to a management frame.
  • the step S3 of creating a message for transmission to the access point comprises to create a message having the encrypted MAC address as an identifier to enable the access point to decrypt the encrypted MAC address and identify the MAC address assigned to the STA.
  • the method creates, in a step S3, a message to be transmitted to the access point.
  • the created message has as an identifier the encrypted MAC address.
  • the access point will be able to determine the proper, or originally assigned, true MAC address of the STA by decrypting the MAC address used as an identifier in the received message. If the encrypted MAC address is decrypted the access point will be able to identify the true STA and utilize information stored for this STA to provide a quicker and smarter network functionality.
  • the step S3 of creating a message for transmission to the access point comprises to create a message that comprises the encrypted MAC address and utilizes a generated random MAC address as identifier to enable the access point to decrypt the encrypted MAC address and obtain a mapping between the MAC address and the generated random MAC address used as an identifier.
  • the encrypted MAC address could be added to the message in the form of an information element comprising the encrypted MAC address.
  • a STA utilizes a randomly generated MAC address to be used as an identifier in a message to be transmitted to the access point.
  • the message is then created and the message comprises the encrypted MAC address, the true or originally assigned, MAC address of the STA.
  • the access point will receive the message and decrypt the relevant part of the message, the part that carries the encrypted MAC address, to obtain the information needed to correctly identify the STA.
  • the access point is able to obtain or construct a mapping between the randomly generated MAC address used by the STA and the correct, or true, MAC address of the STA. The access point may then utilize this mapping to correctly identify the STA in future communication.
  • Still another possible embodiment provides a method that comprises the further step of transmitting the created message to the access point with which the STA intends to exchange data.
  • the proposed technology provides a method for operating an access point.
  • the method comprises the step S10 of providing the access point's public key for encryption to a mobile station, STA, that intends to exchange data with the access point.
  • the method also comprises the step S20 of receiving a message from the STA, the received message being based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the method also comprises the step S30 of decrypting, by utilizing at least the access point's private key, at least part of the message in order to obtain the MAC address assigned to the STA.
  • a flow diagram illustrating the proposed method is given in FIG.6.
  • an access point provides its public key for encryption to a mobile station, STA.
  • the public key should be used by the STA to encrypt the STAs MAC address.
  • the method then proceeds and the access point receives a message from the STA.
  • the message comprises a MAC address that has been encrypted by utilizing at least the public key. After having received the message, the method proceeds and decrypts the encrypted MAC address using the private key of the access point. Having decrypted the MAC address, the access point is able to correctly identify the STA behind the encrypted MAC address and utilize information about the STA to improve the network functionality.
  • the method is a complementary method to the method for operating a mobile station as described earlier. As such it provides the same overarching advantages.
  • the access point's public key for encryption is provided to the STA by means of a public communication channel.
  • Another possible embodiment of the proposed technology provides a method wherein the access point's public key for encryption is provided to the STA by means of a management frame transmitted to the STA. It could for example be provided by means of an information element added to the particular management frame.
  • Yet another possible embodiment of the proposed method provides a method wherein the step S20 of receiving a message from the STA comprises receiving a message comprising the STA's private key for encryption.
  • the step S30 of decrypting comprises decrypting the encrypted MAC address of the STA utilizing both the private key of the access point and the received private key of the STA.
  • a particular embodiment of the proposed technology provides for a method wherein the step S30 of decrypting the message comprises decrypting, by utilizing the access point's private key, the MAC address of the received message in order to find the MAC address assigned to the STA. That is, by decrypting the MAC address of the received message, the access point is able to correctly identify the STA behind the encrypted MAC address.
  • the proposed technology also provides for an embodiment of a method wherein the step S30 of decrypting the message comprises to decrypt, by utilizing the access point's private key, a part of the message that comprises the encrypted MAC address to obtain the MAC address assigned to the STA. This particular embodiment is useful when the STA has used a random MAC address as an identifier in the message.
  • the true, or originally assigned, MAC address is encrypted and comprised in the message.
  • the proposed method will decrypt the MAC address comprised in the message in order to correctly identify the STA behind the randomly selected MAC address used as an identifier in the message.
  • the encrypted MAC address could be provided in an information element comprised in the message.
  • a version of the proposed method provides a method that comprises the further step of obtaining a mapping between the MAC address assigned to the STA and the MAC address used as an identifier in the received message. That is, by associating the true MAC address of the STA, as obtained by decrypting the MAC address comprised in the message, with the randomly selected MAC address the access point will obtain a mapping between the true MAC address and the randomly selected MAC address. This may be useful if the same randomly selected MAC address is used for future communication. In a scenario where the STA uses several different randomly selected MAC addresses, the access point can provide a mapping between all of them and the true, or originally assigned, MAC address of the STA to facilitate future communication between the access point and the STA.
  • FIG. 7 illustrates the initial connection procedure between a STA and an access point.
  • when a STA connects to a WLAN, it performs the procedures shown in A in FIG. 7.
  • the STA may optionally also perform the procedures in B-D presented in Fig.7 as well.
  • the STA receives a Beacon frame revealing (among other parameters) the security features associated with the ESS the AP belongs to
  • the STA can generate a Probe Request and send it to the AP. This procedure is called active scanning and by performing it, the STA can receive from the AP (via a Probe Response frame) the same information as it would have from a Beacon message
  • the STA then sends an Association Request (or Reassociation Request if the STA has been previously associated), indicating the security parameters to be used later
  • Part B - 802.1 1 i authentication (EAP-SIM/AKA/AKA'/TLS/etc.)
  • the STA authenticates to the back-end authentication server using 802.1 1 i mechanism (EAP-SIM/AKA/AKA'/TLS, etc.). Master keys are sent to the AP and generated in the STA.
  • 802.1 1 i mechanism EAP-SIM/AKA/AKA'/TLS, etc.
  • the STA and AP can now exchange encrypted data.
  • FIG. 8 illustrates how a STA encrypts the true MAC address with the access point's public key, AP's PublKey.
  • A STA uses the AP's PublKey to encrypt its true MAC address before sending any frames to the AP.
  • The STA then uses the encrypted MAC address: it replaces the STA's MAC address, and the STA uses this newly generated MAC for all the frames it sends to the AP. Note that the 48-bit address fields of an 802.11 frame cannot hold a full public-key ciphertext; the FIG. 11 embodiment below, which uses a random MAC address as the frame's identifier and carries the encrypted true MAC in an information element, avoids this constraint. Any generated address used in the address field must have the locally administered bit set and the individual/group bit clear so that it is a valid unicast address.
  • The AP's PublKey is broadcast in the AP's beacon frames. In typical 802.11 deployments, beacon frames are transmitted every 102.4 ms.
  • The STA's message to associate with the AP will be different every time the STA sends it, provided the encryption is randomized (the salt of FIG. 9 serves this purpose). An attacker is therefore unable to recognize a STA by its connection message.
  • FIG. 9 illustrates the procedure of a STA encrypting its true MAC address and a publicly known random salt number using the AP's Public Key.
  • the STA uses a random number, which is usually referred to as salt, in addition to the AP's PublKey.
  • The STA indicates the salt in clear to the AP. The salt may therefore be included as an element of, for example, the Probe Request message.
  • The random salt ensures that the STA's association message, which includes the STA's encrypted true MAC address, is not mapped to the same encrypted MAC address every time for as long as the AP's public key remains unchanged; without the salt, a deterministic encryption of a fixed MAC address under a fixed key would itself be a stable identifier.
  • The AP uses its PrivKey to decrypt the STA's initial message, or one of the STA's association messages, to learn the STA's true MAC address.
  • If the STA uses a random salt, the AP uses this known salt in its process to reveal the STA's true MAC address.
  • The AP needs to perform the decryption only once, at the beginning of the communication between itself and the STA.
  • One example would be for the AP to decrypt the STA's MAC address during active probing (that is, during the exchange of a Probe Request and a Probe Response), during the Authentication procedure, or during the Association procedure.
  • Yet another exemplary embodiment of the proposed technology relates to the case where the AP provides its PublKey via a public communication channel so that STAs are able to obtain it.
  • One way of implementing this is by enhancing the existing 802.11 signalling to carry the AP's PublKey, for example in a new Information Element (IE).
  • FILS discovery frames could also carry information about the AP's PublKey.
  • The AP could also include the PublKey in Probe Response and Association Response frames.
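The following is an added example, not code from the patent or from Ericsson, of carrying the AP's PublKey in the body of a Beacon or Probe Response frame and extracting it on the STA side. Everything about the element is an assumption, since the patent does not fix it: a vendor-specific element (ID 221) with a placeholder OUI and subtype prefix, and a 32-byte (elliptic-curve) public key. An RSA modulus would exceed the 255-byte payload limit of a single element and would need fragmentation, which is why the builder refuses oversized keys.

```python
"""Added example (not the patent's code): an AP PublKey information element in an
802.11 management frame body, with a defensive IE walker on the STA side.
Assumed, not fixed by the patent: vendor-specific element ID 221, a placeholder
OUI + subtype prefix, and a 32-byte (elliptic-curve) public key."""
import struct

VENDOR_SPECIFIC = 221
PUBKEY_PREFIX = bytes.fromhex("00 00 00 7f")  # placeholder OUI + subtype (assumption)


def parse_ies(body: bytes):
    """Walk the 1-byte ID / 1-byte length / payload chain; refuse to read past the frame."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % off)
        eid, ln = body[off], body[off + 1]
        off += 2
        if off + ln > len(body):
            raise ValueError("IE %d claims %d bytes past end of frame" % (eid, ln))
        ies.append((eid, body[off:off + ln]))
        off += ln
    return ies


def build_pubkey_ie(ap_pub: bytes) -> bytes:
    payload = PUBKEY_PREFIX + ap_pub
    if len(payload) > 255:  # one IE carries at most 255 payload bytes
        raise ValueError("public key does not fit a single IE")
    return bytes([VENDOR_SPECIFIC, len(payload)]) + payload


def extract_ap_pubkey(ies, key_len: int = 32):
    """Return the AP PublKey from a parsed IE list, or None if the AP advertises none."""
    for eid, data in ies:
        if eid == VENDOR_SPECIFIC and data.startswith(PUBKEY_PREFIX):
            key = data[len(PUBKEY_PREFIX):]
            if len(key) != key_len:
                raise ValueError("unexpected public key length %d" % len(key))
            return key
    return None


def beacon_body(ssid: bytes, ap_pub: bytes) -> bytes:
    """Constructed minimal beacon body: timestamp, interval 100 TU (102.4 ms),
    capabilities, SSID IE, Supported Rates IE, then the assumed PublKey IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + ssid_ie + rates_ie + build_pubkey_ie(ap_pub)


def ap_pubkey_from_beacon(body: bytes):
    return extract_ap_pubkey(parse_ies(body[12:]))  # 12 fixed bytes precede the IEs
```

The length check in `parse_ies` is the part worth copying: a beacon is unauthenticated input from the air, so an element whose declared length runs past the frame must be rejected rather than read.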
  • FIG. 10 illustrates how a STA encrypts the true MAC address with the AP's PublKey and the STA's PrivKey.
  • This particular embodiment of the proposed technology relates to a case where the STA uses a combination of the AP's PublKey and the STA's PrivKey to encrypt the true MAC address.
  • The STA has to provide the STA's PublKey to the AP, so that the AP can decrypt the received encrypted MAC address with a combination of the STA's PublKey and the AP's PrivKey. This combination is usually referred to as the AP's and STA's shared secret: in a Diffie-Hellman style key agreement, the STA's PrivKey combined with the AP's PublKey and the AP's PrivKey combined with the STA's PublKey yield the same value, so both sides derive the same key without ever transmitting it.
  • The STA needs to generate a new public-private key pair for every AP it attempts to associate with. Otherwise the STA's unique public key can itself be used by an attacker to identify the STA. An example of this procedure is shown in FIG. 10.
  • The STA provides the STA's PublKey during the initial message exchange with the AP. This could, for example, be done by introducing a new IE and adding it to the Probe Request frame. Alternatively, the STA could add the IE to the Association Request or Authentication Request frames.
  • Reference is now made to FIG. 11, which illustrates how a STA may indicate its true MAC address by means of an encrypted MAC address provided in, for example, an Information Element comprised in the message.
  • This exemplary embodiment of the present invention relates to a scenario where the STA uses a random MAC address for its initial and all subsequent messages of a communication thread with an AP.
  • the STA may indicate its true MAC address in an Information Element (IE).
  • This IE contains the encrypted true MAC address of the STA.
  • the STA uses the AP's public key to encrypt its MAC address.
  • The IE may or may not contain an unencrypted, random salt that is used to obfuscate the encrypted true MAC, so that the true MAC address maps to a different encrypted MAC address each time the STA identifies itself to the AP for the first time, see FIG. 11.
  • the unencrypted salt may be carried in a separate IE.
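The salted encryption of FIG. 9, the STA-key/AP-key shared secret of FIG. 10, the random-MAC-plus-IE message of FIG. 11 and the random-to-true MAC mapping described earlier fit together as one exchange. The block below is an added example, not code from the patent or from Ericsson, showing both sides of that exchange. It assumes, because the patent specifies none of this, X25519 (RFC 7748, implemented inline so the example runs offline) for the AP/STA shared secret, HMAC-SHA256 for key derivation and for authenticating the encrypted MAC, and an IE layout of salt (16 bytes) || STA PublKey (32) || ciphertext (6) || tag (16).

```python
"""Added example (not the patent's or Ericsson's code). Assumed, not in the patent:
X25519 for the AP/STA shared secret, HMAC-SHA256 for key derivation and
authentication, and the IE layout salt(16) || STA PublKey(32) || ct(6) || tag(16)."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder) in pure Python; not constant-time."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def _keys(priv: bytes, peer_pub: bytes, salt: bytes):
    """Shared secret -> (enc_key, tag_key). The clear-text salt is the HKDF-style
    extract key, so a fixed true MAC under a fixed AP key still encrypts differently."""
    shared = x25519(priv, peer_pub)
    if shared == bytes(32):  # low-order peer point: reject (RFC 7748 section 6.1)
        raise ValueError("invalid peer public key")
    prk = hmac.new(salt, shared, hashlib.sha256).digest()
    return (hmac.new(prk, b"mac-enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac-auth", hashlib.sha256).digest())


def encrypt_mac_ie(true_mac, ap_pub, sta_priv, sta_pub, salt) -> bytes:
    """STA side (FIG. 9/10/11): encrypt-then-MAC the 6-byte true MAC."""
    enc_key, tag_key = _keys(sta_priv, ap_pub, salt)
    ct = bytes(m ^ s for m, s in zip(true_mac, enc_key[:6]))
    body = salt + sta_pub + ct
    return body + hmac.new(tag_key, body, hashlib.sha256).digest()[:16]


def decrypt_mac_ie(ie: bytes, ap_priv: bytes) -> bytes:
    """AP side: AP PrivKey + STA PublKey give the same keys; verify before decrypting."""
    if len(ie) != 70:
        raise ValueError("malformed MAC-privacy IE")
    salt, sta_pub, ct, tag = ie[:16], ie[16:48], ie[48:54], ie[54:]
    enc_key, tag_key = _keys(ap_priv, sta_pub, salt)
    if not hmac.compare_digest(tag, hmac.new(tag_key, ie[:54], hashlib.sha256).digest()[:16]):
        raise ValueError("IE authentication failed (wrong AP key or tampering)")
    return bytes(c ^ s for c, s in zip(ct, enc_key[:6]))


def random_mac() -> bytes:
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # locally administered, unicast
    return bytes(b)


def sta_build_frame(true_mac: bytes, ap_pub: bytes) -> dict:
    """Fresh STA key pair per AP and fresh salt per frame; random MAC as the address."""
    sta_priv, sta_pub = keypair()
    ie = encrypt_mac_ie(true_mac, ap_pub, sta_priv, sta_pub, secrets.token_bytes(16))
    return {"sa": random_mac(), "ie": ie}


class AccessPoint:
    def __init__(self):
        self.priv, self.pub = keypair()  # self.pub is what the beacon advertises
        self.mapping = {}  # random MAC seen as identifier -> true MAC

    def receive(self, frame: dict) -> bytes:
        true_mac = decrypt_mac_ie(frame["ie"], self.priv)
        self.mapping[frame["sa"]] = true_mac
        return true_mac
```

Two points the patent text leaves implicit are made explicit here: the encrypted MAC is authenticated, so an AP that does not hold the matching PrivKey (or an attacker flipping bits in the element) gets a verification failure rather than a wrong address, and the STA key pair is generated inside `sta_build_frame`, so it is never reused across APs.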
  • STAs and APs may use a Public Key Infrastructure (PKI).
  • Embedding a PKI into a STA allows the STA to check the AP's PublKey before trying to associate with or connect to the AP.
  • In this way the STA can avoid revealing its real MAC address to an AP that it wants to hide from or does not trust. Without such a check, anything that broadcasts a PublKey of its own as an AP would receive the STA's true MAC address encrypted to a key it can decrypt.
  • Since a PKI involves some complexity, only mobile computing devices may provide the necessary performance. These devices include tablets, smartphones and laptops, for example. Simpler sensor-type devices, however, might be stationary anyway.
  • the proposed technology therefore provides a mobile station, STA, 100 having an assigned MAC address.
  • the STA 100 is configured to obtain an access point's public key for encryption, the access point 200 being an access point with which the STA 100 intends to exchange data.
  • the STA 100 is also configured to encrypt the MAC address assigned to the STA 100 by utilizing at least the obtained public key for encryption.
  • the STA 100 is also configured to create, based on the encrypted MAC address, a message for transmission to the access point to enable the access point 200 to decrypt the encrypted MAC address to obtain the MAC address assigned to the STA 100.
  • One embodiment provides a STA 100 that is configured to obtain the access point's public key for encryption by extracting the access point's 200 public key from a management frame received from the access point.
  • An exemplary management frame may be a beacon frame.
  • Another possible embodiment of a STA 100 provides a STA 100 that is configured to obtain the access point's public key for encryption by performing a probe request in order to obtain the access point's public key for encryption via a probe response frame.
  • Still another possible embodiment of a STA 100 provides a STA 100 that is configured to encrypt the MAC address assigned to the STA 100 by also utilizing random data, also referred to as salt, in addition to the access point's public key for encryption to be able to generate different encrypted MAC addresses for each distinct encryption of the MAC address.
  • An exemplary embodiment of a STA 100 relates to a STA 100 that is also configured to communicate the random data to the access point 200 in a message where the identifier of the STA 100 is the encrypted MAC address.
  • Another exemplary embodiment provides a STA 100 that is configured to communicate the random data to the access point 200 via a management frame.
  • a possible example of a management frame may be a probe request.
  • The proposed technology also provides a STA 100 that is configured to provide the STA's public key for encryption to the access point 200 in the form of an information element added to a management frame.
  • a possible exemplary embodiment of a STA 100 provides a STA 100 that is configured to create a message for transmission to the access point 200 by creating a message having the encrypted MAC address as an identifier to enable the access point 200 to decrypt the encrypted MAC address and identify the MAC address assigned to the STA 100.
  • Another possible exemplary embodiment provides a STA 100 that is configured to create a message for transmission to the access point 200 by creating a message that comprises the encrypted MAC address and utilizes a generated random MAC address as identifier to enable the access point 200 to decrypt the encrypted MAC address and obtain a mapping between the MAC address and the generated random MAC address used as an identifier.
  • FIG.12 illustrates a STA 100 that comprises a processor 120 and a memory 130.
  • The memory 130 comprises instructions executable by the processor 120, whereby the STA is operative to:
  • the processor(s) and memory are interconnected to each other to enable normal software execution.
  • An optional input/output device may also be interconnected to the processor(s) and/or the memory to enable input and/or output of relevant data such as input parameter(s) and/or resulting output parameter(s).
  • The term 'processor' should be interpreted in a general sense as any system or device capable of executing program code or computer program instructions to perform a particular processing, determining or computing task.
  • the processing circuitry including one or more processors is thus configured to perform, when executing the computer program, well-defined processing tasks such as those described herein.
  • the processing circuitry does not have to be dedicated to only execute the above- described steps, functions, procedure and/or blocks, but may also execute other tasks.
  • Still another embodiment provides a STA 100 that also comprises communication circuitry 110.
  • Such a STA is illustrated in FIG. 13. That is, the STA may in particular embodiments also include a communication circuit 110.
  • the communication circuit may include functions for wired and/or wireless communication with other devices and/or network nodes in the network. In a particular example, the communication circuit may be based on radio circuitry for communication with one or more other nodes, including transmitting and/or receiving information.
  • the communication circuit may be interconnected to the processor and/or memory. It should be noted that the proposed method could be implemented in a STA in the form of a computer program to be executed by one or more processors.
  • the proposed technology therefore provides a computer program 155 comprising instructions, which when executed by at least one processor, cause the processor(s) to:
  • the proposed technology also provides a carrier comprising the computer program, wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
  • the software or computer program 155 may be realized as a computer program product 165, which is normally carried or stored on a computer- readable medium, in particular a non-volatile medium. The use of a computer program product 165 comprising a computer program 155 is illustrated in FIG. 14.
  • the proposed technology also provides a network node in the form of an access point 200.
  • the access point 200 is configured to provide the access point's public key for encryption to a mobile station, STA, 100 that intends to exchange data with the access point.
  • the access point 200 is also configured to receive a message from the STA 100, where the message is based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the access point 200 is also configured to decrypt, by utilizing at least the access point's private key, at least part of the message in order to obtain the MAC address assigned to the STA 100.
  • a particular embodiment of an access point 200 provides an access point 200 that is configured to provide the access point's public key for encryption to the STA 100 by means of a public communication channel.
  • Another possible embodiment provides an access point 200 that is configured to provide the access point's public key for encryption to the STA 100 by means of an information element added to a management frame transmitted to the STA 100.
  • A further embodiment provides an access point 200 that is configured to receive a message from the STA 100 that comprises the STA's public key for encryption (the STA never transmits its private key; as in FIG. 10, the AP combines the STA's public key with its own private key).
  • Yet another embodiment provides an access point 200 that is configured to decrypt the encrypted MAC address of the STA 100 utilizing both the private key of the access point and the received public key of the STA.
  • the proposed technology provides an access point 200 that is configured to decrypt, by utilizing the access point's private key, the MAC address of the received message in order to find the MAC address assigned to the STA 100.
  • An exemplary embodiment of the proposed access point 200 relates to an access point 200 that is configured to decrypt, by utilizing the access point's private key, a part of the message that comprises the encrypted MAC address to obtain the MAC address assigned to the STA 100.
  • Another exemplary embodiment of an access point 200 provides an access point 200 that is further configured to obtain a mapping between the MAC address assigned to the STA 100 and the MAC address used as an identifier in the received message.
  • A particular embodiment of an access point according to the proposed technology is illustrated in FIG. 12.
  • An access point is illustrated that comprises a memory 230 and a processor 220.
  • FIG. 13 illustrates an access point 200 that comprises a processor 220, a memory 230 and communication circuitry 210, said memory comprising instructions executable by the processor, whereby the access point is operative to:
  • the processor(s) and memory are interconnected to each other to enable normal software execution.
  • An optional input/output device may also be interconnected to the processor(s) and/or the memory to enable input and/or output of relevant data such as input parameter(s) and/or resulting output parameter(s).
  • The term 'processor' should be interpreted in a general sense as any system or device capable of executing program code or computer program instructions to perform a particular processing, determining or computing task.
  • the processing circuitry including one or more processors is thus configured to perform, when executing the computer program, well-defined processing tasks such as those described herein.
  • the processing circuitry does not have to be dedicated to only execute the above- described steps, functions, procedure and/or blocks, but may also execute other tasks.
  • The access point may also include a communication circuit 210.
  • the communication circuit 210 may include functions for wired and/or wireless communication with other devices and/or network nodes in the network.
  • the communication circuit may be based on radio circuitry for communication with one or more other nodes, including transmitting and/or receiving information.
  • the communication circuit may be interconnected to the processor and/or memory. Such an access point is illustrated in FIG.13
  • the proposed method could be implemented in an access point in the form of a computer program to be executed by one or more processors.
  • The proposed technology therefore provides a computer program 255 comprising instructions, which when executed by at least one processor, cause the processor(s) to:
  • read a message from the STA, said message being based on a MAC address that has been encrypted by utilizing at least the access point's public key;
  • the proposed technology also provides a carrier comprising the computer program, wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
  • the software or computer program 255 may be realized as a computer program product 265, which is normally carried or stored on a computer- readable medium, in particular a non-volatile medium. The use of a computer program product 265 comprising a computer program 255 is illustrated in FIG. 15.
  • the computer-readable medium may include one or more removable or nonremovable memory devices including, but not limited to a Read-Only Memory, ROM, a Random Access Memory, RAM, a Compact Disc, CD, a Digital Versatile Disc, DVD, a Blu-ray disc, a Universal Serial Bus, USB, memory, a Hard Disk Drive, HDD, storage device, a flash memory, a magnetic tape, or any other conventional memory device.
  • the computer program may thus be loaded into the operating memory of a computer or equivalent processing device for execution by the processing circuitry thereof.
  • "STA" and "wireless device" may refer to a mobile phone, a cellular phone, a Personal Digital Assistant (PDA) equipped with radio communication capabilities, a smart phone, a laptop or Personal Computer (PC) equipped with an internal or external mobile broadband modem, a tablet PC with radio communication capabilities, a target device, a device-to-device User Equipment (UE), a machine-type UE or UE capable of machine-to-machine communication, a tablet computer such as an iPad, customer premises equipment (CPE), laptop embedded equipment (LEE), laptop mounted equipment (LME), a USB dongle, a portable electronic radio communication device, a sensor device equipped with radio communication capabilities, or the like.
  • The terms "STA" and "wireless device" should be interpreted as non-limiting terms comprising any type of wireless device communicating with a radio network node in a cellular or mobile communication system, or any device equipped with radio circuitry for wireless communication according to any relevant standard for communication within a cellular or mobile communication system.
  • radio network node may refer to base stations, network control nodes such as network controllers, radio network controllers, base station controllers, and the like.
  • base station may encompass different types of radio base stations including standardized base station functions such as Node Bs, or evolved Node Bs, eNBs, and also macro/micro/pico radio base stations, home base stations, also known as femto base stations, relay nodes, repeaters, radio access points, base transceiver stations, BTSs, and even radio control nodes controlling one or more Remote Radio Units, RRUs, or the like.
  • Particular examples include one or more suitably configured digital signal processors and other known electronic circuits, e.g. discrete logic gates interconnected to perform a specialized function, or Application Specific Integrated Circuits, ASICs.
  • At least some of the steps, functions, procedures, modules and/or blocks described herein may be implemented in software such as a computer program for execution by suitable processing circuitry such as one or more processors or processing units.
  • processing circuitry includes, but is not limited to, one or more microprocessors, one or more Digital Signal Processors, DSPs, one or more Central Processing Units, CPUs, video acceleration hardware, and/or any suitable programmable logic circuitry such as one or more Field Programmable Gate Arrays, FPGAs, or one or more Programmable Logic Controllers, PLCs.
  • the proposed software or computer program may be realized as a computer program product, which is normally carried or stored on a computer-readable medium, in particular a non-volatile medium.
  • the computer-readable medium may include one or more removable or non-removable memory devices including, but not limited to a Read-Only Memory, ROM, a Random Access Memory, RAM, a Compact Disc, CD, a Digital Versatile Disc, DVD, a Blu-ray disc, a Universal Serial Bus, USB, memory, a Hard Disk Drive, HDD, storage device, a flash memory, a magnetic tape, or any other conventional memory device.
  • The computer program may thus be loaded into the operating memory of a computer or equivalent processing device for execution by the processing circuitry thereof.
  • a corresponding mobile station, STA may thus be defined as a group of function modules, where
  • each step performed by the processor corresponds to a function module.
  • the function modules are implemented as a computer program running on the processor.
  • FIG. 16 illustrates such a group of function modules for a STA.
  • The STA comprises an input module 1100 for obtaining an access point's 200, 2000 public key for encryption, the access point being an access point with which the STA 1000 intends to exchange data.
  • the STA also comprises an encryption module 1200 for encrypting the MAC address assigned to the STA 1000 by utilizing at least the obtained public key for encryption.
  • the STA also comprises a message creating module 1300 for creating, based on the encrypted MAC address, a message for transmission to the access point 200, 2000 to enable the access point to decrypt the
  • FIG. 17 illustrates an access point 2000.
  • the access point comprises an output module (2100) for outputting to the access point's public key for
  • the access point also comprises a reading module 2200 for reading a message received from the STA 100, 1000, the message being based on a MAC address that has been encrypted by utilizing at least the access point's public key.
  • the access point also comprises a decrypting module
  • The computer program residing in memory may thus be organized as appropriate function modules configured to perform, when executed by the processor, at least part of the steps and/or tasks described herein. Alternatively it is possible to realize the modules in FIGs. 16 and 17 predominantly by hardware modules, or alternatively by hardware, with suitable interconnections between relevant modules. Particular examples include one or more suitably configured digital signal processors and other known electronic circuits, e.g. discrete logic gates interconnected to perform a specialized function, and/or Application Specific Integrated Circuits, ASICs, as previously mentioned.
  • Wi-Fi Alliance, "Hotspot 2.0 (Release 1) Technical Specification", Version 1.0, May 12th, 2012.
  • Wi-Fi Alliance, "Hotspot 2.0 (Release 2) Technical Specification", Version 1.1.0, February 3rd, 2015.
  • https://www.ietf.org/proceedings/93/slides/slides-93-intarea-5.pdf

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to methods of operating mobile stations and access points. Corresponding devices and computer programs are also disclosed. The method of operating a mobile station comprises a step (S1) of obtaining a public key for encryption, a step (S2) of encrypting the Medium Access Control (MAC) address assigned to the station (STA) by using the obtained public key for encryption, and a step (S3) of creating, based on the encrypted MAC address, a message for transmission to the access point to enable the access point to decrypt the encrypted MAC address. The method of operating an access point comprises a step (S10) of providing a public key for encryption to a mobile station, a step (S20) of receiving a message from the STA based on a MAC address that has been encrypted, and a step (S30) of decrypting, by using at least the access point's private key, at least part of the message so as to obtain the MAC address assigned to the STA. The proposed technology enables secure communication while retaining smart network functionality.
PCT/SE2015/050865 2015-08-11 2015-08-11 Methods and devices enabling privacy enhancement in networks WO2017026930A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2015/050865 WO2017026930A1 (fr) 2015-08-11 2015-08-11 Methods and devices enabling privacy enhancement in networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2015/050865 WO2017026930A1 (fr) 2015-08-11 2015-08-11 Methods and devices enabling privacy enhancement in networks

Publications (1)

Publication Number Publication Date
WO2017026930A1 (fr) 2017-02-16

Family

ID=57983316

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2015/050865 WO2017026930A1 (fr) 2015-08-11 2015-08-11 Methods and devices enabling privacy enhancement in networks

Country Status (1)

Country Link
WO (1) WO2017026930A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632028A (zh) * 2017-03-17 2018-10-09 夏桂根 Authentication network
CN110113747A (zh) * 2017-06-08 2019-08-09 上海掌门科技有限公司 Method and device for connecting to a hidden wireless access point
CN110113747B (zh) * 2017-06-08 2023-05-09 上海掌门科技有限公司 Method and device for connecting to a hidden wireless access point
US20200280542A1 (en) * 2019-02-28 2020-09-03 Arris Enterprises Llc Method to Anonymize Client MAC Addresses for Cloud Reporting
US11606340B2 (en) * 2019-02-28 2023-03-14 Arris Enterprises Llc Method to anonymize client MAC addresses for cloud reporting
CN112602345A (zh) * 2018-07-05 2021-04-02 交互数字专利控股公司 Methods and procedures for dynamic MAC address assignment in IEEE 802.11 networks
WO2023044792A1 (fr) * 2021-09-24 2023-03-30 Oppo广东移动通信有限公司 Wireless communication method, station device and access point device
US11700527B2 2021-05-25 2023-07-11 Cisco Technology, Inc. Collaborative device address rotation
US11902775B2 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060274643A1 (en) * 2005-06-03 2006-12-07 Alcatel Protection for wireless devices against false access-point attacks
WO2007086705A1 (fr) * 2006-01-27 2007-08-02 Lg Electronic Inc. Communication method for a wireless network, and wireless network system
WO2011003352A1 (fr) * 2009-07-08 2011-01-13 中兴通讯股份有限公司 Method and device for protecting terminal privacy
US20120213211A1 (en) * 2011-02-17 2012-08-23 Remaker Phillip A Wireless access point mac address privacy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YOUNGMI, LEE ET AL.: "Untraceable Blind Packet Forwarding Using Centralized Path Control", 2014 IEEE MILITARY COMMUNICATIONS CONFERENCE, XP032686547 *

Similar Documents

Publication Publication Date Title
EP3506669B1 Network authentication method, and related device and system
WO2017026930A1 Methods and devices enabling privacy enhancement in networks
US9654972B2 Secure provisioning of an authentication credential
CN109413645B Access authentication method and apparatus
WO2018137351A1 Method, relevant device and system for processing a network key
WO2018201946A1 Anchor key generation method, device and system
US10009760B2 Providing network credentials
US20220408243A1 Subscription concealed identifier privacy
JP2016178668A Method and apparatus for enhanced system access control for peer-to-peer wireless communication networks
KR20070120176A Exchange of key material
CN108990048B Method and apparatus for determining the identifier of a terminal device
CN109496412B Authentication using a privacy identifier
CN114762290B Method and electronic device for managing digital keys
US9693332B2 Identification of a wireless device in a wireless communication environment
JP7398030B2 UE, network device, method for a UE, and method for a network device
EP3158785A1 Methods and arrangements for identification of user equipments for authentication purposes
CN106550362B Method and system for securely connecting a smart device to a wireless local area network
WO2020216047A1 Authentication information processing method, terminal, and network device
US20220312199A1 Home Controlled Network Slice Privacy
WO2020147602A1 Authentication method, apparatus and system
JP6499315B2 Mobile communication system and communication network
US20220159457A1 Providing UE capability information to an authentication server
WO2023160716A1 Handover method and apparatus
US20230362631A1 Secure storage and processing of SIM data
US20200396066A1 Method of establishing a cryptographic key shared between a first and a second terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15901100

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15901100

Country of ref document: EP

Kind code of ref document: A1