WO2018202941A1 - Provision of security information - Google Patents

Provision of security information

Info

Publication number: WO2018202941A1
Authority: WO (WIPO, PCT)
Prior art keywords: user equipment, new, security keys, new parameter, processor
Application number: PCT/FI2018/050290
Other languages: English (en)
Inventors: Jarkko Koskela, Jussi-Pekka Koskinen, Samuli Turtinen
Original assignee: Nokia Technologies Oy
Application filed by Nokia Technologies Oy
Priority to CN201880028751.0A (CN110574334B)
Priority to JP2019558659A (JP7074991B2)
Publication of WO2018202941A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords > H04L 9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/20 Manipulation of established connections > H04W 76/27 Transitions between radio resource control [RRC] states
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00) > H04L 2209/80 Wireless
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/19 Connection re-establishment

Definitions

  • Embodiments of the invention generally relate to wireless or mobile communications networks, such as, but not limited to, the Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN), Long Term Evolution (LTE) Evolved UTRAN (E-UTRAN), LTE-Advanced (LTE-A), LTE-A Pro, and/or 5G radio access technology or new radio access technology (NR).
  • UMTS: Universal Mobile Telecommunications System
  • UTRAN: UMTS Terrestrial Radio Access Network
  • LTE: Long Term Evolution
  • E-UTRAN: Evolved UTRAN
  • LTE-A: LTE-Advanced
  • NR: 5G radio access technology or new radio access technology
  • The UMTS Terrestrial Radio Access Network (UTRAN) refers to a communications network including base stations, or Node Bs, and for example radio network controllers (RNC).
  • UTRAN allows for connectivity between the user equipment (UE) and the core network.
  • The RNC provides control functionalities for one or more Node Bs.
  • The RNC and its corresponding Node Bs are called the Radio Network Subsystem (RNS).
  • RNC: Radio Network Controller
  • RNS: Radio Network Subsystem
  • In E-UTRAN (Evolved UTRAN), no RNC exists and radio access functionality is provided by an evolved Node B (eNodeB or eNB) or many eNBs. Multiple eNBs are involved for a single UE connection, for example, in case of Coordinated Multipoint Transmission (CoMP) and in dual connectivity.
  • CoMP: Coordinated Multipoint Transmission
  • LTE or E-UTRAN refers to improvements of the UMTS through improved efficiency and services, lower costs, and use of new spectrum opportunities.
  • LTE is a 3GPP standard that provides for uplink peak rates of at least, for example, 75 megabits per second (Mbps) per carrier and downlink peak rates of at least, for example, 300 Mbps per carrier.
  • LTE supports scalable carrier bandwidths from 20 MHz down to 1.4 MHz and supports both Frequency Division Duplexing (FDD) and Time Division Duplexing (TDD).
  • FDD: Frequency Division Duplexing
  • TDD: Time Division Duplexing
  • LTE may also improve spectral efficiency in networks, allowing carriers to provide more data and voice services over a given bandwidth. Therefore, LTE is designed to fulfill the needs for high-speed data and media transport in addition to high capacity voice support. Advantages of LTE include, for example, high throughput, low latency, FDD and TDD support in the same platform, an improved end-user experience, and a simple architecture resulting in low operating costs.
  • LTE-Advanced (LTE-A) is directed toward extending and optimizing the 3GPP LTE radio access technologies.
  • A goal of LTE-A is to provide significantly enhanced services by means of higher data rates and lower latency with reduced cost.
  • LTE-A is a more optimized radio system fulfilling the International Telecommunication Union-Radio (ITU-R) requirements for IMT-Advanced while maintaining backward compatibility.
  • ITU-R: International Telecommunication Union-Radio
  • 5G or new radio (NR) wireless systems refer to the next generation (NG) of radio systems and network architecture. It is estimated that 5G will provide bitrates on the order of 10-20 Gbit/s. 5G will support at least enhanced mobile broadband (eMBB) and ultra-reliable low-latency-communication (URLLC). 5G is also expected to increase network expandability up to hundreds of thousands of connections. The signal technology of 5G is anticipated to be improved for greater coverage as well as spectral and signaling efficiency. 5G is expected to deliver extreme broadband and ultra-robust, low latency connectivity and massive networking to support the Internet of Things (IoT).
  • IoT: Internet of Things
  • In 5G, the node B or eNB may be referred to as a next generation node B (gNB).
  • gNB: next generation node B
  • One embodiment is directed to a method that may include transmitting in advance, by a network node, a new parameter used to generate security keys to at least one user equipment.
  • The method may also include performing an integrity check to determine whether the at least one user equipment is using a correct parameter to generate the security keys.
  • Another embodiment is directed to an apparatus that may include at least one processor and at least one memory including computer program code.
  • The at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus at least to transmit in advance a new parameter used to generate security keys to at least one user equipment, and to perform an integrity check to determine whether the at least one user equipment is using a correct parameter to generate the security keys.
  • Another embodiment is directed to an apparatus that may include transmitting means for transmitting in advance, by a network node, a new parameter used to generate security keys to at least one user equipment, and performing means for performing an integrity check to determine whether the at least one user equipment is using a correct parameter to generate the security keys.
  • Another embodiment is directed to a non-transitory computer readable medium comprising program instructions stored thereon for performing at least the following: transmitting in advance, by a network node, a new parameter used to generate security keys to at least one user equipment, and performing an integrity check to determine whether the at least one user equipment is using a correct parameter to generate the security keys.
  • Another embodiment is directed to a method that may include receiving in advance, from a network node, a new parameter used to generate security keys for a user equipment.
  • The method may also include generating, by the user equipment, new security keys based on at least one of the new parameter or a cell identifier of a cell that the user equipment is camped on.
  • Another embodiment is directed to an apparatus that may include at least one processor and at least one memory including computer program code.
  • The at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus at least to receive in advance, from a network node, a new parameter used to generate security keys for the apparatus, and to generate new security keys based on at least one of the new parameter or a cell identifier of a cell that the apparatus is camped on.
  • Another embodiment is directed to an apparatus that may include receiving means for receiving in advance, from a network node, a new parameter used to generate security keys for the apparatus, and generating means for generating new security keys based on at least one of the new parameter or a cell identifier of a cell that the apparatus is camped on.
  • Another embodiment is directed to a non-transitory computer readable medium comprising program instructions stored thereon for performing at least the following: receiving in advance, from a network node, a new parameter used to generate security keys for a user equipment, and generating, by the user equipment, new security keys based on at least one of the new parameter or a cell identifier of a cell that the user equipment is camped on.
  • FIG. 1 illustrates a block diagram depicting an example of a UE state machine and state transitions in NR;
  • FIG. 2a illustrates an example block diagram of an apparatus, according to an embodiment;
  • FIG. 2b illustrates an example block diagram of an apparatus, according to another embodiment;
  • FIG. 3a illustrates an example flow diagram of a method, according to an embodiment;
  • FIG. 3b illustrates an example flow diagram of a method, according to another embodiment.
  • NR radio resource control (RRC) may include three state models: RRC_IDLE, RRC_CONNECTED, and RRC_INACTIVE.
  • In RRC_IDLE, there is cell re-selection mobility (it is to be determined if the UE AS context is not stored in any gNB or in the UE), paging is initiated by the core network (CN), and the paging area is managed by the CN.
  • In RRC_INACTIVE, there is cell re-selection mobility, the CN - NR RAN connection (both C/U-planes) has been established for the UE, the UE AS context is stored in at least one gNB and in the UE, paging is initiated by the NR RAN, the RAN-based notification area is managed by the NR RAN, and the NR RAN knows the RAN-based notification area to which the UE belongs.
  • In RRC_CONNECTED, the UE has an NR RRC connection, the UE has an AS context in NR, the NR RAN knows the cell to which the UE belongs, unicast data is transferred to/from the UE, and mobility is network controlled, i.e., handover within NR and to/from E-UTRAN.
  • Certain embodiments of the present disclosure may relate to the NR RRC_INACTIVE state and security handling.
  • According to certain embodiments, a UE is given a new NCC (next hop chaining counter) or equivalent parameter used to generate keys when the UE moves to a CONNECTED state and/or has activated security for the current connection.
  • When the UE experiences, for example, a radio link failure (RLF), handover (HO) failure, reconfiguration failure or any other radio failure and resumes/re-establishes the RRC connection, it can use new keys generated based on the new NCC from the start, for example to generate a proper MAC-I/short MAC-I for the resume message, from which the network can determine the integrity of the UE's RRC message and authenticate the UE; the COMPLETE message (i.e., msg5) can then be omitted.
  • This may also enable the UE to transmit new data already along with the resume message, as the new keys can be applied for the data encryption.
  • The network may update the NCC, for instance, with an RRCConnectionReconfiguration message and confirm the reception of the new NCC with the UE's RRCConnectionReconfigurationComplete message.
  • The failure event, such as RLF, HO failure, reconfiguration failure, etc., may serve as a trigger for the UE to apply a new NCC.
  • The UE may apply a new NCC only if it selected or re-selected a new cell after the failure event and/or upon RRC connection resume. This may enable the old security key to be used when there is no need to change the key (i.e., when the serving network node is the same).
  • The network may configure a UE with a cell list and/or a RAN notification area list (which may be a list of RAN notification area IDs) within which the UE may not apply a new NCC, or shall apply a new NCC once it selects or re-selects a cell belonging to one of the lists.
  • The UE may apply a new NCC if it determines that the cell it has selected or re-selected belongs to a different network node than the cell that served it previously (i.e., before the failure event or inactivation).
  • The UE may be able to determine this from a network node ID and/or gNB ID broadcast in the system information.
  • The network may update the NCC in the Resume message it sends to the UE, and this may trigger the UE to send an RRCConnectionResumeComplete message to the network.
  • The network may determine with an integrity check that the UE did not use the correct NCC. This may require that both the old and the new NCC are forwarded by the previous gNB to the new gNB upon context fetch. Alternatively, the network may reject the UE's resume request, in which case the UE goes to IDLE mode and starts its connection establishment attempt from scratch.
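The UE-side decision described in the preceding bullets, as an added example that is not code from the patent or from Nokia. It models an NCC received in advance, the two configured cell lists (one within which the UE shall not re-key and one within which it shall), and the default rule of re-keying only when the re-selected cell belongs to a different gNB, as read from a gNB ID in system information. HMAC-SHA256 stands in for the 3GPP key derivation; the class and field names, the root key and all cell and gNB identifiers are constructed for the example:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example, not code from the patent or from Nokia. HMAC-SHA256 stands in
# for the 3GPP key derivation; the context fields, the two configured cell
# lists and the gNB-ID comparison are assumptions that model the text's options.


def derive_key(root_key: bytes, ncc: int, cell_id: int) -> bytes:
    """Toy key derivation: the new key is bound to the NCC value and the cell ID."""
    label = b"KEY" + ncc.to_bytes(1, "big") + cell_id.to_bytes(4, "big")
    return hmac.new(root_key, label, hashlib.sha256).digest()


@dataclass
class UeSecurityContext:
    root_key: bytes
    current_ncc: int
    current_key: bytes
    serving_gnb_id: int                 # gNB that served the UE before the failure/inactivation
    pending_ncc: Optional[int] = None   # NCC received in advance, e.g. in RRCConnectionReconfiguration
    # Optional network configuration (assumed shape): cells in which the UE
    # shall apply the new NCC, and cells in which it shall keep the old key.
    apply_ncc_cells: FrozenSet[int] = frozenset()
    keep_key_cells: FrozenSet[int] = frozenset()

    def receive_ncc_in_advance(self, ncc: int) -> None:
        """The network pre-provisions the next NCC during the current connection."""
        self.pending_ncc = ncc

    def should_apply_new_ncc(self, cell_id: int, gnb_id: int) -> bool:
        """Decide whether the failure/resume trigger leads to a key change."""
        if self.pending_ncc is None:
            return False                  # nothing pre-provisioned: keep the old key
        if cell_id in self.keep_key_cells:
            return False                  # configured list: no key change in this cell
        if cell_id in self.apply_ncc_cells:
            return True                   # configured list: always re-key in this cell
        # Default rule: re-key only when the selected cell belongs to a different
        # network node, identified by the gNB ID broadcast in system information.
        return gnb_id != self.serving_gnb_id

    def on_resume(self, cell_id: int, gnb_id: int) -> bool:
        """Called after RLF/HO failure/reconfiguration failure or on RRC connection resume.

        Returns True if a new key was derived from the pending NCC and the cell ID.
        """
        if not self.should_apply_new_ncc(cell_id, gnb_id):
            return False
        self.current_ncc = self.pending_ncc
        self.current_key = derive_key(self.root_key, self.current_ncc, cell_id)
        self.pending_ncc = None
        self.serving_gnb_id = gnb_id
        return True


def demo() -> dict:
    """Walk through the two default-rule cases with constructed values."""
    root = b"\x11" * 32                       # constructed root key
    ue = UeSecurityContext(root_key=root, current_ncc=2,
                           current_key=derive_key(root, 2, 1001), serving_gnb_id=7)
    ue.receive_ncc_in_advance(3)              # sent during the previous RRC connection
    same_node = ue.on_resume(cell_id=1002, gnb_id=7)    # same gNB: old key stays
    other_node = ue.on_resume(cell_id=2001, gnb_id=8)   # different gNB: new key applied
    return {"same_node_rekeyed": same_node, "other_node_rekeyed": other_node,
            "ncc_after": ue.current_ncc, "pending_after": ue.pending_ncc}


if __name__ == "__main__":
    print(demo())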
  • Apparatus 10 may be a node, host, or server in a communications network or serving such a network.
  • For example, apparatus 10 may be a base station, a node B, an evolved node B, 5G node B or access point, next generation node B (NG-NB or gNB), WLAN access point, mobility management entity (MME), or subscription server associated with a radio access network, such as a GSM network, LTE network, 5G or NR.
  • NG-NB or gNB: next generation node B
  • MME: mobility management entity
  • Apparatus 10 may be comprised of an edge cloud server as a distributed computing system where the server and the radio node may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection, or they may be located in the same entity communicating via a wired connection. It should be noted that one of ordinary skill in the art would understand that apparatus 10 may include components or features not shown in Fig. 2a.
  • As illustrated in Fig. 2a, apparatus 10 may include a processor 12 for processing information and executing instructions or operations. Processor 12 may be any type of general or specific purpose processor.
  • Processor 12 may include one or more of general-purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and processors based on a multi-core processor architecture, as examples. While a single processor 12 is shown in Fig. 2a, multiple processors may be utilized according to other embodiments.
  • Apparatus 10 may include two or more processors that may form a multiprocessor system (i.e., in this case processor 12 represents a multiprocessor) that may support multiprocessing.
  • The multiprocessor system may be tightly coupled or loosely coupled (e.g., to form a computer cluster).
  • Processor 12 may perform functions associated with the operation of apparatus 10 which may include, for example, precoding of antenna gain/phase parameters, encoding and decoding of individual bits forming a communication message, formatting of information, and overall control of the apparatus 10, including processes related to management of communication resources.
  • Apparatus 10 may further include or be coupled to a memory 14 (internal or external), which may be coupled to processor 12, for storing information and instructions that may be executed by processor 12.
  • Memory 14 may be one or more memories and of any type suitable to the local application environment, and may be implemented using any suitable volatile or nonvolatile data storage technology such as a semiconductor-based memory device, a magnetic memory device and system, an optical memory device and system, fixed memory, and removable memory.
  • Memory 14 can be comprised of any combination of random access memory (RAM), read only memory (ROM), static storage such as a magnetic or optical disk, hard disk drive (HDD), or any other type of non-transitory machine or computer readable media.
  • The instructions stored in memory 14 may include program instructions or computer program code that, when executed by processor 12, enable the apparatus 10 to perform tasks as described herein.
  • Apparatus 10 may further include or be coupled to (internal or external) a drive or port that is configured to accept and read an external computer readable storage medium, such as an optical disc, USB drive, flash drive, or any other storage medium.
  • The external computer readable storage medium may store a computer program or software for execution by processor 12 and/or apparatus 10.
  • Apparatus 10 may also include or be coupled to one or more antennas 15 for transmitting and receiving signals and/or data to and from apparatus 10.
  • Apparatus 10 may further include or be coupled to a transceiver 18 configured to transmit and receive information.
  • The transceiver 18 may include, for example, a plurality of radio interfaces that may be coupled to the antenna(s) 15.
  • The radio interfaces may correspond to a plurality of radio access technologies including one or more of GSM, NB-IoT, LTE, 5G, WLAN, Bluetooth, BT-LE, NFC, radio frequency identifier (RFID), ultrawideband (UWB), and the like.
  • The radio interface may include components, such as filters, converters (for example, digital-to-analog converters and the like), mappers, a Fast Fourier Transform (FFT) module, and the like, to generate symbols for a transmission via one or more downlinks and to receive symbols (for example, via an uplink).
  • Transceiver 18 may be configured to modulate information on to a carrier waveform for transmission by the antenna(s) 15 and demodulate information received via the antenna(s) 15 for further processing by other elements of apparatus 10.
  • Transceiver 18 may be capable of transmitting and receiving signals or data directly.
  • Memory 14 may store software modules that provide functionality when executed by processor 12.
  • The modules may include, for example, an operating system that provides operating system functionality for apparatus 10.
  • The memory may also store one or more functional modules, such as an application or program, to provide additional functionality for apparatus 10.
  • The components of apparatus 10 may be implemented in hardware, or as any suitable combination of hardware and software.
  • Apparatus 10 may be a network node or RAN node, such as a base station, access point, node B, eNB, 5G or new radio node B (gNB) or access point, WLAN access point, or the like. According to certain embodiments, apparatus 10 may be controlled by memory 14 and processor 12 to perform the functions associated with any of the embodiments described herein.
  • Apparatus 10 may be controlled by memory 14 and processor 12 to transmit, to a UE, a new NCC in advance (e.g., during a previous RRC connection), for example in an RRCConnectionReconfiguration message, SecurityModeCommand message, RRCConnectionSetup message, or RRCConnectionResume message.
  • For instance, apparatus 10 may be controlled by memory 14 and processor 12 to immediately transmit, to the UE, the new NCC when the UE moves to a connected state. Then, the UE can immediately apply a new security key calculated based on the pre-provisioned new NCC and a cell ID of the cell that the UE is camped on.
  • For example, the UE may calculate the new key when the UE switches from an inactive mode (e.g., RRC_INACTIVE mode) to a connected mode (e.g., RRC_CONNECTED mode), or when the UE transmits small data via a ResumeRequest message in inactive mode without switching to a connected mode, or when the UE meets radio failures like RLF or HO failure.
  • If the new NCC were not provided to the UE in advance, the UE would need to use the old key to encrypt data to be sent along with the ResumeRequest message. This would mean that the old RAN node (i.e., apparatus 10) is the only one allowed to decrypt the data packet.
  • With the new NCC provided in advance, the UE can instead immediately apply the new key for the data to send along with the ResumeRequest message.
  • Apparatus 10 may be controlled by memory 14 and processor 12 to determine whether the UE used the correct NCC by using an integrity check.
  • For example, apparatus 10 may be controlled by memory 14 and processor 12 to perform the integrity check on the RRCConnectionResume message.
  • The RRCResumeComplete message has served the purpose of verifying the UE integrity, since the NCC would be included in the Resume message.
  • Since the NCC may be provided during the previous RRC connection, the integrity verification may be made from the RRCConnectionResume message, and the RRCResumeComplete message can be omitted.
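The network-side integrity check described above (and in the earlier bullets on the context fetch and on rejecting the resume request), as an added example that is not the patent's or Nokia's code. The previous gNB forwards both the old and the new NCC on context fetch, the new gNB verifies the short MAC-I on the resume message itself, so that no RRCResumeComplete (msg5) is needed, and a message that matches neither key is rejected. HMAC-SHA256 stands in for the 3GPP key derivation and integrity algorithm; the 32-bit MAC truncation, the message layout, the class names and the context-fetch structure are assumptions, and all keys and identifiers are constructed:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example, not code from the patent or from Nokia. HMAC-SHA256 stands in
# for the 3GPP key derivation and integrity algorithm; the MAC truncation,
# message layout and context-fetch structure are assumptions for illustration.


def derive_key(root_key: bytes, ncc: int, cell_id: int) -> bytes:
    """Toy key derivation bound to an NCC value and the cell the UE camps on."""
    label = b"KEY" + ncc.to_bytes(1, "big") + cell_id.to_bytes(4, "big")
    return hmac.new(root_key, label, hashlib.sha256).digest()


def short_mac_i(key: bytes, message: bytes) -> bytes:
    """Toy short MAC-I: truncated HMAC over the resume message (length assumed)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class UeAsContext:
    root_key: bytes
    old_ncc: int        # NCC behind the key in use before the failure/inactivation
    new_ncc: int        # NCC sent to the UE in advance during the previous RRC connection
    old_cell_id: int    # cell the old key was derived for


class OldGnb:
    """Previous serving gNB: stores the UE AS context and answers context fetch."""

    def __init__(self) -> None:
        self.contexts: Dict[int, UeAsContext] = {}

    def store(self, ue_id: int, ctx: UeAsContext) -> None:
        self.contexts[ue_id] = ctx

    def context_fetch(self, ue_id: int) -> UeAsContext:
        # Both the old and the new NCC are forwarded, so the new gNB can tell
        # which one the UE actually used.
        return self.contexts[ue_id]


class NewGnb:
    """gNB of the cell the UE selected after the failure."""

    def __init__(self, cell_id: int, old_gnb: OldGnb) -> None:
        self.cell_id = cell_id
        self.old_gnb = old_gnb

    def handle_resume_request(self, ue_id: int, msg: bytes, mac: bytes) -> str:
        """Integrity-check the resume message itself; no RRCResumeComplete needed."""
        ctx = self.old_gnb.context_fetch(ue_id)
        candidates = {
            # expected: new key from the pre-provisioned NCC and the new cell ID
            "VERIFIED_NEW_NCC": derive_key(ctx.root_key, ctx.new_ncc, self.cell_id),
            # UE kept the old key: detectable only because the old NCC was forwarded too
            "VERIFIED_OLD_NCC": derive_key(ctx.root_key, ctx.old_ncc, ctx.old_cell_id),
        }
        for verdict, key in candidates.items():
            if hmac.compare_digest(short_mac_i(key, msg), mac):
                return verdict
        # Neither key verifies: reject, the UE goes to RRC_IDLE and starts
        # connection establishment from scratch.
        return "REJECTED"


def ue_resume_request(ctx: UeAsContext, ncc_used: int, cell_id: int,
                      data: bytes) -> Tuple[bytes, bytes]:
    """UE side: build the resume message (small data multiplexed) and its short MAC-I."""
    key = derive_key(ctx.root_key, ncc_used, cell_id)
    msg = b"RRCConnectionResumeRequest|" + cell_id.to_bytes(4, "big") + b"|" + data
    return msg, short_mac_i(key, msg)


def demo() -> Dict[str, str]:
    """Three resume attempts against the same forwarded context (constructed values)."""
    root = b"\x22" * 32                                   # constructed root key
    ctx = UeAsContext(root_key=root, old_ncc=2, new_ncc=3, old_cell_id=1001)
    old_gnb = OldGnb()
    old_gnb.store(ue_id=42, ctx=ctx)
    new_gnb = NewGnb(cell_id=2001, old_gnb=old_gnb)
    results: Dict[str, str] = {}
    msg, mac = ue_resume_request(ctx, 3, 2001, b"small-data")   # correct: new NCC, new cell
    results["new_ncc"] = new_gnb.handle_resume_request(42, msg, mac)
    msg, mac = ue_resume_request(ctx, 2, 1001, b"small-data")   # UE kept the old key
    results["old_key"] = new_gnb.handle_resume_request(42, msg, mac)
    msg, mac = ue_resume_request(ctx, 5, 2001, b"small-data")   # NCC the network never issued
    results["bad"] = new_gnb.handle_resume_request(42, msg, mac)
    return results


if __name__ == "__main__":
    print(demo())
```

The distinction between the two verified outcomes is the point of forwarding both NCC values: with only the new NCC available, a UE that kept its old key would be indistinguishable from a forged message and could only be rejected.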
  • Fig. 2b illustrates an example of an apparatus 20 according to another embodiment.
  • Apparatus 20 may be a node or element in a communications network or associated with such a network, such as a UE, mobile equipment (ME), mobile station, mobile device, stationary device, IoT device, or other device.
  • A UE may alternatively be referred to as, for example, a mobile station, mobile equipment, mobile unit, mobile device, user device, subscriber station, wireless terminal, tablet, smart phone, IoT device or NB-IoT device, or the like.
  • Apparatus 20 may be implemented in, for instance, a wireless handheld device, a wireless plug-in accessory, or the like.
  • Apparatus 20 may include one or more processors, one or more computer-readable storage media (for example, memory, storage, and the like), one or more radio access components (for example, a modem, a transceiver, and the like), and/or a user interface.
  • Apparatus 20 may be configured to operate using one or more radio access technologies, such as GSM, LTE, LTE-A, NR, 5G, WLAN, WiFi, NB-IoT, Bluetooth, NFC, and any other radio access technologies. It should be noted that one of ordinary skill in the art would understand that apparatus 20 may include components or features not shown in Fig. 2b.
  • Apparatus 20 may include or be coupled to a processor 22 for processing information and executing instructions or operations.
  • Processor 22 may be any type of general or specific purpose processor.
  • Processor 22 may include one or more of general-purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and processors based on a multi-core processor architecture, as examples. While a single processor 22 is shown in Fig. 2b, multiple processors may be utilized according to other embodiments.
  • Apparatus 20 may include two or more processors that may form a multiprocessor system (i.e., in this case processor 22 represents a multiprocessor) that may support multiprocessing.
  • The multiprocessor system may be tightly coupled or loosely coupled (e.g., to form a computer cluster).
  • Processor 22 may perform functions associated with the operation of apparatus 20 including, without limitation, precoding of antenna gain/phase parameters, encoding and decoding of individual bits forming a communication message, formatting of information, and overall control of the apparatus 20, including processes related to management of communication resources.
  • Apparatus 20 may further include or be coupled to a memory 24 (internal or external), which may be coupled to processor 22, for storing information and instructions that may be executed by processor 22.
  • Memory 24 may be one or more memories and of any type suitable to the local application environment, and may be implemented using any suitable volatile or nonvolatile data storage technology such as a semiconductor-based memory device, a magnetic memory device and system, an optical memory device and system, fixed memory, and removable memory.
  • Memory 24 can be comprised of any combination of random access memory (RAM), read only memory (ROM), static storage such as a magnetic or optical disk, or any other type of non-transitory machine or computer readable media.
  • The instructions stored in memory 24 may include program instructions or computer program code that, when executed by processor 22, enable the apparatus 20 to perform tasks as described herein.
  • Apparatus 20 may further include or be coupled to (internal or external) a drive or port that is configured to accept and read an external computer readable storage medium, such as an optical disc, USB drive, flash drive, or any other storage medium.
  • The external computer readable storage medium may store a computer program or software for execution by processor 22 and/or apparatus 20.
  • Apparatus 20 may also include or be coupled to one or more antennas 25 for receiving a downlink signal and for transmitting via an uplink from apparatus 20.
  • Apparatus 20 may further include a transceiver 28 configured to transmit and receive information.
  • The transceiver 28 may also include a radio interface (e.g., a modem) coupled to the antenna 25.
  • The radio interface may correspond to a plurality of radio access technologies including one or more of GSM, LTE, LTE-A, 5G, NR, WLAN, NB-IoT, Bluetooth, BT-LE, NFC, RFID, UWB, and the like.
  • The radio interface may include other components, such as filters, converters (for example, digital-to-analog converters and the like), symbol demappers, signal shaping components, an Inverse Fast Fourier Transform (IFFT) module, and the like, to process symbols, such as OFDMA symbols, carried by a downlink or an uplink.
  • IFFT: Inverse Fast Fourier Transform
  • Transceiver 28 may be configured to modulate information on to a carrier waveform for transmission by the antenna(s) 25 and demodulate information received via the antenna(s) 25 for further processing by other elements of apparatus 20.
  • Transceiver 28 may be capable of transmitting and receiving signals or data directly.
  • Apparatus 20 may further include a user interface, such as a graphical user interface or touchscreen.
  • Memory 24 stores software modules that provide functionality when executed by processor 22.
  • The modules may include, for example, an operating system that provides operating system functionality for apparatus 20.
  • The memory may also store one or more functional modules, such as an application or program, to provide additional functionality for apparatus 20.
  • The components of apparatus 20 may be implemented in hardware, or as any suitable combination of hardware and software.
  • Apparatus 20 may be a UE, mobile device, mobile station, ME, IoT device and/or NB-IoT device, for example.
  • Apparatus 20 may be controlled by memory 24 and processor 22 to perform the functions associated with embodiments described herein.
  • Apparatus 20 may be configured to perform one or more of the processes depicted in any of the flow charts or signaling diagrams described herein.
  • Apparatus 20 may be controlled by memory 24 and processor 22 to receive a new NCC in advance, for instance, during a previous RRC connection.
  • The new NCC may be received in an RRCConnectionReconfiguration message, SecurityModeCommand message, RRCConnectionSetup message, or RRCConnectionResume message.
  • Apparatus 20 may be controlled by memory 24 and processor 22 to calculate or generate a new security key(s) based on the pre-provisioned new NCC and/or a cell ID of the cell that apparatus 20 is camped on.
  • Apparatus 20 may also be controlled by memory 24 and processor 22 to apply the new security key(s), for example, when apparatus 20 switches from an inactive state (e.g., RRC_INACTIVE mode) to a connected state (e.g., RRC_CONNECTED mode), or when apparatus 20 transmits small data via a ResumeRequest message in inactive mode without switching to RRC_CONNECTED mode, or when apparatus 20 meets radio failures such as RLF or HO failure.
  • Apparatus 20 can seek to re-establish an RRC connection with a Resume procedure and may immediately apply the new security key(s) based on the pre-provisioned new NCC, so the network connection can be re-established more quickly and data multiplexing is possible.
  • Fig. 3a illustrates an example flow diagram of a method, according to one embodiment.
  • the method of Fig. 3a may be performed, for example, by a network node, such as a base station, access point, eNB, gNB, or the like.
  • the method may include, at 300, transmitting in advance, to one or more UEs, a new NCC (e.g., during a previous C connection).
  • the transmitting of the new NCC may include transmitting the new NCC in a RRCConnectionReconfiguration message, SecurityModeCommand message, RRCConnectionSetup message, or RRCConnectionResume message.
  • the UE(s) can immediately apply a new security key calculated based on the pre- provisioned new NCC and a cell ID of the cell that the UE is camped on. For instance, the UE(s) may calculate the new security key when the UE(s) switches from an inactive mode (e.g., RRC INACTIVE mode) to a connected mode (e.g., RRC_CONNECTED mode), or when the UE(s) transmits small data via a ResumeRequest message in inactive mode without switching to a connected mode, or when the UE(s) meets radio failures like RLF or HO failure. In one embodiment, the method may also include, at 310, using an integrity check to determine whether the UE used the correct NCC.
  • the using step may include performing the integrity check in a RRCConnectionResume message. Since, according to certain embodiments of the present disclosure, the NCC may be provided during the previous RRC connection, the integrity verification may be made from the RRCConnectionResume message and a RRCResumeComplete message can be omitted.
  • Fig. 3b illustrates an example flow diagram of a method, according to one embodiment.
  • the method of Fig. 3b may be performed, for example, by a UE, mobile station, mobile device, IoT device, MTC device, or the like.
  • the method may include, at 350, receiving a new NCC in advance, for instance, during a previous RRC connection.
  • the new NCC may be received in a RRCConnectionReconfiguration message, SecurityModeCommand message, RRCConnectionSetup message, or RRCConnectionResume message.
  • the method may also include, at 360, calculating or generating new security key(s) based on the pre-provisioned new NCC and/or a cell ID of the cell that the UE is camped on.
  • the method may also include, at 370, applying the new security key(s), for example, when the UE switches from an inactive state (e.g., RRC_INACTIVE mode) to a connected state (e.g., RRC_CONNECTED mode), or when the UE transmits small data via a ResumeRequest message in inactive mode without switching to a connected mode, or when the UE meets radio failures such as RLF or HO failure.
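The two procedures above (network side, Fig. 3a, steps 300/310; UE side, Fig. 3b, steps 350 to 370) as an added toy model, not code from the patent, from Nokia or from 3GPP: the 5G key hierarchy and KDF are collapsed into one HMAC-SHA256 construction (an assumption), and the root key, cell IDs, resume ID and message contents are constructed. It shows why an integrity check on the resume message alone tells the network whether the UE derived its key from the pre-provisioned NCC, so no key refresh round-trip is needed before accepting multiplexed data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the real 5G key hierarchy (K_AMF, NH chain, K_gNB, K_RRCint) and the
# 3GPP KDF are collapsed into one HMAC-SHA256 construction so the flow fits one file.
MAC_LEN = 4  # bytes; mirrors the 32-bit MAC-I carried by integrity-protected RRC messages

def derive_key(root_key: bytes, ncc: int, cell_id: int) -> bytes:
    """Walk the next-hop chain `ncc` steps, then bind the result to the camped cell ID."""
    nh = root_key
    for _ in range(ncc):
        nh = hmac.new(root_key, nh, hashlib.sha256).digest()
    return hmac.new(nh, b"cell" + cell_id.to_bytes(4, "big"), hashlib.sha256).digest()

def mac_i(key: bytes, payload: bytes) -> bytes:
    """Truncated HMAC standing in for the RRC integrity algorithm."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]

@dataclass
class UeContext:
    """Network-side state kept for a UE while it sits in RRC_INACTIVE."""
    resume_id: int
    root_key: bytes
    provisioned_ncc: int = 0

@dataclass
class Ue:
    resume_id: int
    root_key: bytes
    ncc: int = 0  # NCC received in advance during the previous RRC connection

def provision_new_ncc(ctx: UeContext, ue: Ue) -> dict:
    """Steps 300 / 350: network sends the next NCC while the UE is still connected."""
    ctx.provisioned_ncc += 1
    msg = {"type": "RRCConnectionReconfiguration", "nextHopChainingCount": ctx.provisioned_ncc}
    ue.ncc = msg["nextHopChainingCount"]  # UE stores it for the later resume
    return msg

def build_resume_request(ue: Ue, cell_id: int, small_data: bytes = b"") -> dict:
    """Steps 360 / 370: UE derives the new key at once and protects msg3 plus multiplexed data."""
    key = derive_key(ue.root_key, ue.ncc, cell_id)
    payload = ue.resume_id.to_bytes(4, "big") + small_data
    return {"type": "RRCConnectionResumeRequest", "payload": payload, "macI": mac_i(key, payload)}

def verify_resume_request(ctx: UeContext, serving_cell_id: int, msg: dict) -> bool:
    """Step 310: a valid MAC-I proves the UE used the pre-provisioned NCC in this cell,
    so the data can be accepted without a key refresh round-trip (no msg5)."""
    expected_key = derive_key(ctx.root_key, ctx.provisioned_ncc, serving_cell_id)
    return hmac.compare_digest(mac_i(expected_key, msg["payload"]), msg["macI"])
```

A UE that resumes with a stale NCC, or a message replayed into a different cell, fails the check because both the NCC step count and the cell ID enter the key derivation.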
  • embodiments of the invention provide several technical effects and/or improvements and/or advantages. For example, certain embodiments can reduce latencies even in case of RLF, for example, by allowing for the omission of msg5. Also, according to certain embodiments, key refresh after the initial RRC messages is not required and data transmission can take place immediately (even multiplexed with the first RRC message) by the UE. As a result, certain embodiments can improve performance and throughput of network nodes including, for example, base stations, eNBs, gNBs and/or UEs. Accordingly, the use of embodiments of the invention results in improved functioning of communications networks and their nodes.
  • any of the methods, processes, signaling diagrams, or flow charts described herein may be implemented by software and/or computer program code or portions of code stored in memory or other computer readable or tangible media, and executed by a processor.
  • an apparatus may be included or be associated with at least one software application, module, unit or entity configured as arithmetic operation(s), or as a program or portions of it (including an added or updated software routine), executed by at least one operation processor.
  • Programs also called computer program products or computer programs, including software routines, applets and macros, may be stored in any apparatus-readable data storage medium and include program instructions to perform particular tasks.
  • a computer program product may comprise one or more computer-executable components which, when the program is run, are configured to carry out embodiments described herein.
  • the one or more computer-executable components may include at least one software code or portions of code. Modifications and configurations required for implementing the functionality of an embodiment may be performed as routine(s), which may be implemented as added or updated software routine(s). In some embodiments, software routine(s) may be downloaded into the apparatus.
  • Software or a computer program code or portions of code may be in a source code form, object code form, or in some intermediate form, and may be stored in some sort of carrier, distribution medium, or computer readable medium, which may be any entity or device capable of carrying the program.
  • Such carriers include a record medium, computer memory, read-only memory, photoelectrical and/or electrical carrier signal, telecommunications signal, and/or software distribution package, for example.
  • the computer program may be executed in a single electronic digital device or it may be distributed amongst a number of devices or computers.
  • the computer readable medium or computer readable storage medium may be a non-transitory medium.
  • the functionality may be performed by hardware, for example through the use of an application specific integrated circuit (ASIC), a programmable gate array (PGA), a field programmable gate array (FPGA), or any other combination of hardware and software.
  • the functionality may be implemented as a signal, a non-tangible means that can be carried by an electromagnetic signal downloaded from the Internet or other network.
  • an apparatus such as a node, device, or a corresponding component, may be configured as a computer or a microprocessor, such as a single-chip computer element, or as a chipset, including at least a memory for providing storage capacity used for arithmetic operation(s) and an operation processor for executing the arithmetic operation.
  • One embodiment is directed to a method that may include a network node transmitting in advance, to one or more UEs, a new NCC.
  • the transmitting in advance may comprise transmitting the new NCC during a previous RRC connection.
  • the method may also include using an integrity check to determine whether the UE(s) used a correct NCC.
  • Another embodiment is directed to an apparatus that may include at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus at least to transmit in advance, to one or more UEs, a new NCC.
  • the transmitting in advance may comprise transmitting the new NCC during a previous RRC connection.
  • the at least one memory and the computer program code may be further configured, with the at least one processor, to cause the apparatus at least to use an integrity check to determine whether the UE(s) used a correct NCC.
  • Another embodiment is directed to a method that may include receiving, at a UE, a new NCC in advance, for example, during a previous RRC connection.
  • the method may also include calculating or generating new security key(s) based on the new NCC and/or a cell ID of the cell that the UE is camped on, and applying the new security key(s), for example, when the UE switches from an inactive state to a connected state.
  • Another embodiment is directed to an apparatus that may include at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus at least to receive a new NCC in advance, for example, during a previous RRC connection, to calculate or generate new security key(s) based on the new NCC and/or a cell ID of the cell that the apparatus is camped on, and to apply the new security key(s), for example, when the apparatus switches from an inactive state to a connected state.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Systems, methods, apparatuses and computer program products relating to the provision of security information, for example in 5G or new radio (NR) access technology, are disclosed. A method may comprise transmitting in advance, by a network node, a new parameter used to generate security keys to at least one user equipment. The method may also comprise performing an integrity check to determine whether the user equipment(s) use a correct parameter for generating the security keys.
PCT/FI2018/050290 2017-05-05 2018-04-24 Provision of security information WO2018202941A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880028751.0A CN110574334B (zh) 2017-05-05 2018-04-24 Providing security information
JP2019558659A JP7074991B2 (ja) 2017-05-05 2018-04-24 Provision of security information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762502002P 2017-05-05 2017-05-05
US62/502,002 2017-05-05

Publications (1)

Publication Number Publication Date
WO2018202941A1 true WO2018202941A1 (fr) 2018-11-08

Family

ID=62152579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2018/050290 WO2018202941A1 (fr) 2017-05-05 2018-04-24 Provision of security information

Country Status (3)

Country Link
JP (1) JP7074991B2 (fr)
CN (1) CN110574334B (fr)
WO (1) WO2018202941A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108924829A (zh) * 2017-04-07 2018-11-30 中兴通讯股份有限公司 Method and device for sending and processing uplink data and authentication
WO2020032850A1 (fr) * 2018-08-06 2020-02-13 Telefonaktiebolaget Lm Ericsson (Publ) User equipment and method in a wireless communication network
WO2021096411A1 (fr) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Integrity protection of radio resource control message

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021203439A1 (fr) * 2020-04-10 2021-10-14 Oppo广东移动通信有限公司 Data transmission method, terminal device and network device
WO2022141025A1 (fr) * 2020-12-29 2022-07-07 华为技术有限公司 Data transmission method and apparatus
CN114449514B (zh) * 2021-12-27 2024-04-26 中国电信股份有限公司 Key generation method, apparatus, device and medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100042841A1 (en) * 2008-08-15 2010-02-18 Neal King Updating and Distributing Encryption Keys

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101400059B (zh) * 2007-09-28 2010-12-08 华为技术有限公司 Key update method and device in active state
WO2010105442A1 (fr) * 2009-03-20 2010-09-23 深圳华为通信技术有限公司 Method, apparatus and system for generating evolved key parameters
AU2014226165B2 (en) * 2013-03-04 2016-07-21 Apple Inc. Re-establishment in hetnet robustness by use of overlay macro cell as re-establishment candidate
EP3664487B1 (fr) * 2015-09-14 2022-10-05 Telefonaktiebolaget LM Ericsson (publ) Radio access nodes and terminal devices in a communication network
JP6123009B1 (ja) * 2015-11-05 2017-04-26 株式会社Nttドコモ User equipment, base station, and connection establishment method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100042841A1 (en) * 2008-08-15 2010-02-18 Neal King Updating and Distributing Encryption Keys

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Key refresh in NR", vol. RAN WG2, no. Spokane, USA; 20170403 - 20170407, 3 April 2017 (2017-04-03), XP051244571, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/RAN2/Docs/> [retrieved on 20170403] *
INTEL CORPORATION: "Security handling for resumption, re-establishment and handover", vol. RAN WG2, no. Berlin, Germany; 20170821 - 20170825, 20 August 2017 (2017-08-20), XP051318607, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/RAN2/Docs/> [retrieved on 20170820] *
INTEL CORPORATION: "Security optimizations when resuming or re-establishing", vol. RAN WG2, no. Qingdao, China; 20170627 - 20170629, 26 June 2017 (2017-06-26), XP051301536, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/RAN2/Docs/> [retrieved on 20170626] *
NOKIA ET AL: "Principal signalling procedures for RRC connection control", vol. RAN WG2, no. Spokane, USA; 20170403 - 20170407, 3 April 2017 (2017-04-03), XP051244750, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/RAN2/Docs/> [retrieved on 20170403] *
NOKIA ET AL: "RRC connection establishment, re-establishment and resume", vol. RAN WG2, no. Hangzhou, China; 20170515 - 20170519, 14 May 2017 (2017-05-14), XP051275716, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/RAN2/Docs/> [retrieved on 20170514] *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108924829A (zh) * 2017-04-07 2018-11-30 中兴通讯股份有限公司 Method and device for sending and processing uplink data and authentication
CN108924829B (zh) * 2017-04-07 2022-05-24 中兴通讯股份有限公司 Method and device for sending and processing uplink data and authentication
WO2020032850A1 (fr) * 2018-08-06 2020-02-13 Telefonaktiebolaget Lm Ericsson (Publ) User equipment and method in a wireless communication network
WO2021096411A1 (fr) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Integrity protection of radio resource control message

Also Published As

Publication number Publication date
CN110574334B (zh) 2023-07-11
JP7074991B2 (ja) 2022-05-25
JP2020519088A (ja) 2020-06-25
CN110574334A (zh) 2019-12-13

Similar Documents

Publication Publication Date Title
EP3498014B1 (fr) Long term evolution (LTE) light connection enhancements for new radio (NR) to long term evolution (LTE) interworking
TWI822826B (zh) Downlink data transmission in RRC inactive mode
US11160130B2 (en) User equipment measurements upon secondary radio link failure for long term evolution—new radio tight interworking
CN110574334B (zh) Providing security information
US11889304B2 (en) Next generation key set identifier
US10952177B2 (en) Dynamic subscription handling in 5G and long term evolution (LTE)
US11218891B2 (en) Enhanced radio link monitoring for user equipment
US10581495B2 (en) Physical layer configuration continuity during radio resource control restoration
EP3556062B1 (fr) Data storage function selection
US11291074B2 (en) Radio beam management reporting operation with connected mode discontinuous reception
US10187860B2 (en) User equipment context handling with user equipment autonomous mobility
US11363450B2 (en) Paging area update failure handling
US20230127705A1 (en) Link failure monitoring at a multi-sim device in a wireless network
WO2018197659A1 (fr) Delay-based trigger for enabling uplink split
EP3569028A1 (fr) Controlled downlink packet marking
EP4240100A1 (fr) Broadcast service restoration for broadcast/multicast service upon failure or restart of a radio access node
US20230216776A1 (en) Methods and apparatuses for configuration of user device(s) for reception of point-to-multipoint transmission
EP4068894A1 (fr) Probing and keepalive signals for multimedia broadcast/multicast service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18724300

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019558659

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18724300

Country of ref document: EP

Kind code of ref document: A1