WO2019028698A1 - Subscriber identity privacy protection - Google Patents

Subscriber identity privacy protection

Info

Publication number
WO2019028698A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
wireless network
network entity
ephemeral
cellular wireless
Prior art date
Application number
PCT/CN2017/096610
Inventor
Lijia Zhang
Xiangying Yang
Dawei Zhang
Huarui Liang
Original Assignee
Apple Inc.
Priority date
Filing date
Publication date
Application filed by Apple Inc.
Priority to PCT/CN2017/096610
Publication of WO2019028698A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the described embodiments set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS).
  • PFS forward secrecy
  • each UICC includes at least a microprocessor and a read-only memory (ROM), where the ROM is configured to store an MNO profile that the wireless device can use to register and interact with an MNO to obtain wireless services via a cellular wireless network.
  • ROM read-only memory
  • a UICC takes the form of a small removable card (commonly referred to as a Subscriber Identity Module (SIM) card), which is configured to be inserted into a UICC-receiving bay included in a wireless device.
  • SIM Subscriber Identity Module
  • UICCs are being embedded directly into system boards of wireless devices.
  • eUICCs embedded UICCs
  • Some eUICCs include a rewritable memory that can facilitate installation, modification, and/or deletion of one or more eSIMs, which can provide for new and/or different services and/or updates for accessing extended features provided by MNOs.
  • An eUICC can store a number of MNO profiles—also referred to herein as eSIMs—and can eliminate the need to include UICC-receiving bays in wireless devices.
  • An MNO profile includes an International Mobile Subscriber Identity (IMSI) by which a user that subscribes to services provided by the MNO can be identified uniquely by cellular wireless networks.
  • the IMSI includes a mobile country code (MCC), a mobile network code (MNC), and a Mobile Subscriber Identification Number (MSIN).
  • MCC mobile country code
  • MNC mobile network code
  • MSIN Mobile Subscriber Identification Number
  • Certain messages sent between the cellular wireless network and the wireless device may include the IMSI in a clear, readable, unencrypted format, and as such the IMSI is open to snooping by passive listening or active request and reply capture techniques.
  • Representative embodiments set forth techniques for protecting subscriber identity, such as a mobile subscriber identifier, in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS).
  • the wireless device, such as a user equipment (UE), determines an ephemeral UE public and secret key pair and generates an encryption key based on the ephemeral UE secret key and a static network public key that can be preconfigured in the UE.
  • UE user equipment
  • the UE encrypts a mobile subscriber identifier, such as an MSIN portion of the UE’s IMSI, using the encryption key and sends an uplink (UL) message to a cellular wireless network entity, such as to an evolved NodeB (eNodeB) or to a next generation NodeB (gNB), the UL message including the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and a static network secret key that corresponds to the static network public key.
  • eNodeB evolved NodeB
  • gNB next generation NodeB
  • the cellular wireless network entity generates an ephemeral network public and secret key pair and sends a downlink (DL) message to the UE that includes the ephemeral network public key and a corresponding signature signed with a secret network key.
  • DL downlink
  • the UE can store the ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message.
  • the UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period.
  • the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key.
  • the UE generates, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using the ephemeral UE secret key and the ephemeral network public key and a second shared secret using the ephemeral UE secret key and the static network public key. Subsequently, the UE derives the encryption key based on the first and second shared secrets.
  • ECDH elliptic curve Diffie-Hellman
  • the cellular wireless network entity generates, based on the ECDH key agreement protocol, the first shared secret using the ephemeral UE public key and the ephemeral network secret key and the second shared secret using the ephemeral UE public key and the static network secret key, and subsequently derives the encryption key based on the first and second shared secrets.
  • the UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new encryption keys with which to encrypt the mobile subscriber identifier in different messages.
  • PFS is achieved by using ephemeral network key pairs rather than only static network key pairs.
  • FIG. 1 illustrates a block diagram of different components of an exemplary system configured to implement the various techniques described herein, according to some embodiments.
  • FIGS. 2A and 2B illustrate flow diagrams of a prior art encryption technique to protect a subscriber identity.
  • FIG. 3 illustrates an exemplary message exchange of a first technique to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 4 illustrates an exemplary message exchange of a second technique to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 5 illustrates an exemplary message exchange of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 6 illustrates an exemplary message exchange of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 7 illustrates a block diagram of an example of overlapping time periods for the use of keys.
  • FIGS. 8A and 8B illustrate exemplary flow diagrams of actions performed by a UE to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIGS. 9A and 9B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 10 illustrates an exemplary flow diagram of actions performed by a UE to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 11 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIGS. 12A and 12B illustrate exemplary flow diagrams of actions performed by a UE to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIGS. 13A and 13B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 14 illustrates an exemplary flow diagram of actions performed by a UE to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 15 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
  • FIG. 16 illustrates a detailed view of a representative computing device that can be used to implement various methods described herein, according to some embodiments.
  • the terms “wireless communication device,” “wireless device,” “mobile device,” “mobile station,” and “user equipment” (UE) may be used interchangeably herein to describe one or more common consumer electronic devices that may be capable of performing procedures associated with various embodiments of the disclosure.
  • UE user equipment
  • any one of these consumer electronic devices may relate to: a cellular phone or a smart phone, a tablet computer, a laptop computer, a notebook computer, a personal computer, a netbook computer, a media player device, an electronic book device, a device, a wearable computing device, as well as any other type of electronic computing device having wireless communication capability that can include communication via one or more wireless communication protocols such as used for communication on: a wireless wide area network (WWAN), a wireless metro area network (WMAN), a wireless local area network (WLAN), a wireless personal area network (WPAN), a near field communication (NFC), a cellular wireless network, a fourth generation (4G) Long Term Evolution (LTE), LTE Advanced (LTE-A), and/or fifth generation (5G) or other present or future developed advanced cellular wireless networks.
  • WWAN wireless wide area network
  • WMAN wireless metro area network
  • WLAN wireless local area network
  • WPAN wireless personal area network
  • NFC near field communication
  • the wireless communication device can also operate as part of a wireless communication system, which can include a set of client devices, which can also be referred to as stations, client wireless devices, or client wireless communication devices, interconnected to an access point (AP), e.g., as part of a WLAN, and/or to each other, e.g., as part of a WPAN and/or an “ad hoc” wireless network.
  • client device can be any wireless communication device that is capable of communicating via a WLAN technology, e.g., in accordance with a wireless local area network communication protocol.
  • the WLAN technology can include a Wi-Fi (or more generically a WLAN) wireless communication subsystem or radio
  • the Wi-Fi radio can implement an Institute of Electrical and Electronics Engineers (IEEE) 802.11 technology, such as one or more of: IEEE 802.11a; IEEE 802.11b; IEEE 802.11g; IEEE 802.11-2007; IEEE 802.11n; IEEE 802.11-2012; IEEE 802.11ac; or other present or future developed IEEE 802.11 technologies.
  • a multi-mode user equipment can be configured to prefer attachment to LTE networks offering faster data rate throughput, as compared to other 3G legacy networks offering lower data rate throughputs.
  • a multi-mode UE may be configured to fall back to a 3G legacy network, e.g., an Evolved High Speed Packet Access (HSPA+) network or a Code Division Multiple Access (CDMA) 2000 Evolution-Data Only (EV-DO) network, when LTE and LTE-A networks are otherwise unavailable.
  • HSPA+ Evolved High Speed Packet Access
  • CDMA Code Division Multiple Access 2000 Evolution-Data Only
  • Representative embodiments of methods and apparatus presented herein set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS).
  • PFS is achieved by using ephemeral network key pairs rather than a static network key pair (and/or by limiting the use of a static network key pair).
  • the cellular wireless network entity such as an evolved NodeB (eNodeB)
  • eNodeB evolved NodeB
  • UE user equipment
  • the cellular wireless network entity generates an ephemeral network public key and an ephemeral network secret key and sends to the UE a downlink (DL) message that includes the ephemeral network public key and a signature of the ephemeral public network key signed by the static network secret key.
  • DL downlink
  • when the signature is verified using the static network public key, the UE generates an ephemeral UE public key and an ephemeral UE secret key and derives an encryption key based on the ephemeral UE secret key and the ephemeral network public key.
  • the UE encrypts a mobile subscriber identifier, such as a mobile subscriber identification number (MSIN) portion of the UE’s IMSI, using the encryption key and sends to the cellular wireless network entity an uplink (UL) message that includes the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and the ephemeral network secret key.
  • the cellular wireless network entity can then generate a new ephemeral network public and secret key pair and provide the new ephemeral network public key along with a signature to the UE.
  • the UE can store the new ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message.
  • the UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period.
  • the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key.
  • the encryption key can be derived as an Advanced Encryption Standard (AES) key.
  • DL messages sent to the UE by the cellular wireless network entity include both an ephemeral network public key and a signature with which to verify the ephemeral network public key.
  • UL messages sent to the cellular wireless network entity by the UE include an ephemeral UE public key, an encrypted mobile subscriber identifier, and a key identifier (ID), which can include an ephemeral network public key, a hash of the ephemeral network public key, or a count value.
  • ID key identifier
  • the inclusion of a key ID can be optional.
  • the UE generates an initial AES encryption key using a pre-configured static network public key and an ephemeral UE secret key generated by the UE.
  • the UE can encrypt the mobile subscriber identifier using the initial AES encryption key and send the encrypted MSIN to the cellular wireless network entity along with an ephemeral UE public key that corresponds to the ephemeral UE secret key.
  • the cellular wireless network entity can derive the initial AES encryption key using the ephemeral UE public key received from the UE and a static network secret key that corresponds to the static network public key.
  • the cellular wireless network entity can decrypt the mobile subscriber identifier using the initial AES encryption key and subsequently generate an ephemeral network public key and an ephemeral network secret key pair.
  • the cellular wireless network entity can send the ephemeral network public key and a signature for verification to the UE, which can store the ephemeral network public key when the signature is verified. Subsequently, the UE can use the ephemeral network public key and a newly generated ephemeral UE secret key to derive a new AES encryption key with which to encrypt the mobile subscriber identifier and send to the cellular wireless network entity.
  • the cellular wireless network entity can derive the new AES encryption key based on the previously generated ephemeral network secret key and the ephemeral UE public key received from the UE, where the new AES encryption key can be used to decrypt the mobile subscriber identifier.
  • the process can continue with newly generated ephemeral keys for each message sent or by reusing the ephemeral keys for a particular communication session between the UE and the cellular wireless network entity or to use within a certain time period.
  • the UE and the cellular wireless network entity derive AES encryption keys based on pairs of shared secrets.
  • the UE can generate, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using an ephemeral UE secret key and an ephemeral network public key (received from the cellular wireless network entity in a DL message) and a second shared secret using the ephemeral UE secret key and a pre-configured static network public key.
  • the UE can derive the AES encryption key based on the generated first and second shared secrets.
  • the cellular wireless network entity can generate, based on the ECDH key agreement protocol, the first shared secret using an ephemeral UE public key (received from the UE in a UL message) and an ephemeral network secret key (corresponding to the ephemeral network public key sent to the UE in the DL message) and the second shared secret using the ephemeral UE public key and the pre-configured static network secret key.
  • the cellular wireless network entity can derive the AES encryption key based on the derived first and second shared secrets and can decrypt a mobile subscriber identifier that was encrypted by the UE using the same AES encryption key.
  • the UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new AES encryption keys with which to encrypt the mobile subscriber identifier in different messages.
  • DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys with signatures for verification.
  • DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys without signatures for verification.
  • UL messages sent from the UE to the cellular wireless network entity include a key ID (which can include an ephemeral public network key received from the cellular wireless network entity or a hash thereof, or a count value) to allow the cellular wireless network entity to ascertain the ephemeral network public key used by the UE to generate the encryption key.
  • the use of the key ID can be optional for a particular communication session when a particular ephemeral network public key and ephemeral network secret key pair is established for use during the communication session.
  • static network public keys (and corresponding static network secret keys) can be rotated over time, such as by providing an over the air (OTA) update using a secure communication channel from the cellular wireless network entity to the UE.
  • OTA over the air
  • use of static network key pairs and/or of ephemeral network key pairs can overlap for a limited period of time.
  • a previous network key pair (static or ephemeral) can be used for a limited period of time by the UE after receipt of a new network key pair (static or ephemeral).
  • Either the previous “old” network key pair or the “new” network key pair can be used during the overlapping limited period of time. This allows for robust rotation of the network key pairs, as the newest network key pair can be corrupted in transit and require retransmission, or the UE can fail during processing and thus not properly receive and update the network key pair.
  • FIG. 1 illustrates a block diagram of different components of a system 100 that is configured to implement the various techniques described herein, according to some embodiments.
  • the system 100 includes a UE 102, which includes an IMSI 104 by which a subscription for a user of the UE 102 can be uniquely identified, in communication with an evolved NodeB (eNodeB) 106.
  • eNodeB evolved NodeB
  • the UE 102 and the cellular wireless network entity 350 can communicate via a Uu interface, which for some messages or for certain periods of time, such as prior to establishment of a secure connection between the UE 102 and the eNodeB 106, can be subject to eavesdropping by a third party.
  • while the eNodeB 106 connects to a Mobility Management Entity (MME) 108 of the core network via a secure S1-MME interface, and the MME 108 connects to a Home Subscriber Server (HSS) 110 via a secure S6a interface, the eNodeB 106 can send some messages to and receive some messages from the UE 102 “in the clear”, in some instances.
  • MME Mobility Management Entity
  • HSS Home Subscriber Server
  • RRC Radio Resource Control
  • RRC network access stratum (NAS) messages sent from the UE 102 to the eNodeB 106 can also include the IMSI 104 of the UE 102 without encryption to protect the IMSI 104 value from eavesdroppers.
  • Example RRC NAS messages include an RRC Attach Request message, a UE originating RRC Detach Request message, and an RRC Identity Response message.
  • a passive eavesdropping entity such as passive IMSI catcher 112 can listen for communication sent from the eNodeB 106, such as paging messages, or sent from the UE 102, such as attach/detach request messages, and ascertain the IMSI 104 of the UE 102.
  • an active eavesdropping entity such as active IMSI catcher 114, can mimic communication from the eNodeB 106 and send a Request Identity message to the UE 102 and receive an Identity Response message that includes the IMSI 104 of the UE 102.
  • the Uu interface between the UE 102 and the eNodeB 106 is susceptible to IMSI exposure due to passive and/or active attacks.
  • the IMSI 104 can be protected from eavesdropping.
  • the IMSI 104 can be protected from future decryption as well, thereby achieving perfect forward secrecy should a secret key be compromised.
  • examples of a wireless network entity include a radio access network entity, such as the eNodeB 106 or a next generation NodeB (also referred to as a gNodeB or gNB), or a core network entity, such as the MME 108, the HSS 110, an authentication server function (AUSF), or an access and mobility function (AMF).
  • AUSF authentication server function
  • AMF access and mobility function
  • the messages may include a mobile subscriber identifier, such as the MSIN of the IMSI 104, which can be encrypted securely with perfect forward secrecy as described further herein to protect privacy of the mobile subscriber identifier.
  • Mobile subscriber identifiers other than the MSIN or the IMSI 104 can be similarly encrypted and decrypted using combinations of keys as described further herein to protect them from eavesdropping when communicated between the UE 102 and a cellular wireless network entity.
  • FIGS. 2A and 2B illustrate flow diagrams 200/250 of a prior art encryption technique to protect a subscriber identity.
  • for the UE side encryption flow diagram 200, the UE 102 generates ephemeral key pairs, which include an ephemeral UE public key that can be provided to another party, such as to a network side entity, e.g., the cellular wireless network entity 350, and an ephemeral UE private key (which can also be referred to as a secret key).
  • the UE 102 can generate a shared key (which can also be referred to as a shared secret) based on the ephemeral UE private key and a static public network key (also referred to as a public ECC key for the Home Public Land Mobile Network or HPLMN).
  • the network side entity, e.g., the eNodeB 106, can generate the shared key based on the key agreement using the ephemeral UE public key provided by the UE 102 to the network side entity and a static private network key that corresponds to the static public network key known to the UE 102.
  • the UE 102 and the network side entity can use a common key derivation technique to determine an ephemeral encryption key with which to encrypt/decrypt the MSIN portion of an IMSI of the UE 102.
  • the MCC/MNC portion of the IMSI can remain unencrypted.
  • Both the UE side encryption and the network side encryption can be based on an Elliptic Curve Integrated Encryption Scheme (ECIES) .
  • ECIES Elliptic Curve Integrated Encryption Scheme
  • the prior art technique of FIGS. 2A and 2B uses static network public and private (secret) keys and, as such, should the static network private key be compromised, previous communications that include the MSIN encrypted with the static network public key can be decrypted. Thus, perfect forward secrecy cannot be achieved with the use of static network public keys. As discussed herein, using ephemeral network public keys overcomes this deficiency.
  • FIG. 3 illustrates an exemplary message exchange 300 of a first technique to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 can be pre-configured with a static network public key (PKnw)
  • the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw.
  • the term “secret key” is used herein synonymously with the term “private key”
  • the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 can send to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed with the pre-configured SKnw.
  • the UE 102 can verify the signature of ePKnw using the pre-configured PKnw. When the signature is verified, the UE 102 can generate its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue).
  • the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message.
  • the UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (K_AES), using the UE-generated eSKue and the cellular wireless network entity-generated ePKnw.
  • AES Advanced Encryption Standard
  • K_AES Advanced Encryption Standard
  • the UE 102 uses K_AES to encrypt a mobile subscriber identifier, such as the MSIN portion of the IMSI 104 of the UE 102.
  • the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes ePKue and the MSIN encrypted using the derived K_AES.
  • the first UL message also includes a key identifier (ID) , such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted.
  • the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session.
  • the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the previously generated eSKnw.
  • the cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES.
  • the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’), where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message.
  • the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’ and a corresponding signature of ePKnw’ signed by SKnw.
  • the UE 102 can verify the signature of ePKnw’ using the pre-configured PKnw and store ePKnw’ when the signature is verified. Subsequently, at 318, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 can derive a second AES encryption key (K AES’) to encrypt the MSIN included in a subsequent UL message sent to the cellular wireless network entity 350.
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the MSIN encrypted with K AES’.
  • the cellular wireless network entity 350 can derive K AES’ using ePKue’ and eSKnw’ and decrypt the MSIN.
  • the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message.
  • the process from 312 to 316 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
  • FIG. 4 illustrates an exemplary message exchange 400 of a second technique to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 can be pre-configured with a static network public key (PKnw)
  • the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw.
  • the cellular wireless network entity 350 does not generate an initial ephemeral network public/secret key pair and send the ephemeral network public key to the UE 102.
  • the UE 102 uses the static network public key PKnw for an initial encoding.
  • the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue).
  • the UE 102 derives a first AES encryption key K AES, using the UE-generated ephemeral secret key eSKue and the pre-configured static network public key PKnw, and uses K AES to encrypt a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102.
  • the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes the ePKue and the MSIN encrypted using the derived K AES.
  • the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the pre-configured static SKnw.
  • the cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES.
  • the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw and a corresponding signature of ePKnw signed by SKnw.
  • the UE 102 can verify the signature of ePKnw using the pre-configured PKnw and store ePKnw when the signature is verified. Subsequently, at 414, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). Using ePKnw received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 can derive a second AES encryption key (K AES’) to encrypt the MSIN included in a second UL message sent to the cellular wireless network entity 350.
  • the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with K AES’.
  • the cellular wireless network entity 350 can derive K AES’ using ePKue’ and eSKnw and decrypt the MSIN.
  • the key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message.
  • the process from 408 to 418 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
  • FIG. 5 illustrates an exemplary message exchange 500 of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 can be pre-configured with a static network public key (PKnw)
  • the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw.
  • the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 can send to the UE 102 a first DL message that includes ePKnw.
  • the UE 102 generates its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue).
  • the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message.
  • the UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (K AES) using the UE-generated eSKue, the pre-configured static PKnw, and the cellular wireless network entity-generated ephemeral ePKnw.
  • the UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue and PKnw.
  • the UE 102 then derives the AES encryption key K AES by applying a key derivation function (KDF) to SHS1 and SHS2, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using K AES.
  • the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived K AES.
  • the first UL message also includes a key identifier (ID), such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted.
  • the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session.
  • the cellular wireless network entity 350 derives the encryption key K AES using the KDF on the shared secrets SHS1 and SHS2 derived from ePKue, received from the UE 102, the previously generated eSKnw (for SHS1), and the pre-configured SKnw (for SHS2).
  • the cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES.
  • the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’), where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message.
  • the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’.
  • the UE 102 stores ePKnw’.
  • the UE 102 generates a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 uses the ECDH key agreement to derive new shared secrets SHS1’ from eSKue’ and ePKnw’ and SHS2’ from eSKue’ and PKnw and the KDF to derive the second AES encryption key K AES’.
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the MSIN encrypted with K AES’.
  • the cellular wireless network entity 350 can derive K AES’ using ePKue’, eSKnw’, and eSKnw and decrypt the MSIN.
  • the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message.
  • the process from 512 to 516 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
  • FIG. 6 illustrates an exemplary message exchange 600 of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 can be pre-configured with a static network public key (PKnw)
  • the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw.
  • the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue).
  • the UE 102 derives a first AES encryption key K AES, using the UE-generated eSKue and the pre-configured static PKnw, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using K AES.
  • the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived K AES.
  • the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the pre-configured static SKnw.
  • the cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES. Subsequently, the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 610, the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw. At 612, the UE 102 stores ePKnw received from the cellular wireless network entity 350.
  • the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue’ and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue’ and PKnw.
  • the UE 102 then derives the AES encryption key K AES’ using a key derivation function (KDF) using SHS1 and SHS2.
  • the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with K AES’.
  • the cellular wireless network entity 350 derives K AES’ using the KDF on shared secrets SHS1 and SHS2 derived from ePKue’, received from the UE 102, the previously generated eSKnw (for SHS1), and the pre-configured SKnw (for SHS2).
  • the cellular wireless network entity 350 decrypts the MSIN using the derived K AES’.
  • the key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message.
  • the key ID includes ePKnw, a hash of ePKnw, or a count value.
  • the use of the key ID is optional, e.g., when ephemeral network key pairs are shared with more than one UE 102.
  • the process can repeat for each additional message that includes an MSIN, with the cellular wireless network entity 350 generating an ephemeral network key pair (as at 608), communicating the ephemeral network public key to the UE 102 (as at 610), the UE 102 generating its own ephemeral key pair to use with the most recent ephemeral network public key and the static network public key to derive a new encryption key (as at 614) to encrypt the MSIN and send to the cellular wireless network entity 350 (as at 616).
  • the cellular wireless network entity 350 can derive the new encryption key (as at 618) to decrypt the MSIN.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
  • FIG. 7 illustrates a block diagram 700 of an example of overlapping time periods for the use of keys.
  • a first key K 1 is established for use over a time period indicated as the K 1 lifetime.
  • a lifetime of a previous key can overlap with a lifetime of a newest key.
  • the second key K 2 is established for use over a time period indicated as the K 2 lifetime.
  • the K 1 and K 2 lifetimes span an overlapping time period 712, where both the first key K 1 and the second key K 2 can be validly used before the first key K 1 expires at time 706.
  • static network key pairs can be updated by the cellular wireless network entity 350, using an over-the-air (OTA) secure connection between the cellular wireless network entity 350 and the UE 102.
  • the ephemeral network key pairs can overlap in time to allow for unplanned interruptions of transfer of the ephemeral network public key from the cellular wireless network entity 350 to the UE 102 and for delays in updating the ephemeral network public key at the UE 102.
  • Robust key rotation can be achieved by keeping both old and new keys live (e.g., valid for use by the UE 102) during overlapping lifetimes.
  • some UL messages from the UE 102 can include a key ID to indicate which ephemeral network public key was used by the UE 102 when deriving the encryption key with which the mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, was encrypted.
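The FIG. 5 variant (two ECDH shared secrets fed to a KDF) combined with the key ID and the overlapping ephemeral key lifetimes of FIG. 7, as an added Go example that is not code from the patent. Assumptions not stated on the page: curve P-256, the KDF SHA-256(SHS1 || SHS2), AES-256-GCM as the AES mode, SHA-256 of ePKnw as the key ID, and all type and function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var curve = ecdh.P256() // assumption: the page says ECDH but names no curve

// ULMessage carries the key ID, ePKue and the encrypted MSIN (names are hypothetical).
type ULMessage struct {
	KeyID          [32]byte // SHA-256 of ePKnw, one of the key ID forms the page lists
	EPKue, EncMSIN []byte   // EncMSIN is AES-256-GCM output (the mode is an assumption)
}

// Network holds the static SKnw and every ephemeral eSKnw whose lifetime has not ended.
type Network struct {
	SKnw *ecdh.PrivateKey
	live map[[32]byte]*ecdh.PrivateKey // key ID -> eSKnw
}

func newKey() *ecdh.PrivateKey {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable system randomness
	}
	return k
}

func NewNetwork() *Network { return &Network{newKey(), map[[32]byte]*ecdh.PrivateKey{}} }

// Rotate generates a new (ePKnw, eSKnw) pair and returns ePKnw for the DL message.
// Earlier pairs stay live until Expire is called: the overlapping lifetimes of FIG. 7.
func (n *Network) Rotate() []byte {
	eSKnw := newKey()
	ePKnw := eSKnw.PublicKey().Bytes()
	n.live[sha256.Sum256(ePKnw)] = eSKnw
	return ePKnw
}
func (n *Network) Expire(ePKnw []byte) { delete(n.live, sha256.Sum256(ePKnw)) }

// aeadFor computes SHS1 = ECDH(sk1, pk1) and SHS2 = ECDH(sk2, pk2) and keys AES-GCM
// with K AES = SHA-256(SHS1 || SHS2). This simple KDF is an assumption of the example.
func aeadFor(sk1 *ecdh.PrivateKey, pk1 []byte, sk2 *ecdh.PrivateKey, pk2 []byte) (cipher.AEAD, error) {
	h := sha256.New()
	sks, pks := []*ecdh.PrivateKey{sk1, sk2}, [][]byte{pk1, pk2}
	for i := range sks {
		pub, err := curve.NewPublicKey(pks[i]) // rejects encodings that are not curve points
		if err != nil {
			return nil, err
		}
		shs, err := sks[i].ECDH(pub)
		if err != nil {
			return nil, err
		}
		h.Write(shs)
	}
	blk, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// UEEncrypt is the UE side. Every call uses a fresh eSKue, so K AES encrypts exactly
// one message; only because of that is the fixed all-zero GCM nonce below safe.
func UEEncrypt(pkNw, ePKnw []byte, msin string) (*ULMessage, error) {
	eSKue := newKey()
	aead, err := aeadFor(eSKue, ePKnw, eSKue, pkNw)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, make([]byte, aead.NonceSize()), []byte(msin), nil)
	return &ULMessage{KeyID: sha256.Sum256(ePKnw), EPKue: eSKue.PublicKey().Bytes(), EncMSIN: ct}, nil
}

// Decrypt is the network side: pick eSKnw by key ID, then use it with SKnw and ePKue.
func (n *Network) Decrypt(m *ULMessage) (string, error) {
	eSKnw, ok := n.live[m.KeyID]
	if !ok {
		return "", fmt.Errorf("unknown or expired key ID")
	}
	aead, err := aeadFor(eSKnw, m.EPKue, n.SKnw, m.EPKue)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, make([]byte, aead.NonceSize()), m.EncMSIN, nil)
	return string(pt), err
}

func main() {
	nw := NewNetwork()
	msg, _ := UEEncrypt(nw.SKnw.PublicKey().Bytes(), nw.Rotate(), "0123456789") // constructed MSIN
	fmt.Println(nw.Decrypt(msg))
}
```

Because SHS2 depends on the static SKnw, a party that substitutes its own unsigned ePKnw in the DL message still cannot derive K AES, which is why this variant can omit the signature used in FIG. 3.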
  • FIGS. 8A and 8B illustrate exemplary flow diagrams 800 and 820 of actions performed by a UE 102 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 receives, from a cellular wireless network entity 350, a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key SKnw (which can be pre-configured in some embodiments and/or static and/or semi-static lasting for a period of time before replacement by the cellular wireless network entity 350).
  • the UE 102 determines whether the signature can be verified using a corresponding network public key (PKnw) .
  • the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue).
  • the UE 102 determines a first encryption key (K AES) using eSKue and ePKnw.
  • the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier encrypted with K AES.
  • the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’) and a signature of ePKnw’ signed using SKnw.
  • the UE 102 determines whether the signature can be verified using PKnw.
  • the UE stores ePKnw.
  • the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 determines a second encryption key (K AES) using eSKue’ and ePKnw’.
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier encrypted with K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIGS. 9A and 9B illustrate exemplary flow diagrams 900 and 920 of actions performed by a cellular wireless network entity 350 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
  • the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a second ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw and a signature of ePKnw signed using a network secret key (SKnw), which can be pre-configured and/or static in some embodiments.
  • the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier (of the UE 102) encrypted with a first encryption key (K AES).
  • the cellular wireless network entity 350 determines K AES using ePKue and eSKnw.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier using K AES.
  • the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’).
  • the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’ and a signature of ePKnw’ signed using SKnw.
  • the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key K AES’.
  • the cellular wireless network entity 350 determines K AES’ using ePKue’ received from the UE 102 and eSKnw’.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier using K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIG. 10 illustrates an exemplary flow diagram 1000 of actions performed by a UE 102 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue).
  • the UE 102 determines a first encryption key (K AES) using eSKue and a public network key (PKnw).
  • the UE is pre-configured with PKnw.
  • the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and an MSIN of the UE 102 encrypted with K AES.
  • the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw).
  • the UE 102 determines whether the signature can be verified using PKnw.
  • the UE 102 stores ePKnw.
  • the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 determines a second encryption key K AES’ using eSKue’ and ePKnw.
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and a mobile subscriber identifier of the UE 102 encrypted with K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIG. 11 illustrates an exemplary flow diagram 1100 of actions performed by a cellular wireless network entity 350 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
  • the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES).
  • the cellular wireless network entity 350 determines K AES using ePKue received from the UE 102 and a network secret key (SKnw).
  • the cellular wireless network entity 350 is pre-configured with PKnw and SKnw. In some embodiments, PKnw and SKnw are static or infrequently updated by the cellular wireless network entity 350.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier using K AES.
  • the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 sends to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw.
  • the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES’).
  • the cellular wireless network entity 350 determines K AES’ using ePKue’ received from the UE 102 and eSKnw.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIGS. 12A and 12B illustrate exemplary flow diagrams 1200 and 1220 of actions performed by a UE 102 to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
  • a UE 102 receives from a cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw).
  • the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue).
  • the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue.
  • the UE 102 generates a second shared secret (SHS2) using a network public key (PKnw) and eSKue.
  • the UE 102 is pre-configured with PKnw.
  • the UE 102 generates SHS1 and SHS2 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
  • the UE 102 determines a first encryption key (K AES) using SHS1 and SHS2.
  • the UE 102 determines K AES using a key derivation function (KDF).
  • the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier of the UE 102 encrypted with K AES.
  • the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’).
  • the UE 102 stores ePKnw’.
  • the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 generates a third shared secret (SHS1’) using ePKnw’ and eSKue’.
  • the UE 102 generates a fourth shared secret (SHS2’) using PKnw and eSKue’.
  • the UE 102 determines a second encryption key (K AES’) using SHS1’ and SHS2’.
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE 102 encrypted with K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIGS. 13A and 13B illustrate exemplary flow diagrams 1300 and 1320 of actions performed by a cellular wireless network entity 350 to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
  • the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 sends to a UE 102 a first DL message that includes ePKnw.
  • the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES).
  • the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue and eSKnw.
  • the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue and SKnw.
  • the cellular wireless network entity 350 is pre-configured with SKnw.
  • the cellular wireless network entity 350 determines K AES using SHS1 and SHS2.
  • the cellular wireless network entity 350 generates SHS1 and SHS2 using an ECDH key agreement. In some embodiments, the cellular wireless network entity 350 generates K AES using a key derivation function (KDF). At 1314, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES. At 1316, the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’). At 1318, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’.
  • the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES’).
  • the cellular wireless network entity 350 generates a third shared secret (SHS1’) using ePKue’ and eSKnw’.
  • the cellular wireless network entity 350 generates a fourth shared secret (SHS2’) using ePKue’ and SKnw.
  • the cellular wireless network entity 350 determines SHS1’ and SHS2’ using the ECDH key agreement.
  • the cellular wireless network entity 350 determines K AES’ using SHS1’ and SHS2’.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIG. 14 illustrates an exemplary flow diagram 1400 of actions performed by a UE 102 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
  • the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue).
  • the UE 102 determines a first encryption key (K AES) using eSKue and a network public key (PKnw).
  • the UE 102 is pre-configured with PKnw.
  • the UE 102 sends to a cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier of the UE 102 encrypted with K AES.
  • the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw).
  • the UE 102 stores ePKnw.
  • the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’).
  • the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue’.
  • the UE 102 generates a second shared secret (SHS2) using PKnw and eSKue’.
  • the UE 102 generates SHS1 and SHS2 using an ECDH key agreement.
  • the UE 102 determines a second encryption key (K AES’) using SHS1 and SHS2.
  • the UE 102 determines K AES’ from SHS1 and SHS2 using a key derivation function (KDF).
  • the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE 102 encrypted with K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIG. 15 illustrates an exemplary flow diagram 1500 of actions performed by a cellular wireless network entity 350 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
  • the cellular wireless network entity 350 receives from a UE 102 a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES).
  • the cellular wireless network entity 350 determines K AES using ePKue and a network secret key (SKnw).
  • the cellular wireless network entity 350 is pre-configured with SKnw.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES.
  • the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw).
  • the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw.
  • the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES).
  • the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue’ and eSKnw.
  • the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue’ and SKnw.
  • the cellular wireless network entity 350 determines K AES’ using SHS1 and SHS2.
  • the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’.
  • the cellular wireless network entity 350 includes the eNodeB 106.
  • the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
  • FIG. 16 illustrates a detailed view of a representative computing device 1600 that can be used to implement various methods described herein, according to some embodiments.
  • the computing device 1600 can include a processor 1602 that represents a microprocessor or controller for controlling the overall operation of computing device 1600.
  • the computing device 1600 can also include a user input device 1608 that allows a user of the computing device 1600 to interact with the computing device 1600.
  • the user input device 1608 can take a variety of forms, such as a button, keypad, dial, touch screen, audio input interface, visual/image capture input interface, input in the form of sensor data, etc.
  • the computing device 1600 can include a display 1610 (screen display) that can be controlled by the processor 1602 to display information to the user.
  • a data bus 1616 can facilitate data transfer between at least a storage device 1640, the processor 1602, and a controller 1613.
  • the controller 1613 can be used to interface with and control different equipment through an equipment control bus 1614.
  • the computing device 1600 can also include a network/bus interface 1611 that couples to a data link 1612. In the case of a wireless connection, the network/bus interface 1611 can include a wireless transceiver.
  • the computing device 1600 also includes a storage device 1640, which can comprise a single disk or a plurality of disks (e.g., hard drives), and includes a storage management module that manages one or more partitions within the storage device 1640.
  • storage device 1640 can include flash memory, semiconductor (solid state) memory or the like.
  • the computing device 1600 can also include a Random Access Memory (RAM) 1620 and a Read-Only Memory (ROM) 1622.
  • the ROM 1622 can store programs, utilities or processes to be executed in a non-volatile manner.
  • the RAM 1620 can provide volatile data storage, and stores instructions related to the operation of the computing device 1600.
  • the computing device 1600 can further include a secure element 1650, which can represent an eUICC of the UE 102.
  • the various aspects, embodiments, implementations or features of the described embodiments can be used separately or in any combination.
  • Software, hardware, or a combination of hardware and software can implement various aspects of the described embodiments.
  • the described embodiments can also be embodied as computer readable code on a non-transitory computer readable medium.
  • the non-transitory computer readable medium is any data storage device that can store data, which can thereafter be read by a computer system. Examples of the non-transitory computer readable medium include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, hard disk drives, solid state drives, and optical data storage devices.

Abstract

Techniques to protect subscriber identity in messages communicated between a user equipment (UE) and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) are disclosed. The UE determines ephemeral UE public and secret key pairs, while the cellular wireless network entity determines ephemeral network public and secret key pairs. A static network public and secret key pair can be used in conjunction with the ephemeral network keys. Encryption keys based on the ephemeral UE keys and the ephemeral network keys are used to encrypt a mobile subscriber identifier, such as a mobile subscriber identification number (MSIN) portion of the UE's International Mobile Subscriber Identity (IMSI), using the encryption keys for messages communicated between the UE and the cellular wireless network entity. In some embodiments, encryption keys are generated based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol.

Description

SUBSCRIBER IDENTITY PRIVACY PROTECTION
FIELD
The described embodiments set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS).
BACKGROUND
Many wireless devices are configured to use removable Universal Integrated Circuit Cards (UICCs) that enable the wireless devices to access services provided by Mobile Network Operators (MNOs) . In particular, each UICC includes at least a microprocessor and a read-only memory (ROM) , where the ROM is configured to store an MNO profile that the wireless device can use to register and interact with an MNO to obtain wireless services via a cellular wireless network. Typically, a UICC takes the form of a small removable card, (commonly referred to as a Subscriber Identity Module (SIM) card) , which is configured to be inserted into a UICC-receiving bay included in a wireless device. In more recent implementations, UICCs are being embedded directly into system boards of wireless devices. These embedded UICCs (eUICCs) can provide several advantages over traditional, removable UICCs. For example, some eUICCs include a rewritable memory that can facilitate installation, modification, and/or deletion of one or more eSIMs, which can provide for new and/or different services and/or updates for accessing extended features provided by MNOs. An eUICC can store a number of MNO profiles—also referred to herein as eSIMs—and can eliminate the need to include UICC-receiving bays in wireless devices.
An MNO profile includes an International Mobile Subscriber Identity (IMSI) by which a user that subscribes to services provided by the MNO can be identified uniquely by cellular wireless networks. The IMSI includes a mobile country code (MCC) , a mobile network code (MNC) , and a Mobile Subscriber Identification Number (MSIN) . Certain messages sent between the cellular wireless network and the wireless device may include the IMSI in a clear, readable, unencrypted format, and as such the IMSI is open to snooping by passive listening or active request and reply capture techniques.
SUMMARY
Representative embodiments set forth techniques for protecting subscriber identity, such as a mobile subscriber identifier, in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) . The wireless device, such as a user equipment (UE) , determines an ephemeral UE public and secret key pair and generates an encryption key based on the ephemeral UE secret key and a static network public key that can be preconfigured in the UE. The UE encrypts a mobile subscriber identifier, such as an MSIN portion of the UE’s IMSI, using the encryption key and sends an uplink (UL) message to a cellular wireless network entity, such as to an evolved NodeB (eNodeB) or to a next generation NodeB (gNB) , the UL message including the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and a static network secret key that corresponds to the static network public key. The cellular wireless network entity generates an ephemeral network public and secret key pair and sends a downlink (DL) message to the UE that includes the ephemeral network public key and a corresponding signature signed with a secret network key. When the signature is verified, the UE can store the ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message. The UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period. 
In some embodiments, the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key. In some embodiments, the UE generates, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using the ephemeral UE secret key and the ephemeral network public key and a second shared secret using the ephemeral UE secret key and the static network public key. Subsequently, the UE derives the encryption key based on the first and second shared secrets. Similarly, in some embodiments, the cellular wireless network entity generates, based on the ECDH key agreement protocol, the first shared secret using the ephemeral UE public key and the ephemeral network  secret key and the second shared secret using the ephemeral UE public key and the static network secret key, and subsequently derives the encryption key based on the first and second shared secrets. The UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new encryption keys with which to encrypt the mobile subscriber identifier in different messages. PFS is achieved by using ephemeral network key pairs rather than only static network key pairs.
This Summary is provided merely for purposes of summarizing some example embodiments so as to provide a basic understanding of some aspects of the subject matter described herein. Accordingly, it will be appreciated that the above-described features are merely examples and should not be construed to narrow the scope or spirit of the subject matter described herein in any way. Other features, aspects, and advantages of the subject matter described herein will become apparent from the following Detailed Description, Figures, and Claims.
Other aspects and advantages of the embodiments described herein will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
The included drawings are for illustrative purposes and serve only to provide examples of possible structures and arrangements for the disclosed inventive apparatuses and methods for providing wireless computing devices. These drawings in no way limit any changes in form and detail that may be made to the embodiments by one skilled in the art without departing from the spirit and scope of the embodiments. The embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements.
FIG. 1 illustrates a block diagram of different components of an exemplary system configured to implement the various techniques described herein, according to some embodiments.
FIGS. 2A and 2B illustrate flow diagrams of a prior art encryption technique to protect a subscriber identity.
FIG. 3 illustrates an exemplary message exchange of a first technique to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 4 illustrates an exemplary message exchange of a second technique to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 5 illustrates an exemplary message exchange of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 6 illustrates an exemplary message exchange of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 7 illustrates a block diagram of an example of overlapping time periods for the use of keys.
FIGS. 8A and 8B illustrate exemplary flow diagrams of actions performed by a UE to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
FIGS. 9A and 9B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 10 illustrates an exemplary flow diagram of actions performed by a UE to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 11 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
FIGS. 12A and 12B illustrate exemplary flow diagrams of actions performed by a UE to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
FIGS. 13A and 13B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 14 illustrates an exemplary flow diagram of actions performed by a UE to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 15 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
FIG. 16 illustrates a detailed view of a representative computing device that can be used to implement various methods described herein, according to some embodiments.
DETAILED DESCRIPTION
Representative applications of apparatuses and methods according to the presently described embodiments are provided in this section. These examples are being provided solely to add context and aid in the understanding of the described embodiments. It will thus be apparent to one skilled in the art that the presently described embodiments can be practiced without some or all of these specific details. In other instances, well known process steps have not been described in detail in order to avoid unnecessarily obscuring the presently described embodiments. Other applications are possible, such that the following examples should not be taken as limiting.
In accordance with various embodiments described herein, the terms “wireless communication device, ” “wireless device, ” “mobile device, ” “mobile station, ” and “user equipment” (UE) may be used interchangeably herein to describe one or more common consumer electronic devices that may be capable of performing procedures associated with various embodiments of the disclosure. In accordance with various implementations, any one of these consumer electronic devices may relate to: a cellular phone or a smart phone, a tablet computer, a laptop computer, a notebook computer, a personal computer, a netbook computer, a media player device, an electronic book device, a
Figure PCTCN2017096610-appb-000001
device, a wearable computing device, as well as any other type of electronic computing device having wireless communication capability that can include communication via one or more wireless communication protocols such as used for communication on: a wireless wide area network (WWAN) , a wireless metro area network (WMAN) a wireless local area network (WLAN) , a wireless personal area network (WPAN) , a near field communication (NFC) , a cellular wireless network, a fourth generation (4G) Long Term Evolution (LTE) , LTE Advanced (LTE-A) , and/or fifth generation (5G) or other present or future developed advanced cellular wireless networks.
The wireless communication device, in some embodiments, can also operate as part of a wireless communication system, which can include a set of client devices, which can also be referred to as stations, client wireless devices, or client wireless communication devices, interconnected to an access point (AP), e.g., as part of a WLAN, and/or to each other, e.g., as part of a WPAN and/or an “ad hoc” wireless network. In some embodiments, the client device can be any wireless communication device that is capable of communicating via a WLAN technology, e.g., in accordance with a wireless local area network communication protocol. In some embodiments, the WLAN technology can include a Wi-Fi (or more generically a WLAN) wireless communication subsystem or radio, the Wi-Fi radio can implement an Institute of Electrical and Electronics Engineers (IEEE) 802.11 technology, such as one or more of: IEEE 802.11a; IEEE 802.11b; IEEE 802.11g; IEEE 802.11-2007; IEEE 802.11n; IEEE 802.11-2012; IEEE 802.11ac; or other present or future developed IEEE 802.11 technologies.
Additionally, it should be understood that some UEs described herein may be configured as multi-mode wireless communication devices that are also capable of communicating via different third generation (3G) and/or second generation (2G) RATs. In these scenarios, a multi-mode user equipment (UE) can be configured to prefer attachment to LTE networks offering faster data rate throughput, as compared to other 3G legacy networks offering lower data rate throughputs. For instance, in some implementations, a multi-mode UE may be configured to fall back to a 3G legacy network, e.g., an Evolved High Speed Packet Access (HSPA+) network or a Code Division Multiple Access (CDMA) 2000 Evolution-Data Only (EV-DO) network, when LTE and LTE-A networks are otherwise unavailable.
Representative embodiments of methods and apparatus presented herein set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) . PFS is achieved by using ephemeral network key pairs rather than a static network key pair (and/or by limiting the use of a static network key pair) .
In some embodiments, the cellular wireless network entity, such as an evolved NodeB (eNodeB) , is pre-configured with a static network public key and a static network secret key, while the wireless device, such as a user equipment (UE) , is pre-configured with the static network public key. The cellular wireless network  entity generates an ephemeral network public key and an ephemeral network secret key and sends to the UE a downlink (DL) message that includes the ephemeral network public key and a signature of the ephemeral public network key signed by the static network secret key. When the signature is verified using the static network public key, the UE generates an ephemeral UE public key and an ephemeral UE secret key and derives an encryption key based on the ephemeral UE secret key and the ephemeral network public key. The UE encrypts a mobile subscriber identifier, such as a mobile subscriber identification number (MSIN) portion of the UE’s IMSI, using the encryption key and sends to the cellular wireless network entity an uplink (UL) message that includes the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and the ephemeral network secret key. The cellular wireless network entity can then generate a new ephemeral network public and secret key pair and provide the new ephemeral network public key along with a signature to the UE. When the signature is verified, the UE can store the new ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message.
The UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period. In some embodiments, the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key. The encryption key can be derived as an Advanced Encryption Standard (AES) key. In some embodiments, DL messages sent to the UE by the cellular wireless network entity include both an ephemeral network public key and a signature with which to verify the ephemeral network public key. In some embodiments, UL messages sent to the cellular wireless network entity by the UE include an ephemeral UE public key, an encrypted mobile subscriber identifier, and a key identifier (ID) , which can include an ephemeral network public key, a hash of the ephemeral network public key, or a count value. In some embodiments, when an ephemeral network public and secret key pair are explicitly linked to a communication session, such as generated specifically for a particular communication session, the inclusion of a key ID can be optional.
In some embodiments, the UE generates an initial AES encryption key using a pre-configured static network public key and an ephemeral UE secret key generated by the UE. The UE can encrypt the mobile subscriber identifier using the initial AES encryption key and send the encrypted MSIN to the cellular wireless network entity along with an ephemeral UE public key that corresponds to the ephemeral UE secret key. The cellular wireless network entity can derive the initial AES encryption key using the ephemeral UE public key received from the UE and a static network secret key that corresponds to the static network public key. The cellular wireless network entity can decrypt the mobile subscriber identifier using the initial AES encryption key and subsequently generate an ephemeral network public key and an ephemeral network secret key pair. The cellular wireless network entity can send the ephemeral network public key and a signature for verification to the UE, which can store the ephemeral network public key when the signature is verified. Subsequently, the UE can use the ephemeral network public key and a newly generated ephemeral UE secret key to derive a new AES encryption key with which to encrypt the mobile subscriber identifier and send to the cellular wireless network entity. The cellular wireless network entity can derive the new AES encryption key based on the previously generated ephemeral network secret key and the ephemeral UE public key received from the UE, where the new AES encryption key can be used to decrypt the mobile subscriber identifier. The process can continue with newly generated ephemeral keys for each message sent or by reusing the ephemeral keys for a particular communication session between the UE and the cellular wireless network entity or to use within a certain time period.
In some embodiments, the UE and the cellular wireless network entity derive AES encryption keys based on pairs of shared secrets. The UE can generate, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using an ephemeral UE secret key and an ephemeral network public key (received from the cellular wireless network entity in a DL message) and a second shared secret using the ephemeral UE secret key and a pre-configured static network public key. The UE can derive the AES encryption key based on the generated first and second shared secrets. Similarly, the cellular wireless network entity can generate, based on the ECDH key agreement protocol, the first shared secret using an ephemeral UE public key (received from the UE in a UL message) and an ephemeral network secret key (corresponding to the ephemeral network public key sent to the UE in the DL message) and the second shared secret using the ephemeral UE public key and the pre-configured static network secret key. The cellular wireless network entity can derive the AES encryption key based on the derived first and second shared secrets and can decrypt a mobile subscriber identifier that was encrypted by the UE using the same AES encryption key. The UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new AES encryption keys with which to encrypt the mobile subscriber identifier in different messages.
In some embodiments, DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys with signatures for verification. In some embodiments, DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys without signatures for verification. In some embodiments, UL messages sent from the UE to the cellular wireless network entity include a key ID (which can include an ephemeral public network key received from the cellular wireless network entity or a hash thereof, or a count value) to allow the cellular wireless network entity to ascertain the ephemeral network public key used by the UE to generate the encryption key. In some embodiments, the use of the key ID can be optional for a particular communication session when a particular ephemeral network public key and ephemeral network secret key pair is established for use during the communication session.
In some embodiments, static network public keys (and corresponding static network secret keys) can be rotated over time, such as by providing an over the air (OTA) update using a secure communication channel from the cellular wireless network entity to the UE. In some embodiments, use of static network key pairs and/or of ephemeral network key pairs can overlap for a limited period of time. Thus, a previous network key pair (static or ephemeral) can be used for a limited period of time by the UE after receipt of a new network key pair (static or ephemeral). Either the previous “old” network key pair or the “new” network key pair can be used during the overlapping limited period of time. This makes rotation of the network key pairs robust to failures: the newest network key pair can be corrupted in transit and require retransmission, or the UE can fail during processing and thus not properly receive and update the network key pair.
These and other embodiments are discussed below with reference to FIGS. 1 through 16; however, those skilled in the art will readily appreciate that the detailed  description given herein with respect to these figures is for explanatory purposes only and should not be construed as limiting.
FIG. 1 illustrates a block diagram of different components of a system 100 that is configured to implement the various techniques described herein, according to some embodiments. The system 100 includes a UE 102, which includes an IMSI 104 by which a subscription for a user of the UE 102 can be uniquely identified, in communication with an evolved NodeB (eNodeB) 106. The UE 102 and the cellular wireless network entity 350 can communicate via a Uu interface, which for some messages or for certain periods of time, such as prior to establishment of a secure connection between the UE 102 and the eNodeB 106, can be subject to eavesdropping by a third party. While the eNodeB 106 connects to a Mobility Management Entity (MME) 108 of the core network via a secure S1-MME interface, and the MME 108 connects to a Home Subscriber Server (HSS) 110 via a secure S6a interface, the eNodeB 106 can send some messages to and receive some messages from the UE 102 “in the clear”, in some instances. For example, a Radio Resource Control (RRC) paging message sent from the eNodeB 106 to the UE 102 can include the IMSI 104 of the UE 102 in an unprotected manner. Similarly, certain RRC network access stratum (NAS) messages sent from the UE 102 to the eNodeB 106 can also include the IMSI 104 of the UE 102 without encryption to protect the IMSI 104 value from eavesdroppers. Example RRC NAS messages include an RRC Attach Request message, a UE originating RRC Detach Request message, and an RRC Identity Response message. A passive eavesdropping entity, such as passive IMSI catcher 112, can listen for communication sent from the eNodeB 106, such as paging messages, or sent from the UE 102, such as attach/detach request messages, and ascertain the IMSI 104 of the UE 102.
In addition, an active eavesdropping entity, such as active IMSI catcher 114, can mimic communication from the eNodeB 106 and send a Request Identity message to the UE 102 and receive an Identity Response message that includes the IMSI 104 of the UE 102. The Uu interface between the UE 102 and the eNodeB 106 is susceptible to IMSI exposure due to passive and/or active attacks. By having the UE 102 and the eNodeB 106 securely encrypt at least a portion of the IMSI 104, such as the mobile subscriber identification number (MSIN), when communicating over an insecure communication link, the IMSI 104 can be protected from eavesdropping. Moreover, with the use of ephemeral public/secret key pairs, the IMSI 104 can be protected from future decryption as well, thereby achieving perfect forward secrecy should a secret key be compromised.
More generally, the techniques presented herein can apply to any messages that include a mobile subscriber identifier and are communicated between the UE 102 and a cellular wireless network entity, including over insecure connections susceptible to eavesdropping. Examples of a wireless network entity include a radio access network entity, such as the eNodeB 106 or a next generation NodeB (also referred to as a gNodeB or gNB) , or a core network entity, such as the MME 108, the HSS 110, an authentication server function (AUSF) , or an access and mobility function (AMF) . The messages may include a mobile subscriber identifier, such as the MSIN of the IMSI 104, which can be encrypted securely with perfect forward secrecy as described further herein to protect privacy of the mobile subscriber identifier. Mobile subscriber identifiers other than the MSIN or the IMSI 104 can be similarly encrypted and decrypted using combinations of keys as described further herein to protect them from eavesdropping when communicated between the UE 102 and a cellular wireless network entity.
FIGS. 2A and 2B illustrate flow diagrams 200/250 of a prior art encryption technique to protect a subscriber identity. For the UE side encryption flow diagram 200, the UE 102 generates ephemeral key pairs, which include an ephemeral UE public key that can be provided to another party, such as to a network side entity, e.g., the cellular wireless network entity 350, and an ephemeral UE private key (which can also be referred to as a secret key). Based on a key agreement, which both the UE 102 and the cellular wireless network entity 350 know, the UE 102 can generate a shared key (which can also be referred to as a shared secret) based on the ephemeral UE private key and a static public network key (also referred to as a public ECC key for the Home Public Land Mobile Network or HPLMN). Similarly, the network side entity, e.g., the eNodeB 106, can generate the shared key based on the key agreement using the ephemeral UE public key provided by the UE 102 to the network side entity and a static private network key that corresponds to the static public network key known to the UE 102. The UE 102 and the network side entity can use a common key derivation technique to determine an ephemeral encryption key with which to encrypt/decrypt the MSIN portion of an IMSI of the UE 102. As shown, the MCC/MNC portion of the IMSI can remain unencrypted. Both the UE side encryption and the network side encryption can be based on an Elliptic Curve Integrated Encryption Scheme (ECIES). The encryption technique illustrated in FIGS. 2A and 2B uses static network public and private (secret) keys and as such, should the static network private key be compromised, previous communications that include the MSIN encrypted with the static network public key can be decrypted. Thus, perfect forward secrecy cannot be achieved with the use of static network public keys. As discussed herein, using ephemeral network public keys overcomes this deficiency.
FIG. 3 illustrates an exemplary message exchange 300 of a first technique to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw), while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. (Note that the term “secret key” is used herein synonymously for the term “private key”.) At 304, the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw). At 306, the cellular wireless network entity 350 can send to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed with the pre-configured SKnw. At 308, the UE 102 can verify the signature of ePKnw using the pre-configured PKnw. When the signature is verified, the UE 102 can generate its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue). In some embodiments, at 302, the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message. The UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (KAES) using the UE-generated eSKue and the cellular wireless network entity-generated ePKnw. The UE 102 uses KAES to encrypt a mobile subscriber identifier, such as the MSIN portion of the IMSI 104 of the UE 102. At 310, the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes ePKue and the MSIN encrypted using the derived KAES.
In some embodiments, the first UL message also includes a key identifier (ID), such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted. In some embodiments, the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session. At 312, the cellular wireless network entity 350 derives the encryption key KAES based on ePKue received from the UE 102 and the previously generated eSKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key KAES. Subsequently, the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’), where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message. At 314, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’ and a corresponding signature of ePKnw’ signed by SKnw. At 316, the UE 102 can verify the signature of ePKnw’ using the pre-configured PKnw and store ePKnw’ when the signature is verified. Subsequently, at 318, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). Using ePKnw’ received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 can derive a second AES encryption key (KAES’) to encrypt the MSIN included in a subsequent UL message sent to the cellular wireless network entity 350.
At 320, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the MSIN encrypted with KAES’. The cellular wireless network entity 350 can derive KAES’ using ePKue’ and eSKnw’ and decrypt the MSIN. In some embodiments, the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 312 to 316 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
FIG. 4 illustrates an exemplary message exchange 400 of a second technique to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw), while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. Unlike the first technique illustrated in FIG. 3, the cellular wireless network entity 350 does not generate an initial ephemeral network public/secret key pair and send the ephemeral network public key to the UE 102. Instead, the UE 102 uses the static network public key PKnw for an initial encoding. At 402, the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue). At 404, the UE 102 derives a first AES encryption key KAES, using the UE-generated ephemeral secret key eSKue and the pre-configured static network public key PKnw, and uses KAES to encrypt a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102. At 406, the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes the ePKue and the MSIN encrypted using the derived KAES. At 408, the cellular wireless network entity 350 derives the encryption key KAES based on ePKue received from the UE 102 and the pre-configured static SKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key KAES. Subsequently, the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 410, the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw and a corresponding signature of ePKnw signed by SKnw. At 412, the UE 102 can verify the signature of ePKnw using the pre-configured PKnw and store ePKnw when the signature is verified.
Subsequently, at 414, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). Using ePKnw received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 can derive a second AES encryption key (KAES’) to encrypt the MSIN included in a second UL message sent to the cellular wireless network entity 350. At 416, the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with KAES’. At 418, the cellular wireless network entity 350 can derive KAES’ using ePKue’ and eSKnw and decrypt the MSIN. The key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 408 to 418 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
FIG. 5 illustrates an exemplary message exchange 500 of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw), while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. At 504, the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw). At 506, the cellular wireless network entity 350 can send to the UE 102 a first DL message that includes ePKnw. At 508, the UE 102 generates its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue). In some embodiments, at 502, the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message. The UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (KAES) using the UE-generated eSKue, the pre-configured static PKnw, and the cellular wireless network entity-generated ephemeral ePKnw. The UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue and PKnw. The UE 102 then derives the AES encryption key KAES, using a key derivation function (KDF) using SHS1 and SHS2, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using KAES. At 510, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived KAES.
In some embodiments, the first UL message also includes a key identifier (ID), such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted. In some embodiments, the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session. At 512, the cellular wireless network entity 350 derives the encryption key KAES using the KDF on the shared secrets SHS1 and SHS2 derived from ePKue, received from the UE 102, the previously generated eSKnw (for SHS1), and the pre-configured SKnw (for SHS2). The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key KAES. Subsequently, the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’), where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message. At 514, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’. At 316, the UE 102 stores ePKnw’. Subsequently, at 518, the UE 102 generates a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). Using ePKnw’ received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 derives a second AES encryption key (KAES’) to encrypt the MSIN included in a subsequent UL message sent to the cellular wireless network entity 350.
The UE 102 uses the ECDH key agreement to derive new shared secrets SHS1’ from eSKue’ and ePKnw’ and SHS2’ from eSKue’ and PKnw and the KDF to derive the second AES encryption key KAES’. At 520, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the MSIN encrypted with KAES’. The cellular wireless network entity 350 can derive KAES’ using ePKue’, eSKnw’, and eSKnw and decrypt the MSIN. In some embodiments, the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 512 to 516 can repeat again with a new ephemeral network key pair generated and stored for use in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
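The FIG. 5 key derivation can be traced in code. The following is an added example, not part of the patent text; it derives KAES on both sides from SHS1 and SHS2 and checks what a later holder of SKnw can and cannot recompute from the recorded public keys. The curve (X25519), the KDF (HKDF-SHA256), the concatenation of SHS1 and SHS2 as KDF input, the label INFO, and all function names are assumptions chosen for illustration.

```python
# Added example. Assumptions not taken from the patent: X25519 as the ECDH
# group, HKDF-SHA256 as the KDF, SHS1 || SHS2 as KDF input, the INFO label.
# The pure-Python ladder is not constant time; it is for study only.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")
INFO = b"constructed-label/msin-kaes"


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: clamped scalar k times u-coordinate u."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def ecdh(secret: bytes, peer_public: bytes) -> bytes:
    """ECDH shared secret; rejects the all-zero output of low-order points."""
    shared = x25519(secret, peer_public)
    if shared == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return shared


def keypair():
    """Return (secret key, public key) for a fresh random key pair."""
    secret = os.urandom(32)
    return secret, x25519(secret, BASE)


def kdf(*shared_secrets: bytes) -> bytes:
    """HKDF-SHA256 (extract, then one expand block) giving a 256-bit KAES."""
    prk = hmac.new(bytes(32), b"".join(shared_secrets), hashlib.sha256).digest()
    return hmac.new(prk, INFO + b"\x01", hashlib.sha256).digest()


def ue_derive(eSKue, ePKnw, PKnw):
    """UE side of FIG. 5: SHS1 from (eSKue, ePKnw), SHS2 from (eSKue, PKnw)."""
    return kdf(ecdh(eSKue, ePKnw), ecdh(eSKue, PKnw))


def network_derive(ePKue, eSKnw, SKnw):
    """Network side at 512: SHS1 from (eSKnw, ePKue), SHS2 from (SKnw, ePKue)."""
    return kdf(ecdh(eSKnw, ePKue), ecdh(SKnw, ePKue))


def run_exchange():
    SKnw, PKnw = keypair()       # static pair; PKnw is pre-configured in the UE
    eSKnw, ePKnw = keypair()     # 504; ePKnw goes out in the first DL message
    eSKue, ePKue = keypair()     # 508 (or pre-generated at 502)
    kaes_ue = ue_derive(eSKue, ePKnw, PKnw)
    kaes_nw = network_derive(ePKue, eSKnw, SKnw)
    static_only = kdf(ecdh(eSKue, PKnw))   # FIGS. 2A/2B style: static key only

    # Later compromise of SKnw, after eSKnw and eSKue were deleted: only the DH
    # outputs below can be recomputed from SKnw and the recorded public keys.
    shs2 = ecdh(SKnw, ePKue)
    other = ecdh(SKnw, ePKnw)    # not SHS1: SHS1 needs eSKnw or eSKue
    guesses = {kdf(x, y) for x in (shs2, other) for y in (shs2, other)}
    return {
        "keys_match": kaes_ue == kaes_nw,
        "static_only_recovered": kdf(shs2) == static_only,
        "fig5_recovered": kaes_ue in guesses,
    }


if __name__ == "__main__":
    print(run_exchange())
```

KAES would then key an AES mode to encrypt the MSIN; that step is left out because the Python standard library has no AES. The forward-secrecy result holds only if eSKnw and eSKue are erased once the message has been processed.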
FIG. 6 illustrates an exemplary message exchange 600 of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw), while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. At 602, the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue). At 604, the UE 102 derives a first AES encryption key KAES, using the UE-generated eSKue and the pre-configured static PKnw, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using KAES. At 606, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived KAES. At 608, the cellular wireless network entity 350 derives the encryption key KAES based on ePKue received from the UE 102 and the pre-configured static SKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key KAES. Subsequently, the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 610, the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw. At 612, the UE 102 stores ePKnw received from the cellular wireless network entity 350. Subsequently, at 614, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). Using ePKnw received from the cellular wireless network entity 350, the newly generated eSKue’, and the pre-configured static PKnw, the UE 102 derives a second AES encryption key (KAES’) to encrypt the MSIN included in a second UL message sent to the cellular wireless network entity 350.
The UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue’ and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue’ and PKnw. The UE 102 then derives the AES encryption key KAES’ using a key derivation function (KDF) using SHS1 and SHS2. At 616, the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with KAES’. The cellular wireless network entity 350 derives KAES’ using the KDF on shared secrets SHS1 and SHS2 derived from ePKue’, received from the UE 102, the previously generated eSKnw (for SHS1), and the pre-configured SKnw (for SHS2). The cellular wireless network entity 350 decrypts the MSIN using the derived KAES’. The key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. In some embodiments, the key ID includes ePKnw, a hash of ePKnw, or a count value. In some embodiments, the use of the key ID is optional, e.g., when ephemeral network key pairs are shared with more than one UE 102. The process can repeat for each additional message that includes an MSIN, with the cellular wireless network entity 350 generating an ephemeral network key pair (as at 608), communicating the ephemeral network public key to the UE 102 (as at 610), the UE 102 generating its own ephemeral key pair to use with the most recent ephemeral network public key and the static network public key to derive a new encryption key (as at 614) to encrypt the MSIN and send to the cellular wireless network entity 350 (as at 616). The cellular wireless network entity 350 can derive the new encryption key (as at 618) to decrypt the MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106.
In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
FIG. 7 illustrates a block diagram 700 of an example of overlapping time periods for the use of keys. At a time indicated by 702, a first key K1 is established for use over a time period indicated as the K1 lifetime. When changing between different keys, such as when updating ephemeral keys, a lifetime of a previous key can overlap with a lifetime of a newest key. For example, at a time indicated by 704, the second key K2 is established for use over a time period indicated as the K2 lifetime. As indicated in FIG. 7, the K1 and K2 lifetimes span an overlapping time period 712, where both the first key K1 and the second key K2 can be validly used before the first key K1 expires at time 706. The overlap allows for a variable time that the UE 102 can use to switch from using the first key K1 to using the second key K2. Similarly, when a third key K3 is established at time 708, the lifetime of the third key K3 overlaps for the time period 714 until expiration of the second key K2 at time 710. In some embodiments, static network key pairs can be updated by the cellular wireless network entity 350, using an over-the-air (OTA) secure connection between the cellular wireless network entity 350 and the UE 102. Similarly, in some embodiments, the ephemeral network key pairs can overlap in time to allow for unplanned interruptions of transfer of the ephemeral network public key from the cellular wireless network entity 350 to the UE 102 and for delays in updating the ephemeral network public key at the UE 102. Robust key rotation can be achieved by keeping both old and new keys live (e.g., valid for use by the UE 102) during overlapping lifetimes. As discussed herein, some UL messages from the UE 102 can include a key ID to indicate which ephemeral network public key was used by the UE 102 when deriving the encryption key with which the mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, was encrypted.
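The overlapping lifetimes of FIG. 7 combined with key ID lookup, as an added example that is not part of the patent text: a network-side store keeps every unexpired ephemeral key live, resolves the key ID carried in a UL message, and deletes secrets on expiry. The class and method names, the numeric lifetimes, and the use of a full SHA-256 hash of ePKnw as the key ID are assumptions; random bytes stand in for real key material.

```python
# Added example. Names, lifetimes and the SHA-256 key ID are assumptions;
# os.urandom output stands in for a real ephemeral network key pair.
import hashlib
import os
from dataclasses import dataclass


@dataclass
class EphemeralKey:
    public: bytes        # ePKnw, sent to the UE in a DL message
    secret: bytes        # eSKnw, held only by the network entity
    not_before: float    # time the key is established (702, 704, 708)
    not_after: float     # time the key expires (706, 710)


def key_id(public: bytes) -> bytes:
    """Key ID as a hash of ePKnw, one of the options the text lists."""
    return hashlib.sha256(public).digest()


class EphemeralKeyStore:
    def __init__(self, lifetime: float, overlap: float):
        if not 0 < overlap < lifetime:
            raise ValueError("overlap must be positive and shorter than lifetime")
        self.lifetime = lifetime
        self.overlap = overlap
        self._keys = {}

    def rotate(self, now: float) -> EphemeralKey:
        """Establish a new key; older keys stay live until their own expiry."""
        self.purge(now)
        key = EphemeralKey(os.urandom(32), os.urandom(32), now, now + self.lifetime)
        self._keys[key_id(key.public)] = key
        return key

    def next_rotation(self, key: EphemeralKey) -> float:
        """Latest time to establish the successor and keep the overlap window."""
        return key.not_after - self.overlap

    def purge(self, now: float) -> None:
        """Delete expired secrets; forward secrecy depends on this deletion."""
        for kid in [k for k, v in self._keys.items() if v.not_after <= now]:
            del self._keys[kid]

    def lookup(self, kid: bytes, now: float) -> EphemeralKey:
        """Resolve the key ID from a UL message to a key that is still live."""
        self.purge(now)
        key = self._keys.get(kid)
        if key is None or now < key.not_before:
            raise KeyError("unknown or expired key ID")
        return key

    def live_count(self, now: float) -> int:
        self.purge(now)
        return len(self._keys)


if __name__ == "__main__":
    store = EphemeralKeyStore(lifetime=100, overlap=40)   # constructed values
    k1 = store.rotate(now=0)
    k2 = store.rotate(now=store.next_rotation(k1))        # t = 60
    print(store.live_count(now=80), store.live_count(now=110))
```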
FIGS. 8A and 8B illustrate exemplary flow diagrams 800 and 820 of actions performed by a UE 102 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. At 802, the UE 102 receives, from a cellular wireless network entity 350, a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key SKnw (which can be pre-configured in some embodiments and/or static and/or semi-static lasting for a period of time before replacement by the cellular wireless network entity 350). At 804, the UE 102 determines whether the signature can be verified using a corresponding network public key (PKnw). When the signature is verified, at 806, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue). At 808, the UE 102 determines a first encryption key (KAES) using eSKue and ePKnw. At 810, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier encrypted with KAES. At 812, the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’) and a signature of ePKnw’ signed using SKnw. At 814, the UE 102 determines whether the signature can be verified using PKnw. When the signature is verified, at 816, the UE stores ePKnw. At 822, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). At 824, the UE 102 determines a second encryption key (KAES) using eSKue’ and ePKnw’. At 826, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier encrypted with KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106.
In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIGS. 9A and 9B illustrate exemplary flow diagrams 900 and 920 of actions performed by a cellular wireless network entity 350 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. At 902, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a second ephemeral network secret key (eSKnw). At 904, the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw and a signature of ePKnw signed using a network secret key (SKnw), which can be pre-configured and/or static in some embodiments. At 906, the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier (of the UE 102) encrypted with a first encryption key (KAES). At 908, the cellular wireless network entity 350 determines KAES using ePKue and eSKnw. At 910, the cellular wireless network entity 350 decrypts the mobile subscriber identifier using KAES. At 912, the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’). At 914, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’ and a signature of ePKnw’ signed using SKnw. At 922, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key KAES’. At 924, the cellular wireless network entity 350 determines KAES’ using ePKue’ received from the UE 102 and eSKnw’. At 926, the cellular wireless network entity 350 decrypts the mobile subscriber identifier using KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106.
In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIG. 10 illustrates an exemplary flow diagram 1000 of actions performed by a UE 102 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. At 1002, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue). At 1004, the UE 102 determines a first encryption key (KAES) using eSKue and a public network key (PKnw). In some embodiments, the UE is pre-configured with PKnw. At 1006, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and an MSIN of the UE 102 encrypted with KAES. At 1008, the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw). At 1010, the UE 102 determines whether the signature can be verified using PKnw. When the signature is verified, at 1012, the UE 102 stores ePKnw. At 1014, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). At 1016, the UE 102 determines a second encryption key KAES’ using eSKue’ and ePKnw. At 1018, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and a mobile subscriber identifier of the UE 102 encrypted with KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIG. 11 illustrates an exemplary flow diagram 1100 of actions performed by a cellular wireless network entity 350 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. At 1102, the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (KAES). At 1104, the cellular wireless network entity 350 determines KAES using ePKue received from the UE 102 and a network secret key (SKnw). In some embodiments, the cellular wireless network entity 350 is pre-configured with PKnw and SKnw. In some embodiments, PKnw and SKnw are static or infrequently updated by the cellular wireless network entity 350. At 1106, the cellular wireless network entity 350 decrypts the mobile subscriber identifier using KAES. At 1108, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 1110, the cellular wireless network entity 350 sends to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw. At 1112, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (KAES’). At 1114, the cellular wireless network entity 350 determines KAES’ using ePKue’ received from the UE 102 and eSKnw. At 1116, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIGS. 12A and 12B illustrate exemplary flow diagrams 1200 and 1220 of actions performed by a UE 102 to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments. At 1202, a UE 102 receives from a cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw). At 1204, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue). At 1206, the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue. At 1208, the UE 102 generates a second shared secret (SHS2) using a network public key (PKnw) and eSKue. In some embodiments, the UE 102 is pre-configured with PKnw. In some embodiments, the UE 102 generates SHS1 and SHS2 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement. At 1210, the UE 102 determines a first encryption key (KAES) using SHS1 and SHS2. In some embodiments, the UE 102 determines KAES using a key derivation function (KDF). At 1212, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier of the UE 102 encrypted with KAES. At 1214, the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’). At 1216, the UE 102 stores ePKnw’. At 1222, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). At 1224, the UE 102 generates a third shared secret (SHS1’) using ePKnw’ and eSKue’. At 1226, the UE 102 generates a fourth shared secret (SHS2’) using PKnw and eSKue’. At 1228, the UE 102 determines a second encryption key (KAES’) using SHS1’ and SHS2’. At 1230, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE 102 encrypted with KAES’.
In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIGS. 13A and 13B illustrate exemplary flow diagrams 1300 and 1320 of actions performed by a cellular wireless network entity 350 to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments. At 1302, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 1304, the cellular wireless network entity 350 sends to a UE 102 a first DL message that includes ePKnw. At 1306, the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (KAES). At 1308, the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue and eSKnw. At 1310, the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue and SKnw. In some embodiments, the cellular wireless network entity 350 is pre-configured with SKnw. At 1312, the cellular wireless network entity 350 determines KAES using SHS1 and SHS2. In some embodiments, the cellular wireless network entity 350 generates SHS1 and SHS2 using an ECDH key agreement. In some embodiments, the cellular wireless network entity 350 generates KAES using a key derivation function (KDF). At 1314, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using KAES. At 1316, the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’). At 1318, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’.
At 1322, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (KAES’). At 1324, the cellular wireless network entity 350 generates a third shared secret (SHS1’) using ePKue’ and eSKnw’. At 1326, the cellular wireless network entity 350 generates a fourth shared secret (SHS2’) using ePKue’ and SKnw. In some embodiments, the cellular wireless network entity 350 determines SHS1’ and SHS2’ using the ECDH key agreement. At 1328, the cellular wireless network entity 350 determines KAES’ using SHS1’ and SHS2’. At 1330, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIG. 14 illustrates an exemplary flow diagram 1400 of actions performed by a UE 102 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments. At 1402, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue). At 1404, the UE 102 determines a first encryption key (KAES) using eSKue and a network public key (PKnw). In some embodiments, the UE 102 is pre-configured with PKnw. At 1406, the UE 102 sends to a cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier of the UE 102 encrypted with KAES. At 1408, the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw). At 1410, the UE 102 stores ePKnw. At 1412, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’). At 1414, the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue’. At 1416, the UE 102 generates a second shared secret (SHS2) using PKnw and eSKue’. In some embodiments, the UE 102 generates SHS1 and SHS2 using an ECDH key agreement. At 1418, the UE 102 determines a second encryption key (KAES’) using SHS1 and SHS2. In some embodiments, the UE 102 determines KAES’ from SHS1 and SHS2 using a key derivation function (KDF). At 1420, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE 102 encrypted with KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
FIG. 15 illustrates an exemplary flow diagram 1500 of actions performed by a cellular wireless network entity 350 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments. At 1502, the cellular wireless network entity 350 receives from a UE 102 a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (KAES). At 1504, the cellular wireless network entity 350 determines the KAES using ePKue and a network secret key (SKnw). In some embodiments, the cellular wireless network entity 350 is pre-configured with SKnw. At 1506, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using KAES. At 1508, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw). At 1510, the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw. At 1512, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (KAES). At 1514, the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue’ and eSKnw. At 1516, the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue’ and SKnw. At 1518, the cellular wireless network entity 350 determines KAES’ using SHS1 and SHS2. At 1520, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using KAES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
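The FIG. 14 (UE) and FIG. 15 (network) flows above, run end to end as an added example that is not part of the patent text. It assumes P-256 for the ECDH key agreement, HKDF-SHA-256 as the KDF, AES-256-GCM as the AES mode, and a SHA-256 hash of ePKnw as the key ID; all class and function names and the MSIN value are hypothetical.

```javascript
// Added illustration of the FIG. 14 / FIG. 15 exchange; not code from the patent.
// Assumed choices: P-256 ECDH, HKDF-SHA-256, AES-256-GCM, key ID = SHA-256(ePKnw).
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const exportPub = (pub) => pub.export({ type: 'spki', format: 'der' });
const importPub = (der) => crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
const ecdh = (privateKey, publicKey) => crypto.diffieHellman({ privateKey, publicKey });
const keyId = (pubDer) => crypto.createHash('sha256').update(pubDer).digest('hex');

// KDF over one shared secret (KAES) or over SHS1 || SHS2 (KAES').
function deriveKey(secrets) {
  const ikm = Buffer.concat(secrets);
  return Buffer.from(crypto.hkdfSync('sha256', ikm, Buffer.alloc(0), 'msin-privacy-demo', 32));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws on a wrong key
}

class UE {
  constructor(msin, pkNwDer) {
    this.msin = msin;
    this.pkNw = importPub(pkNwDer); // pre-configured PKnw
    this.storedEPkNw = null;        // ePKnw, once a DL message has delivered it
  }

  buildUplink() {
    const eph = newKeyPair();       // fresh ePKue / eSKue for every UL message
    const msg = { ePKue: exportPub(eph.publicKey), keyId: null };
    let key;
    if (this.storedEPkNw === null) {
      key = deriveKey([ecdh(eph.privateKey, this.pkNw)]);             // 1402-1406: KAES
    } else {
      const shs1 = ecdh(eph.privateKey, importPub(this.storedEPkNw)); // 1414: SHS1
      const shs2 = ecdh(eph.privateKey, this.pkNw);                   // 1416: SHS2
      key = deriveKey([shs1, shs2]);                                  // 1418: KAES'
      msg.keyId = keyId(this.storedEPkNw);
    }
    msg.enc = seal(key, this.msin);
    return msg;
  }

  onDownlink(dl) { this.storedEPkNw = dl.ePKnw; }                     // 1408-1410
}

class Network {
  constructor() {
    this.longTerm = newKeyPair();   // PKnw / SKnw
    this.ephemeral = new Map();     // key ID -> eSKnw
  }

  get pkNwDer() { return exportPub(this.longTerm.publicKey); }

  buildDownlink() {                                                   // 1508-1510
    const eph = newKeyPair();
    const ePKnw = exportPub(eph.publicKey);
    this.ephemeral.set(keyId(ePKnw), eph.privateKey);
    return { ePKnw };
  }

  receiveUplink(msg) {
    const ePKue = importPub(msg.ePKue);
    const shs2 = ecdh(this.longTerm.privateKey, ePKue);
    if (msg.keyId === null) return open(deriveKey([shs2]), msg.enc);  // 1502-1506
    const eSKnw = this.ephemeral.get(msg.keyId);
    if (!eSKnw) throw new Error('unknown key ID');
    const shs1 = ecdh(eSKnw, ePKue);                                  // 1514
    return open(deriveKey([shs1, shs2]), msg.enc);                    // 1518-1520
  }
}

function runDemo() {
  const nw = new Network();
  const ue = new UE('0123456789', nw.pkNwDer); // constructed MSIN
  const ul1 = ue.buildUplink();
  const first = nw.receiveUplink(ul1);
  ue.onDownlink(nw.buildDownlink());
  const ul2 = ue.buildUplink();
  const second = nw.receiveUplink(ul2);
  // A party holding SKnw but not eSKnw derives a different key; the GCM tag check fails.
  let sknwOnlyFails = false;
  try {
    open(deriveKey([ecdh(nw.longTerm.privateKey, importPub(ul2.ePKue))]), ul2.enc);
  } catch {
    sknwOnlyFails = true;
  }
  return {
    first,
    second,
    sknwOnlyFails,
    usedKeyId: ul2.keyId !== null,
    sameCiphertext: ul1.enc.ct.equals(ul2.enc.ct),
  };
}
```

The last check in `runDemo` is the point of combining SHS1 and SHS2: the second UL message cannot be opened with SKnw alone, so the long-term key by itself does not expose identifiers sent after the ephemeral network key was delivered.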
FIG. 16 illustrates a detailed view of a representative computing device 1600 that can be used to implement various methods described herein, according to some embodiments. In particular, the detailed view illustrates various components that can be included in the UE 102 illustrated in FIG. 1. As shown in FIG. 16, the computing device 1600 can include a processor 1602 that represents a microprocessor or controller for controlling the overall operation of computing device 1600. The computing device 1600 can also include a user input device 1608 that allows a user of the computing device 1600 to interact with the computing device 1600. For example, the user input device 1608 can take a variety of forms, such as a button, keypad, dial, touch screen, audio input interface, visual/image capture input interface, input in the form of sensor data, etc. Still further, the computing device 1600 can include a display 1610 (screen display) that can be controlled by the processor 1602 to display information to the user. A data bus 1616 can facilitate data transfer between at least a storage device 1640, the processor 1602, and a controller 1613. The controller 1613 can be used to interface with and control different equipment through an equipment control bus 1614. The computing device 1600 can also include a network/bus interface 1611 that couples to a data link 1612. In the case of a wireless connection, the network/bus interface 1611 can include a wireless transceiver.
The computing device 1600 also includes a storage device 1640, which can comprise a single disk or a plurality of disks (e.g., hard drives), and includes a storage management module that manages one or more partitions within the storage device 1640. In some embodiments, storage device 1640 can include flash memory, semiconductor (solid state) memory or the like. The computing device 1600 can also include a Random Access Memory (RAM) 1620 and a Read-Only Memory (ROM) 1622. The ROM 1622 can store programs, utilities or processes to be executed in a non-volatile manner. The RAM 1620 can provide volatile data storage, and stores instructions related to the operation of the computing device 1600. The computing device 1600 can further include a secure element 1650, which can represent an eUICC of the UE 102.
The various aspects, embodiments, implementations or features of the described embodiments can be used separately or in any combination. Software, hardware, or a combination of hardware and software can implement various aspects of the described embodiments. The described embodiments can also be embodied as computer readable code on a non-transitory computer readable medium. The non-transitory computer readable medium is any data storage device that can store data, which can thereafter be read by a computer system. Examples of the non-transitory computer readable medium include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, hard disk drives, solid state drives, and optical data storage devices.
The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the described embodiments. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the described embodiments. Thus, the foregoing descriptions of specific embodiments are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the described embodiments to the precise forms disclosed. It will be apparent to one of ordinary skill in the art that many modifications and variations are possible in view of the above teachings.

Claims (90)

  1. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by the UE:
    receiving from a cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw) ;
    determining whether the signature of ePKnw is verified using a network public key (PKnw) that corresponds to SKnw; and
    when the signature of ePKnw is verified:
    generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ;
    determining a first encryption key using eSKue and ePKnw; and
    sending to the cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key.
  2. The method of claim 1, further comprising:
    by the UE:
    receiving from the cellular wireless network entity a second DL message that includes a second ephemeral network public key (ePKnw’) and a signature of ePKnw’ signed using SKnw;
    determining whether the signature of ePKnw’ is verified using PKnw; and
    when the signature of ePKnw’ is verified, storing ePKnw’ to use for future encryption of the mobile subscriber identifier of the UE.
  3. The method of claim 2, further comprising:
    by the UE:
    generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’);
    determining a second encryption key using eSKue’ and previously stored ePKnw’; and
    sending to the cellular wireless network entity a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE encrypted with the second encryption key.
  4. The method of claim 1, wherein the UE is pre-configured with PKnw.
  5. The method of claim 1, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
  6. The method of claim 1, wherein the UE pre-generates ePKue and eSKue before receipt of the first DL message from the cellular wireless network entity.
  7. The method of claim 1, wherein the first UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the first encryption key.
  8. The method of claim 7, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  9. The method of claim 1, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  10. The method of claim 1, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  11. An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 1 to 10.
  12. A user equipment (UE) comprising:
    wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 1 to 10.
  13. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by a cellular wireless network entity:
    generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ;
    sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using a network secret key (SKnw) ;
    receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key;
    determining the first encryption key using ePKue and eSKnw; and
    decrypting the mobile subscriber identifier using the first encryption key.
  14. The method of claim 13, further comprising:
    by the cellular wireless network entity:
    generating a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’); and
    sending to the UE a second DL message that includes ePKnw’ and a signature of ePKnw’ signed using SKnw,
    wherein ePKnw’ is to be used by the UE for encryption of a subsequently communicated message that includes the mobile subscriber identifier.
  15. The method of claim 14, further comprising:
    by the cellular wireless network entity:
    receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key;
    determining the second encryption key using ePKue’ and eSKnw’; and
    decrypting the mobile subscriber identifier using the second encryption key.
  16. The method of claim 13, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
  17. The method of claim 13, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
  18. The method of claim 13, wherein the first UL message includes a key identifier (ID) and the method further comprises:
    by the cellular wireless network entity:
    determining to use eSKnw to determine the first encryption key based on the key ID.
  19. The method of claim 18, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  20. The method of claim 13, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  21. The method of claim 13, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  22. An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 13 to 21.
  23. A cellular wireless network entity comprising:
    wireless circuitry configurable for wireless communication with a user equipment (UE) ; and
    processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 13 to 21.
  24. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by the UE:
    generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ;
    determining a first encryption key using eSKue and a network public key (PKnw) ;
    sending to a cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key;
    receiving from the cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw) that corresponds to PKnw;
    determining whether the signature of ePKnw is verified using PKnw; and
    storing ePKnw, when the signature of ePKnw is verified.
  25. The method of claim 24, further comprising:
    by the UE:
    generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’);
    determining a second encryption key using eSKue’ and ePKnw; and
    sending to the cellular wireless network entity a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE encrypted with the second encryption key.
  26. The method of claim 25, wherein the second UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the second encryption key.
  27. The method of claim 26, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  28. The method of claim 24, wherein the UE is pre-configured with PKnw.
  29. The method of claim 24, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
  30. The method of claim 24, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  31. The method of claim 24, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  32. An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 24 to 31.
  33. A user equipment (UE) comprising:
    wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 24 to 31.
  34. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by a cellular wireless network entity:
    receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key;
    determining the first encryption key using ePKue and a network secret key (SKnw) ;
    decrypting the mobile subscriber identifier using the first encryption key;
    generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ; and
    sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw.
  35. The method of claim 34, further comprising:
    by the cellular wireless network entity:
    receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key;
    determining the second encryption key using ePKue’ and eSKnw; and
    decrypting the mobile subscriber identifier using the second encryption key.
  36. The method of claim 35, wherein the second UL message includes a key identifier (ID) and the method further comprises:
    by the cellular wireless network entity:
    determining to use eSKnw to determine the second encryption key based on the key ID.
  37. The method of claim 36, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  38. The method of claim 34, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
  39. The method of claim 34, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
  40. The method of claim 34, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  41. The method of claim 34, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  42. An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 34 to 41.
  43. A cellular wireless network entity comprising:
    wireless circuitry configurable for wireless communication with a user equipment (UE) ; and
    processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 34 to 41.
  44. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by the UE:
    receiving from a cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) ;
    generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ;
    generating a first shared secret (SHS1) using ePKnw and eSKue;
    generating a second shared secret (SHS2) using PKnw and eSKue;
    determining a first encryption key using SHS1 and SHS2; and
    sending to the cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key.
  45. The method of claim 44, further comprising:
    by the UE:
    receiving from the cellular wireless network entity a second DL message that includes a second ephemeral network public key (ePKnw’); and
    storing ePKnw’ to use for future encryption of the mobile subscriber identifier of the UE.
  46. The method of claim 45, further comprising:
    by the UE:
    generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’);
    generating a third shared secret (SHS1’) using ePKnw’ and eSKue’;
    generating a fourth shared secret (SHS2’) using PKnw and eSKue’;
    determining a second encryption key using SHS1’ and SHS2’; and
    sending to the cellular wireless network entity a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE encrypted with the second encryption key.
  47. The method of claim 44, wherein the UE is pre-configured with PKnw.
  48. The method of claim 44, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
  49. The method of claim 44, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
  50. The method of claim 44, wherein the UE pre-generates ePKue and eSKue before receipt of the first DL message from the cellular wireless network entity.
  51. The method of claim 44, wherein the first UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the first encryption key.
  52. The method of claim 51, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  53. The method of claim 44, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  54. The method of claim 44, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  55. An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 44 to 54.
  56. A user equipment (UE) comprising:
    wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 44 to 54.
  57. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by a cellular wireless network entity:
    generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ;
    sending to the UE a first downlink (DL) message that includes ePKnw;
    receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key;
    generating a first shared secret (SHS1) using ePKue and eSKnw;
    generating a second shared secret (SHS2) using ePKue and SKnw;
    determining the first encryption key using SHS1 and SHS2; and
    decrypting the mobile subscriber identifier using the first encryption key.
  58. The method of claim 57, further comprising:
    by the cellular wireless network entity:
    generating a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’); and
    sending to the UE a second DL message that includes ePKnw’,
    wherein ePKnw’ is to be used by the UE for encryption of a subsequently communicated message that includes the mobile subscriber identifier.
  59. The method of claim 58, further comprising:
    by the cellular wireless network entity:
    receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key;
    generating a third shared secret (SHS1’) using ePKue’ and eSKnw’;
    generating a fourth shared secret (SHS2’) using ePKue’ and SKnw;
    determining the second encryption key using SHS1’ and SHS2’; and
    decrypting the mobile subscriber identifier using the second encryption key.
  60. The method of claim 57, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
  61. The method of claim 57, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
  62. The method of claim 57, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
  63. The method of claim 57, wherein the first UL message includes a key identifier (ID) and the method further comprises:
    by the cellular wireless network entity:
    determining to use eSKnw to determine the first encryption key based on the key ID.
  64. The method of claim 63, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  65. The method of claim 57, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  66. The method of claim 57, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  67. An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 57 to 66.
  68. A cellular wireless network entity comprising:
    wireless circuitry configurable for wireless communication with a user equipment (UE) ; and
    processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 57 to 66.
  69. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by the UE:
    generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ;
    determining a first encryption key using eSKue and a network public key (PKnw) ;
    sending to a cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key;
    receiving from the cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) ; and
    storing ePKnw.
  70. The method of claim 69, further comprising:
    by the UE:
    generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’);
    generating a first shared secret (SHS1) using ePKnw and eSKue’;
    generating a second shared secret (SHS2) using PKnw and eSKue’;
    determining a second encryption key using SHS1 and SHS2; and
    sending to the cellular wireless network entity a second UL message that includes ePKue’ and the mobile subscriber identifier of the UE encrypted with the second encryption key.
  71. The method of claim 70, wherein the second UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the second encryption key.
  72. The method of claim 71, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  73. The method of claim 70, wherein the second encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
  74. The method of claim 70, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
  75. The method of claim 69, wherein the UE is pre-configured with PKnw.
  76. The method of claim 69, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  77. The method of claim 69, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  78. An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 69 to 77.
  79. A user equipment (UE) comprising:
    wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 69 to 77.
  80. A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising:
    by a cellular wireless network entity:
    receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key;
    determining the first encryption key using ePKue and a network secret key (SKnw) ;
    decrypting the mobile subscriber identifier using the first encryption key;
    generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ;
    sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw;
    receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key;
    generating a first shared secret (SHS1) using ePKue’ and eSKnw;
    generating a second shared secret (SHS2) using ePKue’ and SKnw;
    determining the second encryption key using SHS1 and SHS2; and
    decrypting the mobile subscriber identifier using the second encryption key.
  81. The method of claim 80, wherein the second UL message includes a key identifier (ID) and the method further comprises:
    by the cellular wireless network entity:
    determining to use eSKnw to determine SHS1 based on the key ID.
  82. The method of claim 81, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
  83. The method of claim 80, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
  84. The method of claim 80, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
  85. The method of claim 80, wherein the second encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
  86. The method of claim 80, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
  87. The method of claim 80, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
  88. The method of claim 80, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
  89. An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 80 to 88.
  90. A cellular wireless network entity comprising:
    wireless circuitry configurable for wireless communication with a user equipment (UE) ; and
    processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 80 to 88.
PCT/CN2017/096610 2017-08-09 2017-08-09 Subscriber identity privacy protection WO2019028698A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/096610 WO2019028698A1 (en) 2017-08-09 2017-08-09 Subscriber identity privacy protection

Publications (1)

Publication Number Publication Date
WO2019028698A1 (en) 2019-02-14

Family

ID=65273237

Country Status (1)

Country Link
WO (1) WO2019028698A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552668A (en) * 2008-03-31 2009-10-07 展讯通信(上海)有限公司 Certificating method, user equipment and base station for accessing user equipment into network
US20140219448A1 (en) * 2011-08-24 2014-08-07 Deutsche Telekom Ag Authenticating a telecommunication terminal in a telecommunication network
US20140358777A1 (en) * 2013-05-31 2014-12-04 How Kiap Gueh Method for secure atm transactions using a portable device
US20160302061A1 (en) * 2015-04-08 2016-10-13 Samsung Electronics Co., Ltd. Method and apparatus for downloading a profile in a wireless communication system
WO2016167551A1 (en) * 2015-04-13 2016-10-20 삼성전자 주식회사 Technique for managing profile in communication system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112134831A (en) * 2019-06-25 2020-12-25 中兴通讯股份有限公司 Method and device for sending and processing access request
CN112134831B (en) * 2019-06-25 2023-02-21 中兴通讯股份有限公司 Method and device for sending and processing access request
CN114258693A (en) * 2019-08-18 2022-03-29 苹果公司 Mobile device authentication without Electronic Subscriber Identity Module (ESIM) credentials
CN114258693B (en) * 2019-08-18 2024-02-06 苹果公司 Mobile device authentication without Electronic Subscriber Identity Module (ESIM) credentials
CN111327605A (en) * 2020-01-23 2020-06-23 北京无限光场科技有限公司 Method, terminal, server and system for transmitting private information
WO2021247120A1 (en) * 2020-06-02 2021-12-09 Microsoft Technology Licensing, Llc Ephemeral cryptography keys for authenticating computing services
US11310059B2 (en) 2020-06-02 2022-04-19 Microsoft Technology Licensing, Llc Ephemeral cryptography keys for authenticating computing services
WO2022135399A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method, authentication access controller, request device, storage medium, program, and program product
WO2023025411A1 (en) * 2021-08-23 2023-03-02 Giesecke+Devrient Mobile Security Gmbh Method in a secure element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17920790

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17920790

Country of ref document: EP

Kind code of ref document: A1