WO2020070371A1 - Method and apparatus for security context handling during inter-system change - Google Patents

Method and apparatus for security context handling during inter-system change

Info

Publication number
WO2020070371A1
Authority
WO
WIPO (PCT)
Prior art keywords
eps
security context
nas
amf
mobility management
Prior art date
Application number
PCT/FI2018/050714
Other languages
French (fr)
Inventor
Sung Hwan Won
Original Assignee
Nokia Technologies Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Technologies Oy
Priority to PCT/FI2018/050714 (WO2020070371A1)
Priority to JP2021517968A (JP7192107B2)
Priority to CN201880099980.1A (CN113170369B)
Priority to BR112021006297A (BR112021006297A2)
Priority to EP18936081.1A (EP3861791A4)
Priority to US17/281,778 (US20210385722A1)
Publication of WO2020070371A1
Priority to PH12021550731A (PH12021550731A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/24 Reselection being triggered by specific parameters
    • H04W 36/32 Reselection being triggered by specific parameters by location or mobility data, e.g. speed data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity
    • H04W 12/108 Source integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 60/06 De-registration or detaching

Definitions

  • Various example embodiments relate to security context handling during inter-system change.
  • 3GPP 5G will enhance wireless data transfer speeds also by reducing cell size, which inherently leaves more gaps between cells.
  • the 4G technology will operate as a fallback to provide adequate data access where no 5G is available.
  • there may be repeated hand-overs between the 4G and 5G networks so signaling, both in the core network and in the radio access, may be rapidly multiplied. In addition, emergency services may not be provided by the 5G network while the 4G network is capable of supporting emergency services, especially during early phases of the 5G network deployment. In this case, it is desirable to use the 4G technology as a fallback.
  • a method in user equipment, UE, on idle mode inter-system change, while the UE is in a single registration mode comprising:
  • condition a) the source cellular network is an evolved Universal Terrestrial Radio Access Network, e-UTRAN; and the target cellular network is a Next Generation Radio Access Network, ng-RAN; and the UE does not have a valid native 5G NAS security context; and the UE has a packet data network, PDN, connection for emergency bearer services; and the UE has a current Evolved Packet System, EPS, security context including NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
  • EPS Evolved Packet System
  • condition b) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
  • condition c) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a Protocol Data Unit, PDU, session from N1 mode to S1 mode;
  • condition d) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network supports interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks; and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode; and the UE has a valid native EPS security context.
  • the method of the first example aspect may exclude any of following conditions: a); b); c); d); a) and b); a) and c); a) and d); b) and c); b) and d); a) and b) and c); a) and c) and d); b) and c) and d).
  • the S1 mode may be a mode of a UE allowing access to a 4G core network via a 4G access network.
  • the N1 mode may be a mode of a UE allowing access to a 5G core network via a 5G access network.
  • the signaling channel between the mobility management entities of the source and target cellular networks may be an N26 interface.
  • the mobility management entity in the 5G network may correspond to the access and mobility management function, AMF.
  • the cryptographic protection may be integrity protecting (and partially ciphering, which can be optional) a REGISTRATION REQUEST message with a 5G NAS security context mapped from the current EPS security context.
  • the indication defined in condition a) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network.
  • the null integrity protection algorithm may be EIA0.
  • the null ciphering algorithm may be EEA0.
  • condition b) the cryptographic protection may be integrity protecting a TRACKING AREA UPDATE REQUEST message with the current 5G NAS security context.
  • the indication defined in condition b) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network.
  • condition c) the cryptographic protection may be integrity protecting a TRACKING AREA UPDATE REQUEST message with the current 5G NAS security context.
  • condition d) the cryptographic protection may be integrity protecting an ATTACH REQUEST message with the valid native EPS security context.
  • the indication defined in condition d) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network.
  • the ng-RAN may be compliant with 3GPP 5G release 15.
  • AMF Access and Mobility Management Function
  • NAS Non-Access Stratum
  • security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of the following conditions are met:
  • condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
  • condition 2) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm, such as EIA0 and EEA0;
  • condition 3) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
  • condition 4) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
  • the method may comprise, before the deriving of the mapped security context, receiving the REGISTRATION REQUEST message without integrity protection and encryption.
  • the method may further comprise that, after receiving the REGISTRATION REQUEST message without integrity protection and encryption, the AMF either creates a fresh mapped 5G NAS security context or triggers a primary authentication and key agreement procedure to create a fresh native 5G NAS security context. In particular, if conditions 1) and 3) are met, the AMF may choose between creating a fresh mapped 5G NAS security context and triggering a primary authentication and key agreement procedure to create a fresh native 5G NAS security context.
  • the method of the second example aspect may exclude any of following conditions: 1); 2); 3); 4); 1) and 2); 1) and 3); 1) and 4); 2) and 3); 2) and 4); 1) and 2) and 3); 1) and 3) and 4); 2) and 3) and 4).
  • user equipment comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the user equipment to perform the method of the first example aspect.
  • an Access and Mobility Management Function comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the AMF to perform the method of the second example aspect.
  • an Access and Mobility Management Function configured to handle an idle mode inter-system change of User Equipment, UE, from an evolved universal terrestrial radio access network, e-UTRAN to a Next Generation Radio Access Network, ng-RAN, while the UE is in a single registration mode connection, the AMF comprising:
  • EPS Evolved Packet System
  • means for deriving a mapped Next Generation Radio Access Network, ng-RAN, Non-Access Stratum, NAS, security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of the following conditions are met:
  • condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
  • condition 2) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm;
  • condition 3) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
  • condition 4) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
  • the AMF of the fifth or sixth example aspect may be implemented using virtualization. At least some of the structures implementing the AMF may be provided by a virtualization server.
  • the AMF of the fifth or sixth example aspect may be implemented using clustered processing. At least some of the structures implementing the AMF may be provided by a cluster processing equipment.
  • the AMF of the fifth or sixth example aspect may be implemented using cloud computing. At least some of the structures implementing the AMF may be provided by a cloud computing system.
  • a seventh example aspect of the present invention there is provided a system comprising the UE of the fourth example aspect and the AMF of the fifth or sixth example aspect.
  • the system may further comprise a Mobility Management Entity of the evolved universal terrestrial radio access network.
  • a computer program comprising computer executable program code configured to execute any method of the first or second example aspect.
  • the computer program may be stored in a computer readable memory medium.
  • Any foregoing memory medium may comprise a digital data storage such as a data disc or diskette, optical storage, magnetic storage, holographic storage, opto-magnetic storage, phase-change memory, resistive random access memory, magnetic random access memory, solid-electrolyte memory, ferroelectric random access memory, organic memory or polymer memory.
  • the memory medium may be formed into a device without other substantial functions than storing memory or it may be formed as part of a device with other functions, including but not limited to a memory of a computer, a chip set, and a sub assembly of an electronic device.
  • FIG. 1 shows an architectural drawing of a system of an example embodiment
  • FIG. 2 shows a flow chart of a process of an example embodiment in user equipment
  • FIG. 3 shows a flow chart of a process of an example embodiment in an Access and Mobility Management Function
  • Fig. 4 shows a block diagram of an apparatus of an example embodiment.
  • Fig. 1 shows an architectural drawing of a system 100 of an example embodiment.
  • Fig. 1 shows non-roaming architecture for interworking between 5GS and EPC/E-UTRAN, but suitably demonstrates various network parts and interfaces useful to explain some example embodiments.
  • Fig. 1 shows corresponding parts of Evolved Packet System, EPS, 160 and of a fifth Generation System, 5GS, 170 that are related to EPS and 5GS interworking. It should be appreciated that in practice, the EPS and the 5GS need not comprise functionalities of each other, although it is also possible to implement shared functionalities by a shared execution platform, for example.
  • user equipment 110 are in radio access to respective cellular networks that comprise an evolved Universal Terrestrial Radio Access Network, e-UTRAN, 120 and a Next Generation Radio Access Network, ng-RAN, 130.
  • the EPS comprises the e-UTRAN 120 and Evolved Core Network, EPC, parts such as a Mobility Management Entity, MME, 140.
  • the 5GS 170 comprises the ng-RAN 130 and a 5G core network that comprises, for example, an access and mobility management function, AMF 150.
  • FIG. 2 shows a flow chart of a process 200 of an example embodiment in user equipment, UE, on idle mode inter-system change, while the UE is in a single registration mode, comprising:
  • condition a) 220 the source cellular network is an e-UTRAN; and the target cellular network is an ng-RAN; and the UE does not have a valid native 5G NAS security context; and the UE has a packet data network, PDN, connection for emergency bearer services; and the UE has a current EPS security context including NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
  • condition b) 230 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
  • condition c) 240 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode;
  • condition d) 250 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network supports interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks; and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode; and the UE has a valid native EPS security context.
  • FIG. 3 shows a flow chart of a process of an example embodiment in the AMF, for handling an idle mode inter-system change of the UE, from an e-UTRAN to an ng-RAN, while the UE is in a single registration mode connection, comprising:
  • condition 1) 320 the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
  • condition 2) 330 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from an MME of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm, such as EIA0 and EEA0;
  • condition 3) 340 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
  • condition 4) 350 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
  • the method may comprise, before the deriving of the mapped security context, receiving 360 the REGISTRATION REQUEST message without integrity protection and encryption.
  • FIG. 4 shows a block diagram of an apparatus 300 according to an embodiment of the invention.
  • the apparatus 400 comprises a memory 440 including a persistent computer program code 450.
  • the apparatus 400 further comprises a processor 420 for controlling the operation of the apparatus 400 using the computer program code 440, a communication unit 410 for communicating with other nodes.
  • the communication unit 410 comprises, for example, a local area network (LAN) port; a wireless local area network (WLAN) unit; Bluetooth unit; cellular data communication unit; or satellite data communication unit.
  • the processor 420 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; and a microcontroller.
  • the apparatus may further comprise a user interface (U/I) 430.
  • NAS security related parameters encapsulated in the AS signaling from the AMF to the UE triggering the inter-system change in 5GMM-CONNECTED mode.
  • the UE uses these parameters to generate the mapped 5G NAS security context; and b) after the inter-system change in 5GMM-CONNECTED mode, the transmission of a REGISTRATION REQUEST message from the UE to the AMF.
  • the UE shall send this message integrity protected using the mapped 5G NAS security context, but unciphered.
  • the UE shall transmit a REGISTRATION REQUEST message integrity protected with the native 5G NAS security context.
  • the UE shall include the ngKSI indicating the native 5G NAS security context value in the REGISTRATION REQUEST message.
  • After receiving the REGISTRATION REQUEST message including the ngKSI indicating a native 5G NAS security context value, the AMF shall check whether the ngKSI included in the REGISTRATION REQUEST message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the REGISTRATION REQUEST message. If the verification is successful, the AMF deletes the EPS security context received from the source MME, if any, and the AMF re-establishes the secure exchange of NAS messages by either: i) replying with a REGISTRATION ACCEPT message that is integrity protected and ciphered using the native 5G NAS security context.
  • the UE shall send the REGISTRATION REQUEST message without integrity protection and encryption.
  • the AMF shall either create a fresh mapped 5G NAS security context or trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or 2) if interworking without N26 is supported, the AMF shall trigger a primary authentication and key agreement procedure.
  • the newly created 5G NAS security context is taken into use by initiating a security mode control procedure and this context becomes the current 5G NAS security context in both the UE and the AMF. This re-establishes the secure exchange of NAS messages; or ii) if the UE has a PDN connection for emergency bearer services, the UE has a current EPS security context including the NAS security algorithms set to EIA0 and EEA0, and the UE received an "interworking without N26 not supported" indication from the network, the UE shall derive a mapped 5G NAS security context from the current EPS security context and transmit a REGISTRATION REQUEST message integrity protected with the mapped 5G NAS security context. The UE shall include the ngKSI indicating the mapped 5G NAS security context value in the REGISTRATION REQUEST message.
  • the AMF not supporting interworking without N26 shall derive a mapped 5G NAS security context from the EPS security context and check whether the ngKSI included in the REGISTRATION REQUEST message matches the ngKSI of the mapped 5G NAS security context. If the check is successful, the AMF re-establishes the secure exchange of NAS messages by replying with a REGISTRATION ACCEPT message that is integrity protected and ciphered using the mapped 5G NAS security context. b) if the UE operating in single-registration mode has no valid native 5G NAS security context, the UE shall send the REGISTRATION REQUEST message without integrity protection and encryption.
  • the AMF shall either create a fresh mapped 5G NAS security context or trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or 2) if an EPS security context received from the source MME includes the NAS security algorithms set to EIA0 and EEA0, the AMF shall create a fresh mapped 5G NAS security context; or ii) if interworking without N26 is supported, the AMF shall trigger a primary authentication and key agreement procedure.
  • the newly created 5G NAS security context is taken into use by initiating a security mode control procedure and this context becomes the current 5G NAS security context in both the UE and the AMF. This re-establishes the secure exchange of NAS messages.
  • NAS security related parameters encapsulated in the AS signaling from the AMF to the UE triggering the inter-system change in 5GMM-CONNECTED mode.
  • the UE uses these parameters to generate the mapped EPS security context; and b) after the inter-system change in 5GMM-CONNECTED mode, the transmission of a TRACKING AREA UPDATE REQUEST message from the UE to the MME.
  • the UE shall send this message integrity protected using the mapped EPS security context, but unciphered.
  • the UE shall transmit a TRACKING AREA UPDATE REQUEST message integrity protected with the current 5G NAS security context and the UE shall derive a mapped EPS security context.
  • the UE shall include the eKSI indicating the mapped EPS security context value in the TRACKING AREA UPDATE REQUEST message.
  • After receiving the TRACKING AREA UPDATE REQUEST message including the eKSI, the MME forwards the TRACKING AREA UPDATE REQUEST message to the source AMF.
  • the source AMF shall use the eKSI value field to identify a 5G NAS security context available in the AMF, and shall verify the MAC of the TRACKING AREA UPDATE REQUEST message using the 5G NAS security context. If the verification is successful, the AMF shall derive a mapped EPS security context from the 5G NAS security context and send the mapped EPS security context to the MME.
  • the MME re-establishes the secure exchange of NAS messages by either: i) replying with a TRACKING AREA UPDATE ACCEPT message that is integrity protected and ciphered using the mapped 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the MME are sent integrity protected and except for the messages such as ATTACH
  • b) if the UE received an "interworking without N26 supported" indication from the network and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode and: i) if the UE has a valid native EPS security context, the UE shall send an ATTACH REQUEST message integrity protected with the native EPS security context. The UE shall include the eKSI indicating the native EPS security context value in the ATTACH REQUEST message. ii) if the UE has no valid native EPS security context, the UE shall send an ATTACH REQUEST message without integrity protection and encryption.
  • After receiving the ATTACH REQUEST message, the MME shall proceed with the attach procedure.
  • NAS security related parameters encapsulated in the AS signaling from the target AMF to the UE triggering the N1 mode to N1 mode handover.
  • the UE uses these parameters to create a new 5G NAS security context.
  • the secure exchange of NAS messages shall be continued after N1 mode to N1 mode handover. It is terminated after inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode or when the NAS signaling connection is released.
  • When a UE in 5GMM-IDLE mode establishes a new NAS signaling connection and has a valid current 5G NAS security context, the UE shall transmit the initial NAS message integrity protected with the current 5G NAS security context, but unciphered.
  • the UE shall include the ngKSI indicating the current 5G NAS security context value in the initial NAS message.
  • the AMF shall check whether the ngKSI included in the initial NAS message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the NAS message. If the verification is successful, the AMF may re-establish the secure exchange of NAS messages:
  • circuitry may refer to one or more or all of the following:
  • software e.g., firmware
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • a technical effect of one or more of the example embodiments disclosed herein is that it may be possible to avoid unnecessary 5GMM procedures being initiated which results in worsening user experience for a critical call.
  • Another technical effect of one or more of the example embodiments disclosed herein is that radio interface and/or core network signaling may be reduced.
  • security may be improved by increasing use of previously established security contexts so that clear text transmission of data may be reduced over radio interface and/or in one or more core networks.
  • Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a "computer-readable medium" may be any non-transitory media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in Fig. 4.
  • a computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
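The two decision procedures listed above, the UE-side cases a) to d) and the AMF-side cases 1) to 4), written out as one function each so the branch taken for a given state can be checked. This is an added example, not code from the patent or from 3GPP; the dataclass field names, the Rat enum and the action strings are my own assumptions, and the fall-through branches (native context present, or no usable context at all) follow the "the UE shall ..." bullets above.

```python
# Added example (not the patent's or 3GPP's code): UE cases a)-d) and AMF
# cases 1)-4) from this page as decision functions. Field names, the enum
# and the action strings are my own assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

EIA0, EEA0 = "EIA0", "EEA0"  # null integrity and null ciphering algorithms


class Rat(Enum):
    E_UTRAN = "e-UTRAN"  # S1 mode, EPS side
    NG_RAN = "ng-RAN"    # N1 mode, 5GS side


@dataclass(frozen=True)
class EpsContext:
    integrity_alg: str
    ciphering_alg: str

    def is_null(self) -> bool:
        """EPS NAS security algorithms set to EIA0 and EEA0."""
        return (self.integrity_alg, self.ciphering_alg) == (EIA0, EEA0)


@dataclass(frozen=True)
class UeState:
    source: Rat
    target: Rat
    native_5g_ctx: bool        # holds a valid native 5G NAS security context
    native_eps_ctx: bool       # holds a valid native EPS security context
    current_eps_ctx: Optional[EpsContext]
    emergency_pdn: bool        # PDN connection for emergency bearer services
    iwk_without_n26: bool      # network indicated "interworking without N26 supported"
    attach_pdn_handover: bool  # supports ATTACH REQUEST + PDN CONNECTIVITY REQUEST "handover"


def ue_initial_nas_message(s: UeState) -> Tuple[str, str, str]:
    """(matched condition or '-', initial NAS message, protection applied)."""
    if s.source is Rat.E_UTRAN and s.target is Rat.NG_RAN:
        if s.native_5g_ctx:
            return ("-", "REGISTRATION REQUEST", "integrity protected, native 5G NAS context")
        if (s.emergency_pdn and s.current_eps_ctx is not None
                and s.current_eps_ctx.is_null() and not s.iwk_without_n26):
            # condition a): mapped 5G NAS context derived from the current EPS context
            return ("a", "REGISTRATION REQUEST", "integrity protected, mapped 5G NAS context")
        return ("-", "REGISTRATION REQUEST", "no integrity protection, no ciphering")
    if s.source is Rat.NG_RAN and s.target is Rat.E_UTRAN:
        if not s.iwk_without_n26:  # condition b)
            return ("b", "TRACKING AREA UPDATE REQUEST", "integrity protected, current 5G NAS context")
        if not s.attach_pdn_handover:  # condition c)
            return ("c", "TRACKING AREA UPDATE REQUEST", "integrity protected, current 5G NAS context")
        if s.native_eps_ctx:  # condition d)
            return ("d", "ATTACH REQUEST", "integrity protected, native EPS context")
        return ("-", "ATTACH REQUEST", "no integrity protection, no ciphering")
    raise ValueError("not an inter-system change")


@dataclass(frozen=True)
class AmfInput:
    reg_request_protected: bool  # REGISTRATION REQUEST arrived integrity protected
    ngksi_mapped_000: bool       # its ngKSI indicates a mapped 5G NAS context, value "000"
    iwk_without_n26: bool        # this AMF supports interworking without N26
    eps_ctx_from_mme: Optional[EpsContext]


def amf_security_decision(a: AmfInput) -> Tuple[List[str], str]:
    """(conditions 1)-4) that are met, action the AMF takes) for e-UTRAN -> ng-RAN."""
    met: List[str] = []
    if not a.reg_request_protected and a.ngksi_mapped_000:
        met.append("1")
    if not a.iwk_without_n26 and a.eps_ctx_from_mme is not None:
        # the page words 2) and 4) identically, so both match together
        met += ["2", "4"] if a.eps_ctx_from_mme.is_null() else ["3"]
    if a.iwk_without_n26:
        return (met, "primary authentication -> fresh native 5G NAS context")
    if "2" in met:
        return (met, "create fresh mapped 5G NAS context from the EPS context")
    if "1" in met and "3" in met:
        return (met, "AMF choice: fresh mapped 5G NAS context or primary authentication")
    if met:
        return (met, "derive mapped 5G NAS context from the EPS context")
    return (met, "primary authentication -> fresh native 5G NAS context")
```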

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

Method and apparatus for deriving a cryptographic protection to a new initial non-access stratum, NAS, message for a target network from an existing security context in an idle mode inter-system change when one or more of conditions a) to d) is met, and for deriving a mapped 5G NAS security context from a source cellular network that is an EPS security context maintained by a source MME of the EPS, in an idle mode inter-system change, when one or more of conditions 1) to 4) is met, optionally after receiving a REGISTRATION REQUEST message without integrity protection and encryption.

Description

METHOD AND APPARATUS FOR SECURITY CONTEXT HANDLING DURING INTERSYSTEM CHANGE
TECHNICAL FIELD
[0001] Various example embodiments relate to security context handling during inter-system change.
BACKGROUND
[0002] This section illustrates useful background information without admission of any technique described herein representative of the state of the art.
[0003] Cellular phones have evolved from mobile voice transfer devices to omnipotent computers. Wireless data transfer, particularly Internet use, requires high data transfer capacity. This trend has driven the development of new cellular telecommunication standards from 2G with GSM towards 5G, which will have exceedingly fast data transfer and now also functions as services that communicate with each other.
[0004] Common to previous generations, also in the 5G the privacy and accountability of cellular telecommunications have remained essential. These have been safeguarded by use of cryptography to authenticate the subscriber, authorize telecommunications (and associated charging) and to protect the communications. These measures require signaling in both a core network that contains and manages the infrastructure of a cellular network and also over a radio interface between the mobile stations and the cellular network. All such signaling comes with a computation cost and use of limited signaling resources. The signaling resources are particularly valuable in the radio interface where every symbol used for anything else than transfer of user data reduces the capacity to transfer user data.
[0005] 3GPP 5G will enhance wireless data transfer speeds also by reducing cell size, which inherently leaves more gaps between cells. The 4G technology will operate as a fallback to provide adequate data access where no 5G is available. At the fringes of 5G cells, there may be repeated hand-overs between the 4G and 5G networks, so signaling, both in the core network and in the radio access, may be rapidly multiplied. In addition, emergency services may not be provided by the 5G network while the 4G network is capable of supporting emergency services, especially during early phases of the 5G network deployment. In this case, it is desirable to use the 4G technology as a fallback.
SUMMARY
[0006] Various aspects of examples of the invention are set out in the claims.
[0007] According to a first example aspect of the present invention, there is provided a method in user equipment, UE, on idle mode inter-system change, while the UE is in a single registration mode, comprising:
[0008] deriving a cryptographic protection to a new initial non-access stratum, NAS, message for a target network from an existing security context in an idle mode inter-system change, if any one or more of following conditions are met:
[0009] condition a) the source cellular network is an evolved Universal Terrestrial Radio Access Network, e-UTRAN; and the target cellular network is a Next Generation Radio Access Network, ng-RAN; and the UE does not have a valid native 5G NAS security context; and the UE has a packet data network, PDN, connection for emergency bearer services; and the UE has a current Evolved Packet System, EPS, security context including NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
[0010] condition b) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
[0011] condition c) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a Protocol Data Unit, PDU, session from N1 mode to S1 mode;
[0012] condition d) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network supports interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks; and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode; and the UE has a valid native EPS security context.
[0013] The method of the first example aspect may exclude any of following conditions: a); b); c); d); a) and b); a) and c); a) and d); b) and c); b) and d); a) and b) and c); a) and c) and d); b) and c) and d).
[0014] The S1 mode may be a mode of a UE allowing access to a 4G core network via a 4G access network. The N1 mode may be a mode of a UE allowing access to a 5G core network via a 5G access network.
[0015] The signaling channel between the mobility management entities of the source and target cellular networks may be an N26 interface. The mobility management entity in the 5G network may correspond to the access and mobility management function, AMF.
[0016] In case of condition a), the cryptographic protection may be integrity protecting (and partially ciphering, which can be optional) a REGISTRATION REQUEST message with a 5G NAS security context mapped from the current EPS security context. The indication defined in condition a) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network. The null integrity protection algorithm may be EIA0. The null ciphering algorithm may be EEA0.
[0017] In case of condition b), the cryptographic protection may be integrity protecting a TRACKING AREA UPDATE REQUEST message with the current 5G NAS security context. The indication defined in condition b) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network.
[0018] In case of condition c), the cryptographic protection may be integrity protecting a TRACKING AREA UPDATE REQUEST message with the current 5G NAS security context.
[0019] In case of condition d), the cryptographic protection may be integrity protecting an ATTACH REQUEST message with the valid native EPS security context. The indication defined in condition d) may be received from any of: the source cellular network; the target cellular network; or both the source cellular network and the target cellular network.
[0020] The ng-RAN may be compliant with 3GPP 5G release 15.
[0021] According to a second example aspect of the present invention, there is provided a method in an Access and Mobility Management Function, AMF, for handling an idle mode inter-system change of User Equipment, UE, from an evolved universal terrestrial radio access network, e-UTRAN to a Next Generation Radio Access Network, ng-RAN, while the UE is in a single registration mode connection, comprising:
[0022] deriving a mapped 5G Non-Access Stratum, NAS, security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of following conditions are met:
[0023] condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
[0024] condition 2) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm, such as EIA0 and EEA0;
[0025] condition 3) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
[0026] condition 4) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
[0027] The method may comprise, before the deriving of the mapped security context, receiving the REGISTRATION REQUEST message without integrity protection and encryption.
[0028] The method may further comprise that, after receiving the REGISTRATION REQUEST message without integrity protection and encryption, the AMF either creates a fresh mapped 5G NAS security context or triggers a primary authentication and key agreement procedure to create a fresh native 5G NAS security context. In particular, if conditions 1) and 3) are met, the AMF may choose between creating a fresh mapped 5G NAS security context and triggering a primary authentication and key agreement procedure to create a fresh native 5G NAS security context.
[0029] The method of the second example aspect may exclude any of following conditions: 1); 2); 3); 4); 1) and 2); 1) and 3); 1) and 4); 2) and 3); 2) and 4); 1) and 2) and 3); 1) and 3) and 4); 2) and 3) and 4).
[0030] According to a third example aspect, there is provided a process comprising the first and second example aspects.
[0031] According to a fourth example aspect, there is provided user equipment comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the user equipment to perform the method of the first example aspect.
[0032] According to a fifth example aspect, there is provided an Access and Mobility Management Function, AMF comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the AMF to perform the method of the second example aspect.
[0033] According to a sixth example aspect, there is provided an Access and Mobility Management Function, AMF, configured to handle an idle mode inter-system change of User Equipment, UE, from an evolved universal terrestrial radio access network, e-UTRAN to a Next Generation Radio Access Network, ng-RAN, while the UE is in a single registration mode connection, the AMF comprising:
[0034] means for communicating with an Evolved Packet System, EPS, that comprises the e-UTRAN and for communicating with the UE; and
[0035] means for deriving a mapped Next Generation Radio Access Network, ng-RAN, Non-Access Stratum, NAS, security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of following conditions are met:
[0036] condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
[0037] condition 2) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm;
[0038] condition 3) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
[0039] condition 4) interworking without a signaling channel between mobility management entities of the EPS and the ng-RAN is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
[0040] The AMF of the fifth or sixth example aspect may be implemented using virtualization. At least some of the structures implementing the AMF may be provided by a virtualization server.
[0041] The AMF of the fifth or sixth example aspect may be implemented using clustered processing. At least some of the structures implementing the AMF may be provided by a cluster processing equipment.
[0042] The AMF of the fifth or sixth example aspect may be implemented using cloud computing. At least some of the structures implementing the AMF may be provided by a cloud computing system.
[0043] According to a seventh example aspect of the present invention, there is provided a system comprising the UE of the fourth example aspect and the AMF of the fifth or sixth example aspect.
[0044] The system may further comprise a Mobility Management Entity of the evolved universal terrestrial radio access network.
[0045] According to an eighth example aspect of the present invention, there is provided a computer program comprising computer executable program code configured to execute any method of the first or second example aspect.
[0046] The computer program may be stored in a computer readable memory medium.
[0047] Any foregoing memory medium may comprise a digital data storage such as a data disc or diskette, optical storage, magnetic storage, holographic storage, opto-magnetic storage, phase-change memory, resistive random access memory, magnetic random access memory, solid-electrolyte memory, ferroelectric random access memory, organic memory or polymer memory. The memory medium may be formed into a device without other substantial functions than storing memory or it may be formed as part of a device with other functions, including but not limited to a memory of a computer, a chip set, and a sub assembly of an electronic device.
[0048] Different non-binding example aspects and embodiments of the present invention have been illustrated in the foregoing. The embodiments in the foregoing are used merely to explain selected aspects or steps that may be utilized in implementations of the present invention. Some embodiments may be presented only with reference to certain example aspects of the invention. It should be appreciated that corresponding embodiments may apply to other example aspects as well.
BRIEF DESCRIPTION OF THE DRAWINGS
[0049] For a more complete understanding of example embodiments of the present invention, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
[0050] Fig. 1 shows an architectural drawing of a system of an example embodiment;
[0051] Fig. 2 shows a flow chart of a process of an example embodiment in user equipment; and
[0052] Fig. 3 shows a flow chart of a process of an example embodiment in an Access and Mobility Management Function;
[0053] Fig. 4 shows a block diagram of an apparatus of an example embodiment.
DETAILED DESCRIPTION OF THE DRAWINGS
[0054] An example embodiment of the present invention and its potential advantages are understood by referring to Figs. 1 through 4 of the drawings. In this document, like reference signs denote like parts or steps.
[0055] Fig. 1 shows an architectural drawing of a system 100 of an example embodiment. Fig. 1 shows non-roaming architecture for interworking between 5GS and EPC/E-UTRAN, but suitably demonstrates various network parts and interfaces useful to explain some example embodiments. Fig. 1 shows corresponding parts of Evolved Packet System, EPS, 160 and of a fifth Generation System, 5GS, 170 that are related to EPS and 5GS interworking. It should be appreciated that in practice, the EPS and the 5GS need not comprise functionalities of each other, although it is also possible to implement shared functionalities by a shared execution platform, for example.
[0056] In Fig. 1, user equipment 110 are in radio access to respective cellular networks that comprise an evolved Universal Terrestrial Radio Access Network, e-UTRAN, 120 and a Next Generation Radio Access Network, ng-RAN, 130. The EPS comprises the e-UTRAN 120 and Evolved Core Network, EPC, parts such as a Mobility Management Entity, MME, 140.
[0057] The 5GS 170 comprises the ng-RAN 130 and a 5G core network that comprises, for example, an access and mobility management function, AMF 150.
[0058] Fig. 2 shows a flow chart of a process 200 of an example embodiment in user equipment, UE, on idle mode inter-system change, while the UE is in a single registration mode, comprising:
[0059] deriving 210 a cryptographic protection to a new initial non-access stratum, NAS, message for a target network from an existing security context in an idle mode inter-system change, if any one or more of following conditions are met:
[0060] condition a) 220 the source cellular network is an e-UTRAN; and the target cellular network is an ng-RAN; and the UE does not have a valid native 5G NAS security context; and the UE has a packet data network, PDN, connection for emergency bearer services; and the UE has a current EPS security context including NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
[0061] condition b) 230 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks;
[0062] condition c) 240 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode;
[0063] condition d) 250 the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network supports interworking with the target cellular network without a signaling channel between mobility management entities of the source and target cellular networks; and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode; and the UE has a valid native EPS security context.
[0064] Fig. 3 shows a flow chart of a process of an example embodiment in the AMF, for handling an idle mode inter-system change of the UE, from an e-UTRAN to an ng-RAN, while the UE is in a single registration mode connection, comprising:
[0065] deriving 310 a mapped 5G NAS security context from a source cellular network that is an EPS security context maintained by a source MME of the EPS, in an idle mode inter-system change, if any one or more of following conditions are met:
[0066] condition 1) 320 the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
[0067] condition 2) 330 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from an MME of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm, such as EIA0 and EEA0;
[0068] condition 3) 340 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
[0069] condition 4) 350 interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
[0070] The method may comprise, before the deriving of the mapped security context, receiving 360 the REGISTRATION REQUEST message without integrity protection and encryption.
[0071] Fig. 4 shows a block diagram of an apparatus 300 according to an embodiment of the invention.
[0072] The apparatus 400 comprises a memory 440 including a persistent computer program code 450. The apparatus 400 further comprises a processor 420 for controlling the operation of the apparatus 400 using the computer program code 440, and a communication unit 410 for communicating with other nodes. The communication unit 410 comprises, for example, a local area network (LAN) port; a wireless local area network (WLAN) unit; Bluetooth unit; cellular data communication unit; or satellite data communication unit. The processor 420 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; and a microcontroller. The apparatus may further comprise a user interface (U/I) 430.
[0073] Some non-limiting example use cases are next described in context of 3GPP TS 24.501 V15.1.0 section 4.4.2.5, Establishment of secure exchange of NAS messages.
Secure exchange of NAS messages via a NAS signaling connection is usually established by the AMF during the registration procedure by initiating a security mode control procedure. After successful completion of the security mode control procedure, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the current 5G security algorithms, and except for the messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND messages, all NAS messages exchanged between the UE and the AMF are sent ciphered using the current 5G security algorithms.
During inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, secure exchange of NAS messages is established between the AMF and the UE by:
a) the transmission of NAS security related parameters encapsulated in the AS signaling from the AMF to the UE triggering the inter-system change in 5GMM-CONNECTED mode. The UE uses these parameters to generate the mapped 5G NAS security context; and
b) after the inter-system change in 5GMM-CONNECTED mode, the transmission of a REGISTRATION REQUEST message from the UE to the AMF. The UE shall send this message integrity protected using the mapped 5G NAS security context, but unciphered. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the mapped 5G NAS security context, and except for the messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND messages, all NAS messages exchanged between the UE and the AMF are sent ciphered using the mapped 5G NAS security context.
During inter-system change from S1 mode to N1 mode in 5GMM-IDLE mode, if the UE is operating in single-registration mode and:
a) if the UE has a valid native 5G NAS security context, the UE shall transmit a REGISTRATION REQUEST message integrity protected with the native 5G NAS security context. The UE shall include the ngKSI indicating the native 5G NAS security context value in the REGISTRATION REQUEST message.
After receiving the REGISTRATION REQUEST message including the ngKSI indicating a native 5G NAS security context value, the AMF shall check whether the ngKSI included in the REGISTRATION REQUEST message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the REGISTRATION REQUEST message. If the verification is successful, the AMF deletes the EPS security context received from the source MME if any, and the AMF re-establishes the secure exchange of NAS messages by either:
i) replying with a REGISTRATION ACCEPT message that is integrity protected and ciphered using the native 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected and except for the messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND messages, all NAS messages exchanged between the UE and the AMF are sent ciphered; or
ii) initiating a security mode control procedure. This can be used by the AMF to take a non-current 5G NAS security context into use or to modify the current 5G NAS security context by selecting new NAS security algorithms.
b) if the UE has no valid native 5G NAS security context and:
i) if the UE has no PDN connection for emergency bearer services, the UE has a current EPS security context not including the NAS security algorithms set to EIA0 and EEA0, or the UE received an "interworking without N26 supported" indication from the network, the UE shall send the REGISTRATION REQUEST message without integrity protection and encryption.
After receiving the REGISTRATION REQUEST message without integrity protection and encryption:
1) if interworking without N26 is not supported, the AMF shall either create a fresh mapped 5G NAS security context or trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or
2) if interworking without N26 is supported, the AMF shall trigger a primary authentication and key agreement procedure.
The newly created 5G NAS security context is taken into use by initiating a security mode control procedure and this context becomes the current 5G NAS security context in both the UE and the AMF. This re-establishes the secure exchange of NAS messages; or
ii) if the UE has a PDN connection for emergency bearer services, the UE has a current EPS security context including the NAS security algorithms set to EIA0 and EEA0, and the UE received an "interworking without N26 not supported" indication from the network, the UE shall derive a mapped 5G NAS security context from the current EPS security context and transmit a REGISTRATION REQUEST message integrity protected with the mapped 5G NAS security context. The UE shall include the ngKSI indicating the mapped 5G NAS security context value in the REGISTRATION REQUEST message.
After receiving the REGISTRATION REQUEST message including the ngKSI indicating the mapped 5G NAS security context value "000", the AMF not supporting interworking without N26 shall derive a mapped 5G NAS security context from the EPS security context and check whether the ngKSI included in the REGISTRATION REQUEST message matches the ngKSI of the mapped 5G NAS security context. If the check is successful, the AMF re-establishes the secure exchange of NAS messages by replying with a REGISTRATION ACCEPT message that is integrity protected and ciphered using the mapped 5G NAS security context.
b) if the UE operating in single-registration mode has no valid native 5G NAS security context, the UE shall send the REGISTRATION REQUEST message without integrity protection and encryption.
After receiving the REGISTRATION REQUEST message without integrity protection and encryption:
i) if interworking without N26 is not supported and:
1) if an EPS security context received from the source MME does not include the NAS security algorithms set to EIA0 and EEA0, the AMF shall either create a fresh mapped 5G NAS security context or trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or
2) if an EPS security context received from the source MME includes the NAS security algorithms set to EIA0 and EEA0, the AMF shall create a fresh mapped 5G NAS security context; or
ii) if interworking without N26 is supported, the AMF shall trigger a primary authentication and key agreement procedure.
The newly created 5G NAS security context is taken into use by initiating a security mode control procedure and this context becomes the current 5G NAS security context in both the UE and the AMF. This re-establishes the secure exchange of NAS messages.
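The AMF-side branching above (conditions 1) to 4) of the second example aspect and the S1 mode to N1 mode idle-mode text of section 4.4.2.5) is easier to follow as executable decision logic. The following Python model is an added example and is not code from the patent, from 3GPP or from Nokia: the class names, the HMAC-SHA256 based key mapping and the 32-bit truncated MAC are stand-ins for the 3GPP key derivation and NAS integrity algorithms, and the fallback to primary authentication when no EPS context is available from the MME is this example's own assumption, since the page states no rule for that case.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the AMF handling a REGISTRATION REQUEST after an S1 -> N1
# idle-mode change. Names, the placeholder KDF and the MAC are this example's
# stand-ins, not the 3GPP algorithms (assumption).
NULL_ALGS = ("EIA0", "EEA0")
MAPPED_NGKSI = "000"   # ngKSI value that denotes a mapped 5G NAS security context


@dataclass
class EpsSecurityContext:
    k_asme: bytes
    nas_algs: tuple          # (integrity, ciphering) algorithms selected in EPS


@dataclass
class NasSecurityContext:
    k_amf: bytes
    ngksi: str


@dataclass
class RegistrationRequest:
    body: bytes
    ngksi: Optional[str] = None    # None: sent without integrity protection and encryption
    mac: Optional[bytes] = None


def map_eps_to_5g(eps: EpsSecurityContext) -> NasSecurityContext:
    """Derive a mapped 5G NAS context from an EPS context (placeholder KDF, assumption)."""
    k_amf = hmac.new(eps.k_asme, b"mapped 5G NAS security context", hashlib.sha256).digest()
    return NasSecurityContext(k_amf, MAPPED_NGKSI)


def nas_mac(ctx: NasSecurityContext, body: bytes) -> bytes:
    """Integrity tag over the NAS message body (stand-in for NIA1/2/3, assumption)."""
    return hmac.new(ctx.k_amf, body, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class AmfDecision:
    action: str
    delete_eps_ctx: bool = False   # True when the EPS context from the MME is discarded


def amf_handle_registration(req: RegistrationRequest, iwk_without_n26: bool,
                            eps_ctx: Optional[EpsSecurityContext],
                            native_ctxs: Dict[str, NasSecurityContext]) -> AmfDecision:
    """Decide how the AMF re-establishes secure NAS exchange for this request.

    iwk_without_n26: True when interworking without N26 is supported.
    eps_ctx: EPS security context received from the source MME over N26, if any.
    native_ctxs: native 5G NAS security contexts held by the AMF, keyed by ngKSI.
    """
    if req.ngksi is None:
        # Unprotected request. Without N26 there is no EPS context to map from,
        # so primary authentication is the only way to a fresh context.
        if iwk_without_n26 or eps_ctx is None:   # missing EPS context: assumed fallback
            return AmfDecision("TRIGGER_PRIMARY_AUTH_THEN_SMC")
        if eps_ctx.nas_algs == NULL_ALGS:
            return AmfDecision("CREATE_FRESH_MAPPED_THEN_SMC")                # conditions 2 / 4
        return AmfDecision("CREATE_FRESH_MAPPED_OR_PRIMARY_AUTH_THEN_SMC")    # condition 3

    if req.ngksi == MAPPED_NGKSI:
        # Condition 1: the UE protected the request with a context mapped from EPS.
        if iwk_without_n26 or eps_ctx is None:
            # No EPS context can have reached this AMF; the page gives no rule, so
            # the model falls back to primary authentication (assumption).
            return AmfDecision("TRIGGER_PRIMARY_AUTH_THEN_SMC")
        mapped = map_eps_to_5g(eps_ctx)
        if (mapped.ngksi != req.ngksi or req.mac is None
                or not hmac.compare_digest(nas_mac(mapped, req.body), req.mac)):
            return AmfDecision("INTEGRITY_CHECK_FAILED")
        return AmfDecision("REPLY_REGISTRATION_ACCEPT(mapped)")

    # Native ngKSI: the context must already be available in the AMF and the MAC must verify.
    ctx = native_ctxs.get(req.ngksi)
    if (ctx is None or req.mac is None
            or not hmac.compare_digest(nas_mac(ctx, req.body), req.mac)):
        return AmfDecision("INTEGRITY_CHECK_FAILED")
    # Verified: the EPS context received from the source MME is deleted.
    return AmfDecision("REPLY_REGISTRATION_ACCEPT_OR_SMC(native)", delete_eps_ctx=True)
```

The ngKSI comparison in the mapped branch is kept even though both sides derive "000" here, because the page makes that check a separate step from the MAC verification; a real implementation would log the two failures distinctly, since a wrong ngKSI points at state desynchronisation while a bad MAC points at a forged or replayed initial message.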
During inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, secure exchange of NAS messages is established between the MME and the UE by:
a) the transmission of NAS security related parameters encapsulated in the AS signaling from the AMF to the UE triggering the inter-system change in 5GMM-CONNECTED mode. The UE uses these parameters to generate the mapped EPS security context; and
b) after the inter-system change in 5GMM-CONNECTED mode, the transmission of a TRACKING AREA UPDATE REQUEST message from the UE to the MME. The UE shall send this message integrity protected using the mapped EPS security context, but unciphered. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the mapped EPS security context, and except for the messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND message, all NAS messages exchanged between the UE and the AMF are sent ciphered using the mapped EPS security context.
During inter-system change from N1 mode to S1 mode in 5GMM-IDLE mode, if the UE is operating in the single-registration mode and:
a) if the UE received an "interworking without N26 not supported" indication from the network or the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode, the UE shall transmit a TRACKING AREA UPDATE REQUEST message integrity protected with the current 5G NAS security context and the UE shall derive a mapped EPS security context. The UE shall include the eKSI indicating the mapped EPS security context value in the TRACKING AREA UPDATE REQUEST message.
After receiving the TRACKING AREA UPDATE REQUEST message including the eKSI, the MME forwards the TRACKING AREA UPDATE REQUEST message to the source AMF. The source AMF shall use the eKSI value field to identify a 5G NAS security context available in the AMF, and shall verify the MAC of the TRACKING AREA UPDATE REQUEST message using the 5G NAS security context. If the verification is successful, the AMF shall derive a mapped EPS security context from the 5G NAS security context and send the mapped EPS security context to the MME. The MME re-establishes the secure exchange of NAS messages by either:
i) replying with a TRACKING AREA UPDATE ACCEPT message that is integrity protected and ciphered using the mapped 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the MME are sent integrity protected and except for the messages such as ATTACH REQUEST and TRACKING AREA UPDATE REQUEST messages, all NAS messages exchanged between the UE and the MME are sent ciphered; or
ii) initiating a security mode control procedure. This can be used by the MME to take a non-current EPS security context into use or to modify the current EPS security context by selecting new NAS security algorithms.
b) if the UE received an "interworking without N26 supported" indication from the network and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode and:
i) if the UE has a valid native EPS security context, the UE shall send an ATTACH REQUEST message integrity protected with the native EPS security context. The UE shall include the eKSI indicating the native EPS security context value in the ATTACH REQUEST message.
ii) if the UE has no valid native EPS security context, the UE shall send an ATTACH REQUEST message without integrity protection and encryption.
After receiving the ATTACH REQUEST message, the MME shall proceed with the attach procedure.
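The UE-side decision described above (cases a) and b) for N1 mode to S1 mode, plus the S1 mode to N1 mode emergency case of claim 1 a) with claims 4 to 7) as an added example; this is illustrative code, not the patent's, Nokia's or 3GPP's, and the class and field names are constructed for the model:

```python
"""UE-side choice of the initial NAS message on idle-mode inter-system change.

Added illustration, not code from the patent, Nokia or 3GPP.  It encodes the
N1 mode to S1 mode rules of the description (cases a) and b)) together with
conditions a) to d) of claim 1 and the protection named in claims 4 to 7.
Class and field names are constructed for this model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UeState:
    source: str                      # "ng-RAN" (N1 mode) or "e-UTRAN" (S1 mode)
    target: str
    # True when the network indicated "interworking without N26 not supported"
    iw_without_n26_not_supported: bool
    # UE can send ATTACH REQUEST with a PDN CONNECTIVITY REQUEST, request type "handover"
    supports_attach_with_handover: bool
    has_valid_native_eps_ctx: bool = False
    has_valid_native_5g_ctx: bool = False
    has_emergency_pdn: bool = False
    # current EPS context uses the null integrity and null ciphering algorithms
    eps_ctx_uses_null_algorithms: bool = False


@dataclass(frozen=True)
class InitialNas:
    message: str                     # NAS message type the UE sends
    integrity_ctx: Optional[str]     # context used for the MAC; None = unprotected
    ciphering: str                   # "none", "partial" or "full"
    ksi: Optional[str]               # eKSI / ngKSI the message carries


def select_initial_nas(s: UeState) -> InitialNas:
    """Return the initial NAS message, its protection and the KSI it indicates."""
    if s.source == "ng-RAN" and s.target == "e-UTRAN":
        # Description case a), claim 1 b) and c), claim 6: TAU REQUEST integrity
        # protected with the current 5G NAS context, eKSI naming the mapped EPS context.
        if s.iw_without_n26_not_supported or not s.supports_attach_with_handover:
            return InitialNas("TRACKING AREA UPDATE REQUEST", "current 5G NAS",
                              "none", "eKSI(mapped EPS)")
        # Description case b): interworking without N26 supported and the UE can
        # transfer the PDU session with an ATTACH REQUEST of request type "handover".
        if s.has_valid_native_eps_ctx:          # b) i), claim 1 d), claim 7
            return InitialNas("ATTACH REQUEST", "native EPS", "none", "eKSI(native EPS)")
        # b) ii): no usable context, so the ATTACH REQUEST goes unprotected
        return InitialNas("ATTACH REQUEST", None, "none", None)

    if s.source == "e-UTRAN" and s.target == "ng-RAN":
        # Claim 1 a) with claims 4 and 5: REGISTRATION REQUEST integrity protected and
        # partially ciphered with the 5G NAS context mapped from the current EPS context.
        if (not s.has_valid_native_5g_ctx and s.has_emergency_pdn
                and s.eps_ctx_uses_null_algorithms and s.iw_without_n26_not_supported):
            return InitialNas("REGISTRATION REQUEST", "mapped 5G NAS",
                              "partial", "ngKSI(mapped 5G NAS)")
        raise NotImplementedError("S1 to N1 cases outside claim 1 a) are not modelled here")

    raise ValueError(f"not an inter-system change: {s.source} -> {s.target}")


if __name__ == "__main__":
    ue = UeState("ng-RAN", "e-UTRAN", iw_without_n26_not_supported=True,
                 supports_attach_with_handover=True, has_valid_native_eps_ctx=True)
    print(select_initial_nas(ue))   # TAU REQUEST protected with the current 5G NAS context
```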
During an N1 mode to N1 mode handover, secure exchange of NAS messages is established between the AMF and the UE by:
a) the transmission of NAS security related parameters encapsulated in the AS signaling from the target AMF to the UE triggering the N1 mode to N1 mode handover. The UE uses these parameters to create a new 5G NAS security context.
The secure exchange of NAS messages shall be continued after N1 mode to N1 mode handover. It is terminated after inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode or when the NAS signaling connection is released.
When a UE in 5GMM-IDLE mode establishes a new NAS signaling connection and has a valid current 5G NAS security context, the UE shall transmit the initial NAS message integrity protected with the current 5G NAS security context, but unciphered. The UE shall include the ngKSI indicating the current 5G NAS security context value in the initial NAS message. The AMF shall check whether the ngKSI included in the initial NAS message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the NAS message. If the verification is successful, the AMF may re-establish the secure exchange of NAS messages:
a) by replying with a NAS message that is integrity protected and ciphered using the current 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected and, except for the messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND message, all NAS messages exchanged between the UE and the AMF are sent ciphered; or
b) by initiating a security mode control procedure. This can be used by the AMF to take a non-current 5G NAS security context into use or to modify the current 5G NAS security context by selecting new NAS security algorithms.
[0074] As used in this application, the term "circuitry" may refer to one or more or all of the following:
[0075] (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and;
[0076] (b) combinations of hardware circuits and software, such as (as applicable)
[0077] (i) a combination of analog and/or digital hardware circuit(s) with software/firmware; and
[0078] (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions; and
[0079] (c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
[0080] This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
[0081] Without in any way limiting the scope, interpretation, or application of the claims appearing below, a technical effect of one or more of the example embodiments disclosed herein is that it may be possible to avoid initiating unnecessary 5GMM procedures, which would worsen the user experience for a critical call. Another technical effect of one or more of the example embodiments disclosed herein is that radio interface and/or core network signaling may be reduced. Yet another technical effect of one or more of the example embodiments disclosed herein is that security may be improved by increasing the use of previously established security contexts, so that clear text transmission of data may be reduced over the radio interface and/or in one or more core networks.
[0082] Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a "computer-readable medium" may be any non-transitory media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in Fig. 4. A computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
[0083] If desired, the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the before-described functions may be optional or may be combined.
[0084] Although various aspects of the invention are set out in the independent claims, other aspects of the invention comprise other combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.
[0085] It is also noted herein that while the foregoing describes example embodiments of the invention, these descriptions should not be viewed in a limiting sense. Rather, there are several variations and modifications which may be made without departing from the scope of the present invention as defined in the appended claims.
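The AMF-side handling of an integrity-protected but unciphered initial NAS message in 5GMM-IDLE mode, described earlier in this section (ngKSI lookup, MAC verification, then either a protected reply or a security mode control procedure), as an added example; this is illustrative code, not the patent's, Nokia's or 3GPP's. HMAC-SHA-256 truncated to 32 bits stands in for the 128-NIA integrity algorithms, and all keys, ngKSI values and payloads are constructed:

```python
"""AMF-side handling of an integrity-protected, unciphered initial NAS message.

Added illustration, not code from the patent, Nokia or 3GPP.  It models the
idle-mode case in the description: the AMF uses the ngKSI in the initial NAS
message to find a stored 5G NAS security context, verifies the MAC, and then
either replies protected or runs a security mode control procedure.
HMAC-SHA-256 truncated to 32 bits stands in for the 128-NIA integrity
algorithms; keys, ngKSI values and payloads are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

MAC_LEN = 4            # the NAS MAC field is 32 bits
# messages that stay unciphered even after secure exchange is (re-)established
NEVER_CIPHERED = {"REGISTRATION REQUEST", "SECURITY MODE COMMAND"}


@dataclass
class NasSecurityContext:
    ngksi: int          # 3-bit key set identifier, 0..6 (7 means no key available)
    k_nas_int: bytes    # NAS integrity key (constructed)
    algorithm: str      # integrity algorithm the context was set up with, e.g. "128-NIA2"
    current: bool       # True for the context currently in use, False for a non-current one


def nas_mac(key: bytes, plain: bytes) -> bytes:
    """Stand-in for the NAS integrity algorithm (real NIA also covers COUNT/BEARER/DIRECTION)."""
    return hmac.new(key, plain, hashlib.sha256).digest()[:MAC_LEN]


def ue_protect(ctx: NasSecurityContext, msg_type: str, payload: bytes) -> dict:
    """UE side: the initial NAS message is integrity protected but not ciphered."""
    plain = msg_type.encode() + b"|" + payload
    return {"ngksi": ctx.ngksi, "type": msg_type, "plain": plain,
            "mac": nas_mac(ctx.k_nas_int, plain)}


def ciphered_on_secure_exchange(msg_type: str) -> bool:
    """After re-establishment every NAS message is integrity protected and, except
    for messages such as REGISTRATION REQUEST and SECURITY MODE COMMAND, ciphered."""
    return msg_type not in NEVER_CIPHERED


def amf_handle_initial(msg: dict, contexts: Dict[int, NasSecurityContext],
                       preferred_alg: str = "128-NIA2") -> str:
    """Decide how the AMF reacts to the initial NAS message.

    "reject"                ngKSI unknown or MAC invalid: secure exchange is not re-established
    "protected-reply"       verified; reply integrity protected and ciphered with this context
    "security-mode-control" verified; the AMF wants a non-current context or other algorithms
    """
    ctx = contexts.get(msg["ngksi"])
    if ctx is None:
        return "reject"
    if not hmac.compare_digest(nas_mac(ctx.k_nas_int, msg["plain"]), msg["mac"]):
        return "reject"
    non_current_available = any(not c.current for c in contexts.values())
    if non_current_available or ctx.algorithm != preferred_alg:
        return "security-mode-control"
    return "protected-reply"


if __name__ == "__main__":
    ctx = NasSecurityContext(ngksi=2, k_nas_int=b"\x11" * 16, algorithm="128-NIA2", current=True)
    msg = ue_protect(ctx, "REGISTRATION REQUEST", b"constructed 5G-GUTI")
    print(amf_handle_initial(msg, {2: ctx}))        # protected-reply
```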

Claims

1. A method in user equipment, UE, on idle mode inter-system change, while the UE is in a single registration mode, comprising:
deriving a cryptographic protection to a new initial non-access stratum, NAS, message for a target network from an existing security context in an idle mode inter-system change, if any one or more of the following conditions are met:
condition a) the source cellular network is an evolved universal terrestrial radio access network, e-UTRAN; and the target cellular network is a Next Generation Radio Access Network, ng-RAN of a 5G system, 5GS; and the UE does not have a valid native 5G NAS security context; and the UE has a packet data network, PDN, connection for emergency bearer services; and the UE has a current Evolved Packet System, EPS, security context including NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of EPS and 5GS;
condition b) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network does not support interworking with the target cellular network without a signaling channel between mobility management entities of the EPS and 5GS;
condition c) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE does not support sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a Protocol Data Unit, PDU, session from N1 mode to S1 mode;
condition d) the source cellular network is the ng-RAN; and the target cellular network is the e-UTRAN; and the UE has received an indication that the source cellular network supports interworking with the target cellular network without a signaling channel between mobility management entities of the EPS and 5GS; and the UE supports sending an ATTACH REQUEST message containing a PDN CONNECTIVITY REQUEST message with request type set to "handover" to transfer a PDU session from N1 mode to S1 mode; and the UE has a valid native EPS security context.
2. The method of claim 1, wherein the S1 mode is a mode of a UE allowing access to a 4G core network via a 4G access network and the N1 mode is a mode of a UE allowing access to a 5G core network via a 5G access network.
3. The method of claim 1 or 2, wherein the signaling channel between the mobility management entities of the EPS and 5GS is an N26 interface.
4. The method of any one of preceding claims, wherein in case of condition a), the cryptographic protection comprises integrity protecting a REGISTRATION REQUEST message with a 5G NAS security context mapped from current EPS NAS security context.
5. The method of any one of preceding claims, wherein in case of condition a), the cryptographic protection comprises partially encrypting a REGISTRATION REQUEST message with a 5G NAS security context mapped from current EPS NAS security context.
6. The method of any one of preceding claims, wherein in case of any one of conditions b) and c), the cryptographic protection is integrity protecting a TRACKING AREA UPDATE REQUEST message with current 5G NAS security context.
7. The method of any one of preceding claims, wherein in case of condition d), the cryptographic protection is integrity protecting an ATTACH REQUEST message with the valid native EPS security context.
8. A method in an Access and Mobility Management Function, AMF, of a 5G system, 5GS, for handling an idle mode inter-system change of User Equipment, UE, from an evolved universal terrestrial radio access network, e-UTRAN to a Next Generation Radio Access Network, ng-RAN, while the UE is in a single registration mode connection, comprising:
deriving a mapped Next Generation Radio Access Network, ng-RAN, Non-Access Stratum, NAS, security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of the following conditions are met:
condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
condition 2) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm;
condition 3) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
condition 4) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
9. The method of claim 8 further comprising, before the deriving of the mapped security context, receiving the REGISTRATION REQUEST message without integrity protection and encryption.
10. The method of claim 8 or 9, further comprising that, after receiving the REGISTRATION REQUEST message without integrity protection and encryption, the AMF either creates a fresh mapped 5G NAS security context or triggers a primary authentication and key agreement procedure to create a fresh native 5G NAS security context.
11. The method of any one of claims 8 to 10, wherein if conditions 1) and 3) are met, the AMF chooses between creating a fresh mapped 5G NAS security context and triggering a primary authentication and key agreement procedure to create a fresh native 5G NAS security context.
12. A process comprising the method of any one of claims 1 to 7 and any one of claims 8 to 11.
13. User equipment comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the user equipment to perform the method of any one of claims 1 to 7.
14. An Access and Mobility Management Function, AMF comprising at least one processor and a memory comprising computer executable program code which, when executed by the at least one processor, is configured to cause the AMF to perform the method of any one of claims 8 to 11.
15. An Access and Mobility Management Function, AMF, of a 5G System, 5GS; wherein the AMF is configured to handle an idle mode inter-system change of User Equipment, UE, from an evolved universal terrestrial radio access network, e-UTRAN, to a Next Generation Radio Access Network, ng-RAN, while the UE is in a single registration mode connection, the AMF comprising:
means for communicating with an Evolved Packet System, EPS, that comprises the e-UTRAN and for communicating with the UE; and
means for deriving a mapped Next Generation Radio Access Network, ng-RAN, Non-Access Stratum, NAS, security context from a source cellular network that is an Evolved Packet System, EPS, security context maintained by a source Mobility Management Entity of the EPS, in an idle mode inter-system change, if any one or more of the following conditions are met:
condition 1) the AMF has received from a UE a REGISTRATION REQUEST message without integrity protection and encryption; and the REGISTRATION REQUEST message comprises a Key Set Identifier for Next Generation Radio Access Network, ngKSI, indicating a mapped 5G NAS security context value "000";
condition 2) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from a Mobility Management Entity, MME, of the EPS includes the NAS security algorithms set to null integrity protection algorithm and null ciphering algorithm;
condition 3) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME does not include the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm;
condition 4) interworking without a signaling channel between mobility management entities of the EPS and the 5GS is not supported; and an EPS security context received from the source MME includes the NAS security algorithms set to a null integrity protection algorithm and null ciphering algorithm.
16. The AMF of claim 15, comprising means for causing the AMF to perform the method of any one of claims 9 to 11.
17. A system comprising the UE of claim 13 and the AMF of any one of claims 14 to 16.
18. The system of claim 17, further comprising the MME of the EPS.

Priority Applications (7)

Application Number Priority Date Filing Date Title
PCT/FI2018/050714 WO2020070371A1 (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during inter-system change
JP2021517968A JP7192107B2 (en) 2018-10-04 2018-10-04 Method and apparatus for handling security context during intersystem changes
CN201880099980.1A CN113170369B (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during intersystem changes
BR112021006297A BR112021006297A2 (en) 2018-10-04 2018-10-04 method and apparatus for handling security context during intersystem change
EP18936081.1A EP3861791A4 (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during inter-system change
US17/281,778 US20210385722A1 (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during inter-system change
PH12021550731A PH12021550731A1 (en) 2018-10-04 2021-04-01 Method and apparatus for security context handling during inter-system change

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2018/050714 WO2020070371A1 (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during inter-system change

Publications (1)

Publication Number Publication Date
WO2020070371A1 true WO2020070371A1 (en) 2020-04-09

Family

ID=70054692

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2018/050714 WO2020070371A1 (en) 2018-10-04 2018-10-04 Method and apparatus for security context handling during inter-system change

Country Status (7)

Country Link
US (1) US20210385722A1 (en)
EP (1) EP3861791A4 (en)
JP (1) JP7192107B2 (en)
CN (1) CN113170369B (en)
BR (1) BR112021006297A2 (en)
PH (1) PH12021550731A1 (en)
WO (1) WO2020070371A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113260015A (en) * 2021-05-11 2021-08-13 中国联合网络通信集团有限公司 Task processing method and access and mobility management functional entity

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
WO2021027439A1 (en) * 2019-08-14 2021-02-18 Mediatek Singapore Pte. Ltd. Apparatuses and methods for delivery of inter-system non-access stratum (nas) security algorithms
US20220338079A1 (en) * 2019-08-19 2022-10-20 Telefonaktiebolaget Lm Ericsson (Publ) AMF Re-Allocation Due to Slicing

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
KR101224230B1 (en) * 2008-06-13 2013-01-21 노키아 코포레이션 Methods, apparatuses, and computer program products for providing fresh security context during intersystem mobility
KR101579757B1 (en) * 2008-08-15 2015-12-24 삼성전자주식회사 security protected Non -Access Stratum PROTOCOL OPERATION SUPPORTING METHOD IN MOBILE TELECOMMUNICATION SYSTEM
US10588105B2 (en) * 2017-01-12 2020-03-10 Lg Electronics Inc. Method and user equipment device for registering in wireless communication system
EP3574667B1 (en) * 2017-01-30 2021-02-24 Telefonaktiebolaget LM Ericsson (PUBL) Methods and apparatueses for security management before handover from 5g to 4g system
CN115396886A (en) * 2017-01-30 2022-11-25 瑞典爱立信有限公司 Method and apparatus for security context handling in 5G during idle mode

Non-Patent Citations (6)

Title
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 (Release 15)", 3GPP TS 24.501 V15.1.0, 21 September 2018 (2018-09-21), XP051477389, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/specs/archive/24_series/24.501/24501-f10.zip> [retrieved on 20190116] *
3GPP: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 15)", 3GPP TS 33.501 V15.2.0, 21 September 2018 (2018-09-21), XP051477480, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/specs/archive/33_series/33.501/33501-f20.zip> [retrieved on 20190118] *
ERICSSON: "Corrections and clarifications to interworking clauses", 3GPP TSG-SA WG3 MEETING #92 S3-182581, 27 August 2018 (2018-08-27), Dalian, China, XP051541656, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_92_Dalian/Docs/S3-182581.zip> [retrieved on 20190118] *
NTT DOCOMO: "PDU SESSION CORRELATION Session correlation when N26 is not deployed", SA WG2 MEETING #124 S2-178501, 21 November 2017 (2017-11-21), Reno, USA, XP051379514, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG2_Arch/TSGS2_124_Reno/Docs/S2-178501.zip> [retrieved on 20190118] *
QUALCOMM INCORPORATED, DEUTSCHE TELEKOM: "Support for partial ciphering for initial NAS messages", 3GPP TSG-CT WG1 MEETING #11 1 BIS C1-184608, 11 July 2018 (2018-07-11), Sophia-Antipolis, XP051466221, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_ct/WG1_mm-cc-sm_ex-CN1/TSGC1_111bisSophia-Antipolis/docs/C1-184608.zip> [retrieved on 20190118] *
See also references of EP3861791A4 *

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN113260015A (en) * 2021-05-11 2021-08-13 中国联合网络通信集团有限公司 Task processing method and access and mobility management functional entity
CN113260015B (en) * 2021-05-11 2022-11-18 中国联合网络通信集团有限公司 Task processing method and access and mobility management functional entity

Also Published As

Publication number Publication date
CN113170369B (en) 2024-06-14
CN113170369A (en) 2021-07-23
BR112021006297A2 (en) 2021-07-06
EP3861791A4 (en) 2022-05-04
JP7192107B2 (en) 2022-12-19
EP3861791A1 (en) 2021-08-11
US20210385722A1 (en) 2021-12-09
JP2022501973A (en) 2022-01-06
PH12021550731A1 (en) 2021-10-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18936081

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021517968

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2101001991

Country of ref document: TH

NENP Non-entry into the national phase

Ref country code: DE

REG Reference to national code

Ref country code: BR

Ref legal event code: B01A

Ref document number: 112021006297

Country of ref document: BR

ENP Entry into the national phase

Ref document number: 2018936081

Country of ref document: EP

Effective date: 20210504

ENP Entry into the national phase

Ref document number: 112021006297

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20210331