WO2010019020A9 - Method for processing a secured non-access stratum protocol in a mobile communication system - Google Patents
- Publication number
- WO2010019020A9 (PCT/KR2009/004570)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- new
- terminal
- mme
- request message
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W60/00—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
Definitions
- the present invention relates to a method for managing a terminal of a mobile communication system, and more particularly, to a method for efficiently supporting mobility management, location management, and registration management of a terminal through a NAS protocol.
- the 3rd Generation Partnership Project (3GPP) which is representative of general mobile communication systems, defines an Evolved Packet System (EPS) for next generation communication and introduces an MME as a mobility management entity of a network.
- EPS Evolved Packet System
- an improvement method for providing a high speed communication service in the next generation mobile communication by improving the NAS protocol used in the 3GPP of the conventional mobile communication system, in particular 3GPP.
- the methods of mobility management, location management, and registration management have been improved, and the security management method was strengthened by introducing the concept of secured NAS protocol at the NAS layer.
- the present invention uses secured NAS messages in the mobility management, location management, and registration management procedures of the terminal in an evolved mobile communication system including 3GPP EPS, thereby providing effective and efficient support for mobility management, location management, and registration management.
- the present invention also defines how the NAS protocol operates by utilizing NAS messages, which are protocols between the terminal and the mobility manager (MME). Accordingly, the present invention provides a method for supporting mobility management, location management, and registration management for a terminal using a NAS even when moving to a wireless access technology other than 3GPP EPS, that is, another access network.
- the present invention provides mobility management, idle mode management, registration management (attach and detach management), and location management (tracking area management) of the terminal using a non-access-stratum (NAS) protocol in the mobile communication network. That is, the present invention provides a method for managing mobility, idle mode, registration, and location of a terminal using a NAS protocol, that is, NAS messages, in a mobile communication system.
- the mobile communication system of the present invention includes a terminal (hereinafter referred to as UE) and a mobility manager (mobility management entity, hereinafter referred to as MME).
- a method for processing status information of a terminal includes: transmitting, by a terminal, a state change request message secured with a previous key to a new MME; receiving, by the new MME, the previous key information of the terminal; and transmitting a response message to the terminal after the new MME interprets the request message using the previous key information.
- the previous key information received by the new MME from the previous MME includes KSIasme and Kasme.
- the new key information generated by the new MME includes the NAS encryption key KNASenc and the integrity key KNASint.
- the NAS security mode command message includes a security key identifier (KSI), a UE security capability, an encryption algorithm (ciphering algorithm) to be used, an integrity algorithm to be used, etc.
- KASME basic security key
- KNASenc an encryption key
- KNASint an integrity key
- when the new MME fails to interpret the request message using a previous key, the new MME transmits a user authentication request message to the terminal, and the terminal further responds to the user authentication request.
- the user authentication request message may include an authentication vector (AUTN) and a security key identifier (KSIASME).
- the state change request message may be one of a handover request message, a TAU request message, or a registration (release) request message.
- the terminal transmits a state change request message secured with the new key to the new MME
- the new MME transmitting a user authentication request message to the terminal, the terminal responding to the user authentication request, the new MME generating a new key, and transmitting a NAS security mode command message including the generated new key information to the terminal
- the previous MME transmits a message (forward relocation request message) including the previous key information of the terminal to the new MME, the terminal transmits the TAU request message secured by the previous key to the new MME, and the new MME interprets and processes the TAU request message using the previous key. If the new MME fails to interpret the TAU request message using the previous key, the new MME transmits a user authentication request message to the terminal, the terminal responds to the user authentication request, and the new MME is a new key.
- a message forward relocation request message
- the terminal transmits a TAU request message secured by the previous key to the new MME
- the new MME requests information related to the previous key of the terminal from the previous MME and receives the previous key information
- the new MME interprets the TAU request message using the previous key
- the terminal transmits a registration request message secured by a previous key to the new MME, the new MME requests information related to the previous key of the terminal from the previous MME and receives the previous key information, and the new MME transmits the registration approval message secured with the previous key to the terminal after interpreting the registration request message using the previous key. If the new MME fails to interpret the registration request message using the previous key, the new MME transmits a user authentication request message to the terminal, the terminal responds to the user authentication request, and the new MME is a new key.
- the present invention provides mobility, idle mode management, and registration management of a terminal using a non-access-stratum (NAS) protocol in a mobile communication network.
- NAS non-access stratum
- a method for managing mobility, idle mode, registration management, and location of a terminal using a NAS protocol includes a UE and a mobility manager (hereinafter referred to as MME).
- FIGS. 1 and 2 are diagrams for explaining the configuration and operation of performing a handover in a mobile communication system according to an embodiment of the present invention.
- FIGS. 3 and 4 are diagrams for explaining the configuration and operation of performing location management in a mobile communication system according to an embodiment of the present invention.
- FIGS. 5 and 6 are diagrams for explaining a configuration and operation of performing a registration procedure of a terminal in a mobile communication system according to an embodiment of the present invention.
- FIGS. 7 to 9 are flowcharts illustrating a process of MME performing procedures of mobility management, location management, registration management, etc. according to an embodiment of the present invention.
- FIG. 10 is a flowchart illustrating a process in which a terminal performs procedures such as mobility management, location management, and registration management according to an embodiment of the present invention.
- the term “status change request message” may be a handover, tracking area update (TAU), or attach (detach) request message, or the like.
- the term “old key” refers to security key-related information used in the old MME (old MME, serving MME) to which the terminal is connected.
- the term “new key” refers to security key-related information used in the new MME (new MME, target MME) to which the terminal is connected by a state change.
- old key information received from the old MME includes a basic security key identifier (KSIASME) and a basic security key (KASME), which are security information of the terminal, and the key access security management entity (KASME).
- KSIASME basic security key identifier
- KASME basic security key
- KASME key access security management entity
- the "user authentication request" message is an authentication message between a new MME and a UE when a new key is generated, and may include an authentication vector, an authentication token (AUTN) and a security key identifier (KSIASME).
- AUTN authentication token
- KSIASME security key identifier
- the "NAS Security mode command" message is a message that a new MME transmits to the UE after generating a new key.
- the information includes information on a security key identifier and a security algorithm supported by the terminal.
- UE security capability UE security capability
- the encryption algorithm ciphering algorithm
- the integrity algorithm integrity algorithm
- the present invention provides a method for supporting mobility management, location management, and registration management in a mobile system using a NAS protocol, which is a protocol between a terminal and an MME of a mobile communication system.
- a NAS protocol which is a protocol between a terminal and an MME of a mobile communication system.
- the embodiment of FIG. 1 has been described using two 3GPP EPS networks as an example, but a modified NAS will be available not only for a handover from 3GPP EPS to EPS but also when the terminal moves to a network using another wireless access technology, such as 3GPP UMTS, a 3GPP GPRS network, WiMAX, or 3GPP2. Therefore, it can be seen that the method for supporting mobility management, location management, and registration management using the NAS protocol, which is a basic object of the present invention, is applicable to other mobile communication systems having a similar technical background and channel form without departing from the scope of the present invention.
- FIG. 1 is a block diagram illustrating a handover environment in a mobile communication system environment according to an embodiment of the present invention.
- the 3GPP EPS system structure is illustrated as an example.
- an Evolved Node Base Station (E Node B, hereinafter referred to as eNB) 112 sets up a wireless connection with, and communicates with, a User Equipment (hereinafter referred to as UE or terminal) 110 located in a cell that is its service area.
- the UE 110 refers to a terminal that accesses a packet data network such as the Internet through a serving gateway (hereinafter, referred to as a Serving GW, or SGW) 116.
- a serving gateway hereinafter, referred to as a Serving GW, or SGW
- PDN GW Packet Data Network Gateway
- HA home agent
- An interface and a data path exist between the eNBs 112 and 132, the serving GWs 116 and 136, the MMEs 114 and 134, and the serving GWs 116 and 136 to manage mobility of the terminal.
- the UE 110 and the MME 114, 134 communicate with each other with a NAS protocol stack to perform mobility management, location management, registration management, and session management.
- the UE 110 may hand over from NW1 141 to NW2 143 or vice versa. Meanwhile, in the present invention, an interface may exist between the MME 114 and the MME 134 for mobility management, location management, and registration management of the UE 110, and an interface may exist between the eNB 112 and the eNB 132.
- the present invention focuses on the NAS protocol, which is a protocol between the MME 114 and the terminal 110, which are entities introduced for mobility management, location management, and session management of the UE 110.
- as the system evolved into EPS, the NAS protocol introduced between the terminal 110 and the MME 114 for mobility management and location and session management was changed: its security was enhanced, and its location management and session management functions were changed.
- FIG. 2 is a diagram illustrating a procedure for performing a handover function using a NAS protocol between an MME and a UE in a mobile communication system environment according to an embodiment of the present invention in a mobile communication system having the structure as shown in FIG. 1.
- the new MME 134 may perform three kinds of operations. In an exemplary embodiment of the present invention, case 2, in which the operation is performed as in steps 151 to 157 of FIG. 2, is the case where the new MME 134 uses the relevant information received from the old MME 114.
- case 1 includes the procedures of steps 151 to 153, steps 171 to 179, 181, and 191 to 193 of FIG. 2. It includes a procedure of interpreting a message using new security-related information, including the authentication procedure of steps 171 to 173 and the security mode command procedure of steps 175 to 181.
- steps 151 to 153, steps 161 to 163, and steps 171 to 181 are performed; that is, steps 151 to 153 and 161 to 163 are performed first.
- when the tracking area update request (TAU request) message is interpreted using the previous security key in step 163 and the security verification fails, steps 171 to 181 are performed.
- TAU request tracking area update
- case 2 case 2
- the serving MME 114 transmits a forward relocation request message to the target MME 134.
- the forward relocation request message includes UE security context information.
- the target MME 134 then sends a forward relocation response message to the serving MME 114.
- the terminal 110 transmits a tracking area update (TAU) request message to the target MME 134, and the TAU request message is protected by a previous security key.
- TAU tracking area update
- the target MME analyzes the received TAU request message using the previous security key in step 163 (interprets TAU request message using old key).
- the serving MME (i.e., the old MME before handover) 114 transmits to the target MME (i.e., the new MME) 134 a forward relocation request message including security-related information of the terminal (UE security context). The new MME 134 then sends a forward relocation response message to the old MME 114. Then, when the UE 110 transmits to the new MME 134 a tracking area update request (TAU request) message, which is a location registration message secured by the previous security key, the target MME 134 interprets the TAU request message using the old security key.
- TAU request Tracking Area UpdateRequest
- case 1 case 1
- the serving MME 114 and the target MME 134 perform steps 151 and 153, transmitting the forward relocation request message and its response message.
- the target MME 134 transmits a user authentication request message to the terminal 110.
- the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- the terminal 110 transmits a user authentication response message to the target MME 134 in step 173.
- the target MME 134 generates an encryption key KNASenc and an integrity key KNASint in response to the terminal.
- the target MME 134 transmits to the terminal 110 a NAS security mode command including a security key identifier (key set index, KSI), a UE security capability that is information about the security algorithms supported by the terminal, the ciphering algorithm to be used, the integrity algorithm to be used, and the like.
- the terminal 110 generates an encryption key KNASenc and an integrity key KNASint based on the key KASME indexed by the security key identifier KSI (Generate KNASenc and KNASint based on KASME indexed by KSI).
- the target MME 134 and the terminal 110 share the same key value.
- the terminal 110 transmits a security mode complete message to the target MME, thereby terminating the NAS security mode command process.
- the terminal 110 transmits a TAU request message protected by a new security key, that is, a new encryption key (KNASenc) or an integrity key (KNASint), to the target MME 134 in step 191.
- a new security key that is, a new encryption key (KNASenc) or an integrity key (KNASint)
- KNASenc new encryption key
- KNASint integrity key
- the target MME 134 analyzes the received TAU request message by the new key (interprets TAU request using new key).
- the old MME 114 and the new MME 134 exchange a forward relocation request message and the corresponding response message.
- the new MME 134 transmits a user authentication request message to the terminal, and the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- the terminal 110 transmits a user authentication response in reply to the user authentication request message.
- the new MME 134 then generates an encryption key (KNASenc) and integrity key (KNASint), and sends a NAS Security mode command message to the UE.
- KNASenc encryption key
- KNASint integrity key
- the information included in the NAS security mode command may include a key set index, a UE security capability that is information about a security algorithm supported by the terminal, a ciphering algorithm to be used, an integrity algorithm to be used, and the like.
- the UE 110 generates an encryption key KNASenc and an integrity key KNASint based on the key KASME indexed by the security key identifier KSI, and thus the new MME 134 and the terminal 110 will own the same key value.
- the UE 110 sends a security mode complete message to the MME 134, thereby completing the NAS security mode command process, and then the UE 110 sends a new security to the MME 134.
- case 3 may be a case where security verification of the TAU request message fails in case 1. That is, after performing steps 151 to 153 and 161, when the target MME 134 fails to verify security in the process of analyzing the TAU request message using the previous security key in step 163, the target MME 134 and the terminal 110 generate a new security key by performing steps 171 to 181 (NAS security mode) in the same manner as in case 2. Thereafter, the terminal 110 transmits a TAU request message protected by a new security key, that is, a new encryption key (KNASenc) or an integrity key (KNASint), to the target MME 134 in step 191. The target MME 134 analyzes the received TAU request message using the new key (interprets TAU request using new key).
- KNASenc new encryption key
- KNASint integrity key
- TAU request tracking area update
- the new MME 134 is connected to the new MME 134.
- the terminal 110 generates a new security key and shares it, and then processes the TAU request message with the new security key.
- FIG. 3 is a diagram illustrating a location management environment in a mobile communication system environment according to a preferred embodiment of the present invention.
- the mobile communication system is a 3GPP EPS.
- a configuration entity and a configuration environment of a mobile communication system have a structure similar to that of FIG. 1.
- the description here focuses on the location management function. That is, in the situation shown in FIG. 3, the UE 110 is not in an active mode as in FIG. 1 but operates in an idle mode to reduce power consumption, or the location of the UE is changed from tracking area TA 1 241 to TA 2 243 after handover in the active mode. In this case, location management of the terminal is required.
- the tracking area TA is a concept used to manage an approximate location, although the location of the terminal is not as precise as a cell unit.
- FIG. 4 is a diagram illustrating a method of operating an MME in a location management situation in a mobile communication system environment according to an embodiment of the present invention as shown in FIG. 3.
- the new MME 234 is capable of three operations, and the three cases are as follows.
- case 2 is a case where the new MME 234 utilizes security-related information received from the old MME while performing steps 251 to 259 of FIG. 4.
- case 1 includes steps 251 to 257, steps 261 to 269, and steps 271 and 281. That is, case 1 includes procedures for interpreting a message using new security-related information, including the authentication procedure (steps 261 to 263) and the security mode command (steps 265 to 271). In case 1, an attempt is made to interpret a message with the security-related information (old security context) received from the previous MME 214, but the security verification fails.
- case 3 is a case in which the security verification of the message fails after performing steps 251 to 257. Unlike case 1, when the authentication procedure or the security procedure fails during steps 261 to 271, which are performed because a new security authentication procedure is needed, the location registration reject message of step 291 is transmitted from the MME 234 to the UE 210 in response to the location registration request of step 251.
- case 2 case 2
- the UE 210 secures a TAU request message with a previous security key value and transmits it to a new MME (hereinafter referred to as new MME).
- the new MME 234 then delivers a context request message to the previous MME (hereinafter referred to as old MME) 214 to know the information of the terminal.
- the old MME 214 generates an information response message for the information request message and transmits the information response message to the new MME 234.
- the context response message includes a basic security key identifier (KSIASME) and a basic security key (KASME) which are security information of the terminal.
- KSIASME basic security key identifier
- KASME basic security key
- the basic access key (KASME) is used to generate an encryption key (KNASenc) used for encrypting NAS messages, a NAS integrity key (KNASint) used for integrity protection, and an eNodeB key (KeNB) used to protect access stratum (AS) messages in the wireless section.
- the new MME 234 interprets the TAU request message received from the UE 210 in step 251 using the old key.
- TAU request Tracking Area Update Request
- the new MME 234 interprets the TAU request message with the old security key.
- the old security key includes a NAS encryption key (KNASenc) and NAS integrity key (KNASint) used for NAS message security used in the communication between the UE 210 and the previous MME 214.
- the new MME 234 secures a tracking area update accept (TAU accept) message, which is a location registration response message, by using the old key (TAU accept message using old key) and transmits it to the UE 210.
- KNASenc NAS encryption key
- KNASint NAS integrity key
- case 2 case 2 for location management of the terminal as described above
- the new MME 234 is an old MME 214.
- the old MME 214 In order to know the information of the UE (110).
- the old MME 214 generates a context response message including KSI asme and Kasme, which are security information of the terminal, and transmits it to the new MME 234.
- the new MME 234 interprets the TAU request message of the UE 110 using the old key according to the information response of the old MME 214, secures the resulting TAU accept message using the old key, and transmits it to the UE 110.
- when the new MME 234 receives the TAU request message secured by the old key, the new MME 234 requests the old key information of the UE 210 from the old MME 214 and, according to the information response of the old MME 214, interprets the received TAU request message to register a location; the resulting TAU accept message is secured with the old key and transmitted to the UE 210.
- the operation of case 1 for location management of the UE 110 will now be described. In case 1, steps 251 to 257 proceed in the same manner as in case 2.
- the new MME 234 transmits a user authentication request message to the UE 210 in step 261.
- the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- the UE 210 generates a user authentication response message according to the user authentication request message in step 263 and transmits it to the new MME 234.
- in step 265, the new MME 234 generates an encryption key (KNASenc) and an integrity key (KNASint), which are new security information.
- the new MME 234 transmits a NAS security mode command message to the UE 210.
- information included in the NAS Security mode command message includes a key set index, a UE security capability that is information about a security algorithm supported by the terminal, a ciphering algorithm to be used, and an integrity algorithm to be used.
- the UE 210 generates an encryption key (KNASenc) and an integrity key (KNASint) based on the basic security key KASME indexed by the security key identifier (KSI) in step 269 (generate KNASenc and KNASint based on KASME indexed by KSI). Accordingly, when performing step 269, the new MME 234 and the UE 210 possess the same security key value. Thereafter, the UE 210 transmits a security mode complete message to the MME in step 271 to complete the NAS security mode command process. The new MME 234 then transmits a TAU accept message, which is a location registration response message protected by the new security key, that is, the new encryption key KNASenc or the integrity key KNASint, to the UE 210 in step 281.
- KNASenc an encryption key
- KNASint integrity key
- the new MME 234 may obtain a new security key (KNASenc and KNASint), and transmits a NAS Security mode command message to the UE 210 to allow the UE 210 to generate a new security key (KNASenc and KNASint). Therefore, when the NAS Security mode is performed, the new MME 234 and the UE 210 share the same security key.
- step 3 performs steps 251 to 257 and steps 261 to 271. Steps 251 to 257 are performed first; if the security verification fails as a result of interpreting the tracking area update request (TAU request) message with the previous security key in step 257, steps 261 to 271 are performed.
- if the authentication process in steps 261 to 263 fails, or the authentication process in steps 261 to 263 succeeds but there is a failure during the security mode command (SMC) process in steps 267 to 271, the UE 210 and the new MME 234 own different security keys. In this case, the new MME 234 transmits a tracking area update reject message to the UE 210 in step 291.
- FIG. 5 is a diagram illustrating a registration environment of a terminal in a mobile communication system environment according to an embodiment of the present invention.
- the UE 310 may perform an attach process when first accessing a network. Meanwhile, when the UE 310 no longer accesses the EPS network, the UE 310 may perform a registration detach, or the UE 310 may not communicate with the MME 314 for a long time or may contact the network operator. Even if the registration is terminated by the UE, the UE 110 may perform a registration process.
- FIG. 6 is a flowchart illustrating a registration and release procedure of a terminal in a mobile communication system having the configuration as shown in FIG. 5.
- a new MME (new MME) 334 may be operated in three ways, and the three cases (case1 to case 3) will be described below.
- case 2 may perform steps 351, 361 to 365, and 371, and is the case where the new MME 334 utilizes the security-related information received from the old MME 314.
- case 1 can perform steps 351, 361 to 365, 381 to 391, and 395. It includes a procedure for interpreting a message using new security-related information, including the authentication procedure of steps 381 to 383 and the security mode command procedure of steps 385 to 391.
- case 1 attempts to interpret a message with the security-related information (old security context) received from the previous MME 314 but fails in the security verification or the like; the procedure then includes sending a message protected with the new security information obtained by performing the authentication and security procedures of steps 381 to 391, and decrypting the received message.
- case 3 is a case where security verification of the message fails after performing steps 351 and 361 to 365. Unlike case 1, the authentication procedure or the security procedure fails while performing steps 381 to 391, which are needed for a new security authentication procedure, and the MME sends an attach reject message to the UE 310.
- the UE 310 transmits an Attach request message secured by the old security key (old key) to the new MME 334.
- the new MME 334 transmits an identification request message to the old MME 314 to know information of the UE.
- the old MME 314 transmits an identification response message to the new MME 334 in step 713.
- the identification response message may include a basic security key identifier (KSIASME) and a basic security key (KASME), which are security information of the terminal.
- KSIASME basic security key identifier
- KASME basic security key
- a key access security management entity KASME is used to encrypt NAS messages.
- the new MME 334 interprets the attach request message transmitted by the UE 310 in step 351 with the old key.
- the old security key includes a NAS encryption key (KNASenc) and NAS integrity key (KNASint) used in the NAS message security used in the communication between the UE 310 and the previous MME 314.
- the new MME 334 transmits an attach accept message, which is an attach registration response message, to the UE 310 in step 371, wherein the registration response message is secured by the old key.
- case 1 case 1
- the new MME 334 transmits a user authentication request message to the UE 310 in step 381.
- the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- AUTN authentication vector
- KSIASME security key identifier
- when user authentication has been performed through the user authentication request and its response, the new MME 334 generates an encryption key KNASenc and an integrity key KNASint in step 385. In step 387, the new MME 334 transmits a NAS security mode command message to the UE 310.
- the information included in the NAS security mode command message includes a key set index, the UE security capability (information on the security algorithms supported by the terminal), a ciphering algorithm to be used, an integrity algorithm to be used, and the like.
- the UE 310 generates an encryption key KNASenc and an integrity key KNASint based on the default security key KASME indexed by the security key identifier KSI in step 389. The UE 310 and the new MME 334 then hold the same key values. Thereafter, the UE 310 transmits a security mode complete message to the new MME 334 in step 391 to complete the NAS security mode command process. In step 395, the new MME 334 transmits to the UE 310 an Attach accept message, which is a connection registration response message protected by a new security key, that is, a new encryption key KNASenc or an integrity key KNASint.
- Step 3 is a case in which steps 351, 361-365, 381-391 are performed, while steps 351, 361-365 are performed.
- steps 371 to 391 are performed. That is, in case 3, unlike in case 2, either the authentication procedure fails while steps 381 to 383 are performed, or the authentication procedure of steps 381 to 383 succeeds but a failure occurs during the security mode command (SMC) process performed in steps 367 to 391, so that the UE 310 and the new MME 334 possess different security keys. In step 399, the new MME 334 transmits an attach reject message to the UE 310.
- SMC security mode command
- the description so far covers the method in which the new MME, on receiving a state change message (here, a handover, TAU, or attach (detach) request message), first receives the old key from the old MME and interprets the corresponding request message with it.
- alternatively, the process of interpreting with the old key may be omitted and a new key generated and used immediately. That is, on receiving the state change message (here, a handover, TAU, or attach (detach) request message), the new MME may omit the procedure of analyzing the terminal's request message with the old key (steps 151, 153, 163 in FIG. 2; steps 253, 255, 257, 259 in FIG. 4; and steps 361, 363, 365, 371 in FIG. 6) and generate a new key to process the request message.
- FIGS. 7 and 9 are flowcharts illustrating a procedure for performing mobility management, location management, and registration management of an MME in a mobile communication system according to an embodiment of the present invention.
- FIG. 10 is a flowchart illustrating a procedure of performing mobility management, location management, and registration management of a terminal in a mobile communication system according to an exemplary embodiment of the present invention.
- FIGS. 7 to 9 and 10 mainly describe the process in which the UE transmits a message and the MME interprets the message transmitted from the UE, but the same applies in the opposite direction unless the operation characteristics are significantly different.
- the form of the messages, other than the context to be transmitted for the operation of the MME and the UE as shown in FIGS. 7 to 9 and 10, is omitted.
- the NAS protocol is used between the terminal and the MME to support the above management.
- these NAS protocols include secured NAS protocols and unsecured NAS protocols, and, to support the EPS NAS protocol, there are EPS mobility management (Evolved Mobility Management, hereinafter referred to as EMM) NAS messages and EPS session management (Evolved Session Management, hereinafter referred to as ESM) NAS messages.
- EMM Evolved Mobility Management
- ESM EPS session management Evolved Session Management
- a request message (handover request, TAU request or attach (detach) request) is generated from the UE
- the MME analyzes the request type in step 401 and operates differently according to handover, location management, and registration request.
- if it is determined in step 401 that the request is a handover request, the MME proceeds to step 411 to perform a handover-related process.
- the UE 110 moves from the NW 1 141 managed by the MME 114 to the NW2 143 managed by the MME 134 in the situation shown in FIG. 1.
- in a handover the Serving Gateway may also be changed, but it is also possible that the Serving Gateway is not changed and only the MME is changed.
- the serving MME (old MME: 114 here) transmits information on the UE that the Serving MME has to the target MME through a message such as FORWARD RELOCATION REQUEST / RESPONSE in step 411.
- the important information transmitted may include security-related parameters such as key set identifier (KSI), authentication parameter (authentication parameter or authentication vector), NAS key set identifier (KSI), NAS encryption key KNASenc or integrity key KNASint.
- KSI key set identifier
- NAS KSI NAS key set identifier
- NAS encryption key KNASenc or integrity key KNASint.
- the target MME checks whether a new user authentication and / or secure mode command process should be performed.
- a security key includes a key set identifier (KSI), an authentication parameter (authentication parameter or authentication vector), a NAS key set identifier (KSI), a NAS encryption key KNASenc, or an integrity key KNASint.
- in step 415 the target MME receives from the UE a TRACKING AREA UPDATE REQUEST (hereinafter referred to as TAU REQUEST) NAS message secured with a security key including a new NAS key set identifier (NAS KSI), NAS encryption key KNASenc, or integrity key KNASint.
- TAU REQUEST a secured TRACKING AREA UPDATE REQUEST
- the MME decrypts the TAU REQUEST with the new security-related parameters, that is, a key set identifier (KSI), an authentication parameter or authentication vector, a NAS key set identifier (KSI), and a security key including a NAS encryption key KNASenc or an integrity key KNASint.
- in step 419 the MME receives from the UE a TAU REQUEST message that the UE generated with the security parameters previously used by the MME and the UE, that is, the previous security-related parameters: an OLD KSI (key set identifier), an OLD authentication parameter or authentication vector, an OLD NAS KSI (key set identifier), and an OLD security key including an OLD NAS encryption key KNASenc or OLD integrity key KNASint.
- the MME itself uses a previous security parameter previously used by the MME and the UE, that is, an OLD KSI (key set identifier), an OLD authentication parameter or an authentication vector, and an OLD NAS KSI (key).
- OLD KSI key set identifier
- an OLD authentication parameter or an authentication vector an OLD NAS KSI (key).
- the target MME receives a secured TRACKING AREA UPDATE REQUEST (hereinafter referred to as TAU REQUEST) from the UE in step 431.
- the TAU REQUEST is generated with the previous security-related parameters used by the previous Serving MME and the UE 110, that is, an OLD KSI (key set identifier), an OLD authentication parameter or authentication vector, an OLD NAS key set identifier (NAS KSI), and an OLD security key including an OLD NAS encryption key KNASenc or an OLD integrity key KNASint.
- the new MME receives security-related parameters from the old MME through a CONTEXT RESPONSE message.
- the new MME needs to know the old MME and the corresponding terminal in order to receive the security parameters from the old MME. That is, when the new MME receives the TAU REQUEST in step 431, it must know the last visited registered tracking area identity (TAI) and the terminal's previous globally unique temporary identifier (GUTI), that is, the OLD GUTI, in order to find out the old MME and the corresponding terminal. At least this information is protected, but not encrypted, so that the new MME can request security parameter information from the old MME.
- TAI tracking area identity
- GUTI globally unique temporary identifier
- OLD GUTI globally unique temporary identifier
- the new MME receives the security parameters from the old MME in step 433 (the new MME receives the NAS KSI, key, authentication parameter, and KSI from the old MME through the context response message) and, in step 435, reads the TAU REQUEST message using the previous security parameters (the new MME interprets the TAU request with the old MME's NAS key, authentication parameters, and KSI).
- the new MME decides whether to perform the authentication process in step 437 (the new MME decides whether or not to do authentication; if the integrity check failed, then it does authentication). In particular, if the security verification fails in step 435, the new MME decides to perform the authentication process. If the authentication process and the NAS SMC (security mode command) process of step 439 are performed, the new MME transmits a TAU ACCEPT message to the UE using the new security parameters in step 441. If the authentication process, the NAS SMC, or the SMC process is not performed in step 439, the new MME transmits a secured TAU ACCEPT message to the UE using the previous security parameters in step 443.
- the new MME receives a secured ATTACH REQUEST NAS message from the UE in step 461.
- the received ATTACH REQUEST is secured with the previous security-related parameters used by the old MME and the UE, that is, an OLD KSI (key set identifier), an OLD authentication parameter or authentication vector, an OLD NAS KSI (key set identifier), and an OLD security key including an OLD NAS encryption key KNASenc or OLD integrity key KNASint.
- the new MME determines whether it has security parameters for the UE 110 in step 463, and if so, the new MME reads the ATTACH REQUEST with those security parameters in step 469. The process proceeds from step 463 to step 469 when the UE has previously registered with the new MME but the registration was terminated for some reason (DETACH), and the UE and the MME still have security-related parameters. On the other hand, if the new MME does not have UE-related security information in step 463, the new MME determines in step 465 whether the security-related parameters are available from the old MME.
- the new MME fails to read the message in step 479 and transmits an error message to the UE. This is to allow the UE to transmit an unsecured message or retransmit the secured message in a later step.
- the new MME reads the ATTACH REQUEST message using the security parameter information transmitted from the old MME in step 469.
- the new MME needs to know the old MME and the corresponding terminal when the new MME receives the ATTACH REQUEST in step 461. For this it must know the Last Visited Registered Tracking Area Identifier (TAI) and the terminal's former temporary identifier (GUTI), that is, the OLD GUTI, and at least this information should not be encrypted, even if it is integrity protected.
- TAI Last Visited Registered Tracking Area Identifier
- GUTI Temporary Terminal Identifier
- the new MME can request security parameter information from the old MME.
- the new MME determines whether to perform the authentication process in steps 471 and 473. In particular, when the security verification fails in step 469, the new MME must perform the authentication process in step 473.
- the new MME transmits and receives NAS messages using the new security parameters in step 475. If the authentication process, the NAS SMC, or the SMC process is not performed at step 473, the new MME may transmit and receive a secured NAS message using a previous security parameter (OLD) at step 477.
- OLD previous security parameter
- FIG. 10 is a flowchart illustrating a procedure for supporting mobility management, location management, and registration management of a terminal according to an embodiment of the present invention. This support procedure will be described focusing on the process of generating, sending, and verifying NAS messages.
- the terminal determines whether it has a key set identifier (KSI), an authentication parameter or authentication vector, a NAS key set identifier (KSI), and a security key including a NAS encryption key KNASenc or an integrity key KNASint.
- KSI serves as an identifier for keys used in the authentication process between the terminal and the MME
- an authentication parameter or an authentication vector means authentication parameters or vector values necessary for authentication.
- NAS KSI is an identifier for distinguishing the keys used to secure the NAS message
- Key is a security-related key: it can be a key related to UE security as well as the NAS security key required for the UE and the MME to communicate with NAS messages, that is, a NAS encryption key KNASenc or an integrity key KNASint.
- KSI is the same as NAS KSI. This KSI may refer to KSIASME or to the KSISGSN value used in handover situations.
- KSIASME, the default security key identifier, is used to identify KASME, which is the default security key; KSI and NAS KSI are the same because the NAS encryption key KNASenc or integrity key KNASint is generated from KASME, the default security key.
- KSISGSN is used in the handover situation from GERAN / UTRAN to the 3GPP LTE network, E-UTRAN, where the KSI is not KSIASME, with K'ASME generated from the encryption key (CK: cipher key) and the authentication key (IK: integrity key).
- CK cipher key
- IK integrity key
- if there are no such security-related values in step 501, in particular if there is no NAS KSI or NAS-related security key, that is, NAS encryption key KNASenc or integrity key KNASint, the terminal creates and transmits an unsecured NAS message in step 513. If there is a NAS KSI or NAS-related security key, the terminal determines whether to transmit a secured message in step 503, and if the terminal does not want to send a secured message, it proceeds to step 513.
- NAS KSI or NAS-related security key that is, NAS encryption key KNASenc or integrity key KNASint
- the terminal creates a NAS message by using the key set identifier (KSI), authentication parameter or authentication vector, NAS KSI (key set identifier), security key, etc. that it has, and sends the generated message.
- the UE then receives a new security related parameter from the MME in step 507.
- the security parameters may include a key set identifier (KSI), an authentication parameter or authentication vector, a NAS key set identifier (KSI), and a security key including a NAS encryption key KNASenc or an integrity key KNASint.
- the security-related parameters as described above may be received from the MME through an authentication process or a security mode command.
- in step 509 the terminal verifies the new security-related parameters it received, that is, a key set identifier (KSI), an authentication parameter or authentication vector, a NAS key set identifier (NAS KSI), and a security key including a NAS encryption key KNASenc or integrity key KNASint.
- after performing the verification process, the terminal generates and transmits a message with the new security-related parameters in step 511.
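The new MME's decision path described above for a TAU REQUEST (steps 431 to 443) and for an ATTACH REQUEST (steps 461 to 477), as an added example that is not code from the patent. HMAC-SHA-256 stands in for the NAS key derivation and integrity algorithms, a per-subscriber key dictionary stands in for the HSS and the authentication exchange, and all class names, function names, and sample values are constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def nas_keys(kasme):
    """(KNASenc, KNASint) from KASME; stand-in KDF, not the 3GPP derivation."""
    return _h(kasme, b"NAS-enc")[:16], _h(kasme, b"NAS-int")[:16]

def nas_mac(kasme, payload):
    """Stand-in integrity tag computed with KNASint."""
    return _h(nas_keys(kasme)[1], payload)[:4]

@dataclass
class Context:                 # security context held by UE and MME
    ksi: int                   # key set identifier that indexes KASME
    kasme: bytes

@dataclass
class Request:                 # TAU REQUEST or ATTACH REQUEST
    kind: str
    old_guti: str              # OLD GUTI and last visited TAI travel in clear
    last_tai: str              # so the new MME can find the old MME first
    ksi: int
    tag: bytes = b""
    def payload(self):
        return "|".join([self.kind, self.old_guti, self.last_tai, str(self.ksi)]).encode()

@dataclass
class Response:
    kind: str                  # "ACCEPT" or "REJECT"
    key_used: str              # "old", "new" or "none"
    tag: bytes = b""

class UE:
    def __init__(self, guti, tai, k, ctx):
        self.guti, self.tai, self.k, self.ctx, self.pending = guti, tai, k, ctx, None
    def request(self, kind):
        req = Request(kind, self.guti, self.tai, self.ctx.ksi)
        req.tag = nas_mac(self.ctx.kasme, req.payload())   # secured with old key
        return req
    def on_auth_request(self, rand, ksi):
        self.pending = Context(ksi, _h(self.k, rand))      # stand-in for AKA
    def on_security_mode_command(self, ksi, tag):
        p = self.pending
        if p is None or p.ksi != ksi or not hmac.compare_digest(
                tag, nas_mac(p.kasme, b"SMC|%d" % ksi)):
            return False       # UE and MME hold different keys: SMC fails
        self.ctx, self.pending = p, None
        return True

class OldMME:
    def __init__(self, contexts):
        self.contexts = contexts
    def context_response(self, guti):
        return self.contexts.get(guti)

class NewMME:
    def __init__(self, mme_by_tai, subscriber_keys):
        # subscriber_keys is a stand-in for the HSS (assumption of this sketch)
        self.mme_by_tai, self.subscriber_keys, self.contexts = mme_by_tai, subscriber_keys, {}
    def handle(self, req, ue):
        ctx = self.contexts.get(req.old_guti)              # own context (step 463)
        if ctx is None:                                    # ask old MME (step 433)
            old = self.mme_by_tai.get(req.last_tai)
            ctx = old.context_response(req.old_guti) if old else None
        if ctx and ctx.ksi == req.ksi and hmac.compare_digest(
                req.tag, nas_mac(ctx.kasme, req.payload())):   # step 435
            self.contexts[req.old_guti] = ctx
            return Response("ACCEPT", "old", nas_mac(ctx.kasme, b"ACCEPT"))  # step 443
        new = self._authenticate_and_smc(req, ue)          # steps 437-439
        if new is None:
            return Response("REJECT", "none")              # keys differ (case 3)
        self.contexts[req.old_guti] = new
        return Response("ACCEPT", "new", nas_mac(new.kasme, b"ACCEPT"))      # step 441
    def _authenticate_and_smc(self, req, ue):
        k = self.subscriber_keys.get(req.old_guti)
        if k is None:
            return None
        rand, ksi = os.urandom(16), (req.ksi + 1) % 7      # constructed new KSI
        ue.on_auth_request(rand, ksi)
        new = Context(ksi, _h(k, rand))
        smc_tag = nas_mac(new.kasme, b"SMC|%d" % ksi)
        return new if ue.on_security_mode_command(ksi, smc_tag) else None

def run_scenarios():
    """Constructed sample data: three UEs arriving at a new MME."""
    k, kasme = os.urandom(32), os.urandom(32)
    old = OldMME({"guti-A": Context(1, kasme), "guti-B": Context(1, os.urandom(32))})
    cases = [("old_key_ok", "guti-A", k), ("reauth", "guti-B", k),
             ("reject", "guti-B", os.urandom(32))]
    out = {}
    for name, guti, ue_k in cases:
        ue = UE(guti, "tai-1", ue_k, Context(1, kasme))
        resp = NewMME({"tai-1": old}, {guti: k}).handle(ue.request("TAU REQUEST"), ue)
        ok = resp.kind == "ACCEPT" and resp.tag == nas_mac(ue.ctx.kasme, b"ACCEPT")
        out[name] = (resp.kind, resp.key_used, ok)
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

The three outcomes correspond to an accept secured with the old key, an accept secured with a new key after authentication and the security mode command, and a reject when the UE and the new MME end up with different keys.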
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (16)
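- A method for processing state information of a terminal in a mobile communication system, the method comprising: transmitting, by the terminal, a state change request message secured with an old key to a new MME; receiving, by the new MME, old key information of the terminal from an old MME; and interpreting, by the new MME, the request message using the old key information and then transmitting a response message to the terminal.
- The method of claim 1, wherein the old key information that the new MME receives from the old MME includes KSIasme, Kasme, and the like.
- The method of claim 1, comprising: generating, by the new MME, a new key when interpretation of the request message with the old key fails, and transmitting a NAS security mode command message including the generated new key information to the terminal; and generating, by the terminal, a new key of the terminal according to the new key information of the new MME, and responding to the new MME to the NAS security mode command.
- The method of claim 3, wherein the new key information generated by the new MME includes a NAS encryption key KNASenc, an integrity key KNASint, and the like; the NAS security mode command message includes a security key identifier (KSI), a UE security capability, a ciphering algorithm to be used, an integrity algorithm to be used, and the like; and the new key information generated by the terminal includes an encryption key (KNASenc), an integrity key (KNASint), and the like, generated based on the basic security key (KASME) indexed by the security key identifier (KSI) of the NAS security mode command message.
- The method of claim 3, further comprising: transmitting, by the new MME, a user authentication request message to the terminal when interpretation of the request message with the old key fails, and responding, by the terminal, to the user authentication request.
- The method of claim 5, wherein the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- The method of any one of claims 1, 3, and 5, wherein the state change request message is one of a handover request message, a TAU request message, or a registration (deregistration) request message.
- A method for processing state information of a terminal in a mobile communication system, the method comprising: transmitting, by the terminal, a state change request message secured with a new key to a new MME; transmitting, by the new MME, a user authentication request message to the terminal, and responding, by the terminal, to the user authentication request; generating, by the new MME, a new key, and transmitting a NAS security mode command message including the generated new key information to the terminal; and generating, by the terminal, a new key of the terminal according to the new key information of the new MME, and responding to the new MME to the NAS security mode command.
- The method of claim 8, wherein the new key information generated by the new MME includes a NAS encryption key KNASenc, an integrity key KNASint, and the like; the NAS security mode command message includes a security key identifier (KSI), a UE security capability, a ciphering algorithm to be used, an integrity algorithm to be used, and the like; and the new key information generated by the terminal includes an encryption key (KNASenc), an integrity key (KNASint), and the like, generated based on the basic security key (KASME) indexed by the security key identifier (KSI) of the NAS security mode command message.
- The method of claim 9, wherein the user authentication request message includes an authentication vector (AUTN) and a security key identifier (KSIASME).
- A method for processing a handover in a mobile communication system, the method comprising: transmitting, by an old MME, a message (forward relocation request message) including old key information of a terminal to a new MME; transmitting, by the terminal, a TAU request message secured with the old key to the new MME; and interpreting and processing, by the new MME, the TAU request message with the old key.
- The method of claim 11, further comprising, when the new MME fails to interpret the TAU request message with the old key: transmitting, by the new MME, a user authentication request message to the terminal, and responding, by the terminal, to the user authentication request; generating, by the new MME, a new key, and transmitting a NAS security mode command message including the generated new key information to the terminal; generating, by the terminal, a new key of the terminal according to the new key information of the new MME, and responding to the new MME to the NAS security mode command; and transmitting, by the terminal, a TAU request message secured with the new key to the new MME, and processing, by the new MME, the message with the new key.
- A method for processing a location update of a terminal in a mobile communication system, the method comprising: transmitting, by the terminal, a TAU request message secured with an old key to a new MME; requesting, by the new MME, information related to the old key of the terminal from the old MME, and receiving the old key information; and interpreting, by the new MME, the TAU request message with the old key and then transmitting a TAU accept message secured with the old key to the terminal.
- The method of claim 13, further comprising, when the new MME fails to interpret the TAU request message with the old key: transmitting, by the new MME, a user authentication request message to the terminal, and responding, by the terminal, to the user authentication request; generating, by the new MME, a new key, and transmitting a NAS security mode command message including the generated new key information to the terminal; generating, by the terminal, a new key of the terminal according to the new key information of the new MME, and responding to the new MME to the NAS security mode command; and transmitting, by the terminal, a TAU request message secured with the new key to the new MME, and processing, by the new MME, the message with the new key.
- A method for processing registration of a terminal in a mobile communication system, the method comprising: transmitting, by the terminal, a registration request message secured with an old key to a new MME; requesting, by the new MME, information related to the old key of the terminal from the old MME, and receiving the old key information; and interpreting, by the new MME, the registration request message with the old key and then transmitting a registration accept message secured with the old key to the terminal.
- The method of claim 15, further comprising, when the new MME fails to interpret the registration request message with the old key: transmitting, by the new MME, a user authentication request message to the terminal, and responding, by the terminal, to the user authentication request; generating, by the new MME, a new key, and transmitting a NAS security mode command message including the generated new key information to the terminal; generating, by the terminal, a new key of the terminal according to the new key information of the new MME, and responding to the new MME to the NAS security mode command; and transmitting, by the terminal, a registration request message secured with the new key to the new MME, and processing, by the new MME, the message with the new key.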
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19175614.7A EP3554113A1 (en) | 2008-08-15 | 2009-08-14 | Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system |
JP2011522916A JP5390611B2 (ja) | 2008-08-15 | 2009-08-14 | Secured non-access stratum protocol processing method of a mobile communication system |
US13/059,227 US8638936B2 (en) | 2008-08-15 | 2009-08-14 | Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system |
CN200980140975.1A CN102187599B (zh) | 2008-08-15 | 2009-08-14 | Security protected non-access stratum protocol operation supporting method in a mobile communication system |
EP09806882.8A EP2315371A4 (en) | 2008-08-15 | 2009-08-14 | SAFETY PROTECTED METHOD FOR SUPPORTING NON-ACCESSIBLE LAYER PROTOCOL OPERATION IN A MOBILE TELECOMMUNICATIONS SYSTEM |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2008-0080205 | 2008-08-15 | ||
KR20080080205 | 2008-08-15 |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2010019020A2 WO2010019020A2 (ko) | 2010-02-18 |
WO2010019020A3 WO2010019020A3 (ko) | 2010-07-22 |
WO2010019020A9 true WO2010019020A9 (ko) | 2010-09-10 |
Family
ID=41669507
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2009/004570 WO2010019020A2 (ko) | 2008-08-15 | 2009-08-14 | Secured non-access stratum protocol processing method of a mobile communication system |
Country Status (6)
Country | Link |
---|---|
US (1) | US8638936B2 (ko) |
EP (2) | EP3554113A1 (ko) |
JP (1) | JP5390611B2 (ko) |
KR (1) | KR101579757B1 (ko) |
CN (1) | CN102187599B (ko) |
WO (1) | WO2010019020A2 (ko) |
- 2009
- 2009-08-14 WO PCT/KR2009/004570 patent/WO2010019020A2/ko active Application Filing
- 2009-08-14 EP EP19175614.7A patent/EP3554113A1/en not_active Ceased
- 2009-08-14 CN CN200980140975.1A patent/CN102187599B/zh active Active
- 2009-08-14 KR KR1020090075379A patent/KR101579757B1/ko active IP Right Grant
- 2009-08-14 EP EP09806882.8A patent/EP2315371A4/en not_active Ceased
- 2009-08-14 US US13/059,227 patent/US8638936B2/en active Active
- 2009-08-14 JP JP2011522916A patent/JP5390611B2/ja active Active
Also Published As
Publication number | Publication date |
---|---|
JP2012500511A (ja) | 2012-01-05 |
EP2315371A2 (en) | 2011-04-27 |
US20110142239A1 (en) | 2011-06-16 |
WO2010019020A3 (ko) | 2010-07-22 |
KR101579757B1 (ko) | 2015-12-24 |
US8638936B2 (en) | 2014-01-28 |
CN102187599A (zh) | 2011-09-14 |
EP3554113A1 (en) | 2019-10-16 |
WO2010019020A2 (ko) | 2010-02-18 |
JP5390611B2 (ja) | 2014-01-15 |
KR20100021385A (ko) | 2010-02-24 |
CN102187599B (zh) | 2015-04-01 |
EP2315371A4 (en) | 2015-10-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | WWE | Wipo information: entry into national phase | Ref document number: 200980140975.1 Country of ref document: CN |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09806882 Country of ref document: EP Kind code of ref document: A2 |
| | ENP | Entry into the national phase | Ref document number: 2011522916 Country of ref document: JP Kind code of ref document: A |
| | WWE | Wipo information: entry into national phase | Ref document number: 13059227 Country of ref document: US Ref document number: 2009806882 Country of ref document: EP |
| | NENP | Non-entry into the national phase | Ref country code: DE |