1. Security policy distribution to communication terminals
    Type: Granted patent (in force)

    Publication number: US08819765B2

    Publication date: 2014-08-26

    Application number: US12863746

    Filing date: 2008-01-22

    IPC classification: G06F17/00 H04L29/06

    Abstract: A method and arrangement for distributing a security policy to a communication terminal that is associated with a home communication network but is present in a visited communication network. The home communication network generates its own preferred security policy Ph, and the visited communication network generates its own preferred security policy Pv. A communication network entity in the visited communication network combines the two security policies and selects the security algorithms and/or functions to apply from the combined security policy. By generating security policy vectors for both networks and combining them before the security algorithms are selected, both networks are able to influence the selection without requiring the use of signaling messages.


2. Method and arrangement in a telecommunication system
    Type: Granted patent (in force)

    Publication number: US08660270B2

    Publication date: 2014-02-25

    Application number: US12677675

    Filing date: 2008-05-20

    IPC classification: H04L9/32 H04M1/66

    Abstract: A security key, K_eNB, for protecting RRC/UP traffic between a User Equipment (UE) and a serving eNodeB is established by a method and an arrangement in a Mobility Management Entity (MME) and in said UE of an Evolved Packet System (EPS). The MME and the UE derive the security key K_eNB from at least a NAS uplink sequence number, NAS_U_SEQ, sent from the UE to the MME, and from an Access Security Management Entity key, K_ASME, shared between the MME and the UE.


3. Method and apparatus for establishing a security association
    Type: Granted patent (in force)

    Publication number: US08122240B2

    Publication date: 2012-02-21

    Application number: US11305329

    Filing date: 2005-12-19

    IPC classification: H04L29/06

    Abstract: A method for establishing a security association between a client and a service node for the purpose of pushing information from the service node to the client, where the client and a key server share a base secret. The method comprises: sending a request for generation and provision of a service key from the service node to the key server, the request identifying the client and the service node; generating a service key at the key server using the identities of the client and the service node, the base secret, and additional information; sending the service key to the service node together with said additional information; forwarding said additional information from the service node to the client; and, at the client, generating said service key using the received additional information and the base secret. A similar approach may be used to provide p2p key management.


4. Cryptographic key management in communication networks
    Type: Granted patent (in force)

    Publication number: US08094817B2

    Publication date: 2012-01-10

    Application number: US11857621

    Filing date: 2007-09-19

    IPC classification: H04L9/00

    Abstract: An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity (TCE) creates a master key (Mk), which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between the two nodes that hold the key in the respective access networks when a User Equipment (UE) terminal changes access. The transformation of the Mk is performed via a one-way function, so that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and the type of UE/identity module with which the transformed key is to be used. The Mk is never used directly, but only to derive the keys that directly protect the access link.


5. Key Establishment for Relay Node in a Wireless Communication System
    Type: Patent application (under examination, published)

    Publication number: US20110305339A1

    Publication date: 2011-12-15

    Application number: US12964991

    Filing date: 2010-12-10

    IPC classification: H04K1/00

    Abstract: Techniques for providing additional security for the wireless interface between a relay node and a donor base station are based on a security association established between the relay node and the donor base station. In an example method implemented in a relay node, communications with a donor base station are established and a first cryptographic key is generated according to a radio access protocol. A security association between the relay node and the donor base station is then established using a credential stored at the relay node, and a second cryptographic key is derived from the first cryptographic key using the stored credential, one or more parameters relating to the security association, or information exchanged within the security association. The second key is used to protect user plane data relayed from one or more mobile terminals to the donor base station.


6. USER AUTHENTICATION
    Type: Patent application (in force)

    Publication number: US20110302627A1

    Publication date: 2011-12-08

    Application number: US13201694

    Filing date: 2009-02-18

    IPC classification: G06F21/00 G06F7/04

    Abstract: A method of authenticating access to a service comprises: a) receiving at a mobile terminal, over a bi-directional near-field communication channel between the mobile terminal and a browser, at least part of the identifier of a service; b) comparing, at the mobile terminal, at least part of the identifier received at the mobile terminal with a set of identifiers stored in the mobile device; and c) authenticating access to the service on the basis of whether at least part of the identifier received at the mobile terminal matches an identifier in the set. The mobile terminal may store a set of URLs, and may compare a received URL (or partial URL) with the set of stored URLs. It may generate an alert to the user if at least part of the URL received at the mobile terminal does not match a stored URL. User names and keys need not be stored on the web browser, so the web browser does not need to maintain a password database. This improves security, since a password database would be vulnerable to malicious code.


7. METHOD AND ARRANGEMENT FOR CREATION OF ASSOCIATION BETWEEN USER EQUIPMENT AND AN ACCESS POINT
    Type: Patent application (in force)

    Publication number: US20110256850A1

    Publication date: 2011-10-20

    Application number: US13140818

    Filing date: 2008-12-19

    IPC classification: H04W12/06

    Abstract: Methods, apparatus, and computer program products are disclosed for creating an association between a first user equipment and at least one access point, assisted by a registration server in a telecommunication network. The registration server responds to a first contact request, carried out using a first association number for the access point provided by the first user equipment; receives a first association request for the association with the access point, provided by the first user equipment; authorizes the first association request based on first authorization information provided by the first user equipment; and registers the association between the first user equipment and the access point in response to authorization of the first association request. The first user equipment is thereby associated with the access point, and the association is administered by the registration server.


9. Wireless LAN Mobility
    Type: Patent application (in force)

    Publication number: US20100284368A1

    Publication date: 2010-11-11

    Application number: US12743694

    Filing date: 2007-11-23

    IPC classification: H04W36/00 H04W84/02

    Abstract: A method of performing hand-off of a Mobile Node from a previous Access Point to a new Access Point within a WLAN domain, where the previous and new Access Points are connected respectively to previous and new Access Routers. The method comprises, following a MAC authentication exchange between the Mobile Node and the new Access Point: sending a MAC Reassociation Request from the Mobile Node to the new Access Point; forwarding said Reassociation Request to said new Access Router; sending the Reassociation Request from said new Access Router to said previous Access Router within an IP hand-off request; and authenticating the Reassociation Request at the previous Access Router and initiating the tunnelling of IP packets received at the previous Access Router and destined for said Mobile Node towards said new Access Router.
