Secure signaling before performing an authentication and key agreement

US 10,588,019 B2
Filed: 11/07/2016
Issued: 03/10/2020
Est. Priority Date: 05/05/2016
Status: Active Grant

First Claim

Patent Images

1. A method of wireless communication at a wireless communication device, comprising:

generating a secured query message based at least in part on a cryptography based security credential of the wireless communication device, wherein the secured query message comprises an indication of cipher suites supported by the wireless communication device and is generated prior to performing an authentication and key agreement (AKA) with a network;

transmitting, to a network device, the secured query message to the network prior to performing the AKA with the network;

receiving, from the network device, a response to the secured query message prior to performing the AKA with the network, wherein the response includes a network security credential;

transmitting, to the network device, a first message including an encrypted pre-master secret based at least in part on the network security credential;

receiving, from the network device, a second message based at least in part on the transmitted first message including the encrypted pre-master secret;

determining whether the wireless communication device and the network device derived the same session key based at least in part on the received second message; and

determining whether to perform the AKA with the network based at least in part on the determination of whether the wireless communication device and the network device derived the same session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for wireless communication. A wireless device may generate a secured query message based at least in part on a security credential of the wireless device. The secured query message may be generated prior to performing an authentication and key agreement (AKA) with a network. The wireless device may transmit the secured query message to the network, and receive a response to the secured query message. The wireless device may then determine whether or not to perform the AKA with the network based on the received response (e.g., the wireless device may determine whether or not the response is associated with the security credential of the wireless communication device and a network security credential of the network). The wireless device may establish a secure connection with the network or refrain from considering the response based on the determination.

28 Citations

30 Claims

1. A method of wireless communication at a wireless communication device, comprising:
- generating a secured query message based at least in part on a cryptography based security credential of the wireless communication device, wherein the secured query message comprises an indication of cipher suites supported by the wireless communication device and is generated prior to performing an authentication and key agreement (AKA) with a network;
  
  transmitting, to a network device, the secured query message to the network prior to performing the AKA with the network;
  
  receiving, from the network device, a response to the secured query message prior to performing the AKA with the network, wherein the response includes a network security credential;
  
  transmitting, to the network device, a first message including an encrypted pre-master secret based at least in part on the network security credential;
  
  receiving, from the network device, a second message based at least in part on the transmitted first message including the encrypted pre-master secret;
  
  determining whether the wireless communication device and the network device derived the same session key based at least in part on the received second message; and
  
  determining whether to perform the AKA with the network based at least in part on the determination of whether the wireless communication device and the network device derived the same session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - establishing a secure connection with the network based at least in part on the cryptography based security credential of the wireless communication device and the network security credential of the network;
      
      wherein the secured query message is transmitted to the network using the secure connection.
  - 3. The method of claim 2, wherein establishing the secure connection comprises:
    - establishing the secure connection with a core network.
  - 4. The method of claim 2, wherein establishing the secure connection comprises:
    - performing a transport layer security (TLS) handshake over a non-access stratum (NAS).
  - 5. The method of claim 2, wherein establishing the secure connection comprises:
    - establishing the secure connection with a network access device.
  - 6. The method of claim 2, wherein establishing the secure connection comprises:
    - performing a TLS handshake over a radio resource control (RRC) connection.
  - 7. The method of claim 2, further comprising:
    - performing the AKA using the secure connection.
  - 8. The method of claim 2, wherein the wireless communication device is associated with a first mobile network of a home mobile network operator (MNO), the method further comprising obtaining at least one of:
    - a first security credential of a roaming MNO from the first mobile network;
      
      or a second security credential of the roaming MNO from a second mobile network of the roaming MNO, the second security credential signed by the home MNO;
      
      or a third security credential of the roaming MNO from a certificate authority common to the home MNO and the roaming MNO;
      
      or a combination thereof.
  - 9. The method of claim 1, further comprising:
    - determining the response is not associated with;
      
      the cryptography based security credential of the wireless communication device, the network security credential of the network, or a combination thereof; and
      
      refraining from considering the response when determining whether to perform the AKA with the network.
  - 10. The method of claim 1, further comprising:
    - determining the network supports receipt of the secured query message.
  - 11. The method of claim 10, wherein the determining is based at least in part on a network advertisement.
  - 12. The method of claim 1, further comprising:
    - receiving a non-secured message from the network;
      
      wherein the secured query message is generated in response to the non-secured message.
  - 13. The method of claim 1, wherein the secured query message is further generated based at least in part on the network security credential of the network.
  - 14. The method of claim 1, wherein the secured query message is secured based at least in part on pairing-based cryptography.
  - 15. The method of claim 14, wherein the pairing-based cryptography comprises at least one of:
    - an identity-based encryption, an identity-based signature, or a combination thereof.
  - 16. The method of claim 1, further comprising:
    - determining the response is associated with the cryptography based security credential of the wireless communication device and the network security credential of the network; and
      
      determining whether to perform the AKA with the network based at least in part on the response.
  - 17. The method of claim 1, wherein the secured query message comprises:
    - an access request, a network capability query, a service query, or a combination thereof.
  - 18. The method of claim 1, wherein the response comprises a message that causes the wireless communication device a denial of service.

19. A method for wireless communication at a network device, comprising:
- receiving a secured query message over a network, from a wireless communication device, prior to performing an authentication and key agreement (AKA) with the wireless communication device, wherein the secured query message comprises an indication of cipher suites supported by the wireless communication device and is based at least in part on a cryptography based security credential of the wireless communication device;
  
  generating, in response to receiving the secured query message, a secured response message based at least in part on a network security credential of the network device;
  
  transmitting the secured response message to the wireless communication device prior to performing the AKA with the wireless communication device;
  
  receiving a first message including an encrypted pre-master secret based at least in part on the network security credential; and
  
  deriving a session key based at least in part on the encrypted pre-master secret; and
  
  transmitting a second message based at least in part on the derived session key.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19, further comprising:
    - establishing a secure connection with the wireless communication device based at least in part on the cryptography based security credential of the wireless communication device and the network security credential of the network device;
      
      wherein the secured query message is received over the network using the secure connection.
  - 21. The method of claim 20, wherein the network device comprises at least one of:
    - a network access device, a core network device, or a combination thereof.
  - 22. The method of claim 20, wherein the secure connection comprises a transport layer security (TLS) handshake over a non-access stratum (NAS).
  - 23. The method of claim 20, wherein the secure connection comprises a TLS handshake over a radio resource control (RRC) connection.
  - 24. The method of claim 20, further comprising:
    - performing the AKA with the wireless communication device using the secure connection.
  - 25. The method of claim 20, wherein the wireless communication device and the network device are associated with a first mobile network of a home mobile network operator (MNO), the method further comprising:
    - transmitting to the wireless communication device, over the first mobile network, a security credential of a roaming MNO.
  - 26. The method of claim 19, wherein the secured query message is further based at least in part on the network security credential of the network device.
  - 27. The method of claim 19, wherein the secured query message is secured based at least in part on pairing-based cryptography.
  - 28. The method of claim 19, wherein the secured query message comprises:
    - an access request, a network capability query, a service query, or a combination thereof.

29. An apparatus for wireless communication, comprising:
- a processor;
  
  memory in electronic communication with the processor; and
  
  the processor and the memory configured to;
  
  generate a secured query message based at least in part on a cryptography based security credential of the wireless communication apparatus, wherein the secured query message comprises an indication of cipher suites supported by the wireless communication apparatus and is generated prior to performing an authentication and key agreement (AKA) with a network;
  
  transmit, to a network device, the secured query message to the network prior to performing the AKA with the network;
  
  receive, from the network device, a response to the secured query message prior to performing the AKA with the network, wherein the response includes a network security credential;
  
  transmit, to the network device, a first message including an encrypted pre-master secret based at least in part on the network security credential;
  
  receive, from the network device, a second message based at least in part on the transmitted first message including the encrypted pre-master secret;
  
  determine whether the wireless communication apparatus and the network device derived the same session key based at least in part on the received second message; and
  
  determine whether to perform the AKA with the network based at least in part on the determination of whether the wireless communication apparatus and the network device derived the same session key.

30. A non-transitory computer-readable medium storing computer-executable code for wireless communication, the code comprising instructions executable to:
- generate a secured query message based at least in part on a cryptography based security credential of a wireless communication device, wherein the secured query message comprises an indication of cipher suites supported by the wireless communication device and is generated prior to performing an authentication and key agreement (AKA) with a network;
  
  transmit, to a network device, the secured query message to the network prior to performing the AKA with the network;
  
  receive, from the network device, a response to the secured query message prior to performing the AKA with the network, wherein the response includes a network security credential;
  
  transmit, to the network device, a first message including an encrypted pre-master secret based at least in part on the network security credential;
  
  receive, from the network device, a second message based at least in part on the transmitted first message including the encrypted pre-master secret;
  
  determine whether the wireless communication apparatus and the network device derived the same session key based at least in part on the received second message; and
  
  determine whether to perform the AKA with the network based at least in part on the determination of whether the wireless communication apparatus and the network device derived the same session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Lee, Soo Bum, Chaponniere, Lenaig Genevieve, Palanigounder, Anand, Escott, Adrian Edward, Horn, Gavin Bernard
Primary Examiner(s)
Tran, Khoi H
Assistant Examiner(s)
Hannan, B M M

Application Number

US15/345,077
Publication Number

US 20170325094A1
Time in Patent Office

1,219 Days
Field of Search

455411
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04W 12/037   of the control plane, e.g. ...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/062   Pre-authentication

H04W 12/08   Access security

H04W 12/122   Counter-measures against at...

Secure signaling before performing an authentication and key agreement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Secure signaling before performing an authentication and key agreement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others