Secured map messages for telecommunications networks

US 20020052200A1
Filed: 09/07/2001
Published: 05/02/2002
Est. Priority Date: 09/11/2000
Status: Active Grant

First Claim

Patent Images

1. A method of sending a mobile application part (MAP) protocol message between a first network element of a first telecommunications network and a second network element of a second telecommunications network, the method comprising:

at the first network element using a master security association to derive a connection-specific security association for use by the first network element;

including a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;

at the second network element, upon receipt of the MAP message using the master security association to derive a connection-specific security association for use by the second network element;

using the connection-specific security association for use by the second network element to decrypt/decode the MAP message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encrypted/authenticated mobile application part (MAP) protocol message is sent between a first network element (42A) of a first telecommunications network (40A) and a second network element (42B) of a second telecommunications network (40B). The first network element uses a master security association to derive a connection-specific security association, and includes in the encrypted/authenticated MAP message a parameter obtained from the connection-specific security association. Upon receipt at the second network element, the master security association is used to derive a connection-specific security association for use by the second network element. The second network element uses the connection-specific security association to decrypt/decode the MAP message.

Citations

34 Claims

1. A method of sending a mobile application part (MAP) protocol message between a first network element of a first telecommunications network and a second network element of a second telecommunications network, the method comprising:
- at the first network element using a master security association to derive a connection-specific security association for use by the first network element;
  
  including a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;
  
  at the second network element, upon receipt of the MAP message using the master security association to derive a connection-specific security association for use by the second network element;
  
  using the connection-specific security association for use by the second network element to decrypt/decode the MAP message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The method of claim 1, further comprising negotiating the master security association between the first telecommunications network and the second telecommunications network.
  - 3. The method of claim 2, further comprising performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over a network which differs from a network over which the MAP message is sent.
  - 4. The method of claim 3, further comprising performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over an Internet Protocol network.
  - 5. The method of claim 4, further comprising performing negotiating of the master security association between the first telecommunications network and the second telecommunications network using an Internet Key Exchange Protocol (IKE).
  - 6. The method of claim 3, further comprising sending the MAP message over a Signaling System No. 7 network.
  - 7. The method of claim 1, wherein the master security association is a set of security parameters that includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 8. The method of claim 2, further comprising using a key administration center of the first telecommunications network and a key administration center of the second telecommunications network to negotiate the master security association.
  - 9. The method of claim 1, wherein the master security association includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 10. The method of claim 1, wherein the connection-specific security association is a set of security parameters that specifies a cryptographic key used in communication between the first network element and the second network element.
  - 11. The method of claim 1, further comprising at least one of the following:
    - the first network element requesting the master security association from a key administration center of the first telecommunications network;
      
      the second network element requesting the master security association from a key administration center of the second telecommunications network.
  - 12. The method of claim 11, wherein at least one of the requesting actions is implementing utilizing an Internet Protocol.
  - 13. The method of claim 1, wherein the parameter included in the MAP message comprises security information that is required in order to extract protected information from the MAP message.
  - 14. The method of claim 13, further comprising including a Security Parameters Index (SPI) in the MAP message.
  - 15. The method of claim 14, further comprising including the Security Parameters Index (SPI) in a MAP Security Header in the MAP message.
  - 16. The method of claim 13, further comprising including in the MAP message along with the parameter a sending network identifier, and wherein the parameter in conjunction with the sending network identifier identifies a master security association.
  - 17. The method of claim 16, wherein the sending network identifier is a PLMNID value, the PLMNID value being formed from the Mobile Country Code (MCC) and Mobile Network Code (MNC).
  - 19. The system of claim 18, wherein the first telecommunications network further comprises a first key administration center and the second telecommunications network comprises a second key administration center, and wherein the first key administration center and the second key administration center negotiate the master security association.
  - 20. The system of claim 19, wherein the first key administration center and the second key administration center negotiate the master security association over a network which differs from a network over which the MAP message is sent.
  - 21. The system of claim 20, wherein the first key administration center and the second key administration center negotiate the master security association over an Internet Protocol network.
  - 22. The system of claim 21, wherein the first key administration center and the second key administration center negotiate the master security association using an Internet Key Exchange Protocol (IKE).
  - 23. The system of claim 18, further comprising a Signaling System No. 7 network over which the MAP message is sent.
  - 24. The system of claim 18, wherein the master security association is a set of security parameters that includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 25. The system of claim 18, wherein the connection-specific security association is a set of security parameters that specifies a cryptographic key used in communication between the first network element and the second network element.
  - 26. The system of claim 18, wherein the first network element requests the master security association from a key administration center of the first telecommunications network.
  - 27. The system of claim 26, wherein the first network element requests the master security association from a key administration center of the first telecommunications network using an Internet Protocol.
  - 28. The system of claim 18, wherein the second network element requests the master security association from a key administration center of the second telecommunications network.
  - 29. The system of claim 28, wherein the second network element requests the master security association from a key administration center of the second telecommunications network using an Internet Protocol.
  - 30. The system of claim 18, wherein the parameter included in the MAP message comprises security information that is required in order to extract protected information from the MAP message.
  - 31. The system of claim 30, wherein a Security Parameters Index (SPI) is included in the MAP message.
  - 32. The system of claim 31, wherein the Security Parameters Index (SPI) is included in a MAP Security Header in the MAP message.
  - 33. The system of claim 18, further comprising a sending network identifier included in the MAP message along with the parameter;
    - and wherein the parameter in conjunction with the sending network identifier identifies a master security association.
  - 34. The system of claim 33, wherein the sending network identifier is a PLMNID value, the PLMNID value being formed from the Mobile Country Code (MCC) and Mobile Network Code (MNC).

18. A telecommunications system comprising a first telecommunications network and a second telecommunications network, the system comprising:
- a first network element of the first telecommunications network which uses a master security association to derive a connection-specific security association for use by the first network element and which includes a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;
  
  a second network element belonging to the second telecommunications network, the second network element being configured, upon receipt of the MAP message, to use the master security association to derive a connection-specific security association for the second network element and to use the connection-specific security association for the second network element to decrypt/decode the MAP message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Arkko, Jari, Blom, Rolf, Turtiainen, Esa

Granted Patent

US 7,181,012 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/432.1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/18   using different networks or...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 92/02   Inter-networking arrangements

Secured map messages for telecommunications networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Secured map messages for telecommunications networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links