Method and apparatus for security of IP security tunnel using public key infrastructure in mobile communication network

US 20060105741A1
Filed: 11/18/2005
Published: 05/18/2006
Est. Priority Date: 11/18/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for security of an IP security tunnel using public key infrastructure in a security gateway of a mobile communication network, the method comprising the steps of:

receiving a request message from a mobile node which relates to a security service requested by the mobile node;

determining if there is security association (SA) for the security service, and determining if there is a public key related to a peer address when the SA does not exist;

sending a certificate request message to a certificate authority (CA) when the public key does not exist, and receiving a certificate response message from the certificate authority which has a certificate that comprises a public key related to the peer address;

performing an internet key exchange and SA establishment procedure with a peer corresponding to the peer address by using the certificate;

completing the internet key exchange and the SA establishment; and

encrypting a packet received from the mobile node by means of the public key, transmitting the encrypted packet to the peer, decrypting a packet received from the peer by means of a private key corresponding to the public key, and transmitting the decrypted packet to the mobile node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is provided for security of an IP security tunnel using public key infrastructure, including the steps of receiving a request message which relates to a security service requested by a mobile node, determining if there is security association (SA) for the security service and determining if there is a public key related to a peer address when the SA does not exist, sending a certificate request message to a certificate authority (CA) when the public key does not exist and receiving a certificate response message which has a certificate that includes a public key. The method further includes the steps of performing an internet key exchange and SA establishment procedure with a peer corresponding to the peer address by using the certificate, completing the internet key exchange and the SA establishment, and encrypting a packet received from the mobile node, transmitting the encrypted packet to the peer, decrypting a packet received from the peer, and transmitting the decrypted packet to the mobile node.

82 Citations

View as Search Results

44 Claims

1. A method for security of an IP security tunnel using public key infrastructure in a security gateway of a mobile communication network, the method comprising the steps of:
- receiving a request message from a mobile node which relates to a security service requested by the mobile node;
  
  determining if there is security association (SA) for the security service, and determining if there is a public key related to a peer address when the SA does not exist;
  
  sending a certificate request message to a certificate authority (CA) when the public key does not exist, and receiving a certificate response message from the certificate authority which has a certificate that comprises a public key related to the peer address;
  
  performing an internet key exchange and SA establishment procedure with a peer corresponding to the peer address by using the certificate;
  
  completing the internet key exchange and the SA establishment; and
  
  encrypting a packet received from the mobile node by means of the public key, transmitting the encrypted packet to the peer, decrypting a packet received from the peer by means of a private key corresponding to the public key, and transmitting the decrypted packet to the mobile node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as claimed in claim 1, wherein the request message comprises a CPCRQ (Create Packet Data Protocol Context Request) message, which includes a specific access point name (APN) related to an IP security service requested by the mobile node.
  - 3. The method as claimed in claim 1, wherein the request message comprises an authentication protocol message, which includes security area information of a network access identifier (NAI) related to the IP security service which is requested by the mobile node in an authentication procedure after a link control protocol (LCP) is established with respect to the mobile node.
  - 4. The method as claimed in claim 3, further comprising a step of:
    - receiving an IP though internet protocol control protocol (IPCP) negotiation with the mobile node after completing the authentication procedure.
  - 5. The method as claimed in claim 3, wherein the authentication protocol message comprises one message selected from a password authentication protocol (PAP) request message and a challenge handshake authentication protocol (CHAP) response message.
  - 6. The method as claimed in claim 1, further comprising a step of:
    - transmitting a response message to the mobile node when the SA establishment has been completed.
  - 7. The method as claimed in claim 1, further comprising a step of:
    - transmitting the response message to the mobile node without delay when the SA exists.
  - 8. The method as claimed in claim 6 or 7, wherein the response message comprises a CPCRP (Create Packet Data Protocol Context Response) message.
  - 9. The method as claimed in claim 1, further comprising a step of:
    - performing the internet key exchange and SA establishment procedure with the peer without delay when the public key exists.
  - 10. The method as claimed in claim 1, wherein the certificate comprises at least one of a public key of the peer, an identifier (ID), IP security policy, and a digital signature.
  - 11. The method as claimed in claim 1, further comprising a steps of:
    - performing encryption and decryption of the packets by means of a session key created by the security gateway in the case of using a key update function when the SA establishment has been completed; and
      
      performing a key update procedure when lifetime of the session key elapses.
  - 12. The method as claimed in claim 1, further comprising a step of:
    - inserting a failure reason value into a cause field of the response message in order to transmit the failure reason value to the mobile node when the SA establishment fails.
  - 13. The method as claimed in claim 1, further comprising a step of:
    - transmitting a message comprising information notifying the mobile node of restriction to access a server to the mobile node when the SA establishment fails, or stopping provision of the security service after a predetermined period of time has lapsed when the SA establishment fails.

14. A method for security of an IP security tunnel using public key infrastructure in a security gateway of a mobile communication network, the method comprising the steps of:
- creating a tunnel in cooperation with a service node providing a service to a mobile node, and receiving a packet having a security-required peer address through the created tunnel;
  
  buffering the received packet, and determining if security association (SA) for the security-required peer address has been established;
  
  determining if there is a public key related to the peer address when the SA does not exist;
  
  sending a certificate request message to a certificate authority (CA) when the public key does not exist, and receiving a certificate response message which has a certificate comprising a public key related to the peer address from the certificate authority;
  
  performing an internet key exchange and SA establishment procedure with a peer corresponding to the peer address by using the certificate; and
  
  encrypting a packet received from the mobile node by means of the public key to transmit the encrypted packet to the peer when the internet key exchange and the SA establishment are completed, and decrypting a packet received from the peer by means of a private key corresponding to the public key to transmit the decrypted packet to the mobile node.
- View Dependent Claims (15, 16, 17)
- - 15. The method as claimed in claim 14, further comprising a step of:
    - performing the internet key exchange and SA establishment procedure with the peer without delay when the public key exists.
  - 16. The method as claimed in claim 14, wherein the certificate comprises at least one of a public key of the peer, an identifier (ID), IP security policy, and a digital signature.
  - 17. The method as claimed in claim 14, further comprising a steps of:
    - performing encryption and decryption of the packets by means of a session key created by the security gateway in the case of using a key update function when the SA establishment has been completed; and
      
      performing a key update procedure when lifetime of the session key elapses.

18. A method for security of an IP security tunnel using public key infrastructure in a mobile communication network, the method comprising the steps of:
- creating, by a security gateway for a mobile node, a new key pair containing a public key and a private key in order to change public/private keys used to communicate with the mobile node and a peer, and sending a key update request message including the new key pair to a certificate authority;
  
  storing, by the certificate authority, an existing certificate of the security gateway in a certification revocation list, creating a certificate response message having a new certificate including the new key pair, and transmitting the certificate response message to the security gateway;
  
  storing, by the security gateway, a pre-stored certificate in a certification revocation list of the security gateway, storing the new certificate, and transmitting a confirmation message to the certificate authority; and
  
  broadcasting, by the certificate authority, a certificate announcement message including the new certificate to authentication clients which are managed by the certificate authority in response to the confirmation message.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method as claimed in claim 18, further comprising a step of:
    - performing, by the security gateway, internet key negotiation with the peers after the confirmation message is transmitted.
  - 20. The method as claimed in claim 18, further comprising a step of:
    - managing, by the security gateway, a security gateway-relation table which comprises at least one of the certificate, the private key, and the certification revocation list.
  - 21. The method as claimed in claim 20, wherein the certificate for each security gateway comprises at least one of an interface ID, a public key of the security gateway, a digital signature, and IP security policy.
  - 22. The method as claimed in claim 18, further comprising a step of:
    - managing, by the security gateway, a peer-relation table which comprises at least one of a certificate for each peer, an interface address of the security gateway, an inbound/outbound session key, and lifetime of the session key.
  - 23. The method as claimed in claim 22, wherein the certificate for each peer comprises at least one of a peer ID, a peer'"'"'s public key, a digital signature, and IP security policy.

24. An apparatus for security of an IP security tunnel using public key infrastructure in a security gateway of a mobile communication network, the apparatus comprising:
- a mobile node for generating a request message related to a security service to transmit the request message to the security gateway, and transmitting/receiving packet data;
  
  the security gateway for determining if there is security association (SA) for the security service, determining if there is a public key related to a peer address when the SA does not exist, sending a certificate request message to a certificate authority (CA) when the public key does not exist, receiving a certificate response message which has a certificate including a public key related to the peer address from the certificate authority, performing an internet key exchange and SA establishment procedure with a peer corresponding to the peer address by using the certificate, encrypting a packet received from the mobile node by means of the public key, transmitting the encrypted packet to the peer when the internet key exchange and the SA establishment has been completed, decrypting a packet received from the peer by means of a private key corresponding to the public key, and transmitting the decrypted packet to the mobile node; and
  
  the certificate authority for transmitting a certificate response message, which has the certificate including the public key related to the peer address, to the security gateway when the certificate request message is received from the security gateway.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 25. The apparatus as claimed in claim 24, wherein the mobile node is configured to create a tunnel in cooperation with the security gateway and transmit a packet having a security-required peer address to the security gateway through the created tunnel.
  - 26. The apparatus as claimed in claim 25, wherein the security gateway is configured to buffer the received packet and determine if SA for the security-required peer address has been established.
  - 27. The apparatus as claimed in claim 24, wherein the request message comprises a CPCRQ (Create Packet Data Protocol Context Request) message, which comprises a specific access point name (APN) related to an IP security service requested by the mobile node.
  - 28. The apparatus as claimed in claim 24, wherein the request message comprises an authentication protocol message, which includes security area information of a network access identifier (NAI) related to the IP security service that is requested by the mobile node in an authentication procedure after a link control protocol (LCP) is established with respect to the mobile node.
  - 29. The apparatus as claimed in claim 28, wherein the security gateway is configured to receive an IP though internet protocol control protocol (IPCP) negotiation with the mobile node after completing the authentication procedure.
  - 30. The apparatus as claimed in claim 28, wherein the authentication protocol message comprises one message selected from a password authentication protocol (PAP) request message and a challenge handshake authentication protocol (CHAP) response message.
  - 31. The apparatus as claimed in claim 28, wherein the security gateway is configured to transmit a response message to the mobile node when the SA establishment has been completed.
  - 32. The apparatus as claimed in claim 24, wherein the security gateway is configured to transmit the response message to the mobile node without delay when the SA exists.
  - 33. The apparatus as claimed in claim 31 or 32, wherein the response message comprises a CPCRP (Create Packet Data Protocol Context Response) message.
  - 34. The apparatus as claimed in claim 24, wherein the security gateway is configured to perform the internet key exchange and SA establishment procedure with the peer without delay when the public key exists.
  - 35. The apparatus as claimed in claim 24, wherein the certificate comprises at least one of a public key of the peer, an identifier (ID), IP security policy, and a digital signature.
  - 36. The apparatus as claimed in claim 24, wherein, when the SA establishment has been completed, the security gateway is configured to:
    - perform encryption and decryption of the packets by means of a session key created by the security gateway in the case of using a key update function; and
      
      perform a key update procedure when lifetime of the session key elapses.
  - 37. The apparatus as claimed in claim 24, wherein, when the SA establishment fails, the security gateway is configured to insert a failure reason value into a cause field of the response message and transmit the response message to the mobile node.
  - 38. The apparatus as claimed in claim 24, wherein, when the SA establishment fails, the security gateway is configured to transmit a message including information notifying the mobile node of restriction to access a server to the mobile node, or stop provision of the security service after a predetermined period of time has lapsed.
  - 39. The apparatus as claimed in claim 24, wherein the key update procedure is performed by the security gateway and the certificate authority, wherein the security gateway is configured to create a new key pair containing a public key and a private key in order to change public/private keys used to communicate with the mobile node and a peer, send a key update request message including the new key pair to a certificate authority, store a pre-stored certificate in a certification revocation list of the security gateway according to response of the certificate authority, store the new certificate, and then transmit a confirmation message to the certificate authority;
    - and the certificate authority is configured to store an existing certificate of the security gateway in a certification revocation list, create a certificate response message having a new certificate including the new key pair, transmit the certificate response message to the security gateway, and broadcast a certificate announcement message including the new certificate to authentication clients managed by the certificate authority.
  - 40. The apparatus as claimed in claim 39, wherein the security gateway is configured to perform internet key negotiation with the peers after the confirmation message is transmitted.
  - 41. The apparatus as claimed in claim 39, wherein the security gateway is configured to manage a security gateway-relation table which comprises at least one of the certificate, the private key, and the certification revocation list.
  - 42. The apparatus as claimed in claim 41, wherein the certificate for each security gateway comprises at least one of an interface ID, a public key of the security gateway, a digital signature, and IP security policy.
  - 43. The apparatus as claimed in claim 39, wherein the security gateway is configured to manage a peer-relation table which comprises at least one of a certificate for each peer, an interface address of the security gateway, an inbound/outbound session key, and lifetime of the session key.
  - 44. The apparatus as claimed in claim 43, wherein the certificate for each peer comprises at least one of a peer ID, a peer'"'"'s public key, a digital signature, and IP security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Moon, Bok-Jin, Hwang, Se-Hun, Suh, Dong-Wook

Application Number

US11/281,677
Publication Number

US 20060105741A1
Time in Patent Office

Days
Field of Search
US Class Current

455/410
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04M 2203/609   Secret communication

H04M 2207/18   wireless networks

H04M 3/16   with lock-out or secrecy pr...

H04M 7/006   Networks other than PSTN/IS...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

Method and apparatus for security of IP security tunnel using public key infrastructure in mobile communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

82 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for security of IP security tunnel using public key infrastructure in mobile communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links