METHOD AND APPARATUS FOR SECURE COMMUNICATION BETWEEN USER EQUIPMENT AND PRIVATE NETWORK

US 20070157309A1
Filed: 12/28/2006
Published: 07/05/2007
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for implementing special secure communication with a private network in user equipment of a communication network, wherein, comprising the steps of:

a) generating a security parameters index value by using a pre-stored second root key, said security parameters index value being used for indicating the encryption/decryption algorithm and parameters of data encryption/decryption;

b) performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key, to generate an encryption key;

c) encrypting data to be transmitted by using said encryption key, to generate encrypted data;

d) encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

It is an object of the present invention to provide a new technical solution of supporting special secure communication between user equipment which is located in an external network and an private network the user equipment belongs to. Specifically, transmitted data is encrypted/decrypted and authenticated by using pre-stored root keys corresponding to specific private networks and the agreed encryption/decryption and authentication algorithm at the user equipment and an access device. The manner of generating the encryption/decryption keys and authentication key is simplified, and the complexity of the access device at the private network end is reduced on the premise of not degrading the security grade. The technical solution of the present invention is highly flexible and extensible and can achieve better user experience.

118 Citations

23 Claims

1. A method for implementing special secure communication with a private network in user equipment of a communication network, wherein, comprising the steps of:
- a) generating a security parameters index value by using a pre-stored second root key, said security parameters index value being used for indicating the encryption/decryption algorithm and parameters of data encryption/decryption;
  
  b) performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key, to generate an encryption key;
  
  c) encrypting data to be transmitted by using said encryption key, to generate encrypted data;
  
  d) encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
- View Dependent Claims (2, 3, 4, 5, 14, 15, 17)
- - 2. The method according to claim 1, characterized in that said security parameters index value comprises three parts, among which the first part is used to indicate the adopted security policy scheme comprising an encryption algorithm, an encapsulation manner etc.;
    - the second part comprises a locally current date value;
      
      the third part comprises a value obtained by performing a Hash operation on said locally current date value, a destination address prefix, a source address, said second root key etc.
  - 3. The method according to claim 1, characterized by further comprising the steps of:
    - performing an operation on said security parameters index value and a second predetermined sequence by using said first root key, to generate an authentication key;
      
      performing a Hash operation on said encrypted data by using said authentication key, to generate an authentication part;
      
      wherein step d) further comprises the step of;
      
      encapsulating said authentication part into said encrypted data packet to be transmitted.
  - 4. The method according to claim 1, characterized by further comprising, prior to step a), the steps of:
    - verifying the identity of a user by using locally pre-stored user-related information and through interaction with the user;
      
      if said user is a valid user, going to step a);
      
      otherwise, stopping the operation.
  - 5. The method according to claim 1, characterized in that, said communication network is an IP-based network.
  - 14. The method according to claim 1, characterized by further comprising the steps of:
    - recording related information of all set up communication;
      
      based on said related information, deciding whether said data packet from the user equipment belongs to special secure communication between the user equipment and said private network or said user equipment'"'"'s set up communication which falls into other type;
      
      if said data packet from the user equipment belongs to said special secure communication, performing a decryption algorithm, which corresponds to an encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using said first root key to generate an ordinary data packet, and forwarding the ordinary data packet to said private network;
      
      if said data packet from the user equipment belongs to said user equipment'"'"'s set up communication which falls into other type, forwarding said data packet directly;
      
      if said data packet from the user equipment does not belong to said special secure communication or said user equipment'"'"'s set up communication which falls into other type, discarding said data packet.
  - 15. The method according to claim 14, characterized by further comprising the steps of:
    - receiving a data packet from said private network;
      
      based on the recorded related information of all set up communication, deciding whether said data packet from the private network belongs to special secure communication set up between said private network and the user equipment or said private network'"'"'s set up communication which falls into other type;
      
      if said data packet from the private network belongs to the special secure communication set up between said private network and the user equipment, converting said ordinary data packet into an encrypted data packet used for said special secure communication by using said first root key and said second root key and in the same manner as at the user equipment, and sending the converted encrypted data packet to said user equipment;
      
      if said data packet from the private network belongs to said private network'"'"'s set up communication which falls into other type, forwarding said data packet directly.
  - 17. The method according to claim 1, characterized in that said communication network is an IP-based network.

6. User equipment for implementing special secure communication with a belonging private network in a communication network, comprising:
- generating means for generating a security parameters index value by using a pre-stored second root key, said security parameters index value being used for indicating the encryption/decryption algorithm and parameters of data encryption/decryption;
  
  first operating means for performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key, to generate an encryption key;
  
  encrypting means for encrypting the data to be sent by using said encryption key, to generate encrypted data; and
  
  encapsulating means for encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The user equipment according to claim 6, characterized in that said security parameters index value comprises three parts, among which the first part is used to indicate the adpoted security policy scheme comprising the encryption algorithm, the encapsulation manner etc.;
    - the second part comprises a locally current date value;
      
      the third part comprises a value obtained by performing a Hash operation on said locally current date value, a destination address prefix, a source address, said second root key etc.
  - 8. The user equipment according to claim 6, characterized by further comprising:
    - second operating means for performing an operation on said security parameters index value and a second predetermined sequence by using said first root key, to generate an authentication key;
      
      authenticating means for performing an authentication operation on said encrypted data by using said authentication key, to generate an authentication part;
      
      wherein, said encapsulating means is also used for encapsulating said authentication part into said data packet to be transmitted.
  - 9. The user equipment according to claim 6, characterized by further comprising:
    - verifying means for performing the following operations;
      
      verifying the identity of a user by using locally pre-stored user-related information and through interaction with the user;
      
      if said user is a valid user, allowing the subsequent operation;
      
      otherwise, stopping the operation.
  - 10. The user equipment according to claim 6, characterized in that said communication network is an IP-based network.

11. A method for supporting special secure communication between user equipment and the belonging private network in an access device of a communication network, comprising the steps of:
- i) receiving a data packet from said user equipment;
  
  ii) deciding whether or not said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network;
  
  iii) if said data packet from the user equipment belongs to said special secure communication, performing a decryption algorithm, which corresponds to an encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using a pre-stored first root key corresponding to said private network, to generate an ordinary data packet, and forwarding the ordinary data packet to said private network.
- View Dependent Claims (12, 13, 16)
- - 12. The method according to claim 11, characterized in that step ii) comprises the steps of:
    - extracting from said data packet from the user equipment a destination address prefix of said data packet and an original security parameters index value;
      
      generating a new security parameters index value by using a second root key corresponding to said destination address prefix and in the same generating manner as at the user equipment;
      
      comparing said original security parameters index value with the new security parameters index value;
      
      if said original security parameters index value is consistent with the new security parameters index value, determining said data packet from the user equipment belongs to said special secure communication.
  - 13. The method according to claim 12, characterized in that step ii) further comprises the steps of:
    - extracting said original authentication part from said security parameters index value;
      
      performing on the operated security parameters index value the same operation as at the user equipment by using a pre-stored first root key corresponding to said destination address prefix to generate a new authentication key;
      
      performing on encrypted data part in said encrypted data packet from the user equipment the same authentication operation as at the user equipment by using said new authentication key to generate a new authentication part;
      
      comparing said original authentication part with said new authentication part;
      
      if said original authentication part is consistent with said new authentication part, determining said data packet from the user equipment belongs to said special secure communication.
  - 16. The method according to claim 11, characterized in that said related information comprises a destination address, a source address, a SPI value, a first root key and the like of a data packet.

18. An access device for supporting special secure communication between user equipment and the belonging private network in a communication network, comprising:
- first receiving means for receiving a data packet from said user equipment;
  
  deciding means for deciding whether or not said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network;
  
  conversion processing means for, if said data packet belongs to said special secure communication, performing a decryption algorithm, which corresponds to the encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using a pre-stored first root key corresponding to said private network, to generate an ordinary data packet; and
  
  first sending means for forwarding the data packet.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The access device according to claim 18, characterized in that said deciding means comprises:
    - extracting means for extracting from said data packet a destination address prefix of said data packet and an original security parameters index value;
      
      operating means for generating a new security parameters index value by using a second root key corresponding to said destination address prefix and in the same generating manner as at the user equipment;
      
      comparing means for comparing said original security parameters index value with the new security parameters index value;
      
      determining means for, if said original security parameters index value is consistent with the new security parameters index value, determining said data packet from the user equipment belongs to said special secure communication.
  - 20. The access device according to claim 19, characterized in that, said extracting means is further used for extracting from said original authentication part from said security parameters index value;
    - said operating means is further used for performing on the operated security parameters index value the same operation as at the user equipment by using a pre-stored first root key corresponding to said destination address prefix to generate a new authentication key;
      
      said comparing means is further used for comparing said original authentication part with said new authentication part;
      
      said determining means is further used for, if said authentication part is consistent with said new authentication part, determining said data packet from the user equipment belongs to said special secure communication.
  - 21. The access device according to claim 18, characterized by further comprising:
    - recording means for recording related information of all set up communication;
      
      wherein, said deciding means is further used for, based on said related information, deciding whether said data packet from the user equipment belongs to special secure communication between the user equipment and said private network or said user equipment'"'"'s set up communication which falls into other type;
      
      said conversion processing means is further used for performing the following functions;
      
      if said data packet is an encrypted data packet used for secure communication between the user equipment and said private network, converting said encrypted data packet into an ordinary data packet by using a pre-stored first root key corresponding to said private network, and providing the ordinary data packet to the first sending means;
      
      if said data packet belongs to said user equipment'"'"'s set up communication which falls into other type, directly providing said data packet to said first sending means;
      
      otherwise, discarding said data packet.
  - 22. The access device according to claim 21, characterized by further comprising:
    - second receiving means for receiving a data packet from said private network;
      
      second sending means for sending the data packet to the user equipment;
      
      wherein, said deciding means is further used for, based on the recorded related information of all set up communication, deciding whether said data packet from the private network belongs to special secure communication set up between said private network and the user equipment or said private network'"'"'s set up communication which falls into other type;
      
      said conversion processing means is further used for performing the following operations;
      
      if said data packet from the private network belongs to the special secure communication set up between said private network and the user equipment, converting said ordinary data packet into an encrypted data packet used for said special secure communication by using said first root key and said second root key and in the same manner as at the user equipment, and providing the converted ordinary data packet to the second sending means;
      
      if said data packet from the private network belongs to said private network'"'"'s set up communication which falls into other type, directly providing said data packet to the second sending means.
  - 23. The access device according to claim 18, characterized in that, said related information comprises a destination address, a source address, a SPI value, a first root key and the like of a data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Yan, RenXiang, Jiang, YingLan, Ding, ZheMin, Wen, HaiBo, Zhang, QingShan, Bin, FanXiang

Granted Patent

US 7,853,783 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

METHOD AND APPARATUS FOR SECURE COMMUNICATION BETWEEN USER EQUIPMENT AND PRIVATE NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR SECURE COMMUNICATION BETWEEN USER EQUIPMENT AND PRIVATE NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links