METHOD AND APPARATUS FOR NEGOTIATING SECURITY DURING HANDOVER BETWEEN DIFFERENT RADIO ACCESS TECHNOLOGIES

US 20100056156A1
Filed: 11/12/2009
Published: 03/04/2010
Est. Priority Date: 05/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method for negotiating security during handover between different radio access technologies, comprising:

transmitting security information of a Non Access Stratum (NAS) and security information of an Access Stratum (AS) selected by a target system to a User Equipment (UE) when the UE hands over between the different radio access technologies, the security information of the NAS and the security information of the AS are used to performed the security negotiation with the target system by the UE.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus of security negotiation for handover between different radio access technologies are provided. The method includes: transmitting the security information of the NAS and AS selected by the target system to the UE when the UE hands over between different radio access technologies. Therefore, the UE can perform security negotiation with the target system according to the security information of the NAS and AS. Through the embodiments of the present invention, the UE may obtain the key parameter information of the NAS and AS selected by the LTE system and perform security negotiation with the LTE system when the UE hands over from a different system, such as a UTRAN, to an LTE system.

Citations

18 Claims

1. A method for negotiating security during handover between different radio access technologies, comprising:
- transmitting security information of a Non Access Stratum (NAS) and security information of an Access Stratum (AS) selected by a target system to a User Equipment (UE) when the UE hands over between the different radio access technologies, the security information of the NAS and the security information of the AS are used to performed the security negotiation with the target system by the UE.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the transmitting comprises:
    - including the security information of the NAS and the security information of the AS selected by the target system in a transparent container, and transmitting the transparent container to the UE, contents of the transparent container are used to performed the security negotiation with the target system by the UE.
  - 3. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system in the transparent container comprises:
    - including, by one of a target Mobile Management Entity (MME), a target evolution Node B (eNB) and a source access network, the security information of the NAS and the security information of the AS selected by the target system in the transparent container.
  - 4. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system in the transparent container when the UE hands over from one of a second Generation (2G) system and a third Generation (3G) system to a Long Term Evolution (LTE) system comprises:
    - sending, by a source system of the UE, a handover request to a target MME, wherein the handover request comprises UE capability information and key information used by the source system;
      
      deriving, by the target MME, an Access Security Management Entity key (K_ASME) an NAS key (K_NAS), and an eNB key (K_eNB) according to the key information used by the source system, and selecting an NAS algorithm;
      
      sending, by the target MME, parameters used in K_ASMEderivation, parameters used in K_NASderivation, and parameters used in K_eNBderivation as well as the UE capability information, K_eNBand the NAS algorithm to a target eNB, through the handover request;
      
      selecting, by the target eNB, a Radio Resources Control (RRC) encryption algorithm of the target eNB, an integrity protection algorithm of the target eNB, and a User Plane (UP) encryption algorithm of the target eNB, and deriving an RRC encryption key, an integrity key, and a UP encryption key according to the K_eNB;
      
      including, by the target eNB, parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation as well as the RRC encryption algorithm of the target eNB, the integrity protection algorithm of the target eNB, the UP encryption algorithm of the target eNB, and the NAS algorithm in the transparent container; and
      
      sending, by the target eNB, the transparent container to the target MME.
  - 5. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system into the transparent container when the UE hands over from one of a 2G system and a 3G system to a LTE system comprises:
    - sending, by a source system of the UE, a handover request to a target MME, wherein the handover request comprises UE capability information and key information used by the source system;
      
      deriving, by the target MME, an ASME key (K_ASME), an NAS key (K_NAS), and an eNB key (K_eNB) according to the key information, and selecting an NAS algorithm;
      
      including, by the target MME, the NAS algorithm, parameters used in K_ASMEderivation, parameters used in K_NASderivation, and parameters used in K_eNBderivation in an NAS container;
      
      sending, by the target MME, the K_eNB, the UE capability information and the NAS container to a target eNB through the handover request;
      
      selecting, by the target eNB, a RRC encryption algorithm of the target eNB, an integrity protection algorithm of the target eNB, and a UP encryption algorithm of the target eNB, and deriving an RRC encryption key, an integrity key, and a UP encryption key according to the K_eNB;
      
      including, by the target eNB, parameters used in the RRC encryption key derivation and UP encryption key derivation as well as the RRC encryption algorithm of the target eNB, the integrity protection algorithm of the target eNB, and the UP encryption algorithm of the target eNB in an RRC container, and including the RRC container and the NAS container in the transparent container; and
      
      sending, by the target eNB, the transparent container to the target MME.
  - 6. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system into the transparent container when the UE hands over from one of a 2G system and a 3G system to a LTE system comprises:
    - sending, by a source system of the UE, a handover request to a target MME, wherein the handover request comprises UE capability information and key information used by the source system;
      
      deriving, by the target MME, an ASME key (K_ASME), an NAS key (K_NAS), and an eNB key (K_eNB) according to the key information, and selecting an NAS algorithm;
      
      including, by the target MME, the NAS algorithm, parameters used in K_ASMEderivation, parameters used in K_NASderivation, and parameters used in K_eNBderivation in an NAS container;
      
      sending, by the target MME, the K_eNB, the UE capability information and the NAS container to a target eNB through the handover request;
      
      selecting, by the target eNB, a RRC encryption algorithm of the target eNB, an integrity protection algorithm of the target eNB, and a UP encryption algorithm of the target eNB, and deriving an RRC encryption key, an integrity key, and a UP encryption key according to the K_eNB;
      
      including, by the target eNB, parameters used in the RRC encryption key derivation and UP encryption key derivation as well as the RRC encryption algorithm of the target eNB, the integrity protection algorithm of the target eNB, the UP encryption algorithm of the target eNB, and the NAS container in the transparent container; and
      
      sending, by the target eNB, the transparent container to the target MME.
  - 7. The method of claim 4, wherein the transmitting the transparent container to the UE, so that the UE can perform the security negotiation with the target system according to contents of the transparent container comprises:
    - sending, by the target MME, the transparent container to a source Serving GPRS Support Node (SGSN) through a handover response;
      
      transmitting, by the source SGSN, the transparent container to a source access network through the handover response; and
      
      transmitting, by the source access network, the contents of the transparent container to the UE through the handover response, so that the UE derives the RRC encryption key, the UP encryption key, the K_ASME, the K_NAS, and the K_eNBaccording to the parameters used in the RRC encryption key derivation, UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation in the received transparent container, and sets relevant algorithms applicable after handover.
  - 8. The method of claim 5, wherein the transmitting the transparent container to the UE, so that the UE can perform the security negotiation with the target system according to contents of the transparent container comprises:
    - sending, by the target MME, the transparent container to a SGSN through a handover response;
      
      transmitting, by the source SGSN, the transparent container to a source access network through the handover response; and
      
      transmitting, by the source access network, the contents of the transparent container to the UE through the handover response, so that the UE derives the RRC encryption key, the UP encryption key, the K_ASME, the K_NAS, and the K_eNBaccording to the parameters used in the RRC encryption key derivation, UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation in the received transparent container, and sets relevant algorithms applicable after handover.
  - 9. The method of claim 6, wherein the transmitting the transparent container to the UE, so that the UE can perform the security negotiation with the target system according to contents of the transparent container comprises:
    - sending, by the target MME, the transparent container to a SGSN through a handover response;
      
      transmitting, by the source SGSN, the transparent container to a source access network through the handover response; and
      
      transmitting, by the source access network, the contents of the transparent container to the UE through the handover response, so that the UE derives the RRC encryption key, the UP encryption key, the K_ASME, the K_NAS, and the K_eNBaccording to the parameters used in the RRC encryption key derivation, UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation in the received transparent container, and sets relevant algorithms applicable after handover.
  - 10. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system in the transparent container when the UE hands over from one of a 2G system and a 3G system to a LTE system comprises:
    - sending, by a source system of the UE, a handover request to a target MME, wherein the handover request comprises UE capability information and key information used by the source system;
      
      deriving, by the target MME, an ASME key (K_ASME), an NAS key (K_NAS) and an eNB key (K_eNB) according to the key information, and selecting an NAS algorithm;
      
      sending, by the target MME, the UE capability information and the K_eNBto a target eNB, including parameters used in K_ASMEderivation, parameters used in K_NASderivation, parameters used in K_eNBderivation, and the NAS algorithm in an NAS container, and sending the NAS container to a source access network through a source SGSN;
      
      selecting, by the target eNB, a RRC encryption algorithm of the target eNB, an integrity protection algorithm of the target eNB, and a UP encryption algorithm of the target eNB; and
      
      deriving an RRC encryption key, an integrity key, and a UP encryption key according to the K_eNB;
      
      including, by the target eNB, parameters used in the RRC encryption key derivation and UP encryption key derivation as well as the RRC encryption algorithm of the target eNB, the integrity protection algorithm of the target eNB, and the UP encryption algorithm of the target eNB in an RRC container, and sending the RRC container to the target MME;
      
      sending, by the target MME, the RRC container to the source access network through the source SGSN; and
      
      including, by the source access network, contents of the received NAS container and the RRC container in the transparent container.
  - 11. The method of claim 2, wherein the including the security information of the NAS and the security information of the AS selected by the target system in the transparent container when the UE hands over from one of a 2G system and a 3G system to a LTE system comprises:
    - sending, by a source system of the UE, a handover request to a target MME, wherein the handover request comprises UE capability information and key information used by the source system;
      
      deriving, by the target MME, an ASME key (K_ASME), an NAS key (K_NAS) and an eNB key (K_eNB) according to the key information, and selecting an NAS algorithm;
      
      sending, by the target MME, the UE capability information and the K_eNBto a target eNB, and including parameters used in K_ASMEderivation, parameters used in K_NASderivation, and parameters used in K_eNBderivation and the NAS algorithm in an NAS container;
      
      selecting, by the target eNB, a RRC encryption algorithm of the target eNB, an integrity protection algorithm of the target eNB and a UP encryption algorithm of the target eNB; and
      
      deriving an RRC encryption key, an integrity key, and a UP encryption key according to the K_eNB; and
      
      including, by the target eNB, parameters used in the RRC encryption key derivation and UP encryption key derivation as well as the RRC encryption algorithm of the target eNB, the integrity protection algorithm of the target eNB, and the UP encryption algorithm of the target eNB in an RRC container, and sending the RRC container to the target MME;
      
      including, by the target MME, the RRC container and the NAS container in a transparent container, and sending the transparent container to a source access network through a SGSN.
  - 12. The method of claim 10, wherein transmitting the transparent container to the UE, so that the UE can perform the security negotiation with the target system according to contents of the transparent container comprises:
    - sending, by the source access network, the transparent container to the UE through a handover response;
      
      deriving, by the UE, the RRC encryption key, the UP encryption key, the K_ASME, the K_NAS, and the K_eNB, and setting a relevant algorithm applicable after handover according to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation in the received transparent container.
  - 13. The method of claim 11, wherein transmitting the transparent container to the UE, so that the UE can perform the security negotiation with the target system according to contents of the transparent container comprises:
    - sending, by the source access network, the transparent container to the UE through a handover response;
      
      deriving, by the UE, the RRC encryption key, the UP encryption key, the K_ASME, the K_NAS, and the K_eNB, and setting a relevant algorithm applicable after handover according to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K_ASMEderivation, the parameters used in K_NASderivation, and the parameters used in K_eNBderivation in the received transparent container.
  - 14. The method of claim 1, wherein the method further comprising:
    - obtaining, by the UE, the security information of the NAS and the security information of the AS when the UE hands over from a Circuit Switched (CS) domain to of one of a 2G system and a 3G system to a LTE system, wherein the obtaining comprises;
      
      performing, by the UE, an Authentication and Key Agreement (AKA) process with the LTE system directly and then obtaining the security information of the NAS and the security information of the AS from the LTE system, if the UE is disconnected from the CS domain of one of the 2G and 3G system and then reconnected with the LTE system.
  - 15. The method of claim 1, wherein the method further comprising:
    - obtaining, by the UE, the security information of the NAS and the security information of the AS when the UE hands over from a CS domain to of one of a 2G system and a 3G system to a LTE system, wherein the obtaining comprises;
      
      transmitting, through a Mobile Switching Center (MSC) node, information between the UE and a target MME, while the UE negotiates with the LTE system about obtaining a security association of the security information of the NAS and the security information of the AS, if the UE hands over from the CS domain of one of the 2G and 3G system to the LTE system directly.
  - 16. The method of claim 1, wherein the method further comprising:
    - obtaining, by the UE, the security information of the NAS and the security information of the AS when the UE hands over from a Circuit Switched (CS) domain to of one of a 2G system and a 3G system to a LTE system, wherein the obtaining comprises;
      
      transmitting, through a Call Session Control Function (CSCF) node of an IP Multimedia Subsystem (IMS) information between the UE and the target MME, while the UE negotiates with the LTE system about obtaining the security association of the security information of the NAS and the security information of the AS, if the UE hands over from the IMS on the CS domain of one of the 2G and 3G system to the LTE system.

17. An evolution Node B (eNB) device, comprising:
- a key and algorithm information receiving unit, adapted to receive through a handover request the following sent by a target Mobile Management Entity (MME);
  
  parameters used in Non Access Stratum (NAS) key derivation and algorithm information, parameters used in a eNB key derivation, the eNB key and User Equipment (UE) capability information;
  
  an algorithm selecting and key deriving unit, adapted to select a supported Radio Resources Control (RRC) encryption algorithm of the eNB, an integrity protection algorithm of the eNB, and a User Plane (UP) encryption algorithm of the eNB according to information received by the key and algorithm information receiving unit, and derive an RRC encryption key and a UP encryption key; and
  
  a transparent container incorporating unit, adapted to include the following in a transparent container;
  
  parameters used in NAS key derivation and algorithm information obtained by the key and algorithm information receiving unit, parameters used in eNB key derivation, and the RRC encryption key, the UP encryption key, the RRC encryption algorithm of the eNB, the integrity protection algorithm of the eNB, and the UP encryption algorithm of the eNB that are obtained by the algorithm selecting and key deriving unit.

18. An evolution Node B (eNB) device, comprising:
- a key and algorithm information receiving unit, adapted to receive through a handover request the following sent by a target Mobile Management Entity (MME);
  
  a Non Access Stratum (NAS) container, an eNB key (K_eNB), and User Equipment (UE) capability information sent;
  
  an algorithm selecting and key deriving unit, adapted to select a Radio Resources Control (RRC) encryption algorithm of the eNB, an integrity protection algorithm of the eNB, and a User Plane (UP) encryption algorithm of the eNB according to the K_eNBand the UE capability information received by the key and algorithm information receiving unit, and derive an RRC encryption key and a UP encryption key; and
  
  a transparent container incorporating unit, adapted to include parameters used in the RRC encryption key derivation and UP encryption key derivation, the RRC encryption algorithm of the eNB, the integrity protection algorithm of the eNB, and the UP encryption algorithm of the eNB obtained by the algorithm selecting and key deriving unit in an RRC container, and include the RRC container and the NAS container in a transparent container.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
XU, Xiaoying, CHEN, Jing

Granted Patent

US 8,611,949 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/436
CPC Class Codes

H04B 1/406   with more than one transmis...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 9/14   using a plurality of keys o...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/108   Source integrity

H04W 36/00224   between packet switched [PS...

H04W 36/0038   of security context informa...

H04W 36/087   between radio units of acce...

H04W 48/18   Selecting a network or a co...

H04W 88/06   adapted for operation in mu...

H04W 88/08   Access point devices

METHOD AND APPARATUS FOR NEGOTIATING SECURITY DURING HANDOVER BETWEEN DIFFERENT RADIO ACCESS TECHNOLOGIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR NEGOTIATING SECURITY DURING HANDOVER BETWEEN DIFFERENT RADIO ACCESS TECHNOLOGIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links