HOME NODE-B APPARATUS AND SECURITY PROTOCOLS

US 20100125732A1
Filed: 09/21/2009
Published: 05/20/2010
Est. Priority Date: 09/24/2008
Status: Active Grant

First Claim

Patent Images

1. A home node B/home evolved node B (H(e)NB), comprising:

a trusted environment (TrE);

H(e)NB functional modules; and

interfaces between the TrE and H(e)NB functional modules configured to provide multiple levels of security,wherein the TrE is configured to interact with the H(e)NB functional modules to provide security and authentication,wherein security and authentication includes at least one of TrE or H(e)NB authentication and conditional hosting party authentication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Home Node B or Home evolved Node B (HN(e)B) apparatus and methods are disclosed. The HN(e)B includes a Trusted Environment (TrE) and interfaces including unprotected interfaces, cryptographically protected interfaces, and hardware protected interfaces. The H(e)NB includes security/authentication protocols for communication between the H(e)NB and external network elements, including a Security Gateway (SGW).

40 Citations

View as Search Results

35 Claims

1. A home node B/home evolved node B (H(e)NB), comprising:
- a trusted environment (TrE);
  
  H(e)NB functional modules; and
  
  interfaces between the TrE and H(e)NB functional modules configured to provide multiple levels of security,wherein the TrE is configured to interact with the H(e)NB functional modules to provide security and authentication,wherein security and authentication includes at least one of TrE or H(e)NB authentication and conditional hosting party authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The H(e)NB of claim 1, wherein the TrE comprises:
    - a storage area for securing at least one of keys, secrets, sensitive data and programs; and
      
      a secure execution environment for performing at least one of authentication and keying agreement (AKA) and certificate-based authentication of at least one of the TrE or H(e)NB.
  - 3. The H(e)NB of claim 1, wherein the secure execution environment performs security sensitive operations related to securely indicating to a network the validity of at least the TrE.
  - 4. The H(e)NB of claim 1, wherein the secure execution environment protects and validates the location of the H(e)NB.
  - 5. The H(e)NB of claim 4, wherein network authorization is provided on a condition that location is validated.
  - 6. The H(e)NB as in claim 1, further comprising:
    - a hosting party module (HPM) for providing authentication and keying agreement (AKA) based authentication for a hosting party, wherein the HPM is connected to the TrE.
  - 7. The H(e)NB as in claim 6, wherein the HPM is embodied by a universal integrated circuit card (UICC).
  - 8. The H(e)NB as in claim 1, wherein the TrE is configured to validate device integrity of the H(e)NB and transmit an integrity indication combined with a device authentication indication to a security gateway (SGW).
  - 9. The H(e)NB as in claim 1, wherein the TrE is configured to support multiple authentications.
  - 10. The H(e)NB as in claim 1, wherein the TrE is configured to support mutual authentication.
  - 11. The H(e)NB as in claim 1, wherein the TrE is configured to perform binding authentication based on records and identifications of the H(e)NB, TrE and a conditional hosting platform.
  - 12. The H(e)NB as in claim 1, wherein the TrE is configured to perform location locking, wherein location locking includes registration of H(e)NB location information, and/or an authentication of the H(e)NB location information.
  - 13. The H(e)NB as in claim 12, wherein location information is based on neighboring macro-cells.
  - 14. The H(e)NB as in claim 12, wherein location information is based on an IP address.
  - 15. The H(e)NB as in claim 12, wherein location information is based on an IP address and macro-cells.
  - 16. The H(e)NB as in claim 12, wherein location information is based on a global positioning system.
  - 17. The H(e)NB as in claim 1, wherein a type of authentication is indicated using a IKE_AUTH request of an IKEv2 protocol
  - 18. The H(e)NB as in claim 1, wherein a predetermined parameter in a IKE_AUTH request denotes one of a certificate based H(e)NB or TrE authentication or an extensible authentication protocol-authentication key agreement (EAP-AKA) based H(e)NB or TrE authentication.
  - 19. The H(e)NB as in claim 1, wherein the conditional hosting party authentication is performed using extensible authentication protocol-authentication key agreement (EAP-AKA).
  - 20. The H(e)NB as in claim 1, wherein protocols for interacting between the H(e)NB functional modules, the TrE and a network include at least one of Internet Key Exchange (IKEv2), Transport Layer Security (TLS), Broadband Forum Technical Requirements (TR) 069, or Open Mobile Alliance (OMA) Device Management (DM).

21. A method for authenticating a home nodeB/home evolved node B (H(e)NB) with a network, comprising:
- initiating secure access to the network;
  
  receiving a first requirement designating one of device authentication or device authentication and hosting party authentication;
  
  receiving a second requirement designating one of certification based authentication or extensible authentication protocol-authentication and key agreement (EAP-AKA) authentication;
  
  responding with a first parameter supportive of one of device authentication or device authentication and hosting party authentication;
  
  responding with a second parameter supportive of one of certification based authentication or EAP-AKA authentication; and
  
  performing authentication using the first requirement and the second requirement on a condition that the first requirement and the second requirement matches the first parameter and the second parameter.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. The method as in claim 21, further comprising:
    - receiving an acceptance of the first parameter response based on an authentication profile retrieved using an H(e)NB identity.
  - 23. The method as in claim 21, further comprising:
    - receiving a rejection of the first parameter response based on an authentication profile retrieved using an H(e)NB identity.
  - 24. The method as in claim 21, further comprising:
    - responding with another first parameter supportive of hosting party authentication.
  - 25. The method as in claim 21, further comprising:
    - providing information that indicates at least one of platform trustworthiness or expected state of at least a Trusted Environment (TrE) or the H(e)NB to the network.
  - 26. The method as in claim 25, wherein the information is signed by a private key protected within the TrE.
  - 27. The method as in claim 25, wherein the information is used by the network to determine access rights to the network and applications.
  - 28. The method as in claim 21, further comprising:
    - providing TrE cryptographically protected evidence of platform validity to the network.
  - 29. The method as in claim 21, further comprising:
    - checking, by a TrE, the integrity of the first and second requirements; and
      
      forwarding, by the TrE, identity information to the network.
  - 30. The method as in claim 21, further comprising:
    - performing hosting party authentication by using the TrE and a hosting party module (HPM), wherein the TrE protects HPM information and securely communicates with the HPM.
  - 31. The method as in claim 21, further comprising:
    - binding a TrE, a H(e)NB and a HPM using at least one identification value for the TrE, or H(e)NB, and one identification value for the HPM.
  - 32. The method as in claim 21, wherein protocols for interacting between H(e)NB functional modules, a TrE and a network include at least one of Internet Key Exchange (IKEv2), Transport Layer Security (TLS), Broadband Forum Technical Requirements (TR) 069, or Open Mobile Alliance (OMA) Device Management (DM).

33. A method for authenticating a home nodeB/home evolved node B (H(e)NB) with a network, comprising:
- securely storing H(e)NB location information in a Trusted Environment (TrE); and
  
  securely sending the stored H(e)NB location information to the network via the TrE.
- View Dependent Claims (34, 35)
- - 34. The method as in claim 33, further comprising:
    - securely storing last known good location of the H(e)NB in the TrE;
      
      comparing the stored ‘
      
      last known good location’
      
      with a newly acquired location information using the TrE; and
      
      indicating the outcome of the comparison by the TrE to a location server on the network.
  - 35. The method as in claim 33, wherein protocols for interacting between the H(e)NB, the TrE and the network include at least one of Internet Key Exchange (IKEv2), Transport Layer Security (TLS), Broadband Forum Technical Requirements (TR) 069, or Open Mobile Alliance (OMA) Device Management (DM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Cha, Inhyok, Schmidt, Andreas U., Shah, Yogendra C.

Granted Patent

US 8,307,205 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/162   at the data link layer

H04L 63/205   involving negotiation or de...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

H04W 88/08   Access point devices

HOME NODE-B APPARATUS AND SECURITY PROTOCOLS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

HOME NODE-B APPARATUS AND SECURITY PROTOCOLS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links