Call Handover Between Cellular Communication System Nodes That Support Different Security Contexts

US 20130195268A1
Filed: 11/15/2012
Published: 08/01/2013
Est. Priority Date: 01/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method of operating a first node to generate a security context for a client in a cellular communication system, wherein the first node comprises processing circuitry, the method comprising:

the first node performing;

receiving at least one cryptographic key from a second node;

receiving identities of security algorithms supported by the client from a third node; and

using the at least one cryptographic key and the identities to generate the security context for the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the context of facilitating a circuit switched to packet switched handover of a call in a cellular communication system, a first node (e.g., packet switched target node) generates a security context for a client whose call is being handed over. This involves the first node receiving at least one cryptographic key from a second node (e.g., a circuit switched node supporting the existing connection) and receiving identities of security algorithms supported by the client from a third node (e.g., a packet switched node supporting the existing connection); The first node uses the at least one cryptographic key and the identities to generate the security context for the client.

69 Citations

View as Search Results

24 Claims

1. A method of operating a first node to generate a security context for a client in a cellular communication system, wherein the first node comprises processing circuitry, the method comprising:
- the first node performing;
  
  receiving at least one cryptographic key from a second node;
  
  receiving identities of security algorithms supported by the client from a third node; and
  
  using the at least one cryptographic key and the identities to generate the security context for the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first and third nodes are packet switched nodes and the second node is a circuit switched node.
  - 3. The method of claim 2, wherein the first node is an MME, the second node is an MSC and the third node is an SGSN.
  - 4. The method of claim 2, wherein the first node is a first SGSN, the second node is an MSC and the third node is a second SGSN.
  - 5. The method of claim 1, further comprising:
    - causing the first node to receive one or more authentication vectors from the second node; and
      
      discarding the authentication vectors received from the second node.
  - 6. The method of claim 1, wherein the first node is an SGSN, and wherein the method further comprises:
    - using one or more of the at least one cryptographic key to protect traffic between a fourth node and the client.
  - 7. The method of claim 1, wherein the first node is an MME, and wherein the method further comprises:
    - deriving a key for an Access Security Management Entity (K_ASME) from one or more of the at least one cryptographic key.
  - 8. The method of claim 1, further comprising:
    - receiving, from the third node, packet switched encryption keys for use in a packet switched connection; and
      
      discarding the packet switched encryption keys.
  - 9. The method of claim 1, further comprising:
    - receiving at least one authentication vector from the third node; and
      
      storing the received at least one authentication vector.
  - 10. The method of claim 1, further comprising receiving additional information from the third node;
    - andwherein using the at least one cryptographic key and the identities to generate the security context for the client comprises using the at least one cryptographic key and the identities and the additional information to generate the security context for the client.

11. A method of operating first and second, nodes in a cellular communication system, the method operating to generate a security context as part of a process of handing over support of a client from the second node to the first node, wherein the first and second nodes each comprise processing circuitry, the method comprising:
- the second node generating at least one new cryptographic key from at least one existing key associated with the client and a nonce generated by the second node;
  
  the second node communicating the at least one new cryptographic key to the first node;
  
  the first node receiving identities of security algorithms supported by the client from a third node; and
  
  the first node using the at least one cryptographic key and the identities to generate the security context for the client.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein the first and third nodes are packet switched nodes and the second node is a circuit switched node.

13. An apparatus for operating a first node to generate a security context for a client in a cellular communication system, the apparatus comprising:
- circuitry configured to receive at least one cryptographic key from a second node;
  
  circuitry configured to receive identities of security algorithms supported by the client from a third node; and
  
  circuitry configured to use the at least one cryptographic key and the identities to generate the security context for the client.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The apparatus of claim 13, wherein the first and third nodes are packet switched nodes and the second node is a circuit switched node.
  - 15. The apparatus of claim 14, wherein the first node is an MME, the second node is an MSC and the third node is an SGSN.
  - 16. The apparatus of claim 14, wherein the first node is a first SGSN, the second node is an MSC and the third node is a second SGSN.
  - 17. The apparatus of claim 13, further comprising:
    - circuitry configured to receive one or more authentication vectors from the second node; and
      
      circuitry configured to discard the authentication vectors received from the second node.
  - 18. The apparatus of claim 13, wherein the first node is an SGSN, and wherein the apparatus further comprises:
    - circuitry configured to use one or more of the at least one cryptographic key to protect traffic between a fourth node and the client.
  - 19. The apparatus of claim 13, wherein the first node is an MME, and wherein the apparatus further comprises:
    - circuitry configured to derive a key for an Access Security Management Entity (K_ASME) from one or more of the at least one cryptographic key.
  - 20. The apparatus of claim 13, further comprising:
    - circuitry configured to receive, from the third node, packet switched encryption keys for use in a packet switched connection; and
      
      circuitry configured to discard the packet switched encryption keys.
  - 21. The apparatus of claim 13, further comprising:
    - circuitry configured to receive at least one authentication vector from the third node; and
      
      circuitry configured to store the received at least one authentication vector.
  - 22. The apparatus of claim 13, further comprising circuitry configured to receive additional information from the third node;
    - andwherein the circuitry configured to use the at least one cryptographic key and the identities to generate the security context for the client comprises circuitry configured to use the at least one cryptographic key and the identities and the additional information to generate the security context for the client.

23. An apparatus for operating first and second nodes in a cellular communication system, the apparatus operating to generate a security context as part of a process of handing over support of a client from the second node to the first node, the apparatus comprising:
- second node circuitry configured to generate at least one new cryptographic key from at least one existing key associated with the client and a nonce generated by the second node;
  
  second node circuitry configured to communicate the at least one new cryptographic key to the first node;
  
  first node circuitry configured to receive identities of security algorithms supported by the client from a third node; and
  
  first node circuitry configured to use the at least one cryptographic key and the identities to generate the security context for the client.
- View Dependent Claims (24)
- - 24. The apparatus of claim 23, wherein the first and third nodes are packet switched nodes and the second node is a circuit switched node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Norrman, Karl, Wifvesson, Monica

Granted Patent

US 10,433,161 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/247
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04W 12/041   Key generation or derivation

H04W 36/0038   of security context informa...

H04W 36/0066   of control information betw...

Call Handover Between Cellular Communication System Nodes That Support Different Security Contexts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Call Handover Between Cellular Communication System Nodes That Support Different Security Contexts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links