System and Method for Wireless Network Access Protection and Security Architecture

US 20160007193A1
Filed: 07/02/2015
Published: 01/07/2016
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for wireless network access protection, the method comprising:

obtaining, by a base station, a wireless network (WN) specific key assigned to a wireless network to which the base station belongs;

establishing a wireless connection between the base station and a user equipment (UE);

receiving encrypted data from the UE over the wireless connection, the encrypted data having first and second layers of encryption;

decrypting the first layer of encryption using the WN specific key to obtain partially decrypted data; and

forwarding the partially decrypted data to a gateway in the WN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Wireless network specific (WN-specific) key can be used to provide access protection over the radio access link. A WN-specific key may be associated with (or assigned to) a wireless network, and distributed to access points of the wireless network, as well as to user equipments (UEs) following UE authentication. The WN-specific key is then used to encrypt/decrypt data transported over the radio access link. The WN-specific key can be used in conjunction with the UE-specific keys to provide multi-level access protection. In some embodiments, WN-specific keys are shared between neighboring wireless networks to reduce the frequency of key exchanges during handovers. Service-specific keys may be used to provide access protection to machine to machine (M2M) services. Group-specific keys may be used to provide access protection to traffic communicated between members of a private social network.

Citations

24 Claims

1. A method for wireless network access protection, the method comprising:
- obtaining, by a base station, a wireless network (WN) specific key assigned to a wireless network to which the base station belongs;
  
  establishing a wireless connection between the base station and a user equipment (UE);
  
  receiving encrypted data from the UE over the wireless connection, the encrypted data having first and second layers of encryption;
  
  decrypting the first layer of encryption using the WN specific key to obtain partially decrypted data; and
  
  forwarding the partially decrypted data to a gateway in the WN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the gateway comprises a user-specific serving gateway (SGW).
  - 3. The method of claim 2, wherein the user-specific SGW is adapted to further decrypt the partially decrypted data using a UE-specific key to remove the second layer of encryption from the encrypted data, the UE-specific key being different than the WN-specific key.
  - 4. The method of claim 2, wherein the user-specific SGW and the base station are co-located on the same network-side device.
  - 5. The method of claim 2, wherein the user-specific SGW and the base station are located on different network-side devices.
  - 6. The method of claim 2, further comprising:
    - receiving a packet over the wireless connection;
      
      attempting to partially decrypt the packet using the WN specific key; and
      
      dropping the packet when the attempt to partially decrypt the packet is unsuccessful.
  - 7. The method of claim 6, further comprising:
    - forwarding the packet to the user-specific SGW when the attempt to partially decrypt the packet is successful, wherein the user-specific SGW is adapted to attempt to further decrypt the packet using a UE-specific key, and to drop the packet when the attempt to further decrypt the packet using the UE-specific key is unsuccessful.
  - 8. The method of claim 7, wherein the first layer of encryption provides access protection to the wireless connection, and wherein the second layer of encryption provides access protection to a bearer channel extending between the UE and the user-specific SGW.
  - 9. The method of claim 1, wherein the WN specific key is distributed to a set of base stations in the wireless network, and wherein handovers between base stations in the set of base stations occur without exchanging the WN specific key during the handover.
  - 10. The method of claim 1, wherein the WN specific key is assigned to a group of wireless networks, and wherein handovers between wireless networks in the group of wireless networks occur without exchanging the WN specific key during the handover.
  - 11. The method of claim 1 wherein the encrypted data received over the wireless connection is encrypted symmetrically using the WN specific key.

12. A base station comprising:
- a processor; and
  
  a computer readable storage medium storing programming for execution by the processor, the programming including instructions to;
  
  obtaining, by a base station, a wireless network (WN) specific key assigned to a wireless network to which the base station belongs;
  
  establish a wireless connection between the base station and a user equipment (UE);
  
  receive encrypted data from the UE over the wireless connection, the encrypted data having first and second layers of encryption;
  
  decrypt the first layer of encryption using the WN specific key to obtain partially decrypted data; and
  
  forward the partially decrypted data to a gateway in the WN.

13. A method for distributing keys in wireless networks, the method comprising:
- generating a wireless network (WN) specific key at a WN key controller, the WN specific key being assigned to a first wireless network; and
  
  distributing the WN specific key to base stations in the first wireless network, wherein the WN specific key is configured to provide access protection over radio access interfaces established between the base stations and user equipments (UEs) accessing the wireless network.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the WN specific key is assigned to a group of wireless networks that includes at least the first wireless network and a second wireless network, and wherein the method further includes distributing the WN specific key to base stations in the second wireless network.
  - 15. The method of claim 13, further comprising:
    - updating, by the key controller, the WN specific key at the end of a first time period; and
      
      distributing the updated WN specific key to base stations in the first wireless network, wherein the WN specific key provided access protection to the radio access interfaces during the first period, and wherein the updated WN specific key provided access protection to the radio access interfaces during a second period.

16. A key controller comprising:
- a processor; and
  
  a computer readable storage medium storing programming for execution by the processor, the programming including instructions to;
  
  generate a wireless network (WN) specific key at a WN key controller, the WN specific key being assigned to a first wireless network; and
  
  distribute the WN specific key to base stations in the first wireless network, wherein the WN specific key is configured to provide access protection over radio access interfaces established between the base stations and user equipments (UEs) accessing the wireless network.

17. A key management architecture comprising:
- a wireless network (WN) protection controller adapted to obtain user equipment (UE) specific keys assigned to the UEs accessing a wireless network, and to distribute the UE specific keys to a serving gateway (SGW) in the wireless network, wherein the UE specific keys are adapted to provide access protection over bearer channels extending between the UE and the SGW.
- View Dependent Claims (18, 19)
- - 18. The key management architecture of claim 17, wherein the WN protection controller obtains the UE specific keys from a third party key management entity, the third party key management entity being operated by a third party administrator that is separate and distinct form an operator of the wireless network.
  - 19. The key management architecture of claim 17, further comprising:
    - a WN key controller adapted to generate a WN specific key assigned to the wireless network, and to distribute the WN specific key to base stations in the wireless network, the WN specific key being separate and distinct from the UE specific keys, wherein the WN specific key is adapted to provide access protection over radio access interfaces established between the base stations and user equipments (UEs) accessing the wireless network.

20. A method for authenticating a mobile device, the method comprising:
- receiving, by a wireless network (WN) protection controller, a UE specific key, wherein the WN protection controller is assigned to distribute keys throughout a wireless network;
  
  identifying, by the WN protection controller, a wireless network domain that corresponds to a UE identifier specified by the UE specific key; and
  
  distributing, by the WN protection controller, the UE specific key to a serving gateway (SGW) in the wireless network domain, wherein UE specific key is adapted to provide access protection to a bearer channel extending between the UE and the SGW.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein the WN protection controller receives the UE specific key from a third party key management entity, the third party key management entity being operated by a third party administrator that is different than an operator of the wireless network.
  - 22. The method of claim 20, wherein the SGW is a user-specific SGW.

23. A wireless network (WN) protection controller comprising:
- a processor; and
  
  a computer readable storage medium storing programming for execution by the processor, the programming including instructions to;
  
  receive a UE specific key from a third party key management entity, wherein the WN protection controller is assigned to distribute keys throughout a wireless network, and wherein the third party key management entity is operated by a third party administrator that is different than an operator of the wireless network;
  
  identify a wireless network domain that corresponds to a UE identifier specified by the UE specific key; and
  
  distribute the UE specific key to a serving gateway (SGW) in the wireless network domain, wherein UE specific key is adapted to provide access protection to a bearer channel extending between the UE and the SGW.

24-34. -34. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Hang

Granted Patent

US 10,212,585 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 9/08   Key distribution or managem...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 4/70   Services for machine-to-mac...

System and Method for Wireless Network Access Protection and Security Architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Wireless Network Access Protection and Security Architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links