METHOD, APPARATUS, AND SYSTEM FOR PROVIDING ENCRYPTION OR INTEGRITY PROTECTION IN A WIRELESS NETWORK
First Claim
1. A method, in a core network node, for establishing encryption or integrity protection, the method comprising:
identifying a non-USIM based authentication procedure to be utilized by a wireless communication device, WCD, being served by the core network node;
obtaining a session key associated with the identified non-USIM based authentication procedure;
converting the session key associated with the identified non-USIM based authentication procedure to at least one of:
i) a first key, K1, for use by the WCD and a base station serving the WCD to derive an encryption or integrity protection key, Kenc/int, for enabling encryption or integrity protection of a communication between the WCD and the base station and ii) a second key, K2, for use by the WCD and the core network node to derive the first key K1; and
performing at least one of:
i) sending K1 to the base station and ii) sending K2 to another core network node that is configured to derive K1 from K2, wherein K1 and K2 each has a length that is at least one of the following:
i) equal to a length of an evolved packet system authentication and key agreement (EPS AKA) key, and ii) different than a length of the session key.
Abstract
A core network node identifies a non-USIM based authentication procedure to be utilized by a wireless communication device, WCD, being served by the core network node. The node obtains a session key associated with the identified non-USIM based authentication procedure. The node converts the session key associated with the identified non-USIM based authentication procedure to i) a first key, K1, for use by the WCD and a base station serving the WCD to derive an encryption or integrity protection key, Kenc/int, for enabling encryption or integrity protection of a communication between the WCD and the base station, or ii) a second key, K2, for use by the WCD and the core network node to derive the first key K1. The node then sends i) K1 to the base station or ii) K2 to another core network node that is configured to derive K1 from K2.
55 Claims
1. A method, in a core network node, for establishing encryption or integrity protection, the method comprising:
identifying a non-USIM based authentication procedure to be utilized by a wireless communication device, WCD, being served by the core network node; obtaining a session key associated with the identified non-USIM based authentication procedure; converting the session key associated with the identified non-USIM based authentication procedure to at least one of:
i) a first key, K1, for use by the WCD and a base station serving the WCD to derive an encryption or integrity protection key, Kenc/int, for enabling encryption or integrity protection of a communication between the WCD and the base station and ii) a second key, K2, for use by the WCD and the core network node to derive the first key K1; and performing at least one of:
i) sending K1 to the base station and ii) sending K2 to another core network node that is configured to derive K1 from K2, wherein K1 and K2 each has a length that is at least one of the following:
i) equal to a length of an evolved packet system authentication and key agreement (EPS AKA) key, and ii) different than a length of the session key.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
18. A method, in a wireless communication device, WCD, for establishing encryption or integrity protection with a base station serving the WCD, the method comprising:
sending, to a mobility management entity, MME, node, non-USIM based authentication data; receiving, from the MME node, key generation data associated with the non-USIM based authentication data; generating a non-USIM based session key using the key generation data; converting the non-USIM based session key to an encryption or integrity protection key, Kenc/int, for use by the WCD and the base station in encrypting or integrity protecting any communication between the WCD and the base station; and sending, to the base station, a communication that is encrypted or integrity protected using the encryption or integrity protection key converted from the session key, wherein the encryption or integrity protection key Kenc/int has a length that is at least one of the following:
i) equal to a length of an evolved packet system authentication and key agreement (EPS AKA) key, and ii) different than a length of the session key.
View Dependent Claims (19, 20, 21, 22, 23)
24-32. (canceled)
33. A core network node, for establishing encryption or integrity protection, the core network node comprising:
a network interface configured to receive communication from a wireless communication device, WCD; and a data processing system that is connected to the network interface and that comprises one or more processors configured to: identify a non-USIM based authentication procedure to be utilized by a wireless communication device, WCD, being served by the core network node; obtain a session key associated with the identified non-USIM based authentication procedure; convert the session key associated with the identified non-USIM based authentication procedure to at least one of:
i) a first key, K1, for use by the WCD and a base station serving the WCD to derive an encryption or integrity protection key, Kenc/int, for enabling encryption or integrity protection of a communication between the WCD and the base station and ii) a second key, K2, for use by the WCD and the core network node to derive the first key K1; and perform at least one of:
i) sending K1 to the base station and ii) sending K2 to another core network node that is configured to derive K1 from K2, wherein K1 and K2 each has a length that is at least one of the following:
i) equal to a length of an evolved packet system authentication and key agreement (EPS AKA) key, and ii) different than a length of the session key.
View Dependent Claims (34, 35, 36, 37, 38, 39, 34, 44, 45, 46, 47, 48, 49)
41. The core network node of claim 40, wherein the session key is longer than a predefined key length of the KASME format, and wherein the one or more processors are configured to map the session key to the KASME format by extracting a portion of the session key to be KASME, wherein the extracted portion has the predefined key length.
42. The core network node of claim 40, wherein the session key is shorter than the predefined key length of the KASME format, and wherein the one or more processors are configured to map the session key to the KASME format by padding the session key with additional bits to be KASME, wherein the padded session key has the predefined key length.
43. The core network node of claim 40, wherein the one or more processors are configured to map the session key to KASME by inputting the session key into a key derivation function, KDF, to output the KASME, wherein the KDF is a keyed-hash-message-authentication-code function using a secure hash algorithm, HMAC-SHA.
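The three session-key-to-KASME mappings of claims 41 to 43 (extract a portion when the key is too long, pad when it is too short, or run it through an HMAC-SHA KDF) together with the K2 to K1 to Kenc/int chain of claim 1, as an added Python example that is not part of the patent text. The label bytes, the two-byte length framing in the KDF, keeping the leading bytes on truncation, and zero-byte padding are all assumptions made here for illustration; the claims do not fix them, and this is not a 3GPP-conformant KDF.

```python
"""Added example: converting a non-USIM session key into EPS-length keys.

Illustrates claims 41-43 (extract, pad, HMAC-SHA KDF) and the
K2 -> K1 -> Kenc/Kint chain of claim 1. Labels, framing, truncation
position and padding value are assumptions, not taken from the patent.
"""
import hashlib
import hmac

# Length of an EPS AKA key (KASME): 256 bits. This is the target length the
# claims describe as "equal to a length of an EPS AKA key".
EPS_AKA_KEY_LEN = 32


def map_truncate(session_key: bytes) -> bytes:
    """Claim 41: session key longer than KASME -> keep a portion of it.
    Assumption: the leading EPS_AKA_KEY_LEN bytes are the portion kept."""
    if len(session_key) < EPS_AKA_KEY_LEN:
        raise ValueError("session key shorter than KASME; truncation does not apply")
    return session_key[:EPS_AKA_KEY_LEN]


def map_pad(session_key: bytes) -> bytes:
    """Claim 42: session key shorter than KASME -> pad with additional bits.
    Assumption: zero bytes are appended; the claim does not fix the padding."""
    if len(session_key) > EPS_AKA_KEY_LEN:
        raise ValueError("session key longer than KASME; padding does not apply")
    return session_key + b"\x00" * (EPS_AKA_KEY_LEN - len(session_key))


def kdf(key: bytes, label: bytes, out_len: int = EPS_AKA_KEY_LEN) -> bytes:
    """Claim 43: HMAC-SHA based KDF. HMAC-SHA-256 over a constructed framing
    of label || out_len (2 bytes, big endian); the framing is an assumption."""
    if not 1 <= out_len <= hashlib.sha256().digest_size:
        raise ValueError("single-block KDF supports 1..32 output bytes")
    msg = label + out_len.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:out_len]


def map_kdf(session_key: bytes) -> bytes:
    """Claim 43 mapping: a session key of any length -> fixed-length KASME."""
    return kdf(session_key, b"KASME")


def session_key_to_k2(session_key: bytes, method: str) -> bytes:
    """Core network node side (claim 1): produce K2 (KASME-like) from the
    non-USIM session key. None of the mappings adds entropy: the result holds
    at most min(8 * len(session_key), 256) bits however long it looks."""
    mapping = {"truncate": map_truncate, "pad": map_pad, "kdf": map_kdf}
    k2 = mapping[method](session_key)
    assert len(k2) == EPS_AKA_KEY_LEN
    return k2


def k2_to_k1(k2: bytes) -> bytes:
    """Derive K1 (the key handed to the base station) from K2."""
    return kdf(k2, b"K1")


def k1_to_kenc_kint(k1: bytes) -> tuple:
    """Derive Kenc and Kint from K1; done identically at WCD and base station."""
    return kdf(k1, b"enc"), kdf(k1, b"int")


def end_to_end(session_key: bytes, method: str) -> dict:
    """Run the chain once on the network side and once on the WCD side and
    report key lengths and whether both ends reach the same Kenc/Kint."""
    # Network side: core node maps session key -> K2, derives K1, sends K1.
    k2_net = session_key_to_k2(session_key, method)
    k1_sent_to_base_station = k2_to_k1(k2_net)
    kenc_bs, kint_bs = k1_to_kenc_kint(k1_sent_to_base_station)
    # WCD side: holds the same session key and repeats the same conversions.
    k2_wcd = session_key_to_k2(session_key, method)
    kenc_wcd, kint_wcd = k1_to_kenc_kint(k2_to_k1(k2_wcd))
    return {
        "k2_len": len(k2_net),
        "k1_len": len(k1_sent_to_base_station),
        "kenc_len": len(kenc_bs),
        "keys_match": (kenc_bs, kint_bs) == (kenc_wcd, kint_wcd),
        "enc_int_distinct": kenc_bs != kint_bs,
    }


if __name__ == "__main__":
    # Constructed sample keys: a 64-byte EAP-style master key and a 16-byte key.
    long_key = bytes(range(64))
    short_key = bytes(range(16))
    print(end_to_end(long_key, "truncate"))
    print(end_to_end(short_key, "pad"))
    print(end_to_end(long_key, "kdf"))
```

The point a reviewer of such a design checks is the comment in `session_key_to_k2`: a padded 16-byte session key yields a 32-byte KASME with only 128 bits of strength, and truncation discards material without adding any, so the length of K1, K2 or Kenc/int says nothing about their entropy; only the HMAC-SHA route gives a uniform-looking key from an arbitrarily formatted input, and even then it cannot exceed what the non-USIM procedure delivered.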
50. A wireless communication device, WCD, for establishing encryption or integrity protection with a base station serving the WCD, the WCD comprising:
a transceiver system for receiving communication from a mobility management entity, MME, node; and a data processing system connected to the transceiver system and having one or more processors configured to: send, to a mobility management entity, MME, node, non-USIM based authentication data; receive, from the MME node, key generation data associated with the non-USIM based authentication data; generate a non-USIM based session key using the key generation data; convert the non-USIM based session key to an encryption or integrity protection key, Kenc/int, for use by the WCD and the base station in encrypting or integrity protecting communication between the WCD and the base station; and send, to the base station, communication that is encrypted or integrity protected using the encryption or integrity protection key converted from the session key, wherein the encryption or integrity protection key Kenc/int has a length that is at least one of the following:
i) equal to a length of an evolved packet system authentication and key agreement (EPS AKA) key, and ii) different than a length of the session key.
View Dependent Claims (51, 52, 53, 54)
55-64. (canceled)