METHOD AND DEVICE FOR VERIFYING KEY REQUESTER

US 20190320320A1
Filed: 06/26/2019
Published: 10/17/2019
Est. Priority Date: 12/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method for verifying a key requester, comprising:

receiving, by a security function entity, a request message sent by a first core-network network element, wherein the request message carries an identifier of the first core-network network element, identity information of a user equipment (UE), and a first token; and

determining, by the security function entity, to provide a key for the first core-network network element when determining, based on the identifier of the first core-network network element and the identity information of the UE, that the first token is valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for verifying a key requester are described. The method may include a security function entity receiving a request message sent by a user management function (UMF) entity. The method may also include decrypting information in the request message by using a private key of the security function entity, and obtaining the information carried in the request message after signature verification on decrypted information using a public key in a certificate of the UMF entity succeeds. Furthermore, the method may include determining to provide a key of a user equipment (UE) for the UMF entity, when determining that a first verification parameter carried in the request message is valid and determining that an identifier which is of the UMF entity and which is carried in the request message is the same as an identifier of a UMF entity to which the UE attaches.

Citations

13 Claims

1. A method for verifying a key requester, comprising:
- receiving, by a security function entity, a request message sent by a first core-network network element, wherein the request message carries an identifier of the first core-network network element, identity information of a user equipment (UE), and a first token; and
  
  determining, by the security function entity, to provide a key for the first core-network network element when determining, based on the identifier of the first core-network network element and the identity information of the UE, that the first token is valid.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein before the receiving, by the security function entity, the request message sent by the first core-network network element, the method further comprises:
    - generating, by the security function entity, a first fresh parameter; and
      
      sending, by the security function entity, the first fresh parameter to a second core-network network element, wherein the second core-network network element generate the first token based on the identifier of the first core-network network element to which the UE attaches, the identity information of the UE, the first fresh parameter, and a shared key.
  - 3. The method according to claim 2, wherein the shared key is generated by the security function entity and sent by the security function entity to the second core-network network element, or the shared key is generated by the security function entity and the second core-network network element individually.
  - 4. The method according to claim 2, wherein the determining, by the security function entity based on the identifier of the first core-network network element and the identity information of the UE, that the first token is valid comprises:
    - generating, by the security function entity, a second token based on the identifier of the first core-network network element, the identity information of the UE, the first fresh parameter corresponding to the first core-network network element, and the shared key; and
      
      determining that the first token is valid when determining that the first token is the same as the second token.
  - 5. The method according to claim 2, wherein the first token is generated by a second core-network network element using a private key of the second core-network network element, the identifier of the first core-network network element to which the UE attaches, the identity information of the UE, and a second fresh parameter.
  - 6. The method according to claim 2, wherein the determining, by the security function entity based on the identifier of the first core-network network element and the identity information of the UE, that the first token is valid comprises:
    - sending, by the security function entity, the identity information of the UE, the first token, and the identifier of the first core-network network element to the second core-network network element; and
      
      receiving, by the security function entity, a response message returned by the second core-network network element, wherein the response message is used to indicate that the first token is valid, and the response message is returned after the second core-network network element generates a second token based on the identity information of the UE, the identifier of the first core-network network element, the second fresh parameter corresponding to the identity information of the UE, and the private key of the second core-network network element that are provided by the security function entity, and determines that the first token is the same as the second token.

7. A device for verifying a key requester, comprising:
- a transceiver, configured to receive a request message sent by a first core-network network element, wherein the request message carries an identifier of the first core-network network element, identity information of a user equipment (UE), and a first token; and
  
  at least one processor in communication with a memory storing one or more instructions, wherein the processor executes the instructions to;
  
  determine to provide the key for the first core-network network element when determining, based on the identifier of the first core-network network element and the identity information of the UE, that the first token is valid.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The device according to claim 7, further comprising:
    - the at least one processor is configured to;
      
      generate a first fresh parameter before receiving the request message sent by the first core-network network element; and
      
      the transceiver configured to;
      
      send the first fresh parameter to a second core-network network element, wherein the second core-network network element generates the first token based on the identifier of the first core-network network element to which the UE attaches, the identity information of the UE, the first fresh parameter, and a shared key.
  - 9. The device according to claim 8, wherein the shared key is generated by the security function entity and sent by the security function entity to the second core-network network element, or the shared key is generated by the security function entity and the second core-network network element individually.
  - 10. The device according to claim 8, wherein the at least one processor is configured to:
    - generate a second token based on the identifier of the first core-network network element, the identity information of the UE, the first fresh parameter corresponding to the first core-network network element, and the shared key; and
      
      determine that the first token is valid when determining that the first token is the same as the second token.
  - 11. The device according to claim 8, wherein the first token is generated by a second core-network network element using a private key of the second core-network network element, the identifier of the first core-network network element to which the UE attaches, the identity information of the UE, and a second fresh parameter.
  - 12. The device according to claim 8, further comprising the transceiver configured to:
    - send the identity information of the UE, the first token, and the identifier of the first core-network network element to the second core-network network element; and
      
      receive a response message returned by the second core-network network element, wherein the response message is used to indicate that the first token is valid, and the response message is returned after the second core-network network element generates a second token based on the identity information of the UE, the identifier of the first core-network network element, the second fresh parameter corresponding to the identity information of the UE, and the private key of the second core-network network element that are provided by the device, and determines that the first token is the same as the second token.

13. A device for verifying a key requester, comprising:
- a transceiver configured to obtain an identifier of a user management function (UMF) entity to which a user equipment (UE) attaches;
  
  at least one processor in communication with a memory storing one or more instructions, wherein the processor executes the instructions to;
  
  generate a key of the UE and a verification parameter for the UMF entity;
  
  the transceiver further configured to;
  
  send configuration information to the UMF entity, wherein the configuration information is signed using a private key of the security function entity and encrypted by using a public key of the UMF entity, and the configuration information comprises the key, identity information of the UE, and the verification parameter; and
  
  receive verification information returned by the UMF entity, wherein the verification information is obtained by the UMF entity after the UMF entity encrypts the verification parameter by using the key; and
  
  the at least one processor further configured to determine, after determining that the verification information is valid, that the key is successfully delivered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
LI, He, CHEN, Jing

Granted Patent

US 11,445,370 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

H04L 9/3297   involving time stamps, e.g....

H04L 9/40   Network security protocols

H04W 12/0431   Key distribution or pre-dis...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

METHOD AND DEVICE FOR VERIFYING KEY REQUESTER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR VERIFYING KEY REQUESTER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links