Secured map messages for telecommunications networks

US 7,181,012 B2
Filed: 09/07/2001
Issued: 02/20/2007
Est. Priority Date: 09/11/2000
Status: Active Grant

First Claim

Patent Images

1. A method of sending a mobile application part (MAP) protocol message between a first network element of a first telecommunications network and a second network element of a second telecommunications network, the method comprising:

between a key administration center of the first telecommunications network and a key administration center of the second telecommunications network, using Internet Key Exchange (IRE) to negotiate a master security association between the first telecommunications network and the second telecommunications network, the master security association comprising a set of security parameters;

using the master security association to derive a unique connection-specific security association for use by the first network element on a connection between the first network element and the second network element;

at the first network element, including a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;

at the second network element, upon receipt of the MAP message using the master security association to derive a connection-specific security association for use by the second network element;

using the connection-specific security association for use by the second network element to decrypt/decode the MAP message;

performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over a first intermediate network which differs from a second intermediate network over which the MAP message is sent, wherein the first intermediate network and the second intermediate network interconnect the first telecommunications network and the second telecommunications network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encrypted/authenticated mobile application part (MAP) protocol message is sent between a first network element (42A) of a first telecommunications network (40A) and a second network element (42B) of a second telecommunications network (40B). The first network element uses a master security association to derive a connection-specific security association, and includes in the encrypted/authenticated MAP message a parameter obtained from the connection-specific security association. Upon receipt at the second network element, the master security association is used to derive a connection-specific security association for use by the second network element. The second network element uses the connection-specific security association to decrypt/decode the MAP message.

21 Citations

View as Search Results

30 Claims

1. A method of sending a mobile application part (MAP) protocol message between a first network element of a first telecommunications network and a second network element of a second telecommunications network, the method comprising:
- between a key administration center of the first telecommunications network and a key administration center of the second telecommunications network, using Internet Key Exchange (IRE) to negotiate a master security association between the first telecommunications network and the second telecommunications network, the master security association comprising a set of security parameters;
  
  using the master security association to derive a unique connection-specific security association for use by the first network element on a connection between the first network element and the second network element;
  
  at the first network element, including a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;
  
  at the second network element, upon receipt of the MAP message using the master security association to derive a connection-specific security association for use by the second network element;
  
  using the connection-specific security association for use by the second network element to decrypt/decode the MAP message;
  
  performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over a first intermediate network which differs from a second intermediate network over which the MAP message is sent, wherein the first intermediate network and the second intermediate network interconnect the first telecommunications network and the second telecommunications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over a network which differs from a network over which the MAP message is sent.
  - 3. The method of claim 2, further comprising performing negotiating of the master security association between the first telecommunications network and the second telecommunications network over an Internet Protocol network.
  - 4. The method of claim 2, further comprising sending the MAP message over a Signaling System No. 7 network.
  - 5. The method of claim 1, wherein the master security association is a set of security parameters that includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 6. The method of claim 1, wherein the master security association includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 7. The method of claim 1, wherein the connection-specific security association is a set of security parameters that specifies a cryptographic key used in communication between the first network element and the second network element.
  - 8. The method of claim 1, further comprising at least one of the following:
    - the first network element requesting the master security association from a key administration center of the first telecommunications network;
      
      the second network element requesting the master security association from a key administration center of the second telecommunications network.
  - 9. The method of claim 8, wherein at least one of the requesting actions is implementing utilizing an Internet Protocol.
  - 10. The method of claim 1, wherein the parameter included in the MAP message comprises security information that is required in order to extract protected information from the MAP message.
  - 11. The method of claim 10, further comprising including a Security Parameters Index (SPI) in the MAP message.
  - 12. The method of claim 11, further comprising including the Security Parameters Index (SPI) in a MAP Security Header in the MAP message.
  - 13. The method of claim 10, further comprising including in the MAP message along with the parameter a sending network identifier, and wherein the parameter in conjunction with the sending network identifier identifies a master security association.
  - 14. The method of claim 1, wherein the parameter comprises a combination of an arbitrary value and a sending network identifier, the combination uniquely identifying the master security association. association.
  - 15. The method of claim 14, wherein the sending network identifier is a PLMNID value, the PLMNID value being formed from the Mobile Country Code (MCC) and Mobile Network Code (MNC).

16. A telecommunications system comprising a first telecommunications network and a second telecommunications network, the system comprising:
- a first key administration center at the first telecommunications network and a second key administration center at the second telecommunications network which negotiate a master security association using Internet Key Exchange (IRE), the master security associating comprising a set of security parameters;
  
  a first network element of the first telecommunications network which uses the master security association to derive a unique connection-specific security association for use by the first network element on a connection between the first network element and the second network element and which includes a parameter obtained from the connection-specific security association in an encrypted/authenticated MAP message sent from the first network element to the second network element;
  
  a second network element belonging to the second telecommunications network, the second network element being configured, upon receipt of the MAP message, to use the master security association to derive a connection-specific security association for the second network element and to use the connection-specific security association for the second network element to decrypt/decode the MAP message;
  
  performing negotiating of the master security association between the first telecommunications network and the second telecommunications network overa first intermediate network for interconnecting the first telecommunications network and the second telecommunications network and over which the master security association is negotiated;
  
  a second intermediate network, which differs from the intermediate network, for interconnecting the first telecommmunications network and the second telecommunications network and over which the MAP message is sent.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the first key administration center and the second key administration center negotiate the master security association over a network which differs from a network over which the MAP message is sent.
  - 18. The system of claim 16, wherein the first key administration center and the second key administration center negotiate the master security association over an Internet Protocol network.
  - 19. The system of claim 16, further comprising a Signaling System No. 7 network over which the MAP message is sent.
  - 20. The system of claim 16, wherein the master security association is a set of security parameters that includes at least one of the following:
    - (1) an authentication algorithm;
      
      (2) authentication keying material;
      
      (3) an encryption algorithm;
      
      (4) encryption keying material;
      
      (5) a lifetime value for the master security association.
  - 21. The system of claim 16, wherein the connection-specific security association is a set of security parameters that specifies a cryptographic key used in communication between the first network element and the second network element.
  - 22. The system of claim 16, wherein the first network element requests the master security association from a key administration center of the first telecommunications network using an Internet Protocol.
  - 23. The system of claim 16, wherein the second network element requests the master security association from a key administration center of the second telecommunications network.
  - 24. The system of claim 23, wherein the second network element requests the master security association from a key administration center of the second telecommunications network using an Internet Protocol.
  - 25. The system of claim 16, wherein the parameter included in the MAP message comprises security information that is required in order to extract protected information from the MAP message.
  - 26. The system of claim 25, wherein a Security Parameters Index (SPI) is included in the MAP message.
  - 27. The system of claim 26, wherein the Security Parameters Index (SPI) is included in a MAP Security Header in the MAP message.
  - 28. The system of claim 16, further comprising a sending network identifier included in the MAP message along with the parameter;
    - and wherein the parameter in conjunction with the sending network identifier identifies a master security association.
  - 29. The system of claim 16, wherein the parameter comprises a combination of an arbitrary value and a sending network identifier, the combination uniquely identifying the master security association.
  - 30. The system of claim 29, wherein the sending network identifier is a PLMNID value, the PLMNID value being formed from the Mobile Country Code (MCC) and Mobile Network Code (MNC).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Arkko, Jari, Blom, Rolf, Turtiainen, Esa
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
Abrishamkar; Kaveh

Application Number

US09/948,101
Publication Number

US 20020052200A1
Time in Patent Office

1,992 Days
Field of Search

380/246, 380/270, 380/247, 713/169
US Class Current

380/270
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/18   using different networks or...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 92/02   Inter-networking arrangements

Secured map messages for telecommunications networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secured map messages for telecommunications networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links