Method and apparatus for secure communication between user equipment and private network
Abstract
It is an object of the present invention to provide a new technical solution for supporting special secure communication between user equipment located in an external network and the private network to which the user equipment belongs. Specifically, transmitted data is encrypted/decrypted and authenticated at the user equipment and at an access device by using pre-stored root keys corresponding to specific private networks together with the agreed encryption/decryption and authentication algorithms. The manner of generating the encryption/decryption keys and the authentication key is simplified, and the complexity of the access device at the private-network end is reduced without degrading the security grade. The technical solution of the present invention is highly flexible and extensible and can achieve a better user experience.
Claims (25)

1. A method for implementing special secure communication with a private network in user equipment of a communication network, comprising the steps of:
a) generating a security parameters index value by using a pre-stored second root key, wherein said security parameters index value indicates an encryption/decryption algorithm and parameters of data encryption/decryption, and wherein said security parameters index value comprises a Hash operation on a locally current date value, a destination address prefix, a source address, and said second root key;
b) performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
c) encrypting data to be transmitted by using said encryption key to generate encrypted data; and
d) encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
Dependent claims: 2, 3, 4, 5, 25

6. User equipment for implementing special secure communication with a belonging private network in a communication network, comprising:
means for generating a security parameters index value by using a pre-stored second root key, wherein said security parameters index value indicates an encryption/decryption algorithm and parameters of data encryption/decryption, wherein said security parameters index value comprises a Hash operation on a locally current date value, a destination address prefix, a source address, and said second root key;
first operating means for performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
means for encrypting the data to be sent by using said encryption key to generate encrypted data; and
means for encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
Dependent claims: 7, 8, 9, 10

11. A method for supporting special secure communication between user equipment and the belonging private network in an access device of a communication network, comprising the steps of:
i) receiving a data packet from said user equipment;
ii) deciding whether said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network, wherein step ii) further comprises:
generating a security parameters index value by using a pre-stored second root key;
comparing said generated security parameters index value with the security parameters index value in the incoming data packet; and
performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
iii) if said data packet from the user equipment belongs to said special secure communication, performing a decryption algorithm, which corresponds to an encryption algorithm at the user equipment, on the encrypted data part in said data packet from the user equipment by using a pre-stored first root key that corresponds to said private network to generate an ordinary data packet, and forwarding the ordinary data packet to said private network.
Dependent claims: 12, 13, 14, 15, 16, 17

18. An access device for supporting special secure communication between user equipment and the belonging private network in a communication network, comprising:
first means for receiving a data packet from said user equipment;
deciding means for deciding whether said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network, to generate a security parameters index value by using a pre-stored second root key, to compare said generated security parameters index value with the security parameters index value in the incoming data packet, and to perform an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key, to generate an encryption key;
conversion processing means for, if said data packet belongs to said special secure communication, performing a decryption algorithm, which corresponds to the encryption algorithm at the user equipment, on the encrypted data part in said data packet from the user equipment by using a pre-stored first root key that corresponds to said private network, to generate an ordinary data packet; and
first sending means for forwarding the data packet.
Dependent claims: 19, 20, 21, 22, 23, 24
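As an added example (not code from the patent), the following Python walks the user-equipment side of claim 1, steps a) to d), and the access-device side of claim 11, steps i) to iii): the access device recomputes the security parameters index from its own second root key and the packet's addresses, and only a packet whose SPI matches is accepted as special secure traffic and decrypted. The patent names no particular hash, keyed operation or cipher, so HMAC-SHA256 for SPI generation and key derivation, an HMAC-based counter keystream standing in for the agreed encryption/decryption algorithm, a 32-bit SPI, and the sample root keys, sequence and addresses are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions; the patent specifies none of them).
ROOT_KEY_1 = b"root-key-1-for-private-network-A"   # first root key: key derivation
ROOT_KEY_2 = b"root-key-2-for-private-network-A"   # second root key: SPI generation
PREDETERMINED_SEQ = b"\x01\x02\x03\x04"             # the "first predetermined sequence"
SPI_LEN = 4                                         # 32-bit SPI as in IPsec (assumption)

def generate_spi(date, dst_prefix, src_addr, root_key_2):
    """Step a): SPI from a Hash over the local date, destination prefix, source
    address and the second root key. Assumption: HMAC-SHA256 truncated to 32 bits."""
    msg = b"|".join(s.encode() for s in (date, dst_prefix, src_addr))
    return hmac.new(root_key_2, msg, hashlib.sha256).digest()[:SPI_LEN]

def derive_key(spi, seq, root_key_1):
    """Step b): operation on the SPI and the predetermined sequence under the first
    root key. Assumption: HMAC-SHA256 is the keyed operation."""
    return hmac.new(root_key_1, spi + seq, hashlib.sha256).digest()

def keystream_xor(key, spi, data):
    """Stand-in for the agreed encryption/decryption algorithm (assumption): an
    HMAC-SHA256 counter keystream bound to the SPI, XORed with the data. The same
    call encrypts and decrypts."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, spi + struct.pack(">I", ctr), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def ue_build_packet(date, dst_prefix, src_addr, plaintext):
    """User equipment, claim 1 steps a)-d): packet = SPI || encrypted data."""
    spi = generate_spi(date, dst_prefix, src_addr, ROOT_KEY_2)
    key = derive_key(spi, PREDETERMINED_SEQ, ROOT_KEY_1)
    return spi + keystream_xor(key, spi, plaintext)

def access_device_handle(packet, date, dst_prefix, src_addr):
    """Access device, claim 11 steps i)-iii): recompute the SPI, compare it in
    constant time with the one in the packet, and only then derive the key and
    decrypt. Returns the ordinary data, or None when the packet is not this
    private network's special secure traffic."""
    spi_in, encrypted = packet[:SPI_LEN], packet[SPI_LEN:]
    expected = generate_spi(date, dst_prefix, src_addr, ROOT_KEY_2)
    if not hmac.compare_digest(spi_in, expected):
        return None
    key = derive_key(spi_in, PREDETERMINED_SEQ, ROOT_KEY_1)
    return keystream_xor(key, spi_in, encrypted)
```

Because the date is an input to the SPI, a packet replayed on a later day, or one carrying a forged SPI, fails the comparison in step ii) before any decryption is attempted.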
Specification