Method and apparatus for secure communication between user equipment and private network

US 7,853,783 B2
Filed: 12/28/2006
Issued: 12/14/2010
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for implementing special secure communication with a private network in user equipment of a communication network, comprising the steps of:

a) generating a security parameters index value by using a pre-stored second root key, wherein said security parameters index value indicates an encryption/decryption algorithm and parameters of data encryption/decryption, and wherein said security parameters index value comprises a Hash operation on a locally current date value, a destination address prefix, a source address, and said second root key;

b) performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;

c) encrypting data to be transmitted by using said encryption key to generate encrypted data; and

d) encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

It is an object of the present invention to provide a new technical solution of supporting special secure communication between user equipment which is located in an external network and an private network the user equipment belongs to. Specifically, transmitted data is encrypted/decrypted and authenticated by using pre-stored root keys corresponding to specific private networks and the agreed encryption/decryption and authentication algorithm at the user equipment and an access device. The manner of generating the encryption/decryption keys and authentication key is simplified, and the complexity of the access device at the private network end is reduced on the premise of not degrading the security grade. The technical solution of the present invention is highly flexible and extensible and can achieve better user experience.

16 Citations

View as Search Results

25 Claims

1. A method for implementing special secure communication with a private network in user equipment of a communication network, comprising the steps of:
- a) generating a security parameters index value by using a pre-stored second root key, wherein said security parameters index value indicates an encryption/decryption algorithm and parameters of data encryption/decryption, and wherein said security parameters index value comprises a Hash operation on a locally current date value, a destination address prefix, a source address, and said second root key;
  
  b) performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
  
  c) encrypting data to be transmitted by using said encryption key to generate encrypted data; and
  
  d) encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
- View Dependent Claims (2, 3, 4, 5, 25)
- - 2. The method according to claim 1, wherein said security parameters index value comprises three parts, comprising:
    - a first part used to indicate the adopted security policy scheme comprising said encryption algorithm, said encapsulation manner etc.;
      
      a second part comprises said locally current date value; and
      
      a third part comprises a value obtained by performing a Hash operation on said locally current date value, said destination address prefix, said source address, said second root key etc.
  - 3. The method according to claim 1, further comprising the steps of:
    - performing an operation on said security parameters index value and a second predetermined sequence by using said first root key to generate an authentication key;
      
      performing said Hash operation on said encrypted data by using said authentication key to generate an authentication part;
      
      wherein step d) further comprises the step of;
      
      encapsulating said authentication part into said encrypted data packet to be transmitted.
  - 4. The method according to claim 1, further comprising, prior to step a), the steps of:
    - verifying an identity of a user by using locally pre-stored user-related information and through interaction with the user;
      
      if said user is a valid user, going to step a);
      
      otherwise, stopping the operation.
  - 5. The method according to claim 1, wherein said communication network is an IP-based network.
  - 25. The method according to claim 1, wherein said communications network is an IPv6-based network.

6. User equipment for implementing special secure communication with a belonging private network in a communication network, comprising:
- means for generating a security parameters index value by using a pre-stored second root key, wherein said security parameters index value indicates an encryption/decryption algorithm and parameters of data encryption/decryption, wherein said security parameters index value comprises a Hash operation on a locally current date value, a destination address prefix, a source address, and said second root key;
  
  first operating means for performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
  
  means for encrypting the data to be sent by using said encryption key to generate encrypted data; and
  
  means for encapsulating said encrypted data and said security parameters index value into a data packet which is transmitted via said communication network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The user equipment according to claim 6, wherein said security parameters index value comprises three parts, comprising:
    - a first part is used to indicate the adopted security policy scheme comprising the encryption algorithm, the encapsulation manner etc.;
      
      a second part comprises said locally current date value; and
      
      a third part comprises a value obtained by performing a Hash operation on said locally current date value, said destination address prefix, said source address, said second root key etc.
  - 8. The user equipment according to claim 6, further comprising:
    - second operating means for performing an operation on said security parameters index value and a second predetermined sequence by using said first root key to generate an authentication key; and
      
      means for performing an authentication operation on said encrypted data by using said authentication key to generate an authentication part;
      
      wherein said means for encapsulating encapsulates said authentication part into said data packet to be transmitted.
  - 9. The user equipment according to claim 6, further comprising:
    - verifying means for performing the following operations;
      
      verifying an identity of a user by using locally pre-stored user-related information and through interaction with the user;
      
      if said user is a valid user, allowing the subsequent operation;
      
      otherwise, stopping the operation.
  - 10. The user equipment according to claim 6, wherein said communication network is an IP-based network.

11. A method for supporting special secure communication between user equipment and the belonging private network in an access device of a communication network, comprising the steps of:
- i) receiving a data packet from said user equipment;
  
  ii) deciding whether said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network,wherein step ii) further comprises;
  
  generating a security parameters index value by using a pre-stored second root key;
  
  comparing said generated security parameters index value with the security parameters index value in the incoming data packet; and
  
  performing an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key to generate an encryption key;
  
  iii) if said data packet from the user equipment belongs to said special secure communication, performing a decryption algorithm, which corresponds to an encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using a pre-stored first root key that corresponds to said private network to generate an ordinary data packet, and forwarding the ordinary data packet to said private network.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method according to claim 11, wherein step ii) further comprises the steps of:
    - extracting from said data packet from the user equipment a destination address prefix of said data packet and an original security parameters index value;
      
      generating said new security parameters index value by using said second root key that corresponds to said destination address prefix and in the same generating manner as at the user equipment;
      
      comparing said original security parameters index value with the new security parameters index value; and
      
      if said original security parameters index value is consistent with the new security parameters index value, determining said data packet from the user equipment belongs to said special secure communication.
  - 13. The method according to claim 12, wherein step ii) further comprises the steps of:
    - extracting said original authentication part from said security parameters index value;
      
      performing on the operated security parameters index value the same operation as at the user equipment by using a pre-stored first root key that corresponds to said destination address prefix to generate a new authentication key;
      
      performing on encrypted, data part in said encrypted data packet from the user equipment the same authentication operation as at the user equipment by using said new authentication key to generate a new authentication part;
      
      comparing said original authentication part with said new authentication part; and
      
      if said original authentication part is consistent with said new authentication part, determining said data packet from the user equipment belongs to said special secure communication.
  - 14. The method according to claim 11, further comprising the steps of:
    - recording related information of all set up communication;
      
      based on said related information, deciding whether said data packet from the user equipment belongs to special secure communication between the user equipment and said private network or said user equipment'"'"'s set up communication which falls into other type;
      
      if said data packet from the user equipment belongs to said special secure communication, performing a decryption algorithm, which corresponds to an encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using said first root key to generate an ordinary data packet, and forwarding the ordinary data packet to said private network;
      
      if said data packet from the user equipment belongs to said user equipment'"'"'s set up communication which falls into other type, forwarding said data packet directly; and
      
      if said data packet from the user equipment does not belong to said special secure communication or said user equipment'"'"'s set up communication which falls into other type, discarding said data packet.
  - 15. The method according to claim 14, further comprising the steps of;
    - receiving a data packet from said private equipment;
      
      based on the recorded related information of all set up communication, deciding whether said data packet from the private equipment belongs to special secure communication between said private equipment and the user equipment or said private network'"'"'s set up communication which falls into other type;
      
      if said data packet from the private equipment belongs to the special secure communication set up between said private equipment and the user equipment, converting said ordinary data packet into an encrypted data packet used for said special secure communication by using said first root key and said second root key in the same manner as at the user equipment, and sending the converted encrypted data packet to said user equipment; and
      
      if said data packet from the private network belongs to said private network'"'"'s set up communication which falls into other type, forwarding said data packet directly.
  - 16. The method according to claim 11, wherein said related information comprises a destination address, a source address, a security parameters index (SPI) value, and a first root key of a data packet.
  - 17. The method according to claim 11, wherein said communication network is an IP-based network.

18. An access device for supporting special secure communication between user equipment and the belonging private network in a communication network, comprising:
- first means for receiving a data packet from said user equipment;
  
  deciding means for deciding whether said data packet from the user equipment belongs to special secure communication between said user equipment and the belonging private network, to generate a security parameters index value by using a pre-stored second root key, to compare said generated security parameters index value with the security parameters index value in the incoming data packet; and
  
  to perform an operation on said security parameters index value and a first predetermined sequence by using a pre-stored first root key, to generate an encryption key;
  
  conversion processing means for, if said data packet belongs to said special secure communication, performing a decryption algorithm, which corresponds to the encryption algorithm at the user equipment, on encrypted data part in said data packet from the user equipment by using a pre-stored first root key that corresponds to said private network, to generate an ordinary data packet; and
  
  first sending means for forwarding the data packet.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The access device according to claim 18, wherein said deciding means comprises:
    - means for extracting from said data packet a destination address prefix of said data packet and an original security parameters index value;
      
      operating means for generating a new security parameters index value by using a second root key that corresponds to said destination address prefix and in the same generating manner as at the user equipment;
      
      means for comparing said original security parameters index value with the new security parameters index value; and
      
      determining means for, if said original security parameters index value is consistent with the new security parameters index value, determining said data packet from the user equipment belongs to said special secure communication.
  - 20. The access device according to claim 19, whereinsaid means for extracting is operable to extract an original authentication part from said security parameters index value;
    - said operating means is operable to perform on the operated security parameters index value the same operation as at the user equipment by using a pre-stored first root key that corresponds to said destination address prefix to generate a new authentication key;
      
      said means for comparing is operable to compare said original authentication part with said new authentication part; and
      
      said determining means is further used for, If said authentication part is consistent with said new authentication part, determining said data packet from the user equipment belongs to said special secure communication.
  - 21. The access device according to claim 18, further comprising:
    - means for recording related information of all set up communication;
      
      wherein, said deciding means is further used for, based on said related information, deciding whether said data packet from the user equipment belongs to special secure communication between the user equipment and said private network or said user equipment'"'"'s set up communication which falls into other type;
      
      said conversion processing means is operable to perform the following functions;
      
      if said data packet is an encrypted data packet used for secure communication between the user equipment and said private network, converting said encrypted data packet into an ordinary data packet by using a pre-stored first root key that corresponds to said private network, and providing the ordinary data packet to the first sending means;
      
      if said data packet belongs to said user equipment'"'"'s set up communication which falls into other type, directly providing said data packet to said first sending means;
      
      otherwise, discarding said data packet.
  - 22. The access device according to claim 21, further comprising:
    - second means for receiving a data packet from said private network;
      
      second sending means for sending the data packet to the user equipment;
      
      wherein, said deciding means is further used for, based on the recorded related information of all set up communication, deciding whether said data packet from the private network belongs to special secure communication set up between said private network and the user equipment or said private network'"'"'s set up communication which falls into other type;
      
      said conversion processing means is operable to perform the following operations;
      
      if said data packet from the private network belongs to the special secure communication set up between said private network and the user equipment, converting said ordinary data packet into an encrypted data packet used for said special secure communication by using said first root key and said second root key and in the same manner as at the user equipment, and providing the converted ordinary data packet to the second sending means;
      
      if said data packet from the private network belongs to said private network'"'"'s set up communication which falls into other type, directly providing said data packet to the second sending means.
  - 23. The access device according to claim 18, wherein said related information comprises a destination address, a source address, a security parameters index (SPI) value, a first root key of a data packet.
  - 24. The access device according to claim 18, wherein said communication network is an IP-based network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Yan, RenXiang, Jiang, YingLan, Ding, ZheMin, Wen, HaiBo, Zhang, QingShan, Bin, FanXiang
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Hailu; Teshome

Application Number

US11/616,937
Publication Number

US 20070157309A1
Time in Patent Office

1,447 Days
Field of Search

713/153
US Class Current

713/153
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

Method and apparatus for secure communication between user equipment and private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for secure communication between user equipment and private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links