Key storage and retrieval in a breakout component at the edge of a mobile data network

US 8,769,615 B2
Filed: 12/19/2011
Issued: 07/01/2014
Est. Priority Date: 12/19/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile data network comprising:

a plurality of basestations, each basestation communicating with a corresponding antenna that transmits and receives radio signals to and from user equipment, wherein the plurality of basestations are part of a radio access network that communicates with a core network in the mobile data network, each basestation comprising;

a breakout component that defines an existing first data path in the radio access network for non-broken out data, defines a second data path for broken out data, identifies first data corresponding to first user equipment received from a corresponding basestation as data to be broken out, sends the first data on the second data path, and forwards other data that is not broken out on the first data path, wherein the breakout component provides a first service with respect to internet protocol (IP) data sent to the first user equipment in response to an IP data request in the first data from the first user equipment, the breakout component comprising;

a security subsystem that includes a key mechanism for storing keys to a non-volatile key storage and retrieving keys from the non-volatile key storage, wherein the keys are written to the non-volatile key storage in the security subsystem during manufacture of the breakout component; and

a first subsystem, and when an application running on the first subsystem system requires access to a key stored in the non-volatile key storage, the application requests access to the key from the first subsystem, and in response to the request by the application to access the key, the first subsystem retrieves the key from the security subsystem using a key identifier corresponding to the key and writes the key to a shared memory in the first subsystem, wherein the application accesses the key in the shared memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may require the use of keys. Keys are stored and retrieved from a non-volatile key storage in a way that assures subsystems that need the keys have access to the keys. The keys retrieved from the non-volatile key storage are stored in a shared memory in the requesting subsystem, which allows any applications that requires access to the keys to directly access the keys in the shared memory.

32 Citations

7 Claims

1. A mobile data network comprising:
- a plurality of basestations, each basestation communicating with a corresponding antenna that transmits and receives radio signals to and from user equipment, wherein the plurality of basestations are part of a radio access network that communicates with a core network in the mobile data network, each basestation comprising;
  
  a breakout component that defines an existing first data path in the radio access network for non-broken out data, defines a second data path for broken out data, identifies first data corresponding to first user equipment received from a corresponding basestation as data to be broken out, sends the first data on the second data path, and forwards other data that is not broken out on the first data path, wherein the breakout component provides a first service with respect to internet protocol (IP) data sent to the first user equipment in response to an IP data request in the first data from the first user equipment, the breakout component comprising;
  
  a security subsystem that includes a key mechanism for storing keys to a non-volatile key storage and retrieving keys from the non-volatile key storage, wherein the keys are written to the non-volatile key storage in the security subsystem during manufacture of the breakout component; and
  
  a first subsystem, and when an application running on the first subsystem system requires access to a key stored in the non-volatile key storage, the application requests access to the key from the first subsystem, and in response to the request by the application to access the key, the first subsystem retrieves the key from the security subsystem using a key identifier corresponding to the key and writes the key to a shared memory in the first subsystem, wherein the application accesses the key in the shared memory.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The mobile data network of claim 1 wherein the breakout component further comprises a tamper detection mechanism that detects tampering of the breakout component, and in response to a detected tampering of the breakout component, erases the keys in the non-volatile key storage.
  - 3. The mobile data network of claim 1 wherein keys are written to the non-volatile key storage in the security subsystem with the key identifier.
  - 4. The mobile data network of claim 3 wherein the keys are written to the non-volatile key storage in the security subsystem with a corresponding secret value.
  - 5. The mobile data network of claim 1 wherein the first subsystem requests the key from the security subsystem using a secret value corresponding to the key.

6. A mobile data network comprising:
- a plurality of basestations, each basestation communicating with a corresponding antenna that transmits and receives radio signals to and from user equipment, wherein the plurality of basestations are part of a radio access network that communicates with a core network in the mobile data network, each basestation comprising;
  
  a breakout component connected to the basestation and connected to an upstream computer system, the breakout component comprising;
  
  a system controller that controls function of the breakout component;
  
  a service processor that monitors the breakout component and provides control functions for the breakout component;
  
  a security subsystem that includes a key mechanism for storing keys to a non-volatile key storage and retrieving keys from the non-volatile key storage, wherein the keys are written to the non-volatile key storage in the security subsystem with a corresponding key identifier and a corresponding secret value during manufacture of the breakout component, the security subsystem comprising a tamper detection mechanism that detects tampering of the breakout component, and in response to a detected tampering of the breakout component, erases the keys in the non-volatile key storage;
  
  a telco breakout system that comprises;
  
  a first service mechanism that defines an existing first data path in the radio access network for non-broken out data, defines a second data path for broken out data, identifies first data corresponding to first user equipment received from a corresponding basestation as data to be broken out, sends the first data on the second data path, and forwards other data that is not broken out on the first data path, wherein the first service mechanism provides a plurality of services with respect to internet protocol (IP) data sent to the first user equipment in response to an IP data request in the first data from the first user equipment;
  
  when an application running on one of the system controller and the telco breakout system requires access to a key stored in the non-volatile key storage, the application requests access to the key from the one of the system controller and the telco breakout system by sending the key identifier and secret value corresponding to the key, and in response to the request by the application to access the key, the one of the system controller and the telco breakout system retrieves the key from the security subsystem and writes the key to a shared memory in the one of the system controller and the telco breakout system, wherein the application accesses the key in the shared memory.

7. A mobile data network comprising:
- a plurality of basestations, each basestation communicating with a corresponding antenna that transmits and receives radio signals to and from user equipment, wherein the plurality of basestations are part of a radio access network that communicates with a core network in the mobile data network, each basestation comprising;
  
  a breakout component that defines an existing first data path in the radio access network for non-broken out data, defines a second data path for broken out data, identifies first data corresponding to first user equipment received from a corresponding basestation as data to be broken out, sends the first data on the second data path, and forwards other data that is not broken out on the first data path, wherein the breakout component provides a first service with respect to internet protocol (IP) data sent to the first user equipment in response to an IP data request in the first data from the first user equipment, the breakout component comprising;
  
  a security subsystem that includes a key mechanism for storing keys to a non-volatile key storage and retrieving keys from the non-volatile key storage, wherein the keys are written to the non-volatile key storage in the security subsystem during manufacture of the breakout component, wherein keys are written to the non-volatile key storage in the security subsystem with a corresponding key identifier and with a corresponding secret value;
  
  a first subsystem, and when an application running on the first subsystem system requires access to a key stored in the non-volatile key storage, the application requests access to the key from the first subsystem, and in response to the request by the application to access the key, the first subsystem retrieves the key from the security subsystem and writes the key to a shared memory in the first subsystem, wherein the application accesses the key in the shared memory; and
  
  a tamper detection mechanism that detects tampering of the breakout component, and in response to a detected tampering of the breakout component, erases the keys in the non-volatile key storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Billau, Ronald L., Di Luoffo, Vincenzo V., Grady, Philip E., Van Leeuwen, George W.
Primary Examiner(s)
Cervetti, David Garca
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US13/329,517
Publication Number

US 20130156020A1
Time in Patent Office

925 Days
Field of Search

726 2- 6, 713151-153, 380/270, 455/411, 709225-226, 370/338
US Class Current

726/3
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/04   Key management, e.g. using ...

H04W 12/126   Anti-theft arrangements, e....

H04W 12/65   Environment-dependent, e.g....

H04W 40/02   Communication route or path...

H04W 40/32   for defining a routing clus...

Key storage and retrieval in a breakout component at the edge of a mobile data network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Key storage and retrieval in a breakout component at the edge of a mobile data network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links