Key storage and retrieval in a breakout component at the edge of a mobile data network

  • US 9,001,718 B2
  • Filed: 11/19/2012
  • Issued: 04/07/2015
  • Est. Priority Date: 12/19/2011
  • Status: Active Grant
First Claim

1. A method for processing data packets in a mobile data network that includes a radio access network coupled to a core network, the method comprising:

  • a plurality of antennas sending and receiving network messages between user equipment and a plurality of basestations in the radio access network, each basestation communicating with a corresponding one of the plurality of antennas;
  • providing a breakout component in one of the plurality of basestations, the breakout component comprising:
    • a system controller that controls function of the breakout component;
    • a service processor that monitors the breakout component and provides control functions for the breakout component;
    • a security subsystem that includes a key mechanism for storing keys to a non-volatile key storage and retrieving keys from the non-volatile key storage, wherein the keys are written to the non-volatile key storage in the security subsystem with a corresponding key identifier and a corresponding secret value during manufacture of the breakout component, the security subsystem comprising a tamper detection mechanism that detects tampering of the breakout component, and in response to a detected tampering of the breakout component, erases the keys in the non-volatile key storage;
    • a telco breakout system that performs:
      • defining an existing first data path in the radio access network for non-broken out data;
      • defining a second data path for broken out data;
      • identifying first data received from a corresponding basestation as data to be broken out;
      • sending the first data on the second data path;
      • forwarding other data that is not broken out on the first data path; and
      • performing a plurality of services with respect to internet protocol (IP) data sent to the user equipment in response to an IP data request in the first data from the user equipment;
  • writing the keys to the non-volatile key storage in the security subsystem during manufacture of the breakout component with each key having a corresponding key identifier and a corresponding secret value;
  • when an application running on a first subsystem in the breakout component requires access to a key stored in the non-volatile key storage, the application requesting access to the key from the first subsystem using the key identifier and secret value corresponding to the key, and in response to the request by the application to access the key, the first subsystem retrieving the key from the security subsystem and writing the key to a shared memory in the first subsystem;
  • the application accessing the key in the shared memory;
  • detecting tampering of the breakout component; and
  • in response to a detected tampering of the breakout component, erasing the keys in the non-volatile key storage.
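The key-handling steps of the claim (manufacture-time provisioning under a key identifier and secret value, retrieval by an application on another subsystem into shared memory, and erasure on tamper detection) can be modelled as a small state machine. The following is an added illustration written for this page, not the patent's implementation or any vendor's code: class and method names, the SHA-256 hashing of the secret value, the constant-time comparison, and the explicit zeroisation of the shared-memory copy are all assumptions of the example, chosen to show where a practitioner would expect checks in such a design.

```python
"""Toy model of the claimed key-storage flow (added illustration, not the
patent's implementation). All names and the hashing/compare choices are
assumptions of this example."""
import hashlib
import hmac


class KeyAccessError(Exception):
    """Raised when a key is absent, the secret is wrong, or keys were erased."""


class SecuritySubsystem:
    """Models the security subsystem: non-volatile key storage plus tamper response."""

    def __init__(self):
        # key_id -> (sha256(secret), key bytes); filled only at manufacture
        self._nv_store = {}
        self.tampered = False

    def provision_at_manufacture(self, key_id: str, secret: bytes, key: bytes) -> None:
        # Only a digest of the secret is kept, so a dump of the store does not
        # reveal the secret itself (assumption of this example, not the patent).
        self._nv_store[key_id] = (hashlib.sha256(secret).digest(), bytes(key))

    def retrieve(self, key_id: str, secret: bytes) -> bytes:
        if self.tampered:
            raise KeyAccessError("keys erased after tamper detection")
        entry = self._nv_store.get(key_id)
        if entry is None:
            raise KeyAccessError(f"unknown key identifier {key_id!r}")
        stored_digest, key = entry
        # constant-time comparison avoids leaking the secret through timing
        if not hmac.compare_digest(stored_digest, hashlib.sha256(secret).digest()):
            raise KeyAccessError("secret value does not match")
        return key

    def on_tamper_detected(self) -> int:
        """Erase all keys from non-volatile storage; returns the number erased."""
        self.tampered = True
        count = len(self._nv_store)
        self._nv_store.clear()
        return count


class FirstSubsystem:
    """Models the subsystem hosting the application, with a fixed shared-memory region."""

    SHARED_MEMORY_SIZE = 256

    def __init__(self, security: SecuritySubsystem):
        self._security = security
        self.shared_memory = bytearray(self.SHARED_MEMORY_SIZE)
        self._next_offset = 0

    def request_key(self, key_id: str, secret: bytes) -> tuple:
        """Fetch the key from the security subsystem and place it in shared memory.

        Returns (offset, length) so the application can read it back."""
        key = self._security.retrieve(key_id, secret)
        if self._next_offset + len(key) > len(self.shared_memory):
            raise MemoryError("shared memory exhausted")
        offset = self._next_offset
        self.shared_memory[offset:offset + len(key)] = key
        self._next_offset += len(key)
        return offset, len(key)

    def read_key(self, handle: tuple) -> bytes:
        offset, length = handle
        return bytes(self.shared_memory[offset:offset + length])

    def release_key(self, handle: tuple) -> None:
        """Zeroise the shared-memory copy once the application is done with it."""
        offset, length = handle
        self.shared_memory[offset:offset + length] = bytes(length)


def demo() -> dict:
    """Walk the claimed flow end to end; returns observations for checking."""
    security = SecuritySubsystem()
    # constructed manufacturing-time provisioning values
    secret = b"manufacture-secret-01"
    key = bytes(range(32))
    security.provision_at_manufacture("k1", secret, key)

    first = FirstSubsystem(security)
    handle = first.request_key("k1", secret)
    got = first.read_key(handle)
    first.release_key(handle)
    wiped = first.read_key(handle)

    wrong_secret_rejected = False
    try:
        first.request_key("k1", b"wrong")
    except KeyAccessError:
        wrong_secret_rejected = True

    erased = security.on_tamper_detected()
    after_tamper_rejected = False
    try:
        first.request_key("k1", secret)
    except KeyAccessError:
        after_tamper_rejected = True

    return {
        "key_matches": got == key,
        "shared_copy_wiped": wiped == bytes(32),
        "wrong_secret_rejected": wrong_secret_rejected,
        "keys_erased": erased,
        "after_tamper_rejected": after_tamper_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The claim itself says nothing about what happens to the copy in shared memory after the application has used it; `release_key` is included because a key that survives in shared memory after the non-volatile store has been erased would undercut the tamper response, so a real design would wipe that copy as well.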
