Method for protecting security of data, network entity and communication terminal

US 9,189,632 B2
Filed: 07/16/2013
Issued: 11/17/2015
Est. Priority Date: 01/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method for protecting security of data, which is applied to a machine type communication, comprising:

querying, by a network side entity, a home subscribe server (HSS) whether there is machine type communication (MTC) characteristic information of a communication terminal;

determining, by the network side entity, whether communication between the communication terminal and the network side entity is a small data transmission according to the MTC characteristic information of the communication terminal;

storing, by the network side entity, information pertaining to security context if the communication terminal which communicates with the network side entity is a small data transmission, wherein the step of storing the information pertaining to the security context is performed subsequent to the step of querying the HSS;

obtaining, by the network side entity, a current security context according to the information pertaining to security context; and

protecting, by the network side entity, security of communication data by employing the current security context,wherein the information pertaining to the security context comprises;

an algorithm and an authentication vector (AV) comprising a random number (RAND) and an authentication token (AUTN), oran algorithm and a root key (Kasme).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to communication technologies and discloses a method and an apparatus for protecting security of data, so as to solve the problem of the prior art in which the security of data transmission between a communication terminal which has a characteristic of small data transmission and the network cannot be guaranteed. Information relevant to security context is stored if a communication terminal has a characteristic of small data transmission; current security context is obtained according to the information relevant to security context; and security protection of communication data is performed by employing the current security context. The embodiments of the present invention may be applied to a communication system having a characteristic of small data transmission, such as an MTC and the like.

7 Citations

13 Claims

1. A method for protecting security of data, which is applied to a machine type communication, comprising:
- querying, by a network side entity, a home subscribe server (HSS) whether there is machine type communication (MTC) characteristic information of a communication terminal;
  
  determining, by the network side entity, whether communication between the communication terminal and the network side entity is a small data transmission according to the MTC characteristic information of the communication terminal;
  
  storing, by the network side entity, information pertaining to security context if the communication terminal which communicates with the network side entity is a small data transmission, wherein the step of storing the information pertaining to the security context is performed subsequent to the step of querying the HSS;
  
  obtaining, by the network side entity, a current security context according to the information pertaining to security context; and
  
  protecting, by the network side entity, security of communication data by employing the current security context,wherein the information pertaining to the security context comprises;
  
  an algorithm and an authentication vector (AV) comprising a random number (RAND) and an authentication token (AUTN), oran algorithm and a root key (Kasme).
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - sending, by the network side entity, a detach request message or a detach accept message to the communication terminal, wherein the detach request message comprises the authentication vector (AV).
  - 3. The method of claim 1, wherein when the information pertaining to the security context comprises the algorithm and the authentication vector (AV), the obtaining, by the network side entity, the current security context according to the information pertaining to the security context, comprises:
    - generating, by the network side entity, the security context according to the algorithm and a root key (Kasme) in the authentication vector (AV) comprised in the information pertaining to the security context.
  - 4. The method of claim 1, wherein the obtaining, by the network side entity, the current security context according to the information pertaining to the security context, comprises:
    - receiving, by the network side entity, a random number (RAND) generated by the communication terminal;
      
      (Kasme) according to the random number (RAND) generated by the communication terminal, a Count value stored by the network side entity and the root key (Kasme) comprised in the information pertaining to the security context; and
      
      generating, by the network side entity, the current security context according to the new root key (Kasme) and the algorithm comprised in the information pertaining to security context.

5. A method for protecting security of data, which is applied to a machine type communication (MTC), comprising:
- obtaining, by a communication terminal, MTC characteristic information of the communication terminal according to configuration information;
  
  determining, by the communication terminal, whether communication with the communication terminal is a small data transmission according to the MTC characteristic information of the communication terminal;
  
  storing, by the communication terminal, information pertaining to a security context if the communication with the communication terminal is a small data transmission, wherein the step of storing the information pertaining to the security context is performed subsequent to the step of obtaining the MTC characteristic information;
  
  obtaining, by the communication terminal, a current security context according to the information pertaining to the security context; and
  
  protecting, by the communication terminal, security of communication data by employing the current security context,wherein the information pertaining to the security context comprises;
  
  an algorithm and an authentication vector (AV) comprising a random number (RAND) and an authentication token (AUTN), oran algorithm and a root key (Kasme).
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, wherein the storing, by a communication terminal, information pertaining to the security context, comprises:
    - receiving, by the communication terminal, a detach request message or a detach accept message sent by a network side entity; and
      
      storing, by the communication terminal, the random number (RAND) and the authentication token (AUTN) in the detach request message or the detach accept message.
  - 7. The method of claim 6, wherein the obtaining, by the communication terminal, the current security context according to the information pertaining to the security context, comprises:
    - validating, by the communication terminal, the authentication token (AUTN);
      
      generating, by the communication terminal, a root key (Kasme) according to the random number (RAND) and the authentication toke (AUTN); and
      
      generating, by the communication terminal, the current security context according to the generated root key (Kasme) and the algorithm in the information pertaining to the security context.
  - 8. The method of claim 5, wherein the obtaining, by the communication terminal, the current security context according to the information pertaining to the security context, comprises:
    - taking, by the communication terminal, the security context comprised in the information pertaining to the security context as the current security context.
  - 9. The method of claim 5, wherein the obtaining, by the communication terminal, the current security context according to the information pertaining to the security context, comprises:
    - obtaining, by the communication terminal, a Count value of the communication terminal and a random number (RAND) generated by the communication terminal, wherein the Count value of the communication terminal is number of times the communication terminal and the network side entity perform authentication;
      
      generating a new root key according to the random number (RAND) generated by the communication terminal, the Count value of the communication terminal and the root key (Kasme) comprised in the information pertaining to the security context; and
      
      generating the current security context according to the new root key and the algorithm comprised in the information pertaining to security context.

10. A communication terminal, which is applied to a machine type communication (MTC), comprising:
- a storing module, configured to store information pertaining to a security context if communication with the communication terminal is a small data transmission;
  
  a first obtaining module, configured to obtain a current security context according to the information pertaining to the security context; and
  
  a security protecting module, configured to protect security of communication data by employing the current security context, wherein the storing module further comprises;
  
  a determining module, configured to determine whether communication with the communication terminal is a small data transmission according to machine type communication (MTC) characteristic information, wherein the determining module is further configured to obtain its own MTC characteristic information according to configuration information, andwherein the first obtaining module further comprises;
  
  a receiving sub-module, configured to receive a detach request message or a detach accept message sent by a network side entity;
  
  a storing sub-module, configured to store a random number (RAND) and an authentication token (AUTN) in the detach request message or the detach accept message;
  
  a first generating sub-module, configured to validate the AUTN, and generate a root key (Kasme) according to the random number (RAND) and the authentication token (AUTN); and
  
  a third generating sub-module, configured to generate the current security context according to the generated root key (Kasme) and an algorithm in the information pertaining to the security context.
- View Dependent Claims (11, 12, 13)
- - 11. The communication terminal of claim 10, further comprising:
    - a second obtaining sub-module, configured to obtain a Count value of the communication terminal and a random number generated by the communication terminal, wherein the Count value of the communication terminal is the number of times the communication terminal and a network side entity perform authentication;
      
      (Kasme) comprised in the information pertaining to the security context; and
      
      a sending sub-module, configured to send the generated message authentication code (MAC) value to the network side entity.
  - 12. The communication terminal of claim 11, wherein the second obtaining sub-module is further configured to receive a Count value stored by the network side entity sent by a network side, and update the Count value of the communication terminal to the Count value stored by the network side entity if the Count value of the communication terminal is does not match the Count value stored by the network side entity.
  - 13. The communication terminal of claim 10, further comprising:
    - an a response value (RES) receiving module, configured to receive a response value (RES) sent by a network side entity;
      
      a response value (RES) generating module, configured to generate a response value (RES) according to a new root key generated by the third generating sub-module and the random number obtained by the second obtaining sub-module; and
      
      an a response value (RES) authenticating module, configured to check whether the generated response value (RES) matches the response value (RES) sent by the network side entity, and determine, if the generated RES matches the (RES) sent by the network side entity, then the communication terminal authenticates the network side entity successfully.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Xu, Yixian, Chen, Jing, Zhang, Lijia
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
CORUM JR, WILLIAM A

Application Number

US13/943,469
Publication Number

US 20130305386A1
Time in Patent Office

854 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/60   Protecting data

H04L 63/205   involving negotiation or de...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 4/70   Services for machine-to-mac...

Method for protecting security of data, network entity and communication terminal

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for protecting security of data, network entity and communication terminal

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links