Apparatus, method and system for creating and maintaining multicast data encryption key in machine to machine communication system

US 9,258,705 B2
Filed: 06/29/2012
Issued: 02/09/2016
Est. Priority Date: 07/01/2011
Status: Active Grant

First Claim

Patent Images

1. A method of operating a subscriber station, the method comprising:

performing a network entry procedure through a base station (BS);

receiving multicast service authentication information comprising a machine-to-machine (M2M) service group security seed from the BS during the network entry procedure;

generating a multicast data encryption key based on the multicast service authentication information; and

communicating data with the BS based on the multicast data encryption key,wherein the multicast data encryption key is determined by Equation below;

MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“

MGTEK”

,128)where,MGTEK;

multicast data encryption key,MAK;

M2M service authorization key,MGSS;

M2M service group security seed,Key_counter;

index of the currently used MGTEK,MGID;

multicast group identifier,“

MGTEK”

;

character string representing that it is multicast data encryption key, andDot16KDF;

algorithm of generating multicast data encryption key of 128 bits that inputs M2M service authorization key, M2M service group security seed, and multicast group identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless communication system includes a system and method for encryption of multicast data between a subscriber station and a base station that communicate a multicast service in a Machine-To-Machine (M2M) communication system. An M2M service controller manages the multicast service manages information for encrypting the multicast data and provides the information to the subscriber station and the base station.

21 Citations

View as Search Results

40 Claims

1. A method of operating a subscriber station, the method comprising:
- performing a network entry procedure through a base station (BS);
  
  receiving multicast service authentication information comprising a machine-to-machine (M2M) service group security seed from the BS during the network entry procedure;
  
  generating a multicast data encryption key based on the multicast service authentication information; and
  
  communicating data with the BS based on the multicast data encryption key,wherein the multicast data encryption key is determined by Equation below;
  
  MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“
  
  MGTEK”
  
  ,128)where,MGTEK;
  
  multicast data encryption key,MAK;
  
  M2M service authorization key,MGSS;
  
  M2M service group security seed,Key_counter;
  
  index of the currently used MGTEK,MGID;
  
  multicast group identifier,“
  
  MGTEK”
  
  ;
  
  character string representing that it is multicast data encryption key, andDot16KDF;
  
  algorithm of generating multicast data encryption key of 128 bits that inputs M2M service authorization key, M2M service group security seed, and multicast group identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the multicast service authentication information further comprises at least one of a multicast group IDentifier (ID), and an M2M service authorization key.
  - 3. The method of claim 1, wherein performing the network entry procedure through the BS comprises:
    - acquiring synchronization;
      
      performing a ranging procedure;
      
      performing a basic capability negotiation procedure;
      
      performing an authentication procedure; and
      
      performing a register procedure.
  - 4. The method of claim 3, further comprising, after performing the register procedure, performing a service flow creation procedure.
  - 5. The method of claim 1, wherein receiving the multicast service authentication information from the BS comprises:
    - transmitting a register request message to the BS; and
      
      receiving a register response message comprising the multicast service authentication information BS forwarded from a subscriber station register response message received by the BS from a system controller, wherein the BS transmits the system controller a subscriber station register request message informing that the subscriber station enters a network in response to receiving a register request message from the subscriber station.
  - 6. The method of claim 1, wherein receiving the multicast service authentication information from the BS comprises one of:
    - a first process of;
      
      receiving a service flow creation request message comprising the multicast service authentication information from the BS; and
      
      transmitting a service flow creation response message to the BS, anda second process of;
      
      transmitting a service flow creation request message to the BS; and
      
      receiving a service flow creation response message comprising the multicast service authentication information from the BS.
  - 7. The method of claim 1, further comprising:
    - determining if it is an idle mode interval;
      
      if it is the idle mode interval, receiving a paging message instructing a location register procedure;
      
      deter mining whether a new multicast service authentication information is received through a ranging message during the location register procedure; and
      
      if the new multicast service authentication information is received, re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key.
  - 8. The method of claim 1, further comprising:
    - determining if it is an idle mode interval;
      
      if it is the idle mode interval, receiving a paging message comprising information instructing multicast data encryption key updating;
      
      receiving new multicast service authentication information according to the information instructing the multicast data encryption key updating; and
      
      re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key.
  - 9. The method of claim 1, further comprising:
    - receiving new multicast service authentication information from the BS, through a service change request message or a message exchanged in an authentication procedure; and
      
      re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key,wherein the service change request message is unicasted or multicasted.

10. A method of operating a base station (BS) in a machine-to-machine (M2M) communication system, the method comprising:
- performing a network entry procedure of a subscriber station;
  
  obtaining a M2M service group security seed from a network entity, andtransmitting multicast service authentication information comprising the M2M service group security seed to the subscriber station during the network entry procedure;
  
  generating a multicast data encryption key based on the multicast service authentication information; and
  
  communicating data with the subscriber station based on the multicast data encryption key,wherein the multicast data encryption key is determined by Equation below;
  
  MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“
  
  MGTEK”
  
  ,128)where,MGTEK;
  
  multicast data encryption key,MAK;
  
  M2M service authorization key,MGSS;
  
  M2M service group security seed,Key_counter;
  
  index of the currently used MGTEK,MGID;
  
  multicast group identifier, “
  
  MGTEK”
  
  ;
  
  character string representing that it is multicast data encryption key, andDot16KDF;
  
  algorithm of generating multicast data encryption key of 128 bits that inputs M2M service authorization key, M2M service group security seed, and multicast group identifier.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the multicast service authentication information further comprises at least one of a multicast group identifier (ID), and an M2M service authorization key.
  - 12. The method of claim 10, wherein performing the network entry procedure of the subscriber station comprises:
    - acquiring synchronization;
      
      performing a ranging procedure;
      
      performing a basic capability negotiation procedure;
      
      performing an authentication procedure; and
      
      performing a register procedure.
  - 13. The method of claim 12, further comprising, after performing the register procedure, performing a service flow creation procedure.
  - 14. The method of claim 10, wherein, at network entry procedure execution, receiving the multicast service authentication information from a system controller, and forwarding the multicast service authentication information to the subscriber station comprises:
    - if receiving a register request message from the subscriber station, transmitting to the system controller a subscriber station register request message of informing that the subscriber station enters a network;
      
      receiving a subscriber station register response message comprising the multicast service authentication information from the system controller; and
      
      forwarding the multicast service authentication information received from the system controller, to the subscriber station through a register response message.
  - 15. The method of claim 10, wherein, at network entry procedure execution, receiving the multicast service authentication information from a system controller, and forwarding the multicast service authentication information to the subscriber station comprises:
    - receiving a subscriber station service flow creation request message comprising the multicast service authentication information from the system controller;
      
      forwarding the multicast service authentication information received from the system controller, to the subscriber station through a service flow creation request message; and
      
      receiving a service flow creation response message from the subscriber station.
  - 16. The method of claim 10, wherein, at network entry procedure execution, receiving the multicast service authentication information from a system controller, and forwarding the multicast service authentication information to the subscriber station comprises:
    - if receiving a service flow creation request message from the subscriber station, transmitting a subscriber station service flow creation request message to the system controller;
      
      receiving a subscriber station service flow creation response message comprising the multicast service authentication information from the system controller, and forwarding the multicast service authentication information to the subscriber station through a service flow creation response message; and
      
      after receiving a service flow creation check message from the subscriber station, transmitting a subscriber station service flow creation check message to the system controller.
  - 17. The method of claim 10, further comprising:
    - receiving new multicast service authentication information from a system controller;
      
      forwarding the new multicast service authentication information to the subscriber station through a service change request message or a message exchanged in an authentication procedure; and
      
      re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key,wherein the service change request message is unicasted or multicasted.
  - 18. The method of claim 10, further comprising:
    - determining if it is an idle mode interval;
      
      if it is the idle mode interval, transmitting a paging message of instructing a location register procedure to the subscriber station;
      
      transmitting new multicast service authentication information to the subscriber station through a ranging message during the location register procedure; and
      
      re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key.
  - 19. The method of claim 10, further comprising:
    - determining if it is an idle mode interval;
      
      if it is the idle mode interval, transmitting a paging message comprising information instructing multicast data encryption key updating;
      
      transmitting new multicast service authentication information according to the information instructing the multicast data encryption key updating; and
      
      re-generating a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key.

20. A method of a base station (BS) in a machine-to-machine (M2M) communication system, the method comprising:
- determining whether a replay attack preventive counter has expired;
  
  if the replay attack preventive counter expires, determining if a key counter for generating a multicast data encryption key has expired;
  
  if the key counter expires, transmitting a request for multicast service authentication information to a group service controller; and
  
  generating the multicast data encryption key based on the multicast service authentication information, and forwarding the multicast service authentication information to a subscriber station.
- View Dependent Claims (21)
- - 21. The method of claim 20, wherein the multicast data encryption key is determined by Equation below:
    - MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“
      
      MGTEK”
      
      ,128)where,MGTEK;
      
      multicast data encryption key,MAK;
      
      M2M service authorization key,MGSS;
      
      M2M service group security seed,Key_counter;
      
      key counter value,MGID;
      
      multicast group identifier,“
      
      MGTEK”
      
      ;
      
      character string representing that it is multicast data encryption key, andDot16KDF;
      
      algorithm of generating multicast data encryption key of 128 bits that inputs MAK, MGSS, Key_counter, and MGID.

22. A method of a subscriber station, the method comprising:
- determining whether a replay attack preventive counter has expired;
  
  if the replay attack preventive counter expires, determining if a key counter for generating a multicast data encryption key has expired;
  
  if the key counter expires, receiving multicast service authentication information from a base station (BS); and
  
  generating the multicast data encryption key based on the multicast service authentication information, and storing the multicast data encryption key.
- View Dependent Claims (23)
- - 23. The method of claim 22, wherein the multicast data encryption key is determined by Equation below:
    - MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“
      
      MGTEK”
      
      ,128)where,MGTEK;
      
      multicast data encryption key,MAK;
      
      M2M service authorization key,MGSS;
      
      M2M service group security seed,Key_counter;
      
      key counter value,MGID;
      
      multicast group identifier,“
      
      MGTEK”
      
      ;
      
      character string representing that it is multicast data encryption key, andDot16KDF;
      
      algorithm of generating multicast data encryption key of 128 bits that inputs MAK, MGSS, Key_counter, and MGID.

24. A subscriber station comprising:
- a transceiver configured to receive a multicast service authentication information comprising a machine-to-machine (M2M) service group security seed from a base station (BS) during a network entry procedure; and
  
  a controller configured to generate a multicast data encryption key based on the multicast service authentication information, and communicate data with the BS based on the multicast data encryption key, wherein the multicast data encryption key is determined using Equation below;
  
  MGTEK=Dot16KDF(MAK,MGSS|Key counter MGID|“
  
  MGTEK”
  
  ,128) where,MGTEK;
  
  multicast data encryption key, MAK;
  
  M2M service authorization key, MGSS;
  
  M2M service group security seed, MGID;
  
  multicast group identifier, Key counter;
  
  index of the currently used MGTEK, “
  
  MGTEK”
  
  ;
  
  character string representing that it is multicast data encryption key, and Dot16KDF;
  
  algorithm of generating multicast data encryption key of 128 bits that inputs M2M service authorization key, M2M service group security seed, and multicast group identifier.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The subscriber station of claim 24, wherein the multicast service authentication information further comprises at least one of a multicast group identifier (ID), and an M2M service authorization key.
  - 26. The subscriber station of claim 24, wherein the transceiver is configured to:
    - transmit a register request message to the BS, andreceive a register response message comprising the multicast service authentication information from the BS.
  - 27. The subscriber station of claim 24, wherein the transceiver is configured to:
    - receive a service flow creation request message comprising the multicast service authentication information from the BS, and transmit a service flow creation response message to the BS, ortransmit a service flow creation request message to the BS, and receive a service flow creation response message comprising the multicast service authentication information from the BS.
  - 28. The subscriber station of claim 24, wherein the controller is configured to:
    - determine if it is an idle mode interval,if it is the idle mode interval, receive, via the transceiver, a paging message instructing a location register procedure,determine whether new multicast service authentication information is received through a ranging message during the location register procedure,if the new multicast service authentication information is received, re-generate a multicast data encryption key based on the new multicast service authentication information, andstore the multicast data encryption key.
  - 29. The subscriber station of claim 24, wherein the controller is configured to:
    - determine if it is an idle mode interval,if it is the idle mode interval, receive, via the transceiver, a paging message comprising information instructing multicast data encryption key updating,receive, via the transceiver, new multicast service authentication information according to the information instructing the multicast data encryption key updating,re-generate a multicast data encryption key based on the new multicast service authentication information, andstore the multicast data encryption key.
  - 30. The subscriber station of claim 24, wherein the controller is configured to:
    - receive, via the transceiver, new multicast service authentication information from the BS, through a service change request message or a message exchanged in an authentication procedure,re-generate a multicast data encryption key based on the new multicast service authentication information, andstore the multicast data encryption key,wherein the service change request message is unicasted or multicasted.
  - 31. The subscriber station of claim 24, wherein the controller is configured to:
    - transmit a register request message to the BS; and
      
      receive a register response message comprising the multicast service authentication information BS forwarded from a subscriber station register response message received by the BS from a system controller, wherein the BS transmits the system controller a subscriber station register request message informing that the subscriber station enters a network in response to receiving a register request message from the subscriber station.

32. A base station (BS) in a machine-to-machine (M2M) communication system, the base station comprising:
- a transceiver; and
  
  a controller configured to;
  
  perform a network entry procedure of a subscriber station;
  
  obtain a M2M service group security seed from a network entity;
  
  control to transmit multicast service authentication information comprising the M2M service group security seed to a subscriber station during the network entry procedure,generate a multicast data encryption key based on the multicast service authentication information, andcommunicate, via the transceiver, data with the subscriber station based on the multicast data encryption key, wherein the multicast data encryption key is determined using Equation below;
  
  MGTEK=Dot16KDF(MAK,MGSS|Key_counter|MGID|“
  
  MGTEK”
  
  ,128)where,MGTEK;
  
  multicast data encryption key,MAK;
  
  M2M service authorization key,MGSS;
  
  M2M service group security seed,MGM;
  
  multicast group identifier,Key_counter;
  
  index of the currently used MGTEK,“
  
  MGTEK”
  
  ;
  
  character string representing that it is multicast data encryption key, andDot16KDF;
  
  algorithm of generating multicast data encryption key of 128 bits that inputs M2M service authorization key, M2M service group security seed, and multicast group identifier.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The base station of claim 32, wherein the multicast service authentication information further comprises at least one of a multicast group identifier (ID), and an M2M service authorization key.
  - 34. The base station of claim 32, wherein the transceiver is configured to:
    - if receiving a register request message from the subscriber station, transmit a system controller a subscriber station register request message of informing that the subscriber station enters a network;
      
      receive a subscriber station register response message comprising the multicast service authentication information from the system controller; and
      
      forward the multicast service authentication information received from the system controller, to the subscriber station through a register response message.
  - 35. The base station of claim 32, wherein the transceiver configured to:
    - receive subscriber station service flow creation request message comprising the multicast service authentication information from a system controller;
      
      forward the multicast service authentication information received from the system controller, to the subscriber station through a service flow creation request message; and
      
      receive a service flow creation response message from the subscriber station.
  - 36. The base station of claim 32, wherein the transceiver is configured to:
    - if receiving a service flow creation request message from the subscriber station, transmit a subscriber station service flow creation request message to a system controller;
      
      receive a subscriber station service flow creation response message comprising the multicast service authentication information from the system controller, and forwarding the multicast service authentication information to the subscriber station through a service flow creation response message; and
      
      after receiving a service flow creation check message from the subscriber station, transmit a subscriber station service flow creation check message to the system controller.
  - 37. The base station of claim 32, wherein the controller configured to:
    - receive, via the transceiver, new multicast service authentication information from a system controller;
      
      forward, via the transceiver, the new multicast service authentication information to the subscriber station through a service change request message or a message exchanged in an authentication procedure; and
      
      re-generate a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key,wherein the service change request message is unicasted or multicasted.
  - 38. The base station of claim 32, wherein the controller configured to:
    - determine if it is an idle mode interval;
      
      if it is the idle mode interval, transmit, via the transceiver, a paging message of instructing a location register procedure to the subscriber station;
      
      transmit, via the transceiver, the new multicast service authentication information to the subscriber station through a ranging message during the location register procedure; and
      
      re-generate a multicast data encryption key based on a new multicast service authentication information, and storing the multicast data encryption key.
  - 39. The base station of claim 32, wherein the controller configured to:
    - determine if it is an idle mode interval;
      
      if it is the idle mode interval, transmit, via the transceiver, a paging message comprising information instructing multicast data encryption key updating;
      
      transmit, via the transceiver, new multicast service authentication information according to the information instructing the multicast data encryption key updating; and
      
      re-generate a multicast data encryption key based on the new multicast service authentication information, and storing the multicast data encryption key.

40. A subscriber station, the subscriber station comprising:
- a transceiver; and
  
  a controller configured to determine whether a replay attack preventive counter has expired;
  
  if the replay attack preventive counter expires, determine if a key counter for generating a multicast data encryption key has expired;
  
  if the key counter expires, receive, via the transceiver, multicast service authentication information from a network node; and
  
  generate the multicast data encryption key based on the multicast service authentication information, and store the multicast data encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Kang, Hyun-Jeong, Baek, Young-Kyo, Taori, Rakesh
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
Alata, Ayoub

Application Number

US13/539,015
Publication Number

US 20130003972A1
Time in Patent Office

1,320 Days
Field of Search

380/270, 726/4
US Class Current

1/1
CPC Class Codes

H04L 12/1895   for short real-time informa...

H04L 63/065   for group communications cr...

H04L 9/0833   involving conference or gro...

H04L 9/0869   involving random numbers or...

H04W 12/02   Protecting privacy or anony...

H04W 12/03   Protecting confidentiality,...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0433   Key management protocols

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 12/082   using revocation of authori...

H04W 4/06   Selective distribution of b...

H04W 4/08   User group management

H04W 4/70   Services for machine-to-mac...

H04W 60/04   using triggered events

Apparatus, method and system for creating and maintaining multicast data encryption key in machine to machine communication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method and system for creating and maintaining multicast data encryption key in machine to machine communication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links