Key exchange method and apparatus

US 11,025,414 B2
Filed: 06/17/2019
Issued: 06/01/2021
Est. Priority Date: 03/05/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a non-transitory memory storage comprising instructions; and

one or more processors in communication with the memory storage, wherein the one or more processors are configured to execute the instructions to;

acquire a second key, wherein the second key is shared by a network device and a first user equipment, and a device to device (D2D) link is established between the first user equipment and a second user equipment; and

generate, according to the second key and a first parameter, a first key using a key derivation function; and

a transmitter, configured to send a first message comprising the first key to the second user equipment and the first parameter to the first user equipment; and

wherein communication information transmitted on the D2D link is protected based on the first key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention disclose a key exchange method and apparatus. A network device acquires a first key, and sends a message including the first key to a second user equipment, so that the second user equipment uses, when communicating with a first user equipment by using a D2D link, the first key to protect transmitted information.

6 Citations

17 Claims

1. An apparatus, comprising:
- a non-transitory memory storage comprising instructions; and
  
  one or more processors in communication with the memory storage, wherein the one or more processors are configured to execute the instructions to;
  
  acquire a second key, wherein the second key is shared by a network device and a first user equipment, and a device to device (D2D) link is established between the first user equipment and a second user equipment; and
  
  generate, according to the second key and a first parameter, a first key using a key derivation function; and
  
  a transmitter, configured to send a first message comprising the first key to the second user equipment and the first parameter to the first user equipment; and
  
  wherein communication information transmitted on the D2D link is protected based on the first key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus according to claim 1, wherein the first parameter comprises a random number generated by the network device.
  - 3. The apparatus according to claim 1, wherein the first key is a random key.
  - 4. The apparatus according to claim 1, wherein the transmitter is configured to send the first message comprising the first key to the first user equipment using an encrypted connection between the apparatus and the first user equipment.
  - 5. The apparatus according to claim 1, wherein the one or more processors are configured to further execute the instructions to:
    - before the transmitter sends the first message comprising the first key to the second user equipment, acquire a third key, wherein the third key is a shared key between the apparatus and the second user equipment;
      
      generate a fourth key according to the third key; and
      
      encrypt the first key using the fourth key; and
      
      wherein the transmitter being configured to send the first message comprising the first key to the second user equipment comprises the transmitter being configured to;
      
      send the first message comprising an encrypted first key to the second user equipment.
  - 6. The apparatus according to claim 1, wherein the transmitter is configured to send the first message comprising the first key to the second user equipment using an encrypted connection between the apparatus and the second user equipment.
  - 7. The apparatus according to claim 1, wherein:
    - the one or more processors are configured to further execute the instructions to;
      
      determine, according to a pre-stored cryptographic algorithm list, a security capability of the first user equipment, and a security capability of the second user equipment, a cryptographic algorithm that is applicable to the first user equipment and the second user equipment and whose priority ranks first in the cryptographic algorithm list;
      
      the transmitter is further configured to send the cryptographic algorithm to the first user equipment and the second user equipment;
      
      the security capability of the first user equipment indicates a cryptographic algorithm applicable to the first user equipment;
      
      the security capability of the second user equipment indicates a cryptographic algorithm applicable to the second user equipment;
      
      the cryptographic algorithm comprises at least one of an encryption algorithm or an integrity protection algorithm;
      
      the encryption algorithm is used to encrypt data transmitted on the D2D link; and
      
      the integrity protection algorithm is used to perform integrity protection on information transmitted on the D2D link.
  - 8. The apparatus according to claim 1, wherein the apparatus is the network device or the apparatus is comprised in the network device.

9. An apparatus, comprising:
- a non-transitory memory storage comprising instructions; and
  
  one or more processors in communication with the memory storage, wherein the one or more processors are configured to execute the instructions to;
  
  acquire a second key, wherein the second key is shared by a network device and the apparatus, and wherein a device to device (D2D) link is established between the apparatus and a user equipment;
  
  generate, according to the second key and a first parameter, a first key using a key derivation function, wherein the first parameter comprises a random number randomly selected by the network device; and
  
  protect communication information transmitted on the D2D link based on the first key.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus according to claim 9, further comprising:
    - a receiver, configured to receive an encryption algorithm identifier;
      
      wherein the one or more processors are configured to further execute the instructions to;
      
      generate an encryption key according to the first key and the encryption algorithm identifier; and
      
      wherein the one or more processors being configured to execute the instructions to protect the communication information transmitted on the D2D link based on the first key, comprises the one or more processors being configured to execute the instructions to;
      
      encrypt, based on the encryption key and an encryption algorithm corresponding to the encryption algorithm identifier, the communication information transmitted on the D2D link.
  - 11. The apparatus according to claim 9, further comprising:
    - a receiver, configured to receive an integrity protection algorithm identifier from the network device; and
      
      wherein the one or more processors are configured to further execute the instructions to;
      
      after the first key is generated, generate an integrity protection key according to the first key and the integrity protection algorithm identifier; and
      
      wherein the one or more processors being configured to execute the instructions to protect the communication information transmitted on the D2D link based on the first key comprises the one or more processors being configured to execute the instructions to;
      
      protect the communication information by performing, based on the integrity protection key and an integrity protection algorithm corresponding to the integrity protection algorithm identifier, integrity protection on the communication information transmitted on the D2D link.
  - 12. The apparatus according to claim 9, further comprising:
    - a receiver, configured to receive an encryption algorithm identifier and an integrity protection algorithm identifier from the network device; and
      
      wherein the one or more processors are further configured to execute the instructions to;
      
      after the first key is generated, generate an encryption key according to the first key and the encryption algorithm identifier, and generate an integrity protection key according to the first key and the integrity protection algorithm identifier; and
      
      wherein the one or more processors being configured to execute the instructions to protect the communication information transmitted on the D2D link based on the first key comprises the one or more processors being configured to execute the instructions to;
      
      encrypt, based on the encryption key and an encryption algorithm corresponding to the encryption algorithm identifier, the communication information transmitted on the D2D link; and
      
      perform, based on the integrity protection key and an integrity protection algorithm corresponding to the integrity protection algorithm identifier, integrity protection on the communication information transmitted on the D2D link.

13. A method, comprising:
- acquiring, by a first user equipment, a second key, wherein the second key is shared by a network device and the first user equipment, and wherein a device to device (D2D) link is established between the first user equipment and a second user equipment;
  
  receiving, by the first user equipment, a first parameter, wherein the first parameter comprises a random number randomly selected by the network device;
  
  generating, by the first user equipment according to the second key and the first parameter, a first key using a key derivation function; and
  
  protecting, by the first user equipment, communication information transmitted on the D2D link based on the first key.
- View Dependent Claims (14, 15, 16)
- - 14. The method according to claim 13, wherein the method further comprises:
    - receiving, by the first user equipment, an encryption algorithm identifier; and
      
      generating, by the first user equipment, an encryption key according to the first key and the encryption algorithm identifier;
      
      wherein protecting, by the first user equipment, the communication information based on the first key comprises;
      
      encrypting, by the first user equipment based on the encryption key and an encryption algorithm corresponding to the encryption algorithm identifier, the communication information transmitted on the D2D link.
  - 15. The method according to claim 13, wherein, after generating, by the first user equipment, the first key, the method further comprises:
    - receiving, by the first user equipment, an integrity protection algorithm identifier from the network device; and
      
      generating, by the first user equipment, an integrity protection key according to the first key and the integrity protection algorithm identifier;
      
      wherein the protecting, by the first user equipment, the communication information based on the first key comprises;
      
      performing, by the first user equipment based on the integrity protection key and an integrity protection algorithm corresponding to the integrity protection algorithm identifier, integrity protection on the communication information transmitted on the D2D link.
  - 16. The method according to claim 13, wherein, after generating, by the first user equipment, the first key, the method further comprises:
    - receiving, by the first user equipment, an encryption algorithm identifier and an integrity protection algorithm identifier from the network device;
      
      generating, by the first user equipment, an encryption key according to the first key and the encryption algorithm identifier; and
      
      generating, by the first user equipment, an integrity protection key according to the first key and the integrity protection algorithm identifier;
      
      wherein protecting, by the first user equipment, the communication information based on the first key comprises;
      
      encrypting, by the first user equipment based on the encryption key and an encryption algorithm corresponding to the encryption algorithm identifier, the communication information transmitted on the D2D link; and
      
      performing, by the first user equipment based on the integrity protection key and an integrity protection algorithm corresponding to the integrity protection algorithm identifier, integrity protection on the communication information transmitted on the D2D link.

17. A communication system, comprising:
- a network device; and
  
  a first user equipment;
  
  wherein a device to device (D2D) link is established between the first user equipment comprised in the communication system and a second user equipment comprised in the communication system;
  
  wherein the network device comprises;
  
  a first processor, configured to;
  
  acquire a second key, wherein the second key is shared by a network device and the first user equipment; and
  
  generate, according to the second key and a first parameter, a first key using a key derivation function, wherein the first parameter comprises a random number randomly selected by the network device; and
  
  a first transmitter, configured to send a first message comprising the first key to the second user equipment and the first parameter to the first user equipment; and
  
  wherein the first user equipment comprises;
  
  a second processor, configured to;
  
  acquire the second key;
  
  generate, according to the second key and the first parameter, the first key using the key derivation function; and
  
  protect communication information transmitted on the D2D link based on the first key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Dongmei, Chen, Jing
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US16/443,723
Publication Number

US 20190306706A1
Time in Patent Office

715 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/205   involving negotiation or de...

H04L 9/0819   Key transport or distributi...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 76/14   Direct-mode setup

Key exchange method and apparatus

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Key exchange method and apparatus

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links