公开(公告)号：US20110206206A1

公开(公告)日：2011-08-25

申请号：US13063997

申请日：2009-03-13

申请人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

发明人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L9/08

CPC分类号： H04L63/0869 ,  H04L9/0819 ,  H04L9/083 ,  H04L9/3213 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08

摘要： A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

摘要翻译： 一种用于通信网络中密钥管理的方法和装置。 密钥管理服务器（KMS）从第一设备接收与用户身份相关联的令牌的请求，所述用户身份与第二设备相关联。 然后，KMS将所请求的令牌和与用户相关联的用户密钥发送到第一设备。 KMS随后从第二个设备接收令牌。 使用用户密钥和与第二设备相关联的修改参数来生成第二设备密钥。 修改参数可用于第一设备用于生成第二设备密钥。 然后，第二个设备密钥从KMS发送到第二个设备。 第二设备密钥可以由第二设备用于向第一设备或第一设备认证自身以确保与第二设备的通信。

公开(公告)号：US08837737B2

公开(公告)日：2014-09-16

申请号：US13063997

申请日：2009-03-13

申请人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

发明人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L9/08 ,  H04L29/06 ,  H04L9/32

CPC分类号： H04L63/0869 ,  H04L9/0819 ,  H04L9/083 ,  H04L9/3213 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08

摘要： A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

摘要翻译： 一种用于通信网络中密钥管理的方法和装置。 密钥管理服务器（KMS）从第一设备接收与用户身份相关联的令牌的请求，所述用户身份与第二设备相关联。 然后，KMS将所请求的令牌和与用户相关联的用户密钥发送到第一设备。 KMS随后从第二个设备接收令牌。 使用用户密钥和与第二设备相关联的修改参数来生成第二设备密钥。 修改参数可用于第一设备用于生成第二设备密钥。 然后，第二个设备密钥从KMS发送到第二个设备。 第二设备密钥可以由第二设备用于向第一设备或第一设备认证自身以确保与第二设备的通信。

公开(公告)号：US07987366B2

公开(公告)日：2011-07-26

申请号：US10597864

申请日：2004-02-11

申请人： Rolf Blom ,  Mats Naslund ,  Elisabetta Carrara ,  Fredrik Lindholm ,  Karl Norrman

发明人： Rolf Blom ,  Mats Naslund ,  Elisabetta Carrara ,  Fredrik Lindholm ,  Karl Norrman

IPC分类号： H04L9/32 ,  H04L9/30 ,  H04L9/08

CPC分类号： H04L9/0844 ,  H04L9/0891 ,  H04L2209/80

摘要： The invention provides an establishment of a secret session key shared Between two network elements (NEa, NEb) belonging to different network domains (NDa, NDb). A first network element (NEa) of a first network domain (NDa) requests security parameters from an associated key management center (KMC) (AAAa). Upon reception of the request, the KMC (AAAa) generates a freshness token (FRESH) and calculates the session key (K) based on this token (FRESH) and a master key (KAB) shared with a second network domain (NDb). The security parameters are (securely) provided to the network element (NEa), which extracts the session key (K) and forwards the freshness token (FRESH) to the KMC (AAAb) of the second domain (NDb) through a second network element (NEb). Based on the token (FRESH) and the shared master key (KAB), the KMC (AAAb) generates a copy of the session key (K), which is (securely) provided to the second network element (NEb). The two network elements (NEa, NEb) now have shares the session key (K), enabling them to securely communicate with each other.

摘要翻译： 本发明提供了属于不同网络域（NDa，NDb）的两个网元（NEa，NEb）之间共享的秘密会话密钥的建立。 第一网络域（NDa）的第一网元（NEa）从相关联的密钥管理中心（AAAa）请求安全参数。 在接收到请求时，KMC（AAAa）生成新鲜令牌（FRESH），并且基于该令牌（FRESH）和与第二网络域（NDb）共享的主密钥（KAB）来计算会话密钥（K）。 安全参数（安全地）被提供给提取会话密钥（K）的网元（NEa），并通过第二网络元件将新鲜度令牌（FRESH）转发到第二域（NDb）的KMC（AAAb） （鼻）。 基于令牌（FRESH）和共享主密钥（KAB），KMC（AAAb）生成（安全地）提供给第二网元（NEb）的会话密钥（K）的副本。 两个网元（NEa，NEb）现在已经共享了会话密钥（K），使得它们能够彼此安全地通信。

公开(公告)号：US20120198527A1

公开(公告)日：2012-08-02

申请号：US13254013

申请日：2009-03-04

申请人： Mats Näslund ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Karl Norrman

发明人： Mats Näslund ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Karl Norrman

IPC分类号： G06F21/20

CPC分类号： H04L63/06 ,  H04L9/0844 ,  H04L2209/80 ,  H04W12/04

摘要： A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node. If a signalling plane key has not already been established, then an alternative media plane key is derived from said session key and sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

摘要翻译： 一种建立用于经由相应的第一和第二媒体平面网络节点至少部分地保护在第一和第二终端用户之间交换的媒体平面数据的密钥的方法。 该方法包括从所述第一端点向所述第二端点发送会话建立信令，所述会话建立信令包括由所述第一端点产生的会话密钥。 建立信令在第一信令平面网络节点被拦截，并且确定信令平面密钥是否已被建立用于在所述第一终端和所述第一信令平面网络节点之间保护信令平面。 如果已经建立了信令平面密钥，则从该信令平面密钥导出媒体平面密钥，并且将媒体平面密钥发送到所述第一媒体平面网络节点，以将介质平面固定在所述第一终端用户和所述第一媒体之间 平面网络节点。 如果还没有建立信令平面密钥，则从所述会话密钥导出替代媒体平面密钥，并将其发送到所述第一媒体平面网络节点，以便在所述第一终端用户和所述第一媒体平面网络节点之间保护媒体平面。

公开(公告)号：US08539564B2

公开(公告)日：2013-09-17

申请号：US13254013

申请日：2009-03-04

申请人： Mats Näslund ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Karl Norrman

发明人： Mats Näslund ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Karl Norrman

IPC分类号： G06F7/04

CPC分类号： H04L63/06 ,  H04L9/0844 ,  H04L2209/80 ,  H04W12/04

摘要： A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node. If a signalling plane key has not already been established, then an alternative media plane key is derived from said session key and sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

摘要翻译： 一种建立用于经由相应的第一和第二媒体平面网络节点至少部分地保护在第一和第二终端用户之间交换的媒体平面数据的密钥的方法。 该方法包括从所述第一端点向所述第二端点发送会话建立信令，所述会话建立信令包括由所述第一端点产生的会话密钥。 建立信令在第一信令平面网络节点被拦截，并且确定信令平面密钥是否已被建立用于在所述第一终端和所述第一信令平面网络节点之间保护信令平面。 如果已经建立了信令平面密钥，则从该信令平面密钥导出媒体平面密钥，并且将媒体平面密钥发送到所述第一媒体平面网络节点，以将介质平面固定在所述第一终端用户和所述第一媒体之间 平面网络节点。 如果还没有建立信令平面密钥，则从所述会话密钥导出替代媒体平面密钥，并将其发送到所述第一媒体平面网络节点，以便在所述第一终端用户和所述第一媒体平面网络节点之间保护媒体平面。

公开(公告)号：US08966105B2

公开(公告)日：2015-02-24

申请号：US12999178

申请日：2009-02-20

申请人： Rolf Blom ,  Yi Cheng ,  John Mattsson ,  Mats Nåslund ,  Karl Norrman

发明人： Rolf Blom ,  Yi Cheng ,  John Mattsson ,  Mats Nåslund ,  Karl Norrman

IPC分类号： G06F15/16 ,  H04L29/06

CPC分类号： H04L65/605 ,  H04L63/0428 ,  H04L65/608

摘要： A method and apparatus for sending a first secured media stream having a payload via an intermediate node. The intermediate node receives from a sender the first secured media stream. An end-to-end context identifier and a hop-by-hop context identifier are determined for the first secured media stream, where the hop-by-hop context identifier relates to the intermediate node and the end-to-end identifier relates to the sender. A second secured media stream is generated, which includes at least the payload of the first secured media stream and the context identifiers to identify the first secured media stream. The second secured media stream is sent to a receiving node, and the context identifiers are also sent to the receiving node. The context identifiers are usable by the receiving node to recover the first secured media stream.

摘要翻译： 一种用于经由中间节点发送具有有效载荷的第一安全媒体流的方法和装置。 中间节点从发送器接收第一安全媒体流。 针对第一安全媒体流确定端到端上下文标识符和逐跳上下文标识符，其中逐跳上下文标识符与中间节点相关，并且端到端标识符与 发件人。 生成第二安全媒体流，其包括至少第一安全媒体流的有效载荷和上下文标识符以识别第一安全媒体流。 第二安全媒体流被发送到接收节点，并且上下文标识符也被发送到接收节点。 上下文标识符可由接收节点使用以恢复第一安全媒体流。

公开(公告)号：US20110093609A1

公开(公告)日：2011-04-21

申请号：US12999178

申请日：2009-02-20

申请人： Rolf Blom ,  Yi Cheng ,  John Mattsson ,  Mats Näslund ,  Karl Norrman

发明人： Rolf Blom ,  Yi Cheng ,  John Mattsson ,  Mats Näslund ,  Karl Norrman

IPC分类号： G06F15/16

CPC分类号： H04L65/605 ,  H04L63/0428 ,  H04L65/608

摘要： A method and apparatus for sending a first secured media stream having a payload via an intermediate node. The intermediate node receives from a sender the first secured media stream. An end-to-end context identifier and a hop-by-hop context identifier are determined for the first secured media stream, where the hop-by-hop context identifier relates to the intermediate node and the end-to-end identifier relates to the sender. A second secured media stream is generated, which includes at least the payload of the first secured media stream and the context identifiers to identify the first secured media stream. The second secured media stream is sent to a receiving node, and the context identifiers are also sent to the receiving node. The context identifiers are usable by the receiving node to recover the first secured media stream.

摘要翻译： 一种用于经由中间节点发送具有有效载荷的第一安全媒体流的方法和装置。 中间节点从发送器接收第一安全媒体流。 针对第一安全媒体流确定端到端上下文标识符和逐跳上下文标识符，其中逐跳上下文标识符与中间节点相关，并且端到端标识符与 发件人。 生成第二安全媒体流，其包括至少第一安全媒体流的有效载荷和上下文标识符以识别第一安全媒体流。 第二安全媒体流被发送到接收节点，并且上下文标识符也被发送到接收节点。 上下文标识符可由接收节点使用以恢复第一安全媒体流。

公开(公告)号：US08094817B2

公开(公告)日：2012-01-10

申请号：US11857621

申请日：2007-09-19

申请人： Rolf Blom ,  Karl Norrman ,  Mats Naslund

发明人： Rolf Blom ,  Karl Norrman ,  Mats Naslund

IPC分类号： H04L9/00

CPC分类号： H04L9/321 ,  H04L63/062 ,  H04L63/08 ,  H04L2209/80 ,  H04L2463/061 ,  H04W12/04 ,  H04W12/06 ,  H04W36/0038

摘要： An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity (TCE) creates a master key (Mk), which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between two nodes that hold the key in the respective access networks when a User Equipment (UE) terminal changes access. The transformation of the Mk is performed via a one-way function, and has the effect that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and type of UE/identity module with which the transformed key is to be utilized. The Mk is never used directly, but is only used to derive the keys that are directly used to protect the access link.

摘要翻译： 一种认证服务器，以及用于管理跨越用户终端，接入网络和核心网络的不同组合的加密密钥的系统和方法。 转换编码器实体（TCE）创建主密钥（Mk），用于在认证过程期间导出密钥。 在不同访问类型之间的切换期间，当用户设备（UE）终端改变访问时，Mk或经变换的Mk在保持密钥的两个节点之间传递。 通过单向函数执行Mk的转换，并且具有以下效果：如果Mk以某种方式受损，则不可能自动获得对先前使用的主密钥的访问。 基于认证者节点的类型和使用变换密钥的UE /身份模块的类型进行转换。 Mk从不直接使用，但仅用于派生直接用于保护访问链接的密钥。

公开(公告)号：US20110256850A1

公开(公告)日：2011-10-20

申请号：US13140818

申请日：2008-12-19

申请人： Göran Selander ,  Jari Vikberg ,  Karl Norrman ,  Rolf Blom ,  Mats Naslund

发明人： Göran Selander ,  Jari Vikberg ,  Karl Norrman ,  Rolf Blom ,  Mats Naslund

IPC分类号： H04W12/06

CPC分类号： H04W12/08 ,  H04L63/101 ,  H04W84/045

摘要： Methods, apparatus, and computer program products for creating an association between a first user equipment and at least one access point assisted by a registration server in a telecommunication network are disclosed. The registration server responds to a first contact request carried out using a first association number for the access point, provided by the first user equipment, receives a first association request for the association with the access point, provided by the first user equipment, authorizes the first association request based on a first authorization information provided by the first user equipment; registers the association between the first user equipment and the access point responsive to authorization of the first association request. The first user equipment is associated with the access point and the association is administered by the registration server.

摘要翻译： 公开了用于在第一用户设备和由电信网络中的注册服务器辅助的至少一个接入点之间建立关联的方法，设备和计算机程序产品。 注册服务器响应由第一用户设备提供的接入点的第一关联号码执行的第一联系请求，接收由第一用户设备提供的与接入点的关联的第一关联请求，授权 基于由第一用户设备提供的第一授权信息的第一关联请求; 响应于第一关联请求的授权，注册第一用户设备和接入点之间的关联。 第一用户设备与接入点相关联，该关联由注册服务器管理。

公开(公告)号：US20110035787A1

公开(公告)日：2011-02-10

申请号：US12937008

申请日：2008-11-05

申请人： Mats Naslund ,  Jari Arkko ,  Rolf Blom ,  Vesa Lehtovirta ,  Karl Norrman ,  Stefan Rommer ,  Bengt Sahlin

发明人： Mats Naslund ,  Jari Arkko ,  Rolf Blom ,  Vesa Lehtovirta ,  Karl Norrman ,  Stefan Rommer ,  Bengt Sahlin

IPC分类号： G06F21/00 ,  G06F15/177

CPC分类号： H04W12/06 ,  G06F21/30 ,  H04L63/0272 ,  H04L63/08 ,  H04L63/0892 ,  H04L63/1433 ,  H04L63/162 ,  H04L63/164 ,  H04L63/20 ,  H04W60/00 ,  H04W72/0493

摘要： When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication or at least one network properly relating to a first network, e.g. the current access network (3, 3′), is sent to the UE from a node (13) in a sue and network such as the home network (5) of the subscriber ask UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3′) is trusted or not.

摘要翻译： 当从用户设备UE（1）建立通信时，例如用于为UE提供IP接入，以便允许其使用与第一网络正确相关的至少一个网络的一些服务，信息或指示，例如， 当前接入网络（3,3'）从诸如用户询问UE的归属网络（5）的第二网络中的节点（13）发送到UE。 可以在认证过程的第一阶段中发送信息或指示，这是作为来自UE的连接的建立的一部分。 特别地，网络属性可以指示接入网络（3,3'）是否被信任。