公开(公告)号：US10028136B2

公开(公告)日：2018-07-17

申请号：US15143095

申请日：2016-04-29

Applicant: Huawei Technologies Co., Ltd.

Inventor： Bo Zhang ,  Chengdong He ,  Lu Gan

IPC: H04L29/06 ,  H04W12/04 ,  H04L9/08 ,  H04W76/14

CPC classification number: H04W12/04 ,  H04L9/0816 ,  H04L63/205 ,  H04W76/14

Abstract: A negotiation processing method for a security algorithm, a control network element, and a control system where the negotiation processing method for a security algorithm includes selecting, by a control network element according to a security capability of first user equipment (UE) and a security capability of second UE, a security algorithm supported by both the first UE and the second UE, and notifying, by the control network element, the selected security algorithm to the first UE and the second UE, and hence, negotiation of a security algorithm between two UEs in proximity communication can be implemented under the control of a control network element.

公开(公告)号：US11825303B2

公开(公告)日：2023-11-21

申请号：US17867511

申请日：2022-07-18

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Chengdong He ,  Hua Li

IPC: H04L9/08 ,  H04L9/30 ,  H04W12/0433 ,  H04W12/08 ,  H04W60/00 ,  H04W12/037 ,  H04W12/40 ,  H04W84/04

CPC classification number: H04W12/0433 ,  H04L9/085 ,  H04L9/30 ,  H04W12/037 ,  H04W12/08 ,  H04W12/40 ,  H04W60/00 ,  H04W84/042

Abstract: A method and an apparatus for performing verification using a shared key are disclosed. The method includes: receiving, by a first network element, a registration request message from a second network element, where the registration request message includes a user identifier, first network identifier information, and second network identifier information, the second network identifier information is obtained by processing the first network identifier information by using a shared key, and the shared key is a key used between the first network element and the second network element; verifying, by the first network element, the registration request message by using the shared key; and sending, by the first network element, a registration response message to the second network element. When receiving a registration request from a visited network, a home network verifies the registration request message by using a shared key, to avoid a spoofing attack from the visited network.

公开(公告)号：US20210281986A1

公开(公告)日：2021-09-09

申请号：US17319663

申请日：2021-05-13

Applicant: Huawei Technologies Co., Ltd.

Inventor： Jintao Zhu ,  Fei Li ,  Chengdong He

IPC: H04W4/40 ,  H04W4/12 ,  H04W4/02 ,  H04W12/069

Abstract: A vehicle-to-everything (V2X) abnormal behavior detection method applied to a vehicle communications system that includes a V2X sending terminal, a V2X receiving terminal, and a V2X server. The method includes that the V2X receiving terminal receives a V2X message from the V2X sending terminal. The V2X receiving terminal determines, according to an abnormal behavior detection policy, that the V2X message is an abnormal message. The V2X receiving terminal sends a report message including the V2X message to the V2X server.

公开(公告)号：US10972917B2

公开(公告)日：2021-04-06

申请号：US16289106

申请日：2019-02-28

Applicant: Huawei Technologies Co., Ltd.

Inventor： Chengdong He

IPC: H04W12/12 ,  H04L29/06 ,  H04W76/12 ,  H04W76/11 ,  H04W8/04 ,  H04W8/08 ,  H04W12/00 ,  H04W84/04

Abstract: A signaling attack prevention method and apparatus, where the method includes receiving a general packet radio service (GPRS) Tunneling Protocol (GTP-C) message from a serving gateway (SGW), determining whether the GTP-C message is received from an eighth data interface (S8), determining whether a first characteristic parameter of the GTP-C message is valid when the GTP-C message is received from the S8 interface, where the first characteristic parameter includes at least one of an international mobile subscriber identity (IMSI) of a user, or an identifier of a message source end of the GTP-C message, and discarding the GTP-C message or returning, to the SGW, a GTP-C response message carrying an error code cause value when the first characteristic parameter of the GTP-C message is invalid.

公开(公告)号：US20190281070A1

公开(公告)日：2019-09-12

申请号：US16422051

申请日：2019-05-24

Applicant: Huawei Technologies Co., Ltd.

Inventor： Rong Wu ,  Chengdong He ,  Lu Gan

IPC: H04L29/06 ,  H04W12/12

Abstract: A system and method for detecting a man-in-the-middle attack, where the includes sending, by a secondary base station, a first check request message to a master base station, wherein the first check request message comprises first identifier information of an evolved random access bearer (ERAB) and a first data packet count value corresponding to the first identifier information; receiving, by the master base station, the first check request message; obtaining second identifier information that matches the first identifier information, wherein the second identifier information is an identifier of a data radio bearer (DRB) corresponding to the ERAB; sending a second check request message to a user terminal, wherein the second check request message comprises the first data packet count value and the second identifier information; and receiving, by the master base station, a check response message from the user terminal.

公开(公告)号：US20180109953A1

公开(公告)日：2018-04-19

申请号：US15847094

申请日：2017-12-19

Applicant: Huawei Technologies Co., Ltd.

Inventor： Chengdong He

IPC: H04W12/06

CPC classification number: H04W12/06 ,  H04L61/1588 ,  H04L61/6054 ,  H04L63/0892 ,  H04L63/1441 ,  H04W12/12

Abstract: A method includes receiving a diameter request message sent by a home subscriber server HSS, where the diameter request message carries a source domain name and a user identity, and determining whether a binding relationship between the source domain name and the user identity is correct. If the binding relationship is incorrect, the method includes discarding the diameter request message or sending a diameter response message to the HSS, where the diameter response message carries a failure code. In the embodiments of the present application, when the binding relationship between the source domain name and the user identity that are carried in the diameter request message is incorrect, the diameter request message is discarded or the diameter response message carrying the failure code is sent.

公开(公告)号：US09668182B2

公开(公告)日：2017-05-30

申请号：US14298341

申请日：2014-06-06

Applicant: Huawei Technologies Co., Ltd.

Inventor： Chengdong He

IPC: H04W36/14 ,  H04W36/00 ,  H04W12/02 ,  H04L29/06 ,  H04W12/10

CPC classification number: H04W36/14 ,  H04L63/205 ,  H04W12/02 ,  H04W12/10 ,  H04W36/0038

Abstract: A security capability negotiation method is applicable to perform security capability negotiation during a mobile network handover. Moreover, a security capability negotiation system is also provided. Consistent with the provided system and method, it may be unnecessary for the MME to know the security capability of the corresponding eNB in a certain manner during a handover from a 2G/3G network to an LTE network. Meanwhile, during the handover from the LTE network to the 3G network, the SGSN does not need to introduce new requirements.

公开(公告)号：US09203614B2

公开(公告)日：2015-12-01

申请号：US14141849

申请日：2013-12-27

Applicant: HUAWEI TECHNOLOGIES CO.,LTD.

Inventor： Jingbin Zhang ,  Chengdong He

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/14

CPC classification number: H04L9/083 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/14 ,  H04L63/0471

Abstract: The present invention relates to a method, an apparatus, and a system for protecting cloud data security. A key management center encrypts original data M sent by a first terminal using a key K, and uploads encrypted data C1 to a cloud server. When the key management center receives a request from a second terminal for the data M, it generates encrypted data C2, which is generated by first encrypting C1 with a key Kb of the second terminal and then decrypted by the key K that was used to encrypt the original data M to generate C1. The key management center then sends the encrypted data C2 to the second terminal. The second terminal decrypts the encrypted data C2 using its own key Kb to obtain the original data M.

Abstract translation: 本发明涉及一种保护云数据安全性的方法，装置和系统。 密钥管理中心使用密钥K对由第一终端发送的原始数据M进行加密，并将加密数据C1上传到云服务器。 当密钥管理中心从数据M的第二终端接收到请求时，生成加密数据C2，该加密数据C2通过用第二终端的密钥Kb首先加密C1，然后由用于加密的密钥K进行解密 原始数据M生成C1。 密钥管理中心然后将加密数据C2发送到第二终端。 第二终端使用其自己的密钥Kb解密加密数据C2以获得原始数据M.

公开(公告)号：US20140120879A1

公开(公告)日：2014-05-01

申请号：US14147179

申请日：2014-01-03

Applicant: Huawei Technologies Co., Ltd.

Inventor： Chengdong He

IPC: H04W36/00 ,  H04W12/04

CPC classification number: H04W12/04 ,  H04L9/0844 ,  H04L9/088 ,  H04L63/0492 ,  H04L63/062 ,  H04L63/0876 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/205 ,  H04L69/24 ,  H04L2463/061 ,  H04W8/02 ,  H04W12/10 ,  H04W12/12 ,  H04W36/0038

Abstract: A method, user equipment (UE) and system are provided for negotiating a security capability during idle state mobility of the UE from a non-long term evolution (non-LTE) network to a long term evolution (LTE) network. The UE sends UE security capabilities supported by the UE to the LTE network for a non-access stratum (NAS) security algorithm selection use. The UE then receives from the LTE network selected NAS security algorithm. The UE further generates a root key from an authentication vector-related key stored at the UE and then derives, from the generated root key, a NAS protection key for security communication with the LTE network.

Abstract translation: 提供了一种方法，用户设备（UE）和系统，用于在UE从非长期演进（non-LTE）网络到长期演进（LTE）网络的空闲状态移动性期间协商安全能力。 UE向UE提供UE所支持的UE安全功能，用于非接入层（NAS）安全算法选择的使用。 然后，UE从LTE网络接收所选择的NAS安全算法。 UE还从存储在UE处的认证向量相关密钥生成根密钥，然后从生成的根密钥中导出用于与LTE网络进行安全通信的NAS保护密钥。

公开(公告)号：US11096142B2

公开(公告)日：2021-08-17

申请号：US17004171

申请日：2020-08-27

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Chengdong He ,  Hua Li ,  Xuwen Zhao

IPC: H04W64/00 ,  H04W8/08

Abstract: A terminal device location determining method and a device. A core network device obtains location information of a terminal device reported by the terminal device and location information reported by a first base station. The core network device determines whether the location information of the terminal device matches the location information reported by the first base station, and if the location information of the terminal device does not match the location information reported by the first base station, the core network device sends a reject message to the terminal device. By determining, through comparison, whether the location information of the terminal device reported by the terminal device matches the location information reported by the base station, it can be determined whether a location of the terminal device is incorrectly determined.