-
Publication number: US11695742B2
Publication date: 2023-07-04
Application number: US17321964
Application date: 2021-05-17
Applicant: Huawei Technologies Co., Ltd.
IPC: H04L29/06 , H04L9/40 , H04L9/08 , H04L67/14 , H04W12/033 , H04W12/041 , H04W12/106
CPC classification number: H04L63/0428 , H04L9/0861 , H04L63/20 , H04L67/14 , H04W12/033 , H04W12/041 , H04W12/106 , H04L2209/80
Abstract: A security implementation method includes obtaining, by a first device, a security policy of a session and at least one key, and sending, by the first device, protected data to a second device, where the protected data is obtained by protecting security of session data of the session using the at least one key based on the security policy of the session, and the second device is configured to restore the protected data using the at least one key based on the security policy to obtain the session data, where when the first device is a terminal device, the second device is an access network node or a user plane node, or when the first device is an access network node or a user plane node, the second device is a terminal device.
-
Publication number: US20220166622A1
Publication date: 2022-05-26
Application number: US17540664
Application date: 2021-12-02
Applicant: Huawei Technologies Co., Ltd.
Inventor: Shuaishuai Tan , Lu Gan , Bo Zhang , Rong Wu
Abstract: A network function service invocation method includes sending, by a first network function network element, a first request message to an authorization network element, wherein the first request message is used to request permission to invoke a first network function service provided by a second network function network element, performing, by the authorization network element, identity authentication on the first network function network element, generating, by the authorization network element, a token when determining that the identity authentication succeeds, wherein the token is used to indicate that the first network function network element has the permission to invoke the first network function service of the second network function network element, and sending, by the authorization network element, a token to the first network function network element.
-
Publication number: US11228442B2
Publication date: 2022-01-18
Application number: US16923741
Application date: 2020-07-08
Applicant: Huawei Technologies Co., Ltd.
Inventor: Bo Zhang , Lu Gan , Yanjiang Yang
Abstract: An authentication method, an authentication apparatus, and an authentication system for the communications field are described. The authentication includes receiving, by a communications network element, a request from a user equipment (UE) comprising a first identifier that is an international mobile subscriber identity (IMSI). The communication network element, in response to the request, sends the first identifier to a home subscriber server. The communications network element, upon authenticating the UE successfully, sends a second identifier to a key management center (KMS) to facilitate the KMS generating a subscriber private key corresponding to the second identifier and sending the subscriber private key to the communications network element. The communications network element thereafter sends the subscriber private key to the UE.
-
Publication number: US20210273923A1
Publication date: 2021-09-02
Application number: US17321964
Application date: 2021-05-17
Applicant: Huawei Technologies Co., Ltd.
IPC: H04L29/06 , H04L9/08 , H04L29/08 , H04W12/033 , H04W12/041 , H04W12/106
Abstract: A security implementation method includes obtaining, by a first device, a security policy of a session and at least one key, and sending, by the first device, protected data to a second device, where the protected data is obtained by protecting security of session data of the session using the at least one key based on the security policy of the session, and the second device is configured to restore the protected data using the at least one key based on the security policy to obtain the session data, where when the first device is a terminal device, the second device is an access network node or a user plane node, or when the first device is an access network node or a user plane node, the second device is a terminal device.
-
Publication number: US11057775B2
Publication date: 2021-07-06
Application number: US16224999
Application date: 2018-12-19
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Abstract: This application provides a key configuration method. A session management network element receives a request for end-to-end communication and obtains a security policy, where the security policy is determined based on at least one of: a user security requirement that is of the user equipment and that is preconfigured on a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from a carrier network, and a security requirement of a device on the other end of the end-to-end communication. The session management network element obtains a protection key used for protecting the end-to-end communication. The session management network element sends the security policy to the devices on two ends of the end-to-end communication.
-
Publication number: US11051171B2
Publication date: 2021-06-29
Application number: US16569415
Application date: 2019-09-12
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Abstract: Embodiments of the present invention disclose a communication method, a related device, and a system. The system may include a terminal, a first access network node (AN), and a second AN. The first AN is configured to determine that the terminal meets a condition of being handed over from the first AN to the second AN, where a value of a target parameter used for encryption and/or integrity protection when the terminal and the first AN communicate with each other before the terminal is handed over to the second AN is equal to a first reference value. In the system, the first AN may further be configured to send a target message to the second AN to instruct the second AN to obtain a second reference value. The second AN may be configured to obtain the second reference value based on the target message. Furthermore, the terminal may be configured to obtain the second reference value, where the second reference value is used as a value of the target parameter used for encryption and/or integrity protection when the second AN and the terminal communicate with each other. According to the embodiments of the present invention, security performance of the terminal can be improved.
-
Publication number: US10966083B2
Publication date: 2021-03-30
Application number: US16441598
Application date: 2019-06-14
Applicant: Huawei Technologies Co., Ltd.
IPC: H04L9/00 , H04W12/04 , H04W80/10 , H04W88/02 , H04W76/11 , H04W76/25 , H04W8/08 , H04L9/08 , H04L29/06
Abstract: An anchor key generation method, device, and system, where the method includes generating, by a unified data management network element (UDM), an intermediate key based on a cipher key (CK), an integrity key (IK), and indication information regarding an operator; sending, by the UDM, the intermediate key to an authentication server function (AUSF); receiving, by the AUSF, the intermediate key; generating, by the AUSF, an anchor key based on the intermediate key; sending, by the AUSF, the anchor key to a security anchor function (SEAF); and generating, by the SEAF, a key (Kamf) based on the anchor key, where the Kamf is used to derive a 3rd Generation Partnership Project (3GPP) key.
-
Publication number: US10742418B2
Publication date: 2020-08-11
Application number: US16291954
Application date: 2019-03-04
Applicant: Huawei Technologies Co., Ltd.
Inventor: Bo Zhang , Lu Gan , Yanjiang Yang
Abstract: An authentication method, an authentication apparatus, and an authentication system for the communications field are described. The authentication includes sending, by first user equipment, a first random parameter to second user equipment. The second user equipment obtains a first user identifier, a second user identifier, and a second random parameter; and generates a second authentication feature based on the first user identifier, the second user identifier, the first random parameter, and the second random parameter. The second user equipment sends the second authentication feature to the first user equipment for authentication. The first user equipment, after authentication, generates a first authentication feature. The first authentication feature is sent to the second user equipment for authentication.
-
Publication number: US10728757B2
Publication date: 2020-07-28
Application number: US16409207
Application date: 2019-05-10
Applicant: Huawei Technologies Co., Ltd.
Inventor: Rong Wu , Lu Gan , Bo Zhang , Shuaishuai Tan
Abstract: A security implementation method includes receiving, by a first network element, a request for handing over user equipment from a source access network device to a target access network device to perform communication. The method further includes obtaining, by the first network element, a security key, where the security key is used for protecting the communication between the user equipment and the target access network device after the user equipment is handed over from the source access network device to the target access network device, and sending, by the first network element, the security key to the target access network device.
-
Publication number: US20200213290A1
Publication date: 2020-07-02
Application number: US16814018
Application date: 2020-03-10
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Shuaishuai Tan , Lu Gan , Bo Zhang , Rong Wu
IPC: H04L29/06 , H04W12/06 , H04L12/911 , H04W12/08 , H04L9/32 , H04L9/30 , H04L9/08 , H04W8/18 , H04W12/04
Abstract: An authorization method and a network element are disclosed, to implement a third-party authorization function based on a 5G service-based network architecture. The method is: receiving, by a resource control network element, a resource usage request message sent by a terminal device; replacing a first user identifier in the resource usage request message with a second user identifier; sending an authorization request message carrying the second user identifier to an authorization server by using an NEF; receiving, by using the NEF, an authorization response message sent by the authorization server, where the authorization response message includes an authorization result that is obtained by performing authorization based on the second user identifier and the resource usage request message; and allocating a network resource to the terminal device based on the authorization result, and sending a resource allocation response message to the terminal device.