Abstract:
Embodiments of this application provide a security protection method, a device, and a system, to improve data transmission security. The method includes: determining, by a terminal, a session management network element, or a mobility management network element, whether a security protection policy determined by an access network device is consistent with a user plane security policy delivered by the session management network element to the access network device; and if the security protection policy determined by the access network device is inconsistent with the user plane security policy delivered by the session management network element to the access network device, performing processing according to a preset policy.
Abstract:
An authentication result update method and a communications apparatus, where the authentication result update method includes: determining that an authentication result of a terminal device in a first serving network needs to be updated; and sending a first service invocation request to an authentication server, where the first service invocation request is used to request to update the authentication result stored in a unified data management device, where visited network spoofing can be prevented after authentication is completed, and where network security can be improved.
Abstract:
An MME negotiates security in case of idle state mobility for a UE from a first network to an LTE network. The UE sends its security capabilities, including non-access stratum (NAS) security capabilities supported by the UE, to the LTE network. The MME selects a NAS security algorithm in accordance with the NAS security capabilities of the UE and sends the selected NAS security algorithm to the UE, so that the NAS security algorithm is shared between the UE and the LTE network when the UE moves from the first network to the LTE network. The MME also derives, in accordance with the selected NAS security algorithm, a NAS protection key from an authentication vector-related key so as to secure communication between the UE and the LTE network.
Abstract:
A method, user equipment (UE) and system are provided for negotiating a security capability during idle state mobility of the UE from a non-long term evolution (non-LTE) network to a long term evolution (LTE) network. The UE sends the UE security capabilities it supports to the LTE network for use in non-access stratum (NAS) security algorithm selection. The UE then receives the selected NAS security algorithm from the LTE network. The UE further generates a root key from an authentication vector-related key stored at the UE and then derives, from the generated root key, a NAS protection key for secure communication with the LTE network.
Abstract:
A communication method and a related product are provided. The communication method includes: when UE switches from a source slice to a target slice that is mutually exclusive with the source slice, both the UE and a target AMF serving the target slice can obtain a first AMF key Kamf_new. The first AMF key Kamf_new is different from a second AMF key Kamf, where the second AMF key Kamf is a key of a source AMF serving the source slice. According to the application, communication security and effectiveness are significantly improved in a mutually exclusive slice switching scenario.
Abstract:
Embodiments of the present invention disclose a terminal authenticating method, including: receiving, by a UE-to-network relay (UE-R), a first request message sent by user equipment (UE); sending, by the UE-R, a second request message to a control network element according to the first request message sent by the UE; receiving, by the UE-R, an authentication request message sent by the control network element, and determining whether the authentication request message is for authenticating the UE; if the authentication request message is for authenticating the UE, sending, by the UE-R, an authentication request message to the UE; and receiving, by the UE-R, an authentication response message sent by the UE according to the authentication request message, and sending the authentication response message to the control network element.
Abstract:
A security capability negotiation method is applicable to perform security capability negotiation during a mobile network handover. Moreover, a security capability negotiation system is also provided. Consistent with the provided system and method, it may be unnecessary for the MME to know the security capability of the corresponding eNB in a certain manner during a handover from a 2G/3G network to an LTE network. Meanwhile, during the handover from the LTE network to the 3G network, the SGSN does not need to introduce new requirements.
Abstract:
A signaling attack prevention method and apparatus, where the method includes receiving a general packet radio service (GPRS) Tunneling Protocol control plane (GTP-C) message from a public data network gateway (PGW), determining whether the GTP-C message is received from an S8 interface, determining whether a characteristic parameter of the GTP-C message is valid when the GTP-C message is received from the S8 interface, and discarding the GTP-C message or returning, to the PGW, a GTP-C response message carrying an error code cause value when the characteristic parameter of the GTP-C message is invalid. By determining the validity of each parameter in the GTP-C message, a hacker is effectively prevented from attacking a serving gateway (SGW) via each attack path, and communication security is improved.
Abstract:
A communication method includes receiving, by a serving GPRS support node (SGSN), a context request message from a mobility management entity (MME), obtaining, by the SGSN, an authentication vector-related key, and calculating, by the SGSN, a root key according to the authentication vector-related key. In addition, the method further includes sending, by the SGSN, a context response message including the root key to the MME, wherein the MME derives a NAS protection key according to the root key.
Abstract:
A method and an apparatus for detecting a man-in-the-middle attack, where the method includes receiving, by a macro evolved Node B (MeNB), a first check request message sent by a secondary evolved Node B (SeNB), where the first check request message includes first identifier information and a first data packet count value; generating a second check request message according to the first identifier information; sending the second check request message to a user terminal; receiving a first check response message generated by the user terminal according to the second check request message, where the first check response message includes second identifier information and a second data packet count value; and determining, by the MeNB, that a man-in-the-middle attack exists between the SeNB and the user terminal when the first data packet count value is different from the second data packet count value.