公开(公告)号：US20050063544A1

公开(公告)日：2005-03-24

申请号：US10497568

申请日：2002-12-06

申请人： Ilkka Uusitalo ,  Pasi Ahonen ,  Rolf Blom ,  Boman Krister ,  Mats Naslund

发明人： Ilkka Uusitalo ,  Pasi Ahonen ,  Rolf Blom ,  Boman Krister ,  Mats Naslund

IPC分类号： H04L29/06 ,  H04L9/00

CPC分类号： H04L63/06 ,  H04L9/0841 ,  H04L9/0869 ,  H04L63/0428 ,  H04L63/08 ,  H04L63/306

摘要： A method of facilitating the lawful interception of an IP session between two or more terminals 12,13, wherein said session uses encryption to secure traffic. The method comprises storing a key allocated to at least one of said terminals 12,13 or to at least one of the subscribers using one of the terminals 12,13, at the terminal 12,13 and at a node 5,8 within a network 1,6 through which said session is conducted, or a node coupled to that network. Prior to the creation of said session, a seed value is exchanged between the terminal 12,13 at which the key is stored and said node 5,8. The key and the seed value are used at both the terminal 12,13 and the node 5,8 to generate a pre-master key. The pre-master key becomes known to each of the terminals 12,13 involved in the IP session and to the network node 5,8. The pre-master key is used, directly or indirectly, to encrypt and decrypt traffic associated with said IP session.

摘要翻译： 一种促进在两个或多个终端12,13之间合法拦截IP会话的方法，其中所述会话使用加密来保证业务。 所述方法包括：在终端12,13和网络中的节点5,8处，存储分配给所述终端12,13中的至少一个的密钥或至少一个用户的终端12,13中的一个终端 1,6通过其进行所述会话，或者耦合到该网络的节点。 在创建所述会话之前，在存储密钥的终端12,13和所述节点5,8之间交换种子值。 密钥和种子值都在终端12,13和节点5,8两端使用以产生预先主密钥。 对于IP会话中涉及的每个终端12,13和网络节点5,8，预先主密钥变得已知。 预主密钥直接或间接地用于加密和解密与所述IP会话相关联的流量。

公开(公告)号：US20070192602A1

公开(公告)日：2007-08-16

申请号：US11275166

申请日：2005-12-16

申请人： Rolf Blom ,  Mats Naslund

发明人： Rolf Blom ,  Mats Naslund

IPC分类号： H04L9/00

CPC分类号： H04L9/3236 ,  H04L9/0643 ,  H04L9/0841 ,  H04L9/321 ,  H04L9/3247 ,  H04L9/3273 ,  H04L63/0823 ,  H04L63/0853 ,  H04L63/0869 ,  H04L2209/20 ,  H04L2209/80 ,  H04W12/06 ,  H04W12/1206

摘要： A system and method for preventing unauthorized duplication of an identity module, IM, and authenticating valid IMs. Different information is stored in the IM and an authentication center, AuC, and if the information in the AuC is leaked, it is insufficient to clone the IM. The IM generates a first key, K1, and a second key, K2, while assuring that K1 cannot be derived from K2, and optionally that K2 cannot be derived from K1. The IM exports K2 and an identifier to the AuC while keeping K1 secret within the IM. During authentication, the IM provides to a third party such as a VLR, information containing the identifier. The VLR forwards the information to the AuC, which retrieves K2 based on the identifier and generates a first value, R, and a second value, X, based on at least K2. The AuC then returns R and X to the VLR, which forwards R to the IM. The IM then generates a response, RES, based on at least K1 and R, and sends the RES to the VLR. The VLR then verifies the RES based on X.

摘要翻译： 一种用于防止身份模块的未经授权的复制，IM和验证有效的IM的系统和方法。 不同的信息存储在IM和认证中心AuC中，如果AuC中的信息泄漏，则不足以克隆IM。 IM产生第一密钥K1和第二密钥K2，同时确保K1不能从K2导出，并且可选地，K2不能从K1导出。 IM将K2和一个标识符导出到AuC，同时保持K1内的IM秘密。 在认证期间，IM向诸如VLR的第三方提供包含标识符的信息。 VLR将信息转发到AuC，AuC基于标识符检索K2，并且至少基于K2产生第一值R和第二值X。 然后，AuC将R和X返回给VLR，VLR将R转发到IM。 然后，IM至少基于K1和R产生响应RES，并将RES发送到VLR。 VLR然后验证基于X的RES。

公开(公告)号：US20070157022A1

公开(公告)日：2007-07-05

申请号：US11570186

申请日：2005-05-17

申请人： Rolf Blom ,  Mats Naslund

发明人： Rolf Blom ,  Mats Naslund

IPC分类号： H04L9/00

CPC分类号： H04L9/0838 ,  H04L9/3273 ,  H04L63/0428 ,  H04L63/0853 ,  H04L2209/80 ,  H04W12/04 ,  H04W12/06 ,  H04W88/06

摘要： When a mobile terminal (10), having a basic identity module (12) operative according to a first security standard, initiates a service access, the home network (30) determines whether the mobile terminal has an executable program (14) configured to interact with the basic identity module for emulating an identity module according to the second security standard. If it is concluded that the mobile terminal has such an executable program, a security algorithm is executed at the home network (30) to provide security data according to the second security standard. At least part of these security data are then transferred, transparently to a visited network (20), to the mobile terminal (10). On the mobile terminal side, the executable program (14) is executed for emulating an identity module according to the second security standard using at least part of the transferred security data as input. Preferably, the first security standard corresponds to a 2G standard, basically the GSM standard and the second security standard at least in part corresponds to a 3G standard such as the UMTS standard, and/or the IP Multimedia Sub-system (IMS) standard.

摘要翻译： 当具有根据第一安全标准操作的基本身份模块（12）的移动终端（10）启动服务访问时，家庭网络（30）确定移动终端是否具有被配置为相互作用的可执行程序（14） 具有用于根据第二安全标准模拟身份模块的基本身份模块。 如果确定移动终端具有这样的可执行程序，则在归属网络（30）处执行安全算法以根据第二安全标准提供安全数据。 这些安全数据的至少一部分然后被透明地传送到被访问网络（20）到移动终端（10）。 在移动终端侧，执行可执行程序（14），用于使用至少部分传送的安全数据作为输入来根据第二安全标准来模拟身份模块。 优选地，第一安全标准对应于2G标准，基本上GSM标准和第二安全标准至少部分地对应于诸如UMTS标准和/或IP多媒体子系统（IMS）标准的3G标准。

公开(公告)号：US20130268681A1

公开(公告)日：2013-10-10

申请号：US13800129

申请日：2013-03-13

申请人： Luis Barriga ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

发明人： Luis Barriga ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04W76/02

CPC分类号： H04W76/02 ,  H04L63/0428 ,  H04L65/1016 ,  H04L65/1069 ,  H04W12/02 ,  H04W12/04 ,  H04W76/10

摘要： An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node.

摘要翻译： IMS系统包括IMS发起者用户实体。 该系统包括由发起者用户实体调用的IMS应答器用户实体。 该系统包括与主叫实体进行通信的主叫侧S-CSCF，其从呼叫方实体接收具有第一保护报价的INVITE和用于密钥建立的参数，从INVITE中移除第一保护报价并转发INVITE而没有第一保护 提供。 该系统包括与响应者用户实体通信的接收端S-CSCF，以及在没有第一保护提供的情况下接收INVITE的主叫侧S-CSCF，并检查响应者用户实体是否支持保护，将第二保护请求插入到 INVITE并将INVITE转发到响应者用户实体，其中响应者用户实体接受包括第二保护请求的INVITE和具有第一保护接受的确认的应答。 一种用于支持电信节点的呼叫的方法。

公开(公告)号：US08429737B2

公开(公告)日：2013-04-23

申请号：US12744720

申请日：2008-12-01

申请人： Luis Barriga ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

发明人： Luis Barriga ,  Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L29/06 ,  G06F15/16

摘要： An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node.

公开(公告)号：US20110206206A1

公开(公告)日：2011-08-25

申请号：US13063997

申请日：2009-03-13

申请人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

发明人： Rolf Blom ,  Fredrik Lindholm ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L9/08

CPC分类号： H04L63/0869 ,  H04L9/0819 ,  H04L9/083 ,  H04L9/3213 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/08

摘要： A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

摘要翻译： 一种用于通信网络中密钥管理的方法和装置。 密钥管理服务器（KMS）从第一设备接收与用户身份相关联的令牌的请求，所述用户身份与第二设备相关联。 然后，KMS将所请求的令牌和与用户相关联的用户密钥发送到第一设备。 KMS随后从第二个设备接收令牌。 使用用户密钥和与第二设备相关联的修改参数来生成第二设备密钥。 修改参数可用于第一设备用于生成第二设备密钥。 然后，第二个设备密钥从KMS发送到第二个设备。 第二设备密钥可以由第二设备用于向第一设备或第一设备认证自身以确保与第二设备的通信。

公开(公告)号：US20100268937A1

公开(公告)日：2010-10-21

申请号：US12744986

申请日：2007-11-30

申请人： Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  John Mattsson ,  Mats Naslund ,  Karl Norrman

发明人： Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  John Mattsson ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L9/32 ,  H04L29/06 ,  H04L9/08

CPC分类号： H04L9/0838 ,  H04L9/083 ,  H04L9/0861 ,  H04L63/061 ,  H04L63/062 ,  H04L63/0884 ,  H04L65/1016

摘要： A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session keys. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary whereby first and second session keys protect communication with respective leg to intermediary.

摘要翻译： 公开了一种用于管理用于通信网络中的第一和第二用户设备之间的安全通信的会话密钥的方法和装置。 该方法的特征在于独立于每个用户设备为安全操作实现什么类型的凭证。 第一用户从第一密钥管理服务器接收密钥信息和凭证并生成第一会话密钥。 该凭证被转发到至少一个响应用户设备，在来自与第一密钥管理服务器通信的第二密钥管理服务器的支持下，解决凭证并确定第二会话密钥。 此后，第一和第二会话密钥用于安全通信。 在一个实施例中，通信遍及中间体，由此第一和第二会话密钥保护与相应的腿到中间的通信。

公开(公告)号：US20070150794A1

公开(公告)日：2007-06-28

申请号：US10271945

申请日：2002-10-17

申请人： Mats Naslund ,  Rolf Blom

发明人： Mats Naslund ,  Rolf Blom

IPC分类号： H03M13/00

CPC分类号： H03M13/158 ,  G06F7/724 ,  G06F7/725 ,  H03M13/6561

摘要： Binary data representing a code word of an error-correcting code is used for calculating a syndrome, wherein a given portion of the binary data comprises k groups of data bits and represents a field element of the finite field GF(pk), p being an odd prime number, the field element comprising k coefficients in accordance with a polynomial basis representation, each group of data bits of the given portion representing a corresponding one of the k coefficients. The given portion is stored in a first general purpose register and is processed such that the k groups of data bits of the given portion are processed in parallel; determining whether the syndrome is equal to zero; and detecting and correcting errors in the binary data if the syndrome is not equal to zero.

摘要翻译： 表示纠错码的代码字的二进制数据用于计算校正子，其中二进制数据的给定部分包括k组数据位，并且表示有限域GF（p < / SUP>），p是奇素数，场元素包括根据多项式基表示的k个系数，给定部分的每组数据位表示k个系数中的相应一个。 给定部分存储在第一通用寄存器中，并被处理使得给定部分的k组数据位被并行处理; 确定综合征是否等于零; 以及如果所述综合征不等于零，则检测和校正二进制数据中的错误。

公开(公告)号：US09178696B2

公开(公告)日：2015-11-03

申请号：US12744986

申请日：2007-11-30

申请人： Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  John Mattsson ,  Mats Naslund ,  Karl Norrman

发明人： Rolf Blom ,  Yi Cheng ,  Fredrik Lindholm ,  John Mattsson ,  Mats Naslund ,  Karl Norrman

IPC分类号： H04L9/08 ,  H04L29/06

CPC分类号： H04L9/0838 ,  H04L9/083 ,  H04L9/0861 ,  H04L63/061 ,  H04L63/062 ,  H04L63/0884 ,  H04L65/1016

摘要： A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session keys. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary whereby first and second session keys protect communication with respective leg to intermediary.

摘要翻译： 公开了一种用于管理用于通信网络中的第一和第二用户设备之间的安全通信的会话密钥的方法和装置。 该方法的特征在于独立于每个用户设备为安全操作实现什么类型的凭证。 第一用户从第一密钥管理服务器接收密钥信息和凭证并生成第一会话密钥。 该凭证被转发到至少一个响应用户设备，在来自与第一密钥管理服务器通信的第二密钥管理服务器的支持下，解决凭证并确定第二会话密钥。 此后，第一和第二会话密钥用于安全通信。 在一个实施例中，通信遍及中间体，由此第一和第二会话密钥保护与相应的腿到中间的通信。

公开(公告)号：US08942377B2

公开(公告)日：2015-01-27

申请号：US13578356

申请日：2010-02-12

申请人： Wassim Haddad ,  Rolf Blom ,  Mats Naslund

发明人： Wassim Haddad ,  Rolf Blom ,  Mats Naslund

IPC分类号： H04L12/06 ,  H04W12/06 ,  H04L29/06

CPC分类号： H04W12/06 ,  H04L63/08 ,  H04L63/0823

摘要： A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

摘要翻译： 一种在通信网络中的两个节点之间建立信任的方法和装置。 第一节点从网络节点接收对第一节点唯一的认证数据，其可以用于导出用于第一节点的验证数据的紧凑表示。 第一个节点还接收到网络中所有节点的验证数据的认证紧凑表示。 第一节点从节点的认证数据中导出信任信息，并向第二节点发送包含信任信息和认证数据的一部分的消息。 第二节点具有网络中所有节点的验证数据的经认证的紧凑表示的副本，并使用网络中所有节点的验证数据的紧密表示和接收到的信任来验证来自第一节点的消息的真实性 信息和认证数据。