Lawful interception of encrypted communications

    公开(公告)号:US10432606B2

    公开(公告)日:2019-10-01

    申请号:US14370862

    申请日:2012-04-27

    IPC分类号: H04L29/06 H04L9/32

    摘要: A method and apparatus for providing access to an encrypted communication between a sending node and a receiving node to a Law Enforcement Agency (LEA). A Key Management Server (KMS) function stores cryptographic information used to encrypt the communication at a database. The cryptographic information is associated with an identifier used to identify the encrypted communication between the sending node and the receiving node. The KMS receives a request for Lawful Interception, the request including an identity of a Lawful Interception target. The KMS uses the target identity to determine the identifier, and retrieves the cryptographic information associated with the identifier from the database. The cryptographic information can be used to decrypt the encrypted communication. The KMS then sends either information derived from the cryptographic information or a decrypted communication towards the LEA. This allows the LEA to obtain a decrypted version of the communication.

    Security policy distribution to communication terminals
    2.
    发明授权
    Security policy distribution to communication terminals 有权
    通信终端的安全策略分配

    公开(公告)号:US08819765B2

    公开(公告)日:2014-08-26

    申请号:US12863746

    申请日:2008-01-22

    IPC分类号: G06F17/00 H04L29/06

    摘要: A method and arrangement for distributing a security policy to a communication terminal having an association with a home communication network, but being present in a visited communication network. The home communication network generates its own preferred security policy Ph and the visited communication network generates its own preferred security policy Pv. A communication network entity in the visited communication network combines the security policies and selects security algorithms and/or functions to apply from the combined security policy. By generating security policy vectors of both networks and combining them before the security algorithms are selected, both networks are able to influence the selection without requiring the use of signaling messages.

    摘要翻译: 一种用于将安全策略分发给具有与归属通信网络相关联但存在于被访问的通信网络中的通信终端的方法和装置。 家庭通信网络生成自己的首选安全策略Ph,并且被访问的通信网络生成其自己的优选安全策略Pv。 访问通信网络中的通信网络实体组合安全策略并选择从组合的安全策略应用的安全算法和/或功能。 通过在选择安全算法之前生成两个网络的安全策略向量并组合它们,两个网络能够影响选择,而不需要使用信令消息。

    Cryptographic key management in communication networks
    3.
    发明授权
    Cryptographic key management in communication networks 有权
    通信网络密码管理

    公开(公告)号:US08094817B2

    公开(公告)日:2012-01-10

    申请号:US11857621

    申请日:2007-09-19

    IPC分类号: H04L9/00

    摘要: An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity (TCE) creates a master key (Mk), which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between two nodes that hold the key in the respective access networks when a User Equipment (UE) terminal changes access. The transformation of the Mk is performed via a one-way function, and has the effect that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and type of UE/identity module with which the transformed key is to be utilized. The Mk is never used directly, but is only used to derive the keys that are directly used to protect the access link.

    摘要翻译: 一种认证服务器,以及用于管理跨越用户终端,接入网络和核心网络的不同组合的加密密钥的系统和方法。 转换编码器实体(TCE)创建主密钥(Mk),用于在认证过程期间导出密钥。 在不同访问类型之间的切换期间,当用户设备(UE)终端改变访问时,Mk或经变换的Mk在保持密钥的两个节点之间传递。 通过单向函数执行Mk的转换,并且具有以下效果:如果Mk以某种方式受损,则不可能自动获得对先前使用的主密钥的访问。 基于认证者节点的类型和使用变换密钥的UE /身份模块的类型进行转换。 Mk从不直接使用,但仅用于派生直接用于保护访问链接的密钥。

    METHOD AND ARRANGEMENT FOR CREATION OF ASSOCIATION BETWEEN USER EQUIPMENT AND AN ACCESS POINT
    4.
    发明申请
    METHOD AND ARRANGEMENT FOR CREATION OF ASSOCIATION BETWEEN USER EQUIPMENT AND AN ACCESS POINT 有权
    创建用户设备与访问点之间的关联的方法和布置

    公开(公告)号:US20110256850A1

    公开(公告)日:2011-10-20

    申请号:US13140818

    申请日:2008-12-19

    IPC分类号: H04W12/06

    摘要: Methods, apparatus, and computer program products for creating an association between a first user equipment and at least one access point assisted by a registration server in a telecommunication network are disclosed. The registration server responds to a first contact request carried out using a first association number for the access point, provided by the first user equipment, receives a first association request for the association with the access point, provided by the first user equipment, authorizes the first association request based on a first authorization information provided by the first user equipment; registers the association between the first user equipment and the access point responsive to authorization of the first association request. The first user equipment is associated with the access point and the association is administered by the registration server.

    摘要翻译: 公开了用于在第一用户设备和由电信网络中的注册服务器辅助的至少一个接入点之间建立关联的方法,设备和计算机程序产品。 注册服务器响应由第一用户设备提供的接入点的第一关联号码执行的第一联系请求,接收由第一用户设备提供的与接入点的关联的第一关联请求,授权 基于由第一用户设备提供的第一授权信息的第一关联请求; 响应于第一关联请求的授权,注册第一用户设备和接入点之间的关联。 第一用户设备与接入点相关联,该关联由注册服务器管理。

    Method and apparatus for handling keys used for encryption and integrity
    6.
    发明申请
    Method and apparatus for handling keys used for encryption and integrity 有权
    用于处理用于加密和完整性的密钥的方法和装置

    公开(公告)号:US20070230707A1

    公开(公告)日:2007-10-04

    申请号:US11726527

    申请日:2007-03-22

    IPC分类号: H04L9/00

    摘要: A method and an arrangement for providing keys for protecting communication between a terminal (300) and service points in a communication network. A basic key (Ik) is first established with a service control node (304) when the terminal has entered the network. An initial modified key (Ik1) is then created in both the service control node and the terminal, by applying a predetermined first function (f) to at least the basic key and an initial value of a key version parameter (v). The initial modified key is sent to a first service point (302), such that it can be used to protect communication between the terminal and the first service point. When the terminal switches to a second service point (306), the first service point and the terminal both create a second modified key (Ik2) by applying a predetermined second function (g) to the initial modified key, and the first service point sends the second modified key to the second service point.

    摘要翻译: 一种用于提供用于保护终端(300)与通信网络中的服务点之间的通信的密钥的方法和装置。 当终端进入网络时,首先与服务控制节点(304)建立基本密钥(Ik)。 然后,通过将预定的第一功能(f)应用于至少基本密钥和密钥的初始值,在服务控制节点和终端两者中创建初始修改密钥(Ik1< 1>) 版本参数(v)。 初始修改的密钥被发送到第一服务点(302),使得其可以用于保护终端和第一服务点之间的通信。 当终端切换到第二服务点(306)时,第一服务点和终端都通过将预定的第二功能(g)应用于初始修改的密钥来创建第二修改密钥(Ik> 2< 密钥,第一服务点将第二修改密钥发送到第二服务点。

    Key management for network elements
    7.
    发明申请
    Key management for network elements 有权
    网元的密钥管理

    公开(公告)号:US20070160201A1

    公开(公告)日:2007-07-12

    申请号:US10597864

    申请日:2004-02-11

    IPC分类号: H04L9/30

    摘要: The invention provides an establishment of a secret session key shared Between two network elements (NEa, NEb) belonging to different network domains (NDa, NDb). A first network element (NEa) of a first network domain (NDa) requests security parameters from an associated key management center (KMC) (AAAa). Upon reception of the request, the KMC (AAAa) generates a freshness token (FRESH) and calculates the session key (K) based on this token (FRESH) and a master key (KAB) shared with a second network domain (NDb). The security parameters are (securely) provided to the network element (NEa), which extracts the session key (K) and forwards the freshness token (FRESH) to the KMC (AAAb) of the second domain (NDb) through a second network element (NEb). Based on the token (FRESH) and the shared master key (KAB), the KMC (AAAb) generates a copy of the session key (K), which is (securely) provided to the second network element (NEb). The two network elements (NEa, NEb) now have shares the session key (K), enabling them to securely communicate with each other.

    摘要翻译: 本发明提供了属于不同网络域(NDa,NDb)的两个网元(NEa,NEb)之间共享的秘密会话密钥的建立。 第一网络域(NDa)的第一网元(NEa)从相关联的密钥管理中心(AAAa)请求安全参数。 在接收到请求时,KMC(AAAa)生成新鲜令牌(FRESH),并且基于该令牌(FRESH)和与第二网络域(NDb)共享的主密钥(KAB)来计算会话密钥(K)。 安全参数(安全地)被提供给提取会话密钥(K)的网元(NEa),并通过第二网络元件将新鲜度令牌(FRESH)转发到第二域(NDb)的KMC(AAAb) (鼻)。 基于令牌(FRESH)和共享主密钥(KAB),KMC(AAAb)生成(安全地)提供给第二网元(NEb)的会话密钥(K)的副本。 两个网元(NEa,NEb)现在已经共享了会话密钥(K),使得它们能够彼此安全地通信。

    Key management for secure communication
    8.
    发明授权
    Key management for secure communication 有权
    安全通信的密钥管理

    公开(公告)号:US09178696B2

    公开(公告)日:2015-11-03

    申请号:US12744986

    申请日:2007-11-30

    IPC分类号: H04L9/08 H04L29/06

    摘要: A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session keys. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary whereby first and second session keys protect communication with respective leg to intermediary.

    摘要翻译: 公开了一种用于管理用于通信网络中的第一和第二用户设备之间的安全通信的会话密钥的方法和装置。 该方法的特征在于独立于每个用户设备为安全操作实现什么类型的凭证。 第一用户从第一密钥管理服务器接收密钥信息和凭证并生成第一会话密钥。 该凭证被转发到至少一个响应用户设备,在来自与第一密钥管理服务器通信的第二密钥管理服务器的支持下,解决凭证并确定第二会话密钥。 此后,第一和第二会话密钥用于安全通信。 在一个实施例中,通信遍及中间体,由此第一和第二会话密钥保护与相应的腿到中间的通信。

    Key management in a communication network
    9.
    发明授权
    Key management in a communication network 有权
    通信网络中的密钥管理

    公开(公告)号:US08837737B2

    公开(公告)日:2014-09-16

    申请号:US13063997

    申请日:2009-03-13

    IPC分类号: H04L9/08 H04L29/06 H04L9/32

    摘要: A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

    摘要翻译: 一种用于通信网络中密钥管理的方法和装置。 密钥管理服务器(KMS)从第一设备接收与用户身份相关联的令牌的请求,所述用户身份与第二设备相关联。 然后,KMS将所请求的令牌和与用户相关联的用户密钥发送到第一设备。 KMS随后从第二个设备接收令牌。 使用用户密钥和与第二设备相关联的修改参数来生成第二设备密钥。 修改参数可用于第一设备用于生成第二设备密钥。 然后,第二个设备密钥从KMS发送到第二个设备。 第二设备密钥可以由第二设备用于向第一设备或第一设备认证自身以确保与第二设备的通信。