1.
Publication number: US11722891B2
Publication date: 2023-08-08
Application number: US17043971
Filing date: 2019-04-04
Applicant: Nokia Technologies Oy
Inventor: Suresh Nair , Anja Jerichow , Nagendra S Bykampadi
Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.
2.
Publication number: US20210248025A1
Publication date: 2021-08-12
Application number: US17054949
Filing date: 2019-05-07
Applicant: Nokia Technologies Oy
Inventor: Suresh Nair , Anja Jerichow , Nagendra S Bykampadi
IPC: G06F11/07 , H04L29/06 , H04L12/707
Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, and wherein one of the first and second security edge protection proxy elements is a sending security edge protection proxy element and the other of the first and second security edge protection proxy elements is a receiving security edge protection proxy element, the receiving security edge protection proxy element receives a message from the sending security edge protection proxy element. The receiving security edge protection proxy element detects one or more error conditions associated with the received message. The receiving security edge protection proxy element determines one or more error handling actions to be taken in response to the one or more detected error conditions.
3.
Publication number: US20210219137A1
Publication date: 2021-07-15
Application number: US17253895
Filing date: 2019-09-20
Applicant: Nokia Technologies Oy
Inventor: Nagendra S Bykampadi , Anja Jerichow , Suresh Nair
IPC: H04W12/086 , H04L29/06 , H04W12/033 , H04W76/12 , H04W88/16
Abstract: In one example, a method initiates establishment of a secure tunnel by a security proxy element (e.g., SEPP) in a first communication network (e.g., VPLMN) with an internetwork exchange element (e.g., IPX node) which is operatively coupled between the first communication network and a second communication network (e.g., HPLMN). Upon establishment of the secure tunnel, the method sends a message from the security proxy element to the internetwork exchange element over the secure tunnel. The secure tunnel can be a VPN tunnel and can be established using TLS or IPsec. In one example, the internetwork exchange node functions as an HTTP proxy, and in another embodiment as an interception (e.g., MITM) proxy. In another example, HTTPS is used to establish a separate TLS connection for each HTTP message. In yet another example, the security proxy element is configured to select (and change as needed) the secure communication mechanism.
4.
Publication number: US20250015983A1
Publication date: 2025-01-09
Application number: US18894179
Filing date: 2024-09-24
Applicant: Nokia Technologies Oy
Inventor: Nagendra S Bykampadi
Abstract: SEPP 1 forms a first TLS protected N32-c connection with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS client and server. A second TLS protected N32-c connection is formed with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS server and client. On forming the first and second TLS protected N32-c connections, respective first and second shared secrets are formed. First and second master keys are obtained from the first and second shared secrets, respectively. N32-f context IDs are created by each SEPP on setup of the first and second N32-c connections. Based on the first master key and the first N32-f context ID, a first session key is produced for encryption of a first N32-f request to the second security edge proxy and correspondingly a second session key is produced for decryption of a second N32-f request from SEPP 2.
5.
Publication number: US12170899B2
Publication date: 2024-12-17
Application number: US17252699
Filing date: 2019-10-23
Applicant: Nokia Technologies Oy
Inventor: Nagendra S Bykampadi , Bruno Landais
IPC: H04L29/06 , H04L9/40 , H04L61/3015 , H04W12/08 , H04W84/04
Abstract: According to an example aspect of the present invention, there is provided a method, comprising: receiving a first message from a service-consuming second network entity in a second mobile network for a service-providing first network entity in a first mobile network, the first message comprising a first callback resource identifier, generating a second callback resource identifier on the basis of the first callback resource identifier, wherein the second callback resource identifier comprises a domain name of a security edge node in the first network, and transferring a callback message from the first network entity to the security edge node, the callback message comprising the second callback resource identifier.
6.
Publication number: US11991190B2
Publication date: 2024-05-21
Application number: US17603528
Filing date: 2020-04-07
Applicant: Nokia Technologies Oy
Inventor: Suresh Nair , Anja Jerichow , Nagendra S Bykampadi
IPC: H04L9/40
CPC classification number: H04L63/1416 , H04L63/0876 , H04L63/1425 , H04L63/20
Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to establish a user equipment context for a user equipment registered with the apparatus, the user equipment context being associated with an identity of the user equipment, determine that a plurality of network messages comprising the identity of the user equipment as sender fail a network message integrity process, and trigger, responsive to the determination, at least one of: 1) sending a paging message to the user equipment, and 2) initiating an authentication process with a sender of the network messages, and deleting the user equipment context as a response to successful completion of the authentication process.
7.
Publication number: US11902792B2
Publication date: 2024-02-13
Application number: US17045370
Filing date: 2019-04-04
Applicant: NOKIA TECHNOLOGIES OY
Inventor: Suresh Nair , Anja Jerichow , Nagendra S Bykampadi , Dimitrios Schoinianakis
IPC: H04L29/00 , H04W12/72 , H04W12/041 , H04L9/30 , H04W12/06
CPC classification number: H04W12/72 , H04L9/3073 , H04W12/041 , H04W12/06
Abstract: At given user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the given user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the given user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for the given authentication scenario.
8.
Publication number: US11483741B2
Publication date: 2022-10-25
Application number: US17273781
Filing date: 2019-08-09
Applicant: Nokia Technologies Oy
Inventor: Suresh Nair , Anja Jerichow , Nagendra S Bykampadi
Abstract: Techniques for automated management of a service level agreement between a first communication network and a second communication network are provided. For example, one of the communication networks is a visited network while the other is a home network whereby the service level agreement is a roaming agreement. In one example, a message is received at a first communication network from a second communication network, wherein at least a portion of the message relates to the service level agreement between the first communication network and the second communication network. An automated verification of information in the message is performed at the first communication network to determine compliance with the service level agreement. The message receiving step is performed by a security edge protection proxy function of the first communication network and the automated verification performing step is performed by a service level agreement management function of the first communication network.
9.
Publication number: US12206774B2
Publication date: 2025-01-21
Application number: US17274551
Filing date: 2019-09-09
Applicant: Nokia Technologies Oy
Inventor: Nagendra S Bykampadi
Abstract: SEPP 1 forms a first TLS protected N32-c connection with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS client and server. A second TLS protected N32-c connection is formed with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS server and client. On forming the first and second TLS protected N32-c connections, respective first and second shared secrets are formed. First and second master keys are obtained from the first and second shared secrets, respectively. N32-f context IDs are created by each SEPP on setup of the first and second N32-c connections. Based on the first master key and the first N32-f context ID, a first session key is produced for encryption of a first N32-f request to the second security edge proxy and correspondingly a second session key is produced for decryption of a second N32-f request from SEPP 2.
10.
Publication number: US11985111B2
Publication date: 2024-05-14
Application number: US17056606
Filing date: 2019-05-20
Applicant: Nokia Technologies Oy
Inventor: Silke Holtmanns , Yoan Jean Claude Miche , Nagendra S Bykampadi
IPC: H04L9/40
CPC classification number: H04L63/029 , H04L63/08 , H04L63/102
Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising a receiver configured to receive a message from a first security zone, distinct from the one where the apparatus is comprised in, and at least one processing core configured to determine whether to apply a recovery action to the message, the determination comprising a first verification, based on first criteria, to assess whether to apply the recovery action outright, and only in case the first verification does not result in the assessment to apply the recovery action outright, a second verification, based on second criteria, to generate a first weight and a third verification, based on third criteria, to generate a second weight, and to compare a sum of the first weight and the second weight to a predefined trigger to perform the determination.