Abstract:
In order to support separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (K UPenc-M, K UPenc-S) from a third key (K eNB). The first key (K UPenc-M) is used for confidentiality protection of first traffic transmitted over the U-Plane between the MeNB (20) and a UE (10). The first key (K UPenc-M) may be the same as the current KUPenc or a new key. The second key (K UPenc-S) is used for confidentiality protection of second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (K UPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20) and derives the second key (K UPenc-S) based on the result of the negotiation.
Abstract:
An MTC device (10) and an MTC interworking function, MTC-IWF, (20) form a communication system and communicate with each other. In this communication system, a root key (K iwf) is securely shared between the MTC device (10) and the MTC-IWF (20). The MTC device (10) and the MTC-IWF (20) each use the root key (K iwf) to derive temporary keys (K di (K di conf, K di int)) for protecting the communication. The temporary keys provide integrity protection and confidentiality. The root key can be derived by the HSS or the MME/SGSN/MSC and provided to the MTC-IWF. The root key can also be derived by the MTC-IWF based on received key derivation material. The described system is useful for securing small data transmission in an MTC system.
Abstract:
A network node (21), which is placed within a core network, stores a list of network elements (24) capable of forwarding a trigger message to an MTC device (10). The network node (21) receives the trigger message from a transmission source (30, 40) placed outside the core network, and then selects, based on the list, one of the network elements to forward the trigger message to the MTC device (10). The MTC device (10) validates the received trigger message and, when the trigger message is not validated, transmits to the network node (21) a reject message indicating that the trigger message is not accepted by the MTC device (10). Upon receiving the reject message, the network node (21) either forwards the trigger message through a different one of the network elements, or forwards the reject message to the transmission source (30, 40) so that it sends the trigger message through the user plane.
Abstract:
[Technical Problem] If the related secure communication method is applied to a system which includes a plurality of MTC devices (1101), traffic in the network (1100) would increase in proportion to the number of MTC devices (1101). [Solution to Problem] A communication apparatus (1000) in the present invention, which is connected to a network (1100) and a plurality of communication terminals (1101), includes: a group information sending means (1001) for sending group information received from the network (1100); an access control means (1002) for 1) receiving a reply from the communication terminal(s) (1101) which responded to the group information and 2) sending the reply to the network (1100); and a temporary identifier and group key sending means (1003) for sending a temporary identifier and a group key to the communication terminal (1101) which responded to the group information, once the communication apparatus (1000) has received the temporary identifier and the group key from the network (1100).
Abstract:
A UE (10) provides information on potential S'eNB(s). The information is forwarded from an MeNB (20_1) to an M'eNB (20_2) so that the M'eNB (20_2) can determine, before the handover happens, whether it will configure a new SeNB (S'eNB) and which S'eNB it will configure. In one option, the MeNB (20_1) derives a key S'-KeNB for protecting communication between the UE (10) and the S'eNB (30_1), and sends the S'-KeNB to the M'eNB (20_2). In another option, the M'eNB (20_2) derives the S'-KeNB from a key KeNB* received from the MeNB (20_1). The M'eNB (20_2) sends the S'-KeNB to the S'eNB (30_1). Moreover, several variations are provided for performing SeNB Release, SeNB Addition, Bearer Modification and the like, in which their order and/or timing can differ during the handover procedure.
Abstract:
An SeNB (30) informs an MeNB (20) that it can configure bearers for the given UE (10). At this time, the MeNB (20) manages the DRB status and then sends a key S-KeNB to the SeNB (30). The MeNB (20) also sends a KSI for the S-KeNB to both the UE (10) and the SeNB (30). After this procedure, the MeNB (20) informs the EPC (MME (40) and S-GW (50)) about the new bearer configured at the SeNB (30), so that the S-GW (50) can start offloading the bearer(s) to the SeNB (30). Prior to the offloading, the EPC network entity (MME (40) or S-GW (50)) verifies: 1) whether the request is coming from an authenticated source (the MeNB); and 2) whether the SeNB (30) is a valid eNB to which the traffic can be offloaded.
Abstract:
In order to effectively ensure security for direct communication in ProSe, a ProSe Function (20) acquires, from a third party, root keys for each of the UEs (10_1-10_m) for deriving a pair of session keys used to securely conduct direct communication with different UEs, and distributes the acquired root keys to each of the UEs (10_1-10_m). Each of the UEs (10_1-10_m) derives the session keys by using one of the distributed root keys. Moreover, a plurality of UEs, which form a communication system and are allowed to conduct direct communication with each other when they are in proximity to each other, share their public keys with one another through a node which supports the direct communication, upon successfully registering with the node. Each of the UEs verifies at least a request for the direct communication by using one of the public keys.
Abstract:
In order to improve security upon distributing a group key, there is provided a gateway (20) to a core network for a group of MTC devices (10_1-10_n) communicating with the core network. The gateway (20) protects confidentiality and integrity of a group key, and distributes the protected group key to each of the MTC devices (10_1-10_n). The protection is performed by using: a key (Kgr) that is preliminarily shared between the gateway (20) and each of the MTC devices (10_1-10_n), and that is used for the gateway (20) to authenticate each of the MTC devices (10_1-10_n) as a member of the group; or a key (K_iwf) that is shared between an MTC-IWF (50) and each of the MTC devices (10_1-10_n), and that is used to derive temporary keys for securely conducting individual communication between the MTC-IWF (50) and each of the MTC devices (10_1-10_n).
Abstract:
A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device (31), which sends a communication request, and a receiving device (32), which receives the request from the requesting device (31), the method including: deriving session keys Kpc and Kpi from a unique key Kp at the requesting and receiving devices (31) and (32); using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices (31) and (32); and starting the direct communication between the requesting and receiving devices (31) and (32). The key Kpc is a confidentiality key and the key Kpi is an integrity protection key.
Abstract:
A secure system (1) includes a requesting device (L01) which requests a communication, and a receiving device (L03) which receives the communication request from the requesting device (L01). The requesting device (L01) and the receiving device (L03) are members of a specific group when the requesting device (L01) discovers the receiving device (L03). The requesting device (L01) is allowed to communicate with the requesting device (L01) by a network used by the specific group, or by the receiving device upon a proof being provided by a network used by the specific group; the devices (L01) and (L03) are able to perform mutual authentication over a direct wireless interface, or the receiving device (L03) checks a list, maintained by a user, of members of the specific group of devices for ProSe service purposes.