Abstract:
Methods and apparatuses in a client terminal (400) and a web server (402) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context specific key, Ks_NAF', based on one or more context parameters, P1,...Pn, pertaining to said session and/or web page. The terminal then indicates the context specific key in a login request to the server, and the server determines a context specific key, Ks_NAF', in the same manner to verify the client if the context specific key determined in the web server matches the context specific key received from the client terminal. The context specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
Abstract:
A system, method, and nodes for managing shared security keys between a User Equipment, UE, an authentication node such as an SCF/NAF, and a service node such as a BM-SC or AS. The SCF/NAF allocates to each BM-SC a different SCF/NAF identifier such as a fully qualified domain name, FQDN, from the FQDN space the SCF/NAF administers. The SCF/NAF then locally associates these allocated FQDNs with the connected BM-SCs and with different services. The network sends the correct FQDN to the UE in a service description for a desired service, and the UE is able to derive a security key using the FQDN. When the UE requests the desired service, the SCF/NAF is able to associate the service identifier with the correct FQDN and an associated BM-SC. The SCF/NAF uses the FQDN to obtain the security key from a bootstrapping server and sends it to the associated BM-SC. As a result, the UE and the associated BM-SC share a specific security key.
Abstract:
A split architecture eMBMS with distributed BMSCs providing the same eMBMS service allows for a centralized key service where each BMSC is able to derive a set of MTKs from the MSK using the MTK-IDs as the differentiating input. This avoids the need to send MTKs to the BMSCs.
Abstract:
A method is provided for use by a user terminal (20) operating an IP-based multimedia broadcast/multicast service. The method comprises storing (S3) information relating to user service registrations performed (S2) using an IP connection such as a Packet Data Protocol, PDP, context established to enable connectivity between the user terminal (20) and a service node (40) for the broadcast/multicast service. The information is of a type to enable re-registration (S7) of at least some of any of the user services affected by a loss of the IP connection. In one embodiment, the multimedia broadcast/multicast service is a 3GPP Multimedia Broadcast/Multicast Service, MBMS, the user terminal (20) is a User Equipment, UE, and the service node (40) is a Broadcast/Multicast Service Center, BM-SC. In another embodiment, the multimedia broadcast/multicast service is an Open Mobile Alliance Broadcast, OMA BCAST, service, the user terminal (20) is a Terminal, and the service node (40) is an OMA BCAST Subscription Management, BSM, node.
Abstract:
A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.
Abstract:
A method is provided for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario. The split terminal scenario is one in which authentication under the single sign-on authentication architecture is required of a browsing agent (8) being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent (7). A controlling agent (4) sends (C3) a token to the authentication agent (7). The controlling agent (4) sends (C4) a request to the browsing agent (8) to return a token for comparing with the token sent to the authentication agent (7). The controlling agent (4) waits (C6) for the authentication agent (7) or a user of the authentication agent (7) to communicate (A2) the received token to the browsing agent (8) via a secure and/or trusted channel and for the browsing agent (8), in response to the earlier received request, to forward (B4) the token to the controlling agent (4). The controlling agent (4) receives (C7) the token from the browsing agent (8). The controlling agent (4) compares (C10) the received token with the token sent to the authentication agent (7) to determine whether the authentication agent (7) is authorised to perform authentication on behalf of the browsing agent (8) and/or whether the browsing agent (8) is authorised to act as a representative for the authentication agent (7). The controlling agent (4) authenticates (C11) the browsing agent (8) to the relying party based on the associated authentication performed in relation to the authentication agent (7) if it is determined in the comparing step (C10) that the authentication agent (7) and/or browsing agent (8) is so authorised.
Abstract:
Methods for cryptographic synchronization of data packets. A roll-over counter (ROC) value is periodically appended to and transmitted with a data packet when a function of the packet sequence number equals a predetermined value. The ROC effectively synchronizes the cryptographic transformation of the data packets. Although the disclosed methods are generally applicable to many transmission protocols, they are particularly adaptable for use in systems wherein the data packets are transmitted to a receiver using the Secure Real-Time Transport Protocol (SRTP) as defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3711.
Abstract:
A method is provided of deferring part of a procedure for establishing access security, such as Transport Layer Security (TLS), between a User Equipment (UE) and a Proxy Call Session Control Function (P-CSCF), and instead incorporating that part into a subsequent IP Multimedia Subsystem Authentication and Key Agreement (IMS AKA) procedure involving the User Equipment (UE) and the Proxy Call Session Control Function (P-CSCF). The deferred part is the verification by the User Equipment (UE) of a server certificate associated with the Proxy Call Session Control Function (P-CSCF). A first authorisation token (s_token) is generated (S5) at the Proxy Call Session Control Function (P-CSCF) using the server certificate and at least one session key (CK and/or IK) extracted from an authentication challenge message (SM5) sent (S4) from a Serving Call Session Control Function (S-CSCF) towards the User Equipment (UE) as part of the procedure. The first authorisation token (s_token) is sent (S6, SM6) to the User Equipment (UE). The at least one session key (CK and/or IK) is computed (S7) at the User Equipment (UE) using the challenge message (SM6) received as part of the procedure. A second authorisation token is generated at the User Equipment (UE) using the server certificate and the at least one computed session key (CK and/or IK), according to the same algorithm used to generate the first authorisation token (s_token). The server certificate is verified (S7) at the User Equipment (UE) if the first and second authorisation tokens agree. A method is also disclosed in which part of a TLS procedure is deferred to a subsequent Hypertext Transfer Protocol (HTTP) / Generic Authentication Architecture (GAA) / Generic Bootstrap Architecture (GBA) procedure.
Abstract:
A method is provided for use in interworking a single sign-on authentication architecture (Open ID) and a further authentication architecture (3GPP) in a split terminal scenario. The split terminal scenario is one in which authentication under the single sign-on authentication architecture is required of a browsing agent (8) being used to access a relying party and in response an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent (7). A controlling agent (4) sends (C3) a token to the authentication agent (7). The controlling agent (4) sends (C4) a request to the browsing agent (8) to return a token for comparing with the token sent to the authentication agent (7). The controlling agent (4) waits (C6) for the authentication agent (7) or a user of the authentication agent (7) to communicate (A2) the received token to the browsing agent (8). The controlling agent (4) compares (C10) the received token with the token sent to the authentication agent (7) to determine whether the authentication agent (7) is authorised to perform authentication on behalf of the browsing agent (8).