1. METHOD FOR ESTABLISHING A RANDOM NUMBER FOR SECURITY AND ENCRYPTION, AND A COMMUNICATIONS APPARATUS
    Invention application; status: pending (published)

    Publication number: WO2008133590A9

    Publication date: 2009-11-19

    Application number: PCT/SE2008050479

    Filing date: 2008-04-26

    Abstract: A communications apparatus includes a mobile device. The apparatus includes a receiver for receiving at the mobile device a plurality of signals carrying information, including received signals which provide randomly varying data related to the location of the mobile device. The apparatus includes a random number generator which generates a random number as a function of the data. The apparatus includes a cryptographic key generator which generates a cryptographic key using the random number. A method to establish at a mobile device a random number for cryptographic operations includes the step of receiving at the mobile device a plurality of signals carrying information, including received signals which provide randomly varying data related to the location of the mobile device. There is the step of estimating signal entropy for at least one of the received signals in dependence on the location where the signals are received by the mobile device. There is the step of selecting the at least one entropy-estimated signal having estimated entropy satisfying a predetermined property. There is the step of generating the random number from the at least one entropy-estimated signal.

2. LAWFUL INTERCEPTION OF END-TO-END ENCRYPTED DATA TRAFFIC
    Invention application; status: pending (published)

    Publication number: WO03049357B1

    Publication date: 2003-11-27

    Application number: PCT/EP0214080

    Filing date: 2002-12-06

    Abstract: A method of facilitating the lawful interception of an IP session between two or more terminals 12,13, wherein said session uses encryption to secure traffic. The method comprises storing a key allocated to at least one of said terminals 12,13 or to at least one of the subscribers using one of the terminals 12,13, at the terminal 12,13 and at a node 5,8 within a network 1,6 through which said session is conducted, or a node coupled to that network. Prior to the creation of said session, a seed value is exchanged between the terminal 12,13 at which the key is stored and said node 5,8. The key and the seed value are used at both the terminal 12,13 and the node 5,8 to generate a pre-master key. The pre-master key becomes known to each of the terminals 12,13 involved in the IP session and to the network node 5,8. The pre-master key is used, directly or indirectly, to encrypt and decrypt traffic associated with said IP session.

3. CRYPTOGRAPHIC KEY MANAGEMENT IN COMMUNICATION NETWORKS
    Invention application; status: pending (published)

    Publication number: WO2008048179A3

    Publication date: 2008-06-19

    Application number: PCT/SE2007050734

    Filing date: 2007-10-11

    Abstract: An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity, TCE, (25) creates a master key, Mk, which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between two authenticator nodes (42, 43, 44) that hold the key in the respective access networks when a User Equipment, UE, terminal (41, 51, 52, 53) changes access. The transformation of the Mk is performed via a one-way function, and has the effect that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and type of UE/identity module with which the transformed key is to be utilized. The Mk is never used directly, but is only used to derive the keys that are directly used to protect the access link.

4. CONTROL OF RENDERING PROTECTED CONTENT
    Invention application; status: pending (published)

    Publication number: WO2011053205A8

    Publication date: 2011-11-03

    Application number: PCT/SE2009051235

    Filing date: 2009-11-02

    CPC classification number: G06F21/60 G06F21/10 G06F2221/0755 G06Q30/02

    Abstract: A method and arrangement are disclosed for flexible control of the rendering of protected media comprising first and second content objects. An instruction database is combined with the traditional use of digital rights objects for determining, at a rights parser and instruction handler, the conditions for rendering the first content object. Conditions may force the user to render second content objects or to input requested data, and may adapt to environmental conditions relating, for example, to user profile, location, or time of day. A set of second content objects may be pre-determined and specified in the provided instructions. User selection, from a list of second content objects, of a specified number of second content objects provides for generation of a key enabling successful rendering of the first content object.

6. METHOD AND APPARATUS FOR DELIVERING KEYING INFORMATION
    Invention application; status: pending (published)

    Publication number: WO2007062882A3

    Publication date: 2007-12-13

    Application number: PCT/EP2006064107

    Filing date: 2006-07-11

    Abstract: A method of delivering an application key or keys to an application server for use in securing data exchanged between the application server and a user equipment, the user equipment accessing a communications network via an access domain. The method comprises running an Authentication and Key Agreement procedure between the user equipment and a home domain in order to make keying material available to the user equipment and to an access enforcement point. At least a part of said keying material is used to secure a communication tunnel between the user equipment and the access enforcement point, and one or more application keys are derived within the home domain using at least part of said keying material. The application key(s) are provided to the application server, and the same application key(s) are derived at the user equipment, wherein the access enforcement point is unable to derive or gain access to the application key(s).

7. METHOD AND SYSTEM FOR DATA INTEGRITY PROTECTION
    Invention application; status: pending (published)

    Publication number: WO02091668A3

    Publication date: 2003-01-09

    Application number: PCT/EP0203931

    Filing date: 2002-04-09

    CPC classification number: H04L9/0643 H04L9/3242 H04L2209/80

    Abstract: A method of authenticating a message (111) received via a transmission channel (108) using a Message Authentication Code (MAC). The message comprises a message body (114) and a tag (116), and the method comprises the steps of generating a second tag (115) according to a MAC function (112) on the basis of the received message body and a secret key (113), calculating a distance (117) between the received tag and the generated second tag, and comparing (118) the calculated distance with a predetermined threshold value.

8. METHOD AND APPARATUS FOR ESTABLISHING A SECURITY ASSOCIATION
    Invention application; status: pending (published)

    Publication number: WO2007042512A2

    Publication date: 2007-04-19

    Application number: PCT/EP2006067225

    Filing date: 2006-10-10

    Abstract: A method for establishing a security association between a client and a service node for the purpose of pushing information from the service node to the client, where the client and a key server share a base secret. The method comprises sending a request for generation and provision of a service key from the service node to a key server, the request identifying the client and the service node, generating a service key at the key server using the identities of the client and the service node, the base secret, and additional information, and sending the service key to the service node together with said additional information, forwarding said additional information from the service node to the client, and at the client, generating said service key using the received additional information and the base key. A similar approach may be used to provide p2p key management.

9. METHOD AND APPARATUSES FOR END-TO-EDGE MEDIA PROTECTION IN AN IMS SYSTEM
    Invention application; status: pending (published)

    Publication number: WO2009068985A3

    Publication date: 2009-11-26

    Application number: PCT/IB2008003288

    Filing date: 2008-12-01

    Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node.

10. SECURE AND REPLAY PROTECTED MEMORY STORAGE
    Invention application; status: pending (published)

    Publication number: WO2007062941A2

    Publication date: 2007-06-07

    Application number: PCT/EP2006067807

    Filing date: 2006-10-26

    Abstract: A device (e.g., a mobile device) and method are described herein that can protect data stored in a rewritable, openly accessible memory from replay attacks by using an integrity key and an encryption key to encrypt/decrypt the data, integrity-protect the data via a MAC calculation, and verify the data.
