Abstract:
This invention relates to a key generation and distribution method for an authentication framework for an operator provider network and a service provider network. The method comprises receiving a first request from a first requestor, the first request comprising an identity of the first requestor; generating a new identity (ID) based on the identity of the first requestor; generating a secret key based on an Identity Based Cryptography (IBC) key generation algorithm for the new ID with a predetermined pair of global keys, namely a Global Secret Key (GSK) and a Global Public Key (GPK); transmitting the new ID, the secret key and the GPK to the first requestor; receiving a request from a second requestor, the request comprising a plurality of identities; generating a new ID for each of the plurality of identities; generating a secret key based on the IBC key generation algorithm for each of the plurality of new IDs; and transmitting the plurality of new IDs, the secret keys corresponding to each of the plurality of IDs and the GPK to the second requestor.
Abstract:
This invention relates to a User Equipment (UE) for communicating directly with a core network comprising: a first communication device; a second communication device; an authentication management module; a processor; a storage medium; instructions stored on the storage medium and executable by the processor to: perform a first authentication with the core network to obtain a security context; transmit a security context from the authentication management module to at least one of the first and second communication devices (1220, 1230); and perform a second authentication for one of the first and second communication devices with the core network using the security context from the authentication management module to establish connection with the core network (1240).
Abstract:
Embodiments of the invention provide key generation and authentication methods that dynamically generate device credentials, e.g. a device key, at the core network during the authentication procedure, thereby eliminating the need to store device credentials, e.g. device keys, at the core network. In particular, at a core network node, e.g. an HSS, upon receiving an authentication message which at least includes a device identifier and a service identifier, the core network node generates a device key based at least on the device identifier and a service key which is stored at the core network node and associated with the service identifier, and uses the generated device key to authenticate the device associated with the device identifier.
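The following is an added illustration of the stateless-credential idea in this abstract; it is not the patent's own construction. The core network node (an HSS stand-in) stores one key per service identifier and re-derives each device key on demand from that service key and the device identifier, then runs an HMAC challenge-response with it. The HMAC-SHA256 derivation, the `"device-key"` and `"auth-resp"` labels, and the assumption that the device was provisioned out of band with the same derived key are all choices made for this example.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA256 key derivation; the label separates key purposes (assumed construction)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def derive_device_key(service_key: bytes, device_id: str, service_id: str) -> bytes:
    """Device key is a pure function of the service key and the two identifiers."""
    return kdf(service_key, b"device-key", device_id.encode() + b"|" + service_id.encode())


class CoreNetworkNode:
    """Stand-in for the HSS: holds one key per service and no per-device credentials."""

    def __init__(self, service_keys: dict):
        self._service_keys = dict(service_keys)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, device_id: str, service_id: str, challenge: bytes, response: bytes) -> bool:
        service_key = self._service_keys.get(service_id)
        if service_key is None:
            return False  # unknown service: nothing to derive from
        # The device key is re-derived here instead of being looked up in a per-device table.
        device_key = derive_device_key(service_key, device_id, service_id)
        expected = hmac.new(device_key, b"auth-resp" + challenge + device_id.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """Device provisioned out of band (assumed) with its derived key."""

    def __init__(self, device_id: str, service_id: str, device_key: bytes):
        self.device_id = device_id
        self.service_id = service_id
        self.device_key = device_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.device_key, b"auth-resp" + challenge + self.device_id.encode(),
                        hashlib.sha256).digest()


def authenticate(node: CoreNetworkNode, device: Device) -> bool:
    """One challenge-response round: node challenges, device answers, node verifies."""
    challenge = node.new_challenge()
    return node.verify(device.device_id, device.service_id, challenge, device.respond(challenge))


def demo():
    """Constructed scenario: one service key at the HSS, three devices attempting to authenticate."""
    service_key = secrets.token_bytes(32)  # constructed service key for service "svc-42"
    node = CoreNetworkNode({"svc-42": service_key})
    legit = Device("dev-0001", "svc-42", derive_device_key(service_key, "dev-0001", "svc-42"))
    rogue = Device("dev-0002", "svc-42", secrets.token_bytes(32))  # never provisioned
    wrong_service = Device("dev-0001", "svc-99",
                           derive_device_key(service_key, "dev-0001", "svc-42"))
    return authenticate(node, legit), authenticate(node, rogue), authenticate(node, wrong_service)


if __name__ == "__main__":
    print(demo())
```

Because the HSS keeps only `service_keys`, revoking a device cannot be done by deleting a stored credential; a deployment built this way needs a separate revocation or blacklist check in front of `verify`, and the service key becomes a high-value secret whose compromise yields every device key derived from it.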
Abstract:
A method for devices without a SIM card (SD) to communicate directly with a core network. The method may be performed in the following manner. The SD registers with the core network through a cellular device (MD) in order to obtain a credential for the SD. The credential comprises an Access ID, a key, and control parameters. The SD then performs a mutual authentication directly with the core network using the credential. If the SD authenticates successfully with the core network, the SD is granted access to the servers via the core network.
Abstract:
Embodiments of the invention provide methods and apparatuses for session key generation which use a Diffie-Hellman procedure in both the user equipment and the network, so that an attacker who possesses the credentials of a USIM card cannot recover the session key merely by passively listening to the signal exchanges.
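An added example of the property this abstract describes, written here for illustration and not taken from the patent. A legacy-style session key derived only from the USIM key K and the exchanged nonces is computable by anyone who holds K and records the exchange; binding an ephemeral Diffie-Hellman shared secret into the derivation removes that passive path. The group is the 2048-bit MODP group from RFC 3526 (group 14); the HMAC-SHA256 derivations, the `"classic"`/`"dh"` labels and the message layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Ephemeral private exponent in [2, P-2] and the matching public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> bytes:
    """Reject trivial public values (0, 1, P-1) before exponentiating."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def classic_session_key(k_usim: bytes, rand_net: bytes, nonce_ue: bytes) -> bytes:
    """Legacy-style derivation: depends only on K and values sent in the clear."""
    return hmac.new(k_usim, b"classic" + rand_net + nonce_ue, hashlib.sha256).digest()


def dh_session_key(k_usim: bytes, dh_secret: bytes, rand_net: bytes, nonce_ue: bytes) -> bytes:
    """DH-augmented derivation: additionally binds the ephemeral shared secret."""
    return hmac.new(k_usim, b"dh" + dh_secret + rand_net + nonce_ue, hashlib.sha256).digest()


def run_exchange(k_usim: bytes):
    """Both sides of the exchange. Returns the keys each side computes plus the
    on-air transcript, which is everything a passive listener can record."""
    rand_net = secrets.token_bytes(16)          # network -> UE
    net_priv, net_pub = dh_keypair()            # network -> UE
    nonce_ue = secrets.token_bytes(16)          # UE -> network
    ue_priv, ue_pub = dh_keypair()              # UE -> network
    transcript = {"rand_net": rand_net, "nonce_ue": nonce_ue,
                  "net_pub": net_pub, "ue_pub": ue_pub}
    ue_keys = {
        "classic": classic_session_key(k_usim, rand_net, nonce_ue),
        "dh": dh_session_key(k_usim, dh_shared_secret(ue_priv, net_pub), rand_net, nonce_ue),
    }
    net_keys = {
        "classic": classic_session_key(k_usim, rand_net, nonce_ue),
        "dh": dh_session_key(k_usim, dh_shared_secret(net_priv, ue_pub), rand_net, nonce_ue),
    }
    return ue_keys, net_keys, transcript


def passive_attacker(k_usim: bytes, transcript: dict) -> bytes:
    """Attacker holding K and the recorded transcript but no private exponent.
    The legacy key follows directly; the DH-bound key does not, because the shared
    secret appears nowhere on the air and neither public value substitutes for it."""
    return classic_session_key(k_usim, transcript["rand_net"], transcript["nonce_ue"])


if __name__ == "__main__":
    k = secrets.token_bytes(16)  # constructed USIM key
    ue, net, tr = run_exchange(k)
    print("legacy key recovered by listener:", passive_attacker(k, tr) == ue["classic"])
    print("DH-bound keys agree:", ue["dh"] == net["dh"])
```

The protection is against a passive listener only, exactly as the abstract states: an attacker who holds K and can also modify traffic could run the Diffie-Hellman exchange with each side separately, so in a real design the public values must be authenticated and the UE side should reject public values outside the valid range, as `dh_shared_secret` does here.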
Abstract:
This invention relates to a system for managing and distributing a blacklist of User Equipment IDs (UE IDs) in a network. The system comprises a number of network groups, each of which comprises a blacklist server and a number of authentication servers. The system further comprises a Package Key Generator (PKG). The blacklist server is configured to: store a blacklist containing the UE IDs that are not supposed to gain access to the network; transmit the blacklist to the plurality of authentication servers in the same group; receive a message; determine that the content of the message is an order to add a new revoked UE ID to the blacklist; update the blacklist to include the new revoked UE ID; and send an updated blacklist message to the plurality of authentication servers in the same group.
Abstract:
This invention relates to a unified authentication method for a device to authenticate an operator provider network and a service provider network based on Identity-Based Cryptography, where each of the device, the operator provider network and the service provider network has a different private key and the same Global Public Key (GPK) issued by a public key generator. The unified authentication method comprises: the device generating and transmitting an authentication data package to the operator provider network, the authentication data package including an Authentication Type (Auth. Type) and a Service Provider network's ID (SP_ID), wherein the Auth. Type comprises a first type where authentication involves an element of the operator provider network and an element of the service provider network, a second type where authentication involves only the element of the operator provider network, and a third type where authentication involves only the element of the service provider network; the element of the operator provider network, in response to receiving the authentication data package, determining the type of authentication based on the Authentication Type; the element of the operator provider network, in response to determining the first type of authentication, generating and transmitting a first Authentication Response Message to the device and forwarding the authentication data package to the element of the service provider network based on the SP_ID; and the element of the service provider network, in response to receiving the authentication data package, generating and transmitting a second Authentication Response Message to the device.
Abstract:
Embodiments of the invention relate to authentication between user equipment and the core network with at least an asymmetric key in the USIM/eUICC as the authentication credential, to prevent man-in-the-middle attacks. Embodiments of the invention further relate to the use of the asymmetric key in combination with any of a symmetric key, another pair of asymmetric keys and a Diffie-Hellman (DH) procedure in the authentication and/or key generation procedure.