HK1180169A - Apparatus and method for transitioning enhanced security context from a utran/geran-based serving network to an e-utran-based serving network - Google Patents
Apparatus and method for transitioning enhanced security context from a utran/geran-based serving network to an e-utran-based serving network
Publication number: HK1180169A (application HK13107387.1A)
Authority: HK (Hong Kong)
Prior art keywords: serving network, root key, security context, type, utran
Description
Background
Priority requirements according to 35 U.S.C. § 119
This application claims the benefit of U.S. provisional application No.61/355,977, filed on 17.6.2010, which is incorporated herein by reference.
Cross Reference to Related Applications
The present application relates to U.S. provisional application No. 61/324,646 filed on April 15, 2010, U.S. provisional application No. 61/324,991 filed on April 16, 2010, and U.S. provisional application No. 61/325,001 filed on April 16, 2010.
FIELD
The present invention relates generally to enhanced security context for user equipment operating in Universal Mobile Telecommunications Service (UMTS) and/or GSM Edge Radio Access Network (GERAN) and transitioning to evolved UMTS terrestrial radio access network (E-UTRAN).
Background
Successful AKA authentication in UMTS third generation (3G) radio access networks or GERAN networks using 3G AKA (authentication and key agreement) authentication results in a pair of shared keys, namely a Cipher Key (CK) and an Integrity Key (IK), for protecting communications between the User Equipment (UE) and the network. These shared keys may be used directly to protect traffic between the UE and the network, as in the UTRAN (UMTS terrestrial radio access network) case, or may be used to statically derive keys, e.g. K_C or K_C128 in the GERAN (GSM Edge radio access network) case.
Compromised keys may cause serious security problems until they are changed at the next AKA authentication. AKA authentication typically does not run often due to the large amount of overhead required. In addition, if both keys (CK and IK) are compromised, the GERAN key is compromised.
In UMTS/HSPA (high speed packet access) deployments, some or all of the functionality of the Radio Network Controller (RNC) and the node B may be folded together into one node at the edge of the network. The RNC needs keys for functionalities such as user plane ciphering and signaling plane ciphering and integrity protection. However, RNC functionality may be deployed in exposed locations, such as in a home node B within a UMTS femtocell. Accordingly, RNC functionality providing access (including physical access) deployed in potentially unsecured locations may allow these keys (i.e., CK and IK) to be compromised.
The session keys (modified versions of CK and IK) can be used to reduce security risks associated with exposed RNC functionality. Techniques for providing such session keys are disclosed in U.S. patent application publication No. us 2007/0230707a 1.
The ability to create a root key in E-UTRAN derived from a root key for an enhanced security context in UTRAN/GERAN provides a clear advantage when transitioning from a UTRAN/GERAN based serving network to an E-UTRAN based serving network, as this means that AKA does not have to be run in E-UTRAN to generate a root key in E-UTRAN from a key that has not been exposed outside the core network.
Accordingly, there is a need for techniques for transferring enhanced security context support from a UTRAN/GERAN-based serving network to an E-UTRAN-based serving network.
SUMMARY
An aspect of the present invention may be directed to a method for transferring a security context from a first type of serving network to a second type of serving network. In the method, the remote station generates a first session key and a second session key according to the security context using a first information element and a first root key associated with a first type of serving network. The remote station receives a first message from a second type of serving network. The first message signals the remote station to generate a second root key for the second type of serving network. The remote station generates a second root key using the first root key and the first and second session keys as inputs in response to the first message. The remote station protects wireless communications over the second type of serving network based on the second root key.
In a more particular aspect of the invention, the security context may comprise an enhanced security context, the first type of security serving network may comprise a UTRAN/GERAN-based serving network, and the second type of serving network may comprise an E-UTRAN-based serving network. Further, the first root key may comprise a first enhanced security context root key, and the second root key may comprise a second enhanced security context root key.
In other more detailed aspects of the invention, the first information element may comprise a count. Additionally, the remote station may comprise a mobile user equipment.
Another aspect of the invention may be found in a remote station, which may include: means for generating a first session key and a second session key according to a security context using a first information element and a first root key associated with a first type of serving network; means for receiving a first message from a second type of serving network, wherein the first message signals the remote station to generate a second root key for the second type of serving network; means for generating a second root key in response to the first message using the first root key and the first and second session keys as inputs; and means for securing wireless communications over the second type of serving network based on the second root key.
Another aspect of the invention can be found in a remote station that can include a processor configured to: generate a first session key and a second session key according to a security context using a first information element and a first root key associated with a first type of serving network; receive a first message from a second type of serving network, wherein the first message signals the remote station to generate a second root key for the second type of serving network; generate a second root key in response to the first message using the first root key and the first and second session keys as inputs; and secure wireless communications over the second type of serving network based on the second root key.
Another aspect of the invention may be found in a computer program product comprising a computer readable storage medium including: code for causing a computer to generate a first session key and a second session key according to a security context using a first information element and a first root key associated with a first type of serving network; code for causing a computer to receive a first message from a second type of serving network, wherein the first message signals a remote station to generate a second root key for the second type of serving network; code for causing a computer to generate a second root key in response to the first message using the first root key and the first and second session keys as inputs; and code for causing a computer to secure wireless communications over a second type of serving network based on the second root key.
Brief Description of Drawings
Fig. 1 is a block diagram of an example of a wireless communication system.
Fig. 2A is a block diagram of an example of a wireless communication system according to the UMTS/UTRAN architecture.
Fig. 2B is a block diagram of an example of a wireless communication system according to a GERAN architecture.
Fig. 3 is a block diagram of an example of a wireless communication system in accordance with an E-UTRAN architecture.
Fig. 4 is a flow diagram of a method for transitioning enhanced security context support from a UTRAN/GERAN based serving network to an E-UTRAN based serving network.
Fig. 5 is a flow diagram of a method for establishing an enhanced security context between a remote station and a serving network based on an attach request message.
Fig. 6 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a service request message.
Fig. 7 is a flow diagram of a method for establishing at least one session key from an enhanced security context between a remote station and a serving network based on a routing area update request message.
Fig. 8 is a block diagram of a computer including a processor and a memory.
Fig. 9 is a flow chart of a method for transitioning (i.e., handover) from a UTRAN/GERAN based serving network to an E-UTRAN based serving network.
Detailed Description
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
Referring to fig. 2 through 4, an aspect of the present invention may be directed to a method 400 for transferring an enhanced security context from a UTRAN/GERAN based serving network 230 to an E-UTRAN based serving network 230'. In this method, the remote station 210 generates first and second session keys (CK_S and IK_S) according to the enhanced security context using a first enhanced security context root key (K_ASMEU) associated with the UTRAN/GERAN-based serving network and a first information element (step 410). The remote station receives a first message from the E-UTRAN based serving network (step 420). The first message signals the remote station to generate a second enhanced security context root key (K_ASME) for use in the E-UTRAN based serving network. In response to the first message, the remote station generates the second enhanced security context root key using the first enhanced security context root key and the first and second session keys as inputs (step 430). The remote station protects wireless communications on the E-UTRAN-based serving network based on the second enhanced security context root key (step 440).
The first information element may comprise a count. In addition, the remote station may include a mobile User Equipment (UE), such as a wireless device.
Referring again to fig. 8, another aspect of the invention can be seen in a remote station 210, which can include: means (processor 810) for generating first and second session keys (CK_S and IK_S) according to the enhanced security context using a first enhanced security context root key (K_ASMEU) associated with a UTRAN/GERAN based serving network and a first information element; means for receiving a first message from an E-UTRAN-based serving network, wherein the first message signals the remote station to generate a second enhanced security context root key (K_ASME) for the E-UTRAN-based serving network; means for generating the second enhanced security context root key in response to the first message using the first enhanced security context root key and the first and second session keys as inputs; and means for protecting wireless communications on the GERAN-based serving network based on the second enhanced security context root key.
Another aspect of the invention can be a remote station 210 that can include a processor 810, the processor 810 configured to: generate first and second session keys (CK_S and IK_S) according to the enhanced security context using a first enhanced security context root key (K_ASMEU) associated with a UTRAN/GERAN-based serving network and a first information element; receive a first message from an E-UTRAN-based serving network, wherein the first message signals the remote station to generate a second enhanced security context root key (K_ASME) for the E-UTRAN-based serving network; generate the second enhanced security context root key in response to the first message using the first enhanced security context root key and the first and second session keys as inputs; and secure wireless communications on the E-UTRAN based serving network based on the second enhanced security context root key.
Another aspect of the invention may reside in a computer program product comprising a computer-readable storage medium 820, the computer-readable storage medium 820 comprising: code for causing a computer 800 to generate first and second session keys from an enhanced security context using a first enhanced security context root key and a first information element associated with a UTRAN/GERAN-based serving network; code for causing a computer to receive a first message from an E-UTRAN based serving network, wherein the first message signals the remote station to generate a second enhanced security context root key for the E-UTRAN based serving network; code for causing a computer to generate, in response to the first message, a second enhanced security context root key using the first enhanced security context root key and the first and second session keys as inputs; and code for causing a computer to secure wireless communications over the E-UTRAN based serving network based on the second enhanced security context root key.
The E-UTRAN-based serving network 230' may include an MME that supports Enhanced Security Context (ESC). During handover, the ESC MME receives the session keys CK_S and IK_S and the root key K_ASMEU from the source SGSN. The ESC MME calculates a new root key K_ASME from K_ASMEU using the session keys CK_S and IK_S as input. The remote station 210 performs the same algorithm to obtain the new root key K_ASME from K_ASMEU using the session keys CK_S and IK_S as input. Thus, the new root key K_ASME is fresh and is calculated from keys that have not been exposed outside the core network.
The source serving core network 230 is connected to a serving RAN (radio access network) 220 that provides wireless communication to the remote station 210. In the UMTS/UTRAN architecture, the serving RAN comprises node bs and RNCs (radio network controllers). In the GERAN architecture, the serving RAN includes a BTS (base transceiver station) and a BSC (base station controller). The serving core network comprises an MSC/VLR (mobile switching center/visitor location register) for providing Circuit Switched (CS) services and an SGSN (serving GPRS support node) for providing Packet Switched (PS) services. The home network includes an HLR (home location register) and an AuC (authentication center). The target serving network 230 'is connected to a serving RAN (radio access network) 220', such as an eNB.
The UE 210 and the source serving core network 230 may be enhanced with new security features to create an enhanced UMTS security context (ESC) using COUNT (counter value). When AKA authentication is performed, a 256-bit root key (K_ASMEU) for the ESC can be derived from CK and IK. The root key may be set equal to CK || IK, or a more complex derivation may be used that results in additional useful security properties (e.g., CK and IK need not be maintained). The COUNT may be a 16-bit counter value maintained between the UE and the serving core network. (Note: the legacy UTRAN security context consists of KSI (3-bit key set identifier), CK (128-bit ciphering key), and IK (128-bit integrity key).)
Before handover, the UE 210 and the SGSN 230 share an enhanced security context including the following parameters: KSI (also known as CKSN), a key set identifier that is also used in current UMTS/GERAN, and K_ASMEU, a 256-bit root key for the security context. A session key set CK_S and IK_S may be derived from the root key K_ASMEU and possibly from parameters (e.g. information elements such as counts) exchanged between the UE and the SGSN. At handover, the source SGSN 230 delivers the session keys CK_S and IK_S and the root key K_ASMEU to the target MME 230'.
Fig. 9 is a flow chart of a method for transitioning (i.e., handover) from a UTRAN/GERAN based serving network 220 to an E-UTRAN based serving network 220'. In the method, a new root key K_ASME is derived from the root key K_ASMEU of the enhanced security context in UTRAN/GERAN. This provides a clear advantage, since AKA need not be run in the E-UTRAN based serving network in order to generate there a root key from keys that have not been exposed outside the core network.
The target MME 230' supporting ESC uses the transferred root key K_ASMEU, the session keys CK_S and IK_S, and possibly some additional information to calculate the new root key K_ASME. In a parameter sent as part of the handover signaling (e.g., NAS security parameters to E-UTRAN), the target MME indicates to the UE 210 that a new root key has been derived, and may include additional information used by the MME that is not yet known to the UE; the UE performs the same algorithm to obtain the new root key K_ASME.
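The handover derivation described above, modelled as an added example (this is not code from the patent or from any 3GPP specification). The patent names the KDF family (HMAC-SHA256) but not an input encoding, so the length-prefixed parameter layout, the function code FC_HANDOVER and the "extra" parameter carried in the handover signalling are assumptions of this example; the key values are constructed. The point it shows is that the source SGSN hands K_ASMEU, CK_S and IK_S to the target MME, the MME and the UE run the identical derivation, and the resulting K_ASME differs from K_ASMEU and changes whenever the MME's additional information changes.

```python
import hashlib
import hmac
from typing import Dict, Tuple

FC_HANDOVER = b"\x10"  # hypothetical function code separating this derivation from others


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parameters (constructed encoding)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_k_asme(k_asmeu: bytes, ck_s: bytes, ik_s: bytes, extra: bytes = b"") -> bytes:
    """K_ASME = KDF(K_ASMEU, CK_S, IK_S, extra), run identically by the target MME and the UE."""
    if len(k_asmeu) != 32 or len(ck_s) != 16 or len(ik_s) != 16:
        raise ValueError("K_ASMEU is 256 bits, CK_S and IK_S are 128 bits each")
    return kdf(k_asmeu, FC_HANDOVER, ck_s, ik_s, extra)


class SourceSGSN:
    """Holds the ESC root key and the current session keys; hands all three to the target MME."""

    def __init__(self, k_asmeu: bytes, ck_s: bytes, ik_s: bytes) -> None:
        self.k_asmeu, self.ck_s, self.ik_s = k_asmeu, ck_s, ik_s

    def forward_context(self) -> Dict[str, bytes]:
        return {"K_ASMEU": self.k_asmeu, "CK_S": self.ck_s, "IK_S": self.ik_s}


class TargetMME:
    """ESC-capable MME: derives K_ASME and signals the UE that a new root key exists."""

    def __init__(self) -> None:
        self.k_asme = b""

    def receive_context(self, ctx: Dict[str, bytes], extra: bytes) -> Dict[str, object]:
        self.k_asme = derive_k_asme(ctx["K_ASMEU"], ctx["CK_S"], ctx["IK_S"], extra)
        # Handover signalling (e.g. NAS security parameters to E-UTRAN): flag the new key
        # derivation and carry the additional information the UE does not yet know.
        return {"new_root_key": True, "extra": extra}


class UserEquipment:
    """The remote station: keeps K_ASMEU, CK_S, IK_S and re-derives K_ASME on command."""

    def __init__(self, k_asmeu: bytes, ck_s: bytes, ik_s: bytes) -> None:
        self.k_asmeu, self.ck_s, self.ik_s = k_asmeu, ck_s, ik_s
        self.k_asme = b""

    def handover_command(self, nas_params: Dict[str, object]) -> bytes:
        if not nas_params.get("new_root_key"):
            raise ValueError("handover signalling did not request an ESC root key derivation")
        self.k_asme = derive_k_asme(self.k_asmeu, self.ck_s, self.ik_s, bytes(nas_params["extra"]))
        return self.k_asme


def run_handover(k_asmeu: bytes, ck_s: bytes, ik_s: bytes, extra: bytes = b"") -> Tuple[bytes, bytes]:
    """One UTRAN/GERAN to E-UTRAN handover; returns (UE's K_ASME, MME's K_ASME)."""
    sgsn = SourceSGSN(k_asmeu, ck_s, ik_s)
    mme = TargetMME()
    ue = UserEquipment(k_asmeu, ck_s, ik_s)
    nas_params = mme.receive_context(sgsn.forward_context(), extra)
    return ue.handover_command(nas_params), mme.k_asme


# Constructed sample key material (not real keys).
SAMPLE_K_ASMEU = hashlib.sha256(b"constructed K_ASMEU").digest()
SAMPLE_CK_S = bytes(range(16))
SAMPLE_IK_S = bytes(range(16, 32))

if __name__ == "__main__":
    ue_key, mme_key = run_handover(SAMPLE_K_ASMEU, SAMPLE_CK_S, SAMPLE_IK_S, b"mme-extra")
    print("UE and MME agree:", ue_key == mme_key, "K_ASME:", ue_key.hex())
```

Only K_ASMEU, which never leaves the core network, is needed as the HMAC key; CK_S and IK_S, the keys that may have been exposed at an RNC, enter only as data, which is why the derived K_ASME is fresh with respect to them.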
Referring to fig. 5, in a method 500 related to a UMTS attach procedure, the UE 210 may signal in a UMTS attach request message that the UE 210 supports ESC (step 510). The support signaling may be the presence of a new Information Element (IE) in the message. The IE may include a count value. The new IE will be ignored by a serving network SN 230 that does not support ESC. Authentication data (RAND, XRES, CK, IK, AUTN) is obtained from HLR/AuC 240 (step 515). The SN may indicate ESC support in an AKA challenge (authentication request) to the UE (step 520). The UE performs an authentication procedure (step 525) and returns a response RES to the SN (step 530). Upon successful authentication (step 530), the UE and SN derive a root key K_ASMEU and session keys CK_S and IK_S (step 535). The SN forwards these session keys to RAN 220 in an SMC (security mode command) message (step 540). The RAN uses the session key IK_S to generate a Message Authentication Code (MAC), which is forwarded to the UE in the SMC message (step 545). The UE checks the MAC (step 550) using the session key IK_S it derived in step 535, and returns a completion indication to the RAN (step 555), which forwards the completion indication to the SN (step 560). The UE can then use these session keys to secure communications (step 565).
Referring to fig. 6, in a method 600 related to the idle-to-active mode procedure, the UE 210 forwards a service request message including a count value to the SN 230 (step 610). The UE and SN derive new session keys CK_S and IK_S from the root key K_ASMEU (step 620). The SN may forward the session keys to RAN 220 in an SMC message (step 630). The RAN generates a MAC, which is forwarded to the UE in an SMC message (step 640). The UE checks the MAC (step 650) and returns a completion indication to the RAN (step 660), which forwards the completion indication to the SN (step 670). The UE can then use these session keys to secure communications (step 680).
Referring to fig. 7, in a method 700 related to a mobility management procedure, such as a Routing Area Update (RAU) or Location Area Update (LAU), the UE 210 forwards a RAU (or LAU) request message including a count value to the SN 230 (step 710). Optionally, the UE and SN may derive new session keys CK_S and IK_S from the root key K_ASMEU (step 720). The SN may forward the session keys to RAN 220 in an SMC message (step 730). The RAN may generate a MAC, which may be forwarded to the UE in an SMC message (step 740). The UE may check the MAC (step 750) and may return a completion indication to the RAN (step 760), which forwards the completion indication to the SN (step 770). The SN then sends a RAU accept message to the UE (step 780). The UE can then use these session keys to secure communications.
A new Access Stratum (AS) key may be generated for each transition from idle to active state. Similarly, keys may be generated when other events occur. The count value may be sent in an idle mobility message and in an initial layer 3 message (e.g., attach, RAU, LAU for idle mobility, or service request). The SN may check that the transmitted count value has not been used before and update the stored count value in the process. If the count value is new (e.g., the received count value > the stored count value), then the UE and SN use a Key Derivation Function (KDF) such as HMAC-SHA256 to calculate new keys CK_S and IK_S from the root key K_ASMEU based on the transmitted count value. The KDF may include additional information, such as the RAN node identity, in the new key calculation. If the check fails (the count value is not new), then the SN rejects the message. For GERAN use, K_C and K_C128 are calculated from CK_S and IK_S; in this case, the same procedure that is applied to calculate K_C and K_C128 from CK and IK can be followed.
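The COUNT-based session key derivation and the serving network's freshness check described in the paragraphs above (and the K_ASMEU = CK || IK option mentioned earlier), as an added example that is not code from the patent or from any 3GPP specification. The page names HMAC-SHA256 as the KDF but not an input layout, a MAC algorithm for the SMC, or what happens when the 16-bit COUNT is exhausted; the length-prefixed KDF encoding, the function code FC_SESSION, the 32-bit truncated HMAC as the SMC MAC, the initial stored count of -1 and the "new AKA run needed" rule on exhaustion are all assumptions of this example, and the key material is constructed. The example goes slightly beyond the text by also demonstrating a replayed COUNT being rejected and the RAN node identity changing the derived keys.

```python
import hashlib
import hmac
from typing import Optional, Tuple

COUNT_BITS = 16                     # COUNT is a 16-bit counter (as stated above)
COUNT_MAX = (1 << COUNT_BITS) - 1
FC_SESSION = b"\x20"                # hypothetical function code for the session key derivation


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parameters (constructed encoding)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_k_asmeu(ck: bytes, ik: bytes) -> bytes:
    """256-bit ESC root key, using the simple CK || IK option described above."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK are 128-bit keys")
    return ck + ik


def derive_session_keys(k_asmeu: bytes, count: int, ran_id: bytes = b"") -> Tuple[bytes, bytes]:
    """CK_S, IK_S = KDF(K_ASMEU, COUNT, RAN node identity); the 32-byte output is split in two."""
    if not 0 <= count <= COUNT_MAX:
        raise ValueError("COUNT must fit in 16 bits")
    out = kdf(k_asmeu, FC_SESSION, count.to_bytes(2, "big"), ran_id)
    return out[:16], out[16:]


def smc_mac(ik_s: bytes, smc_payload: bytes) -> bytes:
    """MAC the RAN computes over the SMC with IK_S (HMAC-SHA256 truncated to 32 bits; constructed choice)."""
    return hmac.new(ik_s, smc_payload, hashlib.sha256).digest()[:4]


class ServingNetwork:
    """Core-network side (SGSN/MSC): holds K_ASMEU and the last accepted COUNT."""

    def __init__(self, k_asmeu: bytes) -> None:
        self.k_asmeu = k_asmeu
        self.stored_count = -1      # nothing accepted yet after AKA (assumption)

    def handle_request(self, count: int, ran_id: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Attach / service / RAU request carrying COUNT. Freshness check: received > stored."""
        if not (0 <= count <= COUNT_MAX) or count <= self.stored_count:
            return None             # replayed or stale COUNT: the message is rejected
        self.stored_count = count   # update before deriving so the same COUNT cannot be reused
        return derive_session_keys(self.k_asmeu, count, ran_id)


class UserEquipment:
    """The UE side: picks a fresh COUNT for every request and derives the matching keys."""

    def __init__(self, k_asmeu: bytes) -> None:
        self.k_asmeu = k_asmeu
        self.next_count = 0

    def new_request(self, ran_id: bytes) -> Tuple[int, bytes, bytes]:
        if self.next_count > COUNT_MAX:
            raise RuntimeError("COUNT exhausted: a new AKA run is needed (assumption of this example)")
        count = self.next_count
        self.next_count += 1
        ck_s, ik_s = derive_session_keys(self.k_asmeu, count, ran_id)
        return count, ck_s, ik_s


def service_request(ue: UserEquipment, sn: ServingNetwork, ran_id: bytes,
                    replay_count: Optional[int] = None) -> bool:
    """One idle-to-active run (steps 610 to 680). replay_count simulates a re-sent request that
    carries an old COUNT. Returns True only if the SN accepted the COUNT and the UE's IK_S verifies
    the MAC the RAN put on the SMC."""
    if replay_count is None:
        count, ck_s, ik_s = ue.new_request(ran_id)
    else:
        count = replay_count
        ck_s, ik_s = derive_session_keys(ue.k_asmeu, count, ran_id)
    keys = sn.handle_request(count, ran_id)
    if keys is None:
        return False                # SN rejected the message
    sn_ck_s, sn_ik_s = keys         # forwarded to the RAN in the SMC
    smc = b"SECURITY MODE COMMAND (constructed payload)"
    mac = smc_mac(sn_ik_s, smc)     # RAN side
    return hmac.compare_digest(mac, smc_mac(ik_s, smc)) and ck_s == sn_ck_s   # UE side


if __name__ == "__main__":
    k = derive_k_asmeu(bytes(range(16)), bytes(range(16, 32)))   # constructed CK, IK
    ue, sn = UserEquipment(k), ServingNetwork(k)
    print("first request accepted:", service_request(ue, sn, b"rnc-1"))
    print("replayed COUNT accepted:", service_request(ue, sn, b"rnc-1", replay_count=0))
```

The stored count is advanced before the keys are derived, so a request that fails later in the procedure still consumes its COUNT; that is the property that makes a replayed initial layer 3 message useless to anyone who captured it.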
The session keys (CK_S and IK_S) may have a lifetime such that the UE and the serving network maintain and use these session keys until a new context is created, either when it is no longer necessary to securely send traffic between the UE and the network (the UE moves to idle mode) or when a subsequent event occurs, such as an AKA authentication or mobility event.
The remote station 210 may include a computer 800 that includes a storage medium 820, such as memory, a display 830, and an input device 840, such as a keyboard. The device may include a wireless connection 850.
Referring to fig. 1, a wireless Remote Station (RS) 102 (or UE) may communicate with one or more Base Stations (BSs) 104 of a wireless communication system 100. The wireless communication system 100 may further include one or more Base Station Controllers (BSCs) 106, and a core network 108. The core network may be connected to the internet 110 and a Public Switched Telephone Network (PSTN) 112 via suitable backhauls. A typical wireless mobile station may include a handheld phone or a laptop computer. The wireless communication system 100 may employ any of several multiple-access techniques, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Space Division Multiple Access (SDMA), Polarization Division Multiple Access (PDMA), or other modulation techniques known in the art.
Wireless device 102 may include various components that perform functions based on signals transmitted by or received at the wireless device. For example, a wireless headset may include a transducer adapted to provide an audio output based on a signal received via a receiver. The wireless watch may include a user interface adapted to provide an indication based on a signal received via the receiver. A wireless sensing device may include a sensor adapted to provide data to be transmitted to another device.
The wireless devices may communicate via one or more wireless communication links that are based on or otherwise support any suitable wireless communication technology. For example, in some aspects, a wireless device may be associated with a network. In some aspects, the network may comprise a body area network or a personal area network (e.g., an ultra-wideband network). In some aspects, the network may comprise a local area network or a wide area network. The wireless device may support or otherwise use one or more of various wireless communication technologies, protocols, or standards, such as, for example, CDMA, TDMA, OFDM, OFDMA, WiMAX, and Wi-Fi. Similarly, the wireless device may support or otherwise use one or more of a variety of corresponding modulation or multiplexing schemes. The wireless device may thus include suitable components (e.g., an air interface) for establishing and communicating via one or more wireless communication links using the above or other wireless communication technologies. For example, a device may include a wireless transceiver with associated transmitter and receiver components (e.g., a transmitter and a receiver) that may include various components (e.g., a signal generator and a signal processor) that facilitate communication over a wireless medium.
The teachings herein may be incorporated into (e.g., implemented within or performed by) various apparatuses (e.g., devices). For example, one or more aspects taught herein may be incorporated into a phone (e.g., a cellular phone), a personal digital assistant ("PDA"), an entertainment device (e.g., a music or video device), a headset (e.g., an earpiece, etc.), a microphone, a medical device (e.g., a biometric sensor, a heart rate monitor, a pedometer, an EKG device, etc.), a user I/O device (e.g., a watch, a remote control, a light switch, a keyboard, a mouse, etc.), a tire pressure monitor, a computer, a point of sale (POS) device, an entertainment device, a hearing aid, a set-top box, or any other suitable device.
These devices may have different power and data requirements. In some aspects, the teachings herein may be adapted for use in low power applications (e.g., by using a pulse-based signaling scheme and a low duty cycle mode), and may support various data rates, including relatively high data rates (e.g., by using high bandwidth pulses).
In some aspects, a wireless device may comprise an access device (e.g., a Wi-Fi access point) of a communication system. Such access devices may provide connectivity to another network (e.g., a wide area network such as the internet or a cellular network), for example, via a wired or wireless communication link. Thus, an access device may enable another device (e.g., a Wi-Fi station) to access the other network or some other functionality. Further, it should be appreciated that one or both of these devices may be portable or, in some cases, relatively non-portable.
Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits (bits), symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media includes both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a web site, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (13)
1. A method for transferring a security context from a first type of serving network to a second type of serving network, comprising:
the remote station generating first and second session keys according to the security context using a first information element and a first root key associated with the first type of serving network;
receiving, by the remote station, a first message from the second type of serving network, wherein the first message signals the remote station to generate a second root key for the second type of serving network;
the remote station generating the second root key using the first root key and the first and second session keys as input in response to the first message; and
the remote station protecting wireless communications over the second type of serving network based on the second root key.
2. A method for transitioning as defined in claim 1, wherein the security context comprises an enhanced security context, the first-type serving network comprises a UTRAN/GERAN-based serving network, the second-type serving network comprises an E-UTRAN-based serving network, the first root key comprises a first enhanced security context root key, and the second root key comprises a second enhanced security context root key.
3. A method for transitioning as defined in claim 1, wherein the first information element comprises a count.
4. The method for transitioning of claim 1, wherein the remote station comprises a mobile user equipment.
5. A remote station, comprising:
means for generating first and second session keys according to a security context using a first information element and a first root key associated with a first type of serving network;
means for receiving a first message from a second type of serving network, wherein the first message signals the remote station to generate a root key for the second type of serving network;
means for generating a second root key from the first root key using the first and second session keys as input in response to the first message; and
means for securing wireless communications over the second type of serving network based on the second root key.
6. A remote station as defined in claim 5, wherein the security context comprises an enhanced security context, the first type of serving network comprises a UTRAN/GERAN-based serving network, the second type of serving network comprises an E-UTRAN-based serving network, the first root key comprises a first enhanced security context root key, and the second root key comprises a second enhanced security context root key.
7. A remote station as defined in claim 5, wherein the first information element comprises a count.
8. A remote station, comprising:
a processor configured to:
generate first and second session keys according to a security context using a first information element and a first root key associated with a first type of serving network;
receive a first message from a second type of serving network, wherein the first message signals the remote station to generate a second root key for the second type of serving network;
generate the second root key using the first root key and the first and second session keys as input in response to the first message; and
secure wireless communications over the second type of serving network based on the second root key.
9. A remote station as defined in claim 8, wherein the security context comprises an enhanced security context, the first type of serving network comprises a UTRAN/GERAN-based serving network, the second type of serving network comprises an E-UTRAN-based serving network, the first root key comprises a first enhanced security context root key, and the second root key comprises a second enhanced security context root key.
10. A remote station as defined in claim 8, wherein the first information element comprises a count.
11. A computer program product, comprising:
a computer-readable storage medium comprising:
code for causing a computer to generate first and second session keys according to a security context using a first information element and a first root key associated with a first type of serving network;
code for causing a computer to receive a first message from a second type of serving network, wherein the first message signals a remote station to generate a second root key for the second type of serving network;
code for causing a computer to generate, in response to the first message, the second root key using the first root key and the first and second session keys as inputs; and
code for causing a computer to secure wireless communications over the second type of serving network based on the second root key.
12. The computer program product of claim 11, wherein the security context comprises an enhanced security context, the first type of serving network comprises a UTRAN/GERAN-based serving network, the second type of serving network comprises an E-UTRAN-based serving network, the first root key comprises a first enhanced security context root key, and the second root key comprises a second enhanced security context root key.
13. The computer program product of claim 11, wherein the first information element comprises a count.
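The transition the claims describe, as an added Python sketch that is not the patent's or 3GPP's code: a remote station derives session keys from the first root key and a count (the first information element), and on the serving network's signalling message derives the second root key from the first root key and both session keys, so that both sides reach the same key without it ever being sent. The KDF (HMAC-SHA256), labels, key sizes and message shape are assumptions, not values from this page.

```python
"""Added illustration of the claimed key transition; KDF, labels and
message format are assumptions, not the patent's specification."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def kdf(key: bytes, *inputs: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 over length-prefixed inputs so that
    # different splits of the concatenated inputs cannot collide.
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def session_keys(root_key: bytes, count: int) -> Tuple[bytes, bytes]:
    """Claims 1 and 3: session keys (CK_S, IK_S) from the first root key
    and a count acting as the first information element."""
    ctr = count.to_bytes(4, "big")
    return kdf(root_key, b"CK", ctr), kdf(root_key, b"IK", ctr)


def second_root_key(first_root: bytes, ck: bytes, ik: bytes) -> bytes:
    """Claim 1, third step: the second (E-UTRAN) root key is derived from
    the first root key with both session keys as input."""
    return kdf(first_root, b"E-UTRAN-root", ck, ik)


@dataclass
class RemoteStation:
    first_root: bytes
    count: int
    second_root: Optional[bytes] = None

    def on_transition_message(self, msg: dict) -> bytes:
        """Claim 1, second step: the first message from the second-type
        network signals the station to produce the second root key."""
        if msg.get("type") != "GENERATE_SECOND_ROOT_KEY":
            raise ValueError("unexpected message")
        ck, ik = session_keys(self.first_root, self.count)
        self.second_root = second_root_key(self.first_root, ck, ik)
        self.count += 1  # freshness: the next transition uses a new count
        return self.second_root


def network_side_root(first_root: bytes, count: int) -> bytes:
    """The serving network, holding the same root key and count, repeats
    the derivation; agreement proves nothing secret crossed the air."""
    ck, ik = session_keys(first_root, count)
    return second_root_key(first_root, ck, ik)
```

Running the two sides with the same count yields identical second root keys, and a different count yields a different key, which is what makes the count useful against replay of an old transition.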
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US61/355,977 | 2010-06-17 | | |
| US13/159,212 | 2011-06-13 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1180169A (en) | 2013-10-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101614044B1 (en) | | Apparatus and method for transitioning enhanced security context from a utran/geran-based serving network to an e-utran-based serving network |
| US8848916B2 (en) | | Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node |
| US9191812B2 (en) | | Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node |
| CA2795358C (en) | | Apparatus and method for signaling enhanced security context for session encryption and integrity keys |
| WO2011130684A1 (en) | | Apparatus and method for transitioning enhanced security context from a utran-based serving network to a geran-based serving network |
| HK1180169A (en) | | Apparatus and method for transitioning enhanced security context from a utran/geran-based serving network to an e-utran-based serving network |
| HK1177861B (en) | | Apparatus and method for signaling enhanced security context for session encryption and integrity keys |
| HK1179804B (en) | | Apparatus and method for transitioning from a serving network node that supports an enhanced security context to a legacy serving network node |