HK40016385B - Security key derivation for handover - Google Patents
Security key derivation for handover
- Publication number
- HK40016385B (application HK62020005690.6A)
- Authority
- HK
- Hong Kong
- Prior art keywords
- key
- amf
- freshness parameter
- base station
- target
- Prior art date
Description
Cross-references
This patent application claims the benefit of U.S. Provisional Patent Application No. 62/538,626, filed by Lee et al. on July 28, 2017, entitled “Security Key Derivation for Handover”; and U.S. Patent Application No. 16/035,239, filed by Lee et al. on July 13, 2018, entitled “Security Key Derivation for Handover”; each of which is assigned to the present assignee.
Background Art
The following relates generally to wireless communications, and more particularly to security key derivation for handover.
Wireless communication systems are widely deployed to provide various types of communication content, such as voice, video, packet data, messaging, broadcast, and the like. These systems may be capable of supporting communication with multiple users by sharing the available system resources (e.g., time, frequency, and power). Examples of such multiple access systems include fourth generation (4G) systems, such as Long Term Evolution (LTE) systems or LTE-Advanced (LTE-A) systems, and fifth generation (5G) systems, which may be referred to as New Radio (NR) systems. These systems may employ techniques such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), orthogonal frequency division multiple access (OFDMA), or discrete Fourier transform spread OFDM (DFT-S-OFDM). A wireless multiple access communication system may include several base stations or network access nodes, each of which simultaneously supports communication for multiple communication devices, which may also be referred to as user equipment (UE).
In some wireless communication systems, a network entity (e.g., a mobility management entity (MME)) may use one or more security keys to secure communications across the network (e.g., between a UE and a base station). Security keys may be derived from a number of parameters or by a key derivation function (KDF). In some cases, the network may derive the initial security key using a different method or different parameters than it uses for subsequent security keys, resulting in a complex, chained key derivation. Furthermore, deriving security keys at the target network entity can delay the handover procedure, because security key parameters must be signaled between the target network entity and other network entities.
Summary of the Invention
The described techniques relate to improved methods, systems, devices, or apparatuses that support security key derivation for handover. The described techniques enable a network entity (e.g., an access and mobility function (AMF)) to identify a handover trigger message for a user equipment (UE) handover from a source network entity (e.g., a source AMF) to a target network entity (e.g., a target AMF). Before or during the handover procedure, the source AMF may generate an intermediate key for the target AMF. The intermediate key may be generated based on a freshness parameter and transmitted to the target AMF. The target AMF may use the intermediate key and a second freshness parameter to generate a base station base key at the target AMF.
A method of wireless communication is described. The method may include identifying a handover trigger message that triggers a handover from a source network entity to a target network entity, generating a refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message, and transmitting the refreshed intermediate key to the target network entity.
An apparatus for wireless communication is described. The apparatus may include means for identifying a handover trigger message that triggers a handover from a source network entity to a target network entity, means for generating a refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message, and means for transmitting the refreshed intermediate key to the target network entity.
Another apparatus for wireless communication is described. The apparatus may include a processor, a memory in electronic communication with the processor, and instructions stored in the memory. The instructions are operable to cause the processor to: identify a handover trigger message that triggers a handover from a source network entity to a target network entity, generate a refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message, and transmit the refreshed intermediate key to the target network entity.
A non-transitory computer-readable medium for wireless communication is described. The non-transitory computer-readable medium may include instructions operable to cause a processor to: identify a handover trigger message that triggers a handover from a source network entity to a target network entity, generate a refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message, and transmit the refreshed intermediate key to the target network entity.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating an intermediate key based at least in part on a network entity base key, where the intermediate key may differ from the refreshed intermediate key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating a source base station base key based at least in part on the intermediate key and a second freshness parameter.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for transmitting the source base station base key to the source base station.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating a refreshed source base station base key based at least in part on the second freshness parameter.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the second freshness parameter includes a retention counter for refreshing the source base station base key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating an encryption key for non-access stratum (NAS) signaling and an integrity key for NAS signaling based at least in part on the network entity base key.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the refreshed intermediate key includes a network entity base key of the target network entity.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the network entity base key of the target network entity may be configured to be used specifically for generating a target base station base key.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the source network entity includes a source AMF and the target network entity includes a target AMF.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the refreshed intermediate key may be configured to be used specifically for generating a target base station base key.
A method of wireless communication is described. The method may include: identifying a handover trigger message that triggers a handover from a source network entity to a target network entity; receiving a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based at least in part on a first freshness parameter and is configured specifically for use in generating a target base station base key; and generating the target base station base key based at least in part on the refreshed intermediate key and a second freshness parameter.
An apparatus for wireless communication is described. The apparatus may include: means for identifying a handover trigger message that triggers a handover from a source network entity to a target network entity; means for receiving a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based at least in part on a first freshness parameter and is configured specifically for use in generating a target base station base key; and means for generating the target base station base key based at least in part on the refreshed intermediate key and a second freshness parameter.
Another apparatus for wireless communication is described. The apparatus may include a processor, a memory in electronic communication with the processor, and instructions stored in the memory. The instructions are operable to cause the processor to: identify a handover trigger message that triggers a handover from a source network entity to a target network entity; receive a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based at least in part on a first freshness parameter and is configured specifically for use in generating a target base station base key; and generate the target base station base key based at least in part on the refreshed intermediate key and a second freshness parameter.
A non-transitory computer-readable medium for wireless communication is described. The non-transitory computer-readable medium may include instructions operable to cause a processor to: identify a handover trigger message that triggers a handover from a source network entity to a target network entity; receive a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based at least in part on a first freshness parameter and is configured specifically for use in generating a target base station base key; and generate the target base station base key based at least in part on the refreshed intermediate key and a second freshness parameter.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the refreshed intermediate key may differ from the intermediate key used at the source network entity.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the refreshed intermediate key includes a chained key of the network entity base key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating the target base station base key based at least in part on the intermediate key and a third freshness parameter.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the third freshness parameter includes a retention counter for refreshing the target base station base key.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the source network entity includes a source AMF and the target network entity includes a target AMF.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the second freshness parameter includes a retention counter for refreshing the target base station base key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for transmitting the target base station base key to the target base station.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving a refreshed network entity base key after the handover is completed.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating an encryption key for NAS signaling and an integrity key for NAS signaling based at least in part on the refreshed network entity base key.
A method of wireless communication is described. The method may include receiving, from a source network entity, a handover command message that triggers a handover to a target network entity, receiving an indication of a first freshness parameter, and generating a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, where the refreshed intermediate key is configured specifically for use in generating a target base station base key.
An apparatus for wireless communication is described. The apparatus may include: means for receiving, from a source network entity, a handover command message that triggers a handover to a target network entity; means for receiving an indication of a first freshness parameter; and means for generating a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, where the refreshed intermediate key is configured specifically for use in generating a target base station base key.
Another apparatus for wireless communication is described. The apparatus may include a processor, a memory in electronic communication with the processor, and instructions stored in the memory. The instructions are operable to cause the processor to: receive, from a source network entity, a handover command message that triggers a handover to a target network entity; receive an indication of a first freshness parameter; and generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, where the refreshed intermediate key is configured specifically for use in generating a target base station base key.
A non-transitory computer-readable medium for wireless communication is described. The non-transitory computer-readable medium may include instructions operable to cause a processor to: receive, from a source network entity, a handover command message that triggers a handover to a target network entity; receive an indication of a first freshness parameter; and generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, where the refreshed intermediate key is configured specifically for use in generating a target base station base key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving an indication of a second freshness parameter. Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating the target base station base key based at least in part on the refreshed intermediate key and the second freshness parameter.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving an indication of an updated second freshness parameter. Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for refreshing the target base station base key based at least in part on the updated second freshness parameter.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving an indication of an updated refreshed intermediate key. Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for refreshing the target base station base key based at least in part on the updated refreshed intermediate key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving an indication of an updated first freshness parameter. Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for refreshing the target base station base key based at least in part on the updated first freshness parameter.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for communicating with the target base station based at least in part on the target base station base key.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the second freshness parameter includes a retention counter for refreshing the target base station base key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for generating an intermediate key based at least in part on a network entity base key, where the intermediate key may differ from the refreshed intermediate key.
Some examples of the methods, apparatus, and non-transitory computer-readable media described above may further include processes, features, means, or instructions for receiving an indication that the refreshed intermediate key is configured specifically for use in generating a target base station base key.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof.
In some examples of the methods, apparatus, and non-transitory computer-readable media described above, the source network entity includes a source AMF and the target network entity includes a target AMF.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an example of a wireless communication system that supports security key derivation for handover according to aspects of the present disclosure.
FIG. 2 illustrates an example of a wireless communication system that supports security key derivation for handover according to aspects of the present disclosure.
FIGS. 3 through 6 illustrate example key derivations that support security key derivation for handover according to aspects of the present disclosure.
FIG. 7 illustrates an example of a process flow that supports security key derivation for handover according to aspects of the present disclosure.
FIGS. 8 through 10 show block diagrams of devices that support security key derivation for handover according to aspects of the present disclosure.
FIG. 11 illustrates a block diagram of a system including a network entity that supports security key derivation for handover according to aspects of the present disclosure.
FIGS. 12 through 14 show block diagrams of devices that support security key derivation for handover according to aspects of the present disclosure.
FIG. 15 illustrates a block diagram of a system including a UE that supports security key derivation for handover according to aspects of the present disclosure.
FIGS. 16 through 24 illustrate methods for security key derivation for handover according to aspects of the present disclosure.
DETAILED DESCRIPTION
The described techniques relate to improved methods, systems, devices, or apparatuses that support security key derivation for handover. A network entity (e.g., a mobility management entity (MME) or an access and mobility function (AMF)) may use access stratum (AS) keys to secure communications between a user equipment (UE) and a base station, or between other network entities across the network. If network conditions begin to degrade or the UE needs to be relocated to a new network entity (e.g., due to UE mobility), the serving network entity (e.g., the source network entity) may initiate a handover procedure to the new network entity (e.g., the target network entity). In some aspects, the source and target network entities may derive the AS key (e.g., KgNB) for the handover procedure in a unified manner based on an intermediate key. For example, regardless of whether the AS key is derived for the first time or a subsequent time, the procedure for deriving the AS key (e.g., KgNB) may be based on this intermediate key, which can increase efficiency and reduce complexity compared with techniques that derive the AS key differently for the first and subsequent derivations.
In some aspects, the intermediate key may be an AS root key (e.g., KAS_root) derived from a network entity key (e.g., KAMF). The intermediate key may be shared between the UE and the network entity, and may also be used to secure communications between the UE and the network entity. The source network entity may derive a refreshed intermediate key based on a freshness parameter and then transmit the refreshed intermediate key to the target network entity. The target network entity may then use the received intermediate key to derive the AS key (e.g., KgNB). Transmitting the refreshed intermediate key for the purpose of deriving the AS key at the target network entity thus provides key separation between the source and target network entities. In addition, transmitting the intermediate key (as opposed to a higher-level key such as KAMF) provides stronger security than techniques that share higher-level keys between entities. Furthermore, using the intermediate key in this manner supports an efficient handover procedure, because the target network entity can begin deriving the AS key to send to the target base station before it has to receive or derive a higher-level key (e.g., a new KAMF) from another network entity. Using the intermediate key in this manner may also be applied to inter-system handover (e.g., between a next-generation system and a legacy system).
Aspects of the present disclosure are initially described in the context of a wireless communication system. Various key derivations are then described. A process flow illustrating aspects of the present disclosure is also described. Aspects of the present disclosure are further illustrated by, and described with reference to, device diagrams, system diagrams, and flowcharts relating to security key derivation for handover.
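The key hierarchy described above and in the Summary (KAMF at the network entity, an intermediate AS root key chained from it with a first freshness parameter, and a base station key derived from the intermediate key with a retention counter) can be walked through end to end. The following Python is an added example written for this page; it is not code from the patent or from any 3GPP implementation. It assumes HMAC-SHA-256 as the KDF and a length-prefixed parameter encoding, assumes the first freshness parameter is the uplink NAS count combined with the source's intermediate-key retention counter (one of the combinations the page lists), and uses hypothetical function and label names. The sample KAMF value is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed KDF: HMAC-SHA-256 over a label followed by length-prefixed parameters.
# The page does not specify the KDF or its input encoding; this is an assumption.
def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def u32(n: int) -> bytes:
    return n.to_bytes(4, "big")


def derive_intermediate(k_amf: bytes, ul_nas_count: int, retention: int) -> bytes:
    """AS root key (intermediate key) chained from the network entity base key K_AMF.
    First freshness parameter (assumed): uplink NAS count + intermediate-key retention counter."""
    return kdf(k_amf, b"K_AS_root", u32(ul_nas_count), u32(retention))


def derive_kgnb(k_as_root: bytes, gnb_retention: int) -> bytes:
    """Base station base key K_gNB from the intermediate key and a base-station
    retention counter (the page's second or third freshness parameter)."""
    return kdf(k_as_root, b"K_gNB", u32(gnb_retention))


def derive_nas_keys(k_amf: bytes) -> Tuple[bytes, bytes]:
    """NAS encryption and integrity keys come from K_AMF only, which the target
    AMF never receives during the handover in this scheme."""
    return kdf(k_amf, b"NAS_enc"), kdf(k_amf, b"NAS_int")


@dataclass
class HandoverResult:
    intermediate_before: bytes    # K_AS_root in use at the source before handover
    refreshed_intermediate: bytes # the only key the source AMF sends to the target AMF
    source_kgnb: bytes            # key held by the source base station
    target_kgnb: bytes            # derived by the target AMF for the target base station
    ue_kgnb: bytes                # derived independently by the UE


def simulate_handover(k_amf: bytes, ul_nas_count: int, src_retention: int,
                      src_gnb_retention: int, tgt_gnb_retention: int,
                      ue_retention_view: Optional[int] = None) -> HandoverResult:
    """Play the source AMF, target AMF and UE roles in sequence.
    ue_retention_view lets the UE act on a stale counter to show the failure mode."""
    # Source AMF: intermediate key currently in use, and the source base station key.
    k_as_root = derive_intermediate(k_amf, ul_nas_count, src_retention)
    source_kgnb = derive_kgnb(k_as_root, src_gnb_retention)

    # Handover trigger: the source bumps its retention counter and derives a refreshed
    # intermediate key. Only that key crosses to the target AMF; K_AMF stays put.
    new_retention = src_retention + 1
    refreshed = derive_intermediate(k_amf, ul_nas_count, new_retention)

    # Target AMF: derives K_gNB from the refreshed intermediate key and its own
    # retention counter, without waiting for a new K_AMF.
    target_kgnb = derive_kgnb(refreshed, tgt_gnb_retention)

    # UE: receives the handover command plus indications of both freshness parameters
    # and mirrors the derivation from its own copy of K_AMF.
    ue_retention = new_retention if ue_retention_view is None else ue_retention_view
    ue_kgnb = derive_kgnb(derive_intermediate(k_amf, ul_nas_count, ue_retention),
                          tgt_gnb_retention)

    return HandoverResult(k_as_root, refreshed, source_kgnb, target_kgnb, ue_kgnb)


# Constructed sample K_AMF for the demonstration; not a real key.
K_AMF_SAMPLE = bytes(range(32))

if __name__ == "__main__":
    r = simulate_handover(K_AMF_SAMPLE, ul_nas_count=17, src_retention=3,
                          src_gnb_retention=0, tgt_gnb_retention=0)
    print("UE and target AMF agree on K_gNB:", r.ue_kgnb == r.target_kgnb)
    print("intermediate key was refreshed:", r.refreshed_intermediate != r.intermediate_before)
    print("source and target K_gNB differ:", r.source_kgnb != r.target_kgnb)
```

The two properties the text argues for fall out of the structure: the target AMF only ever sees the refreshed intermediate key, so it cannot recover KAMF or the NAS keys, and the source base station's key and the target base station's key differ because they hang off different intermediate keys. Passing a stale counter through `ue_retention_view` shows why the freshness parameter must be indicated to the UE: with mismatched counters the UE and the target derive different keys and the handover cannot be secured.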
图1说明根据本公开的各种方面的无线通信系统100的实例。无线通信系统100包含基站105、UE 115及核心网络130。在一些实例中,无线通信系统100可为长期演进(LTE)网络、LTE-高级(LTE-A)网络或新无线电(NR)网络。在一些情况下,无线通信系统100可支持增强型宽带通信、超可靠(例如,关键任务)通信、低时延通信或与低成本及低复杂性装置的通信。FIG1 illustrates an example of a wireless communication system 100 according to various aspects of the present disclosure. The wireless communication system 100 includes a base station 105, a UE 115, and a core network 130. In some examples, the wireless communication system 100 may be a Long Term Evolution (LTE) network, an LTE-Advanced (LTE-A) network, or a New Radio (NR) network. In some cases, the wireless communication system 100 may support enhanced broadband communication, ultra-reliable (e.g., mission-critical) communication, low-latency communication, or communication with low-cost and low-complexity devices.
基站105可经由一或多个基站天线与UE 115无线通信。本文中所描述的基站105可包含或可被所属领域的技术人员称为基站收发器台、无线电基站、接入点、无线电收发器、节点B、演进节点B(eNB)、下一代节点B或千兆节点B(其中的任一个可被称为gNB)、家庭节点B、家庭演进节点B或其它合适的术语。无线通信系统100可包含不同类型的基站105(例如,巨型或小型小区基站)。本文中所描述的UE 115可能够与各种类型的基站105及网络设备(包含巨型eNB、小型小区eNB、gNB、中继基站等)通信。The base station 105 can communicate wirelessly with the UE 115 via one or more base station antennas. The base station 105 described herein may include or may be referred to by those skilled in the art as a base transceiver station, a radio base station, an access point, a radio transceiver, a Node B, an evolved Node B (eNB), a next-generation Node B, or a giga-Node B (any of which may be referred to as a gNB), a Home Node B, a Home eNode B, or other suitable terminology. The wireless communication system 100 may include different types of base stations 105 (e.g., macro or small cell base stations). The UE 115 described herein may be capable of communicating with various types of base stations 105 and network equipment (including macro eNBs, small cell eNBs, gNBs, relay base stations, etc.).
Each base station 105 may be associated with a particular geographic coverage area 110 in which communications with various UEs 115 are supported. Each base station 105 may provide communication coverage for its respective geographic coverage area 110 via communication links 125, and the communication links 125 between a base station 105 and a UE 115 may utilize one or more carriers. The communication links 125 shown in the wireless communication system 100 may include uplink transmissions from a UE 115 to a base station 105, or downlink transmissions from a base station 105 to a UE 115. Downlink transmissions may also be referred to as forward link transmissions, while uplink transmissions may also be referred to as reverse link transmissions.
The geographic coverage area 110 of a base station 105 may be divided into sectors that each constitute only a portion of the geographic coverage area 110, and each sector may be associated with a cell. For example, each base station 105 may provide communication coverage for a macro cell, a small cell, a hotspot, or other types of cells, or various combinations thereof. In some examples, a base station 105 may be mobile and therefore provide communication coverage for a moving geographic coverage area 110. In some examples, different geographic coverage areas 110 associated with different technologies may overlap, and the overlapping geographic coverage areas 110 associated with different technologies may be supported by the same base station 105 or by different base stations 105. The wireless communication system 100 may include a heterogeneous LTE/LTE-A or NR network in which different types of base stations 105 provide coverage for various geographic coverage areas 110.
The term "cell" refers to a logical communication entity used for communication with a base station 105 (e.g., over a carrier), and may be associated with an identifier (e.g., a physical cell identifier (PCID), a virtual cell identifier (VCID)) used to distinguish neighboring cells operating via the same or different carriers. In some examples, a carrier may support multiple cells, and different cells may be configured according to different protocol types (e.g., machine-type communication (MTC), narrowband Internet of Things (NB-IoT), enhanced mobile broadband (eMBB), or other protocols) that may provide access to different types of devices. In some cases, the term "cell" may refer to a portion (e.g., a sector) of a geographic coverage area 110 over which the logical entity operates.
UEs 115 may be dispersed throughout the wireless communication system 100, and each UE 115 may be stationary or mobile. A UE 115 may also be referred to as a mobile device, a wireless device, a remote device, a handheld device, or a subscriber device, or some other suitable terminology, where the "device" may also be referred to as a unit, a station, a terminal, or a client. A UE 115 may also be a personal electronic device such as a cellular phone, a personal digital assistant (PDA), a tablet computer, a laptop computer, or a personal computer. In some examples, a UE 115 may also refer to a wireless local loop (WLL) station, an Internet of Things (IoT) device, an Internet of Everything (IoE) device, or an MTC device, which may be implemented in various articles such as appliances, vehicles, meters, and the like.
Some UEs 115, such as MTC or IoT devices, may be low-cost or low-complexity devices and may provide for automated communication between machines (e.g., via machine-to-machine (M2M) communication). M2M communication or MTC may refer to data communication technologies that allow devices to communicate with one another or with a base station 105 without human intervention. In some examples, M2M communication or MTC may include communications from devices that integrate sensors or meters to measure or capture information and relay that information to a central server or application program that can make use of the information or present the information to humans interacting with the program or application. Some UEs 115 may be designed to collect information or enable automated behavior of machines. Examples of applications for MTC devices include smart metering, inventory monitoring, water level monitoring, equipment monitoring, healthcare monitoring, wildlife monitoring, weather and geological event monitoring, fleet management and tracking, remote security sensing, physical access control, and transaction-based business charging.
Some UEs 115 may be configured to employ operating modes that reduce power consumption, such as half-duplex communication (e.g., a mode that supports one-way communication via transmission or reception, but not simultaneous transmission and reception). In some examples, half-duplex communication may be performed at a reduced peak rate. Other power conservation techniques for UEs 115 include entering a power-saving "deep sleep" mode when not engaged in active communications, or operating over a limited bandwidth (e.g., according to narrowband communications). In some cases, UEs 115 may be designed to support critical functions (e.g., mission-critical functions), and the wireless communication system 100 may be configured to provide ultra-reliable communications for these functions.
In some cases, a UE 115 may also be able to communicate directly with other UEs 115 (e.g., using a peer-to-peer (P2P) or device-to-device (D2D) protocol). One or more of a group of UEs 115 utilizing D2D communications may be within the geographic coverage area 110 of a base station 105. Other UEs 115 in such a group may be outside the geographic coverage area 110 of the base station 105, or otherwise unable to receive transmissions from the base station 105. In some cases, a group of UEs 115 communicating via D2D communications may utilize a one-to-many (1:M) system in which each UE 115 transmits to every other UE 115 in the group. In some cases, a base station 105 facilitates the scheduling of resources for D2D communications. In other cases, D2D communications are carried out between UEs 115 without the involvement of a base station 105.
Base stations 105 may communicate with the core network 130 and with one another. For example, base stations 105 may interface with the core network 130 through backhaul links 132 (e.g., S1, N2, N3). Base stations 105 may communicate with one another over backhaul links 134 (e.g., X2, Xn) either directly (e.g., directly between base stations 105) or indirectly (e.g., via the core network 130).
The core network 130 may provide user authentication, access authorization, tracking, Internet Protocol (IP) connectivity, and other access, routing, or mobility functions. The core network 130 may be an evolved packet core (EPC), which may include at least one mobility management entity (MME), at least one serving gateway (S-GW), and at least one packet data network (PDN) gateway (P-GW). The MME may manage non-access stratum (e.g., control plane) functions such as mobility, authentication, and bearer management for UEs 115 served by base stations 105 associated with the EPC. User IP packets may be transferred through the S-GW, which itself may be connected to the P-GW. The P-GW may provide IP address allocation as well as other functions. The P-GW may be connected to the network operator's IP services. The operator IP services may include access to the Internet, an intranet, an IP multimedia subsystem (IMS), or packet-switched (PS) streaming services.
At least some of the network devices, such as base stations 105, may include subcomponents such as an access network entity, which may be an example of an access node controller (ANC). Each access network entity may communicate with UEs 115 through a number of other access network transmission entities, which may be referred to as radio heads, smart radio heads, or transmission/reception points (TRPs). In some configurations, the various functions of each access network entity or base station 105 may be distributed across various network devices (e.g., radio heads and access network controllers) or consolidated into a single network device (e.g., a base station 105).
The wireless communication system 100 may operate using one or more frequency bands, typically in the range of 300 megahertz (MHz) to 300 gigahertz (GHz). Generally, the region from 300 MHz to 3 GHz is known as the ultra-high frequency (UHF) region or decimeter band, because the wavelengths range from approximately one decimeter to one meter in length. UHF waves may be blocked or redirected by buildings and environmental features. However, the waves may penetrate structures sufficiently for a macro cell to provide service to UEs 115 located indoors. Transmission of UHF waves may be associated with smaller antennas and shorter range (e.g., less than 100 km) compared to transmission using the smaller frequencies and longer waves of the high frequency (HF) or very high frequency (VHF) portions of the spectrum below 300 MHz.
The wireless communication system 100 may also operate in the super high frequency (SHF) region, which uses frequency bands from 3 GHz to 30 GHz and is also known as the centimeter band. The SHF region includes bands such as the 5 GHz industrial, scientific, and medical (ISM) band, which may be used opportunistically by devices that can tolerate interference from other users.
The wireless communication system 100 may also operate in the extremely high frequency (EHF) region of the spectrum (e.g., from 25 GHz to 300 GHz), also known as the millimeter band. In some examples, the wireless communication system 100 may support millimeter wave (mmW) communications between UEs 115 and base stations 105, and the EHF antennas of the respective devices may be even smaller and more closely spaced than UHF antennas. In some cases, this may facilitate the use of antenna arrays within a UE 115. However, the propagation of EHF transmissions may be subject to even greater atmospheric attenuation and a shorter range than SHF or UHF transmissions. The techniques disclosed herein may be employed across transmissions that use one or more different frequency regions, and the designated use of bands across these frequency regions may differ by country or regulating body.
In some cases, the wireless communication system 100 may utilize both licensed and unlicensed radio frequency spectrum bands. For example, the wireless communication system 100 may employ License Assisted Access (LAA), LTE-Unlicensed (LTE-U) radio access technology, or NR technology in an unlicensed band such as the 5 GHz ISM band. When operating in unlicensed radio frequency spectrum bands, wireless devices such as base stations 105 and UEs 115 may employ listen-before-talk (LBT) procedures to ensure that a channel is clear before transmitting data. In some cases, operation in an unlicensed band may be based on a CA configuration in conjunction with CCs operating in a licensed band (e.g., LAA). Operation in unlicensed spectrum may include downlink transmissions, uplink transmissions, peer-to-peer transmissions, or a combination of these. Duplexing in unlicensed spectrum may be based on frequency division duplexing (FDD), time division duplexing (TDD), or a combination of both.
In some examples, a base station 105 or a UE 115 may be equipped with multiple antennas, which may be used to employ techniques such as transmit diversity, receive diversity, multiple-input multiple-output (MIMO) communications, or beamforming. For example, the wireless communication system 100 may use a transmission scheme between a transmitting device (e.g., a base station 105) and a receiving device (e.g., a UE 115), where the transmitting device is equipped with multiple antennas and the receiving device is equipped with one or more antennas. MIMO communications may employ multipath signal propagation to increase spectral efficiency by transmitting or receiving multiple signals via different spatial layers, which may be referred to as spatial multiplexing. The multiple signals may, for example, be transmitted by the transmitting device via different antennas or different combinations of antennas. Likewise, the multiple signals may be received by the receiving device via different antennas or different combinations of antennas. Each of the multiple signals may be referred to as a separate spatial stream, and may carry bits associated with the same data stream (e.g., the same codeword) or different data streams. Different spatial layers may be associated with different antenna ports used for channel measurement and reporting. MIMO techniques include single-user MIMO (SU-MIMO), where multiple spatial layers are transmitted to the same receiving device, and multi-user MIMO (MU-MIMO), where multiple spatial layers are transmitted to multiple devices.
Beamforming, which may also be referred to as spatial filtering, directional transmission, or directional reception, is a signal processing technique that may be used at a transmitting device or a receiving device (e.g., a base station 105 or a UE 115) to shape or steer an antenna beam (e.g., a transmit beam or a receive beam) along a spatial path between the transmitting device and the receiving device. Beamforming may be achieved by combining the signals communicated via antenna elements of an antenna array such that signals propagating at particular orientations with respect to the antenna array experience constructive interference while others experience destructive interference. The adjustment of signals communicated via the antenna elements may include a transmitting device or a receiving device applying certain amplitude and phase offsets to signals carried via each of the antenna elements associated with the device. The adjustments associated with each of the antenna elements may be defined by a beamforming weight set associated with a particular orientation (e.g., with respect to the antenna array of the transmitting device or receiving device, or with respect to some other orientation).
In one example, a base station 105 may use multiple antennas or antenna arrays to conduct beamforming operations for directional communications with a UE 115. For instance, some signals (e.g., synchronization signals, reference signals, beam selection signals, or other control signals) may be transmitted by a base station 105 multiple times in different directions, which may include a signal being transmitted according to different beamforming weight sets associated with different directions of transmission. Transmissions in different beam directions may be used to identify (e.g., by the base station 105 or by a receiving device such as a UE 115) a beam direction for subsequent transmission and/or reception by the base station 105. Some signals, such as data signals associated with a particular receiving device, may be transmitted by a base station 105 in a single beam direction (e.g., a direction associated with the receiving device, such as a UE 115). In some examples, the beam direction associated with transmissions along a single beam direction may be determined based at least in part on a signal that was transmitted in different beam directions. For example, a UE 115 may receive one or more of the signals transmitted by the base station 105 in different directions, and the UE 115 may report to the base station 105 an indication of the signal it received with the highest signal quality, or an otherwise acceptable signal quality. Although these techniques are described with reference to signals transmitted in one or more directions by a base station 105, a UE 115 may employ similar techniques for transmitting signals multiple times in different directions (e.g., for identifying a beam direction for subsequent transmission or reception by the UE 115), or for transmitting a signal in a single direction (e.g., for transmitting data to a receiving device).
A receiving device (e.g., a UE 115, which may be an example of a mmW receiving device) may try multiple receive beams when receiving various signals from the base station 105, such as synchronization signals, reference signals, beam selection signals, or other control signals. For example, a receiving device may try multiple receive directions by receiving via different antenna subarrays, by processing received signals according to different antenna subarrays, by receiving according to different receive beamforming weight sets applied to signals received at multiple antenna elements of an antenna array, or by processing received signals according to different receive beamforming weight sets applied to signals received at multiple antenna elements of an antenna array, any of which may be referred to as "listening" according to different receive beams or receive directions. In some examples, a receiving device may use a single receive beam to receive along a single beam direction (e.g., when receiving a data signal). The single receive beam may be aligned in a beam direction determined based at least in part on listening according to different receive beam directions (e.g., a beam direction determined to have the highest signal strength, highest signal-to-noise ratio, or otherwise acceptable signal quality based at least in part on listening according to multiple beam directions).
In some cases, the antennas of a base station 105 or a UE 115 may be located within one or more antenna arrays, which may support MIMO operations or transmit or receive beamforming. For example, one or more base station antennas or antenna arrays may be co-located at an antenna assembly, such as an antenna tower. In some cases, antennas or antenna arrays associated with a base station 105 may be located in diverse geographic locations. A base station 105 may have an antenna array with a number of rows and columns of antenna ports that the base station 105 may use to support beamforming of communications with a UE 115. Likewise, a UE 115 may have one or more antenna arrays that may support various MIMO or beamforming operations.
In some cases, the wireless communication system 100 may be a packet-based network that operates according to a layered protocol stack. In the user plane, communications at the bearer or Packet Data Convergence Protocol (PDCP) layer may be IP-based. In some cases, a Radio Link Control (RLC) layer may perform packet segmentation and reassembly to communicate over logical channels. A Medium Access Control (MAC) layer may perform priority handling and multiplexing of logical channels into transport channels. The MAC layer may also use hybrid automatic repeat request (HARQ) to provide retransmission at the MAC layer to improve link efficiency. In the control plane, the Radio Resource Control (RRC) protocol layer may provide establishment, configuration, and maintenance of an RRC connection between a UE 115 and a base station 105 or a core network 130 supporting radio bearers for user plane data. At the physical (PHY) layer, transport channels may be mapped to physical channels.
In some cases, UEs 115 and base stations 105 may support retransmissions of data to increase the likelihood that data is received successfully. HARQ feedback is one technique for increasing the likelihood that data is received correctly over a communication link 125. HARQ may include a combination of error detection (e.g., using a cyclic redundancy check (CRC)), forward error correction (FEC), and retransmission (e.g., automatic repeat request (ARQ)). HARQ may improve throughput at the MAC layer in poor radio conditions (e.g., signal-to-noise conditions). In some cases, a wireless device may support same-slot HARQ feedback, where the device may provide HARQ feedback in a specific slot for data received in a previous symbol in the slot. In other cases, the device may provide HARQ feedback in a subsequent slot, or according to some other time interval.
Time intervals in LTE or NR may be expressed in multiples of a basic time unit, which may refer to a sampling period of Ts = 1/30,720,000 seconds. Time intervals of a communications resource may be organized according to radio frames, each having a duration of 10 milliseconds (ms), where the frame period may be expressed as Tf = 307,200 Ts. The radio frames may be identified by a system frame number (SFN) ranging from 0 to 1023. Each frame may include 10 subframes numbered from 0 to 9, and each subframe may have a duration of 1 ms. A subframe may be further divided into 2 slots, each having a duration of 0.5 ms, and each slot may contain 6 or 7 modulation symbol periods (e.g., depending on the length of the cyclic prefix prepended to each symbol period). Excluding the cyclic prefix, each symbol period may contain 2048 sampling periods. In some cases, a subframe may be the smallest scheduling unit of the wireless communication system 100, and may be referred to as a transmission time interval (TTI). In other cases, the smallest scheduling unit of the wireless communication system 100 may be shorter than a subframe, or may be dynamically selected (e.g., in bursts of shortened TTIs (sTTIs) or in selected component carriers using sTTIs).
In some wireless communication systems, a slot may be further divided into multiple mini-slots containing one or more symbols. In some cases, a symbol of a mini-slot, or the mini-slot itself, may be the smallest scheduling unit. Each symbol may vary in duration depending on, for example, the subcarrier spacing or the frequency band of operation. Further, some wireless communication systems may implement slot aggregation, in which multiple slots or mini-slots are aggregated together and used for communication between a UE 115 and a base station 105.
The term "carrier" refers to a set of radio frequency spectrum resources having a defined physical layer structure for supporting communications over a communication link 125. For example, a carrier of a communication link 125 may include a portion of a radio frequency spectrum band that is operated according to physical layer channels for a given radio access technology. Each physical layer channel may carry user data, control information, or other signaling. A carrier may be associated with a predefined frequency channel (e.g., an E-UTRA absolute radio frequency channel number (EARFCN)) and may be positioned according to a channel raster for discovery by UEs 115. A carrier may be downlink or uplink (e.g., in an FDD mode), or may be configured to carry both downlink and uplink communications (e.g., in a TDD mode). In some examples, the signal waveforms transmitted over a carrier may be made up of multiple subcarriers (e.g., using multi-carrier modulation (MCM) techniques such as OFDM or DFT-s-OFDM).
The organizational structure of a carrier may differ for different radio access technologies (e.g., LTE, LTE-A, NR, etc.). For example, communications over a carrier may be organized according to TTIs or slots, each of which may include user data as well as control information or signaling to support decoding the user data. A carrier may also include dedicated acquisition signaling (e.g., synchronization signals or system information, etc.) and control signaling that coordinates operation of the carrier. In some examples (e.g., in a carrier aggregation configuration), a carrier may also have acquisition signaling or control signaling that coordinates the operation of other carriers.
Physical channels on a carrier may be multiplexed according to various techniques. A physical control channel and a physical data channel may be multiplexed on a downlink carrier, for example, using time division multiplexing (TDM) techniques, frequency division multiplexing (FDM) techniques, or hybrid TDM-FDM techniques. In some examples, control information transmitted in a physical control channel may be distributed between different control regions in a cascaded manner (e.g., between a common control region or common search space and one or more UE-specific control regions or UE-specific search spaces).
A carrier may be associated with a particular bandwidth of the radio frequency spectrum, and in some examples the carrier bandwidth may be referred to as the "system bandwidth" of the carrier or of the wireless communication system 100. For example, the carrier bandwidth may be one of a number of predetermined bandwidths for carriers of a particular radio access technology (e.g., 1.4, 3, 5, 10, 15, 20, 40, or 80 MHz). In some examples, each served UE 115 may be configured to operate over portions or all of the carrier bandwidth. In other examples, some UEs 115 may be configured to operate using a narrowband protocol type that is associated with a predefined portion or range (e.g., a set of subcarriers or resource blocks (RBs)) within a carrier (e.g., an "in-band" deployment of the narrowband protocol type).
In a system employing MCM techniques, a resource element may consist of one symbol period (e.g., the duration of one modulation symbol) and one subcarrier, where the symbol period and the subcarrier spacing are inversely related. The number of bits carried by each resource element may depend on the modulation scheme (e.g., the order of the modulation scheme). Thus, the more resource elements a UE 115 receives and the higher the order of the modulation scheme, the higher the data rate for the UE 115 may be. In a MIMO system, a wireless communications resource may refer to a combination of radio frequency spectrum resources, time resources, and spatial resources (e.g., spatial layers), and the use of multiple spatial layers may further increase the data rate of communications with a UE 115.
Devices of the wireless communication system 100 (e.g., base stations 105 or UEs 115) may have a hardware configuration that supports communication over a particular carrier bandwidth, or may be configurable to support communication over one of a set of carrier bandwidths. In some examples, the wireless communication system 100 may include base stations 105 and/or UEs 115 that can communicate simultaneously via carriers associated with more than one carrier bandwidth.
The wireless communication system 100 may support communication with a UE 115 on multiple cells or carriers, a feature that may be referred to as carrier aggregation (CA) or multi-carrier operation. Under a CA configuration, a UE 115 may be configured with multiple downlink CCs and one or more uplink CCs. CA may be used with both FDD and TDD component carriers.
In some cases, the wireless communication system 100 may use enhanced component carriers (eCCs). An eCC may be characterized by one or more features including a wider carrier or channel bandwidth, a shorter symbol duration, a shorter TTI duration, or a modified control channel configuration. In some cases, an eCC may be associated with a CA configuration or a dual connectivity configuration (e.g., when multiple serving cells have suboptimal or non-ideal backhaul links). An eCC may also be configured for use in unlicensed or shared spectrum (e.g., where more than one operator is allowed to use the spectrum). An eCC characterized by a wide carrier bandwidth may include one or more segments that can be used by UEs 115 that are unable to monitor the whole carrier bandwidth or are otherwise configured to use a limited carrier bandwidth (e.g., to conserve power).
In some cases, an eCC may use a symbol duration different from that of other CCs, which may include using a reduced symbol duration compared with the symbol duration of other CCs. A shorter symbol duration may be associated with increased spacing between adjacent subcarriers. A device using an eCC (e.g., a UE 115 or a base station 105) may transmit wideband signals (e.g., over a channel or carrier bandwidth of 20, 40, 60, 80 MHz, etc.) with a reduced symbol duration (e.g., 16.67 microseconds (μs)). A TTI in an eCC may consist of one or more symbol periods. In some cases, the TTI duration (i.e., the number of symbol periods in a TTI) may be variable.
Wireless communication systems such as NR systems may use any combination of licensed, shared, and unlicensed spectrum bands, among others. The flexibility of eCC symbol duration and subcarrier spacing may allow eCCs to be used across multiple spectrum bands. In some examples, NR shared spectrum may increase spectrum utilization and spectral efficiency, particularly through dynamic vertical (e.g., across frequency) and horizontal (e.g., across time) resource sharing.
The core network 130 may include several entities (e.g., functions), such as an AMF, a session management function (SMF), and a user plane function (UPF). One or more of the core network entities may be implemented virtually in software. In some examples, the UE 115 and the base station 105 may communicate with an entity of the core network 130 (e.g., an MME or an AMF) to establish a secure connection for communication. The AMF may provide access and mobility management services for the UE 115 and the base station 105. In some examples, the AMF may serve as the primary point of control plane signaling with the UE 115 and the base station 105, such that most control plane communication between the UE 115, the base station 105, and the core network 130 passes through the AMF.
In some examples, a UE 115 may initiate a connection procedure with a base station 105 by sending an attach request. Based on the attach request, the base station 105 may facilitate authentication and/or authorization of the UE 115 through the core network 130 (e.g., via one or more entities of the core network 130). Once authenticated, the UE 115 may communicate with the core network 130 using a non-access stratum (NAS) protocol configured to securely establish and maintain connectivity between the UE 115 and the core network 130. One or more core network nodes (e.g., an AMF, an MME, a serving gateway, etc.) may inform the base station 105 that the UE 115 is authenticated and authorized to connect to the wireless communication system 100. Thereafter, the base station 105 may establish a radio resource control (RRC) connection with the UE 115 (e.g., based on the AS protocol).
To establish the RRC connection, the base station 105 may generate a security configuration during or after execution of the AS protocol and transmit the security configuration to the UE 115. In some examples, the security configuration may be transmitted to the UE 115 over a secure radio channel (e.g., a secure RRC channel), which may be established based at least in part on a shared key associated with the base station 105 and the UE 115. In some examples, the shared key may be a gNB key (e.g., KgNB) or an eNB key (KeNB), which may be transmitted to the base station 105 by a core network node (e.g., during or after an authentication and key agreement (AKA) procedure) and/or derived by the UE 115.
The base station 105 may then generate an encoded message that includes a resource allocation, and specifically a shared resource pattern allocated for uplink control information of the UE 115. In one example, the encoded message may be encrypted based on the shared key and provided to the UE 115 over the secure RRC channel. In another example, the encoded message may be encrypted within a PDCCH message, and that PDCCH message may be encrypted using an encryption key. The encryption key may be transmitted from the base station 105 to the UE 115 during the RRC connection and/or over the secure RRC channel (e.g., after the RRC connection is established). Using the secure RRC channel may prevent other devices, such as jamming devices, from intercepting the encryption key. In some examples, the encryption key may be common to all UEs 115 connected to or attempting to connect to the base station 105. In some cases, the encryption key may be randomly generated by the base station 105 or the core network 130. In some examples, the encryption key may be derived from the shared key associated with the base station 105 and the UE 115, such as KgNB (or KeNB).
In some wireless communication systems 100 (e.g., LTE), a home subscriber server (HSS) may generate an access security management entity (ASME) key (e.g., KASME) and signal it to the MME. The MME may then derive the initial KeNB from KASME. Subsequent KeNBs may be derived from next-hop (NH) keys, where an NH key is derived from KASME and the previous NH key, or, for the initial NH derivation, from KASME and KeNB. To derive the various keys (e.g., KeNB, NH keys, integrity keys, encryption keys, etc.), the UE 115, the base station 105, or the MME may use a key derivation function (KDF), where each KDF takes an input S composed of parameters such as a function code (FC), parameter 0 (P0), the length of parameter 0 (L0), parameter 1 (P1), the length of parameter 1 (L1), and so on.
In some examples, when the UE 115 and the MME derive KeNB from KASME using the uplink NAS COUNT, the KDF parameters may consist of an FC value of 0x11, a P0 value equal to the uplink NAS COUNT, and an L0 value equal to the length of the uplink NAS COUNT (i.e., 0x00 0x04). In addition, the UE 115 and the MME use the 256-bit KASME as the input key. The UE 115 and the MME may apply this KDF when establishing cryptographically protected Evolved Universal Mobile Telecommunications System Terrestrial Radio Access Network (E-UTRAN) radio bearers and/or when performing a key change on-the-fly.
In some examples, when deriving an NH key from KASME, the KDF parameters may consist of an FC value of 0x12, a P0 value equal to the SYNC-input, and an L0 value equal to the length of the SYNC-input (i.e., 0x00 0x20). The SYNC-input parameter is the newly derived KeNB for the initial NH derivation, or the previous NH key for subsequent NH derivations. This SYNC-input forms an NH chain in which each next NH key is fresh and derived from the previous one. Again, the UE 115 and the MME use the 256-bit KASME as the input key.
For handover purposes, the UE 115 and the base station 105 may derive an intermediate key (e.g., KeNB*) from the current KeNB, or from a fresh NH key, together with the target physical cell ID. In some examples, the UE 115 and the base station 105 may use a KDF whose parameters consist of an FC value of 0x13, a P0 value equal to the target physical cell ID, an L0 value equal to the length of the physical cell ID (i.e., 0x00 0x02), a P1 value equal to the downlink E-UTRA Absolute Radio Frequency Channel Number (EARFCN-DL, i.e., the target cell's downlink frequency), and an L1 value equal to the length of the EARFCN-DL (i.e., 0x00 0x02 when the EARFCN-DL is between 0 and 65535, or 0x00 0x03 when the EARFCN-DL is between 65536 and 262143). In some aspects, the length of the EARFCN-DL is generally not fixed at 3 bytes (e.g., to preserve backward compatibility). For example, some entities (e.g., Release 8 UEs or eNBs) may assume a 2-byte EARFCN-DL input parameter; if the peer entity assumes a 3-byte input parameter, the two sides derive different keys. In addition, if the index (the NH chaining counter) increases at handover, the UE 115 and the base station 105 use the 256-bit NH key as the input key; otherwise they use the current 256-bit KeNB as the input key.
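As an added example (not text or code from the patent, and not 3GPP's own code), the following Python implements the generic 3GPP KDF of TS 33.220 Annex B (HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ...) and the three LTE derivations just described (FC 0x11 for KeNB, 0x12 for NH, 0x13 for KeNB*), then reproduces the EARFCN-DL length problem: encoding the same EARFCN-DL in 2 bytes on one side and 3 bytes on the other yields different KeNB* values. The KASME value, NAS COUNT, PCI and EARFCN-DL are constructed inputs, not standard test vectors, and the function names are my own.

```python
"""Added example: 3GPP KDF (TS 33.220 Annex B) applied to the LTE handover key
derivations of TS 33.401 Annex A. All key material below is constructed."""
import hashlib
import hmac


def build_s(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Derived key = HMAC-SHA-256(key, S); all outputs are 256 bits."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """Initial K_eNB: FC 0x11, P0 = uplink NAS COUNT (4 bytes), so L0 = 0x00 0x04."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_nh(k_asme: bytes, sync_input: bytes) -> bytes:
    """NH: FC 0x12, P0 = SYNC-input (32 bytes, so L0 = 0x00 0x20).
    SYNC-input is the fresh K_eNB for the first NH and the previous NH afterwards."""
    if len(sync_input) != 32:
        raise ValueError("SYNC-input must be 256 bits")
    return kdf(k_asme, 0x12, sync_input)


def nh_chain(k_asme: bytes, k_enb_initial: bytes, hops: int) -> list:
    """NH_1 = KDF(K_ASME, K_eNB), NH_{i+1} = KDF(K_ASME, NH_i)."""
    chain, sync = [], k_enb_initial
    for _ in range(hops):
        sync = derive_nh(k_asme, sync)
        chain.append(sync)
    return chain


def earfcn_dl_bytes(earfcn_dl: int, width: int = 0) -> bytes:
    """EARFCN-DL is 2 bytes for 0..65535 and 3 bytes for 65536..262143.
    A non-zero width forces an encoding, to model a peer that assumes a fixed length."""
    if width == 0:
        width = 2 if earfcn_dl <= 0xFFFF else 3
    return earfcn_dl.to_bytes(width, "big")


def derive_kenb_star(input_key: bytes, pci: int, earfcn_dl: int, width: int = 0) -> bytes:
    """K_eNB* for handover: FC 0x13, P0 = target PCI (2 bytes), P1 = EARFCN-DL."""
    return kdf(input_key, 0x13, pci.to_bytes(2, "big"), earfcn_dl_bytes(earfcn_dl, width))


def handover_input_key(index_increased: bool, nh: bytes, current_kenb: bytes) -> bytes:
    """NH-based derivation when the chaining index increased, otherwise the current K_eNB."""
    return nh if index_increased else current_kenb


def earfcn_length_mismatch(input_key: bytes, pci: int, earfcn_dl: int) -> bool:
    """True when a 2-byte and a 3-byte encoding of the same EARFCN-DL give different
    K_eNB*, i.e. when a Release 8 peer and a later-release peer would disagree."""
    return derive_kenb_star(input_key, pci, earfcn_dl, 2) != derive_kenb_star(input_key, pci, earfcn_dl, 3)


if __name__ == "__main__":
    k_asme = bytes(range(32))                 # constructed 256-bit K_ASME
    k_enb = derive_kenb(k_asme, ul_nas_count=5)
    nh1, nh2 = nh_chain(k_asme, k_enb, 2)
    print("mismatch on EARFCN-DL 1300:", earfcn_length_mismatch(nh1, 7, 1300))
    print("K_eNB* (vertical):", derive_kenb_star(handover_input_key(True, nh1, k_enb), 7, 1300).hex())
```

Because KeNB* seeds the RRC integrity key of the target cell, the mismatch shown by `earfcn_length_mismatch` would surface as an integrity-check failure on the first protected RRC message after the handover rather than as an explicit error.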
In some examples, vertical or horizontal key derivation may be performed for handover purposes. In vertical key derivation, the MME derives the AS key (e.g., KeNB) from KASME (via a fresh NH key); in horizontal key derivation, the base station 105 (e.g., an eNB) derives the AS key from the current KeNB. While the initial KeNB is derived directly, subsequent KeNBs may involve additional or more complex derivations involving an intermediate key and one or more NH keys. Furthermore, KASME may be shared between MMEs on MME relocation, so that the target MME can reuse the key chain used by the source MME. For some wireless communication systems (e.g., 5G/NR), the handover procedure may require key separation between network entities (e.g., AMFs). However, if the AS key (e.g., KgNB) is still derived from a network entity key (e.g., the AMF key, KAMF) held by the target or serving network entity, the handover procedure may be delayed. For example, the target network entity (e.g., the target AMF) would first have to obtain its network entity key (e.g., KAMF) from the security anchor function (SEAF), then agree on the network entity key with the UE 115 via a NAS security mode command (SMC), and only then derive the AS key.
The wireless communication system 100 may support efficient techniques for deriving a unified AS key (e.g., KgNB) for handover procedures using an intermediate key, while also accounting for possible key separation between network entities (e.g., AMFs) so as to provide forward and backward security. In some aspects, the intermediate key may be an AS root key (e.g., KAS_root) derived from the network entity key (e.g., KAMF). Alternatively, a limited-purpose network entity key (e.g., KAMF*) may be derived from the current network entity key and sent to the target entity during handover. These techniques may provide enhanced security by using an evolved root key, since the network entity key from which the NAS keys are derived need not be shared between network entities, and the target network entity cannot derive the AS key used at the previous base station 105. In addition, the handover procedure need not be delayed regardless of key separation (e.g., for forward and backward security). The techniques described herein may also be used for inter-system handover (e.g., between a 5G AMF and a 4G MME).
FIG. 2 illustrates an example of a wireless communication system 200 that supports security key derivation for handover, in accordance with various aspects of the present disclosure. In some examples, the wireless communication system 200 may implement aspects of the wireless communication system 100. The wireless communication system 200 may include a base station 105-a, a base station 105-b, and a UE 115-a, which may be examples of the corresponding base stations 105 and UE 115 described with reference to FIG. 1. Base station 105-a may communicate with an AMF 205-a, and base station 105-b may communicate with an AMF 205-b. Each base station 105 and (in some aspects) each AMF 205 may provide communication coverage for, or be associated with, a corresponding coverage area 210 (e.g., AMF 205-a may be associated with coverage area 210-a, and AMF 205-b with coverage area 210-b). In other examples, each coverage area 210 supported by an AMF 205 may include multiple base stations 105.
As shown, the wireless communication system 200 illustrates aspects of UE 115-a performing a handover from AMF 205-a to AMF 205-b. Initially, UE 115-a may communicate securely with base station 105-a and AMF 205-a via the resources of carrier 215-a. In this example, AMF 205-a may be referred to as the source AMF 205-a. To communicate securely, UE 115-a and base station 105-a may use a base station base key (KgNB), which may be derived by AMF 205-a with a procedure similar to that described above with reference to FIG. 1. In addition, the KgNB derivation may use an intermediate key (e.g., an AS root key, KAS_root). KAS_root may be derived from the AMF 205-a key (KAMF) and a first freshness parameter. The freshness parameter may be an uplink NAS COUNT, a downlink NAS COUNT, or a new freshness parameter (e.g., a COUNT) used only for the KAS_root derivation. In some examples, the KgNB derivation may be based on KAS_root and a second freshness parameter. The second freshness parameter may be a counter maintained at AMF 205-a for the purpose of generating KgNB. AMF 205-a may perform the first derivation (of KAS_root) when it determines that the AS security context needs to be refreshed (e.g., when UE 115-a transitions from idle mode to connected mode, or in the event of AMF 205 relocation). AMF 205-a may indicate this derivation of KAS_root to UE 115-a by providing the first freshness parameter.
In some aspects, AMF 205-a may perform the second derivation (of KgNB) when a new KgNB is to be derived (e.g., due to UE mobility involving a PDCP anchor change). In some cases, this may occur without AMF 205 relocation or change. AMF 205-a may indicate this derivation of KgNB to UE 115-a by providing the second freshness parameter. In some aspects, a first derivation of KAS_root may trigger a second derivation of KgNB; however, the second derivation of KgNB may also occur without a first derivation of KAS_root.
In some examples, the channel conditions on carrier 215-a may change (e.g., degrade), or UE 115-a may move outside coverage area 210-a. This may cause UE 115-a to initiate a handover to base station 105-b, which may also involve a handover from AMF 205-a to AMF 205-b. In this example, AMF 205-b may be referred to as the target AMF 205-b. As part of the handover procedure, AMF 205-b may derive KgNB to enable secure communication between base station 105-b and UE 115-a using the resources of carrier 215-b. To do so, source AMF 205-a may first refresh KAS_root based on the first freshness parameter and transfer the refreshed KAS_root to target AMF 205-b. Target AMF 205-b may derive KgNB from the refreshed KAS_root and the second freshness parameter until a new KAMF for target AMF 205-b is derived (or obtained, e.g., from the SEAF). Because the KAMF of target AMF 205-b may be established after the handover completes (e.g., during the NAS SMC), the handover of UE 115-a can complete before that KAMF is established. This avoids the handover delay that would otherwise result from deriving the target AMF 205-b KAMF before completing the handover and deriving KgNB from it.
FIG. 3 illustrates an example of key derivation 300 that supports security key derivation for handover, in accordance with various aspects of the present disclosure. Key derivation 300 may include derivations performed by a source AMF 205-c and a target AMF 205-d, which may be examples of the source AMF 205-a and target AMF 205-b described with reference to FIG. 2. Key derivation 300 may illustrate the security key derivations performed before or during a handover of UE 115 from source AMF 205-c to target AMF 205-d.
Source AMF 205-c may initially obtain KAMF 305 (e.g., from an HSS, a security anchor function (SEAF), or an authentication server function (AUSF)), which may be used to derive the key (e.g., KgNB) that secures the connection between UE 115 and base station 105. When the handover procedure is initiated, source AMF 205-c may generate an intermediate key (e.g., KAS_root 320-a) using KDF 315-a with inputs KAMF 305 and freshness parameter 310-a (e.g., the first freshness parameter). In some examples, freshness parameter 310-a may be the downlink NAS COUNT, the uplink NAS COUNT, a reserved counter for refreshing KAMF, other bits indicating AMF 205 relocation, or any combination thereof. The derivation of KAS_root may be expressed by equation (1) below.
$K_{\mathrm{AS\_root}} = \mathrm{KDF}(K_{\mathrm{AMF}},\ \text{first freshness parameter}) \quad (1)$
Source AMF 205-c may then compute KgNB 325-a using KDF 315-b with inputs KAS_root 320-a and freshness parameter 310-b (e.g., a second freshness parameter, different from freshness parameter 310-a). In some examples, freshness parameter 310-b may be a COUNTER maintained at AMF 205-c. When a new KgNB is derived from the current KAS_root, the COUNTER may be sent to UE 115 so that UE 115 can derive the same KgNB. The KgNB derivation at source AMF 205-c may be expressed by equation (2) below.
$K_{\mathrm{gNB}} = \mathrm{KDF}(K_{\mathrm{AS\_root}},\ \text{second freshness parameter}) \quad (2)$
In some aspects, the UE 115, the base station 105, or another network entity may initiate a handover procedure involving an AMF change from source AMF 205-c to target AMF 205-d. In such cases, source AMF 205-c may derive KAS_root 320-b and provide (e.g., send) KAS_root 320-b to target AMF 205-d. Although KAS_root 320-b may be the same as KAS_root 320-a, and thus derived using equation (1) above, in some cases KAS_root 320-b may differ from KAS_root 320-a. Furthermore, the handover command, which may be sent from base station 105 to UE 115 based on the interaction between source AMF 205-c and target AMF 205-d, may include freshness parameter 310-a (e.g., within a nested NAS downlink message). Target AMF 205-d may then derive KgNB 325-b using KDF 315-c with inputs KAS_root 320-b and freshness parameter 310-c (e.g., the second freshness parameter or a third freshness parameter). In some examples, freshness parameter 310-c may be set to an initial value (INIT_VALUE) such as 0 or 1, or to a random number.
Source AMF 205-c, target AMF 205-d, or UE 115 may refresh KgNB before or after the handover procedure (e.g., on UE 115 mobility involving a PDCP anchor change without AMF relocation). For example, KgNB may be refreshed by refreshing freshness parameter 310-b or 310-c (depending on whether the refresh happens at the source or the target AMF 205). From the perspective of UE 115, the network may signal to UE 115 that KgNB needs to be refreshed, and UE 115 may perform a similar procedure to refresh the current KgNB (e.g., by refreshing the corresponding freshness parameter, which may be indicated to UE 115 or derived locally). KgNB may also be refreshed at source AMF 205-c, target AMF 205-d, or UE 115 by refreshing KAS_root. KAS_root may be refreshed at the AMF 205 and signaled to UE 115. Refreshing KAS_root may be associated with handover, as described above, or may serve as another technique for refreshing KgNB at the AMF 205 or UE 115.
FIG. 4 illustrates an example of key derivation 400 that supports security key derivation for handover, in accordance with various aspects of the present disclosure. Key derivation 400 may include derivations performed by a source AMF 205-e and a target AMF 205-f, which may be examples of the respective AMFs 205 described with reference to FIGS. 2 and 3. Key derivation 400 may illustrate the security key derivations performed before or during a handover of UE 115 from source AMF 205-e to target AMF 205-f.
Source AMF 205-e may initially obtain KAMF 405 (e.g., from an HSS, SEAF, or AUSF), which may be used to derive the key (e.g., KgNB) that secures the connection between UE 115 and base station 105. In some examples, a handover procedure involving AMF relocation from source AMF 205-e to target AMF 205-f may be initiated (e.g., by UE 115 or base station 105). In such cases, source AMF 205-e may generate an intermediate key (e.g., KAS_root 420-a) using KDF 415-a with inputs KAMF 405 and freshness parameter 410-a (e.g., the first freshness parameter). Freshness parameter 410-a may be the downlink NAS COUNT, the uplink NAS COUNT, a reserved counter for refreshing KAMF, other bits indicating AMF relocation, or any combination thereof.
KAS_root 420-a may be derived using equation (1) above, and in some aspects the handover command may include freshness parameter 410-a (e.g., within a nested NAS downlink message). KAS_root 420-a may be used temporarily for AS key derivation (e.g., of KgNB 425-b). Target AMF 205-f may then derive KgNB 425-b using KDF 415-c with inputs KAS_root 420-a and freshness parameter 410-c (e.g., the second freshness parameter). In some examples, freshness parameter 410-c may be set to an initial value (INIT_VALUE) such as 0 or 1, or to a random number. KAS_root 420-a may be used only for deriving KgNB at target AMF 205-f, and in some aspects the use of KAS_root 420-a may be indicated to the UE in the handover command.
Source AMF 205-e may use KDF 415-b with inputs KAMF 405 and freshness parameter 410-b (e.g., the second freshness parameter) to produce the AS key (e.g., KgNB 425-a). In some aspects, freshness parameter 410-b may be a COUNTER maintained at AMF 205-e, and the KgNB derivation at source AMF 205-e may be expressed by equation (3) below.
$K_{\mathrm{gNB}} = \mathrm{KDF}(K_{\mathrm{AMF}},\ \text{second freshness parameter}) \quad (3)$
FIG. 5 illustrates an example of key derivation 500 that supports security key derivation for handover, in accordance with various aspects of the present disclosure. Key derivation 500 may include derivations performed by a source AMF 205-g and a target AMF 205-h, which may be examples of the respective AMFs 205 described with reference to FIGS. 2 to 4. Key derivation 500 may illustrate the key derivations performed before or during a handover of UE 115 involving AMF relocation from source AMF 205-g to target AMF 205-h.
源AMF 205-g可最初获得KAMF 505(例如,从HSS、SEAF或AUSF),其可用于导出用于实现UE 115与基站105之间的安全连接的密钥(例如,KgNB)。在一些实例中,可起始(例如,由UE 115或基站105)涉及从源AMF 205-g到目标AMF 205-h的AMF重定位的切换过程。在此类情况下,源AMF 205-g可从具有输入KAMF 505-a及新鲜性参数510-a(例如,第一新鲜性参数)的KDF 515-a生成中间密钥(例如,KAMF*505-b)。KAMF*505-b可被提供到目标AMF 205-h。新鲜性参数510-a可为下行链路NAS COUNT、上行链路NAS COUNT、用于刷新KAMF的保留计数器、指示AMF重定位的其它位,或其任何组合。在一些实例中,切换命令可包含新鲜性参数510-a(例如,在嵌套的NAS下行链路消息内),且用于KAMF*505-b的等式可由如下等式(4)表示。The source AMF 205-g may initially obtain K AMF 505 (e.g., from an HSS, SEAF, or AUSF), which may be used to derive a key (e.g., K gNB ) for implementing a secure connection between the UE 115 and the base station 105. In some instances, a handover procedure involving AMF relocation from the source AMF 205-g to the target AMF 205-h may be initiated (e.g., by the UE 115 or the base station 105). In such a case, the source AMF 205-g may generate an intermediate key (e.g., K AMF * 505-b) from a KDF 515-a having input K AMF 505-a and a freshness parameter 510-a (e.g., a first freshness parameter). K AMF * 505-b may be provided to the target AMF 205-h. The freshness parameter 510-a may be a downlink NAS COUNT, an uplink NAS COUNT, a retention counter for refreshing KAMF , another bit indicating AMF relocation, or any combination thereof. In some examples, the handover command may include the freshness parameter 510-a (e.g., within a nested NAS downlink message), and the equation for KAMF * 505-b may be represented by the following equation (4).
KAMF*=KDF(KAMF,第一新鲜性参数) (4) KAMF *=KDF( KAMF , first freshness parameter) (4)
KAMF*505-b可用于有限目的,例如用于KgNB推导,但可能并不用于NAS消息保护。可在切换命令中向UE 115指示密钥使用。NAS消息保护可包含在目标AMF 205-h处建立新的KAMF,这可是基于SMC。在一些方面中,用于AMF 205-b的KAMF 505可被设定成KAMF*505-b(例如,在同一AMF 205内的KAMF刷新中)。目标AMF 205-b接着可利用具有输入KAMF*505-b及新鲜性参数510-c(例如,第二新鲜性参数)的KDF 515-c导出KgNB 525-b。在一些实例中,新鲜性参数510-c可被设定成例如0或1的初始值(INIT_VALUE),或可被设定成随机数。 KAMF * 505-b may be used for limited purposes, such as for KgNB derivation, but may not be used for NAS message protection. Key usage may be indicated to UE 115 in the handover command. NAS message protection may include establishing a new KAMF at the target AMF 205-h, which may be based on the SMC. In some aspects, KAMF 505 for AMF 205-b may be set to KAMF * 505-b (e.g., in a KAMF refresh within the same AMF 205). The target AMF 205-b may then utilize KDF 515-c with input KAMF * 505-b and a freshness parameter 510-c (e.g., a second freshness parameter) to derive KgNB 525-b. In some examples, freshness parameter 510-c may be set to an initial value (INIT_VALUE), such as 0 or 1, or may be set to a random number.
在一些方面中,源AMF 205-g可利用具有输入KAMF 505-a及新鲜性参数510-b(例如,第二新鲜性参数)的KDF 515-b来产生AS密钥(例如,KgNB 525-a)。新鲜性参数510-b可为AMF 205-a处维持的COUNTER。In some aspects, the source AMF 205-g may utilize a KDF 515-b with inputs K AMF 505-a and a freshness parameter 510-b (e.g., a second freshness parameter) to generate an AS key (e.g., K gNB 525-a). The freshness parameter 510-b may be a COUNTER maintained at the AMF 205-a.
FIG. 6 illustrates an example of a key derivation 600 that supports security key derivation for handover in accordance with various aspects of the present disclosure. The key derivation 600 may include derivations performed by a source AMF 205-i and a target AMF 205-j, which may be examples of the corresponding AMFs 205 described with reference to FIGs. 2 through 5. The key derivation 600 may illustrate derivations performed before or during a handover procedure for a UE 115 from the source AMF 205-i to the target AMF 205-j.
The source AMF 205-i may initially obtain KAMF 605-a (e.g., from an HSS, SEAF, or AUSF), which may be used to derive a key (e.g., KgNB) for establishing a secure connection between the UE 115 and the base station 105. The source AMF 205-i may use a KDF 615-b with inputs KAMF 605-a and a freshness parameter 610-b (e.g., a first freshness parameter) to generate an intermediate key (e.g., KAS_root 620-a). In some examples, the freshness parameter 610-b may be a downlink NAS COUNT, an uplink NAS COUNT, a retention counter used for refreshing KAMF, other bits indicating AMF relocation, or any combination thereof. KAS_root 620-a may be derived using equation (1) above. The source AMF 205-i may then compute KgNB 625-a using a KDF 615-d with inputs KAS_root 620-a and a freshness parameter 610-d (e.g., a second freshness parameter). In some aspects, the freshness parameter 610-d may be a COUNTER maintained at the AMF 205-a, and the COUNTER may be sent to the UE 115 when a new KgNB is derived based on the current KAS_root.
In some examples, a handover procedure involving an AMF change from the source AMF 205-i to the target AMF 205-j may be initiated (e.g., by the UE 115 or the base station 105). In such cases, the source AMF 205-i may derive an intermediate key KAMF* 605-b by using a KDF 615-a with inputs KAMF 605-a and a freshness parameter 610-a (e.g., a third freshness parameter). In some examples, KAMF 605-a may be provided to the target AMF 205-j, and the freshness parameter 610-a may be a downlink NAS COUNT, an uplink NAS COUNT, a retention counter used for refreshing KAMF, other bits indicating AMF relocation, or any combination thereof. The handover command may include the freshness parameter 610-a (e.g., within a nested NAS downlink message). KAMF* 605-b may be used for limited purposes (e.g., for KgNB derivation but not for NAS message protection). NAS message protection may include establishing a new KAMF at the target AMF 205-j (e.g., based on an SMC). In some aspects, the KAMF 605 for the AMF 205-j may be set to KAMF* 605-b (e.g., in a KAMF refresh within the same AMF 205).
The target AMF 205-j may then derive KAS_root 620-b from a KDF 615-c with inputs KAMF* 605-b and a freshness parameter 610-c (e.g., a first freshness parameter). In some examples, the freshness parameter 610-c may be a downlink NAS COUNT. The target AMF 205-i may then derive KgNB 625-b using a KDF 615-e with inputs KAS_root 620-b and a freshness parameter 610-e (e.g., a second freshness parameter). In some examples, the freshness parameter 610-e may be set to an initial value (INIT_VALUE), such as 0 or 1, or may be set to a random number.
FIG. 7 illustrates an example of a process flow 700 that supports security key derivation for handover in accordance with various aspects of the present disclosure. The process flow 700 illustrates aspects of the techniques performed by a UE 115-b, a source AMF 205-k, and a target AMF 205-l, which may be examples of the UE 115 and the corresponding AMFs 205 described with reference to FIGs. 1 through 6.
In the following description of the process flow 700, the operations between the UE 115-b, the source AMF 205-k, and the target AMF 205-l may be performed in a different order or at different times. Certain operations may also be omitted from the process flow 700, or other operations may be added to the process flow 700.
At 705, the source AMF 205-k and the target AMF 205-l may identify a handover trigger message that triggers a handover from a source network entity (e.g., the source AMF 205-k) to a target network entity (e.g., the target AMF 205-l). For example, the handover trigger message may be sent from a base station (e.g., a source gNB serving the UE 115-b). The source base station may convey the handover decision to the target base station (e.g., a target gNB) and to the network entity associated with the source base station (e.g., a source AMF such as the source AMF 205-k).
At 710, the source AMF 205-k may generate a refreshed intermediate key (e.g., KAS_root). The refreshed intermediate key may be generated based on a first freshness parameter as described with reference to FIGs. 2 through 6. The first freshness parameter may include an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof. The refreshed intermediate key may be configured specifically for generating a target base station base key (e.g., KgNB), and this limited purpose may be signaled to the UE 115-b.
At 715, the source AMF 205-k may transmit the refreshed intermediate key to the target AMF 205-l. In some examples, the intermediate key may be transmitted as part of a forward relocation request. The refreshed intermediate key may be different from the intermediate key used at the source AMF 205-k, which may facilitate key separation between the two AMFs.
At 720, the target AMF 205-l may generate a target base station base key (e.g., KgNB) based on the received refreshed intermediate key. The target base station base key may also be generated based on a second freshness parameter as described with reference to FIGs. 2 through 6. The target AMF 205-l may then send a handover request to the target base station. In some examples, the target base station may send a handover confirmation message to the target AMF 205-l.
At 725, the target AMF 205-l may transmit the second freshness parameter to the source AMF 205-k. In some examples, the second freshness parameter is conveyed as part of a forward relocation response message.
At 730, the source AMF 205-k may send a handover command message to the UE 115-b (e.g., via the source base station). The handover command message may also indicate the first and second freshness parameters. The handover command may also indicate that the intermediate key to be generated at the UE 115-b is for the limited purpose of generating a base station base key (e.g., KgNB).
At 735, the UE 115-b may generate the target base station base key based on the handover command, the first freshness parameter, the second freshness parameter, or a combination thereof. After generating the target base station base key associated with the target base station, the UE 115-b may then communicate securely with the target base station.
At 740, and after the handover procedure has completed, the target AMF 205-l (or the target base station) may transmit signaling to the UE 115-b to refresh the base station base key (e.g., KgNB). The signaling may include parameters for the UE 115-b to use in refreshing the base station base key, such as a refreshed or updated intermediate key (e.g., a refreshed KAS_root) or a refreshed or updated second freshness value.
At 745, the UE 115-b may refresh the target base station base key based at least in part on the updated second freshness parameter or the updated intermediate key.
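The key chain of equations (3) and (4) from FIGs. 5 and 6, carried through steps 710 to 745 of process flow 700, as an added Python example that is not part of the patent and not any network vendor's or 3GPP implementation. It assumes HMAC-SHA256 with a key-type label as the KDF (the page leaves the KDF unspecified), takes the downlink NAS COUNT as the first freshness parameter and 0 as INIT_VALUE, and represents the "limited purpose" signalled in the handover command with a hypothetical `purpose` tag on `LimitedKey`; the K_AMF value and counters are constructed. The point a practitioner should take from it is that the UE and the target AMF agree on K_gNB using only the two freshness parameters, that the target side never needs K_AMF itself, and that the purpose tag lets code refuse to derive NAS protection keys from K_AMF*.

```python
"""Added example: AMF-relocation key chain (equations (3) and (4)) run through
steps 710-745 of process flow 700. HMAC-SHA256 stands in for the patent's
unspecified KDF (assumption); all key material and counters are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

INIT_VALUE = 0  # initial second freshness parameter (page: INIT_VALUE such as 0 or 1)


def kdf(key: bytes, label: bytes, freshness: int) -> bytes:
    """KDF(key, freshness parameter). The label binds the output to one key type,
    so K_AMF* and K_gNB derived from the same parent and counter never coincide
    (assumption: the page does not fix the KDF construction)."""
    return hmac.new(key, label + freshness.to_bytes(4, "big"), hashlib.sha256).digest()


@dataclass
class LimitedKey:
    """A key plus the purpose it is allowed for. 'gnb-only' models the limited
    purpose signalled in the handover command (hypothetical tag, not from the page)."""
    value: bytes
    purpose: str  # "full" (a K_AMF) or "gnb-only" (a K_AMF* / KAS_root)


def derive_k_amf_star(k_amf: LimitedKey, first_freshness: int) -> LimitedKey:
    """Equation (4): K_AMF* = KDF(K_AMF, first freshness parameter)."""
    if k_amf.purpose != "full":
        raise PermissionError("K_AMF* must be derived from a full-purpose K_AMF")
    return LimitedKey(kdf(k_amf.value, b"K_AMF*", first_freshness), "gnb-only")


def derive_k_gnb(parent: LimitedKey, second_freshness: int) -> bytes:
    """Equation (3): K_gNB = KDF(parent key, second freshness parameter).
    The parent is K_AMF on the source side and K_AMF* on the target side."""
    return kdf(parent.value, b"K_gNB", second_freshness)


def derive_nas_keys(k_amf: LimitedKey) -> Tuple[bytes, bytes]:
    """NAS ciphering and integrity keys. A gNB-only K_AMF* is refused, which is
    how the 'not for NAS message protection' rule is enforced in this example."""
    if k_amf.purpose != "full":
        raise PermissionError("intermediate key is limited to K_gNB derivation")
    return kdf(k_amf.value, b"K_NASenc", 0), kdf(k_amf.value, b"K_NASint", 0)


def amf_relocation_handover(k_amf_value: bytes, dl_nas_count: int,
                            gnb_counter: int, random_second: bool = False) -> Dict[str, object]:
    """Steps 710-745 of process flow 700 for one handover with AMF relocation."""
    k_amf = LimitedKey(k_amf_value, "full")  # held by the source AMF and the UE

    # Source-side K_gNB under equation (3), using the AMF-maintained COUNTER.
    k_gnb_source = derive_k_gnb(k_amf, gnb_counter)

    # 710: source AMF refreshes the intermediate key; first freshness = DL NAS COUNT.
    first_freshness = dl_nas_count
    k_amf_star = derive_k_amf_star(k_amf, first_freshness)

    # 715: only K_AMF* travels in the forward relocation request; K_AMF stays at the source.
    target_view = k_amf_star

    # 720: target AMF chooses the second freshness parameter and derives the target K_gNB.
    second_freshness = secrets.randbelow(2**32) if random_second else INIT_VALUE
    k_gnb_target = derive_k_gnb(target_view, second_freshness)

    # 725/730: the second freshness parameter returns in the forward relocation response,
    # and both parameters reach the UE in the handover command with the purpose indication.
    handover_command = {"first_freshness": first_freshness,
                        "second_freshness": second_freshness,
                        "intermediate_key_purpose": "gnb-only"}

    # 735: the UE repeats the derivation from its own K_AMF and the two parameters.
    ue_k_amf_star = derive_k_amf_star(k_amf, handover_command["first_freshness"])
    ue_k_gnb = derive_k_gnb(ue_k_amf_star, handover_command["second_freshness"])

    # 740/745: after handover the target refreshes K_gNB with an updated second
    # freshness value and the UE applies the same update.
    updated_second = (second_freshness + 1) % 2**32
    k_gnb_refreshed = derive_k_gnb(target_view, updated_second)
    ue_k_gnb_refreshed = derive_k_gnb(ue_k_amf_star, updated_second)

    return {
        "k_amf_star": k_amf_star,
        "k_gnb_source": k_gnb_source,
        "k_gnb_target": k_gnb_target,
        "ue_k_gnb": ue_k_gnb,
        "k_gnb_refreshed": k_gnb_refreshed,
        "ue_k_gnb_refreshed": ue_k_gnb_refreshed,
    }


if __name__ == "__main__":
    # Constructed K_AMF; a real AMF obtains it from the SEAF/AUSF.
    result = amf_relocation_handover(bytes(range(32)), dl_nas_count=7, gnb_counter=3)
    print("UE and target AMF agree on K_gNB:", result["ue_k_gnb"] == result["k_gnb_target"])
    print("source and target K_gNB differ:", result["k_gnb_source"] != result["k_gnb_target"])
```

The labelled KDF is the design choice worth noting: without a label, a K_gNB derived from K_AMF with counter value n and a K_AMF* derived from K_AMF with NAS COUNT n would be the same bytes, so the key separation the page relies on between the source-side and target-side keys would depend on the two counters never colliding.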
FIG. 8 shows a block diagram 800 of a wireless device 805 that supports security key derivation for handover in accordance with aspects of the present disclosure. The wireless device 805 may be an example of aspects of a base station 105 or a network entity 205 (e.g., a source AMF or a target AMF) as described herein. The wireless device 805 may include a receiver 810, a network entity AS key manager 815, and a transmitter 820. The wireless device 805 may also include a processor. Each of these components may be in communication with one another (e.g., via one or more buses).
The receiver 810 may receive information such as packets, user data, or control information associated with various information channels (e.g., control channels, data channels), and information related to security key derivation for handover. The information may be passed on to other components of the device. The receiver 810 may be an example of aspects of the transceiver 1135 described with reference to FIG. 11. The receiver 810 may utilize a single antenna or a set of antennas.
The network entity AS key manager 815 may be an example of aspects of the network entity AS key manager 1115 described with reference to FIG. 11.
The network entity AS key manager 815 and/or at least some of its various subcomponents may be implemented in hardware, software executed by a processor, firmware, or any combination thereof. If implemented in software executed by a processor, the functions of the network entity AS key manager 815 and/or at least some of its various subcomponents may be executed by a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described in the present disclosure. The network entity AS key manager 815 and/or at least some of its various subcomponents may be physically located at various positions, including being distributed such that portions of the functions are implemented at different physical locations by one or more physical devices.
In some examples, the network entity AS key manager 815 and/or at least some of its various subcomponents may be separate and distinct components in accordance with various aspects of the present disclosure. In other examples, the network entity AS key manager 815 and/or at least some of its various subcomponents may be combined with one or more other hardware components, including but not limited to an I/O component, a transceiver, a network server, another computing device, one or more other components described in the present disclosure, or a combination thereof, in accordance with various aspects of the present disclosure.
In some examples, the network entity AS key manager 815 may be a source AMF or a source base station. In such cases, the network entity AS key manager 815 may identify a handover trigger message that triggers a handover from the source network entity to the target network entity, generate a refreshed intermediate key based on a first freshness parameter and the handover trigger message, and transmit the refreshed intermediate key to the target network entity.
In some examples, the network entity AS key manager 815 may be a target AMF or a target base station. In such cases, the network entity AS key manager 815 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity; receive a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based on a first freshness parameter and is configured specifically for generating a target base station base key; and generate the target base station base key based on the refreshed intermediate key and a second freshness parameter.
The transmitter 820 may transmit signals generated by other components of the device. In some examples, the transmitter 820 may be co-located with the receiver 810 in a transceiver module. For example, the transmitter 820 may be an example of aspects of the transceiver 1135 described with reference to FIG. 11. The transmitter 820 may utilize a single antenna or a set of antennas.
FIG. 9 shows a block diagram 900 of a wireless device 905 that supports security key derivation for handover in accordance with aspects of the present disclosure. The wireless device 905 may be an example of aspects of the wireless device 805 or the network entity 205 as described with reference to FIG. 8. The wireless device 905 may include a receiver 910, a network entity AS key manager 915, and a transmitter 920. The wireless device 905 may also include a processor. Each of these components may be in communication with one another (e.g., via one or more buses).
The receiver 910 may receive information such as packets, user data, or control information associated with various information channels (e.g., control channels, data channels), and information related to security key derivation for handover. The information may be passed on to other components of the device. The receiver 910 may be an example of aspects of the transceiver 1135 described with reference to FIG. 11. The receiver 910 may utilize a single antenna or a set of antennas.
The network entity AS key manager 915 may be an example of aspects of the network entity AS key manager 1115 described with reference to FIG. 11. The network entity AS key manager 915 may also include a handover component 925, an intermediate key generator 930, an intermediate key communicator 935, and a base station base key generator 940.
The handover component 925 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. In some cases, the source network entity includes a source AMF and the target network entity includes a target AMF.
The intermediate key generator 930 may generate an intermediate key based on a network entity base key, where the intermediate key is different from the refreshed intermediate key. In some examples, the intermediate key generator 930 may generate the refreshed intermediate key based on a first freshness parameter and the handover trigger message. In some cases, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof. In some cases, the refreshed intermediate key includes the network entity base key of the target network entity. In some cases, the network entity base key of the target network entity is configured specifically for generating the target base station base key. In some cases, the refreshed intermediate key is configured specifically for generating the target base station base key.
The intermediate key communicator 935 may transmit the refreshed intermediate key to the target network entity and receive the refreshed intermediate key from the source network entity, where the refreshed intermediate key is based on the first freshness parameter and is configured specifically for generating the target base station base key. In some cases, the refreshed intermediate key is different from the intermediate key used at the source network entity. In some cases, the refreshed intermediate key includes a chained key of the network entity base key. In some cases, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof.
The base station base key generator 940 may generate a source base station base key based on the intermediate key and a second freshness parameter, generate a refreshed source base station base key based on the second freshness parameter, generate a target base station base key based on the refreshed intermediate key and the second freshness parameter, and generate the target base station base key based on the intermediate key and a third freshness parameter. In some cases, the second freshness parameter includes a retention counter for refreshing the source base station base key. In some cases, the third freshness parameter includes a retention counter for refreshing the target base station base key. In some cases, the second freshness parameter includes a retention counter for refreshing the target base station base key.
The transmitter 920 may transmit signals generated by other components of the device. In some examples, the transmitter 920 may be co-located with the receiver 910 in a transceiver module. For example, the transmitter 920 may be an example of aspects of the transceiver 1135 described with reference to FIG. 11. The transmitter 920 may utilize a single antenna or a set of antennas.
FIG. 10 shows a block diagram 1000 of a network entity AS key manager 1015 that supports security key derivation for handover in accordance with aspects of the present disclosure. The network entity AS key manager 1015 may be an example of aspects of the network entity AS key manager 815, the network entity AS key manager 915, or the network entity AS key manager 1115 described with reference to FIGs. 8, 9, and 11. The network entity AS key manager 1015 may include a handover component 1020, an intermediate key generator 1025, an intermediate key communicator 1030, a base station base key generator 1035, a base station base key transmitter 1040, a NAS key generator 1045, and a network entity base key communicator 1050. Each of these modules may communicate with one another directly or indirectly (e.g., via one or more buses).
The handover component 1020 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. In some cases, the source network entity includes a source AMF and the target network entity includes a target AMF.
The intermediate key generator 1025 may generate an intermediate key based on a network entity base key, where the intermediate key is different from the refreshed intermediate key. In some examples, the intermediate key generator 1025 may generate the refreshed intermediate key based on a first freshness parameter and the handover trigger message. In some cases, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof. In some cases, the refreshed intermediate key includes the network entity base key of the target network entity. In some aspects, the network entity base key of the target network entity is configured specifically for generating the target base station base key. In some cases, the refreshed intermediate key is configured specifically for generating the target base station base key.
The intermediate key communicator 1030 may transmit the refreshed intermediate key to the target network entity and receive the refreshed intermediate key from the source network entity, where the refreshed intermediate key is based on the first freshness parameter and is configured specifically for generating the target base station base key. In some cases, the refreshed intermediate key is different from the intermediate key used at the source network entity. In some examples, the refreshed intermediate key includes a chained key of the network entity base key. In some aspects, the first freshness parameter includes an uplink NAS count, a downlink NAS count, a retention counter for refreshing the intermediate key at the source network entity, or a combination thereof.
The base station base key generator 1035 may generate a source base station base key based on the intermediate key and a second freshness parameter, and generate a refreshed source base station base key based on the second freshness parameter. The base station base key generator 1035 may generate a target base station base key based on the refreshed intermediate key and the second freshness parameter, and generate the target base station base key based on the intermediate key and a third freshness parameter. In some cases, the second freshness parameter includes a retention counter for refreshing the source base station base key. In some examples, the third freshness parameter includes a retention counter for refreshing the target base station base key. In some aspects, the second freshness parameter includes a retention counter for refreshing the target base station base key.
The base station base key transmitter 1040 may transmit the source base station base key to the source base station and transmit the target base station base key to the target base station.
The NAS key generator 1045 may generate an encryption key for NAS signaling and an integrity key for NAS signaling based on the network entity base key, and may generate an encryption key for NAS signaling and an integrity key for NAS signaling based on the refreshed network entity base key.
The network entity base key communicator 1050 may receive the refreshed network entity base key after the handover is completed.
FIG. 11 shows a diagram of a system 1100 including a device 1105 that supports security key derivation for handover in accordance with aspects of the present disclosure. The device 1105 may be an example of, or include the components of, the wireless device 805, the wireless device 905, or the network entity 205 as described above, for example with reference to FIGs. 8 and 9. The device 1105 may include components for bidirectional voice and data communication (including components for transmitting and receiving communications), including a network entity AS key manager 1115, a processor 1120, memory 1125, software 1130, a transceiver 1135, and an I/O controller 1140. These components may be in electronic communication via one or more buses (e.g., bus 1110).
The processor 1120 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a central processing unit (CPU), a microcontroller, an ASIC, an FPGA, a programmable logic device, a discrete gate or transistor logic component, a discrete hardware component, or any combination thereof). In some cases, the processor 1120 may be configured to operate a memory array using a memory controller. In other cases, the memory controller may be integrated into the processor 1120. The processor 1120 may be configured to execute computer-readable instructions stored in memory to perform various functions (e.g., functions or tasks supporting security key derivation for handover).
The memory 1125 may include random access memory (RAM) and read-only memory (ROM). The memory 1125 may store computer-readable, computer-executable software 1130 including instructions that, when executed, cause the processor to perform the various functions described herein. In some cases, the memory 1125 may contain, among other things, a basic input/output system (BIOS), which may control basic hardware or software operations such as interaction with peripheral components or devices.
The software 1130 may include code to implement aspects of the present disclosure, including code to support security key derivation for handover. The software 1130 may be stored in a non-transitory computer-readable medium such as system memory or other memory. In some cases, the software 1130 may not be directly executable by the processor but may cause a computer (e.g., when compiled and executed) to perform the functions described herein.
The transceiver 1135 may communicate bidirectionally via one or more antennas, wired links, or wireless links, as described above. For example, the transceiver 1135 may represent a wireless transceiver and may communicate bidirectionally with another wireless transceiver. The transceiver 1135 may also include a modem to modulate packets and provide the modulated packets to the antennas for transmission, and to demodulate packets received from the antennas.
The I/O controller 1140 may manage input and output signals for the device 1105. The I/O controller 1140 may also manage peripheral devices not integrated into the device 1105. In some cases, the I/O controller 1140 may represent a physical connection or port to an external peripheral device. In some cases, the I/O controller 1140 may utilize an operating system such as Windows XP or another known operating system. In other cases, the I/O controller 1140 may represent or interact with a modem, a keyboard, a mouse, a touchscreen, or a similar device. In some cases, the I/O controller 1140 may be implemented as part of the processor. In some cases, a user may interact with the device 1105 via the I/O controller 1140 or via hardware components controlled by the I/O controller 1140.
FIG. 12 shows a block diagram 1200 of a wireless device 1205 that supports security key derivation for handover, according to aspects of the present disclosure. Wireless device 1205 may be an example of aspects of a UE 115 as described herein. Wireless device 1205 may include a receiver 1210, a UE AS key manager 1215, and a transmitter 1220. Wireless device 1205 may also include a processor. Each of these components may be in communication with one another (e.g., via one or more buses).
Receiver 1210 may receive information such as packets, user data, or control information associated with various information channels (e.g., control channels, data channels), and information related to security key derivation for handover. The information may be passed on to other components of the device. Receiver 1210 may be an example of aspects of the transceiver 1535 described with reference to FIG. 15. Receiver 1210 may utilize a single antenna or a set of antennas.
UE AS key manager 1215 may be an example of aspects of the UE AS key manager 1515 described with reference to FIG. 15.
UE AS key manager 1215 and/or at least some of its various sub-components may be implemented in hardware, in software executed by a processor, in firmware, or in any combination thereof. If implemented in software executed by a processor, the functions of UE AS key manager 1215 and/or at least some of its various sub-components may be executed by a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described in the present disclosure. UE AS key manager 1215 and/or at least some of its various sub-components may be physically located at various positions, including being distributed such that portions of the functions are implemented at different physical locations by one or more physical devices.
In some examples, UE AS key manager 1215 and/or at least some of its various sub-components may be separate and distinct components in accordance with various aspects of the present disclosure. In other examples, UE AS key manager 1215 and/or at least some of its various sub-components may be combined with one or more other hardware components in accordance with various aspects of the present disclosure, including but not limited to an I/O component, a transceiver, a network server, another computing device, one or more other components described in the present disclosure, or a combination thereof.
UE AS key manager 1215 may receive, from a source network entity, a handover command message that triggers a handover to a target network entity; receive an indication of a first freshness parameter; and generate a refreshed intermediate key based on the first freshness parameter and the handover command message, where the refreshed intermediate key is dedicated to generating a target base station base key.
Transmitter 1220 may transmit signals generated by other components of the device. In some examples, transmitter 1220 may be co-located with receiver 1210 in a transceiver module. For example, transmitter 1220 may be an example of aspects of the transceiver 1535 described with reference to FIG. 15. Transmitter 1220 may utilize a single antenna or a set of antennas.
Transmitter 1220 may communicate with the target base station based on the target base station base key.
FIG. 13 shows a block diagram 1300 of a wireless device 1305 that supports security key derivation for handover, according to aspects of the present disclosure. Wireless device 1305 may be an example of aspects of the wireless device 1205 or of a UE 115 as described with reference to FIG. 12. Wireless device 1305 may include a receiver 1310, a UE AS key manager 1315, and a transmitter 1320. Wireless device 1305 may also include a processor. Each of these components may be in communication with one another (e.g., via one or more buses).
Receiver 1310 may receive information such as packets, user data, or control information associated with various information channels (e.g., control channels, data channels), and information related to security key derivation for handover. The information may be passed on to other components of the device. Receiver 1310 may be an example of aspects of the transceiver 1535 described with reference to FIG. 15. Receiver 1310 may utilize a single antenna or a set of antennas.
UE AS key manager 1315 may be an example of aspects of the UE AS key manager 1515 described with reference to FIG. 15. UE AS key manager 1315 may also include a handover component 1325, a freshness parameter communicator 1330, and an intermediate key generator 1335.
Handover component 1325 may receive, from a source network entity, a handover command message that triggers a handover to a target network entity. In some cases, the source network entity includes a source AMF and the target network entity includes a target AMF.
Freshness parameter communicator 1330 may receive an indication of a first freshness parameter, receive an indication of a second freshness parameter, receive an indication of an updated second freshness parameter, and receive an indication of an updated first freshness parameter. In some cases, the first freshness parameter includes an uplink NAS COUNT, a downlink NAS COUNT, a reserved counter for refreshing the intermediate key at the source network entity, or a combination thereof.
Intermediate key generator 1335 may generate a refreshed intermediate key based on the first freshness parameter and the handover command message, where the refreshed intermediate key is dedicated to generating the target base station base key. In some examples, intermediate key generator 1335 may generate an intermediate key based on a network entity base key, where the intermediate key differs from the refreshed intermediate key, and may receive an indication that the refreshed intermediate key is dedicated to generating the target base station base key.
Transmitter 1320 may transmit signals generated by other components of the device. In some examples, transmitter 1320 may be co-located with receiver 1310 in a transceiver module. For example, transmitter 1320 may be an example of aspects of the transceiver 1535 described with reference to FIG. 15. Transmitter 1320 may utilize a single antenna or a set of antennas.
FIG. 14 shows a block diagram 1400 of a UE AS key manager 1415 that supports security key derivation for handover, according to aspects of the present disclosure. UE AS key manager 1415 may be an example of aspects of the UE AS key manager 1515 described with reference to FIGS. 12, 13, and 15. UE AS key manager 1415 may include a handover component 1420, a freshness parameter communicator 1425, an intermediate key generator 1430, a base station base key generator 1435, and an intermediate key communicator 1440. Each of these modules may communicate with one another directly or indirectly (e.g., via one or more buses).
Handover component 1420 may receive, from a source network entity, a handover command message that triggers a handover to a target network entity. In some cases, the source network entity includes a source AMF and the target network entity includes a target AMF.
Freshness parameter communicator 1425 may receive an indication of a first freshness parameter and an indication of a second freshness parameter. Freshness parameter communicator 1425 may also receive an indication of an updated second freshness parameter and an indication of an updated first freshness parameter. In some cases, the first freshness parameter includes an uplink NAS COUNT, a downlink NAS COUNT, a reserved counter for refreshing the intermediate key at the source network entity, or a combination thereof.
Intermediate key generator 1430 may generate a refreshed intermediate key based on the first freshness parameter and the handover command message, where the refreshed intermediate key is dedicated to generating the target base station base key. Intermediate key generator 1430 may generate an intermediate key based on a network entity base key, where the intermediate key differs from the refreshed intermediate key, and may receive an indication that the refreshed intermediate key is dedicated to generating the target base station base key.
Base station base key generator 1435 may generate the target base station base key based on the refreshed intermediate key and the second freshness parameter, and may refresh the target base station base key based on the updated second freshness parameter. Base station base key generator 1435 may also refresh the target base station base key based on an updated refreshed intermediate key, and refresh the target base station base key based on the updated first freshness parameter. In some cases, the second freshness parameter includes a reserved counter for refreshing the target base station base key.
Intermediate key communicator 1440 may receive an indication of the updated refreshed intermediate key.
FIG. 15 shows a diagram of a system 1500 that includes a device 1505 supporting security key derivation for handover, according to aspects of the present disclosure. Device 1505 may be an example of, or may include components of, a UE 115 as described above with reference to, for example, FIG. 1. Device 1505 may include components for two-way voice and data communication (including components for transmitting and receiving communications), including a UE AS key manager 1515, a processor 1520, memory 1525, software 1530, a transceiver 1535, an antenna 1540, and an I/O controller 1545. These components may be in electronic communication via one or more buses (e.g., bus 1510). Device 1505 may communicate wirelessly with one or more base stations 105.
Processor 1520 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, a microcontroller, an ASIC, an FPGA, a programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof). In some cases, processor 1520 may be configured to operate a memory array using a memory controller. In other cases, the memory controller may be integrated into processor 1520. Processor 1520 may be configured to execute computer-readable instructions stored in memory to perform various functions (e.g., functions or tasks supporting security key derivation for handover).
Memory 1525 may include RAM and ROM. Memory 1525 may store computer-readable, computer-executable software 1530 that includes instructions which, when executed, cause the processor to perform the various functions described herein. In some cases, memory 1525 may contain, among other things, a BIOS, which may control basic hardware or software operations such as interaction with peripheral components or devices.
Software 1530 may include code that implements aspects of the present disclosure, including code that supports security key derivation for handover. Software 1530 may be stored in a non-transitory computer-readable medium such as system memory or other memory. In some cases, software 1530 may not be directly executable by the processor but may cause a computer (e.g., when compiled and executed) to perform the functions described herein.
Transceiver 1535 may communicate bidirectionally via one or more antennas, wired links, or wireless links, as described above. For example, transceiver 1535 may represent a wireless transceiver and may communicate bidirectionally with another wireless transceiver. Transceiver 1535 may also include a modem to modulate packets and provide the modulated packets to the antennas for transmission, and to demodulate packets received from the antennas.
In some cases, the wireless device may include a single antenna 1540. In other cases, the device may have more than one antenna 1540, which may be capable of concurrently transmitting or receiving multiple wireless transmissions.
I/O controller 1545 may manage input and output signals for device 1505. I/O controller 1545 may also manage peripheral devices that are not integrated into device 1505. In some cases, I/O controller 1545 may represent a physical connection or port to an external peripheral device. In some cases, I/O controller 1545 may utilize an operating system such as Windows XP or another known operating system. In other cases, I/O controller 1545 may represent or interact with a modem, a keyboard, a mouse, a touch screen, or a similar device. In some cases, I/O controller 1545 may be implemented as part of the processor. In some cases, a user may interact with device 1505 via I/O controller 1545 or via hardware components controlled by I/O controller 1545.
FIG. 16 shows a flowchart illustrating a method 1600 for security key derivation for handover, according to aspects of the present disclosure. The operations of method 1600 may be implemented by a network entity 205 (e.g., an AMF) or its components as described herein. For example, the operations of method 1600 may be performed by a network entity AS key manager as described with reference to FIGS. 8 through 11. In some examples, network entity 205 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, network entity 205 may perform aspects of the functions described below using special-purpose hardware.
At block 1605, network entity 205 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. As described herein, the source network entity may be a source AMF and the target network entity may be a target AMF. The operations of block 1605 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1605 may be performed by a handover component as described with reference to FIGS. 8 through 11.
At block 1610, network entity 205 may generate a refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message. The operations of block 1610 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1610 may be performed by an intermediate key generator as described with reference to FIGS. 8 through 11.
At block 1615, network entity 205 may transmit the refreshed intermediate key to the target network entity. The operations of block 1615 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1615 may be performed by an intermediate key communicator as described with reference to FIGS. 8 through 11.
FIG. 17 shows a flowchart illustrating a method 1700 for security key derivation for handover, according to aspects of the present disclosure. The operations of method 1700 may be implemented by a network entity 205 (e.g., an AMF) or its components as described herein. For example, the operations of method 1700 may be performed by a network entity AS key manager as described with reference to FIGS. 8 through 11. In some examples, network entity 205 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, network entity 205 may perform aspects of the functions described below using special-purpose hardware.
At block 1705, network entity 205 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. The operations of block 1705 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1705 may be performed by a handover component as described with reference to FIGS. 8 through 11.
At block 1710, network entity 205 may generate an intermediate key based at least in part on a network entity base key, where the intermediate key differs from the refreshed intermediate key. The operations of block 1710 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1710 may be performed by an intermediate key generator as described with reference to FIGS. 8 through 11.
At block 1715, network entity 205 may generate the refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message. The operations of block 1715 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1715 may be performed by an intermediate key generator as described with reference to FIGS. 8 through 11.
At block 1720, network entity 205 may transmit the refreshed intermediate key to the target network entity. The operations of block 1720 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1720 may be performed by an intermediate key communicator as described with reference to FIGS. 8 through 11.
FIG. 18 shows a flowchart illustrating a method 1800 for security key derivation for handover, according to aspects of the present disclosure. The operations of method 1800 may be implemented by a network entity 205 (e.g., an AMF) or its components as described herein. For example, the operations of method 1800 may be performed by a network entity AS key manager as described with reference to FIGS. 8 through 11. In some examples, network entity 205 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, network entity 205 may perform aspects of the functions described below using special-purpose hardware.
At block 1805, network entity 205 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. The operations of block 1805 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1805 may be performed by a handover component as described with reference to FIGS. 8 through 11.
At block 1810, network entity 205 may generate an intermediate key based at least in part on a network entity base key, where the intermediate key differs from the refreshed intermediate key. The operations of block 1810 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1810 may be performed by an intermediate key generator as described with reference to FIGS. 8 through 11.
At block 1815, network entity 205 may generate the refreshed intermediate key based at least in part on a first freshness parameter and the handover trigger message. The operations of block 1815 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1815 may be performed by an intermediate key generator as described with reference to FIGS. 8 through 11.
At block 1820, network entity 205 may transmit the refreshed intermediate key to the target network entity. The operations of block 1820 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1820 may be performed by an intermediate key communicator as described with reference to FIGS. 8 through 11.
At block 1825, network entity 205 may generate a source base station base key based at least in part on the intermediate key and a second freshness parameter. The operations of block 1825 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1825 may be performed by a base station base key generator as described with reference to FIGS. 8 through 11.
FIG. 19 shows a flowchart illustrating a method 1900 for security key derivation for handover, according to aspects of the present disclosure. The operations of method 1900 may be implemented by a network entity 205 (e.g., an AMF) or its components as described herein. For example, the operations of method 1900 may be performed by a network entity AS key manager as described with reference to FIGS. 8 through 11. In some examples, network entity 205 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, network entity 205 may perform aspects of the functions described below using special-purpose hardware.
At block 1905, network entity 205 may identify a handover trigger message that triggers a handover from a source network entity to a target network entity. The operations of block 1905 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1905 may be performed by a handover component as described with reference to FIGS. 8 through 11.
At block 1910, network entity 205 may receive a refreshed intermediate key from the source network entity, where the refreshed intermediate key is based at least in part on a first freshness parameter and is dedicated to generating a target base station base key. The operations of block 1910 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1910 may be performed by an intermediate key communicator as described with reference to FIGS. 8 through 11.
At block 1915, network entity 205 may generate the target base station base key based at least in part on the refreshed intermediate key and a second freshness parameter. The operations of block 1915 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 1915 may be performed by a base station base key generator as described with reference to FIGS. 8 through 11.
FIG. 20 shows a flowchart illustrating a method 2000 for security key derivation for handover, according to aspects of the present disclosure. The operations of method 2000 may be implemented by a UE 115 or its components as described herein. For example, the operations of method 2000 may be performed by a UE AS key manager as described with reference to FIGS. 12 through 15. In some examples, UE 115 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, UE 115 may perform aspects of the functions described below using special-purpose hardware.
At block 2005, UE 115 may receive, from a source network entity, a handover command message that triggers a handover to a target network entity. The operations of block 2005 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 2005 may be performed by a handover component as described with reference to FIGS. 12 through 15.
At block 2010, UE 115 may receive an indication of a first freshness parameter. The operations of block 2010 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 2010 may be performed by a freshness parameter communicator as described with reference to FIGS. 12 through 15.
At block 2015, UE 115 may generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, where the refreshed intermediate key is dedicated to generating a target base station base key. The operations of block 2015 may be performed according to the methods described herein. In certain examples, aspects of the operations of block 2015 may be performed by an intermediate key generator as described with reference to FIGS. 12 through 15.
FIG. 21 shows a flowchart illustrating a method 2100 for security key derivation for handover in accordance with aspects of the present disclosure. The operations of method 2100 may be implemented by a UE 115 or its components as described herein. For example, the operations of method 2100 may be performed by a UE AS key manager as described with reference to FIGs. 12 to 15. In some examples, a UE 115 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, a UE 115 may perform aspects of the functions described below using special-purpose hardware.
At block 2105, the UE 115 may receive, from the source network entity, a handover command message that triggers a handover to the target network entity. The operations of block 2105 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2105 may be performed by a handover component as described with reference to FIGs. 12 to 15.
At block 2110, the UE 115 may receive an indication of a first freshness parameter. The operations of block 2110 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2110 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2115, the UE 115 may generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, wherein the refreshed intermediate key is configured specifically for use in generating a target base station base key. The operations of block 2115 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2115 may be performed by an intermediate key generator as described with reference to FIGs. 12 to 15.
At block 2120, the UE 115 may receive an indication of a second freshness parameter. The operations of block 2120 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2120 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2125, the UE 115 may generate the target base station base key based at least in part on the refreshed intermediate key and the second freshness parameter. The operations of block 2125 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2125 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
FIG. 22 shows a flowchart illustrating a method 2200 for security key derivation for handover in accordance with aspects of the present disclosure. The operations of method 2200 may be implemented by a UE 115 or its components as described herein. For example, the operations of method 2200 may be performed by a UE AS key manager as described with reference to FIGs. 12 to 15. In some examples, a UE 115 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, a UE 115 may perform aspects of the functions described below using special-purpose hardware.
At block 2205, the UE 115 may receive, from the source network entity, a handover command message that triggers a handover to the target network entity. The operations of block 2205 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2205 may be performed by a handover component as described with reference to FIGs. 12 to 15.
At block 2210, the UE 115 may receive an indication of a first freshness parameter. The operations of block 2210 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2210 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2215, the UE 115 may generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, wherein the refreshed intermediate key is configured specifically for use in generating a target base station base key. The operations of block 2215 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2215 may be performed by an intermediate key generator as described with reference to FIGs. 12 to 15.
At block 2220, the UE 115 may receive an indication of a second freshness parameter. The operations of block 2220 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2220 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2225, the UE 115 may generate the target base station base key based at least in part on the refreshed intermediate key and the second freshness parameter. The operations of block 2225 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2225 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
At block 2230, the UE 115 may receive an indication of an updated second freshness parameter. The operations of block 2230 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2230 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2235, the UE 115 may refresh the target base station base key based at least in part on the updated second freshness parameter. The operations of block 2235 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2235 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
FIG. 23 shows a flowchart illustrating a method 2300 for security key derivation for handover in accordance with aspects of the present disclosure. The operations of method 2300 may be implemented by a UE 115 or its components as described herein. For example, the operations of method 2300 may be performed by a UE AS key manager as described with reference to FIGs. 12 to 15. In some examples, a UE 115 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, a UE 115 may perform aspects of the functions described below using special-purpose hardware.
At block 2305, the UE 115 may receive, from the source network entity, a handover command message that triggers a handover to the target network entity. The operations of block 2305 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2305 may be performed by a handover component as described with reference to FIGs. 12 to 15.
At block 2310, the UE 115 may receive an indication of a first freshness parameter. The operations of block 2310 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2310 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2315, the UE 115 may generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, wherein the refreshed intermediate key is configured specifically for use in generating a target base station base key. The operations of block 2315 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2315 may be performed by an intermediate key generator as described with reference to FIGs. 12 to 15.
At block 2320, the UE 115 may receive an indication of a second freshness parameter. The operations of block 2320 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2320 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2325, the UE 115 may generate the target base station base key based at least in part on the refreshed intermediate key and the second freshness parameter. The operations of block 2325 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2325 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
At block 2330, the UE 115 may receive an indication of an updated refreshed intermediate key. The operations of block 2330 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2330 may be performed by an intermediate key communicator as described with reference to FIGs. 12 to 15.
At block 2335, the UE 115 may refresh the target base station base key based at least in part on the updated refreshed intermediate key. The operations of block 2335 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2335 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
FIG. 24 shows a flowchart illustrating a method 2400 for security key derivation for handover in accordance with aspects of the present disclosure. The operations of method 2400 may be implemented by a UE 115 or its components as described herein. For example, the operations of method 2400 may be performed by a UE AS key manager as described with reference to FIGs. 12 to 15. In some examples, a UE 115 may execute a set of code to control the functional elements of the device to perform the functions described below. Additionally or alternatively, a UE 115 may perform aspects of the functions described below using special-purpose hardware.
At block 2405, the UE 115 may receive, from the source network entity, a handover command message that triggers a handover to the target network entity. The operations of block 2405 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2405 may be performed by a handover component as described with reference to FIGs. 12 to 15.
At block 2410, the UE 115 may receive an indication of a first freshness parameter. The operations of block 2410 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2410 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2415, the UE 115 may generate a refreshed intermediate key based at least in part on the first freshness parameter and the handover command message, wherein the refreshed intermediate key is configured specifically for use in generating a target base station base key. The operations of block 2415 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2415 may be performed by an intermediate key generator as described with reference to FIGs. 12 to 15.
At block 2420, the UE 115 may receive an indication of a second freshness parameter. The operations of block 2420 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2420 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2425, the UE 115 may generate the target base station base key based at least in part on the refreshed intermediate key and the second freshness parameter. The operations of block 2425 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2425 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
At block 2430, the UE 115 may receive an indication of an updated first freshness parameter. The operations of block 2430 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2430 may be performed by a freshness parameter communicator as described with reference to FIGs. 12 to 15.
At block 2435, the UE 115 may refresh the target base station base key based at least in part on the updated first freshness parameter. The operations of block 2435 may be performed according to the methods described herein. In some examples, aspects of the operations of block 2435 may be performed by a base station base key generator as described with reference to FIGs. 12 to 15.
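The key chain of FIGs. 20 to 24 on the UE side, together with the target-entity derivation of blocks 1910 and 1915, as an added Python example that is not part of the patent. The patent names no key derivation function, parameter encoding or label, so HMAC-SHA256 as the KDF, 32-bit counters as freshness parameters, the derivation labels, the sample intermediate key and handover command, and the monotonic-freshness check are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample inputs for the walkthrough (not values from the patent).
SAMPLE_INTERMEDIATE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_HANDOVER_COMMAND = b"HandoverCommand{target=cell-B}"


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """HMAC-SHA256 key derivation (assumed; the patent names no KDF).
    Each input is length-prefixed so two different splits of the same
    bytes cannot produce the same derived key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(label)
    for item in inputs:
        mac.update(len(item).to_bytes(2, "big"))
        mac.update(item)
    return mac.digest()


def encode_freshness(value: int) -> bytes:
    """Freshness parameters are modelled as 32-bit counters (assumption)."""
    return value.to_bytes(4, "big")


def refresh_intermediate_key(intermediate_key: bytes, first_freshness: int,
                             handover_command: bytes) -> bytes:
    """Blocks 2015/2115/2215/2315/2415: the refreshed intermediate key is bound
    to the first freshness parameter and the handover command message. A
    dedicated label keeps it separate from any other use of the key."""
    return kdf(intermediate_key, b"refreshed-intermediate",
               encode_freshness(first_freshness), handover_command)


def derive_base_key(refreshed_intermediate_key: bytes, second_freshness: int) -> bytes:
    """Blocks 1915/2125/2225/2325/2425: the target base station base key."""
    return kdf(refreshed_intermediate_key, b"target-bs-base-key",
               encode_freshness(second_freshness))


def network_side_handover(intermediate_key: bytes, handover_command: bytes,
                          first_freshness: int, second_freshness: int):
    """Source entity refreshes the intermediate key and passes it to the target
    entity (block 1910); the target derives the base key (block 1915). The
    target never sees the source's own intermediate key."""
    refreshed = refresh_intermediate_key(intermediate_key, first_freshness, handover_command)
    return refreshed, derive_base_key(refreshed, second_freshness)


class UeAsKeyManager:
    """UE-side state for methods 2000 to 2400."""

    def __init__(self, intermediate_key: bytes):
        self.intermediate_key = intermediate_key
        self.handover_command = None
        self.first_freshness = None
        self.second_freshness = None
        self.refreshed_intermediate_key = None
        self.base_key = None

    @staticmethod
    def _accept(new: int, last):
        # Added check, not mandated by the patent text: a freshness value that
        # does not increase would reproduce an earlier key, so it is rejected.
        if last is not None and new <= last:
            raise ValueError("freshness parameter did not increase")
        return new

    def on_handover_command(self, handover_command: bytes, first_freshness: int) -> bytes:
        """Blocks 2005/2010/2015 and their counterparts in FIGs. 21 to 24."""
        self.handover_command = handover_command
        self.first_freshness = self._accept(first_freshness, self.first_freshness)
        self.refreshed_intermediate_key = refresh_intermediate_key(
            self.intermediate_key, self.first_freshness, handover_command)
        return self.refreshed_intermediate_key

    def on_second_freshness(self, second_freshness: int) -> bytes:
        """Blocks 2120/2125 derive the base key; blocks 2230/2235 refresh it
        from an updated second freshness parameter the same way."""
        self.second_freshness = self._accept(second_freshness, self.second_freshness)
        self.base_key = derive_base_key(self.refreshed_intermediate_key, self.second_freshness)
        return self.base_key

    def on_updated_intermediate_key(self, updated_refreshed_intermediate_key: bytes) -> bytes:
        """Blocks 2330/2335: re-derive the base key under a new intermediate key
        while keeping the current second freshness parameter."""
        self.refreshed_intermediate_key = updated_refreshed_intermediate_key
        self.base_key = derive_base_key(self.refreshed_intermediate_key, self.second_freshness)
        return self.base_key

    def on_updated_first_freshness(self, updated_first_freshness: int) -> bytes:
        """Blocks 2430/2435: an updated first freshness parameter refreshes the
        intermediate key again, and the base key is re-derived from it."""
        self.on_handover_command(self.handover_command, updated_first_freshness)
        return self.on_updated_intermediate_key(self.refreshed_intermediate_key)


if __name__ == "__main__":
    net_ref, net_base = network_side_handover(
        SAMPLE_INTERMEDIATE_KEY, SAMPLE_HANDOVER_COMMAND, 1, 7)
    ue = UeAsKeyManager(SAMPLE_INTERMEDIATE_KEY)
    ue.on_handover_command(SAMPLE_HANDOVER_COMMAND, 1)
    print("UE and target agree:", ue.on_second_freshness(7) == net_base)
```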
It should be noted that the methods described above describe possible implementations, that the operations and steps may be rearranged or otherwise modified, and that other implementations are possible. Furthermore, aspects from two or more of the methods may be combined.
The techniques described herein may be used for various wireless communication systems, such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), orthogonal frequency division multiple access (OFDMA), single carrier frequency division multiple access (SC-FDMA), and other systems. A CDMA system may implement a radio technology such as CDMA2000, Universal Terrestrial Radio Access (UTRA), and the like. CDMA2000 covers the IS-2000, IS-95, and IS-856 standards. IS-2000 releases may be commonly referred to as CDMA2000 1X, 1X, and the like. IS-856 (TIA-856) is commonly referred to as CDMA2000 1xEV-DO, High Rate Packet Data (HRPD), and the like. UTRA includes Wideband CDMA (WCDMA) and other variants of CDMA. A TDMA system may implement a radio technology such as Global System for Mobile Communications (GSM).
An OFDMA system may implement a radio technology such as Ultra Mobile Broadband (UMB), Evolved UTRA (E-UTRA), Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM, and the like. UTRA and E-UTRA are part of the Universal Mobile Telecommunications System (UMTS). LTE and LTE-A are releases of UMTS that use E-UTRA. UTRA, E-UTRA, UMTS, LTE, LTE-A, NR, and GSM are described in documents from the organization named "3rd Generation Partnership Project" (3GPP). CDMA2000 and UMB are described in documents from the organization named "3rd Generation Partnership Project 2" (3GPP2). The techniques described herein may be used for the systems and radio technologies mentioned above as well as for other systems and radio technologies. Although aspects of an LTE or NR system may be described for purposes of example, and LTE or NR terminology may be used in much of the description, the techniques described herein are also applicable beyond LTE or NR applications.
A macro cell generally covers a relatively large geographic area (e.g., several kilometers in radius) and may allow unrestricted access by UEs 115 with service subscriptions with the network provider. A small cell may be associated with a lower-powered base station 105 than a macro cell, and a small cell may operate in the same or different (e.g., licensed, unlicensed, etc.) frequency bands as macro cells. According to various examples, small cells may include pico cells, femto cells, and micro cells. A pico cell, for example, may cover a small geographic area and may allow unrestricted access by UEs 115 with service subscriptions with the network provider. A femto cell may also cover a small geographic area (e.g., a home) and may provide restricted access by UEs 115 having an association with the femto cell (e.g., UEs 115 in a closed subscriber group (CSG), UEs 115 for users in the home, etc.). An eNB for a macro cell may be referred to as a macro eNB. An eNB for a small cell may be referred to as a small cell eNB, a pico eNB, a femto eNB, or a home eNB. An eNB may support one or more (e.g., two, three, four, etc.) cells and may also support communications using one or more component carriers.
The wireless communication system 100 described herein may support synchronous or asynchronous operation. For synchronous operation, the base stations 105 may have similar frame timing, and transmissions from different base stations 105 may be approximately aligned in time. For asynchronous operation, the base stations 105 may have different frame timing, and transmissions from different base stations 105 may not be aligned in time. The techniques described herein may be used for either synchronous or asynchronous operation.
Information and signals described herein may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
The various illustrative blocks and modules described in connection with the present disclosure may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device (PLD), discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices (e.g., a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration).
The functions described herein may be implemented in hardware, software executed by a processor, firmware, or any combination thereof. If implemented in software executed by a processor, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Other examples and implementations are within the scope of the present disclosure and the appended claims. For example, due to the nature of software, the functions described above may be implemented using software executed by a processor, hardware, firmware, hardwiring, or any combination of these. Features implementing the functions may also be physically located at various positions, including being distributed such that portions of the functions are implemented at different physical locations.
Computer-readable media includes both non-transitory computer storage media and communication media, including any medium that facilitates the transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer. By way of example, and not limitation, non-transitory computer-readable media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, compact disc (CD) ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other non-transitory medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. As used herein, disk and disc include CD, laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.
As used herein, including in the claims, "or" as used in a list of items (for example, a list of items prefaced by a phrase such as "at least one of" or "one or more of") indicates an inclusive list, such that, for example, a list of at least one of A, B, or C means A or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein, the phrase "based on" shall not be construed as a reference to a closed set of conditions. For example, an exemplary step that is described as "based on condition A" may be based on both condition A and condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase "based on" shall be construed in the same manner as the phrase "based at least in part on."
In the appended figures, similar components or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second or other subsequent reference label.
The description set forth herein, in connection with the appended drawings, describes example configurations and does not represent all the examples that may be implemented or that are within the scope of the claims. The term "exemplary" as used herein means "serving as an example, instance, or illustration," and not "preferred" or "advantageous over other examples." The detailed description includes specific details for the purpose of providing an understanding of the described techniques. These techniques, however, may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the concepts of the described examples.
The description herein is provided to enable a person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein, but is to be accorded the broadest scope consistent with the principles and novel features disclosed herein.
Claims (38)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US62/538,626 | 2017-07-28 | | |
| US16/035,239 | 2018-07-13 | | |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK40016385A HK40016385A (en) | 2020-09-11 |
| HK40016385B true HK40016385B (en) | 2022-07-22 |