[go: up one dir, main page]

WO2013032081A1 - Établissement d'une nouvelle interface pour une nouvelle application m2m - Google Patents

Établissement d'une nouvelle interface pour une nouvelle application m2m Download PDF

Info

Publication number
WO2013032081A1
WO2013032081A1 PCT/KR2012/001661 KR2012001661W WO2013032081A1 WO 2013032081 A1 WO2013032081 A1 WO 2013032081A1 KR 2012001661 W KR2012001661 W KR 2012001661W WO 2013032081 A1 WO2013032081 A1 WO 2013032081A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
additional
network
credential
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/KR2012/001661
Other languages
English (en)
Inventor
Dragan Vujcic
Jean-Francois Deprun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LG Electronics Inc
Original Assignee
LG Electronics Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LG Electronics Inc filed Critical LG Electronics Inc
Publication of WO2013032081A1 publication Critical patent/WO2013032081A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • the present document is directed to M2M (Machine to Machine) communication technology. More specifically, the present document is directed to a method for a device to generate components for an additional application and the device for the same.
  • M2M Machine to Machine
  • Machine to Machine (M2M) Communication is seen as a form of data communication between entities that do not necessarily need human interaction. It is different to current communication models as it involves new or different market scenarios. M2M bears enormous application diversity, below is some application domain example :
  • Alarm systems backup for landline, access control, car/driver security, etc.
  • Figure 1 provides the key elements of M2M Domain:
  • the M2M Device Domain is a M2M area that provide connectivity between M2M Devices and M2M Gateways, e.g. Personal Area Network technologies such as IEEE 802.15, SRD, UWB, Zigbee, Bluetooth, etc, or local networks such as PLC, M-BUS, Wireless M-BUS.
  • M2M Gateways e.g. Personal Area Network technologies such as IEEE 802.15, SRD, UWB, Zigbee, Bluetooth, etc, or local networks such as PLC, M-BUS, Wireless M-BUS.
  • M2M Device is a device capable of replying to requests (or transmitting) for data contained within those devices autonomously. Such devices run M2M applications using M2M Service Capabilities. They can be connected to the Network domain either directly via the access network(s) or via M2M gateway(s) as e network proxy.
  • M2M Gateways use M2M capabilities to ensure M2M Devices inter working and interconnection to the communications network (Network Domain).
  • the M2M Core Network Domain provides connectivity between the M2M Device(s)/Gateway(s) and M2M application (server). It can be further split into Access transport and Core networks, e.g.: xDSL, PLC, satellite, LTE, GERAN, UTRAN, eUTRAN, W-LAN, WiMAX, etc.
  • Access transport and Core networks e.g.: xDSL, PLC, satellite, LTE, GERAN, UTRAN, eUTRAN, W-LAN, WiMAX, etc.
  • M2M Application Domain contains the middleware layer where data goes through various application services and is used by the specific business-processing a software agent, or process by which the data can be analyzed, reported, and acted upon.
  • Figure 2 provides the mapping of reference points dIa, mId and mIa interfaces to the different deployment scenarios that are supported by the current release of the specification.
  • gateway (G) shall provide Gateway M2M Service Capabilities (GSCL) that communicates to the Network M2M Service Capabilities NSCL using the mId reference point and to Device Application (DA) or Gateway Application (GA) using the dIa reference point.
  • GSCL Gateway M2M Service Capabilities
  • DA Device Application
  • GA Gateway Application
  • Service Capability Layer credentials such as permanent identifiers and root keys are provisioned to M2M Device. These credentials are required by the M2M Service Bootstrap procedure to configure the M2M Device with initial mutual authentication and secure communication between Device Service Capability Layer (DSCL) on the M2M Device and M2M Service Capability Layer in the network (NSCL), as well as authorization to access specific M2M Services and related accounting/billing functionality.
  • DSCL Device Service Capability Layer
  • NCL Network
  • the M2M Device security capability should provide functionalities to support service bootstrapping, key hierarchy realization for authentication and authorization.
  • the following describes keys used for different levels of Authentication and Authorization in current M2M architecture.
  • Figure 3 shows relationship between keys used for different levels of authentication and authorization.
  • Kr represents a root key.
  • the root key is pre-provisioned and stored within a Secured Environment of the M2M Device. It is coupled with a unique M2M Device and M2M Service Provider. It is used for mutual authentication and key agreement between the M2M Device and the M2M Service Provider, Kr is also used for deriving a service key (Ks) through authentication and key agreement between the M2M Device and the M2M Service Capabilities at the Network domain.
  • Ks service key
  • Ks represents a service key.
  • the service key is derived from Kr, upon successful mutual authentication of the device.
  • Ks is used for generating Ka keys (applications keys).
  • Ks is used for secure communication between Device Service capability layer (DSCL) and the M2M Service provider/Network Service capability layer(NSCL).
  • DSCL Device Service capability layer
  • NSCL M2M Service provider/Network Service capability layer
  • Ka represents a M2M Application key.
  • Ka is used as symmetric shared secret for setting up secure application data sessions authorized applications.
  • Ka keys are derived from Ks, after successful mutual authentication between M2M Device/and M2M Service Provider. Ka is used for authentication and authorization of M2M Applications at the M2M Device and for protection of application data traffic.
  • the requirement for the secure environment of the M2M communications is performed as part of general boot process for the M2M Devices.
  • the boot process configures the device based on pre-provisioned M2M service credentials, such as security root keys for mutual identification and secure communication between the M2M Device and M2M Service Provider.
  • M2M Service Provider hosts the application used by the M2M Device as well as authorization to access specific M2M services, and related accounting/billing functionality.
  • M2M service credentials are required in order to initiate/generate the required M2M interfaces and entities/elements/node to be involved into the specified ETSI M2M architecture.
  • the present invention is directed to a method for a device to establishing new interface for a new M2M application. This involves providing an efficient procedure to generate components for the new application.
  • the method may further comprises: transmitting a request message comprising information for the application credential related with the additional M2M application to a network; and receiving the application credential from the network.
  • the application credential may be received from a network application (NA) entity of the network.
  • the request message may comprise at least one of an ID of the additional M2M application, an ID of the device, and an ID of a user or an event.
  • the temporary root key (Kr’) may be generated by a network service capability layer (NSCL) based on a temporary application key (Kb’).
  • NSCL network service capability layer
  • Kb temporary application key
  • the temporary application key (Kb’) may be generated based on information for the device acquired from an application server or a device manufacture server.
  • the additional M2M application may communicate with the network via a specific reference point interface.
  • the specific reference point interface may be an interface between M2M applications.
  • the application credential may comprise a temporary root key (Kr’) related with the additional M2M application.
  • Kr temporary root key
  • the temporary root key may be acquired based on a validation of a user input with regards to the temporary root key.
  • the temporary root key (Kr’) may be generated by a network service capability layer (NSCL) based on a temporary application key (Kb’).
  • NSCL network service capability layer
  • Kb temporary application key
  • the temporary application key (Kb’) may be generated based on information for the device acquired from an application server or a device manufacture server.
  • Figure 1 provides the key elements of M2M Domain
  • Figure 2 provides the mapping of reference points dIa, mId and mIa interfaces to the different deployment scenarios that are supported by the current release of the specification;
  • Figure 3 shows relationship between keys used for different levels of authentication and authorization
  • Figure 4 shows an exemplary procedure to initiate the required M2M interface and entities
  • Figure 5 shows the concept of new reference point interface which can be either inside or outside of M2M core
  • FIG. 7 shows an embodiment of the present invention
  • Figure 8 shows entities within the M2M device domain
  • Figure 9 shows an example of establishing new reference point interface
  • Figure 10 shows another example of establishing new reference point interface.
  • M2M service credentials are required in order to initiate/generate the required M2M interfaces and entities/elements/nodes to be involved into the specified ETSI M2M architecture.
  • Figure 4 shows an exemplary procedure to initiate the required M2M interface and entities.
  • a user when a user wants to initiate an application (e.g. smart metering application), the user can put this information through a user interface to application e.g. web portal interface (using monitoring, user preference, etc).
  • the application has a mIa interface with ETSI M2M service capability layer, and the ETSI M2M service capability layer has a mId interface with M2M service capability layer of the device.
  • the mId interface allows a M2M Service Capabilities residing in a M2M Device or M2M Gateway to communicate with the M2M Service Capabilities in the Network Domain and vice versa.
  • mId uses core network connectivity functions as an underlying layer.
  • M2M service capability layer in the M2M gateway or in the M2M device has a dIa interface with M2M application in the device.
  • the M2M service credentials e.g. M2M IDs, M2M keys, etc. are either pre-provisioned, stored by default into the device (device memory) or provisioned from the access network, i.e in UICC (Universal Integrated Circuit Card) based on the a business relationship between the Access Network Provider and the M2M Service Provider.
  • UICC Universal Integrated Circuit Card
  • the mIa reference point offers generic and extendable mechanism for Network Applications interactions with the NSCL.
  • the mIa reference point, between NA and NSCL, shall support the procedures for the following functions, which include:
  • Request device management actions e.g. software upgrade, configuration management.
  • Request device management actions e.g. software upgrade, configuration management.
  • the access network only facilitates connectivity to the web page of the new service provider.
  • the new interface allows possibly into M2M core getting required service credentials needed for bootstrapping procedure to create the required secure environment interfaces (e.g.: dla, mla, mld) and entities(e.g.: nodes, service capabilities layers, etc8) in the M2M core communications as specified by the ETSI M2M architecture above.
  • Figure 6 shows the mapping of the proposed reference point interface to the existing deployment scenarios that are supported by the current release of the specification.
  • the device in order to establish new reference point interface, the device shall acquire application credential related with the additional M2M application.
  • the device transmits a request message comprising information for an application credential related with the additional application (S710) to a network.
  • the application credential may be acquired differently.
  • the request message may comprise at least one of an ID of the additional application, an ID of the device, and an ID of a user or an event.
  • This message may be transmitted to a NA (Network Application).
  • Figure 8 shows entities within the M2M device domain.
  • the M2M device domain comprises DA (Device Application), DSCL (Device SCL) and one or more communication modules. Also, DA and DSCL can be employed within a communication node. Thus, when generating entities for additional application, one may think of generating application, then SCL, and communication node for the same.
  • the present embodiment proposes to generate a communication node first, then generate a SCL for the communication node, and finally generate the additional application for the SCL of the communication node. Since the present invention is for adding new application which does not have credentials pre-provisioned by default, and for a situation when there are no business relationships between the access Network provider and the M2M service provider. Thus, by generating the entities from node, SCL and application, we can stably establish keys to be used for these entities.
  • the device may generate a service capability layer (SCL) for the communication node (S740). For this, new Ks’ may be generated based on Kr’. Then, the device may generate the additional application for the SCL of the communication node (S750). Also, the device may generate a new application key, Ka’, for the additional application.
  • SCL service capability layer
  • Ka new application key
  • the device When the user or an external event of the device needs a new M2M application, the device has only the information about the application entered by the user/external event. This information is used by the device to contacts the Application Server. This connection allows selecting the M2M Platform Provider used for the management of the Secret Keys. Note that the M2M Platform Provider is not selected (it could be) by the device manufacturer but by the Application provider.
  • the second step is a confirmation to the User/Event to be sure of the device request for a new application. Then different processes are possible as examples which are described below.
  • Figure 9 shows an example of establishing new reference point interface.
  • the keys (Kb, K1, K2 and K3) are preprovisioning keys between the actors of the M2M. Relationships between Application provider (with the NA, GA and DA), M2M provider (with the SCL) are mandatory. These relationships need encrypted communications and authentications.
  • a user or an external event may select a M2M application (001).
  • the user or the external event may send a request to the device (DA ?Device Application- or GA ?Gateway Application) (002).
  • the request there may be information about: the user/event. e.g the name of the user or the ID of the event; the application (it can be the application itself or the ID application. In this last case, the application will be downloaded later); the NA ID (it is the identifier of the server which is in charge of the application); the Kb (this key is shared with the NA.
  • This key shall be used to encrypt the communication between the DA/GA and the NA. e.g.: a license key printed in the box of the DA/GA).
  • the DA/GA may create the M2M node with the Kb key (003).
  • This DA/GA M2M Node can be empty.
  • the NA ID the DA/GA may send a Connection request to the NA (004).
  • This request may contain information about the application, device and user/external event. This request can be encrypted with the Kb.
  • the NA can send a request to the Device manufacturer to have more information about the device (005).
  • the device manufacturer server may answer to this request (006).
  • the NA shall select a SCL (and a NSCL) (007).
  • the Kb key can be updated.
  • the NA may send a Kr-Init request to the NSCL (008).
  • the application using the Id of the device, the Kb, and the user/event ID is transmitted.
  • This request may be encrypted with the Kb (Kb’) Key.
  • This information will be used to authenticate the DA/GA with the NA and NA with DA/GA.
  • the user may input information or will be within the loop of transmission (options 1 and 3).
  • the user has very low possibility to enter information in the DA/GA (e.g. no screen, no keyboard; the user can only push a button).
  • the option 2 can be used.
  • the DA/GA has already received the information from the SCL.
  • User/External Event Sender stamps this information (e.g. confirms its ID) (010).
  • User/External Event Sender shall enter this information (IDs, key) in the DA/GA (011).
  • User/External Event Sender may inform the NA that the information was transmitted to the DA/GA (012).
  • the NSCL may send User/Event ID and application ID with a new key to the NA/GA (013).
  • the DA/GA may transmit all or a part of this information to the User/Event (014).
  • User/External Event Sender may stamp this information (e.g. confirms its ID) (015). Then, user/External Event Sender shall enter this information (IDs, key) in the DA/GA (016).
  • the DA/GA may transmit and confirm the User/Event validation (017).
  • the authentication is first performed. Based on this, M2M node is generated (Step 3).
  • Device may transmit the node created Kr (M2M node ID) to M2M platform Provider Server. Based on this, Ks may be created at both of M2M node in device and M2M Platform Provider Server. By using this Ks, M2M platform Provider Server may contact to Service Server and establish connection. Then, SCL may be generated in the device (step 4).
  • Kr node created Kr
  • M2M platform Provider Server may contact to Service Server and establish connection.
  • SCL may be generated in the device (step 4).
  • the device may transmit this SCL created Ks (SCL ID) to Service Server. Then, Ka can be created.
  • Service Server may connect to application server and deliver the device ID, SCL ID and application ID.
  • Application Server may transmits application and its ID to the device, and the device can generate the application (step 5).

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Telephonic Communication Services (AREA)

Abstract

L'invention concerne un procédé pour un dispositif permettant de générer des composants pour une application supplémentaire, et le dispositif associé. Le procédé consiste à acquérir un justificatif d'application relatif à l'application M2M supplémentaire ; générer un nœud de communication d'après une authentification du justificatif d'application acquis ; générer une couche de capacité de service (SCL) pour le nœud de communication ; et générer l'application M2M supplémentaire pour le SCL du nœud de communication. Le dispositif comprend des modules de communication et un processeur configuré pour mettre en œuvre le procédé.
PCT/KR2012/001661 2011-09-01 2012-03-07 Établissement d'une nouvelle interface pour une nouvelle application m2m Ceased WO2013032081A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201161530374P 2011-09-01 2011-09-01
US61/530,374 2011-09-01

Publications (1)

Publication Number Publication Date
WO2013032081A1 true WO2013032081A1 (fr) 2013-03-07

Family

ID=47756527

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2012/001661 Ceased WO2013032081A1 (fr) 2011-09-01 2012-03-07 Établissement d'une nouvelle interface pour une nouvelle application m2m

Country Status (1)

Country Link
WO (1) WO2013032081A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9838258B2 (en) 2014-12-04 2017-12-05 At&T Intellectual Property I, L.P. Network service interface for machine-to-machine applications

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100099625A (ko) * 2009-03-03 2010-09-13 주식회사 케이티 M2m 모듈에서의 가입자 인증 정보 저장 방법 및 이를 위한 구조
US20100304716A1 (en) * 2009-06-02 2010-12-02 Vodafone Holding Gmbh Registering a mobile device in a mobile communication network
US20110154022A1 (en) * 2008-06-12 2011-06-23 Telefonaktiebolaget Lm Ericsson (Publ) Method and Apparatus for Machine-to-Machine Communication
KR20110070596A (ko) * 2009-12-18 2011-06-24 주식회사 케이티 어플리케이션 다운로드 방법 및 장치간 통신 모듈

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110154022A1 (en) * 2008-06-12 2011-06-23 Telefonaktiebolaget Lm Ericsson (Publ) Method and Apparatus for Machine-to-Machine Communication
KR20100099625A (ko) * 2009-03-03 2010-09-13 주식회사 케이티 M2m 모듈에서의 가입자 인증 정보 저장 방법 및 이를 위한 구조
US20100304716A1 (en) * 2009-06-02 2010-12-02 Vodafone Holding Gmbh Registering a mobile device in a mobile communication network
KR20110070596A (ko) * 2009-12-18 2011-06-24 주식회사 케이티 어플리케이션 다운로드 방법 및 장치간 통신 모듈

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9838258B2 (en) 2014-12-04 2017-12-05 At&T Intellectual Property I, L.P. Network service interface for machine-to-machine applications

Similar Documents

Publication Publication Date Title
CN110881184B (zh) 通信方法和装置
WO2020071887A1 (fr) Procédé de fourniture de paramètres de service à un ue et à un réseau dans un système 5g
WO2020145623A1 (fr) Appareil et procédé de gestion de profil esim de dispositif d'issp
WO2016010312A1 (fr) Procédé et dispositif pour installer un profil d'une carte à circuit intégré universelle incorporée (euicc)
WO2022019725A1 (fr) Procédés et systèmes pour identifier une ausf et accéder à des clés associées dans un service prose 5g
WO2020032491A1 (fr) Dispositif et procédé permettant de fournir une capacité radio d'équipement utilisateur à un réseau central d'un système de communication mobile
WO2020204475A1 (fr) Procédé pour fournir des informations d'abonnement sur des réseaux non publics à un terminal
WO2011081311A2 (fr) Procédé et système d'assistance à la sécurité dans un système de communications mobiles
WO2017116097A1 (fr) Procédé et appareil d'émission et de réception de profils dans un système de communication
WO2014193181A1 (fr) Procédé et appareil d'installation de profil
WO2013048084A2 (fr) Procédé de gestion de profil, uicc intégré, et dispositif pourvu de l'uicc intégré
WO2015147547A1 (fr) Procédé et appareil permettant la prise en charge de l'ouverture de session au moyen d'un terminal d'utilisateur
WO2014109597A1 (fr) Procédé de changement de passerelle dans un système machine à machine (m2m) et dispositif correspondant
WO2019009557A1 (fr) Procédé et appareil destinés à examiner un certificat numérique par un terminal esim et serveur
WO2013036009A1 (fr) Procédé pour gérer une uicc intégrée et uicc intégrée correspondante, et système de mno, procédé de mise à disposition et procédé pour changer de mno les utilisant
WO2015105374A1 (fr) Dispositif et procédé pour le faire fonctionner
WO2020251312A1 (fr) Procédé d'approvisionnement dynamique d'une clé pour authentification en dispositif relais
WO2014092385A1 (fr) Procédé de sélection de fournisseur de réseau de communication mobile à l'aide d'un profil de provisionnement, et appareil l'utilisant
WO2023249320A1 (fr) Procédé, dispositif et système de communication de dds
EP2630756A1 (fr) Procédé et appareil pour partager une connexion internet sur la base d'une configuration automatique d'une interface réseau
WO2015065165A1 (fr) Procédé de sécurité et système pour assister la découverte et la communication entre des terminaux de service basés sur la proximité dans un environnement de système de communication mobile
WO2012093900A2 (fr) Procédé et dispositif pour authentifier une entité de réseau personnel
WO2012044072A2 (fr) Procédé d'attribution de clé utilisateur dans un réseau convergent
WO2022145880A1 (fr) Procédé et système d'optimisation d'un mécanisme de rafraîchissement de clé akma dans un réseau sans fil
WO2015105402A1 (fr) Procédé et système de prise en charge de sécurité pour découverte de service et communication de groupe dans un système de communication mobile

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12827430

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12827430

Country of ref document: EP

Kind code of ref document: A1