IMS USER EQUIPMENT, CONTROL METHOD THEREOF, HOST DEVICE, AND CONTROL METHOD THEREOF
    1.
    Invention application
    Status: under examination (published)

    Publication No.: WO2009141919A1

    Publication date: 2009-11-26

    Application No.: PCT/JP2008/059951

    Application date: 2008-05-23

    CPC classification number: H04L63/061 H04L65/1016 H04L2463/062 H04W12/04

    Abstract: An IMS User Equipment (UE) is provided. The IMS UE comprises: searching means for searching, based on UPnP technology, a UPnP network for a host device that has IMS subscription information, establishing means for establishing a session with the host device discovered by the searching means, subscription retrieving means for retrieving, from the host device via the session, the IMS subscription information, registering means for registering with the IMS network using the IMS subscription information, key retrieving means for retrieving, from the host device via the session, a first encryption key shared with an IMS application server (AS) in an IMS network by sending identity of the IMS AS to the host device via the session, and communicating means for performing encrypted communication with the IMS AS using the first encryption key.


    METHOD AND SYSTEM FOR MOBILE DEVICE CREDENTIALING
    3.
    Invention application
    Status: under examination (published)

    Publication No.: WO2009098130A2

    Publication date: 2009-08-13

    Application No.: PCT/EP2009/050829

    Application date: 2009-01-26

    Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator, and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification. A common Public Key Infrastructure (PKI) may be used for operator and device certificates.


    METHOD FOR DIGITAL RIGHTS MANAGEMENT IN A MOBILE COMMUNICATIONS NETWORK
    4.
    Invention application
    Status: under examination (published)

    Publication No.: WO2009078775A1

    Publication date: 2009-06-25

    Application No.: PCT/SE2007/051043

    Application date: 2007-12-19

    CPC classification number: H04W12/08 G06F21/10 G06F2221/0717 H04L2463/101

    Abstract: The present invention relates to a method and an operator network node for enabling a user-defined DRM domain of *SIMs hosted by *SIM-enabled devices. The operator network node is connectable to a *SIM-based device and to a content provider node, and comprises means for establishing a secure channel between a *SIM-based device and an operator network node, means for creating a DRM domain defined by at least one user of *SIM-based devices, means for receiving at the operator network node a registration request from the *SIM-based device to register the *SIM of the *SIM-based device into the created user-defined DRM domain, means for registering at the operator network node the *SIM of the *SIM-based device into the registered user-defined DRM domain, and means for making the registered information associated with the user-defined DRM domain available to the content provider. The invention also relates to a further method and the content provider comprising means for accessing in the operator network node registered information associated with a registered user-defined DRM domain comprising *SIMs of a user, and means for establishing a content provider defined DRM domain comprising at least one of the *SIMs of the user-defined DRM domain.


    SECURE HEADER INFORMATION FOR MULTI-CONTENT E-MAIL
    5.
    Invention application
    Status: under examination (published)

    Publication No.: WO2003005636A1

    Publication date: 2003-01-16

    Application No.: PCT/SE2002/001220

    Application date: 2002-06-18

    CPC classification number: H04L63/0428 H04L51/063 H04L51/38 H04L63/104

    Abstract: A multicontent e-mail has a body part comprising separately encrypted content parts and a header part comprising a clear text part and an encrypted part. The encrypted header part includes a descriptor section and a link section. The link section specifies relationships between content parts. The descriptor section provides information related to each body content part such as information format. The descriptor section, further, provides information for access to any content part such as requirement for authorization. The access information can include executable code exemplary for establishing a negotiation process for access to linked information at a remote information server. Further disclosed is an arrangement for download and decryption of the e-mail header part and analysis of the descriptor section. A user can select any body content part for downloading according to requirements determined from the descriptor section.


    APPARATUSES AND A METHOD FOR PROTECTING A BOOTSTRAP MESSAGE IN A NETWORK
    7.
    Invention application
    Status: under examination (published)

    Publication No.: WO2010090569A1

    Publication date: 2010-08-12

    Application No.: PCT/SE2009/051092

    Application date: 2009-10-01

    Abstract: The embodiments of the present invention relate to apparatuses in the form of a first network unit and a device, and also relate to a method for enabling protection of a bootstrap message in a device management network system. The method comprises: receiving, at the first network unit, a request to bootstrap the device; transmitting a request for a bootstrap key to a second network unit; receiving a message comprising the bootstrap key and further comprising trigger information; and transmitting the trigger information to the device to trigger generation of the bootstrap key internally in the device. Thereafter a protected bootstrap message can be transmitted to the device from the first network unit, and when the device verifies and/or decrypts the bootstrap message, device management (DM) sessions can start between the device and the first network unit.


    DETECTION OF MALICIOUS SOFTWARE IN COMMUNICATION SYSTEM
    8.
    Invention application
    Status: under examination (published)

    Publication No.: WO2009082306A1

    Publication date: 2009-07-02

    Application No.: PCT/SE2007/051068

    Application date: 2007-12-21

    CPC classification number: H04L63/1416 G06F21/56 H04L63/12 H04L63/1491

    Abstract: A method and arrangement in a communications network is disclosed for detection and action on messages originating from execution of malicious software surreptitiously implemented at a user device. The system is initially configured with special addresses generated at the network. A configuration phase includes update of user device address list and registration at network database of special addresses applicable for the user. A message is analyzed with respect to special address indicated as message receiver whereby network functionality determines actions ranging from deletion of message, update of charging data, to further statistical analysis for preventive actions at network level.


    END-TO-EDGE MEDIA PROTECTION
    9.
    Invention application
    Status: under examination (published)

    Publication No.: WO2009068985A2

    Publication date: 2009-06-04

    Application No.: PCT/IB2008/003288

    Application date: 2008-12-01

    Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node.


    METHOD AND ARRANGEMENT FOR AUTHENTICATION PROCEDURES IN A COMMUNICATION NETWORK
    10.
    Invention application
    Status: under examination (published)

    Publication No.: WO2008008014A9

    Publication date: 2009-02-05

    Application No.: PCT/SE2006050625

    Application date: 2006-12-22

    CPC classification number: H04W12/06 H04L63/0815 H04L63/0823 H04L63/0853

    Abstract: The present invention is related to an authentication method and arrangements in a communication system including a Subscriber (50) with a terminal (51), an Operator Node (52) and a Service Provider Node (53), which authentication method is based on an SLA agreement between the Operator (OP) and the Service Provider (SP). The method includes that the Subscriber (50) with terminal (51) performs (5) strong authentication with the Operator Node (52) acting as Registration Authority OP(RA). After the strong authentication is performed by the Operator Node (52) a Mobile Strong Authentication Assertion MSAA is generated (6) and transmitted to the Service Provider Node (53) for validation. By this method the authentication is being delegated from the Service Provider to the Mobile Operator.

