公开(公告)号：US07660417B2

公开(公告)日：2010-02-09

申请号：US10937873

申请日：2004-09-10

Applicant: Rolf Blom ,  Näslund Mats ,  Jari Arkko

Inventor： Rolf Blom ,  Näslund Mats ,  Jari Arkko

IPC: H04K1/00 ,  H04L9/16

CPC classification number: H04W12/04 ,  H04L9/0844 ,  H04L9/3273 ,  H04L63/0428 ,  H04L63/06 ,  H04L2209/80 ,  H04W12/02 ,  H04W12/06

Abstract: A basic idea according to the invention is to enhance or update the basic cryptographic security algorithms by an algorithm-specific modification of the security key information generated in the normal key agreement procedure of the mobile communication system. For communication with the mobile terminal, the network side normally selects an enhanced version of one of the basic cryptographic security algorithms supported by the mobile, and transmits information representative of the selected algorithm to the mobile terminal. The basic security key resulting from the key agreement procedure (AKA, 10) between the mobile terminal and the network is then modified (22) in dependence on the selected algorithm to generate an algorithm-specific security key. The basic security algorithm (24) is then applied with this algorithm-specific security key as key input to enhance security for protected communication in the mobile communications network.

Abstract translation: 根据本发明的基本思想是通过针对移动通信系统的正常密钥协商过程中产生的安全密钥信息的特定于算法的修改来增强或更新基本密码安全性算法。 为了与移动终端通信，网络侧通常选择由移动台支持的基本密码安全算法之一的增强版本，并将表示所选算法的信息发送到移动终端。 然后根据所选择的算法修改（22）移动终端和网络之间的密钥协商过程（AKA，10）产生的基本安全密钥，以生成特定于算法的安全密钥。 然后将基本的安全性算法（24）应用于该特定于算法的安全密钥作为关键输入，以增强移动通信网络中受保护通信的安全性。

公开(公告)号：WO2013034187A1

公开(公告)日：2013-03-14

申请号：PCT/EP2011/065529

申请日：2011-09-08

Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (publ) ,  GRONOWSKI, Kristoffer ,  MURAKAMI, Shingo ,  NÄSLUND, Mats

Inventor： GRONOWSKI, Kristoffer ,  MURAKAMI, Shingo ,  NÄSLUND, Mats

IPC: H04L9/08

CPC classification number: H04L63/062 ,  H04L9/0816 ,  H04L9/0819 ,  H04L9/083 ,  H04L9/0838 ,  H04L63/061 ,  H04L63/083 ,  H04L63/0853 ,  H04L2209/56 ,  H04L2209/80

Abstract: A method comprising the use of a bootstrapping protocol to define a security relationship between a first server and a second server, the first and second servers co-operating to provide a service to a user terminal. A bootstrapping protocol is used to generate a shared key for securing communication between the first server and the second server. The shared key is based on a context of the bootstrapping protocol, and the context is associated with a Subscriber Identity Module (SIM) associated with the user terminal and provides a base for the shared key. A method of the invention may, for example, be employed within a computing/service network such as a "cloud", and in particular for communications between two servers in the cloud that are co-operating to provide a service to a user.

Abstract translation: 一种方法，包括使用引导协议来定义第一服务器和第二服务器之间的安全关系，所述第一和第二服务器协作以向用户终端提供服务。 引导协议用于生成用于保护第一服务器和第二服务器之间的通信的共享密钥。 共享密钥基于引导协议的上下文，并且上下文与与用户终端相关联的订户身份模块（SIM）相关联，并为共享密钥提供基础。 例如，本发明的方法可以在诸如“云”的计算/服务网络内使用，并且特别地用于云中的两个服务器之间的通信，这些服务器正在协作以向用户提供服务。

公开(公告)号：WO2011081588A1

公开(公告)日：2011-07-07

申请号：PCT/SE2010/050001

申请日：2010-01-04

Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL) ,  NÄSLUND, Mats ,  NORRMAN, Karl ,  YLITALO, Jukka ,  NIKANDER, Pekka

Inventor： NÄSLUND, Mats ,  NORRMAN, Karl ,  YLITALO, Jukka ,  NIKANDER, Pekka

IPC: H04L12/56

CPC classification number: H04L45/00 ,  H04L63/04 ,  H04L63/06

Abstract: Methods and arrangements for supporting a forwarding process in routers (R1-R3) when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender (A) and a receiver are encoded. A name server (300) generates and distributes router-associated keys (K, K1-K3) to routers in the network which keys are used for computing the hierarchical parameters.

Abstract translation: 在路由器（R1-R3）中通过分组交换网络路由数据分组时支持转发过程的方法和装置，通过采用其中编码发送器（A）和接收机之间的预定传输路径的跳数的分层参数 。 名称服务器（300）生成并将路由器相关密钥（K，K1-K3）分发给网络中用于计算层次参数的密钥的路由器。

公开(公告)号：WO2010134862A1

公开(公告)日：2010-11-25

申请号：PCT/SE2009/050585

申请日：2009-05-20

Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL) ,  BARRIGA, Luis ,  LILJENSTAM, Michael ,  NERBRANT, Per-Olof ,  NÄSLUND, Mats

Inventor： BARRIGA, Luis ,  LILJENSTAM, Michael ,  NERBRANT, Per-Olof ,  NÄSLUND, Mats

IPC: H04L9/32 ,  H04W8/18 ,  H04W8/22

CPC classification number: H04L9/3271 ,  G06F21/31 ,  G06F2221/2133 ,  G06Q10/107 ,  H04L63/08 ,  H04L2209/805 ,  H04W12/06 ,  H04W48/16 ,  H04W76/10

Abstract: The invention relates to a method, party challenging device (18) and computer program products for providing a challenge to a first terminal (10) intending to communicate with a second terminal (24) via two networks (N1, N2). The party challenging device receives a first electronic message (1M) concerning a transfer of media from the first terminal to the second terminal sent from the first terminal (10) and addressed to the second terminal (24), obtains communication contextual data associated with the first party or the first terminal, provides an electronic challenge message (CHM) including a challenge (CH1l) based on the obtained data and sends the challenge message to the first terminal in order to enable a decision to be made how to process the invitation message for the second terminal based on the correctness of a response (RM) including a response to the challenge.

Abstract translation: 本发明涉及一种方法，一方挑战性装置（18）和用于向第一终端（10）提供有意通过两个网络（N1，N2）与第二终端（24）进行通信的计算机程序产品。 派对挑战装置接收关于从第一终端（10）发送的媒体从第一终端到第二终端的传送并寻址到第二终端（24）的第一电子消息（1M），获得与第一终端相关联的通信上下文数据 第一方或第一终端基于获得的数据提供包括质询（CH1l）的电子质询消息（CHM），并将询问消息发送到第一终端，以便能够做出如何处理邀请消息 基于包括对挑战的响应的响应（RM）的正确性的第二终端。

公开(公告)号：WO2010099823A1

公开(公告)日：2010-09-10

申请号：PCT/EP2009/052560

申请日：2009-03-04

Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) ,  NÄSLUND, Mats ,  BLOM, Rolf ,  CHENG, Yi ,  LINDHOLM, Fredrik ,  NORRMAN, Karl

Inventor： NÄSLUND, Mats ,  BLOM, Rolf ,  CHENG, Yi ,  LINDHOLM, Fredrik ,  NORRMAN, Karl

IPC: H04L29/06 ,  H04W12/04

CPC classification number: H04L63/06 ,  H04L9/0844 ,  H04L2209/80 ,  H04W12/04

Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node. If a signalling plane key has not already been established, then an alternative media plane key is derived from said session key and sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

Abstract translation: 一种建立用于经由相应的第一和第二媒体平面网络节点至少部分地保护在第一和第二终端用户之间交换的媒体平面数据的密钥的方法。 该方法包括从所述第一端点向所述第二端点发送会话建立信令，所述会话建立信令包括由所述第一端点产生的会话密钥。 建立信令在第一信令平面网络节点被拦截，并且确定信令平面密钥是否已被建立用于在所述第一终端和所述第一信令平面网络节点之间保护信令平面。 如果已经建立了信令平面密钥，则从该信令平面密钥导出媒体平面密钥，并且将媒体平面密钥发送到所述第一媒体平面网络节点，以将介质平面固定在所述第一终端用户和所述第一媒体之间 平面网络节点。 如果还没有建立信令平面密钥，则从所述会话密钥导出替代媒体平面密钥，并将其发送到所述第一媒体平面网络节点，以便在所述第一终端用户和所述第一媒体平面网络节点之间保护媒体平面。

公开(公告)号：WO2010053416A1

公开(公告)日：2010-05-14

申请号：PCT/SE2008/051281

申请日：2008-11-07

Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (publ) ,  CSÁSZÁR, András ,  MAGNUSSON, Lars G ,  NÄSLUND, Mats ,  WESTBERG, Lars

Inventor： CSÁSZÁR, András ,  MAGNUSSON, Lars G ,  NÄSLUND, Mats ,  WESTBERG, Lars

IPC: H04L12/56

CPC classification number: H04L45/00 ,  H04L63/0227

Abstract: Method and apparatus for supporting the forwarding of received data packets in a router (402,702) of a packet- switched network. A forwarding table (706a) is configured in the router based on aggregating router keys and associated aggregation related instructions received from a key manager (400,700). Each aggregating router key represents a set of destinations. When a data packet (P) is received comprising an ingress tag derived from a sender key or router key, the ingress tag is matched with entries in the forwarding table. An outgoing port is selected for the packet according to a found matching table entry that further comprises an associated aggregation related instruction. An egress tag is then created according to the aggregation related instruction, and the packet with the created egress tag attached is sent from the selected outgoing port to a next hop router.

Abstract translation: 用于支持在分组交换网络的路由器（402,702）中转发所接收的数据分组的方法和装置。 基于从密钥管理器（400,700）接收的聚合路由器密钥和相关联的聚合相关指令，在路由器中配置转发表（706a）。 每个聚合路由器密钥代表一组目的地。 当接收到包含从发送方密钥或路由器密钥导出的入口标签的数据分组（P）时，入口标签与转发表中的条目匹配。 根据发现的匹配表条目，为分组选择输出端口，进一步包括相关联的聚合相关指令。 然后根据聚合相关指令创建出口标签，并将附加了创建的出口标签的数据包从所选出口端口发送到下一跳路由器。

公开(公告)号：WO2009065923A2

公开(公告)日：2009-05-28

申请号：PCT/EP2008/065967

申请日：2008-11-21

Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) ,  HADDAD, Wassim ,  NÄSLUND, Mats

Inventor： HADDAD, Wassim ,  NÄSLUND, Mats

IPC: H04W12/04 ,  H04W80/04

CPC classification number: H04W12/04 ,  H04L9/3239 ,  H04L63/0823 ,  H04L2209/80 ,  H04L2463/081 ,  H04W8/082 ,  H04W12/06 ,  H04W80/04 ,  H04W88/02 ,  H04W88/182

Abstract: A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.

Abstract translation: 一种在通信网络中建立第一节点和第二节点之间的密码关系的方法和装置。 第一节点接收第二节点的加密属性的至少一部分，使用所接收的至少部分密码属性来生成第一节点的标识符。 加密属性可以是属于第二节点的公共密钥，并且该标识符可以是加密生成的IP地址。 加密关系允许第二节点与第三节点建立它有权代表第一节点行动。

公开(公告)号：WO2008115126A2

公开(公告)日：2008-09-25

申请号：PCT/SE2008/050209

申请日：2008-02-26

Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) ,  HADDAD, Wassim ,  NÄSLUND, Mats

Inventor： HADDAD, Wassim ,  NÄSLUND, Mats

IPC: H04L29/06 ,  G06F21/00

CPC classification number: H04L63/1416 ,  H04L9/30 ,  H04L63/061 ,  H04L63/123 ,  H04L63/1466 ,  H04L2209/24

Abstract: There is disclosed a method, and a communication system, and a communication node for implementing the claimed method, for attempting to enhance legitimacy assessment and thwart a man-in-the middle or similar false-location attack by evaluating the topology of a communication-session requesting node relative to the proposed communication path through a network between the requesting node and the requested node. Upon receiving the request,a PRD (Prefix Reachability Detection) protocol is initiated, either after or during a secure key exchange, if any, which if performed preferably includes an ART (address reachability text). The PRD is executed by sending a message to the communication node challenging the location-authenticity of the requesting device. The communication node, which may be for example an access router through which the requesting node accesses the network, determines if the requesting node is positioned behind the communication node topologically, and reports the result to the requested node. The requested node may then make a decision on whether to permit the communication. If so, the PRD may be repeated one or more times while the communication session is in progress.

Abstract translation: 公开了一种用于实现所要求保护的方法的方法，通信系统和通信节点，用于通过评估通信的拓扑来尝试增强合法性评估并阻止中间或类似的假位置攻击中的人员， 会话请求节点相对于所提出的通信路径通过请求节点和请求节点之间的网络。 在接收到请求后，在安全密钥交换之后或期间，如果执行了PRD（前缀可达性检测）协议，如果执行的话，优先包括ART（地址可达性文本）。 通过向通信节点发送消息来执行请求设备的位置真实性来执行PRD。 通信节点，其可以是例如请求节点访问网络的接入路由器，确定请求节点是否在拓扑结构中位于通信节点后面，并将结果报告给所请求的节点。 所请求的节点然后可以决定是否允许通信。 如果是，则通信会话正在进行时，PRD可以重复一次或多次。

公开(公告)号：WO2013117243A1

公开(公告)日：2013-08-15

申请号：PCT/EP2012/057788

申请日：2012-04-27

Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL) ,  NÄSLUND, Mats ,  IOVIENO, Maurizio ,  NORRMAN, Karl

Inventor： NÄSLUND, Mats ,  IOVIENO, Maurizio ,  NORRMAN, Karl

IPC: H04L29/06

CPC classification number: H04L63/0807 ,  H04L9/3213 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/306

Abstract: A method and apparatus for providing access to an encrypted communication between a sending node and a receiving node to a Law Enforcement Agency (LEA). A Key Management Server (KMS) function stores cryptographic information used to encrypt the communication at a database. The cryptographic information is associated with an identifier used to identify the encrypted communication between the sending node and the receiving node. The KMS receives a request for Lawful Interception, the request including an identity of a Lawful Interception target. The KMS uses the target identity to determine the identifier, and retrieves the cryptographic information associated with the identifier from the database. The cryptographic information can be used to decrypt the encrypted communication. The KMS then sends either information derived from the cryptographic information or a decrypted communication towards the LEA. This allows the LEA to obtain a decrypted version of the communication.

Abstract translation: 一种用于向执法机构（LEA）提供对发送节点和接收节点之间的加密通信的访问的方法和装置。 密钥管理服务器（KMS）功能存储用于加密数据库中的通信的加密信息。 加密信息与用于识别发送节点和接收节点之间的加密通信的标识符相关联。 KMS收到合法侦听请求，该请求包括合法拦截目标的身份。 KMS使用目标身份确定标识符，并从数据库检索与标识符相关联的加密信息。 加密信息可用于解密加密通信。 然后，KMS将从加密信息或解密的通信导出的信息发送给LEA。 这允许LEA获得通信的解密版本。

公开(公告)号：WO2011113873A1

公开(公告)日：2011-09-22

申请号：PCT/EP2011/053999

申请日：2011-03-16

Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL) ,  NORRMAN, Karl ,  HEDBERG, Tomas ,  NÄSLUND, Mats

Inventor： NORRMAN, Karl ,  HEDBERG, Tomas ,  NÄSLUND, Mats

IPC: H04W12/04 ,  H04W36/00

CPC classification number: H04L9/08 ,  H04L63/06 ,  H04W12/04 ,  H04W12/08 ,  H04W36/0038 ,  H04W36/12

Abstract: A method comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key, sending, from the first node to the second node, the second key, and transmitting to the second node the information about the key management capabilities of the mobile terminal.

Abstract translation: 一种方法包括在通过由至少一个第一密钥保护的连接上为移动终端服务的第一节点中保留所述第一密钥和关于移动终端的密钥管理能力的信息。 在将移动终端重定位到第二节点时，该方法包括：如果并且仅当所述密钥管理能力指示由移动终端支持的增强密钥管理能力时，由所述第一节点修改第一密钥，从而创建 第二密钥，从第一节点向第二节点发送第二密钥，并向第二节点发送关于移动终端的密钥管理能力的信息。