
WO2016079309A1 - Profile to ensure the same level of security as in the existing 3GPP system for proximity services (ProSe) EPC support for WLAN direct discovery and communication - Google Patents


Info

Publication number
WO2016079309A1 (PCT/EP2015/077241; also cited as WO 2016079309 A1 and EP2015077241W)
Authority
WO
WIPO (PCT)
Prior art keywords
message
security
user equipment
prose
area network
Application number
PCT/EP2015/077241
Other languages
English (en)
Inventor
Anja Jerichow
Original Assignee
Nokia Solutions And Networks Oy
Application filed by Nokia Solutions And Networks Oy
Publication of WO2016079309A1 (patent/WO2016079309A1/fr)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W 8/24 Transfer of terminal data
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • Ensuring security in communications may be beneficial in many communication systems.
  • Certain wireless communication systems may benefit from a profile to ensure the same level of security (for example, confidentiality and integrity) as in the existing 3GPP system, as required for proximity service (ProSe) Direct Communication and ProSe-assisted EPC support for WLAN direct discovery and communication.
  • Certain communication systems may benefit from a profile that can permit the evolved packet system (EPS) to ensure the confidentiality and integrity of both user data and network signaling over the ProSe Communication path and the ProSe-assisted WLAN direct communication path to a level comparable with that provided by the existing 3GPP system.
  • EPS: evolved packet system.
  • Proximity services have been specified to allow users with ProSe-enabled user equipment (UEs) that are in proximity to each other to communicate.
  • Proximity Services are specified in third generation partnership project (3GPP) technical specification (TS) 22.278 (requirements; see Section 7A for general and Section 9 for security requirements), TS 23.303 (architecture), and TS 33.303 (security).
  • TS 24.334: PC3 interface.
  • TS 29.343: PC2.
  • TS 29.344: PC4a.
  • TS 29.345: PC6/PC7.
  • TS 22.278, TS 23.303, TS 24.334, TS 29.343, TS 29.344, and TS 29.345 are incorporated herein by reference in their entirety.
  • ProSe-enabled UEs may need to be authorized to use proximity services such as Direct Discovery and Direct Communication or EPC support for WLAN Direct Discovery and Communication. Furthermore, the communication between ProSe-enabled UEs may need to be secured.
  • TS 22.278 Section 9.4 on ProSe security requirements states: "The EPS shall ensure that the confidentiality and integrity of both user data and network signalling over the ProSe Communication path and ProSe-assisted WLAN direct communication path to a level comparable with that provided by the existing 3GPP system."
  • ProSe discovery identifies that ProSe-enabled UEs are in proximity of each other, using E-UTRA (with or without E-UTRAN) or EPC, when permission, authorization, and proximity criteria are fulfilled.
  • ProSe discovery can be ProSe direct discovery or EPC-level ProSe discovery (i.e. core network assisted discovery for roaming).
  • ProSe communication may permit establishment of new communication paths between two or more ProSe-enabled UEs that are in communication range. The ProSe communication path could use E-UTRA or wireless local area network (WLAN).
  • ProSe direct communication can be ProSe direct communication one-to-many or ProSe direct communication one-to-one.
  • A ProSe function is the logical function that is used for network-related actions required for ProSe.
  • The ProSe function plays different roles for each of the features of ProSe.
  • WLAN direct communication between two UEs is not in the scope of 3GPP, but 3GPP entities may need to provide the necessary information so that the UEs can use WLAN for ProSe communication, if the UE has indicated WLAN capability and whether it wants to use WLAN.
  • Figure 1 illustrates a generic architecture of ProSe, for example a non-roaming reference architecture.
  • UE A and UE B, each having a ProSe application thereon, can be connected to a ProSe application server via interface PC1.
  • The ProSe application server can be connected to a ProSe function via interface PC2.
  • The ProSe function can be connected to UE A and UE B by interface PC3.
  • The ProSe function can be connected to a home subscriber server (HSS) and to a secure user plane location (SUPL) location platform (SLP) by interfaces PC4a and PC4b respectively.
  • Interface PC5 can connect UE A and UE B to one another.
  • When the UE registers at the ProSe function and intends to use EPC support for WLAN direct discovery and communication, it can already provide a permanent WLAN Link Layer ID, or it can obtain a temporary WLAN Link Layer ID (WLLID) from the ProSe Function later, as part of the Proximity Request procedure.
  • WLLID: WLAN Link Layer ID.
  • A proximity request can be used by the UE to tell the ProSe Function to alert it when it enters proximity with other UEs.
  • The UE can indicate whether it has any intention to use WLAN.
  • The network triggers the Proximity Alert procedure and can provide WLAN assistance information to the UE.
  • The assistance information can be designed to expedite WLAN direct discovery and communication.
  • The content of the assistance information may depend on the technology used on the WLAN direct link. All the content in the assistance information may be dynamically generated by ProSe Function A, with the exception of the WLAN Link Layer ID in case the other UE supports only a permanent WLLID.
  • FIG. 2A illustrates the signaling flow for EPC support for WLAN direct communication.
  • Figure 2A is Figure 5.6.2-1 from TS 23.303.
  • The ProSe function can decide to trigger the establishment of a WLAN direct group.
  • The ProSe function can send a WLAN direct group setup request including assistance information to UE-A.
  • UE-A can respond to the ProSe function with a WLAN direct group setup response, at 2b.
  • The same request/response can be performed with respect to UE-B at 3a/3b.
  • FIG. 2B illustrates an overall call flow for EPC-level ProSe Discovery and optional EPC support for WLAN direct discovery and communication.
  • This figure is Figure 5.5.2-1 in TS 23.303.
  • A UE A can perform UE registration with ProSe function A.
  • UE B can similarly perform UE registration with ProSe function B.
  • At 2a UE A can perform application registration with ProSe function A, and at 2b UE B can similarly perform application registration with ProSe function B.
  • FIG. 2C illustrates possible security operations for EPC support for WLAN direct communication.
  • Figure 2C is Figure 6.4.2-1 of S3-142433, a 3GPP change request dated October 30, 2014.
  • The ProSe Function can authorize UEs that want to establish a WLAN direct group and can generate security parameters for WLAN.
  • The ProSe function can send (to UE-A) a WLAN direct group setup request including assistance information that includes security parameters.
  • UE-A can reply with a WLAN direct group setup response.
  • The ProSe function can perform the same setup with UE-B. Then, at 4, UE-A and UE-B can establish a WLAN security association to protect the ProSe communication.
  • The WLAN indication parameter can be used to carry an indication of whether the searching UE wishes to engage in WLAN direct discovery and communication subsequent to successful proximity detection.
  • Section 12.3.2.13 of TS 24.334 covers the Assistance Information parameter, which is used to carry information for expediting WLAN direct discovery and communication.
  • The content of the assistance information parameter may depend on the WLAN technology.
  • The Wi-Fi Peer-to-Peer (P2P) specification defines an architecture and a set of protocols that facilitate direct discovery and communication using IEEE 802.11 technology.
  • The Assistance Information can include the following parameters: service set identifier (SSID), WLAN secret key, group owner indication, P2P device address of self, P2P device address of peers, operation channel, and validity time. This may not be enough: the protection method to use (e.g. wired equivalent privacy (WEP), Wi-Fi protected access (WPA) variants, and so on, as can be found in IEEE 802.11) may need to be specified as well.
  • The Wi-Fi Direct or any appropriate specification can be used to identify the parameters.
  • The WLAN secret key is a pre-shared key to be used by UEs to secure their Wi-Fi P2P communication.
  • The WLAN secret key can be used by UEs as a pairwise master key (PMK).
  • The ProSe function can provide the WLAN Secret Key for ProSe Direct Communication with WLAN.
  • WLAN direct communication as such is not specified in 3GPP.
  • Commercial products like Wi-Fi Direct may be used for this.
  • The ProSe function may need to provide the assistance information as specified in stage 3 TS 24.334 (12.3.2.13), including the SSID and the WLAN secret key to be used by the UEs to secure their Wi-Fi P2P communication.
  • UEs can register at the ProSe function and already include the WLAN indication (optional if an identifier) if WLAN communication is an option for the UE.
  • The communication between the ProSe function and the UE is via the PC3 interface in the reference architecture.
  • The PC3 interface may need to be secured (for example, authorized, authenticated, and/or confidentiality protected) for sending any information.
  • This need for security may be independent of the usage of assistance information for WLAN or of any other information provisioned to the UEs. Thus, the specific security needed for PC3 is not described here.
  • The ProSe requirements in TS 22.278 Section 9.4 state that the EPS is to ensure that the confidentiality and integrity of both the user data and the network signaling over the ProSe communication path and the ProSe-assisted WLAN direct communication path are protected to a level comparable with that provided by the existing 3GPP system.
  • Figure 3 illustrates a subset of a reference architecture.
  • This architecture is described in TS 23.303.
  • The architecture can include interface PC3.
  • PC3 can be described as the reference point between the UE and the ProSe Function.
  • PC3 can rely on the EPC user plane for transport, for example as an "over IP" reference point.
  • PC3 can be used to authorize ProSe direct discovery and EPC-level ProSe discovery requests, and can be used to perform allocation of ProSe application codes corresponding to ProSe application identities used for ProSe direct discovery.
  • PC3 can be used to define the authorization policy per public land mobile network (PLMN) for ProSe direct discovery, both for public safety and non-public-safety, and for communication for public safety only between UE and ProSe function.
  • PLMN: public land mobile network.
  • FIG. 3 also shows interface PC4a.
  • PC4a can be described as the reference point between the HSS and the ProSe function.
  • PC4a can be used to provide subscription information in order to authorize access for ProSe direct discovery and ProSe direct communication on a per-PLMN basis.
  • PC4a can also be used by the ProSe function (such as an EPC-level ProSe discovery function) for retrieval of EPC-level ProSe discovery related subscriber data.
  • ProSe function: for example, an EPC-level ProSe discovery function.
  • UE registration procedure initiation is based on pre-configuration: if the UE is authorized to perform EPC-level ProSe discovery in the registered PLMN, the UE can initiate the UE registration procedure when it is triggered by upper layers to obtain EPC-level ProSe discovery services and has no corresponding EPC ProSe User ID.
  • The UE may initiate the UE registration procedure by sending a UE REGISTRATION REQUEST message with the UE identity set to the UE's IMSI. If the UE intends to use EPC support for WLAN direct discovery and communication and if the UE uses a permanent WLAN link layer identifier, then the UE can also include the WLAN link layer identifier in the UE REGISTRATION REQUEST message.
  • The purpose of the proximity request procedure may be to allow a UE (UE A) to request to be alerted when it enters proximity with a targeted UE (UE B), as defined in 3GPP TS 23.303.
  • UE A can perform the proximity request procedure with the ProSe Function residing in the home PLMN (HPLMN).
  • HPLMN: home PLMN.
  • The purpose of the proximity alert procedure may be to inform the UE (UE A) that it has been determined to be in proximity with the targeted UE (UE B), as defined in 3GPP TS 23.303.
  • If UE A has indicated in the proximity request procedure that it wishes to engage in WLAN direct discovery and communication with UE B, the proximity alert procedure can also be used to provide assistance information that may expedite the WLAN direct discovery and communication to both UE A and UE B.
  • The proximity alert procedure can be initiated by the ProSe Function residing in the HPLMN.
  • A method can include preparing a security capability registration message.
  • The message can be configured to identify security capabilities with respect to an alternative radio access technology.
  • The method can also include using the message to register security capabilities of a user equipment with a proximity services function.
  • The alternative radio access technology can be wireless local area network.
  • The message can be configured to describe at least one of wireless local area network technology supported, supported protection method, supported cipher, key length, or any combination thereof.
  • Using the message can involve including a wireless local area network security capability registration message along with, or embedded in, a wireless local area network indication parameter sent to the proximity services function.
  • The method can also include receiving from the proximity services function a set of parameters common to the user equipment and another device.
  • The method can further include communicating with another nearby user equipment based on the set of parameters.
  • A method can include receiving a security capability registration message.
  • The message can be configured to identify security capabilities of a user equipment with respect to an alternative radio access technology.
  • The method can also include comparing the security capabilities to other security capabilities.
  • The method can further include providing a response to the message based on the comparing.
  • The alternative radio access technology can be wireless local area network.
  • The comparing can include comparing the content of the security capability registration message against a wireless local area network security profile and determining whether the logical intersection of the content and the profile is a non-empty group.
  • The method can further include selecting an acceptable set of parameters among those that the user equipment and the proximity services function have in common.
  • The method can additionally include identifying the acceptable set to the user equipment.
  • The method can also include generating assistance information based on the acceptable set of parameters.
  • The method can further include sending the assistance information to the user equipment.
  • An apparatus can include means for performing the method according to the first and second embodiments respectively, in any of their variants.
  • An apparatus can include at least one processor and at least one memory and computer program code.
  • The at least one memory and the computer program code can be configured to, with the at least one processor, cause the apparatus at least to perform the method according to the first and second embodiments respectively, in any of their variants.
  • A computer program product may encode instructions for performing a process including the method according to the first and second embodiments respectively, in any of their variants.
  • A non-transitory computer readable medium may encode instructions that, when executed in hardware, perform a process including the method according to the first and second embodiments respectively, in any of their variants.
  • A system may include at least one apparatus according to the third or fifth embodiments in communication with at least one apparatus according to the fourth or sixth embodiments, respectively in any of their variants.
  • Figure 1 illustrates a generic architecture of ProSe, for example a non-roaming reference architecture.
  • Figure 2A illustrates signaling flow for EPC support for WLAN direct communication.
  • Figure 2B illustrates an overall call flow for EPC-level ProSe Discovery and optional EPC support for WLAN direct discovery and communication.
  • Figure 2C illustrates possible security operations for EPC support for WLAN direct communication.
  • Figure 3 illustrates a subset of a reference architecture.
  • Figure 4 illustrates a first alternative of providing user equipment capabilities, according to certain embodiments.
  • Figure 5 illustrates a second alternative of providing user equipment capabilities, according to certain embodiments.
  • Figure 6 illustrates a third alternative of providing user equipment capabilities, according to certain embodiments.
  • Figure 7 illustrates an alternative of obtaining user equipment capabilities, according to certain embodiments.
  • Figure 8 illustrates ProSe function handling of received security capabilities, according to certain embodiments.
  • Figure 9 illustrates a table of keys and values or meanings, according to certain embodiments.
  • Figure 10 illustrates a method according to certain embodiments.
  • Figure 11 illustrates a system according to certain embodiments.
  • Certain embodiments are related to ProSe direct discovery and communication using WLAN.
  • The UE and the ProSe function may communicate via PC3 to discover, configure, and provide the WLAN assistance information.
  • Certain embodiments may relate to security for EPC support for WLAN direct discovery and communication, and to how to ensure that the ProSe-assisted WLAN direct communication path is at a security level comparable with that provided by the existing 3GPP system, as may be mandated by the set of requirements defined and described above.
  • Certain embodiments define a WLAN security capability registration message that the UE shall use to register its WLAN security capabilities with the ProSe function.
  • This message can contain relevant information regarding the UE, for example: WLAN technology supported, supported protection method, supported ciphers, key length, or any combination thereof.
  • The supported protection method may, for example, be WPA, WPA-Enterprise, or the like.
  • The message can extend the WLAN indication parameter sent from the UE to the ProSe function.
  • A WLAN security capability profile can be defined.
  • The profile can contain the same type of information as the WLAN security capability registration message.
  • The profile can represent one or more sets of WLAN security capabilities that a UE is to have, from the point of view of the ProSe function, in order for the UE to be allowed to conduct ProSe communication using WLAN.
  • This profile can, for example, be configured by the party responsible for the ProSe function, such as the mobile network operator, depending on issues such as public safety requirements or legal constraints relating to privacy of communications.
  • In a first step, the UE can include a WLAN security capability registration message along with, or embedded in, a WLAN indication parameter that the UE sends to the ProSe function.
  • In a second step, the ProSe function can compare the content of the WLAN security capability registration message against the WLAN security profile, for example by determining whether the logical intersection of the two is a non-empty group.
  • In a third step, the ProSe function can select an acceptable set of parameters, for example the protection method and/or cipher and key length that would provide the highest level of security, among those that the UE and the ProSe function have in common. Otherwise, for example if there is no such common acceptable set of parameters, the ProSe function may refuse to configure the UE for ProSe direct communication via WLAN.
  • In a fourth step, the ProSe function can generate assistance information based on the parameters selected in the third step, and can send the assistance information back to the terminal.
  • Certain embodiments can be implemented by adding another information element to the assistance information when alerting the UE of another device in proximity that also would like to use WLAN, as described in TS 24.334.
  • Before using the alerting procedure, the UE may need to provide its own security capabilities either to the ProSe Function or to the HSS, so that the ProSe Function can decide which WLAN security profile to use, for example either by comparing the profiles of the two UEs directly or by requesting the profiles from the HSS.
  • Figure 4 illustrates a first alternative of providing user equipment capabilities, according to certain embodiments.
  • The WLAN security capability registration message can be a standalone message or can be integrated as part of the UE registration procedure as described in TS 24.334, 7.2.2.
  • The UE can send a <UE REGISTRATION REQUEST> to the ProSe function. Then, the ProSe function can respond with a <UE REGISTRATION RESPONSE/REJECT> message.
  • A <WLAN SECURITY CAPABILITY PROVISIONING REQUEST> message can be an additional step following the <UE
  • The <WLAN SECURITY CAPABILITY PROVISIONING REQUEST> can contain at least the <transaction-ID>.
  • The transaction ID can be a parameter that is used to uniquely identify a PC3 Control Protocol for EPC-level ProSe discovery transaction when it is combined with other PC3 Control Protocol for EPC-level ProSe discovery transactions in the same transport message.
  • This new message may also include parameters that are described in the following examples.
  • FIG. 5 illustrates a second alternative of providing user equipment capabilities, according to certain embodiments.
  • WLAN security capabilities can be sent as part of the <UE_REGISTRATION_REQUEST>.
  • A new element such as <WLAN security capabilities>, containing at least some of the parameters described below, can be used.
  • The <UE_REGISTRATION_REQUEST> element can include one or more <UE-register-request> elements, each containing a transaction sent from the UE to the ProSe function to register the UE.
  • Each <UE-register-request> can include a <transaction-ID> element containing the parameter defined in subclause 12.3.2.1; a <UE-identity> element containing the parameter defined in subclause 12.3.2.2; and a <WLAN-link-layer-ID> element containing the parameter defined in subclause 12.3.2.6.
  • The ProSe function can either provide a registration response with an acknowledgment or a registration rejection.
  • Figure 6 illustrates a third alternative of providing user equipment capabilities, according to certain embodiments.
  • The ProSe function may request the UE to provide the user equipment capabilities.
  • The <WLAN SECURITY CAPABILITY REQUEST> message may include the transaction ID previously provided to the UE.
  • The response from the UE may include the transaction ID and the WLAN security capabilities.
  • Figure 7 illustrates an alternative of obtaining user equipment capabilities, according to certain embodiments. As shown in Figure 7, instead of the approaches on PC3 (see Figures 4-6), different variants with or without PC4a exist. For example, the HSS may be used to store WLAN security capabilities, having obtained them through integration with another protocol. In such cases, the ProSe function may request the information.
  • Figure 7 illustrates two alternatives for PC4a additions.
  • In the first alternative, the ProSe function may request the WLAN security capabilities together with EPC-level ProSe discovery related subscriber data. Otherwise, as shown in the second alternative, the ProSe function may send the requests separately (the order of the requests does not have to be as shown).
  • The HSS does not have to be used; the ProSe function can instead store the ProSe-related security capabilities itself.
  • The HSS is provided as one possible network element that may have the relevant information, although other network elements are also possible.
  • Figure 8 illustrates ProSe function handling of received security capabilities, according to certain embodiments.
  • The ProSe function may receive the WLAN security capabilities from the user equipment, for example in any of the ways shown in Figures 4-6.
  • The ProSe function may store the capabilities itself and/or send them to a home subscriber server. If the ProSe function sends them to a home subscriber server without storing them, the ProSe function may later retrieve the capabilities from the home subscriber server, for example as shown in Figure 7 or as shown as optional steps in Figure 8.
  • The ProSe server may retrieve (from itself or from another entity) the capabilities of each member of the group of user equipment that may want to talk to one another.
  • The ProSe function can compare the results of such retrieval and add appropriate WLAN security capability information to the assistance information provided with a proximity alert.
  • The UE may decide later to engage in WLAN direct discovery and communication and therefore start communication subsequent to successful proximity detection with another UE.
  • The UE may have registered but not yet sent the capabilities to the ProSe function.
  • In that case, the UE may include its WLAN security capabilities in the PROXIMITY REQUEST message together with the WLAN indication.
  • The format of the WLAN security capability registration message and of the WLAN security profile can vary. Both may be made of one or more groups of key/value elements. Each group may represent a capability of the UE or a requirement from the ProSe function.
  • The key/value elements for each group are shown in Figure 9. More particularly, Figure 9 illustrates a table of keys and values or meanings, according to certain embodiments.
  • FIG. 9 illustrates that the keys can include protection mode, key length, EAP, EAP method, VPN, and VPN method.
  • The values and/or meanings of the keys can be as follows.
  • The protection mode key can indicate WEP, WPA Personal (also known as WPA-PSK), WPA-Enterprise, WPA2-PSK, and/or WPA2-Enterprise.
  • The key length may be an optional item. It can be used whenever applicable, such as for WEP.
  • EAP can be a Boolean indicating whether EAP is supported.
  • EAP method can indicate EAP-PSK, EAP-TLS, EAP-SIM, EAP-MD5, LEAP, PEAP, the like, or any combination thereof.
  • VPN can be a Boolean indicating whether any VPN can be automatically established over a Wi-Fi connection. This may be particularly relevant for IPsec.
  • VPN method can indicate PPTP, L2TP, IPsec, or the like.
  • WEP and WPA are given for exemplary purposes. WEP or WPA version 1 may be unsuitable for ProSe direct communication. Further key/value elements may be provided as each technology is further analyzed. Analyzed technologies can include EAP methods or VPN.
  • Another method that can be used is for the ProSe function to assume that ProSe-capable UEs have a standardized set of WLAN security capabilities. These may be provided by, for example, device provisioning at manufacture time.
  • The ProSe function may keep this data, or the ProSe function may send the data to be stored as a profile in the HSS, either separately from or within an already existing HSS profile.
  • The ProSe function can either evaluate itself which WLAN security the UEs should use, or the ProSe function may request the HSS to evaluate. In the former case, the ProSe Function may still need to request the stored capabilities from the HSS.
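The following Python program is an added worked example, not code from the patent or from Nokia Solutions and Networks. It models the four-step procedure described above (the UE registers its WLAN security capabilities, the ProSe function intersects them with the operator's WLAN security profile, selects the strongest common set or refuses, and generates assistance information) together with the Figure 8 handling, where the ProSe function compares the capabilities of two UEs before a proximity alert. The key names follow the Figure 9 table; the message field names, the strength ranking of protection modes, and the sample capability sets are assumptions made for this example, and a real PC3 message would be XML as in TS 24.334.

```python
import secrets
from dataclasses import dataclass, asdict
from typing import FrozenSet, Optional

# Protection modes ordered from strongest to weakest. This ranking is an
# assumption for the example; the patent only states that WEP and WPA
# version 1 may be unsuitable for ProSe direct communication.
PROTECTION_RANK = ["WPA2-Enterprise", "WPA2-PSK", "WPA-Enterprise", "WPA-PSK", "WEP"]


@dataclass(frozen=True)
class CapabilityGroup:
    """One key/value group of the Figure 9 table: a capability of the UE or a
    requirement of the ProSe function's WLAN security profile."""
    protection_mode: str
    key_length: Optional[int] = None    # optional, used where applicable (e.g. WEP)
    eap: bool = False
    eap_method: Optional[str] = None
    vpn: bool = False
    vpn_method: Optional[str] = None


def strength(group: CapabilityGroup) -> tuple:
    """Sort key for 'highest level of security': a lower tuple is stronger."""
    return (PROTECTION_RANK.index(group.protection_mode),
            0 if group.eap else 1, 0 if group.vpn else 1, -(group.key_length or 0))


def ue_registration_request(transaction_id: int, imsi: str,
                            groups: FrozenSet[CapabilityGroup]) -> dict:
    """UE side: a <UE_REGISTRATION_REQUEST> carrying the WLAN indication and a
    <WLAN security capabilities> element (the Figure 5 alternative). Field
    names are assumptions made for this example."""
    return {"transaction-ID": transaction_id, "UE-identity": imsi,
            "WLAN-indication": True,
            "WLAN-security-capabilities": [asdict(g) for g in groups]}


def parse_capabilities(message: dict) -> FrozenSet[CapabilityGroup]:
    """Rebuild the UE's capability groups from the received message."""
    return frozenset(CapabilityGroup(**g) for g in message["WLAN-security-capabilities"])


def select_common(*capability_sets: FrozenSet[CapabilityGroup]) -> Optional[CapabilityGroup]:
    """Logical intersection of all given sets (UE capabilities and the operator
    profile); returns the strongest common group, or None if the intersection
    is empty. Passing two UEs plus the profile gives the Figure 8 comparison."""
    common = frozenset.intersection(*capability_sets)
    return min(common, key=strength) if common else None


def handle_registration(message: dict, profile: FrozenSet[CapabilityGroup]) -> dict:
    """ProSe function side: compare the registered capabilities against the
    profile and answer with a response or a rejection (same transaction-ID)."""
    chosen = select_common(parse_capabilities(message), profile)
    if chosen is None:
        return {"transaction-ID": message["transaction-ID"], "result": "REJECT",
                "cause": "no WLAN security capability acceptable to the profile"}
    return {"transaction-ID": message["transaction-ID"], "result": "RESPONSE",
            "selected": chosen}


def assistance_information(ssid: str, chosen: CapabilityGroup, group_owner: bool) -> dict:
    """Assistance Information parameters named in the patent (SSID, WLAN secret
    key, group owner indication) plus the protection method the patent proposes
    adding. The WLAN secret key is generated fresh per group; the UEs use it as PMK."""
    info = {"SSID": ssid,
            "WLAN-secret-key": secrets.token_hex(32),   # 256-bit PMK, hex encoded
            "group-owner": group_owner,
            "protection-method": chosen.protection_mode}
    if chosen.key_length is not None:
        info["key-length"] = chosen.key_length
    if chosen.eap:
        info["EAP-method"] = chosen.eap_method
    return info


# Constructed sample data: an operator profile and three UEs with differing capabilities.
PROFILE = frozenset({CapabilityGroup("WPA2-Enterprise", eap=True, eap_method="EAP-TLS"),
                     CapabilityGroup("WPA2-PSK")})
UE_A = frozenset({CapabilityGroup("WPA2-Enterprise", eap=True, eap_method="EAP-TLS"),
                  CapabilityGroup("WPA2-PSK"), CapabilityGroup("WPA-PSK")})
UE_B = frozenset({CapabilityGroup("WPA2-PSK"), CapabilityGroup("WPA-PSK"),
                  CapabilityGroup("WEP", key_length=128)})
UE_C = frozenset({CapabilityGroup("WEP", key_length=128)})   # legacy-only device

if __name__ == "__main__":
    for name, caps in (("A", UE_A), ("B", UE_B), ("C", UE_C)):
        print(name, handle_registration(ue_registration_request(1, "imsi-" + name, caps), PROFILE))
    alert = select_common(UE_A, UE_B, PROFILE)   # Figure 8: both UEs and the profile
    print("proximity alert:", assistance_information("prose-group", alert, group_owner=True))
```

Run as a script, UE A is offered WPA2-Enterprise with EAP-TLS, UE B is offered WPA2-PSK, and UE C is rejected because its only capability (WEP) is outside the profile; the proximity alert for A and B settles on WPA2-PSK, the strongest group all three sets share. Treating each group as an exact-match set element keeps the "logical intersection" literal; an operator profile that wants to express minimum rather than exact requirements would need a per-key comparison instead.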
  • The table in Figure 9 can be variously implemented.
  • The table in Figure 9 could be translated, for example, as follows:
  • Figure 10 illustrates a method according to certain embodiments.
  • a method can include, at 1010, preparing a security capability registration message, for example by a user equipment.
  • the message can be configured to identify security capabilities with respect to an alternative radio access technology.
  • the alternative radio access technology can be wireless local area network. This radio access technology may differ from a radio access technology over which the message is to be sent.
  • the method can also include, at 1020, using the message to register security capabilities of a user equipment with a proximity services function.
  • the message can be configured to describe at least one of wireless local area network technology supported, supported protection method, supported cipher, key length, or any combination thereof.
  • the information described in Figure 9 may be provided in the message.
  • Using the message can involve including a wireless local area network security capability registration message along with, or embedded in, a wireless local area network indication parameter to the proximity services function.
  • the method can further include, at 1030, receiving from the proximity services function a set of parameters common to the user equipment and another device.
  • the other device can be the proximity services function or another user equipment.
  • the method can additionally include, at 1040, communicating with another nearby user equipment based on the set of parameters.
  • the method can also include, at 1050, receiving a security capability registration message configured to identify security capabilities of a user equipment with respect to an alternative radio access technology. This message can be received at a proximity services function.
  • the method can also include, at 1060, comparing the security capabilities to other security capabilities. These other security capabilities may be a set of compatible security capabilities or a set of security capabilities of at least one user equipment near the user equipment.
  • the method can further include, at 1070, providing a response to the message based on the comparing.
  • the alternative radio access technology comprises wireless local area network.
  • the message received at 1050 can be the same message sent at 1020.
  • the comparing can include comparing content of the security capability registration message against a wireless local area network security profile and determining whether a logical intersection of the content and the profile is a non-empty group.
  • the method can additionally include, at 1080, selecting an acceptable set of parameters among those that the user equipment and the proximity services function have in common.
  • the method can also include, at 1085, identifying the acceptable set to the user equipment.
  • the method can further include, at 1090, generating assistance information based on the acceptable set of parameters.
  • the method can additionally include, at 1095, sending the assistance information to the user equipment.
  • Figure 11 illustrates a system according to certain embodiments of the invention.
  • a system may include multiple devices, such as, for example, at least one UE 1110, at least one ProSe function 1120, and at least one HSS 1130.
  • Each of these devices may include at least one processor, respectively indicated as 1114, 1124, and 1134.
  • At least one memory can be provided in each device, indicated as 1115, 1125, and 1135, respectively.
  • the memory may include computer program instructions or computer code contained therein.
  • the processors 1114, 1124, and 1134 and memories 1115, 1125, and 1135, or a subset thereof, can be configured to provide means corresponding to the various blocks of Figure 10.
  • transceivers 1116, 1126, and 1136 can be provided, and each device may also include an antenna, respectively illustrated as 1117, 1127, and 1137.
  • antenna 1137 can illustrate any form of communication hardware, without requiring a conventional antenna.
  • Transceivers 1116, 1126, and 1136 can each, independently, be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.
  • Processors 1114, 1124, and 1134 can be embodied by any computational or data processing device, such as a central processing unit (CPU), application specific integrated circuit (ASIC), or comparable device.
  • the processors can be implemented as a single controller, or a plurality of controllers or processors.
  • Memories 1115, 1125, and 1135 can independently be any suitable storage device, such as a non-transitory computer-readable medium.
  • a hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used.
  • the memories can be combined on a single integrated circuit as the processor, or may be separate from the one or more processors.
  • the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.
  • the memory and the computer program instructions can be configured, with the processor for the particular device, to cause a hardware apparatus such as UE 1110, ProSe function 1120, or HSS 1130 to perform any of the processes described herein (see, for example, Figure 10). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware.
  • Figure 11 illustrates a system including a UE, ProSe function, and HSS.
  • embodiments of the invention may be applicable to other configurations, and configurations involving additional elements.
  • additional UEs may be present, and additional core network elements may be present, as illustrated in Figure 1.
  • Certain embodiments may have various benefits and/or advantages.
  • the same level of confidentiality and integrity can be provided as for communication in 3GPP.
  • confidentiality and integrity can be maintained if the only WLAN configurations that are allowed are those that meet such a requirement.
  • WLAN Direct Discovery and WLAN Direct Communication can be restricted to happen only within EPC-level ProSe Discovery (TS 24.334 section 7). Furthermore, the UE Registration Request may be made mandatory before any proximity request is made and before any proximity alert is received.
  • the system may be restricted such that the only way for the UE to receive assistance information is via the proximity alert message.
  • An XML schema is already defined for this, see TS 24.334 section 11.2.3:
  • the UE can be told which SSID, key and channel to use, but not which 802.11 technology or protection method to use, in certain embodiments.
  • the "WLAN Assistance-info" complexType can be extended according to the XML schemas above.
  • Extending the UE Registration Request may lead to a proximity alert being given with appropriate assistance information.
  • the other options such as separate Registration Request and Response initiated from the UE and separate Capability Information Request/Response initiated from the ProSe function, may be made optional.
  • An Update ProSe Subscriber Data Request is a procedure that, as explained in TS 29.344, can be used by an HSS to update the relevant subscriber related data in the ProSe Function to replace a specific part of the user data stored in the ProSe Function with the data sent.
  • the information elements of an Update ProSe Subscriber Data Request are described in more detail in TS 29.344, table 5.3.1-1.
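The negotiation described in the Figure 10 steps, the Figure 9 style key/value capability list, and the restriction that a UE must register before it receives assistance information in a proximity alert, as an added Python example (not code from the patent, from Nokia or from 3GPP): the dictionary keys, the contents of the WLAN security profile, the preference ranking and the XML element names are assumptions made for illustration; the real WLAN Assistance-info schema lives in TS 24.334 and is not reproduced here.

```python
# Added example, not code from the patent or 3GPP: the UE/ProSe Function
# negotiation of Figure 10 over Figure 9 style key/values, plus the rule that a
# UE must register before it gets assistance info in a proximity alert. Dict
# keys, profile contents, rank tables and XML element names are assumptions.
from dataclasses import dataclass
from xml.etree import ElementTree as ET

TECH_RANK = {"802.11g": 0, "802.11n": 1, "802.11ac": 2}   # preference (assumed)
PROT_RANK = {"WEP": 0, "WPA": 1, "WPA2": 2}
CIPHER_RANK = {"RC4": 0, "TKIP": 1, "AES-CCMP": 2}
FORBIDDEN = {"WEP", "WPA"}   # never acceptable for ProSe direct communication


@dataclass(frozen=True)
class Capabilities:
    technologies: frozenset
    protection: frozenset
    ciphers: frozenset
    eap_methods: frozenset = frozenset()   # optional item

    def intersect(self, other):
        """Logical intersection, category by category."""
        return Capabilities(self.technologies & other.technologies,
                            self.protection & other.protection,
                            self.ciphers & other.ciphers,
                            self.eap_methods & other.eap_methods)

    def is_non_empty(self):
        """Mandatory categories must all intersect; EAP may be empty."""
        return bool(self.technologies and self.protection and self.ciphers)


# Profile meant to match 3GPP-level confidentiality and integrity; WEP and
# WPA version 1 are deliberately absent (assumed contents).
PROFILE = Capabilities(frozenset({"802.11n", "802.11ac"}), frozenset({"WPA2"}),
                       frozenset({"AES-CCMP"}), frozenset({"EAP-TLS"}))


def parse_registration(msg):
    """Capabilities carried with the WLAN indication of a UE Registration Request."""
    if not msg.get("wlan-indication"):
        raise ValueError("no WLAN indication, nothing to register")
    caps = msg["wlan-security-capabilities"]
    eap = caps.get("eap-method", ()) if caps.get("eap") else ()
    return Capabilities(frozenset(caps["technology"]), frozenset(caps["protection-method"]),
                        frozenset(caps["cipher"]), frozenset(eap))


def select_parameters(common):
    """Strongest option per category of a non-empty common set."""
    chosen = {"technology": max(common.technologies, key=lambda t: TECH_RANK.get(t, -1)),
              "protection": max(common.protection, key=lambda p: PROT_RANK.get(p, -1)),
              "cipher": max(common.ciphers, key=lambda c: CIPHER_RANK.get(c, -1))}
    if common.eap_methods:
        chosen["eap"] = sorted(common.eap_methods)[0]
    return chosen


class ProSeFunction:
    def __init__(self, profile=PROFILE):
        self.profile = profile
        self.registered = {}   # UE id -> acceptable parameter set

    def register(self, ue_id, msg):
        """Steps 1050-1085: compare, reject an empty intersection, select."""
        common = parse_registration(msg).intersect(self.profile)
        if not common.is_non_empty():
            raise PermissionError(f"{ue_id}: no WLAN configuration meets the profile")
        self.registered[ue_id] = select_parameters(common)
        return self.registered[ue_id]

    def proximity_alert(self, ue_id, ssid, key, channel):
        """Steps 1090-1095: assistance info extended with technology, protection
        method and cipher. A UE that never registered gets no alert."""
        if ue_id not in self.registered:
            raise PermissionError(f"{ue_id}: UE Registration Request required first")
        p = self.registered[ue_id]
        root = ET.Element("WLAN-assistance-info")   # element names are assumptions
        for tag, val in (("SSID", ssid), ("key", key), ("channel", str(channel)),
                         ("technology", p["technology"]),
                         ("protection-method", p["protection"]), ("cipher", p["cipher"])):
            ET.SubElement(root, tag).text = val
        return ET.tostring(root, encoding="unicode")


def ue_accepts(assistance_xml, own_caps):
    """UE-side check: act only on assistance info that names a method the UE
    registered itself and that is not a forbidden (downgrade) method."""
    root = ET.fromstring(assistance_xml)
    prot, cipher, tech = (root.findtext(t) for t in ("protection-method", "cipher", "technology"))
    return (prot in own_caps.protection and prot not in FORBIDDEN
            and cipher in own_caps.ciphers and tech in own_caps.technologies)


# Constructed registration messages for two UEs (not captured traffic).
UE_A_MSG = {"wlan-indication": True, "wlan-security-capabilities": {
    "technology": ["802.11n", "802.11ac"], "protection-method": ["WPA", "WPA2"],
    "cipher": ["TKIP", "AES-CCMP"], "eap": True, "eap-method": ["EAP-TLS", "EAP-MD5"]}}
UE_B_MSG = {"wlan-indication": True, "wlan-security-capabilities": {
    "technology": ["802.11g"], "protection-method": ["WEP", "WPA"],
    "cipher": ["RC4", "TKIP"], "eap": False}}
```

Registering UE_A yields WPA2 with AES-CCMP over 802.11ac and EAP-TLS, because those are the strongest members of the non-empty intersection with the profile; UE_B, which only offers WEP or WPA version 1 on 802.11g, is rejected at registration and never reaches the proximity-alert stage. The UE-side check is the part worth copying: a UE that blindly applied whatever protection method an alert named could be talked into WEP by anyone able to spoof or tamper with the alert, so it re-validates the alert against what it registered and against the forbidden list.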

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Ensuring security in communications may be advantageous in many communication systems. For example, certain wireless communication systems could benefit from a profile that provides the same level of security (for example, confidentiality and integrity) as in the existing 3GPP system, as required for proximity service (ProSe) direct communication and for EPC support of ProSe-assisted WLAN direct discovery and communication. In other words, certain communication systems could benefit from a profile that allows the Evolved Packet System (EPS) to provide confidentiality and integrity of both user data and network signalling on the ProSe communication path and on a ProSe-assisted WLAN direct communication path, to a level comparable to that provided by the existing 3GPP system. A method according to the invention may comprise preparing a security capability registration message. The message may be configured to identify security capabilities with respect to an alternative radio access technology. The method may also comprise using the message to register security capabilities of a user equipment with a proximity services function.
PCT/EP2015/077241 2014-11-20 2015-11-20 Profile to provide the same level of security as in the existing 3GPP system for EPC support of proximity services (ProSe) for WLAN direct discovery and communication WO2016079309A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462082449P 2014-11-20 2014-11-20
US62/082,449 2014-11-20

Publications (1)

Publication Number Publication Date
WO2016079309A1 true WO2016079309A1 (fr) 2016-05-26

Family

ID=54608537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/077241 WO2016079309A1 (fr) 2014-11-20 2015-11-20 Profile to provide the same level of security as in the existing 3GPP system for EPC support of proximity services (ProSe) for WLAN direct discovery and communication

Country Status (1)

Country Link
WO (1) WO2016079309A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018165548A1 (fr) * 2017-03-10 2018-09-13 Stojanovski Alexandre Saso Technology coordination for device-to-device discovery
WO2018199597A1 (fr) 2017-04-28 2018-11-01 Samsung Electronics Co., Ltd. Electronic device and proximity discovery method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Proximity-based Services (ProSe); Security aspects (Release 12)", 3GPP STANDARD; 3GPP TS 33.303, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V12.1.0, 26 September 2014 (2014-09-26), pages 1 - 48, XP050926105 *
HUAWEI ET AL: "Considerations on security for EPC supported WLAN direct discovery and communication", vol. SA WG3, no. San Francisco, US; 20141117 - 20141121, 7 December 2014 (2014-12-07), XP050925324, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/SA/Docs/> [retrieved on 20141207] *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018165548A1 (fr) * 2017-03-10 2018-09-13 Stojanovski Alexandre Saso Technology coordination for device-to-device discovery
US11812497B2 (en) 2017-03-10 2023-11-07 Apple Inc. Technology coordination for device-to-device discovery
WO2018199597A1 (fr) 2017-04-28 2018-11-01 Samsung Electronics Co., Ltd. Electronic device and proximity discovery method thereof
CN110521192A (zh) * 2017-04-28 2019-11-29 Samsung Electronics Co., Ltd. Electronic device and proximity discovery method thereof
EP3616424A4 (fr) * 2017-04-28 2020-03-04 Samsung Electronics Co., Ltd. Electronic device and proximity discovery method thereof
US10904737B2 (en) 2017-04-28 2021-01-26 Samsung Electronics Co., Ltd. Electronic device and proximity discovery method thereof

Similar Documents

Publication Publication Date Title
US9253811B2 (en) Network-assisted device-to-device communication
JP6266807B2 (ja) Separating service and network provider identification information in wireless communication
JP6538070B2 (ja) Provisioning of credentials in wireless communication
KR102046159B1 (ko) Security method and system for supporting a subscription operator re-subscription or additional subscription restriction policy in mobile communication
KR101681854B1 (ko) Discovery and operation of hybrid wireless wide area and wireless local area networks
US20170171752A1 (en) Securing signaling interface between radio access network and a service management entity to support service slicing
JP6671527B2 (ja) Method and apparatus for a terminal device to discover another terminal device
KR20180034449A (ko) Techniques for broadcasting service discovery information
JP6159020B2 (ja) Proximity service authorization method, apparatus and system
KR20110091305A (ko) Method and apparatus for PLMN selection for an emergency call in MOCN
US20160262019A1 (en) Security method and system for supporting discovery and communication between proximity based service terminals in mobile communication system environment
WO2016110093A1 (fr) Terminal, system and method for D2D mode B discovery security, and information storage medium
JP2018537927A (ja) Support of emergency services over WLAN access to the 3GPP evolved packet core for unauthenticated users
US20190274039A1 (en) Communication system, network apparatus, authentication method, communication terminal, and security apparatus
KR102088848B1 (ko) Security method and system for supporting ProSe group communication or public safety in mobile communication
JP6476523B2 (ja) Wireless access point
CN116746182A (zh) Secure communication method and device
CN108616805B (zh) Emergency number configuration and acquisition method and apparatus
US9131365B2 (en) Methods, apparatuses and computer program products for securing communications
JP2023080266A (ja) Mobility management node, user equipment, and methods thereof
JP6522799B2 (ja) Method for discovering a handover capability of a mobile communication network, system for discovering a handover capability of a mobile communication network, user equipment, program and computer program product
JP7053812B2 (ja) Public warning messages over non-3GPP access
US20200169885A1 (en) Method and system for supporting security and information for proximity based service in mobile communication system environment
WO2016079309A1 (fr) Profile to provide the same level of security as in the existing 3GPP system for EPC support of proximity services (ProSe) for WLAN direct discovery and communication
EP3163920B1 (fr) Method for processing a ProSe service authorization change, first network element and second network element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15797675; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15797675; Country of ref document: EP; Kind code of ref document: A1)