Security key generation for simultaneous multiple cell connections for mobile device
Abstract
A first security context is established between a given user computing device and a first network computing device to enable a secure data connection between the given user computing device and the first network computing device. A second security context is established between the given user computing device and a second network computing device to enable a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device. Establishment of the second security context includes the first network computing device sending the given user computing device a simultaneous secure data connection parameter useable by the given user computing device to establish the second security context with the second network computing device.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method, comprising:
establishinga given user computing device generating a first security context between a given user computing device and a first network computing device to enable a secure data connection between the given user computing device and the a first network computing device; and
the given user computing device receiving a simultaneous secure data connection parameter from the first network computing device; and
establishingthe given user computing device generating at least a second security context between the given user computing device and at least a second network computing device to enable a secure data connection between the given user computing device and the at least a second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein establishment of the second security context comprises the first network computing device sending the given user computing device a simultaneous secure data connection parameter useable by the given user computing device utilizes the simultaneous secure data connection parameter to establish generate the second security context with the second network computing device;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to establish generate the second security context as a unique security context for the secure data connection with the second network computing device.
2. The method of claim 1 , wherein the first network computing device is associated with a first cell of a communications network and the second network computing device is associated with a second cell of the communications network.
3. The method of claim 2 , wherein the given user computing device comprises user equipment (UE), the first network computing device comprises a Master Evolved Node B (MeNB) network access point, and the second network computing device comprises a Secondary Evolved Node B (SeNB) network access point.
4. The method of claim 1 , wherein the first network computing device is associated with a first access point and the second network computing device is associated with a second access point.
5. The method of claim 1 , wherein the simultaneous secure data connection parameter comprises a counter function that is configured to monotonically increase or monotonically decrease for each simultaneous data connection.
6. The method of claim 5 , wherein the counter function, when configured to monotonically increase, equals an initial value incremented by one for the simultaneously-connected second network computing device, and is further incremented each time another network computing device is enabled by the first network computing device to establish generate another security context with the given user computing device.
7. The method of claim 6 , wherein the counter function is reset to an initial value when the first security context between the first network computing device and the given user computing device changes.
8. The method of claim 1 , wherein establishment of generating the second security context further comprises computing a security key for the second security context using a key derivation function based on a security key established generated for the first security context and the simultaneous secure data connection parameter.
9. The method of claim 1 , wherein establishment of generating the second security context allows for secure data offload from the first network computing device to the second network computing device.
10. An article of manufacture comprising a non-transitory processor-readable storage medium storing one or more software programs which when executed by one or more processors a processor of a given user computing device cause the given user computing device to perform the steps of the method of claim 1 :
generating a first security context to enable a secure data connection between the given user computing device and a first network computing device;
receiving a simultaneous secure data connection parameter from the first network computing device; and
generating at least a second security context to enable a secure data connection between the given user computing device and at least a second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the given user computing device utilizes the simultaneous secure data connection parameter to generate the second security context with the second network computing device;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to generate the second security context as a unique security context for the secure data connection with the second network computing device.
11. An apparatus comprising:
one or more memories and one or more processors coupled to the one or more memories, and;
the processor being configured to perform the steps of the method of claim 1 :
generating, at a given user computing device, a first security context to enable a secure data connection between the given user computing device and a first network computing device;
receiving, at the given user computing device from the first network device, a simultaneous secure data connection parameter; and
generating, at the given user computing device, at least a second security context to enable a secure data connection between the given user computing device and at least a second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the given user computing device utilizes the simultaneous secure data connection parameter to generate the second security context with the second network computing device;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to generate the second security context as a unique security context for the secure data connection with the second network computing device.
12. A method, comprising:
given a first security context established between a first network computing device and a given user computing device to form a secure data connection between the given user computing device and the first network computing device;
determining at the first computing device to initiate an offload operation;
causing establishment of at least a second security context between the given user computing device and at least a second network computing device to form a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the second security context is at least partially based on a simultaneous secure data connection parameter controlled by the first network computing device;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to establish a unique security context for the secure data connection with the second network computing device.
13. The method of claim 12 , wherein causing establishment of the second security context comprises the first network computing device computing a security key for the second security context based on a security key computed for the first security context and the simultaneous secure data connection parameter.
14. The method of claim 13 , wherein causing establishment of the second security context comprises:
the first network computing device sending an offload request to the second network computing device with the computed security key for the second security context; and
receiving security algorithm parameters identifying a user plane encryption algorithm, a user plane integrity algorithm, a radio resource control encryption algorithm, and a radio resource control integrity algorithm, from the second network computing device.
15. The method of claim 13 , wherein causing establishment of the second security context comprises the first network computing device sending the simultaneous secure data connection counter parameter and one or more parameters associated with the second network computing device to the user computing device to enable the user computing device to compute the security key for the second security context and compute one or more additional keys from the security key for the second security context, the one or more additional keys comprising integrity and ciphering keys.
16. An article of manufacture comprising a non-transitory processor-readable storage medium storing one or more software programs which when executed by a processor perform the steps of the method of claim 12 .
17. An apparatus comprising a memory and a processor coupled to the memory, and configured to perform the steps of the method of claim 12 .
18. A method, comprising:
givenreceiving, at a given user computing device having a first security context established betweenwith a first network computing device and a given user computing device to formfor a secure data connection between the given user computing device and the first network computing device, and given a determination at the first computing devicea request to initiate an offload operation comprising a simultaneous secure data connection parameter; and
the given user computing device establishing generating at least a second security context with at least a second network computing device to form a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the second security context is at least partially based on a the simultaneous secure data connection parameter controlled by the first network computing device and sent to the given user computing device;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to establish generate the second security context as a unique security context for the secure data connection with the second network computing device.
19. An article of manufacture comprising a processor-readable storage medium storing one or more software programs which when executed by a processor of a given user computing device having a first security context established with a first network computing device for a secure data connection between the given user computing device and the first network computing device, cause the given user computing device to perform the steps of the method of claim 18 :
receiving a request to initiate an offload operation comprising a simultaneous secure data connection parameter; and
generating at least a second security context with at least a second network computing device to form a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the second security context is at least partially based on the simultaneous secure data connection parameter;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to generate the second security context as a unique security context for the secure data connection with the second network computing device.
20. An apparatus comprising:
a memory and a processor coupled to the memory,;
andthe processor being configured to perform the steps of the method of claim 18 :
receiving, at a given user computing device having a first security context established with a first network computing device for a secure data connection between the given user computing device and the first network computing device, a request to initiate an offload operation comprising a simultaneous secure data connection parameter; and generating, by the given user computing device, at least a second security context with at least a second network computing device to form a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device, wherein the second security context is at least partially based on the simultaneous secure data connection parameter;
wherein the simultaneous secure data connection parameter comprises a counter that is set to a unique predetermined value for the second network computing device to enable the given user computing device to generate the second security context as a unique security context for the secure data connection with the second network computing device.
21. The apparatus of claim 20, wherein the first network computing device is associated with a first cell of a communications network and the second network computing device is associated with a second cell of the communications network.
22. The apparatus of claim 21, wherein the given user computing device comprises user equipment (UE), the first network computing device comprises a Master Evolved Node B (MeNB) network access point, and the second network computing device comprises a Secondary Evolved Node B (SeNB) network access point.
23. The apparatus of claim 20, wherein the first network computing device is associated with a first access point and the second network computing device is associated with a second access point.
24. The apparatus of claim 20, wherein the simultaneous secure data connection parameter comprises a counter function that is configured to monotonically increase or monotonically decrease for each simultaneous data connection.
25. The apparatus of claim 20, wherein generating the second security context further comprises the given user computing device computing a security key for the second security context using a key derivation function based on a security key generated for the first security context and the simultaneous secure data connection parameter.
26. The apparatus of claim 20, wherein the processor is further configured to perform the step of sending, from the given user computing device, an offload connection request to the second network computing device.
27. The apparatus of claim 20, wherein the processor is further configured to perform the steps of:
receiving, at the given user computing device, an additional request to initiate another offload operation comprising an additional simultaneous secure data connection parameter; generating, by the given user computing device, at least a third security context with at least a third network computing device to form a secure data connection between the given user computing device and the third computing device simultaneous with at least one of: (i) the secure data connection between the given user computing device and the first network computing device; and (ii) the secure data connection between the given user computing device and the second network computing device; wherein the third security context is at least partially based on the additional simultaneous secure data connection parameter; wherein the additional simultaneous secure data connection parameter comprises the counter set to another unique predetermined value for the third network computing device to enable the given user computing device to generate the third security context as a unique security context for the secure data connection with the third network computing device.
28. The apparatus of claim 27, wherein the additional simultaneous secure data connection parameter comprises a value of the counter in the simultaneous secure data connection parameter incremented by one.
29. The apparatus of claim 11, wherein the first network computing device is associated with a first cell of a communications network and the second network computing device is associated with a second cell of the communications network.
30. The apparatus of claim 29, wherein the given user computing device comprises user equipment (UE), the first network computing device comprises a Master Evolved Node B (MeNB) network access point, and the second network computing device comprises a Secondary Evolved Node B (SeNB) network access point.
31. The apparatus of claim 11, wherein the first network computing device is associated with a first access point and the second network computing device is associated with a second access point.
32. The apparatus of claim 11, wherein the simultaneous secure data connection parameter comprises a counter function that is configured to monotonically increase or monotonically decrease for each simultaneous data connection.
33. The apparatus of claim 11, wherein generating the second security context further comprises the given user computing device computing a security key for the second security context using a key derivation function based on a security key generated for the first security context and the simultaneous secure data connection parameter.
34. The apparatus of claim 11, wherein the processor is further configured to perform the step of sending, from the given user computing device, an offload connection request to the second network computing device.
35. The apparatus of claim 11, wherein the processor is further configured to perform the steps of:
receiving, at the given user computing device, an additional request to initiate another offload operation comprising an additional simultaneous secure data connection parameter; generating, by the given user computing device, at least a third security context with at least a third network computing device to form a secure data connection between the given user computing device and the third computing device simultaneous with at least one of: (i) the secure data connection between the given user computing device and the first network computing device; and (ii) the secure data connection between the given user computing device and the second network computing device; wherein the third security context is at least partially based on the additional simultaneous secure data connection parameter; wherein the additional simultaneous secure data connection parameter comprises the counter set to another unique predetermined value for the third network computing device to enable the given user computing device to generate the third security context as a unique security context for the secure data connection with the third network computing device.
36. The apparatus of claim 35, wherein the additional simultaneous secure data connection parameter comprises a value of the counter in the simultaneous secure data connection parameter incremented by one.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.