Apparatus and method for signalling enhanced security context for session encryption and integrity keys

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to security context signalling. A method for establishing a first security context between a remote station and a serving network, the first security context having a security property that is not supported by a second security context, the method comprising: the remote station forwarding a first message to the serving network, wherein the first message includes an information element; the remote station generating an integrity session key and an encryption session key in accordance with the first security context; the remote station receiving a second message having a message authentication code indicating that the serving network supports the first security context; the remote station verifying the message authentication code using the integrity session key; and the remote station, in response to successful verification of the message authentication code, performs wireless communication protected by the encryption session key.

EFFECT: providing signalling on support of an improved security context.

31 cl, 8 dwg

 

Cross-reference to related applications

The present application claims priority to U.S. provisional patent application No. 61/324,646, filed April 15, 2010, which is incorporated herein by reference.

The technical field to which the invention relates

The present invention generally relates to signalling an enhanced security context for user equipment operating in a universal mobile telecommunication service (UMTS) network and/or a GSM EDGE radio access network (GERAN).

Background art

Successful AKA (authentication and key agreement) authentication in a third-generation (3G) UMTS radio access network, or in GERAN networks using 3G AKA authentication, results in a pair of shared keys, the encryption key (CK) and the integrity key (IK), for secure communication between the user equipment (UE) and the network. The shared keys can be used directly to protect traffic between the UE and the network, as in the case of UTRAN (UMTS terrestrial radio access network), or can be used to statically derive keys, for example K_C or K_C128, in the case of GERAN (GSM EDGE radio access network).

A compromised key may lead to serious security problems until the keys are changed at the next AKA authentication. As a rule, AKA authentication is not performed often because of the significant overhead it requires. Also, if both keys (CK and IK) are compromised, then the GERAN keys are compromised as well.

In UMTS/HSPA (high speed packet access) deployments, some or all of the functionality of a radio network controller (RNC) and a Node B can be combined into one node at the network edge. The RNC needs the keys for functions such as user plane encryption, signalling plane encryption and integrity protection. However, the RNC functionality may be deployed in a vulnerable location, such as a Home Node B in a UMTS femtocell. Accordingly, RNC functionality deployed in a potentially insecure location that allows access (including physical access) may allow the keys CK and IK to be compromised.

Session keys (modified versions of CK and IK) can be used to reduce the security risks associated with vulnerable RNC functionality. Methods of providing such session keys are disclosed in U.S. patent application publication No. US 2007/0230707 A1.

Unfortunately, the use of such session keys requires upgrade modifications to the serving networks. However, network operators can be expected to upgrade their serving networks step by step.

Consequently, there is a need for a method of signalling support for an enhanced security context that is compatible with legacy serving networks.

SUMMARY OF THE INVENTION

An aspect of the present invention may reside in a method for establishing a first security context between a remote station and a serving network. The first security context has a security property that is not supported by a second security context. In this method, the remote station sends a first message to the serving network, wherein the first message includes an information element signalling that the remote station supports the first security context. The remote station generates at least one session key, in accordance with the first security context, using the information element. The remote station receives, in response to the first message, a second message having an indication that the serving network supports the first security context. The remote station, in response to the second message, performs wireless communication protected by the at least one session key.

In more detailed aspects of the invention, the information element may contain a counter value updated for the session. In addition, the indication that the serving network supports the first security context may include an authentication code generated based on at least one corresponding session key generated by the serving network using the information element received from the remote station. Also, the remote station may include mobile user equipment.

In other more detailed aspects of the invention, the serving network may be a UMTS serving network. The first security context may be an enhanced UMTS security context and the second security context may be a legacy UTRAN security context. Alternatively, the serving network may be a GERAN serving network.

Another aspect of the invention may reside in a remote station which may include means for sending a first message to a serving network, wherein the first message includes an information element signalling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; means for generating at least one session key, in accordance with the first security context, using the information element; means for receiving, in response to the first message, a second message having an indication that the serving network supports the first security context; and means for performing, in response to the second message, wireless communication protected by the at least one session key.

Another aspect of the invention may reside in a remote station which may include a processor configured to: send a first message to a serving network, wherein the first message includes an information element signalling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; generate at least one session key, in accordance with the first security context, using the information element; receive, in response to the first message, a second message having an indication that the serving network supports the first security context; and perform, in response to the second message, wireless communication protected by the at least one session key.

Another aspect of the invention may reside in a computer program product comprising a computer-readable storage medium that contains code for causing a computer to send a first message to a serving network, wherein the first message includes an information element signalling that the computer supports a first security context, and wherein the first security context has a security property that is not supported by a second security context; code for causing the computer to generate at least one session key, in accordance with the first security context, using the information element; code for causing the computer to receive, in response to the first message, a second message having an indication that the serving network supports the first security context; and code for causing the computer to perform, in response to the second message, wireless communication protected by the at least one session key.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig.1 is a block diagram of an example wireless communication system.

Fig.2 is a block diagram of an example wireless communication system in accordance with the architecture of UMTS/UTRAN.

Fig.3 is a block diagram of an example wireless communication system in accordance with the GERAN architecture.

Fig.4 is a flow chart of a method of establishing an enhanced security context between a remote station and the serving network.

Fig.5 is a flow chart of a method of establishing an enhanced security context between a remote station and the serving network based on an attach request message.

Fig.6 is a flow chart of a method of establishing at least one session key from an enhanced security context between a remote station and the serving network based on a service request message.

Fig.7 is a flow chart of a method of establishing at least one session key from an enhanced security context between a remote station and the serving network based on a routing area update request message.

Fig.8 is a block diagram of a computer that includes a processor and memory.

DETAILED DESCRIPTION

The term “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described herein as “exemplary” should not necessarily be construed as preferred or advantageous over other embodiments.

As shown in Fig.2-4, an aspect of the present invention may reside in a method 400 for establishing an enhanced security context between a remote station 210 and the serving network 230. In this method, the remote station sends a first message to the serving network (step 410), wherein the first message includes an information element signalling that the remote station supports the enhanced security context. The remote station generates at least one session key, CK_S and IK_S, in accordance with the enhanced security context, using the information element (step 420). The remote station receives, in response to the first message, a second message having an indication that the serving network supports the enhanced security context (step 430). The remote station, in response to the second message, performs wireless communication protected by the at least one session key (step 440).

The information element may contain a counter. In addition, the indication that the serving network supports the enhanced security context may contain an authentication code (MAC) generated based on the corresponding at least one session key generated by the serving network 230 using the information element received from the remote station 210. Also, the remote station may include mobile user equipment (UE), such as a wireless device.

As further shown in Fig.8, another aspect of the invention may reside in a remote station 210 which may include means (processor 810) for sending a first message to the serving network 230, wherein the first message includes an information element signalling that the remote station supports the enhanced security context; means for generating at least one session key, in accordance with the enhanced security context, using the information element; means for receiving, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and means for performing, in response to the second message, wireless communication protected by the at least one session key.

Another aspect of the invention may reside in a remote station 210 which may include a processor 810 configured to: send a first message to the serving network 230, wherein the first message includes an information element signalling that the remote station supports the enhanced security context; generate at least one session key, in accordance with the enhanced security context, using the information element; receive, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and perform, in response to the second message, wireless communication protected by the at least one session key.

Another aspect of the invention may reside in a computer program product comprising a computer-readable storage medium 820 that contains code for causing a computer 800 to send a first message to the serving network 230, wherein the first message includes an information element signalling that the computer supports an enhanced security context; code for causing the computer to generate at least one session key, in accordance with the enhanced security context, using the information element; code for causing the computer to receive, in response to the first message, a second message having an indication that the serving network supports the enhanced security context; and code for causing the computer to perform, in response to the second message, wireless communication protected by the at least one session key.

The serving core network 230 is connected to the serving RAN (radio access network) 220, which provides wireless communication with a remote station 210. In the UMTS/UTRAN architecture, the serving RAN includes a Node B and an RNC (radio network controller). In the GERAN architecture, the serving RAN includes a BTS (base transceiver station) and a BSC (base station controller). The serving core network includes an MSC/VLR (mobile switching center/visitor location register) to provide circuit-switched (CS) services and an SGSN (serving GPRS support node) to provide packet-switched (PS) services. The home network includes an HLR (home location register) and an AuC (authentication centre).

The UE 210 and the serving core network 230 can be enhanced with new security properties to create an enhanced UMTS security context (ESC) using COUNT (a counter value). A 256-bit root key (K_ASMEU) for the ESC can be derived from CK and IK when AKA authentication is performed. The root key can be set equal to CK||IK, or it may be derived using a more complex derivation that gives additional useful security properties (e.g., CK and IK do not need to be stored). COUNT can be a 16-bit counter value that is maintained between the UE and the serving core network. (Note: the legacy UTRAN security context consists of KSI (a 3-bit key set identifier), CK (a 128-bit encryption key) and IK (a 128-bit integrity key).)

As shown in Fig.5, in the method 500 relating to UMTS attach procedures, the UE 210 can signal that it supports ESC in a UMTS attach request message (step 510). ESC is an example of the first security context. The support signal may be the presence of a new information element (IE) in the message. The IE may contain the COUNT value. A serving network SN 230 that does not support ESC will ignore the new IE. The lack of support for ESC is an example of the second security context. Authentication data (RAND, XRES, CK, IK, AUTN) are obtained from the HLR/AuC 240 (step 515). The SN may indicate support for ESC in the AKA challenge (authentication request) sent to the UE (step 520). The UE performs the authentication procedure (step 525) and returns the response RES to the SN (step 530). If authentication succeeds (step 530), the UE and the SN derive the root key K_ASMEU and the session keys CK_S and IK_S (step 535). The SN sends the session keys to the RAN 220 in an SMC (security mode command) message (step 540). The RAN generates a message authentication code (MAC) using the session key IK_S, which is sent to the UE in an SMC message (step 545). The UE checks the MAC (step 550) using the session key IK_S that the UE derived (step 535), and returns an indication of completion to the RAN (step 555), which forwards it to the SN (step 560). After that, the UE is capable of secure communication using the session keys (step 565).

As shown in Fig.6, in the method 600 relating to procedures for the transition from idle to active mode, the UE 210 sends a service request message, which includes the COUNT value, to the SN 230 (step 610). The UE and the SN derive new session keys CK_S and IK_S from the root key K_ASMEU (step 620). The SN sends the session keys to the RAN 220 in an SMC message (step 630). The RAN generates a MAC, which is sent to the UE in an SMC message (step 640). The UE checks the MAC (step 650) and returns an indication of completion to the RAN (step 660), which forwards it to the SN (step 670). After that, the UE is capable of secure communication using the session keys (step 680).

As shown in Fig.7, in the method 700 relating to mobility management procedures (such as a routing area update (RAU) or a location area update (LAU)), the UE 210 sends a RAU (or LAU) request message, which includes the COUNT value, to the SN 230 (step 710). Optionally, the UE and the SN can derive new session keys CK_S and IK_S from the root key K_ASMEU (step 720). The SN may send the session keys to the RAN 220 in an SMC message (step 730). The RAN can generate a MAC that can be sent to the UE in an SMC message (step 740). The UE may check the MAC (step 750) and can return an indication of completion to the RAN (step 760), which forwards it to the SN (step 770). After that, the SN sends a RAU accept message to the UE (step 780). After that, the UE is capable of secure communication using the session keys.

New access stratum (AS) keys can be generated for each transition from the idle state to the active state. Similarly, keys may be generated at other events. The COUNT value may be sent in idle mobility messages and in initial layer 3 messages, for example, attach, RAU, LAU, idle mobility or service requests. The SN can verify that the received COUNT value has not been used before, and update the stored COUNT value in the process. If the COUNT value is new (e.g., received COUNT value > stored COUNT value), the UE and the SN proceed to compute the new keys CK_S and IK_S using a key derivation function (KDF), such as HMAC-SHA256, from the root key K_ASMEU and the received COUNT value. The KDF may include additional information, such as the RAN node identity, in computing the new keys. If the check fails (the COUNT value is not new), the SN rejects the message. For use in GERAN, when K_C and K_C128 are computed from CK_S and IK_S, this can be done in the same way as when they are computed from CK and IK.
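The COUNT freshness check, the session key derivation and the SMC MAC verification described above, as an added example that is not part of the patent text. The KDF label and field layout, the truncated HMAC-SHA256 used as a stand-in for the SMC MAC, the sample keys and all function and class names are assumptions made for illustration; K_ASMEU is taken as CK||IK.

```python
import hashlib
import hmac
import struct

# Constructed sample AKA output (not real key material).
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))


def root_key(ck, ik):
    """K_ASMEU set equal to CK || IK, the simple option the text allows."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK are 128-bit keys")
    return ck + ik


def derive_session_keys(k_asmeu, count, ran_node_id=b""):
    """Return (CK_S, IK_S) = HMAC-SHA256(K_ASMEU, label || COUNT || node id).

    The label and field layout are assumptions; the text only names the
    inputs (root key, COUNT, optional RAN node identity).
    """
    if not 0 <= count <= 0xFFFF:
        raise ValueError("COUNT is a 16-bit value")
    msg = b"ESC-session-keys" + struct.pack(">H", count) + ran_node_id
    okm = hmac.new(k_asmeu, msg, hashlib.sha256).digest()
    return okm[:16], okm[16:]


def smc_mac(integrity_key, smc_payload):
    """Stand-in SMC MAC: HMAC-SHA256 truncated to 32 bits (assumption)."""
    return hmac.new(integrity_key, smc_payload, hashlib.sha256).digest()[:4]


class ServingNetwork:
    """SN and RAN collapsed into one object for brevity."""

    def __init__(self, ck, ik, supports_esc=True):
        self.ck, self.ik = ck, ik
        self.supports_esc = supports_esc
        self.stored_count = 0

    def handle_request(self, count_ie, smc_payload, ran_node_id=b""):
        """Return the SMC MAC, or None when the request is rejected."""
        if not self.supports_esc or count_ie is None:
            # A legacy SN ignores the new IE and protects the SMC with IK.
            return smc_mac(self.ik, smc_payload)
        if count_ie <= self.stored_count:
            return None  # COUNT is not new: reject the message
        self.stored_count = count_ie
        _, ik_s = derive_session_keys(
            root_key(self.ck, self.ik), count_ie, ran_node_id)
        # Only CK_S / IK_S would be handed to the RAN, never CK / IK.
        return smc_mac(ik_s, smc_payload)


def ue_confirms_esc(ck, ik, count, smc_payload, received_mac, ran_node_id=b""):
    """UE side: True only if the SMC MAC verifies under the UE's own IK_S."""
    if received_mac is None:
        return False
    _, ik_s = derive_session_keys(root_key(ck, ik), count, ran_node_id)
    return hmac.compare_digest(smc_mac(ik_s, smc_payload), received_mac)


def run_demo():
    """Enhanced SN, replayed COUNT, and legacy SN, with the same UE keys."""
    payload = b"SECURITY MODE COMMAND"  # constructed message body
    sn = ServingNetwork(SAMPLE_CK, SAMPLE_IK)
    first = sn.handle_request(7, payload)
    replay = sn.handle_request(7, payload)
    legacy = ServingNetwork(SAMPLE_CK, SAMPLE_IK, supports_esc=False)
    legacy_mac = legacy.handle_request(7, payload)
    return {
        "enhanced": ue_confirms_esc(SAMPLE_CK, SAMPLE_IK, 7, payload, first),
        "replay_rejected": replay is None,
        "legacy_confirms_esc": ue_confirms_esc(
            SAMPLE_CK, SAMPLE_IK, 7, payload, legacy_mac),
    }


if __name__ == "__main__":
    print(run_demo())
```

A MAC from a serving network that ignored the information element does not verify under IK_S, so the UE does not treat the enhanced context as confirmed.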

The session keys (CK_S and IK_S) may have a lifetime such that the UE and the serving network store and use the session keys until either it is no longer necessary to store the keys in order to send traffic securely between the UE and the network (the UE has moved to the idle state), or a new context is created at a subsequent event (such as AKA authentication or a mobility event).

A remote station 210 may include a computer 800 that includes a storage medium 820, such as memory, a display 830 and an input device 840, such as a keyboard. The device may include a wireless connection 850.

As shown in Fig.1, a wireless remote station (RS) 102 (or UE) may communicate with one or more base stations (BS) 104 of a wireless communication system 100. The wireless communication system 100 may further include one or more base station controllers (BSC) 106 and a core network 108. The core network may be connected to the Internet 110 and the public switched telephone network (PSTN) 112 via suitable backhaul connections. A typical wireless mobile station may include a handheld phone or a portable computer. The wireless communication system 100 may use any of a variety of multiple access methods, such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), space division multiple access (SDMA), polarization division multiple access (PDMA), or any other modulation technique known in the art.

The wireless device 102 may include various components that perform functions based on signals that are transmitted by or received at the wireless device. For example, a wireless headset may include a transducer adapted to provide audio output based on a signal received by the receiver. A wireless watch may include a user interface adapted to provide an indication based on signals received by the receiver. A wireless sensor device may include a sensor adapted to provide data to be transmitted to another device.

The wireless device may communicate via one or more wireless links that are based on or otherwise support any suitable wireless communication technology. For example, in some aspects a wireless device may be associated with a network. In some aspects the network may comprise a body area network or a personal area network (e.g., an ultra-wideband network). In some aspects the network may comprise a local area network or a wide area network. A wireless device may support or otherwise use one or more of many different wireless communication technologies, protocols and standards, such as, for example, CDMA, TDMA, OFDM, OFDMA, WiMAX and Wi-Fi. Similarly, a wireless device may support or otherwise use one or more of many modulation or multiplexing schemes. A wireless device may thus include appropriate components (e.g., air interfaces) to establish and communicate via one or more wireless links using the above or other wireless technologies. For example, the device may comprise a wireless transceiver with associated transmitter and receiver components (e.g., a transmitter and a receiver) that may include various components (e.g., signal generators and signal processors) that facilitate communication over a wireless medium.

The teachings described herein can be incorporated into (e.g., implemented within or performed by) a variety of apparatuses (e.g., devices). For example, one or more aspects of the teachings of this document can be incorporated into a phone (e.g., a cell phone), a personal digital assistant (PDA), an entertainment device (e.g., a music or video device), a headset (e.g., headphones of various types), a microphone, a medical device (e.g., a biometric sensor, heart rate monitor, pedometer, electrocardiograph, etc.), a user I/O device (e.g., a watch, a remote control, a light switch, a keyboard, a mouse, etc.), a tire pressure monitor, a computer, a point-of-sale device, an entertainment device, a hearing aid, a set-top box (STB) or any other suitable device.

These devices may have different power and data requirements. In some aspects, the teachings in this document can be adapted for use in low-power applications (e.g., through the use of pulse-based signalling and low duty cycle modes) and can support a variety of data rates, including relatively high data rates (e.g., through the use of high-bandwidth pulses).

In some aspects a wireless device may comprise an access device (e.g., a Wi-Fi access point) for a communication system. Such an access device may provide, for example, connectivity to a network (e.g., a wide area network such as the Internet or a cellular network) via a wired or wireless communication link. Accordingly, the access device can enable another device (e.g., a Wi-Fi station) to access the other network or some other functionality. In addition, it should be appreciated that one or both of the devices may be portable or, in some cases, relatively non-portable.

Those skilled in the art will understand that information and signals can be represented using any of a variety of technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, or any combination of the above.

Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the overall system. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.

The various illustrative logical blocks, modules and circuits described in connection with the embodiments disclosed in this document can be implemented using a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The steps of a method or algorithm described in connection with the embodiments disclosed in this document can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. Alternatively, the processor and the storage medium may reside in a user terminal as discrete components.

In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly regarded as a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of medium. The term "disk" as used herein includes compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where magnetic disks reproduce data magnetically, while optical discs reproduce data optically with lasers. Combinations of the above should also be included within the definition of computer-readable media.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not limited to the embodiments shown in this document, but is to be accorded the widest scope consistent with the principles and novel features disclosed in this document.

1. A method of establishing a first security context between a remote station and a serving network, in which the first security context has a security property that is not supported by a second security context, wherein the method comprises the steps in which:
the remote station sends a first message to the serving network, wherein the first message includes an information element signalling that the remote station supports the first security context;
the remote station generates a session integrity key and a session encryption key, in accordance with the first security context, using the information element;
the remote station receives, in response to the first message, a second message having a message authentication code that indicates that the serving network supports the first security context;
the remote station verifies the message authentication code using the session integrity key; and
the remote station, in response to successful verification of the message authentication code, performs wireless communication protected by the session encryption key.

2. The method of establishing a first security context according to claim 1, wherein the information element contains a counter value updated for the session.

3. The method of establishing a first security context according to claim 1, wherein the serving network is a UMTS serving network.

4. The method of establishing a first security context according to claim 3, wherein the first security context is an enhanced UMTS security context and the second security context is a legacy UTRAN security context.

5. The method of establishing a first security context according to claim 1, wherein the serving network is a GERAN serving network.

6. The method of establishing a first security context according to claim 1, wherein the indication that the serving network supports the first security context contains an authentication code generated based on the corresponding session integrity key generated by the serving network using the information element received from the remote station.

7. The method of establishing a first security context according to claim 1, wherein the remote station comprises mobile user equipment.

8. The method of establishing a first security context according to claim 1, wherein the session integrity key and the session encryption key are calculated from the information element and a root key.

9. A remote station comprising:
means for sending a first message to a serving network, wherein the first message includes an information element signalling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context;
means for generating a session integrity key and a session encryption key, in accordance with the first security context, using the information element;
means for receiving, in response to the first message, a second message having a message authentication code that indicates that the serving network supports the first security context;
means for verifying the message authentication code using the session integrity key; and
means for performing, in response to successful verification of the message authentication code, wireless communication protected by at least one session key.

10. A remote station according to claim 9, in which the information element contains the counter value, updated for the session.

11. A remote station according to claim 9, in which the serving network is the serving network UMTS.

12. A remote station according to claim 11, in which the first security context is an enhanced UMTS security context and the second security context is a legacy UTRAN security context.

13. A remote station according to claim 9, in which the service network is a service network GERAN.

14. A remote station according to claim 9, in which the indication that the serving network supports the first security context contains an authentication code generated based on the corresponding session key integrity generated by the serving network using an information element received from a remote station.

15. A remote station according to claim , wherein the remote station comprises a mobile user equipment.

16. A remote station according to claim 9, wherein the integrity session key and the encryption session key are calculated from the information element and the root key.

17. A remote station comprising a processor configured to:
send a first message to a serving network, wherein the first message includes an information element signalling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context;
generate an integrity session key and an encryption session key, in accordance with the first security context, using the information element;
receive, in response to the first message, a second message having a message authentication code that indicates that the serving network supports the first security context;
verify the message authentication code using the integrity session key; and
perform, in response to successful verification of the message authentication code, wireless communication protected by at least one session key.

18. A remote station according to claim 17, wherein the information element contains a counter updated for the session.

19. A remote station according to claim 17, wherein the serving network is a UMTS serving network.

20. A remote station according to claim 19, wherein the first security context is an enhanced UMTS security context and the second security context is a legacy UTRAN security context.

21. A remote station according to claim 17, wherein the serving network is a GERAN serving network.

22. A remote station according to claim 17, wherein the indication that the serving network supports the first security context comprises an authentication code generated based on the corresponding integrity session key, which the serving network generates using the information element received from the remote station.

23. A remote station according to claim 17, wherein the remote station comprises mobile user equipment.

24. A remote station according to claim 17, wherein the integrity session key and the encryption session key are calculated from the information element and the root key.

25. A computer-readable storage medium comprising:
code for causing a computer to send a first message to a serving network, wherein the first message includes an information element signalling that the remote station supports a first security context, and wherein the first security context has a security property that is not supported by a second security context;
code for causing a computer to generate an integrity session key and an encryption session key, in accordance with the first security context, using the information element;
code for causing a computer to receive, in response to the first message, a second message having a message authentication code that indicates that the serving network supports the first security context;
code for causing a computer to verify the message authentication code using the integrity session key; and
code for causing a computer to perform, in response to successful verification of the message authentication code, wireless communication protected by at least one session key.

26. The computer-readable storage medium according to claim 25, wherein the information element contains a counter value updated for the session.

27. The computer-readable storage medium according to claim 25, wherein the serving network is a UMTS serving network.

28. The computer-readable storage medium according to claim 27, wherein the first security context is an enhanced UMTS security context and the second security context is a legacy UTRAN security context.

29. The computer-readable storage medium according to claim 25, wherein the serving network is a GERAN serving network.

30. The computer-readable storage medium according to claim 25, wherein the indication that the serving network supports the first security context comprises an authentication code generated based on the corresponding integrity session key, which the serving network generates using the received information element.

31. The computer-readable storage medium according to claim 25, wherein the integrity session key and the encryption session key are calculated from the information element and the root key.
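The exchange recited in claims 9, 17 and 25, sketched as an added example that is not part of the patent text. HMAC-SHA-256 stands in for the key derivation and MAC algorithms, which the claims do not name; the message body, key values, class names and the fallback to a legacy integrity key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample keys (assumptions, not values from the patent).
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGACY_IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
BODY = b"SECURITY MODE COMMAND"  # constructed second-message body


def derive_session_keys(root_key: bytes, info_element: bytes):
    """Return (integrity_key, encryption_key) from root key + information element.

    Assumption: HMAC-SHA-256 with distinct labels plays the role of the KDF.
    """
    ik = hmac.new(root_key, b"integrity" + info_element, hashlib.sha256).digest()
    ck = hmac.new(root_key, b"encryption" + info_element, hashlib.sha256).digest()
    return ik, ck


def compute_mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


class ServingNetwork:
    def __init__(self, root_key: bytes, legacy_ik: bytes, supports_enhanced: bool):
        self.root_key = root_key
        self.legacy_ik = legacy_ik
        self.supports_enhanced = supports_enhanced

    def handle_first_message(self, info_element: bytes):
        """Return (body, mac) of the second message."""
        if self.supports_enhanced:
            # Support is signalled implicitly: the MAC is keyed with the
            # integrity session key derived from the received element.
            ik, _ = derive_session_keys(self.root_key, info_element)
        else:
            # Assumption: a legacy network ignores the unknown element.
            ik = self.legacy_ik
        return BODY, compute_mac(ik, BODY)


class RemoteStation:
    def __init__(self, root_key: bytes, legacy_ik: bytes):
        self.root_key = root_key
        self.legacy_ik = legacy_ik
        self.counter = 0

    def first_message(self) -> bytes:
        self.counter += 1  # counter value updated for the session
        self.info_element = self.counter.to_bytes(4, "big")
        self.ik, self.ck = derive_session_keys(self.root_key, self.info_element)
        return self.info_element

    def handle_second_message(self, body: bytes, tag: bytes) -> str:
        # Constant-time comparison; the enhanced key is tried first.
        if hmac.compare_digest(compute_mac(self.ik, body), tag):
            return "enhanced"  # protect traffic with self.ck
        if hmac.compare_digest(compute_mac(self.legacy_ik, body), tag):
            return "legacy"    # assumption: fall back to the second context
        return "reject"


def run_exchange(network_enhanced: bool, tamper_ie: bool = False,
                 tamper_body: bool = False) -> str:
    """Run one exchange, optionally altering a message in transit."""
    ue = RemoteStation(ROOT_KEY, LEGACY_IK)
    net = ServingNetwork(ROOT_KEY, LEGACY_IK, network_enhanced)
    ie = ue.first_message()
    if tamper_ie:
        ie = bytes([ie[0] ^ 0x01]) + ie[1:]
    body, tag = net.handle_first_message(ie)
    if tamper_body:
        body = body + b"!"
    return ue.handle_second_message(body, tag)


if __name__ == "__main__":
    for args in [(True,), (False,), (True, True), (True, False, True)]:
        print(args, "->", run_exchange(*args))
```

Because the session keys depend on the information element, altering that element in transit makes the network derive a different integrity key, so verification at the remote station fails rather than silently selecting a context.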



 

Same patents:

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to means of changing direction of flow. After establishing a connection with a device, a control server reverses the direction of message flow between the device and the control server such that the device becomes the initiator of the call (the caller) and the control server becomes the device which is called (the callee). A connection is also established between a first device, the control server and a second device which is an endpoint for the call. Initial multimedia data and forking are available to the first device after reversing the direction of message flow between the first device and the control server and the callee has been contacted. Additionally, information flows between the first device and the second device through the control server as if the first device and the second device were directly connected.

EFFECT: shorter time for changing the source of the flow of messages; the control server initiates calls to the first device.

20 cl, 3 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to communication systems. The invention provides techniques and apparatus for signalling the bandwidth to be used for wireless communication using an RTS/CTS (Request to Send/Clear to Send) frame exchange, provided for bandwidths of at least 20 MHz, 40 MHz, 80 MHz, 160 MHz, or higher. This exchange of bandwidth information may be performed implicitly - by determining the channels through which the RTS/CTS frames are actually sent - or explicitly. In addition to this bandwidth information exchange, aspects of the present invention may also allow for Network Allocation Vector (NAV) protection in multiple channels.

EFFECT: wireless communication media may be reserved, and transmission may be protected from hidden nodes.

103 cl, 20 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to the commercial communication system, especially to the system giving a possibility to any person or a computer user client connected to the Internet to establish bidirectional voice communication and the unidirectional video conference with a commercial agent. The system contains a server of web pages (2) from which one is available for access from the remote computer (52) of a user, the main server (1) and the communication centre (4) containing a telephone terminal (43), the computer (44) and the webcam (41) connected to the videoconference server (42) and used to connect an agent to a user. The system also contains automatic phone exchange or the secondary automatic private centre (3) connected to the main server (1) for the voice communication connecting a user, an agent and the main server (1), and combining computer gateway facilities (44) and the videoconference server of (42) communication centre (4).

EFFECT: improvement of communication quality when using low level data flow, required for Internet communication.

6 cl, 2 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to transceiver device for processing a medium access control (MAC) protocol used by a transceiver. The transceiver comprises a first antenna system for on-body communication and a second antenna system for off-body communication, the transceiver device being designed to reserve one or more data payloads for on-body communication and to allocate the first antenna system to the transceiver in the time interval occupied by said data payloads, and/or to reserve one or more data payloads for off-body communication and to allocate the second antenna system to the transceiver in the time interval occupied by said data payloads.

EFFECT: providing an optimally matched antenna system for on-body communication and off-body communication respectively, preventing collisions between data payloads on a radio channel, thereby increasing data throughput and, at the same time, reducing power consumption of the transceiver.

15 cl, 14 dwg

FIELD: physics, communications.

SUBSTANCE: invention relates to a base station device and a communication method used for multi-carrier communication. The station device includes: a selection unit for selecting a mobile station resource block using one of a first selection and a second selection, wherein the resource blocks, each comprising a plurality of subcarriers, are sequential in the frequency domain, are divided into a plurality of groups, each comprising a predefined number of resource blocks which are sequential in the frequency domain; and a transmitting unit for transmitting to the mobile station control information which includes both information of the difference between the first selection and the second selection and information indicating the selected resource block, where in the first selection said plurality of groups is divided into a plurality of sets which includes a first set comprising at least two groups which are part of said plurality of groups and are non-sequential in the frequency domain, and a second set comprising at least two groups which are different from said part of said plurality of groups and are non-sequential in the frequency domain.

EFFECT: preventing increase in overhead of allocation result report in frequency scheduling in a multi-carrier communication system.

22 cl, 17 dwg

FIELD: radio engineering, communication.

SUBSTANCE: closed subscriber group (CSG) cell is a cell which allows use of subscribers. In order to receive a service from the CSG cell, a CSG identifier (CSG-ID) is required to be notified to user equipment, which cannot be obtained outside the reach of radio waves from a non-CSG cell. In a mobile communication system including base stations respectively provided in a CSG cell and a non-CSG cell in which access is made to the CSG cell with the use of a CSG-ID issued in a case where use of the CSG cell is allowed, the base station provided in the CSG cell refers to the notified identification information of user equipment and then transmits a tracking area update request from the user equipment to a core network, and the core network determines whether the user equipment is allowed to use the CSG cell and, in the case where the use is allowed, transmits a signal for allowing assignment of radio resources to the user equipment and the CSG-ID. The user equipment accesses the CSG cell using the CSG-ID.

EFFECT: high quality of communication.

4 cl, 51 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to a method and a device for controlling retransmission in user equipment which supports uplink spatial multiplexing. The method comprises the following steps: detecting uplink resolution in a physical downlink control channel (102), wherein the uplink resolution is real for at least one transport unit; detecting that at least one transport unit is blocked (103) such that resolution is not associated with at least one transport unit; and interpreting (106) at least one blocked transport unit as acknowledgement, ACK, of previous transmission corresponding to said blocked transport unit, regardless of what indicator was received in reception status feedback channel for said previous transmission.

EFFECT: procedure for obtaining uplink resolution, which can be repeated simultaneously for each said resolution associated with a certain transmission time interval (TTI).

12 cl, 6 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to radio communication complexes using an unpiloted aircraft (UA). A complex for provision of radio communication using UA, which includes a satellite communication system, UA, a UA control centre, an IP chamber, an onboard systems complex of (OSC) of UA, which includes a UA retransmitter and a converter, which through a switching router performing communication with subscribers operating in different frequency ranges and using a satellite communication system of the control centre, interacts with a controller that monitors control commands at movement along the specified route and diagnostics of UA operating modes.

EFFECT: enlargement of functional capabilities concerning control of the territory with damaged communication infrastructure due to provision of radio communication using UA, including between subscribers of different type, which are scattered at long distance.

2 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. A method of searching for an object belonging to a set of objects using a verification device, wherein the verification device and objects from the set of objects are configured to exchange information elements through at least one communication channel, wherein each object from the set of objects has a first corresponding identifier from which a plurality of representatives is obtained, wherein the method includes obtaining, in the verification device, a first identification word (mi;p(xi)) relating to the object being searched for, wherein the first identification word is formed by applying a first encoding function to a first object identifier, the search of which is performed such that the first identification word depends on a sub-part of the plurality of representatives obtained from the first identifier, wherein the sub-part is defined by at least one variable parameter (i), wherein the value of the variable parameter is selected randomly using the verification device, said value defining the sub-part of the plurality of representatives obtained from the first identifier; and the first identification word received over the communication channel is transmitted from the verification device.

EFFECT: protecting the identity of objects to prevent third-party monitoring of the objects.

14 cl, 4 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to a mobile communication system and is intended to adequately report sounding reference signal (SRS) transmission time and SRS parameters to a mobile terminal when an aperiodic SRS is used and efficient utilisation of radio resources used when transmitting an SRS. A radio base station that reports SRS transmission control information to a mobile terminal and controls transmission of an SRS in the mobile terminal, includes an SRS setting unit that selects bit information to report to the mobile terminal apparatus, from a table having bit information indicating not to trigger SRS transmission and bit information indicating to trigger SRS transmission using a default SRS parameter, and a reporting unit that reports the bit information for the mobile terminal using a downlink control channel.

EFFECT: improved communication.

9 cl, 25 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to multimedia content protection. A method of protecting content (6) scrambled using a content key CW transmitted encrypted by a content access key K, characterised by that said content is transmitted by a transmission system to at least one receiving terminal (4) using a service, provided locally in said receiving terminal using a set of properties Pi, i ranges from 1 to n, known for the transmission system, where each of said properties Pi is represented by a data element xi recorded in said data transmission system, and using a local data element yi with local access, intended only for reading in said terminal, and during transmission, said method comprises a step of super-encrypting said content key CW using at least one invertible super-encryption function fi(xi), which depends on at least one of the properties Pi, i ranges from 1 to n, and upon reception, the value of said super-encrypted content key CW is disclosed by applying to said super-encrypted content key CW an inverse super-encryption function fi1(yi) corresponding to the property Pi.

EFFECT: efficient protection of multimedia content from illegal redistribution.

9 cl, 3 dwg

FIELD: information technology.

SUBSTANCE: method includes steps of: a transmitter using an operating key and an encryption algorithm executable code in a virtual mother card to encrypt a control word CWt to obtain a cryptogram CWt*, using a syntax constructor executable code in the virtual mother card to generate an ECM (Entitlement Control Message) that incorporates the cryptogram CWt*, and transmitting said ECM to a terminal; the terminal receiving the ECM, determining the location of the cryptogram CWt* in the received ECM using syntax analyser executable code and then decrypting the cryptogram CWt* using the operating key and the encryption algorithm.

EFFECT: safer data transmission.

14 cl, 6 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to a broadcast encryption method. The technical result is achieved through a method of controlling decoders of at least one group of decoders, having access to audiovisual data, wherein the method comprises the following steps: at a step when the decoder should become a member of a group: obtaining and storing keys relating to a certain position in the group according to the broadcast encryption scheme; obtaining and storing current group access data containing at least the current group access key which is common for said group at the step of accessing the audiovisual data: using the current group access data for direct or indirect access to audiovisual data, at the step of updating the current group access key: transmitting a first group message containing at least the next group access data containing at least the next group access key encrypted such that only uncancelled decoders can gain access thereto, wherein said group message is further encrypted by the current group access key (CGK); updating the current group access key using the next group access key.

EFFECT: high efficiency of controlling access to broadcast content for a large number of subscribers by controlling access only based on keys.

5 cl, 4 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. The invention can be implemented in a conditional access content broadcast system where it is desirable to identify and take measures against receiving equipment, applied when sharing control words. Owing to the requirement that receiving equipment used in the system transmits to a transmission station a conditional access content message at a precisely defined time, the invention provides a method through which a server identifies receiving equipment participating in the sharing of control words and prevents said receiver from further accessing said content.

EFFECT: effective protection of transmitted content.

12 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to cryptography. A chipset function activation method includes: receiving at least one of the following elements: a segmentation key, a general purpose key and a global cryptographic algorithm selector; transmitting at least two of the following elements: an initial value, the obtained segmentation key, the general purpose key and the global cryptographic algorithm selector to a computation module, wherein the initial value, the obtained segmentation key, the general purpose key and the global cryptographic algorithm selector are provided by at least two different organisations; generating in the computation module a temporary key using one of the following elements: at least one cryptographic algorithm of the computation module and at least two elements selected from a group including the initial value, the segmentation key, the general purpose key and the global cryptographic algorithm selector; receiving an activation message using the computation module; receiving an authentication code of said message using the computation module, wherein said message authentication code is calculated using the temporary key; authenticating said received message using the message authentication code and the temporary key; if the received message is authentic, activating the corresponding chipset function; if the received message is not authentic, prohibiting activation of said corresponding chipset function.

EFFECT: effective chipset protection.

11 cl, 1 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to information decryption methods. The method comprises steps of, in response to the absence in any of the terminals of one or more control words CWc for decrypting one or more multimedia content cryptoperiods, transmitting through said terminal to a control word server a request containing a cryptogram(s) of said one or more absent control words, and in response, transmitting by the control word server to said terminal said one or more absent control words, wherein the control word server selectively determines for each terminal the number of additional control words CWs intended for transmission to the terminal depending on the probability of compromising the protection of said additional control words, and besides the absent control words CWc, transmitting to said terminal said determined number of additional control words CWs, which enables the terminal to decrypt additional multimedia content cryptoperiods in addition to cryptoperiods decrypted using the requested absent control words CWc.

EFFECT: ensuring secure transmission of control words.

10 cl, 6 dwg

FIELD: radio engineering, communication.

SUBSTANCE: apparatus comprises: a unit which stores a key used for encrypting or decrypting data; a unit which receives a key transmission request including a key-dividing number via a wireless signal from an operation terminal; a unit which acquires a key transmission request from the wireless signal received by the reception section; a unit which determines a security level when transmitting the key to the operation terminal, as a transmission security level; a unit which determines a transmission power in accordance with the transmission security level determined by the security level determination unit and the key-dividing number included in the key transmission request acquired by the key transmission request acquisition unit; a unit which acquires each key fragment by dividing the key stored in the storage unit into the key-dividing number; and a unit which transmits the each key fragment acquired by the key acquisition unit using the transmission power determined by the transmission power determination unit, via a wireless signal to the operation terminal.

EFFECT: safer data transmission.

15 cl, 9 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to a network operation method. A network comprises a node and a system control device. A system control device comprises a root key material which is a set of functions, each having a degree of complexity α, and a node is provided with a portion of key material of a node having a degree of complexity α extracted from the root key material. The system control device generates a portion of key material for an external user with a degree of complexity α from the root key material and generates an access identifier. The system control device generates access key material with a degree of complexity less than α from the portion of key material for the external user and generates a node identifier. The system control device provides the external user with a portion of access key material and the node identifier. The external user extracts a key from the portion of access key material and sends to the node said key and access identifier. The node calculates a key from the access identifier and the portion of node key material and compares the key sent by the external user and the key calculated by the node in order to identify the external user.

EFFECT: improved security.

14 cl, 4 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to methods of providing secure communication in a network. The method comprises: an administration device provided with root keying materials, and steps of: generating, by the administration device based on the root keying materials, parts of keying material of a first node containing a certain number of sub-elements, and parts of keying material of the first node, assembled for generating a first terminated key, the administration device selects a subset of sub-elements of the first parts of the keying material, wherein the number of selected sub-elements is less than or equal to the total number of sub-elements of the first parts of the keying material, and the selected sub-elements form partial parts of the keying material of the first node or a symmetrical key generation mechanism, the first node generates, based on the symmetrical key generation mechanism of the first node and on a second node identifier, a first key used to provide secure communication with a second node.

EFFECT: more secure data transmission in a network.

6 cl, 7 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering and specifically to means of secure communication in a network. The method relates to secure transmission of information from a first node (N1) to a second node (N2) in a network, the first node comprising a first node keying material (KM(ID1)), the second node comprising a second node keying material (KM(ID2)), wherein the keying materials of the first node and of the second node comprise each a plurality of shared keying root parts formed by segments of the shared keying root parts. A communication network, having at least two communication devices, carries out said method.

EFFECT: safer communication by dividing keys into segments for predistributed keying material according to a variable distribution.

13 cl, 5 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to means of executing services on a server and a client of a client-server architecture. When making a user decision at a predefined point during the process of executing services, execution of services is suspended at the server and a user decision request is sent to the client. The user decision request includes information which requests the user to make a decision with respect to executing services after the user decision making point. After receiving information on the user decision generated by the client in response to the user decision request, the method includes determining action on executing services, which corresponds to the received information on the user decision, based on the corresponding link between information on the user decision and an instruction to execute services. Services are executed in accordance with the determined action on executing services.

EFFECT: enabling change in the sequence of actions on executing services on a server.

11 cl, 6 dwg
