ABSTRACT
METHOD AND SYSTEM FOR ESTABLISHING A SECURE COMMUNICATION BETWEEN REMOTE UE AND RELAY UE IN A DEVICE TO DEVICE COMMUNICATION NETWORK
The present invention provides a method and system for establishing a secure communication between a remote UE and a relay UE in a device to device communication. In one embodiment, the UE-to-Network relay transmits a security key request along with at least one of a remote UE ID, a UE-to-Network relay UE ID and the group ID of the remote UE to a ProSe server. The ProSe Server derives a security key for the UE-to-Network relay (PTKUE-to-Network relay) to securely transmit data packets to the remote UE. The UE-to-Network relay UE generates a security key, a ProSe encryption key (PEK UE-to-Network relay), and forwards the security key to the remote UE. The relay UE also transmits the ProSe group key ID (PGK ID) and PTK ID to the remote UE so that the remote UE generates security keys (PTK Remote UE and PEK Remote UE) to establish secure communication with the UE-to-Network relay.
Figure 3
FORM 2
THE PATENTS ACT, 1970
[39 of 1970]
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(Section 10; Rule 13)
METHOD AND SYSTEM FOR ESTABLISHING A SECURE COMMUNICATION BETWEEN REMOTE UE AND RELAY UE IN A DEVICE TO DEVICE COMMUNICATION NETWORK
SAMSUNG R&D INSTITUTE INDIA – BANGALORE Pvt. Ltd.
# 2870, ORION Building, Bagmane Constellation Business Park,
Outer Ring Road, Doddanakundi Circle,
Marathahalli Post,
Bangalore -560037, Karnataka, India
Indian Company
The following Specification particularly describes the invention and the manner in which it is to be performed
RELATED APPLICATION
The present invention claims benefit of the Indian Provisional Application No. 226/CHE/2015 titled "SYSTEM AND METHOD OF SECURING COMMUNICATION BETWEEN REMOTE UE AND RELAY UE" by Samsung R&D Institute India – Bangalore Private Limited, filed on 14th January 2015, which is herein incorporated in its entirety by reference for all purposes.
FIELD OF THE INVENTION
The present invention generally relates to device to device (D2D) communications (proximity services), and more particularly relates to method and system for establishing a secure communication between remote user equipment (UE) and relay UE in a device to device (D2D) communication network.
BACKGROUND OF THE INVENTION
Device to Device (D2D) communication is being studied in communication standard groups to enable data communication services between UEs. During D2D communication a transmitting D2D UE can transmit data packets to a group of D2D UEs or broadcast data packets to all D2D UEs. D2D communication between the transmitter and receiver(s) is connectionless in nature, i.e. there is no connection setup between the transmitter and receiver before the transmitter starts transmitting data packets. During the transmission, the transmitter includes the source ID and the destination ID in the data packets. The source ID is set to the UE ID of the transmitter. The destination ID is the broadcast ID, the group ID or the UE ID of the intended recipient of the transmitted packet.
One of the requirements of D2D communication is that a UE which is out of network coverage should be able to communicate with the network via another UE (i.e. a UE-to-Network Relay) which is in network coverage and in proximity of the remote UE. This is illustrated in Figure 1. A Remote UE 102 communicates with a UE-to-Network Relay 104 using D2D communication. A further requirement of D2D communication is that UEs which are out of proximity with each other should be able to communicate via another UE (i.e. a UE-to-UE Relay) which is in proximity to both UEs.
In order to support security for D2D communication, a ProSe Group Key (PGK) is defined. The PGK is specific to a group of D2D UEs. Multiple PGKs per group can be pre-provisioned in the UE. Each of these PGKs for the same group is identified using a PGK ID (usually 8 bits in size). Each PGK also has an expiry time associated with it. If a UE wants to send data packets to a group, it derives a ProSe Traffic Key (PTK) from the PGK corresponding to that group. The PTK is identified using a PTK ID. The PTK is a group-member-specific key generated from the PGK. Each PTK is also associated with a PTK ID counter (usually 16 bits in size). For encrypting data the combination of is unique. The PDCP counter is updated for every packet transmitted. If the PDCP counter rolls over, then a new PTK is generated from the PGK:
PTK = KDF (PGK, PTK ID, group member identity of transmitter)
A ProSe Encryption Key (PEK) is also generated whenever a PTK is generated:
PEK = KDF (PTK, Algorithm ID)
The Algorithm ID identifies the security algorithm, for example the SNOW 3G integrity algorithm or the AES encryption algorithm. The key hierarchy is illustrated in Figure 2. The PGK ID, PTK ID and PDCP Counter value are included by the transmitter along with the secured data packet. The receiver generates the PTK used by the transmitter from the PTK ID, PGK ID and destination ID (identifying the group) received along with the packet, and uses it for decryption.
During group communication the security key, i.e. the PGK, is already known to both the transmitter and the receiver(s). In the case of communication between a Remote UE and a UE-to-Network relay, wherein the Remote UE and the UE-to-Network relay belong to different groups, different security keys, i.e. different PGKs, are available at the Remote UE and at the UE-to-Network relay. So communication between the Remote UE and the UE-to-Network relay cannot be secured. In other words, the UE-to-Network relay may not belong to all or any of the groups (formed by the network, e.g. the ProSe Function), which implies that the UE-to-Network relay may not have all the group keys needed to secure or decrypt the packets that are to be relayed. Further, a UE-to-Network relay which belongs to a specific group (or groups) may need to take the role of relaying packets securely to all other (or specific) group members (for example, in mission critical communication, only one UE-to-Network relay may be in coverage of the network).
Thus, there is a need for a method and system for securing communication between Remote UE and UE-to-Network relay.
SUMMARY OF THE INVENTION
Various embodiments herein describe a method and system for establishing a secure communication between a remote User Equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication. In one embodiment, the method comprises transmitting, by the UE-to-Network relay, a security key request to a Proximity-based Service (ProSe) server, wherein the security key request comprises at least one of a remote UE ID, a UE-to-Network relay UE ID and a group ID of the remote UE; deriving, by the ProSe server or PKMF, a security key for the UE-to-Network relay to securely transmit data packets to the remote UE; receiving, by the UE-to-Network relay, a security key response from the ProSe server, wherein the security key response comprises the ProSe traffic key (PTK) derived for the UE-to-Network relay UE ID, the PTK ID and the ProSe group Key (PGK) ID of the remote UE; generating, by the UE-to-Network relay, a ProSe encryption key (PEK UE-to-Network relay) using the PTK UE-to-Network relay received in the security key response; transmitting the PGK ID and PTK ID received in the security key response in a signaling message or in a data packet header to the remote UE; and generating security keys (PTK Remote UE and PEK Remote UE) by the remote UE to establish secure communication with the UE-to-Network relay.
According to an embodiment, the remote UE ID comprises a remote UE group ID if the remote UE belongs to multiple communication groups. The remote UE ID comprises a remote UE group ID if the remote UE ID is unique within a communication group.
According to an embodiment, the remote UE uses the PEK Remote-UE for securing the packets transmitted to UE-to-Network relay and for decrypting the data packets received from UE-to-Network relay.
In another embodiment, a method for establishing a secure communication between a remote User Equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication is disclosed. The method comprises transmitting, by the Remote UE, a security key information message to a UE-to-Network relay to establish secure communication, wherein the security key information comprises at least one of the PGK ID and PTK ID of the remote UE; transmitting, by the UE-to-Network relay, a security key request to a Proximity-based Service (ProSe) server or ProSe key management function; deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from the remote UE; receiving the security key response comprising the first security key and the second security key from the ProSe server; generating, by the UE-to-Network relay, ProSe encryption keys for transmission (PEKUE-to-Network relay-TX) and for reception (PEKUE-to-Network relay-RX) using the PTK UE-to-Network relay-TX and PTK UE-to-Network relay-RX received in the security key response from the ProSe server; and generating, by the remote UE, security keys (PEK Remote UE-TX and PEK Remote UE-RX) using the information received, to establish a secure communication with the UE-to-Network relay.
According to an embodiment, the security key request comprises at least one of a remote UE ID, a UE-to-Network relay ID, a ProSe Group Key (PGK) ID and a ProSe Traffic Key (PTK) ID of the remote UE.
According to an embodiment, the security key response comprises PTKUE-to-Network relay-TX, the PTK ID and PGK ID of the remote UE, and PTKUE-to-Network relay-RX.
In yet another embodiment, a method for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication is disclosed. The method comprises transmitting, by the UE-to-Network relay, a security key request to a proximity-based service (ProSe) server, wherein the security key request comprises the remote UE ID, the UE-to-Network relay ID and the PGK ID of the remote UE; deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from the remote UE; receiving the derived security keys as a security key response from the ProSe server; generating, by the UE-to-Network relay, ProSe encryption keys for transmission (PEKUE-to-Network relay-TX) and for reception (PEKUE-to-Network relay-RX) using the PTK UE-to-Network relay-TX and PTK UE-to-Network relay-RX received in the security key response from the ProSe server; and generating, by the remote UE, a first security key and a second security key using the information received from the UE-to-Network relay, to establish a secure communication with the UE-to-Network relay.
According to an embodiment, the security key response comprises PTKUE-to-Network relay-TX, the PGK ID and PTK ID used to derive PTKUE-to-Network relay-TX, and PTKUE-to-Network relay-RX together with the PGK ID and PTK ID used to derive PTKUE-to-Network relay-RX.
According to this embodiment, the first security key generated by the remote UE is a ProSe Traffic Key for encrypting data packets transmitted to the UE-to-Network Relay and the second security key generated by the remote UE is a ProSe Traffic Key for decrypting data packets received from the UE-to-Network Relay.
In yet another embodiment, a method for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication is disclosed. The method comprises transmitting, by a UE-to-Network relay, a security key request to a proximity-based service (ProSe) server, wherein the security key request comprises the remote UE ID and the UE-to-Network relay ID; deriving, by the ProSe server, a security key for the UE-to-Network relay based on at least one input parameter comprising a master key of the remote UE, a counter, a nonce, the remote UE ID and the UE-to-Network relay ID; transmitting the security key response, along with the at least one of the master key of the remote UE, the counter, the nonce, the remote UE ID and the UE-to-Network relay ID, to the UE-to-Network relay; generating, by the UE-to-Network relay, a ProSe encryption key (PEK) using the PTK received in the security key response from the ProSe server for decrypting packets received from the remote UE; forwarding the at least one of the counter and the nonce received in the security key response to the remote UE using a data packet header or a signaling message; and generating, by the remote UE, the master key using the information received, to establish a secure communication with the UE-to-Network relay.
According to one embodiment, the master key is received from a home subscriber server by the ProSe server.
According to one embodiment, the method further comprises transmitting the current PTK ID or all PTK IDs of the group to the ProSe server for obtaining a fresh key.
According to one embodiment, the method further comprises assigning, by the ProSe server, one or more ProSe relay group keys (PRGKs) to the remote UE and the UE-to-Network relay in addition to the PGKs; deriving, by the remote UE, a security key (PREK remote UE) for encrypting data packets to be transmitted to the UE-to-Network relay; deriving, by the UE-to-Network relay, a security key (PREK UE-to-Network relay) for encrypting data packets to be transmitted to the remote UE; and establishing a secure communication between the remote UE and the UE-to-Network relay using the derived security keys.
Various embodiments herein further describe a system for establishing a secure communication between a remote User Equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication. The system comprises a remote UE which is out of network coverage and a UE-to-Network relay located in proximity to the remote UE and in communication with a ProSe server in the network, wherein the system is configured for: transmitting, by the UE-to-Network relay, a security key request to a Proximity-based Service (ProSe) server, wherein the security key request comprises at least one of a remote UE ID, the UE-to-Network relay's UE ID and a group ID of the remote UE; deriving, by the ProSe server, a security key for the UE-to-Network relay to securely transmit data packets to the remote UE; receiving, by the UE-to-Network relay, a security key response from the ProSe server, wherein the security key response comprises the ProSe traffic key (PTK) derived for the UE-to-Network relay UE ID, the PTK ID and the ProSe group Key (PGK) ID of the remote UE; generating, by the UE-to-Network relay, a ProSe encryption key (PEK UE-to-Network relay) using the PTK UE-to-Network relay received in the security key response; transmitting the PGK ID and PTK ID received in the security key response in a signaling message or in a data packet header to the remote UE; and generating security keys (PTK Remote UE and PEK Remote UE) by the remote UE to establish secure communication with the UE-to-Network relay.
The foregoing has outlined, in general, the various aspects of the invention and is to serve as an aid to better understanding the more complete detailed description which is to follow. In reference to such, there is to be a clear understanding that the present invention is not limited to the method or application of use described and illustrated herein. It is intended that any other advantages and objects of the present invention that become apparent or obvious from the detailed description or illustrations contained herein are within the scope of the present invention.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The other objects, features and advantages will occur to those skilled in the art from the following description of the preferred embodiment and the accompanying drawings in which:
Figure 1 is a flow diagram illustrating an exemplary device to device (D2D) communication between a remote user equipment (UE) and a UE-to-Network relay, according to the prior art.
Figure 2 is a flow diagram illustrating a key hierarchy for D2D group communication, according to the prior art.
Figure 3 is a flowchart illustrating an exemplary method for establishing a secure communication between first user equipment and second user equipment, according to one embodiment of the present invention.
Figure 4 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to one embodiment of the present invention.
Figure 5 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to another embodiment of the present invention.
Figure 6 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to yet another embodiment of the present invention.
Figure 7 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to a further embodiment of the present invention.
Although specific features of the present invention are shown in some drawings and not in others, this is done for convenience only as each feature may be combined with any or all of the other features in accordance with the present invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention provides a method and system for establishing a secure communication between a remote UE and UE-to-network relay in a device to device communication network. In the following detailed description of the embodiments of the invention, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.
The specification may refer to “an”, “one” or “some” embodiment(s) in several locations. This does not necessarily imply that each such reference is to the same embodiment(s), or that the feature only applies to a single embodiment. Single features of different embodiments may also be combined to provide other embodiments.
As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless expressly stated otherwise. It will be further understood that the terms “includes”, “comprises”, “including” and/or “comprising” when used in this specification, specify the presence of stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations and arrangements of one or more of the associated listed items.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Throughout the specification, the terms UE-to-Network relay and relay UE are used interchangeably. Throughout this specification, the messages between the Remote UE and the UE-to-Network Relay and the messages between the UE-to-Network Relay and the ProSe function may be ProSe protocol specific messages. Further, throughout the specification, the terms "Proximity-based Service (ProSe) server" and "ProSe key management function (PKMF)" are used interchangeably.
Figure 3 is a flowchart illustrating an exemplary method for establishing a secure communication between first user equipment and second user equipment, according to one embodiment of the present invention. In this embodiment, the first user equipment (UE1) communicates with the network via the second user equipment (UE2).
At step 302, a security key request is sent by UE2 to a Proximity-based Service (ProSe) server or ProSe key management function (PKMF). The security key request comprises the UE1 ID and the UE2 ID. At step 304, a security key called the ProSe traffic key (PTK UE2) is derived by the ProSe server or PKMF for UE2 to securely transmit data packets to UE1. At step 306, the security key response including the PTK is received by UE2. At step 308, a ProSe encryption key (PEK UE2) is generated by UE2 using the PTK UE2 received in the security key response. The generated PEK UE2 and the PGK ID associated with UE2 are then transmitted to UE1 in a signaling message or in a data packet header at step 310. Then, at step 312, security keys (PTK UE1 and PEK UE1) are generated by UE1 to establish secure communication with UE2.
Figure 4 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to an embodiment of the present invention. In one embodiment, a UE-to-Network relay 404 transmits a security key request to a Proximity-based Service (ProSe) server 406 or ProSe key management function (PKMF). The security key request comprises the remote UE ID and the UE-to-Network Relay's UE ID. The security key request may also comprise a group ID of the remote UE 402. In some embodiments, the Remote UE Group ID may be included in the security key request if the Remote UE 402 belongs to multiple groups. In some embodiments, the Remote UE Group ID may also be included in the security key request if the Remote UE ID is unique only within the group. In these embodiments, if the Remote UE ID is unique only within the group, then the Remote UE ID and the Remote UE Group ID together identify the Remote UE 402. The UE-to-Network relay 404 obtains the Remote UE ID and/or Remote UE Group ID of the remote UE 402 during the UE-to-Network relay discovery process.
Alternately, the UE-to-network relay 404 may receive the Remote UE ID and/or Remote UE Group ID of remote UE from the Remote UE 402 in the communication or connection request message. The UE-to-network relay 404 may transmit a security key request to a Proximity-based Service (ProSe) server 406 or ProSe key management function (PKMF) on receiving the communication or connection request message from remote UE 402.
In response to the security key request, the ProSe server or PKMF derives the security key (PTKUE-to-Network-Relay), a ProSe traffic key (PTK) for the UE-to-network relay 404 to secure data packets transmitted to the Remote UE 402 or to the remote UE’s group. The ProSe server 406 or PKMF derives the security key as follows:
PTKUE-to-Network-Relay = KDF (PGKRemote-UE, PTK ID, UE-to-network relay UE ID)
The PGKRemote-UE is any valid ProSe Group Key of Remote UE 402 if Remote UE 402 is associated with one group. PGKRemote-UE is any valid ProSe Group Key of Remote UE 402 corresponding to the group identified by Remote UE Group ID wherein the Remote UE Group ID is received by ProSe server 406 or PKMF in security key request. The KDF or key derivation function is well known in prior art and hence not explained here.
In an alternate embodiment, the ProSe Server 406 or PKMF may further derive a ProSe encryption key for the UE-to-Network relay (PEKUE-to-Network-Relay), wherein PEKUE-to-Network-Relay is derived as follows:
PEKUE-to-Network-Relay = KDF (PTKUE-to-Network-Relay, Algorithm ID)
wherein the Algorithm ID identifies the security algorithm, for example the SNOW 3G integrity algorithm or the AES encryption algorithm.
The ProSe Server 406 or PKMF transmits the security key response to the UE-to-Network Relay. The security key response comprises PTKUE-to-Network-Relay, the PTK ID and the PGK ID. PTKUE-to-Network-Relay is the security key derived by the ProSe Server 406 or PKMF which is to be used by the UE-to-Network relay 404 to secure the packets transmitted to the Remote UE 402. The PTK ID is the ID used as input to derive PTKUE-to-Network-Relay, and the PGK ID is the index of the PGKRemote-UE used to derive PTKUE-to-Network-Relay. In an alternate embodiment, PEKUE-to-Network-Relay is included in the security key response instead of PTKUE-to-Network-Relay.
The UE-to-network relay 404 generates PEKUE-to-Network-Relay using PTKUE-to-Network-Relay received in the security key response from ProSe Server 406 or PKMF as follows:
PEKUE-to-Network-Relay = KDF (PTKUE-to-Network-Relay, Algorithm ID)
PEKUE-to-Network-Relay is then used for securing the data packets transmitted to the Remote UE 402. Alternatively, the ProSe Server 406 or PKMF transmits PEKUE-to-Network-Relay in the security key response and it is used by the UE-to-Network relay 404 for securing the packets transmitted to the Remote UE 402. PEKUE-to-Network-Relay is also used by the UE-to-Network relay 404 to decrypt the packets received from the Remote UE 402. The UE-to-Network relay 404 then informs the Remote UE 402 of the PGK ID and PTK ID received in the security key response, in a signaling message and/or in the data packet header. The UE-to-Network relay 404 may also send a MAC-I along with the PGK ID and PTK ID. For the MAC-I, the UE-to-Network relay 404 may derive a security key PIKUE-to-Network-Relay as follows:
PIKUE-to-Network-Relay = KDF (PTKUE-to-Network-Relay, Algorithm ID).
The method to generate the MAC-I is well known in prior art and hence not explained here.
Upon receiving the security key information from the UE-to-Network relay 404, the Remote UE 402 generates the security key, i.e. the ProSe Traffic Key, for securely transmitting data packets to the UE-to-Network Relay. The security key is derived as follows:
PTKRemote-UE = KDF (PGK corresponding to the PGK ID and Remote UE Group ID received from the UE-to-Network Relay, PTK ID received from the UE-to-Network Relay, UE-to-Network relay UE ID)
PEKRemote-UE = KDF (PTKRemote-UE, Algorithm ID)
wherein PEKRemote-UE is used by the Remote UE 402 for securing the packets transmitted to the UE-to-Network relay 404. PEKRemote-UE is also used by the Remote UE 402 for decrypting the packets received from the UE-to-Network relay.
In an embodiment in which MAC-I is included, remote UE 402 verifies MAC-I included by UE-to-NW relay using derived keys. For MAC-I, Remote UE 402 may derive a security key PIKRemote UE = KDF (PTKRemote UE, Algorithm ID).
After verification, the remote UE 402 sends a message to UE-to-NW relay 404 with MAC–I. The UE-to-NW relay 404 then verifies MAC-I and accepts the connection with remote UE 402.
In an alternate embodiment, the Remote UE ID may be used in place of UE-to-network relay UE ID in deriving PTKUE-to-Network-Relay and PTKRemote-UE. In another alternate embodiment, the Remote UE ID may be used in addition to UE-to-network relay UE ID in deriving PTKUE-to-Network-Relay and PTKRemote-UE.
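The Figure 4 exchange described above, together with the PGK to PTK to PEK hierarchy from the background section, carried through in working code as an added example (this is not code from the patent or from Samsung). The ProSe server holds the remote UE's group PGKs and derives PTKUE-to-Network-Relay on the relay's behalf, so the relay never sees a PGK of a group it does not belong to; the relay derives PEK and PIK from that PTK and sends the PGK ID and PTK ID with a MAC-I; the remote UE re-derives the same PTK from its own PGK, verifies the MAC-I and answers with its own MAC-I. The KDF is a simplified HMAC-SHA256 construction over length-prefixed inputs, the MAC-I is a truncated HMAC, and all identifiers and PGK values are constructed placeholders; none of these encodings are the 3GPP ones. The page writes PEK and PIK with identical KDF inputs, so the separate labels that make the two keys differ are an assumption made here.

```python
import hashlib
import hmac

# Constructed sample identifiers (placeholders, not values from the patent).
REMOTE_UE_ID = b"remote-ue-0001"
RELAY_UE_ID = b"relay-ue-0042"
ALGORITHM_ID = b"alg-placeholder"  # identifies the ciphering/integrity algorithm


def kdf(key: bytes, *params: bytes) -> bytes:
    """Simplified KDF (assumption): HMAC-SHA256 over length-prefixed parameters."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_ptk(pgk: bytes, ptk_id: int, member_id: bytes) -> bytes:
    """PTK = KDF(PGK, PTK ID, member identity); Figure 4 uses the relay's UE ID as member identity."""
    return kdf(pgk, ptk_id.to_bytes(2, "big"), member_id)


def derive_pek(ptk: bytes) -> bytes:
    """PEK = KDF(PTK, Algorithm ID); the b"PEK" label is an assumption so that PEK and PIK differ."""
    return kdf(ptk, b"PEK", ALGORITHM_ID)


def derive_pik(ptk: bytes) -> bytes:
    """PIK = KDF(PTK, Algorithm ID), used only for the MAC-I on signalling."""
    return kdf(ptk, b"PIK", ALGORITHM_ID)


def compute_mac_i(pik: bytes, message: bytes) -> bytes:
    """MAC-I as a 32-bit truncated HMAC-SHA256 tag (constructed stand-in for the integrity algorithm)."""
    return hmac.new(pik, message, hashlib.sha256).digest()[:4]


def prose_server_key_request(server: dict, remote_ue_id: bytes, relay_ue_id: bytes,
                             remote_group_id: str = None) -> dict:
    """ProSe server / PKMF: answer the relay's security key request.
    The Remote UE Group ID is optional; it is required when the remote UE belongs to several groups.
    A valid PGK of that group is selected and PTK is derived for the relay's UE ID; the PGK never leaves."""
    groups = server["membership"][remote_ue_id]
    if remote_group_id is None:
        if len(groups) != 1:
            raise ValueError("remote UE belongs to multiple groups; Remote UE Group ID required")
        remote_group_id = groups[0]
    elif remote_group_id not in groups:
        raise ValueError("remote UE is not a member of the requested group")
    pgk_id, pgk = sorted(server["group_keys"][remote_group_id].items())[0]  # any valid PGK of the group
    ptk_id = 1  # fresh PTK ID chosen by the server (constructed)
    return {"ptk": derive_ptk(pgk, ptk_id, relay_ue_id), "ptk_id": ptk_id, "pgk_id": pgk_id}


def relay_establish(response: dict, relay_ue_id: bytes) -> tuple:
    """UE-to-Network relay: derive PEK/PIK from the received PTK and build the key info message
    (PGK ID, PTK ID, MAC-I) for the remote UE."""
    pek, pik = derive_pek(response["ptk"]), derive_pik(response["ptk"])
    payload = b"PGK_ID=%d;PTK_ID=%d" % (response["pgk_id"], response["ptk_id"])
    message = {"pgk_id": response["pgk_id"], "ptk_id": response["ptk_id"],
               "relay_ue_id": relay_ue_id, "payload": payload, "mac_i": compute_mac_i(pik, payload)}
    return pek, pik, message


def remote_establish(remote_pgks: dict, message: dict) -> tuple:
    """Remote UE: re-derive PTK from its own PGK (selected by PGK ID), the PTK ID and the relay's UE ID,
    verify the MAC-I, and answer with its own MAC-I."""
    pgk = remote_pgks.get(message["pgk_id"])
    if pgk is None:
        raise ValueError("unknown PGK ID: no matching pre-provisioned group key")
    ptk = derive_ptk(pgk, message["ptk_id"], message["relay_ue_id"])
    pek, pik = derive_pek(ptk), derive_pik(ptk)
    if not hmac.compare_digest(message["mac_i"], compute_mac_i(pik, message["payload"])):
        raise ValueError("MAC-I verification failed: wrong key or tampered message")
    reply = b"CONNECT_ACCEPT"
    return pek, pik, {"payload": reply, "mac_i": compute_mac_i(pik, reply)}


def run_figure4_flow() -> dict:
    """Run the whole exchange with constructed keys and report the properties worth checking."""
    group_keys = {"group-A": {3: b"\x11" * 16, 7: b"\x22" * 16}}  # constructed PGKs indexed by PGK ID
    server = {"group_keys": group_keys, "membership": {REMOTE_UE_ID: ["group-A"]}}
    response = prose_server_key_request(server, REMOTE_UE_ID, RELAY_UE_ID)
    relay_pek, relay_pik, message = relay_establish(response, RELAY_UE_ID)
    remote_pek, _remote_pik, reply = remote_establish(group_keys["group-A"], message)
    relay_accepts = hmac.compare_digest(reply["mac_i"], compute_mac_i(relay_pik, reply["payload"]))
    return {"keys_match": relay_pek == remote_pek,
            "relay_accepts": relay_accepts,
            "relay_received_pgk": "pgk" in response}


if __name__ == "__main__":
    print(run_figure4_flow())
```

The two checks that matter for the defender are visible in `run_figure4_flow`: both sides end with the same PEK although only the server and the remote UE ever held the PGK, and a modified PGK ID/PTK ID message fails MAC-I verification at the remote UE before any key is put into use.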
Figure 5 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to another embodiment of the present invention. In this embodiment, the Remote UE 502 transmits security key information comprising the PGK ID and PTK ID to UE-to-Network Relay 504, where PGK ID is the index of PGK used by the Remote UE for deriving the security key (PTKRemote-UE). The Remote UE 502 derives ProSe encryption key (PEKRemote-UE) from PTKRemote-UE. The PEKRemote-UE is used by the Remote UE 502 to secure the packets transmitted to UE-to-Network Relay 504.
After receiving the security key information from the Remote UE 502, the UE-to-Network Relay 504 transmits a security key request to a ProSe Server 506 or PKMF. The security key request comprises the Remote UE ID, the UE-to-Network Relay's UE ID, the PGK ID received from the Remote UE and the PTK ID received from the Remote UE 502. In some embodiments the Remote UE Group ID may be included in the security key request if the Remote UE 502 belongs to multiple groups. In some embodiments, the Remote UE Group ID may also be included in the security key request if the Remote UE ID is unique only within the group. If the Remote UE ID is unique only within the group, then the Remote UE ID and the Remote UE Group ID together identify the Remote UE. The UE-to-Network Relay obtains the Remote UE ID and/or Remote UE Group ID of the remote UE during the UE-to-Network Relay discovery process. Alternately, the UE-to-Network Relay 504 may receive the Remote UE ID and/or Remote UE Group ID from the Remote UE 502 in the communication or connection request message. The UE-to-Network relay 504 may transmit the security key request to the Proximity-based Service (ProSe) server 506 or ProSe key management function (PKMF) on receiving the communication or connection request message from the remote UE 502.
The ProSe Server 506 or PKMF derives a first security key i.e. ProSe Traffic Key 1 which is used by UE-to-Network relay 504 to secure the packets transmitted to the Remote UE 502 or Remote UE’s group where the derivation of the security key is as follows:
PTKUE-to-Network-Relay-TX = KDF (PGKRemote-UE, PTK ID, UE-to-Network Relay UE ID).
The PGKRemote-UE is any valid ProSe Group Key of Remote UE 502 if Remote UE 502 is associated with one group. The PGKRemote-UE is any valid ProSe Group Key of Remote UE corresponding to the group identified by Remote UE Group ID.
In an alternate embodiment, the ProSe Server 506 or PKMF may derive PEKUE-to-Network-Relay-TX wherein PEKUE-to-Network-Relay-TX = KDF (PTKUE-to-Network-Relay-TX, Algorithm ID) wherein the algorithm ID identifies the security algorithm for example, SNOW 3G integrity algorithm or AES encryption algorithm.
The ProSe Server 506 or PKMF further derives a second security key i.e. ProSe Traffic Key 2 to be used by UE-to-Network relay 504 to decrypt the packets received from Remote UE 502 or Remote UE’s group. The derivation of ProSe Traffic Key 2 is as follows:
PTKUE-to-Network-Relay-RX = KDF (PGKRemote-UE, PTK ID, Remote UE ID).
Where PGKRemote-UE is the ProSe Group Key of Remote UE 502 corresponding to PGK ID received from UE-to-Network Relay in security key request. The PTK ID is the PTK ID received from UE-to-Network Relay in security key request. In an alternate embodiment, the ProSe Server or PKMF may derive PEKUE-to-Network-Relay-RX wherein,
PEKUE-to-Network-Relay-RX = KDF (PTKUE-to-Network-Relay-RX, Algorithm ID)
in which the algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithm or AES encryption algorithm.
The ProSe Server 506 or PKMF then transmits the security key response to the UE-to-Network Relay. The security key response comprises PTKUE-to-Network-Relay-TX, the PTK ID, the PGK ID and PTKUE-to-Network-Relay-RX, where PTKUE-to-Network-Relay-TX is the security key derived by the ProSe Server 506 or PKMF which is used by the UE-to-Network relay 504 to secure the packets transmitted to the Remote UE 502. The PTK ID is the ID used as input to derive PTKUE-to-Network-Relay-TX. The PGK ID is the index of the PGKRemote-UE used to derive PTKUE-to-Network-Relay-TX. PTKUE-to-Network-Relay-RX is the security key derived by the ProSe Server 506 or PKMF which is used by the UE-to-Network relay 504 to decrypt the packets received from the Remote UE 502. In an alternate embodiment, PEKUE-to-Network-Relay-TX and PEKUE-to-Network-Relay-RX are included in the security key response instead of, or along with, PTKUE-to-Network-Relay-TX and PTKUE-to-Network-Relay-RX.
The UE-to-Network relay 504 generates two keys: one for secure transmission of data packets to the remote UE 502 and another for secure reception of data packets from the remote UE 502. The UE-to-Network relay 504 generates the secure transmission key (PEKUE-to-Network-Relay-TX) using the PTKUE-to-Network-Relay-TX received in the security key response from the ProSe Server or PKMF, wherein
PEKUE-to-Network-Relay-TX = KDF (PTKUE-to-Network-Relay-TX, Algorithm ID)
The PEKUE-to-Network-Relay-TX is then used for securing the packets transmitted to Remote UE 502. In an alternate embodiment, the PEKUE-to-Network-Relay-TX is received in the security key response from ProSe Server 506 or PKMF and is used by UE-to-Network relay for securing the packets transmitted to Remote UE 502. Further, the PTK ID and the PGK ID received from the ProSe Server 506 or PKMF in the security key response are transmitted by UE-to-Network Relay 504 in the header of the secured data packets.
Now, the UE-to-Network relay 504 generates PEKUE-to-Network-Relay-RX using PTKUE-to-Network-Relay-RX received in the security key response from ProSe Server 506 or PKMF wherein
PEKUE-to-Network-Relay-RX = KDF (PTKUE-to-Network-Relay-RX, Algorithm ID)
The PEKUE-to-Network-Relay-RX is then used for decrypting the packets received from Remote UE 502. In an alternate embodiment, PEKUE-to-Network-Relay-RX is received in the security key response from the ProSe Server 506 or PKMF and is used by the UE-to-Network relay 504 for decrypting the packets received from the Remote UE 502.
The Remote UE generates the security keys on its own. The keys are generated before sending the security key info to the UE-to-NW relay. The Remote UE 502 first generates a security key, i.e. a ProSe Traffic Key, for transmission to UE-to-Network Relay 504. The security key is derived as follows:
PTKRemote-UE-TX = KDF (PGK corresponding to PGK ID informed to UE-to-Network Relay, PTK ID informed to UE-to-Network Relay and Remote UE ID)
PEKRemote-UE-TX = KDF (PTKRemote-UE-TX, Algorithm ID)
Where PEKRemote-UE-TX is used by the Remote UE 502 for securing the packets transmitted to UE-to-Network relay 504.
Secondly, the Remote UE 502 generates a security key, i.e. a ProSe Traffic Key, for decrypting packets received from UE-to-Network Relay 504. The security key is derived as follows:
PTKRemote-UE-RX = KDF (PGK corresponding to PGK ID received in data packet from UE-to-Network Relay 504, PTK ID received in data packet from UE-to-Network Relay 504, UE-to-Network Relay UE ID)
PEKRemote-UE-RX = KDF (PTKRemote-UE-RX, Algorithm ID)
Where PEKRemote-UE-RX is used by Remote UE 502 for decrypting the packets received from UE-to-Network relay 504.
In an alternate embodiment, the Remote UE ID may be used in place of UE-to-Network relay UE ID in deriving PTKUE-to-Network-Relay-TX and PTKRemote-UE-RX. In another alternate embodiment, the Remote UE ID may be used in addition to UE-to-Network relay UE ID in deriving PTKUE-to-Network-Relay-TX and PTKRemote-UE-RX.
Figure 6 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE 602 and UE-to-Network Relay 604, according to yet another embodiment of the present invention. According to this embodiment, the UE-to-Network Relay 604 transmits a security key request to ProSe Server 606 or PKMF. The security key request comprises the Remote UE ID and the UE-to-Network Relay’s UE ID. The security key request may also comprise a Remote UE Group ID. In some embodiments the Remote UE Group ID may be included in the security key request if the Remote UE 602 belongs to multiple groups. In some embodiments, the Remote UE Group ID may also be included in the security key request if the Remote UE ID is unique only within the group. If the Remote UE ID is unique only within the group, then the Remote UE ID and Remote UE Group ID together identify the Remote UE 602. In one embodiment, the UE-to-Network Relay 604 obtains the Remote UE ID and/or Remote UE Group ID of Remote UE 602 during the UE-to-Network Relay 604 discovery process. Alternately, the UE-to-Network Relay 604 may receive the Remote UE ID and/or Remote UE Group ID of Remote UE 602 from the Remote UE 602 in the communication or connection request message. The UE-to-Network Relay 604 may transmit a security key request to a Proximity-based Service (ProSe) server 606 or ProSe key management function (PKMF) on receiving the communication or connection request message from remote UE 602.
The ProSe Server 606 or PKMF derives a first security key i.e. ProSe Traffic Key 1 which is used by UE-to-Network Relay 604 to secure data packets transmitted to the Remote UE 602 or Remote UE’s group. The ProSe Server 606 or PKMF derives the security key as follows:
PTKUE-to-Network-Relay-TX = KDF (PGKRemote-UE, PTK ID 1, UE-to-Network Relay 604 UE ID)
Where, PGKRemote-UE is any valid ProSe Group Key of the Remote UE 602 if the Remote UE 602 is associated with one group. The PGKRemote-UE is any valid ProSe Group Key of Remote UE 602 corresponding to the group identified by Remote UE Group ID. In an alternate embodiment, the ProSe Server 606 or PKMF may derive PEKUE-to-Network-Relay-TX wherein
PEKUE-to-Network-Relay-TX = KDF (PTKUE-to-Network-Relay-TX, Algorithm ID)
Where, the Algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithm or AES encryption algorithm.
The ProSe Server 606 or PKMF further derives a second security key i.e. ProSe Traffic Key 2 which is used by the UE-to-Network Relay 604 to decrypt the packets received from Remote UE. The ProSe Server 606 or PKMF derives the security key as follows:
PTKUE-to-Network-Relay-RX = KDF (PGKRemote-UE, PTK ID 2, Remote UE ID)
Where, PGKRemote-UE is any valid ProSe Group Key of Remote UE 602 if Remote UE 602 is associated with one group. PGKRemote-UE is any valid ProSe Group Key of Remote UE 602 corresponding to the group identified by Remote UE Group ID. In an alternate embodiment, the ProSe Server 606 or PKMF may derive PEKUE-to-Network-Relay-RX wherein
PEKUE-to-Network-Relay-RX = KDF (PTKUE-to-Network-Relay-RX, Algorithm ID)
The Algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithms or AES encryption algorithm.
The ProSe Server 606 or PKMF transmits the security key response to the UE-to-Network Relay 604. The security key response comprises PTKUE-to-Network-Relay-TX, the PGK ID and PTK ID used to derive PTKUE-to-Network-Relay-TX, PTKUE-to-Network-Relay-RX, and the PGK ID and PTK ID used to derive PTKUE-to-Network-Relay-RX. The PTKUE-to-Network-Relay-TX is the security key derived by ProSe Server 606 or PKMF which is to be used by UE-to-Network Relay 604 to secure the packets transmitted to Remote UE. The PTK ID is the ID used as input to derive the PTKUE-to-Network-Relay-TX. The PGK ID is the index of PGKRemote-UE used to derive the PTKUE-to-Network-Relay-TX. The PTKUE-to-Network-Relay-RX is the security key derived by ProSe Server 606 or PKMF which is used by UE-to-Network Relay 604 to decrypt the packets received from Remote UE. In an alternate embodiment, the PEKUE-to-Network-Relay-TX and PEKUE-to-Network-Relay-RX are included in the security key response instead of, or along with, PTKUE-to-Network-Relay-TX and PTKUE-to-Network-Relay-RX.
The UE-to-Network Relay 604 generates PEKUE-to-Network-Relay-TX using PTKUE-to-Network-Relay-TX received in the security key response from ProSe Server 606 or PKMF wherein
PEKUE-to-Network-Relay-TX = KDF (PTKUE-to-Network-Relay-TX, Algorithm ID)
The PEKUE-to-Network-Relay-TX is then used for securing the packets transmitted to the Remote UE. In an alternate embodiment, PEKUE-to-Network-Relay-TX is received in the security key response from ProSe Server 606 or PKMF and is used by UE-to-Network Relay 604 for securing the packets transmitted to Remote UE. Later, the PTK ID and PGK ID received from the ProSe Server 606 or PKMF in the security key response are transmitted by UE-to-Network Relay 604 in the header of the secured data packets.
The UE-to-Network Relay 604 further generates a PEKUE-to-Network-Relay-RX using PTKUE-to-Network-Relay-RX received in the security key response from ProSe Server 606 or PKMF wherein
PEKUE-to-Network-Relay-RX = KDF (PTKUE-to-Network-Relay-RX, Algorithm ID)
The PEKUE-to-Network-Relay-RX is then used for decrypting the packets received from Remote UE. In an alternate embodiment, the PEKUE-to-Network-Relay-RX is received in the security key response from ProSe Server 606 or PKMF and is used by UE-to-Network Relay 604 for decrypting data packets received from the Remote UE. The PTK ID and the PGK ID received from the ProSe Server 606 or PKMF in the security key response corresponding to PTKUE-to-Network-Relay-RX are transmitted by UE-to-Network Relay 604 in the security key information.
The Remote UE 602 generates the security key, i.e. a ProSe Traffic Key, for transmission to UE-to-Network Relay 604. The security key is derived as follows:
PTKRemote-UE-TX = KDF (PGK corresponding to PGK ID received from UE-to-Network Relay 604, PTK ID received from UE-to-Network Relay 604 and Remote UE ID)
PEKRemote-UE-TX = KDF (PTKRemote-UE-TX, Algorithm ID)
The PEKRemote-UE-TX is used by Remote UE 602 for securing data packets to be transmitted to UE-to-Network Relay 604.
Further, the Remote UE 602 generates the security key, i.e. a ProSe Traffic Key, for decrypting packets received from UE-to-Network Relay 604. The security key is derived as follows:
PTKRemote-UE-RX = KDF (PGK corresponding to PGK ID received in data packet from UE-to-Network Relay 604, PTK ID received in data packet from UE-to-Network Relay 604, UE-to-Network Relay UE ID).
PEKRemote-UE-RX = KDF (PTKRemote-UE-RX, Algorithm ID).
The PEKRemote-UE-RX is used by Remote UE 602 for decrypting data packets received from UE-to-Network Relay 604.
In an alternate embodiment, the Remote UE ID may be used in place of UE-to-Network Relay 604 UE ID in deriving PTKUE-to-Network-Relay-TX and PTKRemote-UE-RX. In another alternate embodiment, the Remote UE ID may be used in addition to UE-to-Network Relay 604 UE ID in deriving security keys for transmission and reception (PTKUE-to-Network-Relay-TX and PTKRemote-UE-RX).
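The two-direction key hierarchy of the Figure 5 and Figure 6 embodiments, traced end to end as an added example that is not part of this specification: the ProSe server derives PTK-TX and PTK-RX from the remote UE's PGK, the relay derives its PEKs and carries the PGK ID and PTK ID in the packet header, and the remote UE rebuilds the matching keys from that header. The specification fixes no concrete KDF, algorithm or header layout, so the HMAC-SHA256 stand-in for KDF, the sample UE IDs and PGK values, and the 3-byte header with an integrity tag are all assumptions made here.

```python
import hashlib
import hmac
from typing import Dict, NamedTuple, Tuple

# Assumption: the specification names no concrete KDF, so HMAC-SHA256 over
# length-prefixed, concatenated inputs stands in for every "KDF(...)" below.
def kdf(key: bytes, *inputs) -> bytes:
    msg = b""
    for item in inputs:
        data = item if isinstance(item, bytes) else str(item).encode()
        msg += len(data).to_bytes(2, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_ptk(pgk: bytes, ptk_id: int, ue_id: str) -> bytes:
    # PTK = KDF(PGK, PTK ID, UE ID): the UE ID binds the key to one direction.
    return kdf(pgk, "PTK", ptk_id, ue_id)


def derive_pek(ptk: bytes, algorithm_id: int) -> bytes:
    # PEK = KDF(PTK, Algorithm ID)
    return kdf(ptk, "PEK", algorithm_id)


# Constructed sample values, not taken from the page.
REMOTE_UE_ID = "remote-ue-0001"
RELAY_UE_ID = "relay-ue-0042"
ALGORITHM_ID = 1
# PGKs provisioned to the remote UE, indexed by PGK ID (constructed values).
PGK_STORE: Dict[int, bytes] = {
    7: hashlib.sha256(b"constructed PGK with ID 7").digest(),
    8: hashlib.sha256(b"constructed PGK with ID 8").digest(),
}
TAG_LEN = 16  # assumed integrity tag length


class KeyResponse(NamedTuple):
    """Security key response from the ProSe server / PKMF to the relay."""
    ptk_tx: bytes     # relay -> remote UE
    ptk_rx: bytes     # remote UE -> relay
    pgk_id: int
    ptk_id_tx: int    # "PTK ID 1" of the Figure 6 embodiment
    ptk_id_rx: int    # "PTK ID 2"


def prose_server_key_response(pgk_store: Dict[int, bytes], pgk_id: int,
                              ptk_id_tx: int, ptk_id_rx: int,
                              remote_ue_id: str, relay_ue_id: str) -> KeyResponse:
    """ProSe server side: PTK-TX is bound to the relay's UE ID, PTK-RX to the remote UE ID."""
    pgk = pgk_store[pgk_id]
    return KeyResponse(
        ptk_tx=derive_ptk(pgk, ptk_id_tx, relay_ue_id),
        ptk_rx=derive_ptk(pgk, ptk_id_rx, remote_ue_id),
        pgk_id=pgk_id, ptk_id_tx=ptk_id_tx, ptk_id_rx=ptk_id_rx)


def relay_peks(resp: KeyResponse, algorithm_id: int) -> Tuple[bytes, bytes]:
    """Relay side: (PEK-TX, PEK-RX) from the PTKs carried in the key response."""
    return derive_pek(resp.ptk_tx, algorithm_id), derive_pek(resp.ptk_rx, algorithm_id)


def relay_protect(resp: KeyResponse, pek_tx: bytes, payload: bytes) -> bytes:
    """Relay -> remote UE packet: header with PGK ID and PTK ID, payload, then an
    integrity tag under PEK-TX (assumed layout; the page only says the IDs go in
    the header of the secured packet)."""
    header = bytes([resp.pgk_id]) + resp.ptk_id_tx.to_bytes(2, "big")
    tag = hmac.new(pek_tx, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def remote_ue_unprotect(pgk_store: Dict[int, bytes], packet: bytes,
                        relay_ue_id: str, algorithm_id: int) -> bytes:
    """Remote UE side: PTK-RX = KDF(PGK[PGK ID from header], PTK ID from header,
    relay UE ID), which must equal the relay's PTK-TX for the tag to verify."""
    pgk_id = packet[0]
    ptk_id = int.from_bytes(packet[1:3], "big")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if pgk_id not in pgk_store:
        raise ValueError("unknown PGK ID in header")
    pek_rx = derive_pek(derive_ptk(pgk_store[pgk_id], ptk_id, relay_ue_id), algorithm_id)
    expected = hmac.new(pek_rx, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body[3:]


def remote_ue_pek_tx(pgk_store: Dict[int, bytes], pgk_id: int, ptk_id: int,
                     remote_ue_id: str, algorithm_id: int) -> bytes:
    """Remote UE -> relay direction: PTK-TX = KDF(PGK, PTK ID, Remote UE ID), so the
    remote UE's PEK-TX equals the relay's PEK-RX."""
    return derive_pek(derive_ptk(pgk_store[pgk_id], ptk_id, remote_ue_id), algorithm_id)


if __name__ == "__main__":
    resp = prose_server_key_response(PGK_STORE, 7, 1001, 1002, REMOTE_UE_ID, RELAY_UE_ID)
    pek_tx, pek_rx = relay_peks(resp, ALGORITHM_ID)
    pkt = relay_protect(resp, pek_tx, b"hello remote UE")
    print(remote_ue_unprotect(PGK_STORE, pkt, RELAY_UE_ID, ALGORITHM_ID))
    print(remote_ue_pek_tx(PGK_STORE, 7, 1002, REMOTE_UE_ID, ALGORITHM_ID) == pek_rx)
```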
Figure 7 is a flow diagram illustrating an exemplary method for establishing a secure communication between Remote UE and UE-to-Network Relay, according to a further embodiment of the present invention. As shown in Figure 7, the UE-to-Network Relay 704 transmits a security key request to a ProSe Server 706 or PKMF. The security key request comprises a Remote UE ID and a UE-to-Network Relay’s UE ID. In some embodiments the Remote UE Group ID may be included in the security key request if the Remote UE 702 belongs to multiple groups. In some embodiments, the Remote UE Group ID may also be included in the security key request if the Remote UE ID is unique only within the group. If the Remote UE ID is unique only within the group, then the Remote UE ID and Remote UE Group ID together identify the Remote UE 702. The UE-to-Network Relay 704 may also obtain the Remote UE ID and/or Remote UE Group ID of remote UE 702 during a UE-to-Network Relay discovery process. Alternately, the UE-to-Network Relay 704 may receive the Remote UE ID and/or Remote UE Group ID of remote UE from Remote UE in a connection request procedure.
The ProSe Server 706 or PKMF derives the security key i.e. ProSe Traffic Key which is used to secure communication between Remote UE 702 and UE-to-Network Relay 704. The ProSe Server 706 or PKMF derives the security key as follows:
PTK = KDF (Security Key of Remote UE, COUNTER and/or NONCE and/or Remote UE ID and/or UE-to-Network Relay UE ID)
where the security key of Remote UE 702 is a UE specific key known to the Remote UE 702 and the ProSe server 706 or PKMF. In an embodiment, the security key is a master key (KASME) obtained from a home subscriber server (HSS) by the ProSe server 706 or by PKMF specific to the UE. The KASME is provided to the ProSe server 706 or PKMF along with an authentication vector. In this embodiment, the ProSe server 706 or PKMF transmits an AUTN and RAND along with the PTK/PEK to the UE-to-Network Relay 704. The UE-to-Network Relay 704 forwards the AUTN and RAND to the Remote UE 702, so that the Remote UE 702 derives the KASME and other keys. In an alternate embodiment, ProSe Server 706 or PKMF may derive PEK wherein
PEK = KDF (PTK, Algorithm ID)
The Algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithm or AES encryption algorithm. The algorithm to be used may be pre-configured in the Remote UE 702 by the ProSe server 706 or PKMF for the Group, or alternatively the data packets include the algorithm ID in the header. The ProSe Server 706 or PKMF transmits the security key response to the UE-to-Network Relay 704. The security key response comprises the PTK and the COUNTER and/or NONCE. In an alternate embodiment, the PEK is included in the security key response instead of or along with the PTK.
The UE-to-Network relay 704 generates a ProSe encryption key (PEK) using the PTK received in the security key response from the ProSe Server 706 or PKMF wherein
PEK = KDF (PTK, Algorithm ID)
The PEK is then used for decrypting the packets received from Remote UE 702 and also to encrypt the packets transmitted to remote UE 702. In an alternate embodiment, the PEK is received in the security key response from ProSe Server 706 or PKMF and is used by UE-to-Network relay 704 for decrypting the packets received from Remote UE 702 and also to encrypt the packets transmitted to remote UE 702. The COUNTER and/or NONCE received from the ProSe Server 706 or PKMF in security key response corresponding to PTK are transmitted by UE-to-Network Relay 704 in data packet header or signaling message.
The Remote UE 702 generates the security key, i.e. a ProSe Traffic Key, for transmission to UE-to-Network Relay 704. The security key is derived as follows:
PTK = KDF (Security Key of Remote UE, COUNTER and/or NONCE received from UE-to-Network Relay and/or Remote UE ID and/or UE-to-Network Relay UE ID)
PEK = KDF (PTK, Algorithm ID)
Where the PEK is used by Remote UE 702 for securing the packets transmitted to UE-to-Network relay 704 and for decrypting the packets received from UE-to-Network Relay 704.
In an alternate embodiment, the ProSe Server 706 or PKMF may derive two PTKs instead of one wherein one is used for securing packets transmitted by UE-to-Network relay 704 and another is used for securing packets transmitted by Remote UE 702. The UE-to-Network Relay 704 further contacts the ProSe server 706 or PKMF in case of any key refresh/key update. For the key refresh/update, the UE-to-Network Relay 704 transmits the current PTK ID and/or all the PTK IDs used for the Group to the ProSe server 706 or PKMF for obtaining fresh key(s).
In yet another embodiment, a method for establishing a secure communication between a Remote UE 702 and UE-to-Network relay 704 in a device to device (D2D) communication is explained as follows.
A ProSe server 706 or PKMF assigns one or more ProSe relay group keys (PRGKs) to the UE-to-Network relay 704. The PRGKs are assigned in addition to assignment of ProSe group Keys (PGKs) corresponding to its affiliated group(s). Further, the ProSe server 706 or PKMF also assigns one or more ProSe relay group keys (PRGKs) to the remote UE 702 in addition to the assignment of ProSe group Keys (PGKs) corresponding to its affiliated group(s).
Using the PRGKs associated with the remote UE 702, the remote UE 702 derives security key for encrypting the data packets transmitted to UE-to-Network relay 704 as follows:
PRTK = KDF (PRGK, PRTK ID, Remote UE ID).
PREK = KDF (PRTK, Algorithm ID)
The Algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithms or AES encryption algorithm. The Algorithm to be used may be pre-configured in the Remote UE by the ProSe Server for the Group or alternatively the data packets include the algorithm ID in the header. A PREK is used by Remote UE for encrypting the data packets transmitted to UE-to-Network relay. Further, a PRGK ID corresponding to PRGK and PRTK ID are transmitted along with encrypted data packet in data packet header.
Similarly, the UE-to-Network relay 704 derives the security key for encrypting the data packets transmitted to Remote UE as follows:
PRTK = KDF (PRGK, PRTK ID, UE-to-Network Relay UE ID).
PREK = KDF (PRTK, Algorithm ID)
In the above, the Algorithm ID identifies the security algorithm, for example, SNOW 3G integrity algorithms or AES encryption algorithm. The Algorithm to be used may be pre-configured in the UE-to-Network Relay 704 by the ProSe Server 706 for the Group or alternatively the data packets include the algorithm ID in the header. PREK is used by UE-to-Network Relay 704 for encrypting the data packets transmitted to Remote UE 702. PRGK ID corresponding to PRGK and PRTK ID are transmitted along with encrypted data packet in data packet header.
In all the embodiments, the security mechanisms are applied to the data packets which are relayed by UE-to-Network Relay 704. The UE-to-Network Relay 704 can determine using the PDU Type field in the PDCP header whether the packet is to be relayed or not. Similarly, the Remote UE 702 can determine using the PDU Type field in the PDCP header whether the packet received is relayed by UE-to-Network Relay 704 or not. Alternately, logical channel ID may be used to indicate relay of data packets.
It should be noted that the embodiments of this invention can be applied to communication between any UE1 (instead of remote UE) and UE2 (instead of UE-to-Network relay). The PGKRemote UE used in the present invention can be UE1’s master key instead of group key.
Although the invention of the method and system has been described in connection with the embodiments of the present invention illustrated in the accompanying drawings, it is not limited thereto. It will be apparent to those skilled in the art that various substitutions, modifications and changes may be made thereto without departing from the scope and spirit of the invention.
CLAIMS
WE CLAIM:
1. A method for establishing a secure communication between a remote User Equipment (UE) and UE-to-Network relay in a Device-to-Device (D2D) group communication, the method comprising:
transmitting, by the UE-to-Network relay, a security key request to a Proximity-based Service (ProSe) server or ProSe key management function (PKMF), wherein the security key request comprises at least one of a remote UE ID, a UE-to-Network relay UE ID and group ID of the remote UE;
deriving, by the ProSe server or PKMF, a security key for the UE-to-Network relay to securely transmit data packets to the remote UE;
receiving, by the UE-to-Network relay, a security key response from the ProSe server or PKMF, wherein the security key response comprises of ProSe traffic key (PTK) derived for the UE-to-Network relay UE ID, PTK ID and ProSe group Key (PGK) of the remote UE;
generating, by the UE-to-Network relay, a ProSe encryption key (PEK UE-to-Network relay) using PTK UE-to-Network relay received in the security key response;
transmitting the PGK ID and PTK ID received in the security key response in a signaling message or in a data packet header to the remote UE; and
generating security keys (PTK Remote UE and PEK Remote UE) by the remote UE to establish secure communication with the UE-to-Network relay.
2. The method as claimed in claim 1, wherein the remote UE ID comprises of a remote UE group ID if the remote UE belongs to multiple communication groups.
3. The method as claimed in claim 1, wherein the remote UE ID comprises of a remote UE group ID if the remote UE is unique within a communication group.
4. The method as claimed in claim 1, wherein the remote UE uses the PEK Remote-UE for securing the packets transmitted to UE-to-Network relay and for decrypting the data packets received from UE-to-Network relay.
5. A method for establishing a secure communication between a remote User Equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, the method comprising:
transmitting, by the Remote UE, a security key information message to establish a secure communication with a UE-to-Network relay, wherein the security key information comprises of at least one of PGK ID and PTK ID of the remote UE;
transmitting, by the UE-to-Network relay, a security key request to a proximity-based Service (ProSe) server after obtaining security key information from the Remote UE;
deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from remote UE ;
receiving the security key response comprising the first security key and the second security key from the ProSe server;
generating, by the UE-to-Network relay, ProSe encryption key (PEKUE-to-Network relay-TX) for transmission and for reception (PEKUE-to-Network relay-RX) using (PTK UE-to-Network relay-TX) and (PTK UE-to-Network relay-RX) received in the security key response from the ProSe server; and
generating, by the remote UE, security keys (PEK Remote UE-TX and PEK Remote UE-RX) using the information received to establish a secure communication with the UE-to-Network relay.
6. The method as claimed in claim 5, wherein the security key request comprises of at least one of a remote UE ID, a UE-to-Network relay ID, ProSe Group Key (PGK) ID and ProSe Traffic Key (PTK) ID of the remote UE.
7. The method as claimed in claim 5, wherein the security key response comprises of PTKUE-to-Network relay-TX, PTK ID, PGK ID of the remote UE, and PTKUE-to-Network relay-RX.
8. A method for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, the method comprising:
transmitting, by the UE-to-Network relay, a security key request to a proximity-based service (ProSe) server, wherein the security key request comprises of remote UE ID, UE-to-Network relay ID and PGK ID of the remote UE;
deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from the remote UE;
receiving the derived security keys as a security key response from the ProSe server;
generating, by the UE-to-Network relay, a ProSe encryption key (PEKUE-to-Network relay-TX) for transmission and for reception (PEKUE-to-Network relay-RX) using (PTK UE-to-Network relay-TX) and (PTK UE-to-Network relay-RX) received in the security key response from the ProSe server; and
generating, by the remote UE, a first security key and a second security key using the information received from the UE-to-Network relay to establish a secure communication with the UE-to-Network relay.
9. The method as claimed in claim 8, wherein the security key response comprises of PTKUE-to-Network relay-TX, PGK ID and PTK ID used to derive PTKUE-to-Network relay-TX and PTKUE-to-Network relay-RX, PGK ID and PTK ID used to derive PTKUE-to-Network relay-RX.
10. The method as claimed in claim 8, wherein the first security key generated by the remote UE is a ProSe Traffic Key for encrypting data packets transmitted to the UE-to-Network Relay and the second security key generated by the remote UE is a ProSe Traffic Key for decrypting data packets received from the UE-to-Network Relay.
11. A method for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, the method comprising:
transmitting, by the UE-to-Network relay, a security key request to a proximity-based service (ProSe) server, wherein the security key request comprises of remote UE ID, and UE-to-Network relay ID;
deriving, by the ProSe server, a security key for the UE-to-Network relay based on at least one input parameter comprising a master key of remote UE, a counter, a nonce, remote UE ID and UE-to-Network relay ID;
transmitting, the security key response along with the at least one of master key of remote UE, the counter, and the nonce to the UE-to-Network relay;
generating, by the UE-to-Network relay, a ProSe encryption key (PEK) using PTK received in the security key response from the ProSe server for decrypting packets received from the remote UE;
forwarding at least one of the counter and nonce received in the security key response to the remote UE using a data packet header or over a signaling message; and
generating, by the remote UE, the master key using the information received to establish a secure communication with the UE-to-Network relay.
12. The method as claimed in claim 11, wherein the master key is received from a home subscriber server (HSS) by the ProSe server.
13. The method as claimed in claim 11, further comprising:
transmitting the current PTK ID or all PTK IDs of the group to the ProSe server for obtaining a fresh key.
14. The method as claimed in claim 11, further comprising:
assigning, by a Proximity based service server (ProSe server), one or more ProSe relay group keys (PRGKs) to remote UE and UE-to-Network relay in addition to PGKs;
deriving, by remote UE, a security key (PREK remote UE) for encrypting data packets to be transmitted to UE-to-Network relay;
deriving, by UE-to-Network relay, a security key (PREK UE-to-Network relay) for encrypting data packets to be transmitted to remote UE; and
establishing a secure communication between the remote UE and the UE-to-Network relay using the derived security keys.
15. A system for establishing a secure communication between a remote User Equipment (UE) and UE-to-Network relay in a Device-to-Device (D2D) group communication, comprising:
a remote UE which is out of coverage of network;
a UE to Network relay located in proximity to the remote UE and in communication with a Proximity based service (ProSe) server in the network, wherein the system is configured for:
transmitting, by the UE-to-Network relay, a security key request to the ProSe server, wherein the security key request comprises at least one of a remote UE ID, a UE-to-Network relay’s UE ID and group ID of the remote UE;
deriving, by the ProSe server, a security key for the UE-to-Network relay to securely transmit data packets to the remote UE;
receiving, by the UE-to-Network relay, a security key response from the ProSe server, wherein the security key response comprises of ProSe traffic key (PTK) derived for the UE-to-Network relay UE ID, PTK ID and ProSe group Key (PGK) of the remote UE;
generating, by the UE-to-Network relay, a ProSe encryption key (PEK UE-to-Network relay) using PTK UE-to-Network relay received in the security key response;
transmitting the PGK ID and PTK ID received in the security key response in a signaling message or in a data packet header to the remote UE; and
generating security keys (PTK Remote UE and PEK Remote UE) by the remote UE to establish secure communication with the UE-to-Network relay.
16. The system as claimed in claim 15, wherein the remote UE ID comprises of a remote UE group ID if the remote UE belongs to multiple communication groups.
17. The system as claimed in claim 15, wherein the remote UE ID comprises of a remote UE group ID if the remote UE is unique within a communication group.
18. The system as claimed in claim 15, wherein the remote UE uses the PEK Remote-UE for securing the packets transmitted to UE-to-Network relay and for decrypting the data packets received from UE-to-Network relay.
19. A system for establishing a secure communication between a remote User Equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, comprising:
a remote UE which is out of coverage of network;
a UE to Network relay located in proximity to the remote UE and in communication with a proximity-based Service (ProSe) server in the network, wherein the system is configured for:
transmitting, by the Remote UE, a security key information message to establish secure communication to a UE-to-Network relay, wherein the security key information comprises of at least one of PGK ID and PTK ID of the remote UE;
transmitting, by the UE-to-Network relay, a security key request to the ProSe server after obtaining security key information from the Remote UE;
deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from remote UE ;
receiving the security key response comprising the first security key and the second security key from the ProSe server;
generating, by the UE-to-Network relay, ProSe encryption key (PEKUE-to-Network relay-TX) for transmission and for reception (PEKUE-to-Network relay-RX) using (PTK UE-to-Network relay-TX) and (PTK UE-to-Network relay-RX) received in the security key response from the ProSe server; and
generating, by the remote UE, security keys (PEK Remote UE-TX and PEK Remote UE-RX) using the information received to establish a secure communication with the UE-to-Network relay.
20. The system as claimed in claim 19, wherein the security key request comprises of at least one of a remote UE ID, a UE-to-Network relay ID, ProSe Group Key (PGK) ID and ProSe Traffic Key (PTK) ID of the remote UE.
21. The system as claimed in claim 19, wherein the security key response comprises of PTKUE-to-Network relay-TX, PTK ID, PGK ID of the remote UE, and PTKUE-to-Network relay-RX.
22. A system for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, comprising:
a remote UE which is out of coverage of network;
a UE to Network relay located in proximity to the remote UE and in communication with a proximity-based service (ProSe) server in the network, wherein the system is configured for:
transmitting, by the UE-to-Network relay, a security key request to the ProSe server, wherein the security key request comprises of remote UE ID, UE-to-Network relay ID and PGK ID of the remote UE,
deriving, by the ProSe server, a first security key for the UE-to-Network relay (PTKUE-to-Network relay-TX) to securely transmit data packets to the remote UE and a second security key for the UE-to-Network relay (PTKUE-to-Network relay-RX) to decrypt packets received from the remote UE;
receiving the derived security keys as a security key response from the ProSe server;
generating, by the UE-to-Network relay, a ProSe encryption key (PEKUE-to-Network relay-TX) for transmission and for reception (PEKUE-to-Network relay-RX) using (PTK UE-to-Network relay-TX) and (PTK UE-to-Network relay-RX) received in the security key response from the ProSe server; and
generating, by the remote UE, a first security key and a second security key using the information received from the UE-to-Network relay to establish a secure communication with the UE-to-Network relay.
23. The system as claimed in claim 22, wherein the security key response comprises of PTKUE-to-Network relay-TX, PGK ID and PTK ID used to derive PTKUE-to-Network relay-TX and PTKUE-to-Network relay-RX, PGK ID and PTK ID used to derive PTKUE-to-Network relay-RX.
The system as claimed in claim 29, wherein the first security key generated by the remote UE is a ProSe Traffic Key for encrypting data packets transmitted to the UE-to-Network Relay and the second security key generated by the remote UE is a ProSe Traffic Key for decrypting data packets received from the UE-to-Network Relay.
24. A system for establishing a secure communication between a remote user equipment (UE) and a UE-to-Network relay in a Device-to-Device (D2D) group communication, comprising:
a remote UE which is out of network coverage;
a UE-to-Network relay located in proximity to the remote UE and in communication with a proximity-based service (ProSe) server in the network, wherein the system is configured for:
transmitting, by the UE-to-Network relay, a security key request to the ProSe server, wherein the security key request comprises a remote UE ID and a UE-to-Network relay ID;
deriving, by the ProSe server, a security key for the UE-to-Network relay based on at least one input parameter comprising a master key of remote UE, a counter, a nonce, remote UE ID and UE-to-Network relay ID;
transmitting the security key response, along with the at least one of the master key of the remote UE, the counter and the nonce, to the UE-to-Network relay;
generating, by the UE-to-Network relay, a ProSe encryption key (PEK) using the PTK received in the security key response from the ProSe server for decrypting packets received from the remote UE;
forwarding at least one of the counter and the nonce received in the security key response to the remote UE in a data packet header or over a signaling message; and
generating, by the remote UE, the master key using the information received to establish a secure communication with the UE-to-Network relay.
25. The system as claimed in claim 24, wherein the master key is received from a home subscriber server (HSS) by the ProSe server.
26. The system as claimed in claim 24, further comprising:
transmitting the current PTK ID or all PTK IDs of the group to the ProSe server for obtaining a fresh key.
27. The system as claimed in claim 24, further comprising:
assigning, by ProSe server, one or more ProSe relay group keys (PRGKs) to remote UE and UE-to-Network relay in addition to PGKs;
deriving, by remote UE, a security key (PREK remote UE) for encrypting data packets to be transmitted to UE-to-Network relay;
deriving, by UE-to-Network relay, a security key (PREK UE-to-Network relay) for encrypting data packets to be transmitted to remote UE; and
establishing a secure communication between the remote UE and the UE-to-Network relay using the derived security keys.
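Added example, not code from the patent or from any 3GPP specification: a Python model of the key hierarchy in claims 22 and 24, in which the ProSe server derives directional PTKs from the remote UE's master key, a counter, a nonce and both UE IDs, the UE-to-Network relay derives its PEKs from the PTKs in the security key response, and the remote UE recomputes the same keys from the counter and nonce the relay forwards. The HMAC-SHA256 KDF, the direction labels and all class and function names are assumptions, since the claims name only the derivation inputs.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 with length-prefixed inputs; an assumed KDF, the claims name only the inputs
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_ptk(master_key, counter, nonce, remote_ue_id, relay_id, direction):
    # PTK from the claim 24 inputs; the direction label splits the TX and RX keys of claim 22
    return kdf(master_key, b"PTK-" + direction,
               counter.to_bytes(4, "big"), nonce, remote_ue_id, relay_id)

def derive_pek(ptk):  # ProSe encryption key derived from a PTK
    return kdf(ptk, b"PEK")

class ProSeServer:
    # Holds master keys obtained from the HSS (claim 25) and answers security key requests
    def __init__(self, hss_keys):
        self.hss_keys = hss_keys
        self.counter = 0  # advanced per request so each response yields fresh keys

    def handle_key_request(self, remote_ue_id, relay_id):
        self.counter += 1
        nonce = secrets.token_bytes(16)
        args = (self.hss_keys[remote_ue_id], self.counter, nonce, remote_ue_id, relay_id)
        return {"ptk_tx": derive_ptk(*args, b"TX"), "ptk_rx": derive_ptk(*args, b"RX"),
                "counter": self.counter, "nonce": nonce}

def relay_peks(response):
    # Relay side: PEK-TX and PEK-RX from the PTKs in the security key response
    return derive_pek(response["ptk_tx"]), derive_pek(response["ptk_rx"])

def remote_ue_peks(master_key, counter, nonce, remote_ue_id, relay_id):
    # Remote UE side: recompute from its own master key plus the forwarded counter
    # and nonce. Directions are mirrored: the relay's TX key is the remote UE's RX key.
    args = (master_key, counter, nonce, remote_ue_id, relay_id)
    return derive_pek(derive_ptk(*args, b"RX")), derive_pek(derive_ptk(*args, b"TX"))

def keys_agree(remote_ue_id=b"remote-07", relay_id=b"relay-01", tamper=False):
    # Full exchange; True when both ends hold matching key pairs. With tamper=True the
    # forwarded counter is altered in transit, so the remote UE derives different keys
    # and traffic in both directions will fail to decrypt.
    mk = secrets.token_bytes(32)  # constructed master key for the remote UE
    resp = ProSeServer({remote_ue_id: mk}).handle_key_request(remote_ue_id, relay_id)
    relay_tx, relay_rx = relay_peks(resp)
    fwd_counter = resp["counter"] + (1 if tamper else 0)
    ue_tx, ue_rx = remote_ue_peks(mk, fwd_counter, resp["nonce"], remote_ue_id, relay_id)
    return relay_tx == ue_rx and relay_rx == ue_tx
```

Because the counter and nonce travel to the remote UE unprotected in a packet header or signaling message, the model shows why their integrity matters: any change in transit silently desynchronises the two key pairs.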
| # | Name | Date |
|---|---|---|
| 1 | SRIB-20150113-005_Provisional Specification_ Filed with IPO on 14th January 2015.pdf | 2015-03-12 |
| 2 | SRIB-20150113-005_Drawings_Filed with IPO on 14th January 2015.pdf | 2015-03-12 |
| 3 | POA_Samsung R&D Institute India-new.pdf | 2015-03-12 |
| 4 | 226-CHE-2015 POWER OF ATTORNEY 13-07-2015.pdf | 2015-07-13 |
| 5 | 226-CHE-2015 FORM-1 13-07-2015.pdf | 2015-07-13 |
| 6 | 226-CHE-2015 CORRESPONDENCE OTHERS 13-07-2015.pdf | 2015-07-13 |
| 7 | abstract 226-CHE-2015.jpg | 2015-09-02 |
| 8 | OTHERS [08-12-2015(online)].pdf | 2015-12-08 |
| 9 | Drawing [08-12-2015(online)].pdf | 2015-12-08 |
| 10 | Description(Complete) [08-12-2015(online)].pdf | 2015-12-08 |
| 11 | REQUEST FOR CERTIFIED COPY [02-02-2016(online)].pdf_25.pdf | 2016-02-02 |
| 12 | REQUEST FOR CERTIFIED COPY [02-02-2016(online)].pdf | 2016-02-02 |
| 13 | 226-CHE-2015-FORM 3 [12-01-2018(online)].pdf | 2018-01-12 |
| 14 | 226-CHE-2015-FER.pdf | 2019-09-30 |
| 15 | 226-CHE-2015-FORM 13 [25-10-2019(online)].pdf | 2019-10-25 |
| 16 | 226-CHE-2015-Information under section 8(2) [29-03-2020(online)].pdf | 2020-03-29 |
| 17 | 226-CHE-2015-FORM 3 [29-03-2020(online)].pdf | 2020-03-29 |
| 18 | 226-CHE-2015-OTHERS [30-03-2020(online)].pdf | 2020-03-30 |
| 19 | 226-CHE-2015-FER_SER_REPLY [30-03-2020(online)].pdf | 2020-03-30 |
| 20 | 226-CHE-2015-CORRESPONDENCE [30-03-2020(online)].pdf | 2020-03-30 |
| 21 | 226-CHE-2015-CLAIMS [30-03-2020(online)].pdf | 2020-03-30 |
| 22 | 226-CHE-2015-PatentCertificate18-11-2022.pdf | 2022-11-18 |
| 23 | 226-CHE-2015-IntimationOfGrant18-11-2022.pdf | 2022-11-18 |
| 24 | 226-CHE-2015-RELEVANT DOCUMENTS [13-09-2023(online)].pdf | 2023-09-13 |
| 1 | 226CHE2015_09-08-2019.pdf | |