Multi-factor authentication in private mobile networks
| Field | Value |
|---|---|
| Publication number | US-11838428-B2 |
| Application number | US-202218065914-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 14, 2022 |
| Priority date | Dec 20, 2021 |
| Publication date | Dec 5, 2023 |
| Grant date | Dec 5, 2023 |
Abstract
According to an example aspect of the present invention, there is provided a method comprising: generating a certificate comprising an identifier of a base station, a public key of the base station, and a public key of a terminal; signing the certificate by a signature based on a private key belonging to the public key of the base station; sending the signed certificate to the terminal using an established security association; monitoring whether the base station receives a request for local authentication of the terminal, wherein the request comprises an encrypted certificate unit and a base station identifier; checking whether the base station identifier is the identifier of the base station and, if it is, decrypting the encrypted certificate unit using the private key; and using the public key of the terminal for a communication with the terminal if the certificate unit comprises the signed certificate.
Claims (preview)
The invention claimed is:

1. An apparatus comprising at least one processor; and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the apparatus at least to: check whether a terminal receives, using an established security association between the terminal and a first base station, from the first base station, a first local authentication certificate, wherein the first local authentication certificate comprises a public key of the terminal, a public key of the first base station, and a base station identifier of the first base station; store the first local authentication certificate if the terminal receives the first local authentication certificate; monitor whether the terminal is to be authenticated; and if the terminal is to be authenticated: retrieve the public key of the first base station and the base station identifier from the first local authentication certificate; encrypt a certificate unit with the public key of the first base station to create an encrypted certificate unit, wherein the certificate unit comprises the first local authentication certificate; and send, to a second base station, a request for local authentication of the terminal, wherein the request for local authentication comprises the encrypted certificate unit and the base station identifier, and the base station identifier is not encrypted in the request for local authentication.

2. The apparatus according to claim 1, wherein the local authentication certificate further comprises a key identifier; and wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: retrieve the key identifier from the first local authentication certificate; and send the key identifier in the request for local authentication, wherein the key identifier is not encrypted in the request for local authentication.

3. The apparatus according to claim 2, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: select a nonce; and at least one of protect an uplink message from the terminal to the second base station using the nonce and the communication comprises the uplink message; or verify a downlink message received from the second base station to the terminal using the nonce and the communication comprises the downlink message; wherein the certificate unit comprises a combination of the first local authentication certificate and the nonce.

4. The apparatus according to claim 1, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: select a nonce; and at least one of protect an uplink message from the terminal to the second base station using the nonce and the communication comprises the uplink message; or verify a downlink message received from the second base station to the terminal using the nonce and the communication comprises the downlink message; wherein the certificate unit comprises a combination of the first local authentication certificate and the nonce.

5. The apparatus according to claim 4, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: determine the base station as authenticated if the downlink message from the second base station to the terminal is verified using the nonce.

6. The apparatus according to claim 1, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: generate a pair of a private key of the terminal and the public key of the terminal belonging to the private key of the terminal; and send the public key of the terminal to the first base station using the established security association prior to the checking whether the terminal receives, using the established security association, the first local authentication certificate.

7. The apparatus according to claim 1, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: check, for each one of plural base stations including the first base station, whether the terminal receives, using a respective established security association between the terminal and the respective base station, from the respective base station, a respective local authentication certificate, wherein the respective local authentication certificate comprises a respective public key of the terminal, a public key of the respective base station, and a base station identifier of the respective base station; store, for each one of the plural base stations, the respective local authentication certificate if the terminal receives the respective local authentication certificate; and select one of the stored plural local authentication certificates as the first local authentication certificate.

8. An apparatus comprising at least one processor; and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the apparatus at least to: generate a local authentication certificate, wherein the local authentication certificate comprises an identifier of a base station, a public key of the base station, and a public key of a terminal; sign the local authentication certificate by a signature based on a private key of the base station, wherein the private key of the base station is belonging to the public key of the base station; send the signed local authentication certificate to the terminal using an established security association between the base station and the terminal; monitor whether the base station receives a request for local authentication of the terminal, wherein the request for local authentication comprises an encrypted certificate unit and a base station identifier; check, without decrypting the received base station identifier, whether the received base station identifier is the identifier of the base station if the base station receives the request for local authentication; decrypt the encrypted certificate unit using the private key of the base station to create a certificate unit if the received base station identifier is the identifier of the base station; check whether the certificate unit comprises the local authentication certificate signed by the signature; and use the public key of the terminal for a communication with the terminal if the certificate unit comprises the local authentication certificate signed by the signature.

9. The apparatus according to claim 8, wherein the local authentication certificate comprises additionally a key identifier; the key identifier identifies the public key of the base station; and the received request for local authentication comprises a received key identifier; wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: use the private key of the base station belonging to the public key of the base station identified by the received key identifier to decrypt the encrypted certificate unit.

10. The apparatus according to claim 9, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to: retrieve a nonce from the certificate unit; and at least one of protect a downlink message to t
CPC classification titles:

- involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)
- Authentication
- using certificates or pre-shared keys
- Counter-measures against attacks; Protection against rogue devices
- Protecting confidentiality, e.g. by encryption