The present invention relates to an apparatus, a system and a method for security management, and particularly to a technique to manage security context for a UE (User Equipment).
In the current EPS (Evolved Packet System), as disclosed in e.g., NPL 1, AKA (Authentication and Key Agreement) procedure and NAS (Non Access Stratum) SMC (Security Mode Command) procedure are performed, so that NAS security context for a UE (hereinafter, sometimes referred to as “UE context” or simply “security context”) is shared between the UE and an MME (Mobility Management Entity).
The NAS security context includes Kasme with the associated KSI (Key Set Identifier), and the like. The Kasme and the KSI are used for deriving the same NAS keys at both the UE and the MME. The NAS keys are used for protecting integrity and confidentiality of traffic between the UE and the MME.
NPL 1: 3GPP TS 33.401, “3GPP System Architecture Evolution (SAE); Security architecture (Release 12)”, V12.13.0, 2014-12
However, the inventors of this application have found that the following problems may arise in the current architecture.
Specifically, in mobility, new MME has to retrieve the UE context from an old MME or SGSN (Serving GPRS (General Packet Radio Service) Support Node). It requires that the UE indicate the old MME/SGSN (MME or SGSN) in GUTI (Globally Unique Temporary Identity) or P-TMSI (Packet-TMSI (Temporary Mobile Subscriber Identity)). Note that the new MME is the one to which the UE newly attaches, and the old MME/SGSN is the one to which the UE previously attached.
Meanwhile, the old MME/SGSN may have already removed the UE context. In this case, AKA/NAS SMC (AKA and NAS SMC) procedures are performed again under the initiative of the new MME. Such redundant performance causes signaling overload to devices/nodes (devices and nodes), in particular the MME, involved in the AKA/NAS SMC procedures and all interfaces therebetween. As the number of UEs increases, such overload will become much more pronounced.
Moreover, it is predicted that virtualization will need to create and/or remove the MME on demand. In this case, the UE context will be retrieved and/or removed frequently. Therefore, the overload will be caused as in the mobility case.
Accordingly, an exemplary object of the present invention is to provide a solution for alleviating overload on AKA/NAS SMC procedures.
In order to achieve the above-mentioned object, first exemplary aspect of the present invention provides a network system including: one or more first MMEs; and a second MME separated from the first MMEs. The first MME pushes, to the second MME, security context for a UE that attaches to the first MME. The second MME stores the security context.
According to second exemplary aspect of the present invention, there is provided an MME including: pushing means for pushing, to a second MME separated from the MME, security context for a UE that attaches to the MME. The second MME is also separated from one or more first MMEs to which the UE can attach and which is different from the MME.
According to third exemplary aspect of the present invention, there is provided a method of managing security context in an MME. This method includes: pushing, to a second MME separated from the MME, security context for a UE that attaches to the MME. The second MME is also separated from one or more first MMEs to which the UE can attach and which is different from the MME.
According to fourth exemplary aspect of the present invention, there is provided a method of managing security context in an MME separated from one or more first MMEs. This method includes: receiving security context pushed from the first MME, the security context for a UE that attaches to the first MME; and storing the security context.
According to fifth exemplary aspect of the present invention, there is provided a network system including: one or more first MMEs; and a second MME separated from the first MMEs. The second MME generates security context for a UE that requests to attach to the first MME, and pushes the security context to the first MME. The first MME stores the security context.
According to sixth exemplary aspect of the present invention, there is provided an MME including: receiving means for receiving, from a second MME separated from the MME, security context for a UE that requests to attach to the MME; and storing means for storing the security context. The second MME is also separated from one or more first MMEs to which the UE can attach and which is different from the MME.
According to seventh exemplary aspect of the present invention, there is provided an MME separated from one or more first MMEs. This MME includes: generating means for generating security context for a UE that requests to attach to the first MME; and pushing means for pushing the security context to the first MME.
According to eighth exemplary aspect of the present invention, there is provided a method of managing security context in an MME. This method includes: receiving, from a second MME separated from the MME, security context for a UE that requests to attach to the MME; and storing the security context. The second MME is also separated from one or more first MMEs to which the UE can attach and which is different from the MME.
According to ninth exemplary aspect of the present invention, there is provided a method of managing security context in an MME separated from one or more first MMEs. This method includes: generating security context for a UE that requests to attach to the first MME; and pushing the security context to the first MME.
According to tenth exemplary aspect of the present invention, there is provided a network system including: one or more first MMEs; and a second MME separated from the first MMEs. The second MME centrally manages security context for a UE that requests to attach to a network, through a direct connection to an eNB to which the UE wirelessly connects. The first MME supports mobility of the UE to the second MME.
According to eleventh exemplary aspect of the present invention, there is provided an MME separated from one or more first MMEs. This MME includes: managing means for centrally managing security context for a UE that requests to attach to a network, through a direct connection to an eNB to which the UE wirelessly connects. The first MME supports mobility of the UE to the MME.
According to twelfth exemplary aspect of the present invention, there is provided a method of managing security context in an MME separated from one or more first MMEs. This method includes: centrally managing security context for a UE that requests to attach to a network, through a direct connection to an eNB to which the UE wirelessly connects. The first MME supports mobility of the UE to the MME.
According to the present invention, it is possible to provide a solution for alleviating overload on AKA/NAS SMC procedures, thereby solving at least a part or the whole of the above-mentioned problems.
Hereinafter, an exemplary embodiment of an apparatus, a system and a method according to the present invention will be described with reference to the accompanying drawings.
As shown in
Briefly, the cMME 40 serves as the offload location for e.g., storing security context for a UE 10. Here, the UE 10 wirelessly connects to any one of eNBs 20_1 to 20_3 (hereinafter, sometimes collectively denoted by the symbol 20). Moreover, as will be described later, the UE 10 attaches to any one of the MMEs 30_1 and 30_2 as well as the cMME 40, through the eNB 20. Note that although one UE and three eNBs are shown in
In other words, the security context is stored in cloud (cMME 40), not in the MME 30 itself. Any MME going live will have context to securely connect with the offload location (cMME 40). The offload location can be distributed or centralized. Virtual image of the offload location could be brought up or down at a given location based on pattern — user, usage etc. Moreover, the offload location may be configured not only by the cloud but also by a tangible MME which represents the pool of MMEs, for example.
Further, the MME 30 and the cMME 40 can access an HSS (Home Subscriber Server) 50 on demand to acquire credentials necessary for authenticating the UE 10 in the AKA procedure.
Next, there will be described operation examples of this exemplary embodiment, as to the following cases A to C with reference to
This case “A” deals with a case where the cMME 40 serves as storage only for the security context.
That is, as conceptually shown in
On the other hand, the MME 30 includes a security function unit 201, a mobility management unit 202, a sending unit 203 and a receiving unit 204. The security function unit 201 creates and updates security context for the UE 10. The mobility management unit 202 manages mobility of the UE 10. The sending unit 203 and the receiving unit 204 send and receive various signaling messages from and to the UE 10, the MME 30 and the HSS 50. In particular, the sending unit 203 sends the security context and a request therefor to the cMME 40.
The receiving unit 204 receives the security context from the cMME 40. Functionalities of the MME 30 are simplified compared with a typical MME, because the security context storage is shifted to the cMME 40.
Briefly, in this case “A”, the following operations (1) to (4) are carried out.
(1) AKA and NAS SMC procedures (carried by the MME 30) will result in keys that should be stored in the storage (cMME 40).
(2) Current security context is stored in storage (cMME 40).
(3) Every time the MME 30 switches off or goes down, the MME 30 updates all security context stored in the storage (cMME 40).
(4) When the UE 10 connects to the MME 30 (Attach or Mobility), the security context can be pulled from the storage (cMME 40).
In the above operation (1), as shown by dotted lines in
Specifically, as shown in
The MME 30 performs the existing AKA and NAS SMC procedures, as in NPL 1 (steps 512a and 512b). Successful NAS SMC procedure results in the UE 10 and the MME 30 sharing same NAS security context which includes NAS keys (step 512c).
After that, the UE 10 and the eNB 20 interact with each other to perform AS (Access Stratum) SMC procedure (step 512d). Successful AS SMC procedure results in the UE 10 and the eNB 20 sharing same AS security context which includes AS keys (step 512e). Note that the AS keys are used for protecting integrity and confidentiality of traffic at RRC (Radio Resource Control) protocol layer between the UE 10 and the eNB 20.
In parallel with the AS SMC procedure, the MME 30 sends a Security Context Update message to the cMME 40 (step 513a). This message includes UE ID (identifier of the UE 10) and NAS security context which contains KSI, Kasme and NAS keys.
The cMME 40 stores the security context received at step S13a (step S13b), and sends a Security Context Update Ack (Acknowledgment) message to the MME 30 (step S13c).
The MME 30 sends an Attach response message to the UE 10 (step S14).
After that, due to power-off, overload or system down, the MME 30 starts Switch-off procedure (step S21).
In this procedure, the MME 30 sends a Security Context Update message to the cMME 40 (step S22a). This message includes the UE ID and the latest NAS security context which contains KSI, Kasme and NAS keys.
The cMME 40 updates the security context stored for the given UE 10 with the latest security context received at step S22a (step S22b), and sends a Security Context Update Ack message to the MME 30 (step S22c).
Then, the MME 30 removes the security context which the MME 30 kept local (step S23).
On the other hand, in mobility, the network system operates as shown in
Specifically, the UE 10 sends an Attach Request message, a TAU Request message, or a Handover Request message to the New MME 30_2 (step S31).
The New MME 30_2 will not go to the Old MME 30_1, but request for security context from the cMME 40, by sending a Security Context Request message including the UE ID to the cMME 40 (step S32a).
The cMME 40 retrieves the UE's context corresponding to the received UE ID, and sends back to the New MME 30_2 a Security Context Response message including the UE ID and the retrieved NAS security context which contains KSI, Kasme and NAS keys (step S32b).
Then, the New MME 30_2 sends a response message to the Attach or Mobility request back to the UE 10 (step S33). This message can be protected by the NAS keys received from the cMME 40.
According to this case “A”, the security context is stored on the cloud MME, instead of the (local) MME itself. Thus, it is possible to reduce signaling messages when the UE changes an MME or when the MME is down, because of avoiding redundant AKA/NAS SMC procedures to be performed. Accordingly, it is possible to alleviate overload on the AKA/NAS SMC procedures, such as signaling overload to devices/nodes, in particular the MME, involved in the AKA/NAS SMC procedures and all interfaces therebetween.
This case “B” deals with a case where the cMME 40 has complete security functionalities.
That is, as conceptually shown in
On the other hand, the security function unit 201 shown in
Briefly, in this case “B”, the following operations (1) to (3) are carried out.
(1) AKA and NAS SMC procedures happen at the offload location (cMME 40).
(2) NAS keys are passed to the MME 30 after SMC.
(3) On handover (S1 or X2), NH (Next Hop) is calculated at the offload location (cMME 40) and passed to the eNB 20.
In the above operations (1) to (3), as shown by thick lines in
Specifically, as shown in
AKA and NAS SMC procedures are carried between the UE 10 and the cMME 40 (step S42a), and the cMME 40 interacts with the HSS 50 on demand (step S42b). Successful NAS SMC procedure results in the UE 10 and the cMME 40 sharing same NAS security context (step S42c).
After that, the UE 10 and the eNB 20 interact with each other to perform AS SMC procedure (step S42d). Successful AS SMC procedure results in the UE 10 and the eNB 20 sharing same AS security context (step S42e).
In parallel with the AS SMC procedure, the c MME 40 sends a Security Context Update message to the MME 30 (step S43a). This message includes the UE ID and the NAS security context which contains KSI, Kasme and NAS keys.
The MME 30 stores the security context received at step S43a (step S43b), and sends a Security Context Update Ack message to the cMME 40 (step S43c).
Then, the MME 30 sends an Attach response message to the UE 10 (step S44).
After that, due to power-off, overload or system down, the MME 30 starts Switch-off procedure (step S51).
In this procedure, unlike the above case “A”, the MME 30 merely removes the security context which the MME 30 kept local (step S52).
On the other hand, in mobility, the network system operates as shown in
Specifically, the UE 10 sends an Attach Request message, a TAU Request message, or a Handover Request message to the New MME 30_2 (step S61). The New MME 30_2 will not go to the Old MME 30_1, forward the message from the UE 10 to the cMME 40.
The cMME 40 sends the latest UE context to the MME 30, by sending a Security Context Update message including the UE ID and the NAS security context which contains KSI, Kasme and NAS keys (step S62a).
The MME 30 stores the received security context (step S62b), and sends a Security Context Update Ack message back to the cMME 40 (step S62c).
Then, the cMME 40 sends a Response message to the Attach or Mobility request to the UE 10 (step S64).
Moreover, in Mobility, the cMME 40 also generates or calculates NH (step S63), and sends the NH to the eNB 20 (step S65). Note that the NH is one of parameters necessary for AS security.
According to this case “B”, as with the above case “A”, it is possible to reduce signaling messages when the UE changes an MME or when the MME is down, because of avoiding redundant AKA/NAS SMC procedures to be performed. Accordingly, it is possible to alleviate overload on the AKA/NAS SMC procedures, such as signaling overload to devices/nodes, in particular the MME, involved in the AKA/NAS SMC procedures and all interfaces therebetween.
In addition, according to this case “B”, the cMME performs AKA and NAS SMC procedures as a substitute for the MME, and sends the security context to the local MME. Therefore, it is also possible to reduce cost for the MME and the like.
This case “C” deals with a case where the cMME 40 has complete security functionalities and direct connection to the eNB 20.
Conceptually, the cMME 40 and the MME 30 in this case “C” can be configured as with those shown in
Briefly, in this case “C”, the following operations (1) and (2) are carried out.
(1) Everything will happen similar to the above case “B” except that the MME 30 will not be in middle.
(2) Offload location (cMME 40) will send keying material to the MME 30 and the eNB 20.
In the above operations (1) and (2), as shown by thick lines in
Specifically, as shown in
AKA and NAS SMC procedures are carried between the UE 10 and the cMME 40 (step S72a), and the cMME 40 interacts with the HSS 50 on demand (step S72b). Successful NAS SMC procedure results in the UE 10 and the cMME 40 sharing same NAS security context (step S72c).
Here, the MME 30 supports initial communication/connection (communication and/or connection) set up between the UE 10 and the cMME 40. After that, (NAS) security related function shifts to the cMME 40, and the rest stays at the MME 30. NAS security protection and check are carried out at the cMME 40.
Therefore, no security context needs to be handled at the MME 30. Moreover, upon the Switch-off procedure, no action needs to be taken at the MME 30.
On the other hand, in mobility, the network system operates as shown in
Specifically, the UE 10 sends an Attach Request message, a TAU Request message, or a Handover Request message directly to the cMME 40 (step S81). The cMME 40 takes full responsibility for security.
Path Switch procedure can be forwarded by the New MME 30_2 (step S82). The New MME 30_2 only forwards messages but has no security function, does not perform key generation, message protection and check.
Moreover, in Mobility, the cMME 40 calculates NH (step S83), and sends the NH to the eNB 20 (step S84)
According to this case “C”, as with the above cases “A” and “B”, it is possible to reduce signaling messages when the UE changes an MME or when the MME is down, because security function and context management are centralized into the cMME to avoid redundant AKA/NAS SMC procedures to be performed. Accordingly, it is possible to alleviate overload on the AKA/NAS SMC procedures, such as signaling overload to devices/nodes, in particular the MME, involved in the AKA/NAS SMC procedures and all interfaces therebetween. Moreover, such centralization will be also efficient for virtualization.
In addition, according to this case “C”, the cMME has full security function and direct interface with the eNB. Therefore, it is also possible to reduce large amount of signaling especially in mobility.
Next, there will be described configuration examples of the MME 30 and the cMME 40 with reference to
Firstly regarding the configuration of the MME 30 in the above case “A”, as shown in
In the above case “B”, as shown in
These units 31 to 34 as well as other element(s) of the MME 30 can be implemented by at least hardware such as a transceiver which conducts communication with the eNB 20, the cMME 40 and the HSS 50, as well as a controller like a CPU (Central Processing Unit) which control this transceivers to execute the processes shown in each of
Next regarding the configuration of the cMME 40 in the above case “A”, as shown in
In the above case “B”, as shown in
In the above case “C”, as shown in
These units 41 to 48 as well as other element(s) of the cMME 40 can be implemented by at least hardware such as a transceiver which conducts communication with the eNB 20, the MME 30 and the HSS 50, as well as a controller like a CPU which control this transceivers to execute the processes shown in each of
Note that the present invention is not limited to the above-mentioned exemplary embodiment, and it is obvious that various modifications can be made by those of ordinary skill in the art based on the recitation of the claims.
Also, the above-described program can be stored and provided to the computer using any type of non-transitory computer readable medium. The non-transitory computer readable medium includes any type of tangible storage medium. Examples of the non-transitory computer readable medium include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g. magneto-optical disks), CD-ROM (Read Only Memory), CD-R , CD-R/W, and semiconductor memories (such as mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory), etc.). The program may be provided to a computer using any type of transitory computer readable medium. Examples of the transitory computer readable medium include electric signals, optical signals, and electromagnetic waves. The transitory computer readable medium can provide the program to a computer via a wired communication line such as an electric wire or optical fiber or a wireless communication line.
The whole or part of the exemplary embodiment disclosed above can be described as, but not limited to, the following supplementary notes.
New architecture—partially offload MME security function or all.
MME do not need to keep the security context when UE moves away.
MME does not need to know previous MME/SGSN to retrieve security context.
Centralized security function and/or context management, efficiency for virtualization.
New messages—security context update and Ack, security context request and response.
Storing security context on cloud MME, instead of (local) MME itself. This can reduce signaling message when UE changes a MME, or when MME is down.
cMME performs AKA and NAS SMC, and send the security context to local MME. This can reduce MME cost; and achieve the merit in Supplementary not 6.
cMME has full security function, and direct NEW interface with eNB. This can reduce large signaling especially in mobility.
Number | Date | Country | Kind |
---|---|---|---|
2015-026201 | Feb 2015 | JP | national |
This application is a Continuation of U.S. application Ser. No. 17/306,125 filed May 3, 2021, which is a Continuation of U.S. application Ser. No. 16/985,763 filed Aug. 5, 2020, issued as U.S. Pat. No. 11,032,747 on Jun. 8, 2021, which is a Continuation of U.S. application Ser. No. 16/146,694 filed Sep. 28, 2018, issued as U.S. Pat. No. 10,986,544 on Apr. 20, 2021, which is a Continuation of U.S. application Ser. No. 15/549,269 filed Aug. 7, 2017, which is a National Stage of International Application No. PCT/JP2016/000512 filed Feb. 2, 2016, which is based upon and claims the benefit of priority from Japanese patent application No. 2015-026201, filed on Feb. 13, 2015, the disclosures of which are incorporated herein by reference in their entirety.
Number | Date | Country | |
---|---|---|---|
Parent | 17306125 | May 2021 | US |
Child | 18222192 | US | |
Parent | 16985763 | Aug 2020 | US |
Child | 17306125 | US | |
Parent | 16146694 | Sep 2018 | US |
Child | 16985763 | US | |
Parent | 15549269 | Aug 2017 | US |
Child | 16146694 | US |