Some content of this application is unavailable at the moment.
If this situation persist, please contact us atFeedback&Contact
41. (WO2019028698) SUBSCRIBER IDENTITY PRIVACY PROTECTION
Document

Description

Title of Invention 0001   0002   0003   0004   0005   0006   0007   0008   0009   0010   0011   0012   0013   0014   0015   0016   0017   0018   0019   0020   0021   0022   0023   0024   0025   0026   0027   0028   0029   0030   0031   0032   0033   0034   0035   0036   0037   0038   0039   0040   0041   0042   0043   0044   0045   0046   0047   0048   0049   0050   0051   0052   0053   0054   0055   0056  

Claims

1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31   32   33   34   35   36   37   38   39   40   41   42   43   44   45   46   47   48   49   50   51   52   53   54   55   56   57   58   59   60   61   62   63   64   65   66   67   68   69   70   71   72   73   74   75   76   77   78   79   80   81   82   83   84   85   86   87   88   89   90  

Drawings

0001   0002   0003   0004   0005   0006   0007   0008   0009   0010   0011   0012   0013   0014   0015   0016   0017   0018   0019   0020   0021  

Description

Title of Invention : SUBSCRIBER IDENTITY PRIVACY PROTECTION

FIELD

[0001]
The described embodiments set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) .

BACKGROUND

[0002]
Many wireless devices are configured to use removable Universal Integrated Circuit Cards (UICCs) that enable the wireless devices to access services provided by Mobile Network Operators (MNOs) . In particular, each UICC includes at least a microprocessor and a read-only memory (ROM) , where the ROM is configured to store an MNO profile that the wireless device can use to register and interact with an MNO to obtain wireless services via a cellular wireless network. Typically, a UICC takes the form of a small removable card, (commonly referred to as a Subscriber Identity Module (SIM) card) , which is configured to be inserted into a UICC-receiving bay included in a wireless device. In more recent implementations, UICCs are being embedded directly into system boards of wireless devices. These embedded UICCs (eUICCs) can provide several advantages over traditional, removable UICCs. For example, some eUICCs include a rewritable memory that can facilitate installation, modification, and/or deletion of one or more eSIMs, which can provide for new and/or different services and/or updates for accessing extended features provided by MNOs. An eUICC can store a number of MNO profiles—also referred to herein as eSIMs—and can eliminate the need to include UICC-receiving bays in wireless devices.
[0003]
An MNO profile includes an International Mobile Subscriber Identity (IMSI) by which a user that subscribes to services provided by the MNO can be identified uniquely by cellular wireless networks. The IMSI includes a mobile country code (MCC) , a mobile network code (MNC) , and a Mobile Subscriber Identification Number (MSIN) . Certain messages sent between the cellular wireless network and the wireless device may include the IMSI in a clear, readable, unencrypted format, and as such the IMSI is open to snooping by passive listening or active request and reply capture techniques.
[0004]
SUMMARY
[0005]
Representative embodiments set forth techniques for protecting subscriber identity, such as a mobile subscriber identifier, in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) . The wireless device, such as a user equipment (UE) , determines an ephemeral UE public and secret key pair and generates an encryption key based on the ephemeral UE secret key and a static network public key that can be preconfigured in the UE. The UE encrypts a mobile subscriber identifier, such as an MSIN portion of the UE’s IMSI, using the encryption key and sends an uplink (UL) message to a cellular wireless network entity, such as to an evolved NodeB (eNodeB) or to a next generation NodeB (gNB) , the UL message including the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and a static network secret key that corresponds to the static network public key. The cellular wireless network entity generates an ephemeral network public and secret key pair and sends a downlink (DL) message to the UE that includes the ephemeral network public key and a corresponding signature signed with a secret network key. When the signature is verified, the UE can store the ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message. The UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period. In some embodiments, the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key. In some embodiments, the UE generates, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using the ephemeral UE secret key and the ephemeral network public key and a second shared secret using the ephemeral UE secret key and the static network public key. Subsequently, the UE derives the encryption key based on the first and second shared secrets. Similarly, in some embodiments, the cellular wireless network entity generates, based on the ECDH key agreement protocol, the first shared secret using the ephemeral UE public key and the ephemeral network secret key and the second shared secret using the ephemeral UE public key and the static network secret key, and subsequently derives the encryption key based on the first and second shared secrets. The UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new encryption keys with which to encrypt the mobile subscriber identifier in different messages. PFS is achieved by using ephemeral network key pairs rather than only static network key pairs.
[0006]
This Summary is provided merely for purposes of summarizing some example embodiments so as to provide a basic understanding of some aspects of the subject matter described herein. Accordingly, it will be appreciated that the above-described features are merely examples and should not be construed to narrow the scope or spirit of the subject matter described herein in any way. Other features, aspects, and advantages of the subject matter described herein will become apparent from the following Detailed Description, Figures, and Claims.
[0007]
Other aspects and advantages of the embodiments described herein will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008]
The included drawings are for illustrative purposes and serve only to provide examples of possible structures and arrangements for the disclosed inventive apparatuses and methods for providing wireless computing devices. These drawings in no way limit any changes in form and detail that may be made to the embodiments by one skilled in the art without departing from the spirit and scope of the embodiments. The embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements.
[0009]
FIG. 1 illustrates a block diagram of different components of an exemplary system configured to implement the various techniques described herein, according to some embodiments.
[0010]
FIGS. 2A and 2B illustrate flow diagrams of a prior art encryption technique to protect a subscriber identity.
[0011]
FIG. 3 illustrates an exemplary message exchange of a first technique to protect the privacy of a subscriber identity, according to some embodiments.
[0012]
FIG. 4 illustrates an exemplary message exchange of a second technique to protect the privacy of a subscriber identity, according to some embodiments.
[0013]
FIG. 5 illustrates an exemplary message exchange of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
[0014]
FIG. 6 illustrates an exemplary message exchange of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
[0015]
FIG. 7 illustrates a block diagram of an example of overlapping time periods for the use of keys.
[0016]
FIGS. 8A and 8B illustrate exemplary flow diagrams of actions performed by a UE to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
[0017]
FIGS. 9A and 9B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments.
[0018]
FIG. 10 illustrates an exemplary flow diagram of actions performed by a UE to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
[0019]
FIG. 11 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments.
[0020]
FIGS. 12A and 12B illustrate exemplary flow diagrams of actions performed by a UE to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
[0021]
FIGS. 13A and 13B illustrate exemplary flow diagrams of actions performed by a cellular wireless network entity to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments.
[0022]
FIG. 14 illustrates an exemplary flow diagram of actions performed by a UE to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
[0023]
FIG. 15 illustrates an exemplary flow diagram of actions performed by a cellular wireless network entity to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments.
[0024]
FIG. 16 illustrates a detailed view of a representative computing device that can be used to implement various methods described herein, according to some embodiments.

DETAILED DESCRIPTION

[0025]
Representative applications of apparatuses and methods according to the presently described embodiments are provided in this section. These examples are being provided solely to add context and aid in the understanding of the described embodiments. It will thus be apparent to one skilled in the art that the presently described embodiments can be practiced without some or all of these specific details. In other instances, well known process steps have not been described in detail in order to avoid unnecessarily obscuring the presently described embodiments. Other applications are possible, such that the following examples should not be taken as limiting.
[0026]
In accordance with various embodiments described herein, the terms “wireless communication device, ” “wireless device, ” “mobile device, ” “mobile station, ” and “user equipment” (UE) may be used interchangeably herein to describe one or more common consumer electronic devices that may be capable of performing procedures associated with various embodiments of the disclosure. In accordance with various implementations, any one of these consumer electronic devices may relate to: a cellular phone or a smart phone, a tablet computer, a laptop computer, a notebook computer, a personal computer, a netbook computer, a media player device, an electronic book device, a device, a wearable computing device, as well as any other type of electronic computing device having wireless communication capability that can include communication via one or more wireless communication protocols such as used for communication on: a wireless wide area network (WWAN) , a wireless metro area network (WMAN) a wireless local area network (WLAN) , a wireless personal area network (WPAN) , a near field communication (NFC) , a cellular wireless network, a fourth generation (4G) Long Term Evolution (LTE) , LTE Advanced (LTE-A) , and/or fifth generation (5G) or other present or future developed advanced cellular wireless networks.
[0027]
The wireless communication device, in some embodiments, can also operate as part of a wireless communication system, which can include a set of client devices, which can also be referred to as stations, client wireless devices, or client wireless communication devices, interconnected to an access point (AP) , e.g., as part of a WLAN, and/or to each other, e.g., as part of a WPAN and/or an “ad hoc” wireless network. In some embodiments, the client device can be any wireless communication device that is capable of communicating via a WLAN technology, e.g., in accordance with a wireless local area network communication protocol. In some embodiments, the WLAN technology can include a Wi-Fi (or more generically a WLAN) wireless communication subsystem or radio, the Wi-Fi radio can implement an Institute of Electrical and Electronics Engineers (IEEE) 802.11 technology, such as one or more of:IEEE 802.11a; IEEE 802.11b; IEEE 802.11g; IEEE 802.11-2007; IEEE 802.11n; IEEE 802.11-2012; IEEE 802.11ac; or other present or future developed IEEE 802.11 technologies.
[0028]
Additionally, it should be understood that some UEs described herein may be configured as multi-mode wireless communication devices that are also capable of communicating via different third generation (3G) and/or second generation (2G) RATs. In these scenarios, a multi-mode user equipment (UE) can be configured to prefer attachment to LTE networks offering faster data rate throughput, as compared to other 3G legacy networks offering lower data rate throughputs. For instance, in some implementations, a multi-mode UE may be configured to fall back to a 3G legacy network, e.g., an Evolved High Speed Packet Access (HSPA+) network or a Code Division Multiple Access (CDMA) 2000 Evolution-Data Only (EV-DO) network, when LTE and LTE-Anetworks are otherwise unavailable.
[0029]
Representative embodiments of methods and apparatus presented herein set forth techniques for protecting subscriber identity in messages communicated between a wireless device and a cellular wireless network entity by using ephemeral asymmetric keys to achieve perfect forward secrecy (PFS) . PFS is achieved by using ephemeral network key pairs rather than a static network key pair (and/or by limiting the use of a static network key pair) .
[0030]
In some embodiments, the cellular wireless network entity, such as an evolved NodeB (eNodeB) , is pre-configured with a static network public key and a static network secret key, while the wireless device, such as a user equipment (UE) , is pre-configured with the static network public key. The cellular wireless network entity generates an ephemeral network public key and an ephemeral network secret key and sends to the UE a downlink (DL) message that includes the ephemeral network public key and a signature of the ephemeral public network key signed by the static network secret key. When the signature is verified using the static network public key, the UE generates an ephemeral UE public key and an ephemeral UE secret key and derives an encryption key based on the ephemeral UE secret key and the ephemeral network public key. The UE encrypts a mobile subscriber identifier, such as a mobile subscriber identification number (MSIN) portion of the UE’s IMSI, using the encryption key and sends to the cellular wireless network entity an uplink (UL) message that includes the ephemeral UE public key and the encrypted mobile subscriber identifier, which the cellular wireless network entity can decrypt by generating the encryption key using the ephemeral UE public key and the ephemeral network secret key. The cellular wireless network entity can then generate a new ephemeral network public and secret key pair and provide the new ephemeral network public key along with a signature to the UE. When the signature is verified, the UE can store the new ephemeral network public key to use in combination with a newly generated ephemeral UE secret key to generate a new encryption key to encrypt the mobile subscriber identifier included in a subsequent message.
[0031]
The UE and the cellular wireless network entity can generate ephemeral public and secret key pairs for each message sent that includes the mobile subscriber identifier or to use for a particular communication session or to use within a certain time period. In some embodiments, the cellular wireless network entity communicates an initial DL message to the UE, the initial DL message including an ephemeral network public key for the UE to use in place of the static network public key. The encryption key can be derived as an Advanced Encryption Standard (AES) key. In some embodiments, DL messages sent to the UE by the cellular wireless network entity include both an ephemeral network public key and a signature with which to verify the ephemeral network public key. In some embodiments, UL messages sent to the cellular wireless network entity by the UE include an ephemeral UE public key, an encrypted mobile subscriber identifier, and a key identifier (ID) , which can include an ephemeral network public key, a hash of the ephemeral network public key, or a count value. In some embodiments, when an ephemeral network public and secret key pair are explicitly linked to a communication session, such as generated specifically for a particular communication session, the inclusion of a key ID can be optional.
[0032]
In some embodiments, the UE generates an initial AES encryption key using a pre-configured static network public key and an ephemeral UE secret key generated by the UE. The UE can encrypt the mobile subscriber identifier using the initial AES encryption key and send the encrypted MSIN to the cellular wireless network entity along with an ephemeral UE public key that corresponds to the ephemeral UE secret key. The cellular wireless network entity can derive the initial AES encryption key using the ephemeral UE public key received from the UE and a static network secret key that corresponds to the static network public key. The cellular wireless network entity can decrypt the mobile subscriber identifier using the initial AES encryption key and subsequently generate an ephemeral network public key and an ephemeral network secret key pair. The cellular wireless network entity can send the ephemeral network public key and a signature for verification to the UE, which can store the ephemeral network public key when the signature is verified. Subsequently, the UE can use the ephemeral network public key and a newly generated ephemeral UE secret key to derive a new AES encryption key with which to encrypt the mobile subscriber identifier and send to the cellular wireless network entity. The cellular wireless network entity can derive the new AES encryption key based on the previously generated ephemeral network secret key and the ephemeral UE public key received from the UE, where the new AES encryption key can be used to decrypt the mobile subscriber identifier. The process can continue with newly generated ephemeral keys for each message sent or by reusing the ephemeral keys for a particular communication session between the UE and the cellular wireless network entity or to use within a certain time period.
[0033]
In some embodiments, the UE and the cellular wireless network entity derive AES encryption keys based on pairs of shared secrets. The UE can generate, based on an elliptic curve Diffie-Hellman (ECDH) key agreement protocol, a first shared secret using an ephemeral UE secret key and an ephemeral network public key (received from the cellular wireless network entity in a DL message) and a second shared secret using the ephemeral UE secret key and a pre-configured static network public key. The UE can derive the AES encryption key based on the generated first and second shared secrets. Similarly, the cellular wireless network entity can generate, based on the ECDH key agreement protocol, the first shared secret using an ephemeral UE public key (received from the UE in a UL message) and an ephemeral network secret key (corresponding to the ephemeral network public key sent to the UE in the DL message) and the second shared secret using the ephemeral UE public key and the pre-configured static network secret key. The cellular wireless network entity can derive the AES encryption key based on the derived first and second shared secrets and can decrypt an mobile subscriber identifier that was encrypted by the UE using the same AES encryption key. The UE and the cellular wireless network entity can each generate new ephemeral public and secret key pairs to use to generate new AES encryption keys with which to encrypt the mobile subscriber identifier in different messages.
[0034]
In some embodiments, DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys with signatures for verification. In some embodiments, DL messages sent from the cellular wireless network entity to the UE include ephemeral network public keys without signatures for verification. In some embodiments, UL messages sent from the UE to the cellular wireless network entity include a key ID (which can include an ephemeral public network key received form the cellular wireless network entity or a hash thereof, or a count value) to allow the cellular wireless network entity to ascertain the ephemeral network public key used by the UE to generate the encryption key. In some embodiments, the use of the key ID can be optional for a particular communication session when a particular ephemeral network public key and ephemeral network secret key pair is established for use during the communication session.
[0035]
In some embodiments, static network public keys (and corresponding static network secret keys) can be rotated over time, such as by providing an over the air (OTA) update using a secure communication channel from the cellular wireless network entity to the UE. In some embodiments, use of static network key pairs and/or of ephemeral network key pairs can overlap for a limited period of time. Thus, a previous network key pair (static or ephemeral) can be used for a limited period of time by the UE after receipt of a new network key pair (static or ephemeral) . Either the previous “old” network key pair or the “new” network key pair can be used during the overlapping limited period of time. This allows for rotation of the network key pairs with robustness, as a failure of communication of the newest network key pair can be corrupted in transit and require retransmission or the UE can fail during processing and thus not properly receive and update the network key pair.
[0036]
These and other embodiments are discussed below with reference to FIGS. 1 through 16; however, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes only and should not be construed as limiting.
[0037]
FIG. 1 illustrates a block diagram of different components of a system 100 that is configured to implement the various techniques described herein, according to some embodiments. The system 100 includes a UE 102, which includes an IMSI 104 by which a subscription for a user of the UE 102 can be uniquely identified, in communication with an evolved NodeB (eNodeB) 106. The UE 102 and the cellular wireless network entity 350 can communicate via a Uu interface, which for some messages or for certain periods of time, such as prior to establishment of a secure connection between the UE 102 and the eNodeB 106, can be subject to eavesdropping by a third party. While the eNodeB 106 connects to a Mobility Management Entity (MME) 108 of the core network via a secure S1-MME interface, and the MME 108 connects to a Home Subscriber Server (HSS) 110 via a secure S6a interface, the eNodeB 106 can send some messages to and receive some messages from the UE 102 “in the clear” , in some instances. For example, a Radio Resource Control (RRC) paging message sent from the eNodeB 106 to the UE 102 can include the IMSI 104 of the UE 102 in an unprotected manner. Similarly, certain RRC network access stratum (NAS) messages send from the UE 102 to the eNodeB 106 can also include the IMSI 104 of the UE 102 without encryption to protect the IMSI 104 value from eavesdroppers. Example RRC NAS messages include an RRC Attach Request message, a UE originating RRC Detach Request message, and an RRC Identity Response message. A passive eavesdropping entity, such as passive IMSI catcher 112, can listen for communication sent from the eNodeB 106, such as paging messages, or sent from the UE 102, such as attach/detach request messages, and ascertain the IMSI 104 of the UE 102. In addition an active eavesdropping entity, such as active IMSI catcher 114, can mimic communication from the eNodeB 106 and send a Request Identity message to the UE 102 and receive an Identity Response message that includes the IMSI 104 of the UE 102. The Uu interface between the UE 102 and the eNodeB 106 is susceptible to IMSI exposure due to passive and/or active attacks. By having the UE 102 and the eNodeB 106 securely encrypt at least a portion of the IMSI 104, such as the mobile subscriber identification number (MSIN) , when communicating over an insecure communication link, the IMSI 104 can be protected from eavesdropping. Moreover, with the use of ephemeral public/secret key pairs, the IMSI 104 can be protected from future decryption as well, thereby achieving perfect forward secrecy should a secret key be compromised.
[0038]
More generally, the techniques presented herein can apply to any messages that include a mobile subscriber identifier and are communicated between the UE 102 and a cellular wireless network entity, including over insecure connections susceptible to eavesdropping. Examples of a wireless network entity include a radio access network entity, such as the eNodeB 106 or a next generation NodeB (also referred to as a gNodeB or gNB) , or a core network entity, such as the MME 108, the HSS 110, an authentication server function (AUSF) , or an access and mobility function (AMF) . The messages may include a mobile subscriber identifier, such as the MSIN of the IMSI 104, which can be encrypted securely with perfect forward secrecy as described further herein to protect privacy of the mobile subscriber identifier. Mobile subscriber identifiers other than the MSIN or the IMSI 104 can be similarly encrypted and decrypted using combinations of keys as described further herein to protect them from eavesdropping when communicated between the UE 102 and a cellular wireless network entity.
[0039]
FIGS. 2A and 2B illustrate flow diagrams 200/250 of a prior art encryption technique to protect a subscriber identity. For the UE side encryption flow diagram 200, the UE 102 generates ephemeral key pairs, which include an ephemeral UE public key that can be provided to another party, such as to a network side entity, e.g., the cellular wireless network entity 350, and an ephemeral UE private key (which can also be referred to as a secret key) . Based on a key agreement, which both the UE 102 and the cellular wireless network entity 350 know, the UE 102 can generate a shared key (which can also be referred to as a shared secret) based on ephemeral UE private key and a static public network key (also referred as a public ECC key for the Home Public Land Mobile Network or HPLMN) . Similarly the network side entity, e.g., the eNodeB 106, can generate the shared key based on the key agreement using the ephemeral UE public key provided by the UE 102 to the network side entity and a static private network key that corresponds to the static public network key known to the UE 102. The UE 102 and the network side entity can use a common key derivation technique to determine an ephemeral encryption key with which to encrypt/decrypt the MSIN portion of an IMSI of the UE 102. As shown, the MCC/MNC portion of the IMSI can remain unencrypted. Both the UE side encryption and the network side encryption can be based on an Elliptic Curve Integrated Encryption Scheme (ECIES) . The encryption technique illustrated in FIGS. 2A and 2B uses static network public and private (secret) keys and as such, should the static network private key be compromised, previous communications that include the MSIN encrypted with the static network public key can be decrypted. Thus, perfect forward secrecy cannot be achieved with the use of static network public keys. As discussed herein, using ephemeral network public keys overcomes this deficiency.
[0040]
FIG. 3 illustrates an exemplary message exchange 300 of a first technique to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw) , while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. (Note that the term “secret key” is used herein synonymously for the term “private key” ) . At 304, the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw) . At 306, the cellular wireless network entity 350 can send to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed with the pre-configured SKnw. At 308, the UE 102 can verify the signature of ePKnw using the pre-configured PKnw. When the signature is verified, the UE 102 can generate its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue) . In some embodiments, at 302, the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message. The UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (K AES) using the UE-generated eSKue and the cellular wireless network entity-generated ePKnw. The UE 102 uses K AES to encrypt a mobile subscriber identifier, such as the MSIN portion of the IMSI 104 of the UE 102. At 310, the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes ePKue and the MSIN encrypted using the derived K AES. In some embodiments, the first UL message also includes a key identifier (ID) , such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted. In some embodiments, the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session. At 312, the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the previously generated eSKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES. Subsequently, the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) , where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message. At 314, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’and a corresponding signature of ePKnw’signed by SKnw. At 316, the UE 102 can verify the signature of ePKnw’using the pre-configured PKnw and store ePKnw’when the signature is verified. Subsequently, at 318, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . Using ePKnw’received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 can derive a second AES encryption key (K AES’) to encrypt the MSIN included in a subsequent UL message sent to the cellular wireless network entity 350. At 320, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and the MSIN encrypted with K AES’. The cellular wireless network entity 350 can derive K AES’using ePKue’and eSKnw’and decrypt the MSIN. In some embodiments, the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 312 to 316 can repeat again with a new ephemeral network key pair generated and stored for used in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
[0041]
FIG. 4 illustrates an exemplary message exchange 400 of a second technique to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw) , while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. Unlike, the first technique illustrated in FIG. 3, the cellular wireless network entity 350 does not generate an initial ephemeral network public/secret key pair and send the ephemeral network public key to the UE 102. Instead, the UE 102 uses for an initial encoding the static network public key PKnw. At 402, the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue) . At 404, the UE 102 derives a first AES encryption key K AES, using the UE-generated ephemeral secret key eSKue and the pre-configured static network public key PKnw, and uses K AES to encrypt a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102. At 406, the UE 102 sends to the cellular wireless network entity 350 a first uplink (UL) message that includes the ePKue and the MSIN encrypted using the derived K AES. At 408, the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the pre-configured static SKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES. Subsequently, the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) . At 410, the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw and a corresponding signature of ePKnw signed by SKnw. At 412, the UE 102 can verify the signature of ePKnw using the pre-configured PKnw and store ePKnw when the signature is verified. Subsequently, at 414, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . Using ePKnw received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 can derive a second AES encryption key (K AES’) to encrypt the MSIN included in a second UL message sent to the cellular wireless network entity 350. At 416, the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with K AES’. At 418, the cellular wireless network entity 350 can derive K AES’using ePKue’and eSKnw and decrypt the MSIN. The key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 408 to 418 can repeat again with a new ephemeral network key pair generated and stored for used in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
[0042]
FIG. 5 illustrates an exemplary message exchange 500 of a variant of the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw) , while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. At 504, the cellular wireless network entity 350 can generate an ephemeral key pair, namely an ephemeral network public key (ePKnw) and a corresponding ephemeral network secret key (eSKnw) . At 506, the cellular wireless network entity 350 can send to the UE 102 a first DL message that includes ePKnw. At 508, the UE 102 generates its own ephemeral key pair, namely an ephemeral UE public key (ePKue) and a corresponding ephemeral UE secret key (eSKue) . In some embodiments, at 502, the UE 102 pre-generates the ephemeral UE key pair (ePKue, eSKue) to reduce processing time required after receipt of the first DL message. The UE 102 derives an encryption key, e.g., an Advanced Encryption Standard (AES) encryption key (K AES) using the UE-generated eSKue, the pre-configured static PKnw, and the cellular wireless network entity-generated ephemeral ePKnw. The UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue and PKnw. The UE 102 then derives the AES encryption key K AES, using a key derivation function (KDF) using SHS1 and SHS2, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using K AES. At 510, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived K AES. In some embodiments, the first UL message also includes a key identifier (ID) , such as the previously received ePKnw, a hash of ePKnw, or a count value, where the cellular wireless network entity 350 can ascertain which ephemeral network public key the UE 102 used to generate the encryption key with which the MSIN is encrypted. In some embodiments, the use of a key ID can be optional based on an explicit link of an ephemeral network key pair to a communication session, e.g., when the ephemeral network key pair is generated per communication session and used only for that communication session. At 512, the cellular wireless network entity 350 derives the encryption key K AES using the KDF on the shared secrets SHS1 and SHS2 derived from ePKue, received form the UE 102, the previously generated eSKnw (for SHS1) , and the pre-configured SKnw (for SHS2) . The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES. Subsequently, the cellular wireless network entity 350 generates a second ephemeral network key pair, namely a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) , where the newly generated ephemeral keys are used to encrypt the MSIN in a subsequent message. At 514, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’. At 316, the UE 102 stores ePKnw’. Subsequently, at 518, the UE 102 generates a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . Using ePKnw’received from the cellular wireless network entity 350 and the newly generated eSKue’, the UE 102 derives a second AES encryption key (K AES’) to encrypt the MSIN included in a subsequent UL message sent to the cellular wireless network entity 350. The UE 102 uses the ECDH key agreement to derive new shared secrets SHS1’from eSKue’and ePKnw’and SHS2’from eSKue’and PKnw and the KDF to derive the second AES encryption key K AES’. At 520, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and the MSIN encrypted with K AES’. The cellular wireless network entity 350 can derive K AES’using ePKue’, eSKnw’, and eSKnw and decrypt the MSIN. In some embodiments, the second UL message includes a second key ID to indicate which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. The process from 512 to 516 can repeat again with a new ephemeral network key pair generated and stored for used in a subsequent message that includes an encrypted MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
[0043]
FIG. 6 illustrates an exemplary message exchange 600 of a variant of the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. Initially, the UE 102 can be pre-configured with a static network public key (PKnw) , while the cellular wireless network entity 350 can be pre-configured with a corresponding network secret key (SKnw) and PKnw. At 602, the UE 102 pre-generates an ephemeral UE key pair (ePKue, eSKue) . At 604, the UE 102 derives a first AES encryption key K AES, using the UE-generated eSKue and the pre-configured static PKnw, and encrypts a mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, using K AES. At 606, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and the MSIN encrypted using the derived K AES. At 608, the cellular wireless network entity 350 derives the encryption key K AES based on ePKue received from the UE 102 and the pre-configured static SKnw. The cellular wireless network entity 350 decrypts the MSIN using the derived encryption key K AES. Subsequently, the cellular wireless network entity 350 generates a first ephemeral network key pair, namely a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) . At 610, the cellular wireless network entity 350 sends to the UE 102 a DL message that includes ePKnw. At 612, the UE 102 stores ePKnw received from the cellular wireless network entity 350. Subsequently, at 614, the UE 102 can generate a second ephemeral UE key pair, namely a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . Using ePKnw received from the cellular wireless network entity 350, the newly generated eSKue’, and the pre-configured static PKnw, the UE 102 derives a second AES encryption key (K AES’) to encrypt the MSIN included in a second UL message sent to the cellular wireless network entity 350. The UE 102 derives a first shared secret SHS1 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement based on eSKue’and ePKnw and a second shared secret SHS2 using the ECDH key agreement based on eSKue’and PKnw. The UE 102 then derives the AES encryption key K AES’using a key derivation function (KDF) using SHS1 and SHS2. At 616, the UE sends to the cellular wireless network entity 350 the second UL message that includes a key ID, ePKue’, and the MSIN encrypted with K AES’. The cellular wireless network entity 350 derives K AES’using the KDF on shared secrets SHS1 and SHS2 derived from ePKue’, received from the UE 102, the previously generated eSKnw (for SHS1) , and the pre-configured SKnw (for SHS2) . The cellular wireless network entity 350 decrypts the MSIN using the derived K AES’. The key ID included in the second UL message indicates which ephemeral network public key was used by the UE 102 to generate the encryption key used to encrypt the MSIN included in the second UL message. In some embodiments, the key ID includes ePKnw, a hash of ePKnw, or a count value. In some embodiments, the use of the key ID is optional, e.g., when ephemeral network key pairs are shared with more than one UE 102. The process can repeat for each additional message that includes an MSIN, with the cellular wireless network entity 350 generating an ephemeral network key pair (as at 608) , communicating the ephemeral network public key to the UE 102 (as at 610) , the UE 102 generating its own ephemeral key pair to use with the most recent ephemeral network public key and the static network public key to derive a new encryption key (as at 614) to encrypt the MSIN and send to the cellular wireless network entity 350 (as at 616) . The cellular wireless network entity 350 can derive the new encryption key (as at 618) to decrypt the MSIN. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, a mobile subscriber identifier other than the MSIN can be encrypted and decrypted in the sequence of messages communicated between the UE 102 and the cellular wireless network entity 350.
[0044]
FIG. 7 illustrates a block diagram 700 of an example of overlapping time periods for the use of keys. At a time indicated by 702, a first key K 1 is established for use over a time period indicated as the K 1 lifetime. When changing between different keys, such as when updating ephemeral keys, a lifetime of a previous key can overlap with a lifetime of a newest key. For example, at a time indicated by 704, the second key K 2 is established for use over a time period indicated as the K 2 lifetime. As indicated in FIG. 7, the K 1 and K 2 lifetimes span an overlapping time period 712, where both the first key K 1 and the second key K 2 can be validly used before the first key K 1 expires at time 706. The overlap allows for a variable time that the UE 102 can use to switch from using the first key K 1 to using the second key K 2. Similarly when a third key K 3 is established at time 708, the lifetime of the third key K 3 overlaps for the time period 714 until expiration of the second key K 2 at time 710. In some embodiments, static network key pairs can be updated by the cellular wireless network entity 350, using an over-the-air (OTA) secure connection between the cellular wireless network entity 350 and the UE 102. Similarly, in some embodiments, the ephemeral network key pairs can overlap in time to allow for unplanned interruptions of transfer of the ephemeral network public key from the cellular wireless network entity 350 to the UE 102 and for delays in updating the ephemeral network public key at the UE 102. Robust key rotation can be achieved by keeping both old and new keys live (e.g., valid for use by the UE 102) during overlapping lifetimes. As discussed herein, some UL messages from the UE 102 can include a key ID to indicate which ephemeral network public key was used by the UE 102 when deriving the encryption key with which the mobile subscriber identifier, such as the MSIN of the IMSI 104 of the UE 102, was encrypted.
[0045]
FIGS. 8A and 8B illustrate exemplary flow diagrams 800 and 820 of actions performed by a UE 102 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. At 802, the UE 102 receives, from a cellular wireless network entity 350, a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key SKnw (which can be pre-configured in some embodiments and/or static and/or semi-static lasting for a period of time before replacement by the cellular wireless network entity 350) . At 804, the UE 102 determines whether the signature can be verified using a corresponding network public key (PKnw) . When the signature is verified, at 806, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) . At 808, the UE 102 determines a first encryption key (K AES) using eSKue and ePKnw. At 810, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier encrypted with K AES. At 812, the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’) and a signature of ePKnw’s igned using SKnw. At 814, the UE 102 determines whether the signature can be verified using PKnw. When the signature is verified, at 816, the UE stores ePKnw. At 822, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . At 824, the UE 102 determines a second encryption key (K AES) using eSKue’and ePKnw’. At 826, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and the mobile subscriber identifier encrypted with K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0046]
FIGS. 9A and 9B illustrate exemplary flow diagrams 900 and 920 of actions performed by a cellular wireless network entity 350 to implement the first technique of FIG. 3 to protect the privacy of a subscriber identity, according to some embodiments. At 902, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a second ephemeral network secret key (eSKnw) . At 904, the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw and a signature of ePKnw signed using a network secret key (SKnw) , which can be pre-configured and/or static in some embodiments. At 906, the cellular wireless network entity 350 receives from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier (of the UE 102) encrypted with a first encryption key (K AES) . At 908, the cellular wireless network entity 350 determines K AES using ePKue and eSKnw. At 910, the cellular wireless network entity 350 decryptes the mobile subscriber identifier using K AES. At 912, the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) . At 914, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’and a signature of ePKnw’signed using SKnw. At 922, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key K AES’. At 924, the cellular wireless network entity 350 determines K AES’using ePKue’received from the UE 102 and eSKnw’. At 926, the cellular wireless network entity 350 decrypts the mobile subscriber identifier using K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0047]
FIG. 10 illustrates an exemplary flow diagram 1000 of actions performed by a UE 102 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. At 1002, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) . At 1004, the UE 102 determines a first encryption key (K AES) using eSKue and a public network key (PKnw) . In some embodiments the UE is pre-configured with PKnw. At 1006, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and an MSIN of the UE 102 encrypted with K AES. At 1008, the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw) . At 1010, the UE 102 determines with the signature can be verified using PKnw. When the signature is verified, at 1012, the UE 102 stores ePKnw. At 1014, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . At 1016, the UE 102 determines a second encryption key K AES’using eSKue’and ePKnw. At 1018, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and a mobile subscriber identifier of the UE 102 encrypted with K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0048]
FIG. 11 illustrates an exemplary flow diagram 1100 of actions performed by a cellular wireless network entity 350 to implement the second technique of FIG. 4 to protect the privacy of a subscriber identity, according to some embodiments. At 1102, the cellular wireless network entity 350 recieves from the UE 102 a first UL message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES) . At 1104, the cellular wireless network entity 350 determines K AES using ePKue receive from the UE 102 and a network secret key (SKnw) . In some embodiments, the cellular wireless network entity 350 is pre-configured with PKnw and SKnw. In some embodiments, PKnw and SKnw are static or infrequently updated by the cellular wireless network entity 350. At 1106, the cellular wireless network entity 350 decrypts the mobile subscriber identifier using K AES. At 1108, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) . At 1110, the cellular wireless network entity 350 sends to the UE 102 a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw. At 1112, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES’) . At 1114, the cellular wireless network entity 350 determines K AES’using ePKue’received from the UE 102 and eSKnw. At 1116, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0049]
FIGS. 12A and 12B illustrate exemplary flow diagrams 1200 and 1220 of actions performed by a UE 102 to implement the first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments. At 1202, a UE 102 receives from a cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw) . At 1204, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) . At 1206, the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue. At 1208, the UE 102 generates a second shared secret (SHS2) using a network public key (PKnw) and eSKue. In some embodiments, the UE 102 is pre-configured with PKnw. In some embodiments, the UE 102 generates SHS1 and SHS2 using an Elliptic Curve Diffie-Hellman (ECDH) key agreement. At 1210, the UE 102 determines a first encryption key (K AES) using SHS1 and SHS2. In some embodiments, the UE 102 determines K AES using a key derivation function (KDF) . At 1212, the UE 102 sends to the cellular wireless network entity 350 a first UL message that includes ePKue and a mobile subscriber identifier of the UE 102 encrypted with K AES. At 1214, the UE 102 receives from the cellular wireless network entity 350 a second DL message that includes a second ephemeral network public key (ePKnw’) . At 1216, the UE 102 stores ePKnw’. At 1222, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . At 1224, the UE 102 generates a third shared secret (SHS1’) using ePKnw’and eSKue’. At 1226, the UE 102 generates a fourth shared secret (SHS2’) using PKnw and eSKue’. At 1228, the UE 102 determines a second encryption key (K AES’) using SHS1’and SHS2’. At 1230, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and the mobile subscriber identifier of the UE 102 encrypted with K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0050]
FIGS. 13A and 13B illustrate exemplary flow diagrams 1300 and 1320 of actions performed by a cellular wireless network entity 350 to implement first variant technique of FIG. 5 to protect the privacy of a subscriber identity, according to some embodiments. At 1302, the cellular wireless network entity 350, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) . At 1304, the cellular wireless network entity 350 sends to a UE 102 a first DL message that includes ePKnw. At 1306, the cellular wireless network entity 350 receives from the UE 102 a first Ul message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES) . At 1308, the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue and eSKnw. At 1310, the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue and SKnw. In some embodiments, the cellular wireless network entity 350 is pre-configured with SKnw. At 1312, the cellular wireless network entity 350 determines K AES using SHS1 and SHS2. In some embodiments, the cellular wireless network entity 350 generates SHS1 and SHS2 using an ECDH key agreement. In some embodiments, the cellular wireless network entity 350 generates K AES using a key derivation function (KDF) . At 1314, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES. At 1316, the cellular wireless network entity 350 generates a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) . At 1318, the cellular wireless network entity 350 sends to the UE 102 a second DL message that includes ePKnw’. At 1322, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES’) . At 1324, the cellular wireless network entity 350 generates a third shared secret (SHS1’) using ePKue’and eSKnw’. At 1326, the cellular wireless network entity 350 generates and a fourth shared secret (SHS2’) using ePKue’and SKnw. In some embodiments, the cellular wireless network entity 350 determines SHS1’and SHS2’using the ECDH key agreement. At 1328, the cellular wireless network entity 350 determines K AES’using SHS1’and SHS2’. At 1330, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0051]
FIG. 14 illustrates an exemplary flow diagram 1400 of actions performed by a UE 102 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments. At 1402, the UE 102 generates a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) . At 1404, the UE 102 determines a first encryption key (K AES) using eSKue and a network public key (PKnw) . In some embodiments, the UE 102 is pre-configured with PKnw. At 1406, the UE 102 sends to a cellular wireless network entity 350 a first Ul message that includes ePKue and mobile subscriber identifier of the UE 102 encrypted with K AES. At 1408, the UE 102 receives from the cellular wireless network entity 350 a first DL message that includes a first ephemeral network public key (ePKnw) . At 1410, the UE 102 stores ePKnw. At 1412, the UE 102 generates a second ephemeral UE public key (ePKue’) and a second ephemeral UE secret key (eSKue’) . At 1414, the UE 102 generates a first shared secret (SHS1) using ePKnw and eSKue’. At 1416, the UE 102 generates a second shared secret (SHS2) using PKnw and eSKue’. In some embodiments, the UE 102 generates SHS1 and SHS2 using an ECDH key agreement. At 1418, the UE 102 determines a second encryption key (K AES’) using SHS1 and SHS2. In some embodiments, the UE 102 determines K AES’from SHS1 and SHS2 using a key derivation function (KDF) . At 1420, the UE 102 sends to the cellular wireless network entity 350 a second UL message that includes ePKue’and the mobile subscriber identifier of the UE 102 encrypted with K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0052]
FIG. 15 illustrates an exemplary flow diagram 1500 of actions performed by a cellular wireless network entity 350 to implement the second variant technique of FIG. 6 to protect the privacy of a subscriber identity, according to some embodiments. At 1502, the cellular wireless network entity 350 receives from a UE 102 a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE 102 encrypted with a first encryption key (K AES) . At 1504, the cellular wireless network entity 350 determines the K AES using ePKue and a network secret key (SKnw) . In some embodiments, the cellular wireless network entity 350 is pre-configured with SKnw. At 1506, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES. At 1508, the cellular wireless network entity 350 generates a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) . At 1510, the cellular wireless network entity 350 sends to the UE 102 a first DL message that includes ePKnw. At 1512, the cellular wireless network entity 350 receives from the UE 102 a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier of the UE 102 encrypted with a second encryption key (K AES) . At 1514, the cellular wireless network entity 350 generates a first shared secret (SHS1) using ePKue’and eSKnw. At 1516, the cellular wireless network entity 350 generates a second shared secret (SHS2) using ePKue’and SKnw. At 1518, the cellular wireless network entity 350 determines K AES’using SHS1 and SHS2. At 1520, the cellular wireless network entity 350 decrypts the mobile subscriber identifier of the UE 102 using K AES’. In some embodiments, the cellular wireless network entity 350 includes the eNodeB 106. In some embodiments, the mobile subscriber identifier includes the MSIN of the IMSI 104 of the UE 102.
[0053]
FIG. 16 illustrates a detailed view of a representative computing device 1600 that can be used to implement various methods described herein, according to some embodiments. In particular, the detailed view illustrates various components that can be included in the UE 102 illustrated in FIG. 1. As shown in FIG. 16, the computing device 1600 can include a processor 1602 that represents a microprocessor or controller for controlling the overall operation of computing device 1600. The computing device 1600 can also include a user input device 1608 that allows a user of the computing device 1600 to interact with the computing device 1600. For example, the user input device 1608 can take a variety of forms, such as a button, keypad, dial, touch screen, audio input interface, visual/image capture input interface, input in the form of sensor data, etc. Still further, the computing device 1600 can include a display 1610 (screen display) that can be controlled by the processor 1602 to display information to the user. A data bus 1616 can facilitate data transfer between at least a storage device 1640, the processor 1602, and a controller 1613. The controller 1613 can be used to interface with and control different equipment through and equipment control bus 1614. The computing device 1600 can also include a network/bus interface 1611 that couples to a data link 1612. In the case of a wireless connection, the network/bus interface 1611 can include a wireless transceiver.
[0054]
The computing device 1600 also includes a storage device 1640, which can comprise a single disk or a plurality of disks (e.g., hard drives) , and includes a storage management module that manages one or more partitions within the storage device 1640. In some embodiments, storage device 1640 can include flash memory, semiconductor (solid state) memory or the like. The computing device 1600 can also include a Random Access Memory (RAM) 1620 and a Read-Only Memory (ROM) 1622. The ROM 1622 can store programs, utilities or processes to be executed in a non-volatile manner. The RAM 1620 can provide volatile data storage, and stores instructions related to the operation of the computing device 1600. The computing device 1600 can further include a secure element 1650, which can represent a eUICC of the UE 102.
[0055]
The various aspects, embodiments, implementations or features of the described embodiments can be used separately or in any combination. Software, hardware, or a combination of hardware and software can implement various aspects of the described embodiments. The described embodiments can also be embodied as computer readable code on a non-transitory computer readable medium. The non-transitory computer readable medium is any data storage device that can store data, which can thereafter be read by a computer system. Examples of the non-transitory computer readable medium include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, hard disk drives, solid state drives, and optical data storage devices.
[0056]
The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the described embodiments. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the described embodiments. Thus, the foregoing descriptions of specific embodiments are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the described embodiments to the precise forms disclosed. It will be apparent to one of ordinary skill in the art that many modifications and variations are possible in view of the above teachings.

Claims

[Claim 1]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by the UE: receiving from a cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw) ; determining whether the signature of ePKnw is verified using a network public key (PKnw) that corresponds to SKnw; and when the signature of ePKnw is verified: generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ; determining a first encryption key using eSKue and ePKnw; and sending to the cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key.
[Claim 2]
The method of claim 1, further comprising: by the UE: receiving from the cellular wireless network entity a second DL message that includes a second ephemeral network public key (ePKnw’) and a signature of ePKnw’signed using SKnw; determining whether the signature of ePKnw’is verified using PKnw; and when the signature of ePKnw’is verified, storing ePKnw’to use for future encryption of the mobile subscriber identifier of the UE.
[Claim 3]
The method of claim 2, further comprising: by the UE: generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’) ; determining a second encryption key using eSKue’and previously stored ePKnw’; and sending to the cellular wireless network entity a second UL message that includes ePKue’and the mobile subscriber identifier of the UE encrypted with the second encryption key.
[Claim 4]
The method of claim 1, wherein the UE is pre-configured with PKnw.
[Claim 5]
The method of claim 1, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
[Claim 6]
The method of claim 1, wherein the UE pre-generates ePKue and eSKue before receipt of the first DL message from the cellular wireless network entity.
[Claim 7]
The method of claim 1, wherein the first UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the first encryption key.
[Claim 8]
The method of claim 7, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 9]
The method of claim 1, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 10]
The method of claim 1, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 11]
An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 1 to 10.
[Claim 12]
A user equipment (UE) comprising: wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 1 to 10.
[Claim 13]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by a cellular wireless network entity: generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ; sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using a network secret key (SKnw) ; receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key; determining the first encryption key using ePKue and eSKnw; and decrypting the mobile subscriber identifier using the first encryption key.
[Claim 14]
The method of claim 13, further comprising: by the cellular wireless network entity: generating a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) ; and sending to the UE a second DL message that includes ePKnw’and a signature of ePKnw’signed using SKnw, wherein ePKnw’is to be used by the UE for encryption of a subsequently communicated message that includes the mobile subscriber identifier.
[Claim 15]
The method of claim 14, further comprising: by the cellular wireless network entity: receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key; determining the second encryption key using ePKue’and eSKnw’; and decrypting the mobile subscriber identifier using the second encryption key.
[Claim 16]
The method of claim 13, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
[Claim 17]
The method of claim 13, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
[Claim 18]
The method of claim 13, wherein the first UL message includes a key identifier (ID) and the method further comprises: by the cellular wireless network entity: determining to use eSKnw to determine the first encryption key based on the key ID.
[Claim 19]
The method of claim 18, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 20]
The method of claim 13, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 21]
The method of claim 13, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 22]
An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 13 to 21.
[Claim 23]
A cellular wireless network entity comprising: wireless circuitry configurable for wireless communication with a user equipment (UE) ; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 13 to 21.
[Claim 24]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by the UE: generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ; determining a first encryption key using eSKue and a network public key (PKnw) ; sending to a cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key; receiving from the cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) and a signature of ePKnw signed using a network secret key (SKnw) that corresponds to PKnw; determining whether the signature of ePKnw is verified using PKnw; and storing ePKnw, when the signature of ePKnw is verified.
[Claim 25]
The method of claim 24, further comprising: by the UE: generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’) ; determining a second encryption key using eSKue’and ePKnw; and sending to the cellular wireless network entity a second UL message that includes ePKue’and the mobile subscriber identifier of the UE encrypted with the second encryption key.
[Claim 26]
The method of claim 25, wherein the second UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the second encryption key.
[Claim 27]
The method of claim 26, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 28]
The method of claim 24, wherein the UE is pre-configured with PKnw.
[Claim 29]
The method of claim 24, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
[Claim 30]
The method of claim 24, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 31]
The method of claim 24, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 32]
An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 24 to 31.
[Claim 33]
A user equipment (UE) comprising: wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 24 to 31.
[Claim 34]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by a cellular wireless network entity: receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key; determining the first encryption key using ePKue and a network secret key (SKnw) ; decrypting the mobile subscriber identifier using the first encryption key; generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ; and sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw.
[Claim 35]
The method of claim 34, further comprising: by the cellular wireless network entity: receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key; determining the second encryption key using ePKue’and eSKnw; and decrypting the mobile subscriber identifier using the second encryption key.
[Claim 36]
The method of claim 35, wherein the second UL message includes a key identifier (ID) and the method further comprises: by the cellular wireless network entity: determining to use eSKnw to determine the second encryption key based on the key ID.
[Claim 37]
The method of claim 36, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 38]
The method of claim 34, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
[Claim 39]
The method of claim 34, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
[Claim 40]
The method of claim 34, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 41]
The method of claim 34, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 42]
An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 34 to 41.
[Claim 43]
A cellular wireless network entity comprising: wireless circuitry configurable for wireless communication with a user equipment (UE) ; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 34 to 41.
[Claim 44]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by the UE: receiving from a cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) ; generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ; generating a first shared secret (SHS1) using ePKnw and eSKue; generating a second shared secret (SHS2) using PKnw and eSKue; determining a first encryption key using SHS1 and SHS2; and sending to the cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key.
[Claim 45]
The method of claim 44, further comprising: by the UE: receiving from the cellular wireless network entity a second DL message that includes a second ephemeral network public key (ePKnw’) ; and storing ePKnw’to use for future encryption of the mobile subscriber identifier of the UE.
[Claim 46]
The method of claim 45, further comprising: by the UE: generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’) ; generating a third shared secret (SHS1’) using ePKnw’and eSKue’; generating a fourth shared secret (SHS2’) using PKnw and eSKue’; determining a second encryption key using SHS1’and SHS2’; and sending to the cellular wireless network entity a second UL message that includes ePKue’and the mobile subscriber identifier of the UE encrypted with the second encryption key.
[Claim 47]
The method of claim 44, wherein the UE is pre-configured with PKnw.
[Claim 48]
The method of claim 44, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
[Claim 49]
The method of claim 44, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
[Claim 50]
The method of claim 44, wherein the UE pre-generates ePKue and eSKue before receipt of the first DL message from the cellular wireless network entity.
[Claim 51]
The method of claim 44, wherein the first UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the first encryption key.
[Claim 52]
The method of claim 51, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 53]
The method of claim 44, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 54]
The method of claim 44, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 55]
An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 44 to 54.
[Claim 56]
A user equipment (UE) comprising: wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 44 to 54.
[Claim 57]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by a cellular wireless network entity: generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ; sending to the UE a first downlink (DL) message that includes ePKnw; receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryptionkey; generating a first shared secret (SHS1) using ePKue and eSKnw; generating a second shared secret (SHS2) using ePKue and SKnw; determining the first encryption key using SHS1 and SHS2; and decrypting the mobile subscriber identifier using the first encryption key.
[Claim 58]
The method of claim 57, further comprising: by the cellular wireless network entity: generating a second ephemeral network public key (ePKnw’) and a second ephemeral network secret key (eSKnw’) ; and sending to the UE a second DL message that includes ePKnw’, wherein ePKnw’is to be used by the UE for encryption of a subsequently communicated message that includes the mobile subscriber identifier.
[Claim 59]
The method of claim 58, further comprising: by the cellular wireless network entity: receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key; generating a third shared secret (SHS1’) using ePKue’and eSKnw’; generating a fourth shared secret (SHS2’) using ePKue’and SKnw; determining the second encryption key using SHS1’and SHS2’; and decrypting the mobile subscriber identifier using the second encryption key.
[Claim 60]
The method of claim 57, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
[Claim 61]
The method of claim 57, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
[Claim 62]
The method of claim 57, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
[Claim 63]
The method of claim 57, wherein the first UL message includes a key identifier (ID) and the method further comprises: by the cellular wireless network entity: determining to use eSKnw to determine the first encryption key based on the key ID.
[Claim 64]
The method of claim 63, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 65]
The method of claim 57, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 66]
The method of claim 57, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 67]
An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 57 to 66.
[Claim 68]
A cellular wireless network entity comprising: wireless circuitry configurable for wireless communication with a user equipment (UE) ; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 57 to 66.
[Claim 69]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by the UE: generating a first ephemeral UE public key (ePKue) and a first ephemeral UE secret key (eSKue) ; determining a first encryption key using eSKue and a network public key (PKnw) ; sending to a cellular wireless network entity a first uplink (UL) message that includes ePKue and an encrypted version of a mobile subscriber identifier of the UE encrypted with the first encryption key; receiving from the cellular wireless network entity a first downlink (DL) message that includes a first ephemeral network public key (ePKnw) ; and storing ePKnw.
[Claim 70]
The method of claim 69, further comprising: by the UE: generating a second ephemeral UE public key (ePKue’) and a second UE secret key (eSKue’) ; generating a first shared secret (SHS1) using ePKnw and eSKue’; generating a second shared secret (SHS2) using PKnw and eSKue’; determining a second encryption key using SHS1 and SHS2; and sending to the cellular wireless network entity a second UL message that includes ePKue’and the mobile subscriber identifier of the UE encrypted with the second encryption key.
[Claim 71]
The method of claim 70, wherein the second UL message includes a key identifier (ID) that indicates to the cellular wireless network entity which ephemeral public network key the UE used to determine the second encryption key.
[Claim 72]
The method of claim 71, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 73]
The method of claim 70, wherein the second encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
[Claim 74]
The method of claim 70, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
[Claim 75]
The method of claim 69, wherein the UE is pre-configured with PKnw.
[Claim 76]
The method of claim 69, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 77]
The method of claim 69, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 78]
An apparatus configurable for operation in a user equipment (UE) , the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 69 to 77.
[Claim 79]
A user equipment (UE) comprising: wireless circuitry configurable for wireless communication with a wireless network; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the UE to perform the method of any one of claims 69 to 77.
[Claim 80]
A method for protecting privacy of a subscriber identity included in a user equipment (UE) , the method comprising: by a cellular wireless network entity: receiving from the UE a first uplink (UL) message that includes a first ephemeral UE public key (ePKue) and a mobile subscriber identifier of the UE encrypted with a first encryption key; determining the first encryption key using ePKue and a network secret key (SKnw) ; decrypting the mobile subscriber identifier using the first encryption key; generating a first ephemeral network public key (ePKnw) and a first ephemeral network secret key (eSKnw) ; sending to the UE a first downlink (DL) message that includes ePKnw and a signature of ePKnw signed using SKnw; receiving from the UE a second UL message that includes a second ephemeral UE public key (ePKue’) and the mobile subscriber identifier encrypted with a second encryption key; generating a first shared secret (SHS1) using ePKue’and eSKnw; generating a second shared secret (SHS2) using ePKue’and SKnw; determining the second encryption key using SHS1 and SHS2; and decrypting the mobile subscriber identifier using the second encryption key.
[Claim 81]
The method of claim 80, wherein the second UL message includes a key identifier (ID) and the method further comprises: by the cellular wireless network entity: determining to use eSKnw to determine SHS1 based on the key ID.
[Claim 82]
The method of claim 81, wherein the key ID comprises ePKnw, a hash of ePKnw, or a count value.
[Claim 83]
The method of claim 80, wherein the cellular wireless network entity is pre-configured with PKnw and SKnw.
[Claim 84]
The method of claim 80, wherein the first encryption key is an Advanced Encryption Standard (AES) encryption key.
[Claim 85]
The method of claim 80, wherein the second encryption key is an Advanced Encryption Standard (AES) encryption key determined using a key derivation function (KDF) that includes SHS1 and SHS2 as inputs.
[Claim 86]
The method of claim 80, wherein SHS1 and SHS2 are generated using an Elliptic Curve Diffie-Hellman (ECDH) key agreement.
[Claim 87]
The method of claim 80, wherein the cellular wireless network entity comprises an evolved NodeB (eNodeB) or a next generation NodeB (gNB) .
[Claim 88]
The method of claim 80, wherein the mobile subscriber identifier comprises a mobile subscriber identification number (MSIN) .
[Claim 89]
An apparatus configurable for operation in a cellular wireless network entity, the apparatus comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 80 to 88.
[Claim 90]
A cellular wireless network entity comprising: wireless circuitry configurable for wireless communication with a user equipment (UE) ; and processing circuitry communicatively coupled to the wireless circuitry and comprising a processor and a memory storing instructions that, when executed by the processor, cause the cellular wireless network entity to perform the method of any one of claims 80 to 88.

Drawings

[ Fig. 0001]  
[ Fig. 0002]  
[ Fig. 0003]  
[ Fig. 0004]  
[ Fig. 0005]  
[ Fig. 0006]  
[ Fig. 0007]  
[ Fig. 0008]  
[ Fig. 0009]  
[ Fig. 0010]  
[ Fig. 0011]  
[ Fig. 0012]  
[ Fig. 0013]  
[ Fig. 0014]  
[ Fig. 0015]  
[ Fig. 0016]  
[ Fig. 0017]  
[ Fig. 0018]  
[ Fig. 0019]  
[ Fig. 0020]  
[ Fig. 0021]