
JP-7856793-B2 - Enabling cellular-based zero-trust network access


Inventors

  • ハダッド, ワッシム ミシェル
  • バーガレラ, ジュセッペ
  • マジアーリ, マッシミリアーノ

Assignees

  • テレフオンアクチーボラゲット エルエム エリクソン(パブル)

Dates

Publication Date
20260511
Application Date
20230128
Priority Date
20220521

Claims (18)

  1. A method performed by a user device (901) to establish a secure connection with an application entity (904) in an enterprise network, the method comprising: sending an establishment request to a Secure Access Secure Edge (SASE) entity (903); receiving an establishment response from the application entity (904), the establishment response indicating that the SASE entity (903) has authorized the establishment request and decided to allow the General Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902) to share a session key with the application entity (904); and establishing a connection with the application entity (904) based on the session key.
  2. The method of claim 1, further comprising: if the SASE entity (903) decides not to allow the establishment request, receiving an error message from the SASE entity (903); and, upon receiving the error message, terminating the connection between the user device (901) and the application entity (904).
  3. The method of claim 1 or 2, further comprising: before sending the establishment request to the SASE entity (903), generating a session key with the GBA/AKMA platform (902).
  4. The method of claim 1 or 2, further comprising: before sending the establishment request to the SASE entity (903), establishing a virtual private network (VPN) tunnel with the SASE entity (903).
  5. The method of claim 1 or 2, wherein the session key is calculated by the GBA/AKMA platform (902).
  6. The method of claim 1 or 2, further comprising: providing user data; and transferring the user data to a host by transmitting it to the application entity (904).
  7. A method performed by a Secure Access Secure Edge (SASE) entity (903) for establishing a secure connection between a user device (901) and an application entity (904) in an enterprise network, the method comprising: receiving an establishment request from the user device (901); deciding whether to permit the establishment request; if the SASE entity (903) decides to grant the establishment request, sending a start message to the General Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902); receiving an acknowledgment (ACK) response from the GBA/AKMA platform (902); and sending a session establishment request message to the application entity (904), wherein the start message includes permission to share the session key with the application entity (904).
  8. The method of claim 7, further comprising: if the SASE entity (903) decides not to allow the establishment request, sending an error message to the user device (901) in order to terminate the connection between the user device (901) and the application entity (904).
  9. The method of claim 7 or 8, wherein the establishment request includes a session key identifier.
  10. The method of claim 9, wherein the start message includes at least one of: one or more properties assigned to the session key based on the credentials of the user device (901); or the session key identifier.
  11. A method performed by a computer-implemented controller for establishing a secure connection between a user device and an application entity (904) in an enterprise network, the method comprising: receiving an establishment request from the user device; deciding whether to permit the establishment request; if the computer-implemented controller decides to allow the establishment request, sending a start message to the General Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902); receiving an acknowledgment (ACK) response from the GBA/AKMA platform (902); and sending a session establishment request message to the application entity (904), wherein the start message includes permission to share the session key with the application entity (904).
  12. The method of claim 11, further comprising: if the computer-implemented controller decides not to allow the establishment request, sending an error message to the user device to terminate the connection between the user device and the application entity (904).
  13. The method of claim 11 or 12, wherein the establishment request includes a session key identifier.
  14. The method of claim 13, wherein the start message includes at least one of: one or more properties assigned to the session key based on the credentials of the user device; or the session key identifier.
  15. A user device for establishing a secure connection with an application entity (904) in an enterprise network, the user device comprising: a processing circuit configured to: send an establishment request to a Secure Access Secure Edge (SASE) entity (903); receive an establishment response from the application entity (904), the establishment response indicating that the SASE entity (903) has authorized the establishment request and decided to allow the General-Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902) to share the session key with the application entity (904); and establish a connection with the application entity (904) based on the session key; and a power supply circuit configured to supply power to the processing circuit.
  16. A computer-implemented controller for establishing a secure connection between a user device and an application entity (904) within an enterprise network, the computer-implemented controller comprising: a processing circuit configured to: receive an establishment request from the user device; decide whether to permit the establishment request; if the processing circuit decides to grant the establishment request, send a start message to the General Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902); receive an acknowledgment (ACK) response from the GBA/AKMA platform (902); and send a session establishment request message to the application entity (904), wherein the start message includes permission to share the session key with the application entity (904); and a power supply circuit configured to supply power to the processing circuit.
  17. A computer program for a user device establishing a secure connection with an application entity (904) in an enterprise network, the computer program causing the user device to perform: sending an establishment request to a Secure Access Secure Edge (SASE) entity (903); receiving an establishment response from the application entity (904), the establishment response indicating that the SASE entity (903) has authorized the establishment request and decided to allow the General-Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902) to share the session key with the application entity (904); and establishing a connection with the application entity (904) based on the session key.
  18. A computer program for a computer-implemented controller establishing a secure connection between a user device and an application entity (904) within an enterprise network, the computer program causing the computer-implemented controller to perform: receiving an establishment request from the user device; deciding whether to permit the establishment request; if it is decided to grant the establishment request, sending a start message to the General Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform (902); receiving an acknowledgment (ACK) response from the GBA/AKMA platform (902); and sending a session establishment request message to the application entity (904), wherein the start message includes permission to share the session key with the application entity (904).
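The exchange that claims 1 to 14 describe, played through end to end as an added example; this is not code from the patent or from the applicant, and it is written from the defender's side to show the property the claims rest on: the application entity (904) only ever receives a session key after the SASE entity (903) has authorized the establishment request and sent a start message carrying permission to the GBA/AKMA platform (902), and a denied request leaves the application entity with no key and the device with no session. Everything concrete here is an assumption: the message field names, the dict-based policy standing in for the SASE entity's decision logic, HMAC-SHA256 standing in for the platform's key derivation, and in-process method calls standing in for the VPN tunnel and network messages.

```python
import hashlib
import hmac
import os


def derive_session_key(bootstrap_key: bytes, key_id: str, app_id: str) -> bytes:
    # Session key bound to a key identifier and to one application entity.
    # HMAC-SHA256 is a constructed stand-in for the platform's real KDF (assumption).
    return hmac.new(bootstrap_key, f"{key_id}|{app_id}".encode(), hashlib.sha256).digest()


class GbaAkmaPlatform:
    """GBA/AKMA platform (902): holds bootstrapped keys and the session keys derived from them."""
    def __init__(self) -> None:
        self._bootstrap_keys: dict[str, bytes] = {}
        self._sessions: dict[str, tuple[str, bytes]] = {}  # key_id -> (app_id, key)

    def generate_session_key(self, ue_id: str, app_id: str) -> tuple[str, bytes]:
        # Claims 3 and 5: the device obtains a platform-calculated key before contacting the SASE entity.
        root = self._bootstrap_keys.setdefault(ue_id, os.urandom(32))  # stand-in for cellular bootstrapping
        key_id = os.urandom(8).hex()
        key = derive_session_key(root, key_id, app_id)
        self._sessions[key_id] = (app_id, key)
        return key_id, key

    def start(self, msg: dict, app: "ApplicationEntity") -> dict:
        # Claims 7 and 10: the start message must carry permission and identify the session key.
        if not msg.get("share_permitted"):
            return {"type": "NACK", "reason": "start message carries no permission to share"}
        app_id, key = self._sessions[msg["key_id"]]
        if app_id != app.app_id:
            return {"type": "NACK", "reason": "session key is bound to a different application entity"}
        app.receive_session_key(msg["key_id"], key, msg.get("properties", {}))
        return {"type": "ACK", "key_id": msg["key_id"]}


class ApplicationEntity:
    """Application entity (904): only ever holds keys the SASE entity permitted the platform to share."""
    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self._keys: dict[str, tuple[bytes, dict]] = {}

    def receive_session_key(self, key_id: str, key: bytes, properties: dict) -> None:
        self._keys[key_id] = (key, properties)

    def key_count(self) -> int:
        return len(self._keys)

    def session_establish(self, req: dict) -> dict:
        # Session establishment request from the SASE entity; the establishment response goes to the device.
        if req["key_id"] not in self._keys:
            return {"type": "ERROR", "reason": "no session key for this request"}
        return {"type": "ESTABLISHMENT_RESPONSE", "key_id": req["key_id"], "app_id": self.app_id}

    def verify(self, key_id: str, data: bytes, tag: bytes) -> bool:
        # Claim 6: user data sent over the established connection, checked with the shared session key.
        key, _properties = self._keys[key_id]
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


class SaseEntity:
    """SASE entity (903): the policy decision point between the device and the application entities."""
    def __init__(self, platform: GbaAkmaPlatform, apps: dict, policy: dict) -> None:
        self.platform, self.apps, self.policy = platform, apps, policy  # policy: (ue_id, app_id) -> role

    def handle_establishment_request(self, req: dict) -> dict:
        ue_id, app_id, key_id = req["ue_id"], req["app_id"], req["key_id"]
        if (ue_id, app_id) not in self.policy:
            return {"type": "ERROR", "reason": "establishment request denied"}  # claim 8
        start_msg = {"key_id": key_id, "share_permitted": True,
                     "properties": {"role": self.policy[(ue_id, app_id)]}}  # claim 10
        ack = self.platform.start(start_msg, self.apps[app_id])
        if ack["type"] != "ACK":
            return {"type": "ERROR", "reason": ack["reason"]}
        return self.apps[app_id].session_establish({"key_id": key_id, "ue_id": ue_id})


class UserDevice:
    """User device (901)."""
    def __init__(self, ue_id: str, platform: GbaAkmaPlatform, sase: SaseEntity) -> None:
        self.ue_id, self.platform, self.sase, self.session = ue_id, platform, sase, None

    def connect(self, app_id: str) -> dict:
        key_id, key = self.platform.generate_session_key(self.ue_id, app_id)
        req = {"ue_id": self.ue_id, "app_id": app_id, "key_id": key_id}  # claim 9: carries the key identifier
        resp = self.sase.handle_establishment_request(req)
        self.session = (key_id, key) if resp["type"] == "ESTABLISHMENT_RESPONSE" else None  # claim 2
        return resp

    def send(self, data: bytes) -> tuple[str, bytes, bytes]:
        key_id, key = self.session
        return key_id, data, hmac.new(key, data, hashlib.sha256).digest()


def run_demo() -> dict:
    """Constructed scenario: one device, one permitted application entity, one denied one."""
    platform = GbaAkmaPlatform()
    hr, finance = ApplicationEntity("hr-portal"), ApplicationEntity("finance-ledger")
    sase = SaseEntity(platform, {a.app_id: a for a in (hr, finance)},
                      {("ue-alice", "hr-portal"): "employee"})
    alice = UserDevice("ue-alice", platform, sase)
    allowed = alice.connect("hr-portal")
    verified = hr.verify(*alice.send(b"constructed user data"))
    denied = alice.connect("finance-ledger")
    return {"allowed": allowed["type"], "verified": verified, "denied": denied["type"],
            "finance_keys": finance.key_count(), "session_after_denial": alice.session}
```

The point to take from running it is where the trust boundary sits: the device never hands its session key to the application entity itself, the platform releases a key only on a start message that carries the SASE entity's permission and the matching key identifier, and because the key is derived per application entity, a key generated for one entity cannot be released to another even if a start message names it.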

Description

Cross-reference to related applications: This application claims priority under 35 U.S.C. §119(e) of U.S. Provisional Patent Application No. 63/344,538, filed on 21 May 2022, entitled “Enabling 4G and 5G-based Zero Trust Networks.” The entire content of that application is incorporated herein by reference for all purposes.

This disclosure relates in general to communication systems, and more specifically to methods and apparatus for establishing secure connections between user devices and application entities in an enterprise network.

Remote employees rely on virtual private network (VPN) technology to access corporate information technology (IT) services. For this purpose, a VPN tunnel is set up between the employee's device, such as a laptop or tablet, and a dedicated remote-access VPN gateway (GW) placed behind the corporate firewall. In such a setup, it is difficult for the IT department to gain the desired visibility into the activity of remote user devices; for example, it cannot have the same level of visibility as when the user is working in the office. In practice, to improve visibility into user device activity, IT departments often collect logs from various enterprise applications, which can be a challenging task. Furthermore, IT departments want dynamic and granular control over user devices and what they can access, as well as over the location and time of access.

This specification describes various computer implementations, methods, and products for establishing secure connections to enterprise application entities within enterprise networks.

According to several embodiments, a method is disclosed for a user device (UE) to establish a secure connection with an application entity in an enterprise network. The method comprises sending an establishment request to a Secure Access Secure Edge (SASE) entity; receiving an establishment response from the application entity if the SASE entity decides to authorize the establishment request and to allow the General-Purpose Bootstrapping Architecture/Application Authentication Key Management (GBA/AKMA) platform to share a session key with the application entity; and establishing a connection with the application entity based on the session key. In the following description, the user device is also referred to as an end-user device.

According to several embodiments, a method is disclosed for a SASE entity to establish a secure connection between a user device and an application entity in an enterprise network. The method comprises receiving an establishment request from the user device; determining whether to permit the establishment request; and, if the SASE entity decides to permit it, sending an initiation message to the GBA/AKMA platform, receiving an acknowledgment (ACK) response from the GBA/AKMA platform, and sending a session establishment request message to the application entity. The initiation message includes permission to share the session key with the application entity.

According to several embodiments, a method performed by a computer-implemented controller is disclosed for establishing a secure connection between a user device and an application entity within an enterprise network. The method comprises receiving an establishment request from the user device; determining whether to permit the establishment request; and, if the computer-implemented controller decides to permit it, sending an initiation message to the GBA/AKMA platform, receiving an acknowledgment (ACK) response from the GBA/AKMA platform, and sending a session establishment request message to the application entity. The initiation message includes permission to share a session key with the application entity.

Embodiments of the UE and of the computer-implemented controller corresponding to the methods described above are also provided.

For a better understanding of the various embodiments described, the following detailed description should be read in conjunction with the drawings, in which like reference numbers refer to corresponding parts throughout. The drawings show:

  • exemplary communication systems according to several embodiments;
  • exemplary user devices according to several embodiments;
  • exemplary network nodes according to several embodiments;
  • block diagrams of the host according to several embodiments;
  • a block diagram illustrating a virtualization environment according to several embodiments;
  • a communication diagram of a host communicating with a user device via a network node over a partially wireless connection, according to several embodiments;
  • the communication of an end-user device with an enterprise application entity via a Secure Access Secure Edge (SASE) entity, using a VPN between th