KR20240056515A - Application communication security - Google Patents

Abstract

In embodiments of systems and methods for synchronous content presentation, a user equipment (UE) generates a freshness parameter, generates a unique session key based on the first session key and the freshness parameter, and , and in a configuration where the network device's Network Application Function (NAF) can generate a unique session key, the freshness parameter can be sent to the NAF. The network device may receive the freshness parameter, receive a first session key from a Key Server Function (KSF), and generate a unique session key based on the freshness parameter and the first session key. The UE and network device can then conduct secure communications using the unique session key without exchanging the unique session key between the two devices.

Description

Application communication security

Related Applications

This application claims the benefit of U.S. Provisional Application No. 63/245,692, filed September 17, 2021, entitled “Securing Application Communication,” the entire contents of which are hereby incorporated by reference.

Fifth generation (5G) New Radio (NR) and other communication technologies enable ultra-reliable, low-latency communication with user equipment (UEs), such as wireless devices. One application for these communication systems is providing various services to UEs. In some cases, edge computing architecture may be used to deliver these services. Edge computing architecture allows services to be provided from network devices or elements (e.g., servers) located relatively close to the UE, which reduces end-to-end latency and reduces resource demand and consumption on the communication network. You can. Some applications and services may employ or require communications security to provide one or more functions.

Various aspects include methods performed by a processor of a UE to secure communications. Some aspects include generating a freshness parameter, generating a unique session key based on the first session key and the freshness parameter, and refreshing the Network Application Function (NAF) to the NAF in a configuration wherein the NAF can generate the unique session key. It may include sending nice parameters, and communicating with the NAF using a unique session key.

In some aspects, the freshness parameter may be generated by the UE's secure bootstrapping client, and the UE's application client may communicate with the NAF using a unique session key. In some aspects, the UE's secure bootstrapping client may include either a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client. In some aspects, the freshness parameter may be associated with a specific application of the UE. In some aspects, a unique session key may be associated with a specific application of the UE and the first session key may be associated with the UE. In these aspects, a particular application may include a particular instantiation of an application.

In some aspects, the freshness parameter can include a random value. In some aspects, the freshness parameter can include an incremented nonce value. In some aspects, sending the freshness parameter to the NAF in a configuration where the NAF can generate a unique session key may include sending the freshness parameter to the NAF in a network service request message.

Additional aspects include a UE having a processor configured to perform one or more operations of any of the methods outlined above. Additional aspects include processing devices for use in a UE configured with processor-executable instructions for performing the operations of any of the methods outlined above. Additional aspects include a non-transitory processor-readable storage medium having processor-executable instructions stored thereon configured to cause a processor of a UE to perform the operations of any of the methods outlined above. Additional aspects include a UE having means to perform the functions of any of the methods outlined above. Additional aspects include a system-on-chip for use in a UE that includes a processor configured to perform one or more operations of any of the methods outlined above.

Various aspects include methods performed by a processor of a network device to secure communications. Some aspects include receiving a freshness parameter from a UE by a NAF, receiving a first session key from a Key Server Function (KSF), and generating a unique session key based on the freshness parameter and the first session key. , and communicating with the UE using a unique session key.

In some aspects, the freshness parameter may be associated with a specific application of the UE. In some aspects, the freshness parameter can include a random value. In some aspects, the freshness parameter can include an incremented nonce value.

In some aspects, a unique session key may be associated with a specific application of the UE and the first session key may be associated with the UE. In these aspects, a particular application may include a particular instantiation of an application. Some aspects may include sending a request to the UE to initiate secure communication. In some aspects, receiving the freshness parameter from the UE by the NAF may include receiving the freshness parameter in a network service request message.

Additional aspects include a network device having a processor configured to perform one or more operations of any of the methods outlined above. Additional aspects include processing devices for use in a network device configured with processor-executable instructions for performing the operations of any of the methods outlined above. Additional aspects include a non-transitory processor-readable storage medium having processor-executable instructions stored thereon configured to cause a processor of a network device to perform the operations of any of the methods outlined above. Additional aspects include a network device having means to perform the functions of any of the methods outlined above. Additional aspects include a system-on-chip for use in a network device that includes a processor configured to perform one or more operations of any of the methods outlined above.

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate example embodiments and, together with the general description given above and the detailed description given below, serve to explain the features of the various embodiments.
1A is a system block diagram illustrating an example communications system suitable for implementing any of the various embodiments.
1B is a system block diagram illustrating an example edge computing system suitable for use with various embodiments.
2 is a component block diagram illustrating an example computing and wireless modem system suitable for implementing any of the various embodiments.
3 is a component block diagram illustrating a software architecture including a wireless protocol stack for user and control planes in wireless communications suitable for implementing any of the various embodiments.
4A and 4B are component block diagrams illustrating a system configured to improve coverage for initial access, according to various embodiments.
5A is a block diagram illustrating an example system for bootstrapping application security suitable for use with various embodiments.
FIG. 5B is a message flow diagram illustrating communications exchanged between user equipment and a network device during a method 500b for securing communications in accordance with various embodiments.
6 is a process flow diagram illustrating a method performed by a processor of a UE to secure communications in accordance with various embodiments.
7 is a process flow diagram illustrating a method performed by a processor of a network device to secure communications in accordance with various embodiments.
8 is a component block diagram of a network device suitable for use in various embodiments.
9 is a component block diagram of a UE suitable for use in various embodiments.

Various embodiments will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. References made to specific examples and implementations are for illustrative purposes and are not intended to limit the scope of the claims.

In various embodiments, to secure communications between a user equipment (UE) and a network device or element (e.g., a server), a key generating entity executing within the UE may provide a key generation entity for use by the UE in a communication protocol, such as: It may be configured to generate a freshness parameter that is used to generate a unique session key for the secure bootstrapping operation. The UE sends the freshness parameter to the network device as part of bootstrapping operations, and the network then uses the freshness parameter to generate the same unique session key for use in its communication protocol. The UE and network device then use the generated unique session key to secure communications to a specific application or server. In some implementations, the UE and network device may generate unique session keys for different applications or services. In this way, a UE (e.g., edge applications) and a network device (e.g., edge server) secure (protect) communications for multiple applications using a unique session key for each application's communications. , encryption) can be done. The various embodiments may be used in or as part of Generic Bootstrapping Architecture (GBA), Authentication and Key Management for Applications (AKMA), and other suitable security architectures and protocols. For clarity, some examples may be described herein with reference to a specific security architecture or protocol, but this is not intended as a limitation on any of the concepts described.

The terms “user equipment” and “UE” include relays, wireless router devices, wireless appliances, cellular phones, smartphones, portable computing devices, personal or mobile multimedia players, laptop computers, tablet computers, Smartbooks, Ultrabooks, Palmtop Computers, Wireless Email Receivers, Multimedia Internet-Enabled Cellular Phones, Medical Devices and Equipment, Biometric Sensors/Devices, Smart Watches, Smart Clothing, Smart Glasses, Smart Wristbands, wearable devices including smart jewelry (e.g., smart rings and smart bracelets), entertainment devices (e.g., wireless gaming controllers, music and video players, satellite radios, etc.), smart Wireless network-enabled Internet of Things (IoT) devices including meters/sensors, industrial manufacturing equipment, large and small machines and appliances for home or enterprise use, wireless communication elements in autonomous and semi-autonomous vehicles, and various mobile platforms. Refers to any or all of the endpoint or user devices including UEs, global positioning system devices, and similar electronic devices including memory, wireless communication components, and programmable processors attached to or integrated with It is used in

The term “system on chip” (SOC) is used herein to refer to a single integrated circuit (IC) chip containing multiple resources or processors integrated on a single substrate. A single SOC may include circuitry for digital, analog, mixed signal, and radio frequency functions. A single SOC may also include any number of general-purpose or specialized processors (digital signal processors, modem processors, video processors, etc.), memory blocks (e.g., ROM, RAM, flash, etc.), and resources (e.g., timers). , voltage regulators, oscillators, etc.). SOCs may also include software for controlling peripheral devices as well as integrated resources and processors.

The term “SIP (system in a package)” is used herein to refer to a single module or package containing multiple resources, computational units, cores or processors on two or more IC chips, substrates, or SOCs. It may also be used in . For example, a SIP may include a single substrate with multiple IC chips or semiconductor dies stacked in a vertical configuration. Similarly, a SIP may include one or more multi-chip modules (MCMs) in which multiple ICs or semiconductor dies are packaged on an integrated substrate. A SIP may also include multiple independent SOCs coupled together through high-speed communications circuitry and packaged in close proximity, such as on a single motherboard or in a single wireless device. The proximity of SOCs facilitates high-speed communications and sharing of memory and resources.

As used herein, the terms “network,” “system,” “wireless network,” “cellular network,” and “wireless communications network” refer to a subscription on a wireless device and/or a wireless network of a carrier associated with a wireless device. Some or all of may be referred to interchangeably. The techniques described herein can be used in various wireless communication networks such as code division multiple access (CDMA), time division multiple access (TDMA), FDMA, orthogonal FDMA (OFDMA), single carrier FDMA (SC-FDMA), and other networks. It may also be used for In general, any number of wireless networks may be deployed in a given geographic area. Each wireless network may support at least one radio access technology, which may operate on one or more frequencies or ranges of frequencies. For example, a CDMA network may be an evolved Universal Terrestrial Radio Access (UTRA) (including the Wideband Code Division Multiple Access (WCDMA) standards), (IS-2000, IS-95, and/or IS-856). CDMA2000 (including standards) may also be implemented. In another example, a TDMA network may implement GSM Enhanced Data Rates (EDGE) for GSM Evolution. In other examples, OFDMA networks include Evolved UTRA (E-UTRA) (including the LTE standards), Institute of Electrical and Electronics Engineers (IEEE) 802.11 (WiFi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM®, etc. can also be implemented. May refer to wireless networks that use LTE standards, and thus the terms “Evolved Universal Terrestrial Radio Access”, “E-UTRAN” and “eNodeB” will also be used interchangeably herein to refer to a wireless network. It may be possible. However, these references are provided as examples only and are not intended to exclude wireless networks using other communication standards. For example, various third generation (3G) systems, fourth generation (4G) systems, and fifth generation (5G) systems are discussed herein, but these systems are referenced only as examples and future generation systems (e.g. For example, 6th generation (6G) or higher systems) may be replaced in various examples.

Ultra-reliable low-latency communication enabled by 5G NR and other appropriate communication technologies enables the provision of various services to UEs. In some cases, these devices may be provided at least in part using an edge computing architecture, which allows services to be provided from a network device or element (such as a server) located relatively close to the UE. Providing services from edge devices can reduce end-to-end latency and reduce resource demand and consumption on communication networks.

Some applications and services may employ or require communications security to provide one or more functions. For example, Generic Bootstrapping Architecture (GBA) can provide a mechanism to configure a shared secret between the UE and network device using protocols such as 3GPP Authentication and Key Agreement (AKA). As another example, Authentication and Key Management for Applications (AKMA) may utilize similar operations between a UE and a network device (e.g., executing an application function (AF)). In typical approaches, the UE and network device share a single shared secret for all communications by all services and applications.

Various embodiments include computing devices and methods configured to perform methods for securing communications between a UE and a network device providing personalized communication security for an application or service. In some embodiments, the UE may generate the freshness parameter, such as by the UE's secure bootstrapping client (e.g., GBA client). Using the first session key (eg, a root key shared with the network device) and the freshness parameter, the UE can generate a unique session key. In various implementations, the freshness parameter may be associated with a specific application running on or provided to the UE. For example, a UE may have several different edge applications running on the UE's processor that are communicating with the same edge server. As examples, multiple concurrent edge applications may include a navigation application, a media (eg, music) streaming application, and an augmented reality application, each of which should have a different unique key. In various embodiments, each of these different applications may be assigned a unique freshness parameter by both the UE and the edge server, coupled with a first session key, thereby used for communication between the UE and the edge server. Provides a unique session key for each application without changing the first session key.

In some implementations, the freshness parameter can include a random value. In some implementations, the freshness parameter may include an incremented value, such as the value of a counter, that may be incremented each time a new unique session key is required (e.g., for a new application or new instantiation of an application). . In some embodiments, the incremented value may be used as a nonce value (eg, an incremented nonce value).

In various embodiments, the UE may access a network application function (NAF) of a network device (e.g., NAF in GBA, application function in AKMA, or other suitable function) in a configuration that allows the NAF to generate a unique session key. Freshness parameters can be transmitted. In some embodiments, the UE may send the freshness parameter as part of a network service request message (eg, application request message). In various embodiments, the NAF is the same as that used by the UE to generate the same unique session key (i.e., the same unique session key as the unique session key generated by the UE) using the freshness parameter received from the UE. Algorithms can be run. In some embodiments, the NAF is configured to retrieve a first session key (i.e., a session key used by the UE) from a Key Server Function (KSF) (e.g., Bootstrapping Server Function (BSF), AKMA function, or other suitable function) running on the network. may receive (or may request and receive in response to the request) a session key identical to the first session key. Using the freshness parameter and the first session key, NAF can generate a unique session key. The UE and NAF can then communicate using the unique session key without exchanging the unique session key. In various embodiments, the UE and NAF may generate unique session keys for each application or service of the UE (or provided to the UE by a network device).

In some embodiments, the UE may receive a request from the NAF to initiate secure communication. In some embodiments, the request to initiate secure communication may include a domain name of the NAF (e.g., Fully Qualified Domain Name (FQDN)) and a security protocol identifier for the interface between the NAF and the UE, e.g., the Ua interface. You can. In some embodiments, the UE may derive (generate, calculate) the first session key based on the NAF's domain name and security protocol identifier. In some embodiments, the UE may generate a freshness parameter and transmit the freshness parameter to the network device (e.g., to the NAF) in response to a request to initiate secure communication received from the NAF. For example, the UE (e.g., GBA client, AKMA client, or other suitable client) may create a freshness parameter and pass the freshness parameter to the NAF. The UE may also generate a unique session key using the freshness parameter and the first session key. In some embodiments, the first session key may be associated with the UE. For example, a session key, such as Ks_NAF, Ks_int_NAF, or Ks_ext_NAF, may be a session key used in GBA. In some embodiments, the freshness parameter may be associated with a specific application of the UE. In some embodiments, the freshness parameter may be associated with a specific instantiation of the UE's application (or service). Additionally, the NAF may receive a freshness parameter from the UE and a version of the first session key from the KSF, and the NAF may generate its own version of the unique session key using the freshness parameter and the first session key. You can.

In various embodiments, the UE may include the freshness parameter in an existing field of the message exchanged between the UE and the NAF. In this way, various embodiments can be implemented without changing the protocol or architecture of the messages or message exchanges. For example, for devices and networks using the digest AKA protocol, the freshness parameter may be included in the “cnonce” field. As another example, for devices and networks that utilize Transport Layer Security (TLS), the freshness parameter may be included in an existing field of the ClientHello message or other suitable message. In various embodiments, the length of the freshness parameter can be configured to fit within an existing field and/or message. In various embodiments, the UE may generate the freshness parameter at a similar security level as other encryption or session keys and/or in a similarly secured memory portion, and the UE and network device may process it.

Various embodiments allow a UE and a network device to generate a unique key for each application or service for the UE without exchanging personal or secure information, such as a private key. As a result, various embodiments improve the operation of the UE, network device, and communication system by improving the security of communications between the UE and the network device.

1A is a system block diagram illustrating an example communication system 100. Communication system 100 may be a 5G New Radio (NR) network, or any other suitable network, such as a Long Term Evolution (LTE) network. Although Figure 1A illustrates a 5G network, later generation networks may include the same or similar elements. Accordingly, references to 5G networks and 5G network elements in the following descriptions are for illustrative purposes and are not intended to be limiting.

Communication system 100 may include a heterogeneous network architecture including a core network 140 and various UEs (illustrated as UEs 120a-120e in FIG. 1). Communication system 100 may include an edge network 142 to provide network computing resources, applications, and/or services proximate to mobile devices via one or more network devices 142a. Communication system 100 may also include multiple base stations (illustrated as BS 110a, BS 110b, BS 110c, and BS 110d) and other network entities. A base station is an entity that communicates with UEs, and also includes NodeB, LTE evolved NodeB (eNodeB or eNB), access point (AP), radio head, transmit/receive point (TRP), and new radio base station (NR BS). ), 5G Node B (NB), next-generation Node B (g Node B or gNB), etc. Each base station may provide communications coverage for a specific geographic area. In 3GPP, the term “cell” can refer to a coverage area of a base station, a base station subsystem serving this coverage area, or a combination thereof, depending on the context in which the term is used. Core network 140 may be any type of core network, such as an LTE core network (e.g., an evolved packet core (EPC) network), a 5G core network, etc.

Base stations 110a-110d may provide communication coverage for macro cells, pico cells, femto cells, or other types of cells, or combinations thereof. A macro cell may cover a relatively large geographic area (eg, several kilometers in radius) and may allow unrestricted access by UEs with a service subscription. A pico cell may cover a relatively small geographic area and may allow unrestricted access by UEs with a service subscription. A femto cell may cover a relatively small geographic area (e.g., a home), and UEs with an association with the femto cell (e.g., UEs within a closed subscriber group (CSG) You can also allow limited access by . A base station for a macro cell may be referred to as a macro BS. A base station for a pico cell may be referred to as a pico BS. The base station for a femto cell may be referred to as a femto BS or home BS. In the example illustrated in FIG. 1 , base station 110a may be a macro BS for macro cell 102a, base station 110b may be a pico BS for pico cell 102b, and base station 110c may be a femto BS. It may be a femto BS for cell 102c. Base stations 110a-110d may support one or multiple (eg, three) cells. The terms “eNB”, “base station”, “NR BS”, “gNB”, “TRP”, “AP”, “Node B”, “5G NB”, and “cell” are used interchangeably herein. It may be possible.

In some examples, the cell may not be stationary and the cell's geographic area may move depending on the location of the mobile base station. In some examples, base stations 110a-110d may utilize any suitable transport network to connect one or more nodes in communication system 100 via various types of backhaul interfaces, such as a direct physical connection, a virtual network, or a combination thereof. They may be interconnected to each other as well as to other base stations or network nodes (not shown).

Base stations 110a-110d may communicate with core network 140 via wired or wireless communication links 126. UEs 120a - 120e may communicate with base stations 110a - 110d via wireless communication link 122 .

Wired communications links 126 include one such as Ethernet, Point-to-Point Protocol, High-Level Data Link Control (HDLC), Advanced Data Communications Control Protocol (ADCCP), and Transmission Control Protocol/Internet Protocol (TCP/IP). A variety of wired networks (such as Ethernet, TV cable, telephone, fiber optic, and other forms of physical network connections) may be used, which may use the above wired communication protocols.

Communication system 100 may also include relay stations (e.g., relay BS 110d). A relay station is an entity that can receive transmissions of data from an upstream station (eg, a base station or UE) and forward transmissions of data to a downstream station (eg, a UE or base station). A relay station may also be a wireless device (eg, UE) that can relay transmissions for other UEs. In the example shown in FIG. 1 , relay station 110d may communicate with macro base station 110a and UE 120d to facilitate communication between base station 110a and UE 120d. A relay station may also be referred to as a relay base station, relay BS, repeater, etc.

Communication system 100 may be a heterogeneous network that includes different types of base stations, such as macro base stations, pico base stations, femto base stations, repeater base stations, etc. These different types of base stations may have different transmit power levels, different coverage areas, and different impacts on interference in communication system 100. For example, macro base stations may have high transmit power levels (e.g., 5 to 40 watts), while pico base stations, femto base stations, and repeater base stations may have lower transmit power levels (e.g., 0.1 to 2 watts).

Network controller 130 may couple to a set of base stations and provide coordination and control for these base stations. Network controller 130 may communicate with base stations via backhaul. Base stations may also communicate with each other directly or indirectly, for example, via wireless or wired backhaul.

UEs 120a, 120b, 120c may be distributed throughout communication system 100, and each UE may be stationary or mobile. A UE may also be referred to as an access terminal, terminal, mobile station, subscriber unit, station, wireless device, etc.

Macro base station 110a may communicate with communications network 140 via wired or wireless communications links 126. UEs 120a, 120b, and 120c may communicate with base stations 110a through 110d via wireless communication link 122.

Wireless communication links 122 and 124 may include multiple carrier signals, frequencies, or frequency bands, each of which may include multiple logical channels. Wireless communication links 122 and 124 may utilize one or more radio access technologies (RATs). Examples of RATs that may be used in wireless communication links include 3GPP LTE, 3G, 4G, 5G (e.g. NR), GSM, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), WiMAX (Worldwide Interoperability for Microwave) Access, Time Division Multiple Access (TDMA), and other mobile telephony technologies include cellular RATs. Other examples of RATs that may be used in one or more of the various wireless communication links within communication system 100 include mid-range protocols such as Wi-Fi, LTE-U, LTE-Direct, LAA, MuLTEfire, and relatively short-range RATs such as Includes ZigBee, Bluetooth, and Bluetooth Low Energy (LE).

Certain wireless networks (eg, LTE) utilize orthogonal frequency division multiplexing (OFDM) on the downlink and single carrier frequency division multiplexing (SC-FDM) on the uplink. OFDM and SC-FDM partition the system bandwidth into multiple (K) orthogonal subcarriers, also called tones, bins, etc. Each subcarrier may be modulated with data. Typically, modulation symbols are transmitted in the frequency domain with OFDM and in the time domain with SC-FDMA. The spacing between adjacent subcarriers may be fixed, and the total number of subcarriers (K) may depend on the system bandwidth. For example, the spacing of subcarriers may be 15 kHz and the minimum resource allocation (referred to as a “resource block”) may be 12 subcarriers (or 180 kHz). As a result, the nominal Fast File Transfer (FFT) size may be equal to 128, 256, 512, 1024, or 2048 for system bandwidths of 1.25, 2.5, 5, 10, or 20 megahertz (MHz), respectively. System bandwidth may also be partitioned into subbands. For example, a subband may cover 1.08 MHz (i.e., 6 resource blocks), with 1, 2, 4, 8 or 16 resource blocks for a system bandwidth of 1.25, 2.5, 5, 10 or 20 MHz respectively. Subbands may also exist.

Descriptions of some implementations may use terms and examples associated with LTE technologies, but some implementations may be applicable to other wireless communication systems, such as New Radio (NR) or 5G networks. NR utilizes OFDM with cyclic prefix (CP) on the uplink (UL) and downlink (DL) and may include support for half-duplex operation using time division duplex (TDD). A single component carrier bandwidth of 100 MHz may be supported. NR resource blocks may span 12 subcarriers with a subcarrier bandwidth of 75 kHz over 0.1 millisecond (ms) duration. Each radio frame may consist of 50 subframes with a length of 10 ms. As a result, each subframe may be 0.2 ms long. Each subframe may indicate a link direction (i.e., DL or UL) for data transmission, and the link direction for each subframe may be dynamically switched. Each subframe may include DL/UL data and DL/UL control data. Beamforming may be supported and the beam direction may be dynamically configured. Multiple-input multiple-output (MIMO) transmissions with precoding may also be supported. MIMO configurations in DL may support up to 8 transmit antennas with multi-layer DL transmissions of up to 2 streams and up to 8 streams per UE. Multi-layer transmissions with up to two streams per UE may be supported.

Aggregation of multiple cells may be supported with up to 8 serving cells. Alternatively, NR may support different air interfaces other than OFDM-based air interfaces.

Some UEs may be considered machine-type communication (MTC) or evolved or advanced machine-type communication (eMTC) UEs. MTC and eMTC UEs include, for example, robots, drones, remote devices, sensors, meters, monitors, location tags, etc., which may communicate with a base station, another device (e.g., a remote device), or some other entity. . A wireless computing platform may provide connection to or into a network (e.g., a cellular network or a wide area network such as the Internet), e.g., via a wired or wireless communication link. Some UEs may be considered Internet-of-Things (IoT) devices, or may be implemented as narrowband internet of things (NB-IoT) devices. The UE 120a-120e may be included within a housing that houses components of the UE 120a-120e, such as processor components, memory components, similar components, or combinations thereof.

In general, any number of communication systems and any number of wireless networks may be deployed in a given geographic area. Each communication system and wireless network may support a specific radio access technology (RAT) and may operate on one or more frequencies. RAT may also be referred to as wireless technology, air interface, etc. Frequency may also be referred to as a carrier, frequency channel, etc. Each frequency may support a single RAT in a given geographic area to avoid interference between the communication systems of different RATs. In some cases, 4G/LTE and/or 5G/NR RAT networks may be deployed. For example, a 5G non-standalone (NSA) network may utilize both a 4G/LTE RAT on the 4G/LTE RAN side of a 5G NSA network and a 5G/NR RAT on the 5G/NR RAN side of a 5G NSA network. Both 4G/LTE RAN and 5G/NR RAN may be connected to each other and to a 4G/LTE core network (e.g., Evolved Packet Core (EPC) network) in a 5G NSA network. Other example network configurations may include a 5G standalone (SA) network where the 5G/NR RAN connects to a 5G core network.

In some implementations, two or more UEs (e.g., illustrated as UE 120a and UE 120e) communicate with one another (e.g., without using base stations 110a-d as an intermediary to communicate with each other). Direct communication can also be achieved using the above sidelink channels. For example, UEs 120a-120e may perform peer-to-peer (P2P) communications, device-to-device (D2D) communications, vehicle-to-everything (V2X) protocols (which may -vehicle) protocol, vehicle-to-infrastructure (V2I) protocol, or similar protocols), a mesh network, or similar networks, or combinations thereof. In this case, UEs 120a-120e may perform scheduling operations, resource selection operations, as well as other operations described elsewhere herein as performed by base stations 110a-110d.

FIG. 1B is a system block diagram illustrating an example edge computing system 150 suitable for use with various embodiments. In some embodiments, edge computing system 150 may include an edge network 142 and a UE 170 (e.g., UE 120a-120e) configured to communicate via 3GPP core network 160. . Edge data network 152 may include an edge application server 154 and one or more edge enabler server(s) 156 that communicate with edge configuration server 158. Examples of edge application server 154, edge enabler server(s) 156, and edge configuration server 158 include network device 142a. UE 170 may include application client(s) 172 that communicate with one or more edge enabler client(s) 174. Each of the elements of edge computing system 150 may communicate over an edge interface (e.g., EDGE-1, EDGE-2,... EDGE-9).

Edge application servers 154 and application client(s) 172 may each be configured to process computing tasks and send application data traffic (i.e., data related to computing tasks, applications, services, etc.) via the 3GPP core network 160. ) can also be communicated. Edge enabler server(s) 156 may be configured to maintain and notify applications (e.g., to devices such as UE 170) provided by edge application server(s) 154. . Edge configuration server 158 may be configured to manage communications within and between one or more edge data networks 152 .

Edge application server(s) 154 may provide information regarding its applications and their capabilities to edge enabler server(s) 156 via the EDGE-3 interface. Edge enabler server(s) 156 may provide information regarding the edge data network 152 to edge configuration server 158 via an EDGE-6 interface. Edge application server(s) 154 and edge enabler server(s) 156 may communicate with the 3GPP core network 160 via an EDGE-7 interface and an EDGE-2 interface, respectively.

In some embodiments, edge enabler client(s) 174 can connect to edge enabler server(s) 156 via an EDGE-1 interface (and/or from an edge configuration server via an EDGE-4 interface). 158), information regarding available edge data networks 152 may be obtained. In some embodiments, edge enabler client(s) 174 may obtain information about edge application server(s) 154, such as available applications and their capabilities, via the EDGE-4 interface. there is. In some embodiments, edge enabler client 174, edge enabler server(s) 156, and edge configuration server 158 may employ discovery and provisioning procedures via their respective edge interfaces. .

Application client 172 may communicate with edge enabler client(s) 174 via an EDGE-5 interface. In some embodiments, edge enabler client(s) 174 may obtain information regarding available edge data networks 152 from edge configuration server 158 via the EDGE-4 interface, and EDGE The use of edge application server(s) 154 may be coordinated with edge enabler server(s) 156 via the -1 interface. Edge enabler server(s) 156 may coordinate with each other through the EDGE-9 interface.

FIG. 2 is a component block diagram illustrating an example computing and wireless modem system 200 suitable for implementing any of the various embodiments. The various embodiments may be implemented on a number of single processor and multiprocessor computer systems, including system-on-chip (SOC) or system-in-package (SIP).

1A-2, the illustrated exemplary computing system 200 (which may be a SIP in some embodiments) is configured to be connected to a base station (not shown) via a clock 206, a voltage regulator 208, and an antenna (not shown). and two SOCs 202, 204 coupled to a wireless transceiver 266 configured to transmit and receive wireless communications to and from UEs such as 110a). In some implementations, first SOC 202 is a central processing unit of the UE that executes instructions of software application programs by performing arithmetic, logic, control, and input/output (I/O) operations specified by the instructions. It can also operate as a (CPU). In some implementations, the second SOC 204 may operate as a specialized processing unit. For example, the second SOC 204 is a specialized 5G processing unit responsible for managing high-capacity, high-speed (e.g., 5 Gbps, etc.), or ultra-high frequency shortwave length (e.g., 28 GHz mm-wave spectrum, etc.) communications. It may also operate as .

The first SOC 202 includes a digital signal processor (DSP) 210, a modem processor 212, a graphics processor 214, an applications processor 216, and one or more coprocessors connected to one or more of the processors ( 218) (e.g., vector coprocessor), memory 220, custom circuitry 222, system components and resources 224, interconnect/bus module 226, one or more temperature sensors 230, thermal It may include a management unit 232, and a thermal power envelope (TPE) component 234. The second SOC 204 includes a 5G modem processor 252, a power management unit 254, an interconnect/bus module 264, a plurality of mm-wave transceivers 256, memory 258, and an application processor, packet It may also include various additional processors 260, such as a processor.

Each processor 210, 212, 214, 216, 218, 252, 260 may include one or more cores, and each processor/core may perform operations independent of the other processors/cores. For example, the first SOC 202 includes a processor executing a first type of operating system (e.g. FreeBSD, LINUX, OS X, etc.) and a processor executing a second type of operating system (e.g. MICROSOFT WINDOWS 10). You may. Additionally, any or all of processors 210, 212, 214, 216, 218, 252, 260 may be included as part of a processor cluster architecture (e.g., synchronous processor cluster architecture, asynchronous or heterogeneous processor cluster architecture, etc.) .

The first and second SOCs 202, 204 manage sensor data, analog-to-digital conversions, wireless data transmissions, and perform tasks such as decoding data packets and processing encoded audio and video signals for rendering in a web browser. It may also include various system components, resources, and custom circuitry to perform other specialized operations. For example, system components and resources 224 of first SoC 202 include power amplifiers, voltage regulators, oscillators, phase-locking loops, peripheral bridges, data controllers, memory controllers, It may include system controllers, access ports, timers, and other similar components used to support processors and software clients running on the UE. System components and resources 224 or custom circuitry 222 may also include circuitry for interfacing with peripheral devices, such as cameras, electronic displays, wireless communication devices, external memory chips, etc.

The first and second SOCs 202, 204 may communicate via an interconnect/bus module 250. The various processors 210, 212, 214, 216, 218 are connected to one or more memory elements 220, system components and resources 224, and custom circuitry 222 via an interconnect/bus module 226. , and may be interconnected to thermal management unit 232. Similarly, processor 252 may be interconnected to power management unit 254, mm-wave transceivers 256, memory 258, and various additional processors 260 via interconnect/bus module 264. It may be possible. Interconnect/bus modules 226, 250, 264 may include an array of reconfigurable logic gates or implement a bus architecture (eg, CoreConnect, AMBA, etc.). Communications may be provided by advanced interconnects, such as high-performance network-on-chips (NoCs).

The first or second SOCs 202, 204 may further include an input/output module (not shown) to communicate with resources external to the SOC, such as a clock 206 and a voltage regulator 208. Resources external to the SOC (e.g., clock 206, voltage regulator 208) may be shared by two or more of the internal SOC processors/cores.

In addition to the example SIP 200 discussed above, some implementations may be implemented in a wide variety of computing systems, which may include a single processor, multiple processors, multicore processors, or any combination thereof.

FIG. 3 is a component block diagram illustrating a software architecture 300 including a wireless protocol stack for user and control planes in wireless communications suitable for implementing any of the various embodiments. 1A-3, UE 320 is connected to network device 350 of communication system 100 (e.g., network device 142a in edge network 142) and UE 320. ) (e.g., UEs 120a-120e, 200) may implement a software architecture 300 to facilitate communication between them. In various embodiments, layers in software architecture 300 may form logical connections with corresponding layers in software of network device 350. Software architecture 300 may be distributed among one or more processors (e.g., processors 212, 214, 216, 218, 252, 260). Although illustrated for one wireless protocol stack, multi-SIM (subscriber Identity module) In a UE, software architecture 300 may include multiple protocol stacks, each of which may be associated with a different SIM (e.g., two protocol stacks each in a dual SIM wireless communication device). Although described below with reference to LTE communication layers, software architecture 300 may support any of a variety of standards and protocols for wireless communication. may also include additional protocol stacks supporting any of these wireless communications.

Software architecture 300 may include a non-access layer (NAS) 302 and an access layer (AS) 304. NAS 302 supports packet filtering, security management, mobility control, session management, and traffic and signaling between the UE's SIM(s) (e.g., SIM(s) 204) and its core network 140. It may also include functions and protocols for: AS 304 may include functions and protocols that support communication between SIM(s) (e.g., SIM(s) 204) and entities (e.g., base stations) of supported access networks. . In particular, AS 304 may include at least three layers (Layer 1, Layer 2, and Layer 3), each of which may include various sub-layers.

In the user and control planes, Layer 1 (L1) of AS 304 is the Physical Layer (L1), which may oversee functions that enable transmission or reception over an air interface via a wireless transceiver (e.g., 266). PHY) (306). Examples of such physical layer 306 functions may include cyclic redundancy check (CRC) attachment, coding blocks, scrambling and descrambling, modulation and demodulation, signal measurements, MIMO, etc. The physical layer may include various logical channels, including the Physical Downlink Control Channel (PDCCH) and the Physical Downlink Shared Channel (PDSCH).

In the user and control planes, Layer 2 (L2) of AS 304 may be responsible for the link between UE 320 and network device 350 over physical layer 306. In some implementations, Layer 2 includes the Media Access Control (MAC) sublayer 308, Radio Link Control (RLC) sublayer 310, Packet Data Convergence Protocol (PDCP) 312 sublayer, and Service Data Adaptation Protocol. (SDAP) 317 sublayers, each of which forms a logical connection terminating at a network device 350.

In the control plane, layer 3 (L3) of AS 304 may include radio resource control (RRC) sublayer 3. Although not shown, software architecture 300 may include various upper layers above Layer 3 as well as additional Layer 3 sublayers. In some implementations, RRC sublayer 313 performs functions including broadcasting system information, paging, and establishing and tearing down an RRC signaling connection between UE 320 and network device 350. You can also provide it.

In various embodiments, SDAP sublayer 317 may provide mapping between quality of service (QoS) flows and data radio bearers (DRBs). In some implementations, PDCP sublayer 312 may provide uplink functions including multiplexing between different radio bearers and logical channels, sequence number addition, handover data handling, integrity protection, encryption, and header compression. there is. In the downlink, PDCP sublayer 312 may provide functions including in-sequence delivery of data packets, duplicate data packet detection, integrity verification, decryption, and header decompression.

In the uplink, RLC sublayer 310 may provide segmentation and concatenation of upper layer data packets, retransmission of lost data packets, and automatic repeat request (ARQ). In the downlink, RLC sublayer 310 functions may include reordering of data packets to compensate for out-of-order reception, reassembly of upper layer data packets, and ARQ.

In the uplink, MAC sublayer 308 may provide functions including multiplexing between logical and transport channels, random access procedure, logical channel priority, and Hybrid-ARQ (HARQ) operations. In the downlink, MAC layer functions may include intra-cell channel mapping, demultiplexing, discontinuous reception (DRX), and HARQ operations.

While software architecture 300 may provide functions for transmitting data over physical media, software architecture 300 also includes at least one host layer to provide data transmission services to various applications at UE 320. (314) may be further included. In some implementations, application-specific functions provided by at least one host layer 314 may provide an interface between the software architecture and the general-purpose processor 206.

In other implementations, software architecture 300 may include one or more higher logical layers (eg, transport, session, presentation, application, etc.) that provide host layer functions. For example, in some implementations, software architecture 300 may include a network layer (e.g., an Internet Protocol (IP) layer) whose logical connection terminates at a packet data network (PDN) gateway (PGW). In some implementations, software architecture 300 may include an application layer whose logical connections terminate in another device (eg, end-user device, server, etc.). In some implementations, software architecture 300 may further include a hardware interface 316 in AS 304 between the physical layer 306 and communications hardware (e.g., one or more radio frequency (RF) transceivers) .

FIGS. 4A and 4B are component block diagrams illustrating a system 400 configured to improve coverage for initial access, according to various embodiments. 1A-4B, system 400 includes a UE 402 (e.g., 120a-120e, 170, 320) and a network device 404 (e.g., 142a, 154, 156, 158, 350) may be included. In some embodiments, UE 402 and network device 404 can exchange wireless communications to establish a wireless communication link (e.g., 122).

UE 402 and network device 404 may include electronic storage 426, 430 and one or more processors 428, 432 coupled to a wireless transceiver (e.g., 266). At UE 402 and network device 404, wireless transceiver 266 may be configured to receive messages sent in transmissions and forward such messages to processor(s) 428, 432 for processing. . Similarly, processors 428, 432 may be configured to transmit messages for transmission to wireless transceiver 266.

Referring to UE 402, processor(s) 432 may be configured by machine-readable instructions 434. Machine-readable instructions 406 may include one or more instruction modules. Instruction modules may also include computer program modules. Command modules may include one or more of freshness parameter module 436, unique session key module 438, TX/RX module 440, and/or other command modules.

Freshness parameter module 436 can be configured to generate freshness parameters. In some embodiments, freshness parameter module 436 may run within a secure bootstrapping client of UE 402, such as a GBA client. In some embodiments, freshness parameter module 436 uses a random number generator to generate random numbers for use as freshness parameters. In some embodiments, freshness parameter module 436 can be configured to generate a nonce value for use as a freshness parameter.

Unique session key module 438 may be configured to generate a unique session key based on the first session key and the freshness parameter. In some embodiments, the freshness parameter may be associated with a specific application of UE 402. In some embodiments, the first session key may be associated with UE 402. In some embodiments, the freshness parameter may be associated with a specific application of UE 402.

TX/RX module 440 may be configured to enable communications with network device 404, for example, via wireless transceiver 266.

TX/RX module 440 may be configured to transmit freshness parameters (e.g., via wireless transceiver 266) to the NAF of network device 404 in a configuration that allows the NAF to generate a unique session key. You can. TX/RX module 440 may be configured to communicate with network device 404 using a unique session key. TX/RX module 440 may be configured to receive a request from the NAF to initiate secure communications that include the NAF's domain name and a security protocol identifier.

Referring to network device 404 , processor(s) 428 may be configured by machine-readable instructions 406 . Machine-readable instructions 406 may include one or more instruction modules. Instruction modules may also include computer program modules. Command modules may include one or more of freshness parameter module 408, unique session key module 410, transmit/receive (TX/RX) module 412, and/or other command modules.

Freshness parameter module 408 may be configured to receive freshness parameters from UE 402.

Unique session key module 410 may be configured to receive a first session key from the KSF of network device 404. Unique session key module 410 may be configured to generate a unique session key based on the freshness parameter and the first session key.

TX/RX module 412 may be configured to communicate with UE 402 using a unique session key (e.g., via wireless transceiver 266). TX/RX module 412 may be configured to send a request to UE 402 to initiate secure communications including the domain name of the NAF and a security protocol identifier.

In some embodiments, UE 402 and network device 404 may be operably linked via one or more wireless communication links (e.g., wireless communication link 122). It will be appreciated that this is not intended to be limiting, and that the scope of the present disclosure includes embodiments in which the UE 402 and network device 404 may be operably linked via some other communication medium.

Electronic storage 426, 430 may include non-transitory storage media that store information electronically. Electronic storage media in electronic storage units 426, 430 may be transmitted, for example, through ports (e.g., Universal Serial Bus (USB) ports, FireWire ports, etc.) or drives (e.g., disk drives, etc.). Removable storage removably connectable to the UE 402 and network device 404 and/or system storage provided integrally with the UE 402 and network device 404 (i.e., substantially non-removable) It may include one or both parts. Electronic storage 426, 430 may include optically readable storage media (e.g., optical disks, etc.), magnetically readable storage media (e.g., magnetic tape, magnetic hard drive, floppy drive, etc.), charge-based storage media, etc. It may include one or more of storage media (eg, EEPROM, RAM, etc.), solid-state storage media (eg, flash drives, etc.), and/or other electronically readable storage media. Electronic storage 426, 430 may include one or more virtual storage resources (eg, cloud storage, virtual private network, and/or other virtual storage resources). Electronic storage 426, 430 may store software algorithms, information determined by processor(s) 428, 432, information received from UE 402 and network device 404, or UE 402 and network device 404. 404 may also store other information that enables it to function as described herein.

Processor(s) 428 , 432 may be configured to provide information processing capabilities at UE 402 and network device 404 . Accordingly, processor(s) 428, 432 may be a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanism for electronically processing information. It may include one or more of these. Although processor(s) 428, 432 are illustrated as single entities, this is for illustrative purposes only. In some embodiments, processor(s) 428, 432 may include a plurality of processing units and/or processor cores. Processing units may be physically located within the same device, or processor(s) 428, 432 may represent the processing functionality of multiple devices operating in concert. Processor(s) 428, 432 may include software; hardware; firmware; Some combination of software, hardware, and/or firmware; and/or other mechanisms for configuring processing capabilities on processor(s) 428, 432. It may be possible. As used herein, the term “module” may refer to any component or set of components that perform the functionality attributed to the module. It may involve one or more physical processors during execution of processor-readable instructions, processor-readable instructions, circuitry, hardware, storage media, or any other components.

The description of the functionality provided by the different modules 408-412 and modules 436-440 described below is for illustrative purposes and It is not intended to be limiting, as any module may provide more or less functionality than described. For example, one or more of modules 408-412 and 436-440 may be removed and some or all of its functionality may be removed from other modules 408-412 and 436-440. ) may also be provided by . As another example, processor(s) 428, 432 may include one or more additional modules that may perform some or all of the functionality resulting from modules 408-412 and one of modules 436-440. It can also be configured to run:

FIG. 5A is a block diagram illustrating an example system 500a for bootstrapping application security suitable for use with various embodiments. 1A-5A, system 500a includes UE 502, NAF 504, Key Server Function (KSF) 506, Home Subscriber Server (HSS) 508, and Subscriber Locator Function (SLF). It may include (510).

In various embodiments, UE 502 and KSF 506 may perform authentication operations to authenticate UE 202. In some embodiments, negotiation between KSF 506 and UE 502 may perform authentication operations over the Ub interface and may utilize a protocol such as AKA. UE 502 may communicate with NAF 504, for example, via the Ua interface. In various embodiments, UE 502 and NAF 504 may not have a previous security association. UE 502 may generate a first session key, e.g. Ks_NAF. NAF 504 may receive a first session key (e.g., Ks_NAF) from KSF 506 via the Zn interface.

HSS 508 may be a database or other suitable data store that can store user authentication credentials for UE 502, such as user security settings (USS) (e.g., GBA user security settings (GUSS)). It can function. In some embodiments, HSS 508 may map user authentication credentials to a personal identity, such as an IP Multimedia Personal Identity (IMPI). HSS 508 may communicate this and other information to KSF 506 via the Zh interface. SLF 510 may store and provide information to identify HSS 508 that stores information about UE 502 (i.e., information about a specific UE). KSF 506 and SLF 510 may communicate via the Dz interface.

FIG. 5B is a message flow diagram illustrating communications that may be exchanged between a UE and a network device during a method 500b for securing communications in accordance with various embodiments. 1A-5B , in some embodiments, a UE 520 (e.g., 120a-120e, 170, 320, 404, 502) and a network device 526 (e.g., 142a, 154, 156, 158, 350, 402) may communicate via a wireless communications network, aspects of which are described above with reference to FIGS. 1A and 1B. UE 520 may include a GBA client 522 and an application client 420. Network device 526 may include NAF 528 and KSF 530.

NAF 528 may optionally send message 532 to GBA Client 522. Message 532 may include a request to initiate secure communications that include the NAF's domain name (e.g., FQDN) and a security protocol identifier (e.g., Ua security protocol identifier). In some embodiments, the security protocol identifier can allow different keys to be generated for different protocols. In some embodiments, each key may be limited to one use. In some embodiments, the NAF's domain name may ensure that the key is unique to the NAF 528.

In operation 534, GBA client 522 may generate a freshness parameter. In some embodiments, the freshness parameter may be or include a random number or a pseudorandom number, such as one generated using a random number generation algorithm. In some embodiments, the freshness parameter may be or include an incremented value, such as the value of a counter that is incremented each time a new unique session key is required (e.g., for a new application or new instantiation of an application). there is. In some embodiments, the incremented value may be used as a nonce value (eg, an incremented nonce value).

At operation 536, GBA client 522 may generate a unique session key (which may be referred to as Ks_NAF_unique) based on the first session key (e.g., Ks_NAF) and the freshness parameter. GBA client 522 may send the freshness parameter to application client 524 in message 538.

Application client 524 may send freshness parameters to NAF 528 in message 540. In some embodiments, message 540 may include a network service request message (e.g., an application request message). In some embodiments, the network service request message may include a bootstrapping transaction identifier (B-TID). In some embodiments, the B-TID may function as an identifier of the first session key (eg, Ks_NAF).

NAF 528 may transmit the B-TID to KSF 530 in message 542. In some embodiments, message 542 may also include a NAF identifier. In some embodiments, message 542 may include an authentication request message.

KSF 530 may send a version of the first session key (e.g., Ks_NAF) to NAF 528 in message 544. In some embodiments, message 544 may also include an application specific identifier associated with the UE (e.g., from a user profile associated with the UE). In some embodiments, message 544 may include an authentication response message.

As mentioned above, in various embodiments, a UE 520 (e.g., GBA client 522) and a network device 526 (e.g., NAF 520) may use a protocol of messages or message exchanges. Alternatively, to enable implementation of various embodiments without changing the architecture, one may include a freshness parameter in an existing field of the message between the UE 520 and the network device 526, for example, the Digest AKA protocol. For devices using TLS, the freshness parameter may be included in the “cnonce” field. As another example, for devices using Transport Layer Security (TLS), the freshness parameter may be an existing field in the ClientHello message or other appropriate message. In some embodiments, the length of the freshness parameter may be configured to fit within this existing field and/or message, in various embodiments, with other encryption or session keys. In various embodiments, GBA client 522 and NAF 528 may generate freshness parameters and/or unique session keys at a similar security level and/or in a similarly secured portion of memory. It can be processed, used, processed and/or stored in the secure memory of each device.

At operation 546 , NAF 528 may generate a unique session key based on the first session key received from KSF 530 and the freshness parameter received from UE 520 . Accordingly, in operation 546, the NAF may determine and use a unique session key identical to that generated by the UE without exchanging any private keys or information that could be used to break the cryptographic security provided by the unique session key. This is because the freshness parameter is used only once to generate a unique session key that changes in each communication session.

In operation 548, NAF 528 may store the generated unique session key in memory of NAF 528 (or of network device 526) for use during the communication session.

NAF 528 may send a response message 550 (e.g., in response to message 540, e.g., an application request message) to application client 524. In some embodiments, message 550 may include an application response message.

UE 520 (e.g., application client 524) and network device 526 (e.g., NAF 528) can perform secure communication 552 using a unique session key. As described above, a unique session key may be unique to one application or service of UE 520.

FIG. 6 is a process flow diagram illustrating a method 600 that may be performed by a processor of a UE to secure communications with a network element in accordance with various embodiments. 1A-6, the operations of method 600 may be performed by a processor (e.g., processor 210, 212, 214, 216) of a UE (e.g., 120a-120e, 170, 320, 404, 502, 520). , 218, 252, 260, 432)).

At optional block 602, the processor may receive a request to initiate secure communications from a network application function (NAF) of the network device. In some embodiments, the request may include the NAF's domain name and security protocol identifier. Means for performing the operations of optional block 602 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, TX/RX module 440, and GBA client ( 522) may be included.

At block 604, the processor may generate a freshness parameter. In some embodiments, the freshness parameter may be generated by a secure bootstrapping client running on the UE's processor or on another processor (e.g., in a secure processing domain). In some embodiments, the freshness parameter may be associated with a specific application running in the UE or a specific instantiation of the application (e.g., first instantiation, second instantiation, etc.). In some embodiments, the freshness parameter can be or include a random value. In some embodiments, the freshness parameter can be or include an incremented nonce value. Means for performing the operations of block 604 may include processors 210, 212, 214, 216, 218, 252, 260, 432, freshness parameter module 436, and GBA client 522.

At block 606, the processor may generate a unique session key based on the first session key and the freshness parameter. For example, the processor may apply the first session key (e.g., Ks_NAF) and the freshness parameter to a key generation algorithm to generate a unique session key (e.g., Ks_NAF_unique). In some embodiments, a unique session key may be associated with a specific application of the UE and the first session key may be associated with the UE. In some embodiments, a particular application may be or include a particular instantiation (e.g., first instantiation, second instantiation, etc.) of the application. Means for performing the operations of block 606 may include a processor 210, 212, 214, 216, 218, 252, 260, 432, unique session key module 438, and GBA client 522.

At block 608, the processor may send a freshness parameter to the NAF (e.g., 504, 528) in a configuration that allows the NAF to generate a unique session key. In some embodiments, the processor may send the freshness parameter to the NAF in a network service request message (e.g., an application request message). Means for performing the operations of block 608 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, TX/RX module 440, and application client 524. may include.

At block 610, the processor may communicate with the NAF using the unique session key (e.g., to encrypt messages sent to the NAF and decrypt messages received from the NAF). In some embodiments, an application client executing on a processor may perform communications with the NAF. Means for performing the operations of block 610 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, TX/RX module 440, and application client 524. may include.

FIG. 7 is a process flow diagram illustrating a method 700 that may be performed by a processor of a network device to secure communications with a UE in accordance with various embodiments. 1A-7, the operations of method 700 may be performed by a processor (e.g., processor 210, 212, 214, 216, 218, 252, 260, 432)).

In optional block 702, the processor may send a request to the UE to initiate secure communications. In some embodiments, the request may include the NAF's domain name and security protocol identifier. Means for performing the operations of optional block 702 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, TX/RX module 440, and NAF 528. ) may include.

At block 704, the NAF may receive a freshness message from the UE. In some embodiments, the freshness parameter may be associated with a specific application of the UE. In some embodiments, a particular application may be or include a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). In some embodiments, the freshness parameter can be or include a random value. In some embodiments, the freshness parameter can be or include an incremented nonce value. Means for performing the operations of block 704 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, freshness parameter module 408, and NAF 528. It can be included.

At block 706, the processor may receive a first session key from a key server function (KSF). In some embodiments, the first session key may be associated with a UE, Ks_NAF session key, for example. Means for performing the operations of block 706 include processors 210, 212, 214, 216, 218, 252, 260, 432, unique session key module 410, NAF 528, and KSF 506, 530. ) may include.

At block 708, the processor may generate a unique session key based on the freshness parameter and the first session key. For example, the processor may include a freshness parameter and a first session key ( For example, Ks_NAF) can be applied and thus generate a unique session key identical to that generated by the UE. In some embodiments, a unique session key may be associated with a specific application of the UE, and the first session key is associated with the UE. In some embodiments, a particular application may be a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). The means for performing the operations of block 706 may include a processor 210, 212, 214, 216, 218, 252, 260, 432), unique session key module 410, and NAF 528.

At block 710, the processor may communicate with the UE using the unique session key (e.g., to encrypt messages sent to the UE and decrypt messages received from the UE). Means for performing the operations of block 710 include processors 210, 212, 214, 216, 218, 252, 260, 432, wireless transceiver 266, TX/RX module 440, and NAF 528. It can be included.

FIG. 8 is a component block diagram of a network device 800 suitable for use in various embodiments. These network devices (e.g., network devices 142a, 154, 156, 158, 350, 404, 526) may include at least the components illustrated in FIG. 8. 1A-8, network device 800 may typically include a processor 801 coupled to volatile memory 802 and a large amount of non-volatile memory, such as a disk drive 808. Network device 800 may also include a peripheral memory access device 806, such as a floppy disk drive, compact disk (CD), or digital video disk (DVD) drive coupled to processor 801. Network device 800 also has network access ports 804 coupled to processor 801 to establish data connections with a network, such as the Internet or a local area network coupled to other system computers and servers. (or interfaces) may be included. Network device 800 may include one or more antennas 807 for transmitting and receiving electromagnetic radiation, which may be connected to a wireless communication link. Network device 800 may include additional access ports such as USB, Firewire, Thunderbolt, etc. for coupling to peripherals, external memory, or other devices.

FIG. 9 is a component block diagram of UE 900 suitable for use in various embodiments. 1A-9, various embodiments may be implemented on UEs 900 (e.g., UEs 120a-120e, 170, 320, 402, 502, 520), such as smart It is shown in Figure 9 in the form of a phone. UE 900 may include a first SOC 202 (e.g., a SOC-CPU) coupled to a second SOC 204 (e.g., a 5G-capable SOC). First and second SOCs 202, 204 may be coupled to internal memory 916, display 912, and speaker 914. Additionally, UE 900 may be configured to transmit and receive electromagnetic radiation, which may be coupled to a wireless transceiver 266 coupled to one or more processors in first and/or second SOCs 202, 204. It may also include an antenna 904. UE 900 may include menu selection buttons or rocker switches 920 to receive user inputs.

UE 900 also performs sound encoding/decoding (which digitizes sound received from a microphone into data packets suitable for wireless transmission and decodes the received sound data packets to generate analog signals that are provided to a speaker to generate sound). CODEC) circuit 910. One or more of the processors in the first and second SOCs 202, 204, wireless transceiver 266, and codec 910 may include digital signal processor (DSP) circuitry (not shown separately).

The processors of network device 800 and UE 900 are any programmable microprocessor that can be configured by software instructions (applications) to perform various functions, including the functions of some implementations described below. , it may be a microcomputer or multiple processor chip or chips. In some UEs, multiple processors may be provided, such as one processor in SOC 204 dedicated to wireless communication functions and one processor in SOC 202 dedicated to running other applications. Software applications may be stored in memory 802, 916 before being accessed and loaded into the processor. Processors may include sufficient internal memory to store application software instructions.

As used in this application, the terms “component,” “module,” “system,” and the like refer to computer-related entities such as, but not limited to, hardware, firmware, a combination of hardware and software, software, or software in execution. Intended to include, they are configured to perform specific operations or functions. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, or a computer. By way of example, both the UE and an application running on a UE may be referred to as a component. One or more components may reside within a process or thread of execution, and a component may be localized to one processor or core or distributed between two or more processors or cores. Additionally, these components may execute from various non-transitory computer-readable media having various instructions or data structures stored thereon. Components may communicate via local or remote processes, function or procedure calls, electronic signals, data packets, memory reads/writes, and other well-known network, computer, processor, or process-related communication methods. .

A number of different cellular and mobile communication services and standards may be available or contemplated in the future, all of which may implement and benefit from various embodiments. Such services and standards include, for example, the Third Generation Partnership Project (3GPP), Long Term Evolution (LTE) systems, Third Generation Wireless Mobile Communications Technology (3G), Fourth Generation Wireless Mobile Communications Technology (4G), The fifth generation of wireless mobile communications technology (5G) as well as the later generations of 3GPP technologies, Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), 3GSM, General Packet Radio Service (GPRS), Code Division Multiple Access ( CDMA) systems (e.g., cdmaOne, CDMA1020TM), enhanced data rates for GSM evolution (EDGE), Advanced Mobile Phone System (AMPS), digital AMPS (IS-136/TDMA), evolution-data optimized (EV-DO), Digitally Enhanced Cordless Telecommunications (DECT), Worldwide Interoperability for Microwave Access (WiMAX), Wireless Local Area Network (WLAN), Wi-Fi Protected Access I & II (WPA, WPA2), and Integrated Digitally Enhanced Network (iDEN) Includes. Each of these technologies involves transmitting and receiving, for example, voice, data, signaling, and/or content messages. Any references to terminology and/or technical details relating to an individual telecommunications standard or technology are for illustrative purposes only and, unless explicitly stated in the claim language, are intended to limit the scope of the claims to a particular telecommunications system or technology. It must be understood that this does not work.

The various embodiments illustrated and described are provided merely as examples to illustrate various features of the claims. However, features shown and described with respect to any given embodiment are not necessarily limited to the associated embodiment and may be used with or combined with other embodiments shown and described. Additionally, the claims are not intended to be limited by any one example embodiment. For example, one or more of the methods and acts disclosed herein may be combined with or replaced with one or more of the acts and acts of the methods.

Implementation examples are described in the following paragraphs. While some of the following implementation examples are described with respect to example methods, additional example implementations include: a UE or network device comprising a processor configured with processor-executable instructions to perform the operations of the following implementation example methods; The example methods discussed in the following paragraphs implemented by; may include the example methods discussed in the following paragraphs implemented by a UE or a network device including means for performing the functions of the methods of the following implementation examples; and the example methods discussed in the following paragraphs as a non-transitory processor-readable storage medium storing processor-executable instructions configured to cause a processor of a UE or network device to perform the operations of the methods of the following implementation examples. It can be implemented.

Example 1. A method of securing communications performed by a processor of a user equipment (UE) includes generating a freshness parameter, generating a first session key and a unique session key based on the freshness parameter, a network application In a configuration where the function (NAF) can generate a unique session key, it includes sending freshness parameters to the NAF, and communicating with the NAF using the unique session key.

Example 2. The method of Example 1, wherein the freshness parameter is generated by a secure bootstrapping client executing on the processor, and the application client executing on the processor communicates with the NAF using a unique session key.

Example 3. In the method of Example 2, the secure bootstrapping client of the UE includes either a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client.

Example 4. The method of any of Examples 1-3, where the freshness parameter is associated with a specific application of the UE.

Example 5. The method of any of Examples 1-4, wherein the unique session key is associated with a specific application of the UE and the first session key is associated with the UE.

Example 6. The method of Example 5, the specific application includes a specific instantiation of the application.

Example 7. The method of any one of Examples 1-6 further includes receiving a request from the NAF to start secure communication.

Example 8. The method of any of Examples 1-7, wherein the freshness parameter includes a random value.

Example 9. The method of any of Examples 1-8, where the freshness parameter includes an incremented nonce value.

Example 10. The method of any of Examples 1-9, wherein sending the freshness parameter to the NAF in a configuration where the NAF can generate a unique session key includes sending the freshness parameter to the NAF in a network service request message. do.

Example 11. A method of securing communications performed by a processor of a device includes receiving a freshness parameter from a user equipment (UE) by a Network Application Function (NAF), a first session key from a Key Server Function (KSF) receiving, generating a unique session key based on the freshness parameter and the first session key, and communicating with the UE using the unique session key.

Example 12. The method of Example 11, where the freshness parameter is generated by the UE's secure bootstrapping client, and the UE's application client communicates with the NAF using a unique session key.

Example 13. In the method of Example 12, the secure bootstrapping client of the UE includes either a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client.

Example 14. The method of any of Examples 11-13, where the freshness parameter is associated with a specific application of the UE.

Example 15. The method of any of examples 11-14, wherein the unique session key is associated with a specific application of the UE and the first session key is associated with the UE.

Example 16. The method of any of Examples 11-15, where the specific application includes a specific instantiation of the application.

Example 17. The method of any of Examples 11-16, wherein the freshness parameter includes a random value.

Example 18. The method of any of Examples 11-17, where the freshness parameter includes an incremented nonce value.

Example 19. The method of any one of Examples 11-18 further includes transmitting a request to start secure communication to the UE.

Example 20. The method of any of Examples 11-19, wherein receiving the freshness parameter from the UE by the NAF includes receiving the freshness parameter in a network service request message.

The foregoing method descriptions and process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the operations of the various embodiments must be performed in the order presented. As will be appreciated by those skilled in the art, the order of operations in the above-described embodiments may be performed in any order. Words such as “thereafter,” “then,” “next,” etc. are not intended to limit the order of operations; These words are used to guide the reader through the description of the methods. Additionally, any reference to claim elements in the singular, e.g., using the articles “a,” “an,” or “the,” shall not be construed as limiting that element to the singular.

The various illustrative logical blocks, modules, components, circuits, and algorithmic operations described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and operations have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software will depend on the specific application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be construed as causing a departure from the scope of the claims.

The hardware used to implement the various illustrative logics, logical blocks, modules, and circuits described in connection with the embodiments disclosed herein include general purpose processors, digital signal processors (DSPs), and application specific integrated circuits (ASICs). , a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. there is. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of receiver smart objects, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors combined with a DSP core, or any other configuration. Alternatively, some operations or methods may be performed by circuitry specific to a given function.

In one or more embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable storage medium or non-transitory processor-readable storage medium. The operations of a method or algorithm disclosed herein may be implemented in processor-executable instructions or processor-executable software modules that may reside on a non-transitory computer-readable or processor-readable storage medium. Non-transitory computer-readable or processor-readable storage media may be any storage media that may be accessed by a computer or processor. By way of example, and not limitation, such non-transitory computer-readable or processor-readable storage media may include RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage smart objects, or any desired storage media. It may be used to store program code in the form of instructions or data structures and may include any other medium that may be accessed by a computer. As used herein, disk and disc include compact disk (CD), laser disk, optical disk, digital versatile disk (DVD), floppy disk, and Blu-ray disk, where disk ( Disks typically reproduce data magnetically, but discs reproduce data optically using lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside on a non-transitory processor-readable storage medium and/or computer-readable storage medium as one or any combination or set of codes and/or instructions, which may be a computer program. It can also be integrated into products.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the claims. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the scope of the claims. Accordingly, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.

Claims (34)

As user equipment (UE),
create a freshness parameter;
generate a unique session key based on the first session key and the freshness parameter;
send the freshness parameter to a Network Application Function (NAF) in a configuration where the NAF can generate the unique session key; and
to communicate with the NAF using the unique session key
User equipment, comprising a processor configured with processor-executable instructions. According to claim 1,
the freshness parameter is generated by a secure bootstrapping client executing on the processor; and
An application client executing on the processor communicates with the NAF using the unique session key. According to claim 2,
The user equipment, wherein the secure bootstrapping client of the UE includes one of a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client. According to claim 1,
The freshness parameter is associated with a specific application of the UE. According to claim 1,
wherein the processor is further configured with processor-executable instructions such that the unique session key is associated with a specific application of the UE and the first session key is associated with the UE. According to claim 5,
The user equipment is further configured with processor-executable instructions that cause the specific application to include a specific instantiation of an application. According to claim 1,
wherein the processor is further configured with processor-executable instructions that cause the freshness parameter to include a random value. According to claim 1,
wherein the processor is further configured with processor-executable instructions that cause the freshness parameter to include an incremented nonce value. According to claim 1,
wherein the processor is further configured with processor-executable instructions for transmitting the freshness parameter to the NAF in a network service request message. A method of securing communications performed by a processor of a user equipment (UE), comprising:
generating a freshness parameter;
generating a unique session key based on the first session key and the freshness parameter;
transmitting the freshness parameter to a Network Application Function (NAF) in a configuration where the NAF is capable of generating the unique session key; and
A method of securing communications performed by a processor of user equipment, comprising communicating with the NAF using the unique session key. According to claim 10,
The freshness parameter is generated by a secure bootstrapping client of the UE; and
An application client of the UE communicates with the NAF using the unique session key. According to claim 11,
A method of securing communications performed by a processor of a user equipment, wherein the secure bootstrapping client of the UE includes one of a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client. According to claim 10,
The method of claim 1, wherein the freshness parameter is associated with a specific application of the UE. According to claim 10,
The unique session key is associated with a specific application of the UE, and the first session key is associated with the UE. According to claim 14,
A method of securing communications performed by a processor of a user equipment, wherein the specific application comprises a specific instantiation of an application. According to claim 11,
A method of securing communications performed by a processor of user equipment, wherein the freshness parameter includes a random value. According to claim 11,
A method of securing communications performed by a processor of user equipment, wherein the freshness parameter includes an incremented nonce value. According to claim 11,
Sending the freshness parameter to the NAF in a configuration wherein the NAF is capable of generating the unique session key comprises sending the freshness parameter to the NAF in a network service request message. A method of securing communications conducted by . As a network device,
Receive freshness parameters from a user equipment (UE) and from a Network Application Function (NAF);
Receive, from a key server function, a first session key;
generate a unique session key based on the freshness parameter and the first session key; and
to communicate with the UE using the unique session key
A network device comprising a processor configured with processor-executable instructions. According to claim 19,
The freshness parameter is associated with a specific application of the UE. According to claim 19,
The network device wherein the freshness parameter includes a random value. According to claim 19,
The network device of claim 1, wherein the freshness parameter includes an incremented nonce value. According to claim 19,
wherein the unique session key is associated with a specific application of the UE and the first session key is associated with the UE. According to claim 23,
A network device, wherein the specific application includes a specific instantiation of an application. According to claim 19,
The network device is further configured with processor-executable instructions for sending a request to the UE to initiate secure communications. According to claim 19,
The processor is further configured with processor-executable instructions for receiving the freshness parameter in a network service request message. A method of securing communications performed by a processor of a device, comprising:
Receiving freshness parameters from a user equipment (UE) by a Network Application Function (NAF);
Receiving a first session key from a key server function;
generating a unique session key based on the freshness parameter and the first session key; and
A method of securing communications performed by a processor of a device, comprising communicating with the UE using the unique session key. According to clause 27,
A method of securing communications performed by a processor of a device, wherein the freshness parameter is associated with a specific application of the UE. According to clause 27,
A method of securing communications performed by a processor of a device, wherein the freshness parameter includes a random value. According to clause 27,
A method of securing communications performed by a processor of a device, wherein the freshness parameter includes an incremented nonce value. According to clause 27,
wherein the unique session key is associated with a specific application of the UE and the first session key is associated with the UE. According to claim 31,
A method of securing communications performed by a processor of a device, wherein the specific application comprises a specific instantiation of an application. According to clause 27,
A method of securing communications performed by a processor of a device, further comprising transmitting to the UE a request to initiate a secure communication. According to clause 27,
Wherein receiving the freshness parameter from the UE and at the NAF comprises receiving the freshness parameter in a network service request message.

Images