TW202320557A - Securing application communication - Google Patents

Securing application communication

Info

Publication number
TW202320557A
Authority
TW
Taiwan
Prior art keywords
session key
freshness parameter
processor
naf
application
Prior art date
Application number
TW111134693A
Other languages
Chinese (zh)
Inventor
愛德利恩愛德華 伊史考特
李秀凡
艾納德 帕拉尼古德
金弘壹
Original Assignee
美商高通公司
Priority date
Filing date
Publication date
Priority claimed from US 17/931,505 (US20230093720A1)
Application filed by 美商高通公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431: Key distribution or pre-distribution; Key agreement
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L 2209/80: Wireless
    • H04L 2463/00: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/061: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Abstract

In embodiments of systems and methods for synchronous content presentation, a user equipment (UE) may generate a freshness parameter, generate a unique session key based on a first session key and the freshness parameter, and send the freshness parameter to a Network Application Function (NAF) of a network device in a configuration that will enable the NAF to generate the unique session key. The network device may receive the freshness parameter, receive from a Key Server Function (KSF) the first session key, and generate based on the freshness parameter and the first session key the unique session key. The UE and the network device may then conduct secure communications using the unique session key without exchanging the unique session key between the two devices.

Description

Securing Application Communications

This patent application claims the benefit of priority to U.S. Provisional Application No. 63/245,692, entitled "SECURING APPLICATION COMMUNICATION" and filed September 17, 2021, the entire contents of which are hereby incorporated by reference for all purposes.

This disclosure relates to securing application communications.

Fifth-generation (5G) New Radio (NR) and other communication technologies enable ultra-reliable, low-latency communication with user equipment (UE) such as wireless devices. One application of such communication systems is providing various services to UEs. In some cases, an edge computing architecture may be used to deliver such services. An edge computing architecture enables services to be provided from network devices or elements (such as servers) located relatively close to the UE, which can reduce end-to-end latency and reduce resource demand and consumption on the communication network. Some applications and services may employ, or may require, communication security in order to provide one or more functions.

Various aspects include methods performed by a processor of a UE for securing communications. Some aspects may include: generating a freshness parameter; generating a unique session key based on a first session key and the freshness parameter; sending the freshness parameter to a network application function (NAF) in a configuration that will enable the NAF to generate the unique session key; and communicating with the NAF using the unique session key.

In some aspects, the freshness parameter may be generated by a security bootstrapping client of the UE, and an application client of the UE may use the unique session key to communicate with the NAF. In some aspects, the security bootstrapping client of the UE may include one of a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client. In some aspects, the freshness parameter may be associated with a specific application of the UE. In some aspects, the unique session key may be associated with a specific application of the UE, and the first session key may be associated with the UE. In such aspects, the specific application may include a specific instantiation of the application.

In some aspects, the freshness parameter may include a random value. In some aspects, the freshness parameter may include an incrementing nonce value. In some aspects, sending the freshness parameter to the NAF in a configuration that will enable the NAF to generate the unique session key may include sending the freshness parameter to the NAF in a network service request message.

Further aspects include a UE having a processor configured to perform one or more operations of any of the methods summarized above. Further aspects include a processing device for use in a UE, configured with processor-executable instructions to perform the operations of any of the methods summarized above. Further aspects include a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a UE to perform the operations of any of the methods summarized above. Further aspects include a UE having means for performing the functions of any of the methods summarized above. Further aspects include a system on chip for use in a UE, including a processor configured to perform one or more operations of any of the methods summarized above.

Various aspects include methods performed by a processor of a network device for securing communications. Some aspects may include: receiving, by a NAF, a freshness parameter from a UE; receiving a first session key from a key server function (KSF); generating a unique session key based on the freshness parameter and the first session key; and communicating with the UE using the unique session key.

In some aspects, the freshness parameter may be associated with a specific application of the UE. In some aspects, the freshness parameter may include a random value. In some aspects, the freshness parameter may include an incrementing nonce value.

In some aspects, the unique session key may be associated with a specific application of the UE, and the first session key may be associated with the UE. In such aspects, the specific application may include a specific instantiation of the application. Some aspects may include sending to the UE a request to initiate secure communication. In some aspects, receiving the freshness parameter from the UE by the NAF may include receiving the freshness parameter in a network service request message.

Further aspects include a network device having a processor configured to perform one or more operations of any of the methods summarized above. Further aspects include a processing device for use in a network device, configured with processor-executable instructions to perform the operations of any of the methods summarized above. Further aspects include a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a network device to perform the operations of any of the methods summarized above. Further aspects include a network device having means for performing the functions of any of the methods summarized above. Further aspects include a system on chip for use in a network device, including a processor configured to perform one or more operations of any of the methods summarized above.

Various embodiments will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numerals are used throughout the drawings to refer to the same or similar parts. References to specific examples and implementations are for illustrative purposes and are not intended to limit the scope of the claims.

In various embodiments, to secure communications between a user equipment (UE) and a network device or element (such as a server), a key generation entity executing within the UE may be configured to generate a freshness parameter, which the UE uses to generate a unique session key for use in a communication protocol (such as a security bootstrapping operation). The UE sends the freshness parameter to the network device as part of the bootstrapping operation, and the network then uses the freshness parameter to generate the same unique session key for use in that protocol. The UE and the network device then use the generated unique session key to secure communications for a specific application or service. In some implementations, the UE and the network device may generate unique session keys for different applications or services. In this way, the UE (e.g., its edge applications) and the network device (e.g., an edge server) can protect (secure, encrypt) the communications of multiple applications using a unique session key for each application's communications. Various embodiments may be used in, or as part of, the Generic Bootstrapping Architecture (GBA), Authentication and Key Management for Applications (AKMA), and other suitable security architectures and protocols. For clarity, some examples herein may be described with reference to a particular security architecture or protocol, but this is not intended as a limitation on any of the concepts described.

The terms "user equipment" and "UE" are used herein to refer to any or all of endpoint or user devices, including wireless devices, wireless router devices, wireless appliances, cellular telephones, smartphones, portable computing devices, personal or mobile multimedia players, laptop computers, tablet computers, smartbooks, ultrabooks, palmtop computers, wireless electronic mail receivers, multimedia Internet-enabled cellular telephones, medical devices and equipment, biometric sensors/devices, wearable devices (including smart watches, smart clothing, smart glasses, smart wristbands, smart jewelry (e.g., smart rings and smart bracelets)), entertainment devices (e.g., wireless gaming controllers, music and video players, satellite radios, etc.), wireless-network-enabled Internet of Things (IoT) devices (including smart meters/sensors, industrial manufacturing equipment, large and small machinery and appliances for home or enterprise use, and wireless communication elements within autonomous and semi-autonomous vehicles), UEs affixed to or incorporated into various mobile platforms, global positioning system devices, and similar electronic devices that include a memory, wireless communication components, and a programmable processor.

The term "system on chip" (SOC) is used herein to refer to a single integrated circuit (IC) chip that contains multiple resources or processors integrated on a single substrate. A single SOC may contain circuitry for digital, analog, mixed-signal, and radio-frequency functions. A single SOC may also include any number of general-purpose or specialized processors (digital signal processors, modem processors, video processors, etc.), memory blocks (e.g., ROM, RAM, flash memory, etc.), and resources (e.g., timers, voltage regulators, oscillators, etc.). An SOC may also include software for controlling the integrated resources and processors and for controlling peripheral devices.

The term "system in package" (SIP) may be used herein to refer to a single module or package that contains multiple resources, computational units, cores, or processors on two or more IC chips, substrates, or SOCs. For example, a SIP may include a single substrate on which multiple IC chips or semiconductor dies are stacked in a vertical configuration. Similarly, a SIP may include one or more multi-chip modules (MCMs) on which multiple ICs or semiconductor dies are packaged into a unifying substrate. A SIP may also include multiple independent SOCs that are coupled together via high-speed communication circuitry and packaged in close proximity, such as on a single motherboard or in a single wireless device. The proximity of the SOCs facilitates high-speed communication and the sharing of memory and resources.

As used herein, the terms "network", "system", "wireless network", "cellular network", and "wireless communication network" may interchangeably refer to a portion or all of a wireless network of a carrier associated with a wireless device and/or a subscription on a wireless device. The techniques described herein may be used for various wireless communication networks, such as code division multiple access (CDMA), time division multiple access (TDMA), FDMA, orthogonal FDMA (OFDMA), single-carrier FDMA (SC-FDMA), and other networks. In general, any number of wireless networks may be deployed in a given geographic area. Each wireless network may support at least one radio access technology, which may operate on one or more frequencies or frequency ranges. For example, a CDMA network may implement Universal Terrestrial Radio Access (UTRA) (including the Wideband Code Division Multiple Access (WCDMA) standards), CDMA2000 (including the IS-2000, IS-95, and/or IS-856 standards), etc. In another example, a TDMA network may implement Enhanced Data Rates for GSM Evolution (EDGE). In another example, an OFDMA network may implement Evolved UTRA (E-UTRA) (including the LTE standards), Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM®, etc. Reference may be made to wireless networks that use the LTE standards, and therefore the terms "Evolved Universal Terrestrial Radio Access", "E-UTRAN", and "eNodeB" may also be used interchangeably herein to refer to a wireless network. However, such references are provided merely as examples and are not intended to exclude wireless networks that use other communication standards. For example, although various third-generation (3G), fourth-generation (4G), and fifth-generation (5G) systems are discussed herein, those systems are referenced merely as examples, and future-generation systems (e.g., sixth-generation (6G) or later systems) may be substituted in the various examples.

Ultra-reliable, low-latency communication enabled by 5G NR and other suitable communication technologies makes it possible to provide various services to UEs. In some cases, such services may be provided at least in part using an edge computing architecture, which enables services to be provided from network devices or elements (such as servers) located relatively close to the UE. Providing services from edge devices can reduce end-to-end latency and reduce resource demand and consumption on the communication network.

Some applications and services may employ, or may require, communication security in order to provide one or more functions. For example, the Generic Bootstrapping Architecture (GBA) may provide a mechanism that uses a protocol such as 3GPP Authentication and Key Agreement (AKA) to provision a shared secret between the UE and a network device. As another example, Authentication and Key Management for Applications (AKMA) may employ similar operations between a UE and a network device (e.g., one executing an application function (AF)). In conventional approaches, the UE and the network device share a single shared secret for all communications by all services and applications.

Various embodiments include methods, and computing devices configured to perform the methods, for securing communications between a UE and a network device that provide per-application or per-service communication security. In some embodiments, the UE may generate a freshness parameter (e.g., via a security bootstrapping client of the UE, such as a GBA client). Using a first session key (e.g., a root key shared with the network device) and the freshness parameter, the UE may generate a unique session key. In various implementations, the freshness parameter may be associated with a specific application executing on, or being provided to, the UE. For example, a UE may have several different edge applications executing on its processor that are communicating with the same edge server. For instance, multiple concurrent edge applications might include a navigation application, a media (e.g., music) streaming application, and an augmented reality application, each of which should have a different unique key. In various embodiments, the UE and the edge server may assign to each of these different applications a unique freshness parameter that is combined with the first session key, thereby providing a unique session key for each application without changing the first session key used for communication between the UE and the edge server.

In some implementations, the freshness parameter may include a random value. In some implementations, the freshness parameter may include an incrementing value; for example, the value of a counter may be incremented each time a new unique session key is needed (e.g., for a new application or a new instantiation of an application). In some embodiments, the incrementing value may be used as a nonce value (e.g., an incrementing nonce value).

In various embodiments, the UE may send the freshness parameter to a NAF of the network device (e.g., the NAF in GBA, the application function in AKMA, or another suitable function) in a configuration that will enable the NAF to generate the unique session key. In some embodiments, the UE may send the freshness parameter as part of a network service request message (e.g., an application request message). In various embodiments, the NAF may execute the same algorithm used by the UE to generate, from the freshness parameter received from the UE, the same unique session key (i.e., a unique session key identical to the one generated by the UE). In some embodiments, the NAF may receive (or may request and receive in response to the request) the first session key (i.e., the same session key as the first session key used by the UE) from a key server function (KSF) executing on a network device, such as a bootstrapping server function (BSF), an AKMA function, or another suitable function. Using the freshness parameter and the first session key, the NAF may generate the unique session key. The UE and the NAF may then communicate using the unique session key without ever exchanging the unique session key. In various embodiments, the UE and the NAF may generate a unique session key for each application or service of the UE (or provided to the UE by the network device).

In some embodiments, the UE may receive from the NAF a request to initiate secure communication. In some embodiments, the request to initiate secure communication may include a domain name of the NAF (e.g., a fully qualified domain name (FQDN)) and a security protocol identifier (e.g., of the interface between the NAF and the UE, such as the Ua interface). In some embodiments, the UE may derive (generate, compute) the first session key based on the NAF's domain name and the security protocol identifier. In some embodiments, the UE may generate the freshness parameter and send it to the network device (e.g., to the NAF) in response to the request to initiate secure communication received from the NAF. For example, the UE (e.g., a GBA client, an AKMA client, or another suitable client) may generate the freshness parameter and pass it to the NAF. The UE may also use the freshness parameter and the first session key to generate the unique session key. In some embodiments, the first session key may be associated with the UE. For example, the session key (such as Ks_NAF, Ks_int_NAF, or Ks_ext_NAF) may be a session key used in GBA. In some embodiments, the freshness parameter may be associated with a specific application (or service) of the UE. In some embodiments, the freshness parameter may be associated with a specific instantiation of an application (or service) of the UE. Further, the NAF may receive the freshness parameter from the UE and a version of the first session key from the KSF, and the NAF may use the freshness parameter and the first session key to generate its own version of the unique session key.
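The exchange the preceding paragraphs describe, carried end to end as an added example (not code from the patent or from any 3GPP implementation): the UE mints a freshness parameter (random or incrementing), derives the unique session key from the first session key, and sends only the freshness parameter in a cnonce-style request field; the NAF fetches the first session key from the KSF and re-derives the same key, so no key material crosses the wire. The HMAC-SHA256 KDF, the key and field lengths, the class and function names, and the constructed Ks value are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_LEN = 32        # bytes of derived key material (assumption)
FRESHNESS_LEN = 16  # bytes; sized to fit an existing field such as cnonce (assumption)


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation; a stand-in for the 3GPP KDF."""
    mac = hmac.new(key, b"", hashlib.sha256)
    for item in inputs:
        mac.update(len(item).to_bytes(2, "big") + item)
    return mac.digest()[:KEY_LEN]


def derive_first_session_key(ks: bytes, naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """First session key (Ks_NAF-style) from Ks, the NAF FQDN and the Ua protocol id."""
    return kdf(ks, b"first-session-key", naf_fqdn.encode(), ua_protocol_id)


def derive_unique_session_key(first_session_key: bytes, freshness: bytes) -> bytes:
    """Per-application unique session key; the same function runs on UE and NAF."""
    return kdf(first_session_key, b"unique-session-key", freshness)


@dataclass
class KeyServerFunction:
    """KSF (e.g. a BSF): holds Ks per UE and hands the first session key to the NAF."""
    ks_by_ue: dict

    def first_session_key(self, ue_id: str, naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
        return derive_first_session_key(self.ks_by_ue[ue_id], naf_fqdn, ua_protocol_id)


@dataclass
class UEBootstrappingClient:
    """UE-side GBA/AKMA client: mints freshness parameters and derives keys locally."""
    ue_id: str
    ks: bytes
    counter: int = 0
    app_keys: dict = field(default_factory=dict)

    def new_freshness(self, incrementing: bool) -> bytes:
        # The page allows either a random value or an incrementing nonce.
        if incrementing:
            self.counter += 1
            return self.counter.to_bytes(FRESHNESS_LEN, "big")
        return secrets.token_bytes(FRESHNESS_LEN)

    def service_request(self, app_instance: str, naf_fqdn: str,
                        ua_protocol_id: bytes, incrementing: bool = False) -> dict:
        """Network service request carrying only the freshness parameter (in a
        cnonce-style field); the unique session key itself is never transmitted."""
        first_key = derive_first_session_key(self.ks, naf_fqdn, ua_protocol_id)
        freshness = self.new_freshness(incrementing)
        self.app_keys[app_instance] = derive_unique_session_key(first_key, freshness)
        return {"ue_id": self.ue_id, "cnonce": freshness.hex()}


@dataclass
class NetworkApplicationFunction:
    """NAF: obtains the first session key from the KSF and re-derives the unique key."""
    fqdn: str
    ua_protocol_id: bytes
    ksf: KeyServerFunction

    def handle_request(self, request: dict) -> bytes:
        freshness = bytes.fromhex(request["cnonce"])
        if len(freshness) != FRESHNESS_LEN:
            raise ValueError("freshness parameter does not fit the field")
        first_key = self.ksf.first_session_key(request["ue_id"], self.fqdn, self.ua_protocol_id)
        return derive_unique_session_key(first_key, freshness)


def run_exchange(incrementing: bool = False) -> dict:
    """Constructed scenario: one UE with three edge apps talking to one edge NAF."""
    ks = hashlib.sha256(b"constructed bootstrapped key Ks, not a real secret").digest()
    ue = UEBootstrappingClient("ue-120a", ks)
    naf = NetworkApplicationFunction("naf.edge.example", b"ua-protocol-id",
                                     KeyServerFunction({"ue-120a": ks}))
    apps = ["navigation", "music-streaming", "augmented-reality"]
    requests = {app: ue.service_request(app, naf.fqdn, naf.ua_protocol_id, incrementing)
                for app in apps}
    naf_keys = {app: naf.handle_request(req) for app, req in requests.items()}
    wire = "".join(str(req) for req in requests.values())
    return {
        "keys_match": all(naf_keys[app] == ue.app_keys[app] for app in apps),
        "keys_distinct": len(set(naf_keys.values())) == len(apps),
        "no_key_on_wire": ks.hex() not in wire
        and not any(k.hex() in wire for k in naf_keys.values()),
        # Replaying a freshness value reproduces the same key: the value must be
        # fresh per application or instantiation, never reused.
        "replay_same_key": naf.handle_request(requests["navigation"]) == naf_keys["navigation"],
    }
```

Calling `run_exchange()` returns all four checks as True for both the random and the incrementing freshness mode; the last check is the reason the parameter must not repeat across applications or instantiations.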

In various embodiments, the UE may include the freshness parameter in an existing field of a message exchanged between the UE and the NAF. In this way, various embodiments may be implemented without changing the protocol or architecture of the messages or message exchanges. For example, for devices and networks employing the Digest AKA protocol, the freshness parameter may be included in the "cnonce" field. As another example, for devices and networks employing Transport Layer Security (TLS), the freshness parameter may be included in an existing field of the ClientHello message or another suitable message. In various embodiments, the length of the freshness parameter may be configured to fit within the existing field and/or message. In various embodiments, the UE may generate the freshness parameter at a security level similar to, and/or in a protected portion of memory similar to, that used for other encryption keys or session keys, and the UE and the network device may handle the freshness parameter accordingly.

Various embodiments enable the UE and the network device to generate a unique key for each application or service of the UE without exchanging private or secure information (such as private keys). Accordingly, various embodiments improve the operation of UEs, network devices, and communication systems by improving the security of communications between UEs and network devices.

FIG. 1A is a system block diagram illustrating an example communication system 100. The communication system 100 may be a 5G New Radio (NR) network or any other suitable network (such as a Long Term Evolution (LTE) network). Although FIG. 1A illustrates a 5G network, later-generation networks may include the same or similar elements. Therefore, references to 5G networks and 5G network elements in the following description are for illustrative purposes and are not intended to be limiting.

The communication system 100 may include a heterogeneous network architecture that includes a core network 140 and various UEs (shown as UEs 120a-120e in FIG. 1). The communication system 100 may include an edge network 142 that provides network computing resources, applications, and/or services close to mobile devices via one or more network devices 142a. The communication system 100 may also include a number of base stations (shown as BS 110a, BS 110b, BS 110c, and BS 110d) and other network entities. A base station is an entity that communicates with UEs and may also be referred to as a Node B, an LTE evolved NodeB (eNodeB or eNB), an access point (AP), a radio head, a transmit receive point (TRP), a New Radio base station (NR BS), a 5G NodeB (NB), a next-generation NodeB (gNodeB or gNB), etc. Each base station may provide communication coverage for a particular geographic area. In 3GPP, the term "cell" may refer to a coverage area of a base station, a base station subsystem serving that coverage area, or a combination thereof, depending on the context in which the term is used. The core network 140 may be any type of core network, such as an LTE core network (e.g., an evolved packet core (EPC) network), a 5G core network, etc.

The base stations 110a-110d may provide communication coverage for a macro cell, a pico cell, a femto cell, another type of cell, or a combination thereof. A macro cell may cover a relatively large geographic area (e.g., several kilometers in radius) and may allow unrestricted access by UEs with a service subscription. A pico cell may cover a relatively small geographic area and may allow unrestricted access by UEs with a service subscription. A femto cell may cover a relatively small geographic area (e.g., a home) and may allow restricted access by UEs having an association with the femto cell (e.g., UEs in a closed subscriber group (CSG)). A base station for a macro cell may be referred to as a macro BS. A base station for a pico cell may be referred to as a pico BS. A base station for a femto cell may be referred to as a femto BS or a home BS. In the example shown in FIG. 1, the base station 110a may be a macro BS for a macro cell 102a, the base station 110b may be a pico BS for a pico cell 102b, and the base station 110c may be a femto BS for a femto cell 102c. The base stations 110a-110d may support one or more (e.g., three) cells. The terms "eNB", "base station", "NR BS", "gNB", "TRP", "AP", "Node B", "5G NB", and "cell" are used interchangeably herein.

In some examples, a cell may not be stationary, and the geographic area of the cell may move according to the location of a mobile base station. In some examples, the base stations 110a-110d may be interconnected with one another and with one or more other base stations or network nodes (not shown) in the communication system 100 through various types of backhaul interfaces (such as direct physical connections, virtual networks, or a combination thereof) using any suitable transport network.

The base stations 110a-110d may communicate with the core network 140 over wired or wireless communication links 126. The UEs 120a-120e may communicate with the base stations 110a-110d over wireless communication links 122.

The wired communication links 126 may use various wired networks (such as Ethernet, television cable, telephone, fiber optics, and other forms of physical network connections), which may use one or more wired communication protocols (such as Ethernet, Point-to-Point Protocol, High-Level Data Link Control (HDLC), Advanced Data Communication Control Procedure (ADCCP), and Transmission Control Protocol/Internet Protocol (TCP/IP)).

The communication system 100 may also include relay stations (such as the relay BS 110d). A relay station is an entity that can receive a data transmission from an upstream station (e.g., a base station or a UE) and send the data transmission to a downstream station (e.g., a UE or a base station). A relay station may also be a wireless device (e.g., a UE) that can relay transmissions for other UEs. In the example shown in FIG. 1, the relay station 110d may communicate with the macro base station 110a and the UE 120d in order to facilitate communication between the base station 110a and the UE 120d. A relay station may also be referred to as a relay base station, a relay, etc.

The communication system 100 may be a heterogeneous network that includes different types of base stations (e.g., macro base stations, pico base stations, femto base stations, relay base stations, etc.). These different types of base stations may have different transmit power levels, different coverage areas, and different effects on interference in the communication system 100. For example, macro base stations may have a high transmit power level (e.g., 5 to 40 watts), whereas pico base stations, femto base stations, and relay base stations may have lower transmit power levels (e.g., 0.1 to 2 watts).

A network controller 130 may be coupled to a set of base stations and may provide coordination and control for those base stations. The network controller 130 may communicate with the base stations via a backhaul. The base stations may also communicate with one another, e.g., directly or indirectly via a wireless or wired backhaul.

The UEs 120a, 120b, 120c may be dispersed throughout the communication system 100, and each UE may be stationary or mobile. A UE may also be referred to as an access terminal, a terminal, a mobile station, a subscriber unit, a station, a wireless device, etc.

The macro base station 110a may communicate with the communication network 140 over a wired or wireless communication link 126. The UEs 120a, 120b, 120c may communicate with the base stations 110a-110d over wireless communication links 122.

The wireless communication links 122 and 124 may include a plurality of carrier signals, frequencies, or frequency bands, each of which may include a plurality of logical channels. The wireless communication links 122 and 124 may utilize one or more radio access technologies (RATs). Examples of RATs that may be used in a wireless communication link include 3GPP LTE, 3G, 4G, 5G (such as NR), GSM, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Worldwide Interoperability for Microwave Access (WiMAX), Time Division Multiple Access (TDMA), and other mobile telephony cellular RATs. Further examples of RATs that may be used in one or more of the various wireless communication links within the communication system 100 include medium-range protocols (such as Wi-Fi, LTE-U, LTE Direct, LAA, MuLTEfire) and relatively short-range RATs (such as ZigBee, Bluetooth, and Bluetooth Low Energy (LE)).

Certain wireless networks (e.g., LTE) utilize orthogonal frequency division multiplexing (OFDM) on the downlink and single-carrier frequency division multiplexing (SC-FDM) on the uplink. OFDM and SC-FDM partition the system bandwidth into multiple (K) orthogonal subcarriers, which are also commonly referred to as tones, bins, etc. Each subcarrier may be modulated with data. In general, modulation symbols are sent in the frequency domain with OFDM and in the time domain with SC-FDM. The spacing between adjacent subcarriers may be fixed, and the total number of subcarriers (K) may depend on the system bandwidth. For example, the subcarrier spacing may be 15 kHz and the minimum resource allocation (referred to as a "resource block") may be 12 subcarriers (or 180 kHz). Consequently, the nominal fast Fourier transform (FFT) size may be equal to 128, 256, 512, 1024, or 2048 for a system bandwidth of 1.25, 2.5, 5, 10, or 20 megahertz (MHz), respectively. The system bandwidth may also be partitioned into sub-bands. For example, a sub-band may cover 1.08 MHz (i.e., 6 resource blocks), and there may be 1, 2, 4, 8, or 16 sub-bands for a system bandwidth of 1.25, 2.5, 5, 10, or 20 MHz, respectively.

Although the description of some implementations may use terminology and examples associated with LTE technology, some implementations may be applicable to other wireless communication systems, such as New Radio (NR) or 5G networks. NR may utilize OFDM with a cyclic prefix (CP) on the uplink (UL) and downlink (DL) and may include support for half-duplex operation using time division duplex (TDD). A single component carrier bandwidth of 100 MHz may be supported. An NR resource block may span 12 subcarriers with a subcarrier bandwidth of 75 kHz over a 0.1 millisecond (ms) duration. Each radio frame may consist of 50 subframes with a length of 10 ms. Consequently, each subframe may have a length of 0.2 ms. Each subframe may indicate a link direction (i.e., DL or UL) for data transmission, and the link direction for each subframe may be dynamically switched. Each subframe may include DL/UL data as well as DL/UL control data. Beamforming may be supported and the beam direction may be dynamically configured. Multiple-input multiple-output (MIMO) transmission with precoding may also be supported. MIMO configurations in the DL may support up to eight transmit antennas with multi-layer DL transmission of up to eight streams and up to two streams per UE. Multi-layer transmission with up to 2 streams per UE may be supported.

Aggregation of multiple cells, with up to eight serving cells, may be supported. Alternatively, NR may support a different air interface other than an OFDM-based air interface.

Some UEs may be considered machine-type communication (MTC) or evolved or enhanced machine-type communication (eMTC) UEs. MTC and eMTC UEs include, for example, robots, drones, remote devices, sensors, meters, monitors, location tags, etc., which may communicate with a base station, another device (e.g., a remote device), or some other entity. A wireless computing platform may provide connectivity for or to a network (e.g., a wide area network such as the Internet or a cellular network), for example via wired or wireless communication links. Some UEs may be considered Internet of Things (IoT) devices or may be implemented as NB-IoT (narrowband Internet of Things) devices. The UEs 120a-120e may be included inside a housing that houses components of the UEs 120a-120e, such as processor components, memory components, similar components, or a combination thereof.

In general, any number of communication systems and any number of wireless networks may be deployed in a given geographic area. Each communication system and wireless network may support a particular radio access technology (RAT) and may operate on one or more frequencies. A RAT may also be referred to as a radio technology, an air interface, etc. A frequency may also be referred to as a carrier, a frequency channel, etc. Each frequency may support a single RAT in a given geographic area in order to avoid interference between communication systems of different RATs. In some cases, 4G/LTE and/or 5G/NR RAT networks may be deployed. For example, a 5G non-standalone (NSA) network may utilize a 4G/LTE RAT on the 4G/LTE RAN side of the 5G NSA network and a 5G/NR RAT on the 5G/NR RAN side of the 5G NSA network. The 4G/LTE RAN and the 5G/NR RAN may both connect to each other and to a 4G/LTE core network (e.g., an evolved packet core (EPC) network) in the 5G NSA network. Other example network configurations may include a 5G standalone (SA) network in which a 5G/NR RAN connects to a 5G core network.

In some implementations, two or more UEs 120a-120e (e.g., shown as UE 120a and UE 120e) may communicate directly using one or more sidelink channels (e.g., without using a base station 110a-110d as an intermediary to communicate with one another). For example, the UEs 120a-120e may communicate using peer-to-peer (P2P) communications, device-to-device (D2D) communications, a vehicle-to-everything (V2X) protocol (which may include a vehicle-to-vehicle (V2V) protocol, a vehicle-to-infrastructure (V2I) protocol, or a similar protocol), a mesh network, or a similar network, or a combination thereof. In such cases, the UEs 120a-120e may perform scheduling operations, resource selection operations, and other operations described elsewhere herein as being performed by the base stations 110a-110d.

FIG. 1B is a system block diagram illustrating an example edge computing system 150 suitable for use with various embodiments. In some embodiments, the edge computing system 150 may include an edge network 142 and a UE 170 (e.g., UEs 120a-120e) that are configured to communicate via a 3GPP core network 160. An edge data network 152 may include an edge application server 154 and one or more edge enabler servers 156 in communication with an edge configuration server 158. Examples of the edge application server 154, the edge enabler server 156, and the edge configuration server 158 include the network device 142a. The UE 170 may include an application client 172 in communication with one or more edge enabler clients 174. Each of the elements of the edge computing system 150 may communicate via edge interfaces (e.g., EDGE-1, EDGE-2, ..., EDGE-9).

The edge application server 154 and the application client 172 may each be configured to process computing tasks and may exchange application data traffic (i.e., data related to computing tasks, applications, services, etc.) via the 3GPP core network 160. The edge enabler server 156 may be configured to maintain and advertise (e.g., to devices such as the UE 170) the applications provided by the edge application server 154. The edge configuration server 158 may be configured to manage communications within and between one or more edge data networks 152.

The edge application server 154 may provide information about its applications and their capabilities to the edge enabler server 156 via the EDGE-3 interface. The edge enabler server 156 may provide information about the edge data network 152 to the edge configuration server 158 via the EDGE-6 interface. The edge application server 154 and the edge enabler server 156 may communicate with the 3GPP core network 160 via the EDGE-7 interface and the EDGE-2 interface, respectively.

In some embodiments, the edge enabler client 174 may obtain information about available edge data networks 152 from the edge enabler server 156 via the EDGE-1 interface (and/or from the edge configuration server 158 via the EDGE-4 interface). In some embodiments, the edge enabler client 174 may obtain information about the edge application server 154, such as the available applications and their capabilities, via the EDGE-4 interface. In some embodiments, the edge enabler client 174, the edge enabler server 156, and the edge configuration server 158 may employ discovery and provisioning procedures via their respective edge interfaces.

The application client 172 may communicate with the edge enabler client 174 via the EDGE-5 interface. In some embodiments, the edge enabler client 174 may obtain information about available edge data networks 152 from the edge configuration server 158 via the Edge-4 interface, and may coordinate the use of the edge application server 154 with the edge enabler server 156 via the EDGE-1 interface. Edge enabler servers 156 may coordinate with one another via the EDGE-9 interface.

FIG. 2 is a component block diagram illustrating an example computing and wireless modem system 200 suitable for implementing any of the various embodiments. The various embodiments may be implemented on a number of single-processor and multiprocessor computer systems, including a system on chip (SOC) or a system in package (SIP).

Referring to FIGS. 1A-2, the illustrated example computing system 200 (which in some embodiments may be a SIP) includes two SOCs 202, 204 coupled to a clock 206, a voltage regulator 208, and a wireless transceiver 266 configured to send wireless communications to, and receive wireless communications from, a UE (e.g., base station 110a) via an antenna (not shown). In some implementations, the first SOC 202 may operate as the central processing unit (CPU) of the UE, executing the instructions of software applications by performing the arithmetic, logic, control, and input/output (I/O) operations that those instructions specify. In some implementations, the second SOC 204 may operate as a specialized processing unit. For example, the second SOC 204 may operate as a specialized 5G processing unit responsible for managing high-volume, high-speed (e.g., 5 Gbps, etc.) or very high frequency, short wavelength (e.g., 28 GHz mmWave spectrum, etc.) communications.

The first SOC 202 may include a digital signal processor (DSP) 210, a modem processor 212, a graphics processor 214, an application processor 216, one or more coprocessors 218 (e.g., a vector coprocessor) connected to one or more of these processors, memory 220, custom circuitry 222, system components and resources 224, an interconnection/bus module 226, one or more temperature sensors 230, a thermal management unit 232, and a thermal power envelope (TPE) component 234. The second SOC 204 may include a 5G modem processor 252, a power management unit 254, an interconnection/bus module 264, a plurality of mmWave transceivers 256, memory 258, and various additional processors 260 (such as an application processor, a packet processor, etc.).

Each processor 210, 212, 214, 216, 218, 252, 260 may include one or more cores, and each processor/core may perform operations independently of the other processors/cores. For example, the first SOC 202 may include a processor that executes a first type of operating system (e.g., FreeBSD, LINUX, OS X, etc.) and a processor that executes a second type of operating system (e.g., MICROSOFT WINDOWS 10). In addition, any or all of the processors 210, 212, 214, 216, 218, 252, 260 may be included as part of a processor cluster architecture (e.g., a synchronous processor cluster architecture, an asynchronous or heterogeneous processor cluster architecture, etc.).

The first SOC 202 and the second SOC 204 may include various system components, resources, and custom circuitry for managing sensor data, analog-to-digital conversion, and wireless data transmission, and for performing other specialized operations, such as decoding data packets and processing encoded audio and video signals for rendering in a web browser. For example, the system components and resources 224 of the first SOC 202 may include power amplifiers, voltage regulators, oscillators, phase-locked loops, peripheral bridges, data controllers, memory controllers, system controllers, access ports, timers, and other similar components used to support the processors and software clients running on the UE. The system components and resources 224 or the custom circuitry 222 may also include circuitry that interfaces with peripheral devices (such as cameras, electronic displays, wireless communication devices, external memory chips, etc.).

The first SOC 202 and the second SOC 204 may communicate via an interconnection/bus module 250. The various processors 210, 212, 214, 216, 218 may be interconnected to one or more memory elements 220, the system components and resources 224, the custom circuitry 222, and the thermal management unit 232 via the interconnection/bus module 226. Similarly, the processor 252 may be interconnected to the power management unit 254, the mmWave transceivers 256, the memory 258, and the various additional processors 260 via the interconnection/bus module 264. The interconnection/bus modules 226, 250, 264 may include an array of reconfigurable logic gates or may implement a bus architecture (such as CoreConnect, AMBA, etc.). Communications may be provided by advanced interconnects, such as a high-performance network on chip (NoC).

The first SOC 202 or the second SOC 204 may also include an input/output module (not shown) for communicating with resources external to the SOC, such as the clock 206 and the voltage regulator 208. Resources external to the SOC (such as the clock 206 and the voltage regulator 208) may be shared by two or more of the internal SOC processors/cores.

In addition to the example SIP 200 discussed above, some implementations may be implemented in a wide variety of computing systems, which may include a single processor, multiple processors, multicore processors, or any combination thereof.

FIG. 3 is a component block diagram illustrating a software architecture 300 suitable for implementing any of the various embodiments; the software architecture 300 includes radio protocol stacks for the user and control planes in wireless communications. Referring to FIGS. 1A-3, a UE 320 may implement the software architecture 300 to facilitate communication between the UE 320 (e.g., UEs 120a-120e, 200) and a network device 350 (e.g., the network device 142a in the edge network 142) of a communication system (e.g., 100). In various embodiments, the layers in the software architecture 300 may form logical connections with corresponding layers in the software of the network device 350. The software architecture 300 may be distributed among one or more processors (e.g., the processors 212, 214, 216, 218, 252, 260). Although described with respect to one radio protocol stack, in a multi-SIM (subscriber identity module) UE the software architecture 300 may include multiple protocol stacks, each of which may be associated with a different SIM (e.g., two protocol stacks associated with the two SIMs in a dual-SIM wireless communication device, respectively). Although described below with reference to LTE communication layers, the software architecture 300 may support any of a variety of standards and protocols for wireless communications, and/or may include additional protocol stacks that support any of a variety of standards and protocols for wireless communications.

The software architecture 300 may include a non-access stratum (NAS) 302 and an access stratum (AS) 304. The NAS 302 may include functions and protocols that support packet filtering, security management, mobility control, session management, and traffic and signaling between the UE's SIM (e.g., SIM 204) and its core network 140. The AS 304 may include functions and protocols that support communication between the SIM (e.g., SIM 204) and entities of the supported access network (e.g., a base station). In particular, the AS 304 may include at least three layers (Layer 1, Layer 2, and Layer 3), each of which may contain various sublayers.

In the user and control planes, Layer 1 (L1) of the AS 304 may be a physical layer (PHY) 306, which may oversee functions that enable transmission or reception over the air interface via a wireless transceiver (e.g., 266). Examples of such physical layer 306 functions may include cyclic redundancy check (CRC) attachment, coding blocks, scrambling and descrambling, modulation and demodulation, signal measurements, MIMO, etc. The physical layer may include various logical channels, including a physical downlink control channel (PDCCH) and a physical downlink shared channel (PDSCH).

In the user and control planes, Layer 2 (L2) of the AS 304 may be responsible for the link between the UE 320 and the network device 350 above the physical layer 306. In some implementations, Layer 2 may include a medium access control (MAC) sublayer 308, a radio link control (RLC) sublayer 310, a packet data convergence protocol (PDCP) sublayer 312, and a service data adaptation protocol (SDAP) sublayer 317, each of which forms a logical connection that terminates at the network device 350.

In the control plane, Layer 3 (L3) of the AS 304 may include a radio resource control (RRC) sublayer 313. Although not shown, the software architecture 300 may include additional Layer 3 sublayers as well as various upper layers above Layer 3. In some implementations, the RRC sublayer 313 may provide functions including broadcasting system information, paging, and establishing and releasing RRC signaling connections between the UE 320 and the network device 350.

In various embodiments, the SDAP sublayer 317 may provide the mapping between quality of service (QoS) flows and data radio bearers (DRBs). In some implementations, the PDCP sublayer 312 may provide uplink functions including multiplexing between different radio bearers and logical channels, sequence number addition, handover data handling, integrity protection, ciphering, and header compression. In the downlink, the PDCP sublayer 312 may provide functions including in-sequence delivery of data packets, duplicate data packet detection, integrity verification, deciphering, and header decompression.

In the uplink, the RLC sublayer 310 may provide segmentation and concatenation of upper layer data packets, retransmission of lost data packets, and automatic repeat request (ARQ). In the downlink, the RLC sublayer 310 functions may include reordering of data packets to compensate for out-of-order reception, reassembly of upper layer data packets, and ARQ.

In the uplink, the MAC sublayer 308 may provide functions including multiplexing between logical and transport channels, random access procedures, logical channel prioritization, and hybrid ARQ (HARQ) operations. In the downlink, the MAC layer functions may include intra-cell channel mapping, demultiplexing, discontinuous reception (DRX), and HARQ operations.

While the software architecture 300 may provide functions for transmitting data over a physical medium, the software architecture 300 may also include at least one host layer 314 to provide data transfer services to various applications in the UE 320. In some implementations, application-specific functions provided by the at least one host layer 314 may provide an interface between the software architecture and the general-purpose processor 206.

In other implementations, the software architecture 300 may include one or more higher logical layers (e.g., transport, session, presentation, application, etc.) that provide host layer functions. For example, in some implementations the software architecture 300 may include a network layer (e.g., an Internet Protocol (IP) layer) in which a logical connection terminates at a packet data network (PDN) gateway (PGW). In some implementations, the software architecture 300 may include an application layer in which a logical connection terminates at another device (e.g., an end user device, a server, etc.). In some implementations, the software architecture 300 may also include, in the AS 304, a hardware interface 316 between the physical layer 306 and the communication hardware (e.g., one or more radio frequency (RF) transceivers).

FIGS. 4A and 4B are component block diagrams illustrating a system 400 configured to enhance coverage for initial access according to various embodiments. Referring to FIGS. 1A-4B, the system 400 may include a UE 402 (e.g., 120a-120e, 170, 320) and a network device 404 (e.g., 142a, 154, 156, 158, 350). In some embodiments, the UE 402 and the network device 404 may exchange wireless communications in order to establish a wireless communication link (e.g., 122).

The UE 402 and the network device 404 may include one or more processors 428, 432 coupled to electronic storage 426, 430 and to a wireless transceiver (e.g., 266). In the UE 402 and the network device 404, the wireless transceiver 266 may be configured to receive messages sent in transmissions and to pass such messages to the processors 428, 432 for processing. Similarly, the processors 428, 432 may be configured to pass messages intended for transmission to the wireless transceiver 266 for transmission.

With reference to the UE 402, the processor 432 may be configured by machine-readable instructions 434. The machine-readable instructions 434 may include one or more instruction modules. The instruction modules may include computer program modules. The instruction modules may include one or more of a freshness parameter module 436, a unique session key module 438, a TX/RX module 440, and/or other instruction modules.

The freshness parameter module 436 may be configured to generate a freshness parameter. In some embodiments, the freshness parameter module 436 may execute within a secure bootstrapping client (e.g., a GBA client) of the UE 402. In some embodiments, the freshness parameter module 436 uses a random number generator to generate a random number for use as the freshness parameter. In some embodiments, the freshness parameter module 436 uses a counter to produce a nonce value for use as the freshness parameter.

The unique session key module 438 may be configured to generate a unique session key based on a first session key and the freshness parameter. In some embodiments, the freshness parameter may be associated with a particular application of the UE 402. In some embodiments, the first session key may be associated with the UE 402. In some embodiments, the unique session key may be associated with a particular application of the UE 402.

The TX/RX module 440 may be configured to enable communication with the network device 404, for example via the wireless transceiver 266.

The TX/RX module 440 may be configured to send the freshness parameter to the NAF of the network device 404 (e.g., via the wireless transceiver 266) in a configuration that will enable the NAF to generate the unique session key. The TX/RX module 440 may be configured to communicate with the network device 404 using the unique session key. The TX/RX module 440 may be configured to receive from the NAF a request to initiate secure communication, the request including a domain name of the NAF and a security protocol identifier.

With reference to the network device 404, the processor 428 may be configured by machine-readable instructions 406. The machine-readable instructions 406 may include one or more instruction modules. The instruction modules may include computer program modules. The instruction modules may include one or more of a freshness parameter module 408, a unique session key module 410, a transmit/receive (TX/RX) module 412, and/or other instruction modules.

The freshness parameter module 408 may be configured to receive a freshness parameter from the UE 402.

The unique session key module 410 may be configured to receive a first session key from the KSF of the network device 404. The unique session key module 410 may be configured to generate a unique session key based on the freshness parameter and the first session key.

The TX/RX module 412 may be configured to communicate with the UE 402 using the unique session key (e.g., via the wireless transceiver 266). The TX/RX module 412 may be configured to send to the UE 402 a request to initiate secure communication, the request including the domain name of the NAF and a security protocol identifier.

In some embodiments, the UE 402 and the network device 404 may be operatively linked via one or more wireless communication links (e.g., the wireless communication link 122). It will be appreciated that this is not intended to be limiting, and that the scope of this disclosure includes embodiments in which the UE 402 and the network device 404 may be operatively linked via some other communication medium.

The electronic storage 426, 430 may include non-transitory storage media that electronically store information. The electronic storage media of the electronic storage 426, 430 may include one or both of: system storage that is provided integrally (i.e., substantially non-removable) with the UE 402 and the network device 404; and/or removable storage that is removably connectable to the UE 402 and the network device 404 via, for example, a port (e.g., a Universal Serial Bus (USB) port, a FireWire port, etc.) or a drive (e.g., a disk drive, etc.). The electronic storage 426, 430 may include one or more of: optically readable storage media (e.g., optical discs, etc.), magnetically readable storage media (e.g., magnetic tape, magnetic hard drives, floppy drives, etc.), charge-based storage media (e.g., EEPROM, RAM, etc.), solid-state storage media (e.g., flash drives, etc.), and/or other electronically readable storage media. The electronic storage 426, 430 may include one or more virtual storage resources (e.g., cloud storage, a virtual private network, and/or other virtual storage resources). The electronic storage 426, 430 may store software algorithms, information determined by the processors 428, 432, information received from the UE 402 and the network device 404, and/or other information that enables the UE 402 and the network device 404 to function as described herein.

The processors 428, 432 may be configured to provide information processing capabilities in the UE 402 and the network device 404. Accordingly, the processors 428, 432 may include one or more of a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information. Although the processors 428, 432 are shown as single entities, this is for illustrative purposes only. In some embodiments, the processors 428, 432 may include a plurality of processing units and/or processor cores. The processing units may be physically located within the same device, or the processors 428, 432 may represent the processing functionality of a plurality of devices operating in coordination. The processors 428, 432 may be configured to execute the modules 408-412, the modules 436-440, and/or other modules by software; hardware; firmware; some combination of software, hardware, and/or firmware; and/or other mechanisms for configuring the processing capabilities on the processors 428, 432. As used herein, the term "module" may refer to any component or set of components that performs the functionality attributed to the module. This may include one or more physical processors during execution of processor-readable instructions, the processor-readable instructions, circuitry, hardware, storage media, or any other components.

The description of the functionality provided by the different modules 408-412 and 436-440 described below is for illustrative purposes and is not intended to be limiting, as any of the modules 408-412 and 436-440 may provide more or less functionality than is described. For example, one or more of the modules 408-412 and 436-440 may be eliminated, and some or all of its functionality may be provided by other ones of the modules 408-412 and 436-440. As another example, the processors 428, 432 may be configured to execute one or more additional modules that may perform some or all of the functionality attributed below to one of the modules 408-412 and 436-440.

FIG. 5A is a block diagram illustrating an example system 500a for bootstrapping application security suitable for use with various embodiments. With reference to FIGS. 1A-5A, the system 500a may include a UE 502, a NAF 504, a Key Server Function (KSF) 506, a Home Subscriber Server (HSS) 508, and a Subscriber Locator Function (SLF) 510.

In various embodiments, the UE 502 and the KSF 506 may perform authentication operations to authenticate the UE 502. In some embodiments, the negotiation between the KSF 506 and the UE 502 may perform the authentication operations via the Ub interface and may employ a protocol such as AKA. The UE 502 may communicate with the NAF 504 via the Ua interface. In various embodiments, the UE 502 and the NAF 504 may have no prior security association. The UE 502 may generate a first session key, e.g., Ks_NAF. The NAF 504 may receive the first session key (e.g., Ks_NAF) from the KSF 506 via the Zn interface.

The HSS 508 may serve as a database or other suitable data store that may hold user authentication credentials for the UE 502, such as user security settings (USS) (e.g., GBA user security settings (GUSS)). In some embodiments, the HSS 508 may map the user authentication credentials to a private identity, such as an IP Multimedia Private Identity (IMPI). The HSS 508 may communicate this and other information to the KSF 506 via the Zh interface. The SLF 510 may store and provide information identifying the HSS 508 that holds information about the UE 502 (i.e., about a particular UE). The KSF 506 and the SLF 510 may communicate via the Dz interface.

FIG. 5B is a message flow diagram illustrating communications that may be exchanged between a UE and a network device during a method 500b for securing communications according to various embodiments. With reference to FIGS. 1A-5B, in some embodiments a UE 520 (e.g., 120a-120e, 170, 320, 404, 502) and a network device 526 (e.g., 142a, 154, 156, 158, 350, 402) may communicate via a wireless communication network, aspects of which are described above with reference to FIGS. 1A and 1B. The UE 520 may include a GBA client 522 and an application client 524. The network device 526 may include a NAF 528 and a KSF 530.

The NAF 528 may optionally send a request message 532 to the GBA client 522. The message 532 may include a request to initiate secure communication, the request including a domain name of the NAF (e.g., an FQDN) and a security protocol identifier (e.g., a Ua security protocol identifier). In some embodiments, the security protocol identifier may enable different keys to be generated for different protocols. In some embodiments, each key may be limited to a single use. In some embodiments, the domain name of the NAF may make the key unique to the NAF 528.

In operation 534, the GBA client 522 may generate a freshness parameter. In some embodiments, the freshness parameter may be or include a random or pseudo-random number, such as one generated using a random number generation algorithm. In some embodiments, the freshness parameter may be or include an incrementing value, such as the value of a counter that is incremented each time a new unique session key is needed (e.g., for a new application or a new instantiation of an application). In some embodiments, the incrementing value may be used as a nonce value (e.g., an incrementing nonce value).

In operation 536, the GBA client 522 may generate a unique session key (which may be referred to as Ks_NAF_unique) based on the first session key (e.g., Ks_NAF) and the freshness parameter. The GBA client 522 may send the freshness parameter to the application client 524 in a message 538.

The application client 524 may send the freshness parameter to the NAF 528 in a message 540. In some embodiments, the message 540 may include a network service request message (e.g., an application request message). In some embodiments, the network service request message may include a bootstrapping transaction identifier (B-TID). In some embodiments, the B-TID may serve as an identifier of the first session key (e.g., Ks_NAF).

The NAF 528 may send the B-TID to the KSF 530 in a message 542. In some embodiments, the message 542 may also include a NAF identifier. In some embodiments, the message 542 may include an authentication request message.

The KSF 530 may send a version of the first session key (e.g., Ks_NAF) to the NAF 528 in a message 544. In some embodiments, the message 544 may also include an application-specific identifier associated with the UE (e.g., from a user profile associated with the UE). In some embodiments, the message 544 may include an authentication answer message.

As noted above, in various embodiments the UE 520 (e.g., the GBA client 522) and the network device 526 (e.g., the NAF 528) may include the freshness parameter in an existing field of the messages exchanged between the UE 520 and the network device 526, which enables the various embodiments to be implemented without changing the protocol or architecture of the messages or message exchanges. For example, for devices using the Digest AKA protocol, the freshness parameter may be included in the "cnonce" field. As another example, for devices using Transport Layer Security (TLS), the freshness parameter may be included in an existing field of the ClientHello message or another suitable message. In some embodiments, the length of the freshness parameter may be configured to fit within such existing fields and/or messages. In various embodiments, the GBA client 522 may generate the freshness parameter at a security level, and/or in a protected portion of memory, similar to that used for other encryption keys or session keys. In various embodiments, the GBA client 522 and the NAF 528 may handle, use, process, and/or store the freshness parameter and/or the unique session key in the secure memory of the respective devices.

In operation 546, the NAF 528 may generate the unique session key based on the first session key received from the KSF 530 and the freshness parameter received from the UE 520. Thus, in operation 546 the NAF is able to determine and use the same unique session key as the one generated by the UE without exchanging any private key or other information that could be used to compromise the cryptographic security provided by the unique session key, because the freshness parameter is used only once to generate a unique session key that changes with each communication session.

In operation 548, the NAF 528 may store the generated unique session key in memory of the NAF 528 (or of the network device 526) for use during the communication session.

The NAF 528 may send a response message 550 to the application client 524 (e.g., in response to the message 540, e.g., the application request message). In some embodiments, the message 550 may include an application answer message.

The UE 520 (e.g., the application client 524) and the network device 526 (e.g., the NAF 528) may carry out secure communication 552 using the unique session key. As noted above, the unique session key may be unique to one application or service of the UE 520.

FIG. 6 is a process flow diagram illustrating a method 600 that may be performed by a processor of a UE for securing communications with a network element according to various embodiments. With reference to FIGS. 1A-6, the operations of the method 600 may be performed by a processor (e.g., the processors 210, 212, 214, 216, 218, 252, 260, 432) of a UE (e.g., 120a-120e, 170, 320, 404, 502, 520).

In optional block 602, the processor may receive, from a network application function (NAF) of a network device, a request to initiate secure communication. In some embodiments, the request may include a domain name of the NAF and a security protocol identifier. Means for performing the operations of optional block 602 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the TX/RX module 440, and the GBA client 522.

In block 604, the processor may generate a freshness parameter. In some embodiments, the freshness parameter may be generated by a secure bootstrapping client executing in the processor or in another processor of the UE (e.g., in a secure processing domain). In some embodiments, the freshness parameter may be associated with a particular application executing in the UE, or with a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). In some embodiments, the freshness parameter may be or include a random value. In some embodiments, the freshness parameter may be or include an incrementing nonce value. Means for performing the operations of block 604 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the freshness parameter module 436, and/or the GBA client 522.

In block 606, the processor may generate a unique session key based on a first session key and the freshness parameter. For example, the processor may apply the first session key (e.g., Ks_NAF) and the freshness parameter to a key generation algorithm to produce the unique session key (e.g., Ks_NAF_unique). In some embodiments, the unique session key may be associated with a particular application of the UE, and the first session key may be associated with the UE. In some embodiments, the particular application may be or include a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). Means for performing the operations of block 606 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the unique session key module 438, and the GBA client 522.

In block 608, the processor may send the freshness parameter to the NAF (e.g., 504, 528) in a configuration that will enable the NAF to generate the unique session key. In some embodiments, the processor may send the freshness parameter to the NAF in a network service request message (e.g., an application request message). Means for performing the operations of block 608 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the TX/RX module 440, and the application client 524.

In block 610, the processor may use the unique session key to communicate with the NAF (e.g., to encrypt messages sent to the NAF and to decrypt messages received from the NAF). In some embodiments, an application client executing in the processor may carry out the communication with the NAF. Means for performing the operations of block 610 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the TX/RX module 440, and the application client 524.

FIG. 7 is a process flow diagram illustrating a method 700 that may be performed by a processor of a network device for securing communications with a UE according to various embodiments. With reference to FIGS. 1A-7, the operations of the method 700 may be performed by a processor (e.g., the processors 210, 212, 214, 216, 218, 252, 260, 432) of a network device (e.g., 142a, 154, 156, 158, 350, 404, 526).

In optional block 702, the processor may send to the UE a request to initiate secure communication. In some embodiments, the request may include a domain name of the NAF and a security protocol identifier. Means for performing the operations of optional block 702 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the TX/RX module 440, and the NAF 528.

In block 704, the NAF may receive a freshness parameter from the UE. In some embodiments, the freshness parameter may be associated with a particular application of the UE. In some embodiments, the particular application may be or include a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). In some embodiments, the freshness parameter may be or include a random value. In some embodiments, the freshness parameter may be or include an incrementing nonce value. Means for performing the operations of block 704 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the freshness parameter module 408, and the NAF 528.

In block 706, the processor may receive a first session key from a key server function (KSF). In some embodiments, the first session key may be associated with the UE, e.g., a Ks_NAF session key. Means for performing the operations of block 706 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the unique session key module 410, the NAF 528, and the KSF 506, 530.

In block 708, the processor may generate a unique session key based on the freshness parameter and the first session key. For example, the processor may apply the freshness parameter and the first session key (e.g., Ks_NAF) to the same key generation algorithm used by the UE in block 606 of the method 600 to produce the unique session key (e.g., Ks_NAF_unique), and thereby produce the same unique session key as the one generated by the UE. In some embodiments, the unique session key may be associated with a particular application of the UE, and the first session key is associated with the UE. In some embodiments, the particular application may be a particular instantiation of an application (e.g., a first instantiation, a second instantiation, etc.). Means for performing the operations of block 708 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the unique session key module 410, and the NAF 528.

In block 710, the processor may use the unique session key to communicate with the UE, encrypting messages sent to the UE and decrypting messages received from the UE. Means for performing the operations of block 710 may include the processors 210, 212, 214, 216, 218, 252, 260, 432, the wireless transceiver 266, the TX/RX module 440, and the NAF 528.
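The FIG. 5B exchange and the key derivation of blocks 606 and 708, as an added Python simulation that is not part of the patent: the UE's GBA client and the NAF each derive the same Ks_NAF_unique from the shared Ks_NAF and the freshness parameter, so only the freshness parameter crosses the Ua interface. HMAC-SHA256 as the key generation algorithm, the 16-byte freshness length, the constructed Ks_NAF and B-TID, and the NAF's single-use check on the freshness parameter are assumptions of this example, not details given on the page.

```python
"""Simulation of the FIG. 5B message flow (operations 534-548) and of
blocks 606/608 (method 600) and 704-708 (method 700).  Added example,
not the patent's own code.  Assumed, because the page does not say:
HMAC-SHA256 as the key generation algorithm, a 16-byte freshness
parameter, a constructed Ks_NAF and B-TID, and a NAF that refuses to
derive a second key from a freshness parameter it has already seen for
the same B-TID (the page says the freshness parameter is used once)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

FRESHNESS_LEN = 16  # assumed; sized to fit an existing field such as cnonce


def derive_unique_session_key(ks_naf: bytes, freshness: bytes) -> bytes:
    """Ks_NAF_unique = KDF(Ks_NAF, freshness), as in blocks 606 and 708.
    HMAC-SHA256 with a fixed label stands in for the unnamed algorithm."""
    return hmac.new(ks_naf, b"Ks_NAF_unique" + freshness, hashlib.sha256).digest()


@dataclass
class KSF:
    """Key Server Function: hands Ks_NAF to the NAF over Zn, keyed by B-TID."""
    keys: dict = field(default_factory=dict)  # B-TID -> Ks_NAF

    def authentication_answer(self, btid: str) -> bytes:
        return self.keys[btid]  # message 544, answering message 542


@dataclass
class GBAClient:
    """UE-side secure bootstrapping client: operations 534 and 536."""
    btid: str
    ks_naf: bytes       # first session key, already bootstrapped over Ub
    counter: int = 0    # for the incrementing-value variant

    def generate_freshness(self, use_counter: bool = False) -> bytes:
        """Operation 534: a random nonce, or an incrementing counter value."""
        if use_counter:
            self.counter += 1
            return self.counter.to_bytes(FRESHNESS_LEN, "big")
        return secrets.token_bytes(FRESHNESS_LEN)

    def unique_session_key(self, freshness: bytes) -> bytes:
        """Operation 536."""
        return derive_unique_session_key(self.ks_naf, freshness)


@dataclass
class NAF:
    """Network Application Function: operations 546 and 548."""
    ksf: KSF
    session_keys: dict = field(default_factory=dict)  # (B-TID, freshness) -> key

    def application_request(self, btid: str, freshness: bytes) -> bytes:
        """Message 540 arrives carrying B-TID and freshness parameter; the
        key stored for the session (operation 548) is returned."""
        if len(freshness) != FRESHNESS_LEN:
            raise ValueError("freshness parameter has unexpected length")
        if (btid, freshness) in self.session_keys:
            # assumed defensive check: a freshness parameter is single-use
            raise ValueError("freshness parameter already used for this B-TID")
        ks_naf = self.ksf.authentication_answer(btid)        # messages 542/544
        key = derive_unique_session_key(ks_naf, freshness)   # operation 546
        self.session_keys[(btid, freshness)] = key           # operation 548
        return key


def bootstrap() -> tuple:
    """Constructed post-Ub state: the UE and the KSF share Ks_NAF under one B-TID."""
    ks_naf = hashlib.sha256(b"constructed Ks_NAF for this example").digest()
    btid = "example-btid@ksf.example"  # constructed identifier
    return GBAClient(btid=btid, ks_naf=ks_naf), NAF(ksf=KSF(keys={btid: ks_naf}))


def run_exchange(gba: GBAClient, naf: NAF, use_counter: bool = False) -> tuple:
    """One application session: returns (freshness, UE key, NAF key)."""
    freshness = gba.generate_freshness(use_counter)         # operation 534
    ue_key = gba.unique_session_key(freshness)              # operation 536
    naf_key = naf.application_request(gba.btid, freshness)  # 540 -> 546/548
    return freshness, ue_key, naf_key


def replay_is_rejected(gba: GBAClient, naf: NAF, freshness: bytes) -> bool:
    """True if the NAF refuses a second request that reuses the freshness value."""
    try:
        naf.application_request(gba.btid, freshness)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    gba, naf = bootstrap()
    f1, k_ue, k_naf = run_exchange(gba, naf)
    print("random nonce, keys match:", k_ue == k_naf)
    f2, k2_ue, k2_naf = run_exchange(gba, naf, use_counter=True)
    print("counter nonce, keys match and differ from first:",
          k2_ue == k2_naf and k2_ue != k_ue)
    print("replay of first nonce rejected:", replay_is_rejected(gba, naf, f1))
```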

FIG. 8 is a component block diagram of a network device 800 suitable for use with various embodiments. Such a network device (e.g., the network devices 142a, 154, 156, 158, 350, 404, 526) may include at least the components illustrated in FIG. 8. With reference to FIGS. 1A-8, the network device 800 may typically include a processor 801 coupled to volatile memory 802 and to a large-capacity non-volatile memory, such as a disk drive 808. The network device 800 may also include a peripheral memory access device 806, such as a floppy disk drive, compact disc (CD), or digital video disc (DVD) drive coupled to the processor 801. The network device 800 may also include a network access port 804 (or interface) coupled to the processor 801 for establishing data connections with a network, such as the Internet or a local area network coupled to other system computers and servers. The network device 800 may include one or more antennas 807 for sending and receiving electromagnetic radiation that may be connected to a wireless communication link. The network device 800 may include additional access ports, such as USB, FireWire, Thunderbolt, and the like, for coupling to peripherals, external memory, or other devices.

FIG. 9 is a component block diagram of a UE 900 suitable for use with various embodiments. With reference to FIGS. 1A-9, the various embodiments may be implemented on a variety of UEs 900 (e.g., the UEs 120a-120e, 170, 320, 402, 502, 520), an example of which is illustrated in FIG. 9 in the form of a smartphone. The UE 900 may include a first SOC 202 (e.g., a SOC-CPU) coupled to a second SOC 204 (e.g., a 5G-capable SOC). The first SOC 202 and the second SOC 204 may be coupled to internal memory 916, a display 912, and a speaker 914. Additionally, the UE 900 may include an antenna 904 for sending and receiving electromagnetic radiation, which may be connected to a wireless transceiver 266 coupled to one or more processors in the first SOC 202 and/or the second SOC 204. The UE 900 may include menu selection buttons or rocker switches 920 for receiving user input.

The UE 900 may include a sound encoding/decoding (CODEC) circuit 910, which digitizes sound received from a microphone into data packets suitable for wireless transmission and decodes received sound packets to generate analog signals that are provided to the speaker to produce sound. One or more of the processors in the first SOC 202 and the second SOC 204, the wireless transceiver 266, and the CODEC 910 may include digital signal processor (DSP) circuitry (not shown separately).

The processors of the network device 800 and the UE 900 may be any programmable microprocessor, microcomputer, or multiple-processor chip or chips that can be configured by software instructions (applications) to perform a variety of functions, including the functions of some of the implementations described below. In some UEs, multiple processors may be provided, such as one processor within the SOC 204 dedicated to wireless communication functions and one processor within the SOC 202 dedicated to running other applications. Software applications may be stored in the memory 802, 916 before they are accessed and loaded into the processor. The processor may include internal memory sufficient to store the application software instructions.

As used in this application, the terms "component", "module", "system" and the like are intended to include computer-related entities such as, but not limited to, hardware, firmware, a combination of hardware and software, software, or software in execution, that is configured to perform particular operations or functions. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program or a computer. By way of illustration, both an application running on a UE and the UE itself may be referred to as a component. One or more components may reside within a process or thread of execution, and a component may be localized on one processor or core or distributed between two or more processors or cores. In addition, these components may execute from various non-transitory computer-readable media having various instructions or data structures stored thereon. Components may communicate by way of local or remote processes, function or procedure calls, electronic signals, data packets, memory reads/writes, and other known communication methods relating to networks, computers, processors or processes.

A variety of different cellular and mobile communication services and standards are available or are anticipated in the future, all of which may implement and benefit from the various embodiments. Such services and standards include, for example, the 3rd Generation Partnership Project (3GPP), Long Term Evolution (LTE) systems, third generation wireless mobile communication technology (3G), fourth generation wireless mobile communication technology (4G), fifth generation wireless mobile communication technology (5G) and later-generation 3GPP technologies, Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), 3GSM, General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA) systems (e.g., cdmaOne, CDMA1020TM), Enhanced Data Rates for GSM Evolution (EDGE), Advanced Mobile Phone System (AMPS), Digital AMPS (IS-136/TDMA), Evolution-Data Optimized (EV-DO), Digital Enhanced Cordless Telecommunications (DECT), Worldwide Interoperability for Microwave Access (WiMAX), Wireless Local Area Network (WLAN), Wi-Fi Protected Access I and II (WPA, WPA2) and Integrated Digital Enhanced Network (iDEN). Each of these technologies involves, for example, the transmission and reception of voice, data, signaling and/or content messages. It should be understood that, unless specifically recited in the language of the claims, any reference to terms or technical details related to individual telecommunications standards and/or technologies is for illustrative purposes only and is not intended to limit the scope of the claims to a particular communication system or technology.

The various embodiments illustrated and described are provided merely as examples to illustrate various features of the claims. However, features illustrated and described with respect to any given embodiment are not necessarily limited to the associated embodiment and may be used with or combined with other embodiments that are illustrated and described. Furthermore, the claims are not intended to be limited by any one example embodiment. For example, one or more of the methods and operations described herein may be substituted for or combined with one or more operations of those methods and operations.

Implementation examples are described in the following paragraphs. Although some of the following implementation examples are described in terms of example methods, further example implementations may include: the example methods discussed in the following paragraphs implemented by a UE or network device that includes a processor configured with processor-executable instructions to perform the operations of the methods of the following implementation examples; the example methods discussed in the following paragraphs implemented by a UE or network device that includes means for performing the functions of the methods of the following implementation examples; and the example methods discussed in the following paragraphs implemented as a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a UE or network device to perform the operations of the methods of the following implementation examples.

Example 1. A method of securing communications performed by a processor of a user equipment (UE), comprising: generating a freshness parameter; generating a unique session key based on a first session key and the freshness parameter; sending the freshness parameter to a network application function (NAF) in a configuration that will enable the NAF to generate the unique session key; and communicating with the NAF using the unique session key.

Example 2. The method of example 1, wherein the freshness parameter is generated by a security bootstrapping client executing in the processor; and wherein communicating with the NAF using the unique session key comprises an application client executing in the processor using the unique session key to communicate with the NAF.

Example 3. The method of example 2, wherein the security bootstrapping client of the UE comprises one of a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client.

Example 4. The method of any of examples 1-3, wherein the freshness parameter is associated with a particular application of the UE.

Example 5. The method of any of examples 1-4, wherein the unique session key is associated with a particular application of the UE, and the first session key is associated with the UE.

Example 6. The method of example 5, wherein the particular application comprises a particular instantiation of the application.

Example 7. The method of any of examples 1-6, further comprising receiving from the NAF a request to initiate secure communication.

Example 8. The method of any of examples 1-7, wherein the freshness parameter comprises a random value.

Example 9. The method of any of examples 1-8, wherein the freshness parameter comprises an incrementing nonce value.

Example 10. The method of any of examples 1-9, wherein sending the freshness parameter to the NAF in a configuration that will enable the NAF to generate the unique session key comprises sending the freshness parameter to the NAF in a network service request message.

Example 11. A method of securing communications performed by a processor of a device, comprising: receiving, by a network application function (NAF), a freshness parameter from a user equipment (UE); receiving a first session key from a key server function (KSF); generating a unique session key based on the freshness parameter and the first session key; and communicating with the UE using the unique session key.

Example 12. The method of example 11, wherein the freshness parameter is generated by a security bootstrapping client of the UE; and an application client of the UE uses the unique session key to communicate with the NAF.

Example 13. The method of example 12, wherein the security bootstrapping client of the UE comprises one of a Generic Bootstrapping Architecture (GBA) client or an Authentication and Key Management for Applications (AKMA) client.

Example 14. The method of any of examples 11-13, wherein the freshness parameter is associated with a particular application of the UE.

Example 15. The method of any of examples 11-14, wherein the unique session key is associated with a particular application of the UE, and the first session key is associated with the UE.

Example 16. The method of any of examples 11-15, wherein the particular application comprises a particular instantiation of the application.

Example 17. The method of any of examples 11-16, wherein the freshness parameter comprises a random value.

Example 18. The method of any of examples 11-17, wherein the freshness parameter comprises an incrementing nonce value.

Example 19. The method of any of examples 11-18, further comprising sending to the UE a request to initiate secure communication.

Example 20. The method of any of examples 11-19, wherein receiving the freshness parameter from the UE by the NAF comprises receiving the freshness parameter in a network service request message.
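The UE and NAF sides of examples 1-20 in one runnable model, as an added Python illustration that is not code from the patent. The HMAC-SHA256 key derivation, the NAF's replay cache of already-accepted freshness parameters, and the identities and key bytes are assumptions, since the text fixes none of them.

```python
import hashlib
import hmac
import secrets


def derive_unique_session_key(first_session_key: bytes, app_id: str,
                              freshness: bytes) -> bytes:
    """Assumed KDF shared by UE and NAF: the unique (per-application) session
    key is bound to the UE-level first session key, the application identifier
    and the freshness parameter, so every application instance gets its own key."""
    info = b"unique-session-key\x00" + app_id.encode("utf-8") + b"\x00" + freshness
    return hmac.new(first_session_key, info, hashlib.sha256).digest()


class BootstrappingClient:
    """UE-side security bootstrapping client (the GBA/AKMA client role): holds
    the first session key and issues freshness parameters, either a random
    value (example 8) or an incrementing nonce (example 9)."""

    def __init__(self, first_session_key: bytes, mode: str = "random") -> None:
        self.first_session_key = first_session_key
        self.mode = mode            # "random" or "counter"
        self._counter = 0

    def new_freshness_parameter(self) -> bytes:
        if self.mode == "random":
            return secrets.token_bytes(16)
        self._counter += 1          # strictly increasing, never reused
        return self._counter.to_bytes(8, "big")


class KeyServerFunction:
    """KSF: hands the NAF the first session key of a UE (constructed mapping)."""

    def __init__(self, keys_by_ue: dict) -> None:
        self._keys = dict(keys_by_ue)

    def first_session_key(self, ue_id: str) -> bytes:
        return self._keys[ue_id]


class NetworkApplicationFunction:
    """NAF side (examples 11-20): re-derives the unique session key from the
    freshness parameter carried in the network service request."""

    def __init__(self, ksf: KeyServerFunction) -> None:
        self._ksf = ksf
        self._seen = set()          # replay cache of accepted parameters (assumption)

    def handle_service_request(self, ue_id: str, app_id: str,
                               freshness: bytes) -> bytes:
        entry = (ue_id, app_id, freshness)
        if entry in self._seen:
            # A repeated freshness parameter would re-create an earlier key;
            # refusing it keeps every accepted session key unique.
            raise ValueError("replayed freshness parameter rejected")
        self._seen.add(entry)
        first_key = self._ksf.first_session_key(ue_id)
        return derive_unique_session_key(first_key, app_id, freshness)


class UserEquipment:
    """UE: the bootstrapping client produces the freshness parameter, the
    application client sends it to the NAF and uses the derived key."""

    def __init__(self, ue_id: str, bootstrap: BootstrappingClient) -> None:
        self.ue_id = ue_id
        self.bootstrap = bootstrap

    def start_app_session(self, naf: NetworkApplicationFunction,
                          app_id: str) -> tuple:
        fresh = self.bootstrap.new_freshness_parameter()
        ue_key = derive_unique_session_key(
            self.bootstrap.first_session_key, app_id, fresh)
        naf_key = naf.handle_service_request(self.ue_id, app_id, fresh)
        return fresh, ue_key, naf_key     # both sides should hold the same key


def demo() -> dict:
    """Two instances of one application, a second application, and a replay
    attempt; returns the derived keys so the outcome can be checked."""
    ks = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed
    ksf = KeyServerFunction({"ue-1": ks})
    naf = NetworkApplicationFunction(ksf)
    ue = UserEquipment("ue-1", BootstrappingClient(ks, mode="counter"))
    f1, a1_ue, a1_naf = ue.start_app_session(naf, "app-A")
    _, a2_ue, a2_naf = ue.start_app_session(naf, "app-A")
    _, b_ue, b_naf = ue.start_app_session(naf, "app-B")
    replay_rejected = False
    try:
        naf.handle_service_request("ue-1", "app-A", f1)
    except ValueError:
        replay_rejected = True
    return {"a1": (a1_ue, a1_naf), "a2": (a2_ue, a2_naf),
            "b": (b_ue, b_naf), "replay_rejected": replay_rejected}
```

Running demo() shows the two sides agreeing on each key, two instances of app-A receiving different keys, and the NAF refusing a re-sent freshness parameter.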

The foregoing method descriptions and process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the operations of the various embodiments must be performed in the order presented. As will be appreciated by one of skill in the art, the order of operations in the foregoing embodiments may be performed in any order. Words such as "thereafter", "then", "next", etc. are not intended to limit the order of the operations; these words are used to guide the reader through the description of the methods. Further, any reference to claim elements in the singular (for example, using the articles "a", "an" or "the") is not to be construed as limiting the element to the singular.

The various illustrative logical blocks, modules, components, circuits and algorithm operations described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and operations have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the claims.

The hardware used to implement or perform the various illustrative logics, logical blocks, modules and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of receiver smart objects, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Alternatively, some operations or methods may be performed by circuitry that is specific to a given function.

In one or more embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable storage medium or non-transitory processor-readable storage medium. The operations of a method or algorithm disclosed herein may be embodied in a processor-executable software module or processor-executable instructions, which may reside on a non-transitory computer-readable or processor-readable storage medium. Non-transitory computer-readable or processor-readable storage media may be any storage media that may be accessed by a computer or a processor. By way of example but not limitation, such non-transitory computer-readable or processor-readable storage media may include RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage smart objects, or any other medium that may be used to store desired program code in the form of instructions or data structures and that may be accessed by a computer. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable storage medium and/or computer-readable storage medium, which may be incorporated into a computer program product.

The preceding description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the claims. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the scope of the claims. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the appended claims and the principles and novel features disclosed herein.

100: communication system; 102a: macro cell; 102b: pico cell; 102c: femto cell; 110a: BS; 110b: BS; 110c: BS; 110d: BS; 120a: UE; 120b: UE; 120c: UE; 120d: UE; 120e: UE; 122: wireless communication link; 124: wireless communication link; 126: wired communication link; 130: network controller; 140: core network; 142: edge network; 142a: network device; 150: edge computing system; 154: edge application server; 156: edge enabler server; 158: edge configuration server; 160: 3GPP core network; 170: UE; 172: application client; 174: edge enabler client; 200: computing and wireless modem system; 202: SOC; 204: SOC; 206: clock; 208: voltage regulator; 210: digital signal processor; 212: modem processor; 214: graphics processor; 216: application processor; 218: auxiliary processor; 220: memory; 222: custom circuitry; 224: system components and resources; 226: interconnect/bus module; 230: temperature sensor; 232: thermal management unit; 234: thermal power envelope (TPE) component; 250: interconnect/bus module; 252: 5G modem processor; 254: power management unit; 256: millimeter-wave transceiver; 258: memory; 260: processor; 264: interconnect/bus module; 266: wireless transceiver; 300: software architecture; 302: NAS; 304: AS; 306: PHY; 308: media access control (MAC) sublayer; 310: radio link control (RLC) sublayer; 312: packet data convergence protocol (PDCP) sublayer; 313: RRC sublayer; 314: host layer; 316: hardware interface; 317: service data adaptation protocol (SDAP) sublayer; 320: UE; 350: network device; 400: system; 402: UE; 404: network device; 406: machine-readable instructions; 408: freshness parameter module; 410: unique session key module; 412: transmit/receive (TX/RX) module; 426: electronic storage; 428: processor; 430: electronic storage; 432: processor; 434: machine-readable instructions; 436: freshness parameter module; 438: unique session key module; 440: TX/RX module; 500a: system; 500b: method; 502: UE; 504: NAF; 506: KSF; 508: home subscriber server (HSS); 510: subscriber locator function (SLF); 520: UE; 522: GBA client; 524: application client; 526: network device; 528: NAF; 530: KSF; 532: request message; 534: operation; 536: operation; 538: message; 540: message; 542: message; 544: message; 546: operation; 548: operation; 550: message; 552: secure communication; 600: method; 602: operation; 604: operation; 606: operation; 608: operation; 610: operation; 700: method; 702: operation; 704: operation; 706: operation; 708: operation; 710: operation; 800: network device; 801: processor; 802: volatile memory; 804: network access port; 806: peripheral memory access device; 807: antenna; 808: disk drive; 900: UE; 904: antenna; 910: sound encoding/decoding (CODEC) circuit; 912: display; 914: speaker; 916: internal memory; 920: menu selection button / rocker switch; Dz: interface Dz; EDGE-1: edge interface EDGE-1; EDGE-2: edge interface EDGE-2; EDGE-3: edge interface EDGE-3; EDGE-4: edge interface EDGE-4; EDGE-5: edge interface EDGE-5; EDGE-6: edge interface EDGE-6; EDGE-7: edge interface EDGE-7; EDGE-9: edge interface EDGE-9; L1: layer 1; L2: layer 2; L3: layer 3; MAC: media access control; PDCP: packet data convergence protocol; PHY: physical layer; RLC: radio link control; RRC: radio resource control; SDAP: service data adaptation protocol; Ua: interface Ua; Ub: interface Ub; Zh: interface Zh; Zn: interface Zn

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments and, together with the general description given above and the detailed description given below, serve to explain the features of the various embodiments.

Figure 1A is a system block diagram illustrating an example communication system suitable for implementing any of the various embodiments.

Figure 1B is a system block diagram illustrating an example edge computing system suitable for use with the various embodiments.

Figure 2 is a component block diagram illustrating an example computing and wireless modem system suitable for implementing any of the various embodiments.

Figure 3 is a component block diagram illustrating a software architecture suitable for implementing any of the various embodiments, including radio protocol stacks for the user and control planes in wireless communications.

Figures 4A and 4B are component block diagrams illustrating a system configured to enhance coverage for initial access according to various embodiments.

Figure 5A is a block diagram illustrating an example system for bootstrapping application security suitable for use with the various embodiments.

Figure 5B is a message flow diagram illustrating communications exchanged between network devices during a method 500b for securing communications according to various embodiments.

Figure 6 is a process flow diagram illustrating a method for securing communications performed by a processor of a UE according to various embodiments.

Figure 7 is a process flow diagram illustrating a method for securing communications performed by a processor of a network device according to various embodiments.

Figure 8 is a component block diagram of a network device suitable for use with the various embodiments.

Figure 9 is a component block diagram of a UE suitable for use with the various embodiments.

Domestic deposit information (listed by depository institution, date and number): none. Foreign deposit information (listed by depository country, institution, date and number): none.

600: method; 602: operation; 604: operation; 606: operation; 608: operation; 610: operation

Claims (34)

一種使用者設備(UE),包括: 一處理器,其被配置有處理器可執行指令以進行以下操作: 產生一新鮮度參數; 基於一第一通信期金鑰和該新鮮度參數來產生一唯一通信期金鑰; 在將賦能一網路應用功能(NAF)產生該唯一通信期金鑰的一配置中向該NAF發送該新鮮度參數;及 使用該唯一通信期金鑰來與該NAF進行通訊。 A user equipment (UE), comprising: A processor configured with processor-executable instructions to: generate a freshness parameter; generating a unique session key based on a first session key and the freshness parameter; sending the freshness parameter to a network application function (NAF) in a configuration that will enable the NAF to generate the unique session key; and Use the unique session key to communicate with the NAF. 如請求項1之UE,其中: 該新鮮度參數是由在該處理器中執行的一安全牽引客戶端來產生的;並且 在該處理器中執行的一應用客戶端使用該唯一通信期金鑰來與該NAF進行通訊。 Such as the UE of claim item 1, wherein: the freshness parameter is generated by a secure pull client executing in the processor; and An application client executing in the processor communicates with the NAF using the unique session key. 如請求項2之UE,其中該UE的該安全牽引客戶端包括一通用牽引架構(GBA)客戶端或用於一應用的認證和金鑰管理(AKMA)客戶端中的一者。The UE of claim 2, wherein the secure pull client of the UE includes one of a Generic Pull Architecture (GBA) client or an Authentication and Key Management for an Application (AKMA) client. 如請求項1之UE,其中該新鮮度參數與該UE的一特定應用相關聯。The UE of claim 1, wherein the freshness parameter is associated with a specific application of the UE. 如請求項1之UE,其中該處理器亦被配置有處理器可執行指令,使得該唯一通信期金鑰與該UE的特定應用相關聯,並且該第一通信期金鑰與該UE相關聯。The UE of claim 1, wherein the processor is also configured with processor-executable instructions such that the unique session key is associated with a specific application of the UE, and the first session key is associated with the UE . 如請求項5之UE,其中該處理器亦被配置有處理器可執行指令,使得該特定應用包括該應用的一特定實例化。The UE of claim 5, wherein the processor is also configured with processor-executable instructions such that the specific application includes a specific instantiation of the application. 
如請求項1之UE,其中該處理器亦被配置有處理器可執行指令,使得該新鮮度參數包括一隨機值。The UE of claim 1, wherein the processor is also configured with processor-executable instructions such that the freshness parameter includes a random value. 如請求項1之UE,其中該處理器亦被配置有處理器可執行指令,使得該新鮮度參數包括一遞增的亂數值。The UE of claim 1, wherein the processor is also configured with processor-executable instructions such that the freshness parameter includes an increasing random value. 如請求項1之UE,其中該處理器亦被配置有處理器可執行指令,以在一網路服務請求訊息中向該NAF發送該新鮮度參數。The UE of claim 1, wherein the processor is also configured with processor-executable instructions to send the freshness parameter to the NAF in a network service request message. 一種由一使用者設備(UE)的一處理器執行的保護通訊的方法,包括: 產生一新鮮度參數; 基於一第一通信期金鑰和該新鮮度參數來產生一唯一通信期金鑰; 在將賦能一網路應用功能(NAF)產生該唯一通信期金鑰的一配置中向該NAF發送該新鮮度參數;及 使用該唯一通信期金鑰來與該NAF進行通訊。 A method of securing communications performed by a processor of a user equipment (UE), comprising: generate a freshness parameter; generating a unique session key based on a first session key and the freshness parameter; sending the freshness parameter to a network application function (NAF) in a configuration that will enable the NAF to generate the unique session key; and Use the unique session key to communicate with the NAF. 如請求項10之方法,其中: 該新鮮度參數是由該UE的一安全牽引客戶端來產生的;並且 該UE的一應用客戶端使用該唯一通信期金鑰來與該NAF進行通訊。 The method of claim 10, wherein: The freshness parameter is generated by a security pull client of the UE; and An application client of the UE uses the unique session key to communicate with the NAF. 如請求項11之方法,其中該UE的該安全牽引客戶端包括一通用牽引架構(GBA)客戶端或一應用的認證和金鑰管理(AKMA)客戶端中的一者。The method of claim 11, wherein the secure pull client of the UE comprises one of a Generic Pull Architecture (GBA) client or an Applied Authentication and Key Management (AKMA) client. 如請求項10之方法,其中該新鮮度參數與該UE的一特定應用相關聯。The method of claim 10, wherein the freshness parameter is associated with a specific application of the UE. 
14. The method of claim 10, wherein the unique session key is associated with a specific application of the UE, and the first session key is associated with the UE.
15. The method of claim 14, wherein the specific application comprises a specific instantiation of the application.
16. The method of claim 11, wherein the freshness parameter comprises a random value.
17. The method of claim 11, wherein the freshness parameter comprises an incrementing random value.
18. The method of claim 11, wherein sending the freshness parameter to the NAF in a configuration that enables the NAF to generate the unique session key comprises sending the freshness parameter to the NAF in a network service request message.
19. A network device, comprising:
    a processor configured with processor-executable instructions to:
        receive, at a network application function (NAF), a freshness parameter from a user equipment (UE);
        receive a first session key from a key server function;
        generate a unique session key based on the freshness parameter and the first session key; and
        communicate with the UE using the unique session key.
20. The network device of claim 19, wherein the freshness parameter is associated with a specific application of the UE.
21. The network device of claim 19, wherein the freshness parameter comprises a random value.
22. The network device of claim 19, wherein the freshness parameter comprises an incrementing random value.
23. The network device of claim 19, wherein the unique session key is associated with a specific application of the UE, and the first session key is associated with the UE.
24. The network device of claim 23, wherein the specific application comprises a specific instantiation of the application.
25. The network device of claim 19, wherein the processor is further configured with processor-executable instructions to send to the UE a request to initiate secure communication.
26. The network device of claim 19, wherein the processor is further configured with processor-executable instructions to receive the freshness parameter in a network service request message.
27. A method of securing communication, performed by a processor of a device, comprising:
    receiving, by a network application function (NAF), a freshness parameter from a user equipment (UE);
    receiving a first session key from a key server function;
    generating a unique session key based on the freshness parameter and the first session key; and
    communicating with the UE using the unique session key.
28. The method of claim 27, wherein the freshness parameter is associated with a specific application of the UE.
29. The method of claim 27, wherein the freshness parameter comprises a random value.
30. The method of claim 27, wherein the freshness parameter comprises an incrementing random value.
31. The method of claim 27, wherein the unique session key is associated with a specific application of the UE, and the first session key is associated with the UE.
32. The method of claim 31, wherein the specific application comprises a specific instantiation of the application.
33. The method of claim 27, further comprising sending to the UE a request to initiate secure communication.
34. The method of claim 27, wherein receiving the freshness parameter from the UE at the NAF comprises receiving the freshness parameter in a network service request message.
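The claims above describe the exchange only in prose: the UE sends a freshness parameter (random or incrementing) in a network service request, the NAF obtains the UE-level first session key from the key server function, and both sides derive a per-application unique session key from those two inputs. The following is an added example written for this page, not code from the patent, its applicant or any 3GPP specification. It assumes HMAC-SHA256 as the key derivation function, a key-confirmation MAC returned by the NAF (so the derived key itself is never transmitted), and hypothetical class and function names; the first session key value is a constructed placeholder.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the first session key that the key server
# function shares with the NAF for this UE. Not a real key.
FIRST_SESSION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def derive_unique_session_key(first_session_key: bytes, app_id: str,
                              freshness: bytes) -> bytes:
    """Derive a per-application session key from the UE-level first session key.

    Assumed construction (the claims do not name one): HMAC-SHA256 used as a
    KDF over a label, the application identifier and the freshness parameter.
    Both the UE and the NAF compute this independently.
    """
    info = b"app-session-key|" + app_id.encode("utf-8") + b"|" + freshness
    return hmac.new(first_session_key, info, hashlib.sha256).digest()


def key_confirmation(unique_key: bytes, freshness: bytes) -> bytes:
    """MAC the NAF returns so the UE can check both sides derived the same key."""
    return hmac.new(unique_key, b"naf-key-confirm|" + freshness,
                    hashlib.sha256).digest()


class KeyServerFunction:
    """Holds the first session key per UE and hands it to the NAF on request."""

    def __init__(self):
        self._keys = {}

    def register(self, ue_id: str, key: bytes) -> None:
        self._keys[ue_id] = key

    def first_session_key(self, ue_id: str) -> bytes:
        return self._keys[ue_id]


class NAF:
    """Network application function: derives the unique session key."""

    def __init__(self, ksf: KeyServerFunction):
        self._ksf = ksf
        self._seen = set()  # (ue_id, app_id, freshness) triples already used

    def handle_service_request(self, ue_id: str, app_id: str,
                               freshness: bytes) -> bytes:
        # A freshness parameter must not be accepted twice for the same UE and
        # application; otherwise a replayed request would recreate an old key.
        tag = (ue_id, app_id, freshness)
        if tag in self._seen:
            raise ValueError("freshness parameter reused")
        self._seen.add(tag)
        ks = self._ksf.first_session_key(ue_id)
        unique_key = derive_unique_session_key(ks, app_id, freshness)
        return key_confirmation(unique_key, freshness)


class UEApplication:
    """One instantiation of an application on the UE."""

    def __init__(self, ue_id: str, app_id: str, first_session_key: bytes,
                 counter_based: bool = False):
        self.ue_id, self.app_id, self._ks = ue_id, app_id, first_session_key
        self._counter_based = counter_based
        self._counter = 0

    def next_freshness(self) -> bytes:
        # The claims allow either a random value or an incrementing one.
        if self._counter_based:
            self._counter += 1
            return self._counter.to_bytes(8, "big")
        return os.urandom(16)

    def establish(self, naf: NAF, freshness=None):
        """Send freshness to the NAF, derive locally, verify NAF's confirmation."""
        if freshness is None:
            freshness = self.next_freshness()
        confirm = naf.handle_service_request(self.ue_id, self.app_id, freshness)
        unique_key = derive_unique_session_key(self._ks, self.app_id, freshness)
        ok = hmac.compare_digest(confirm, key_confirmation(unique_key, freshness))
        return unique_key, ok


if __name__ == "__main__":
    ksf = KeyServerFunction()
    ksf.register("ue-1", FIRST_SESSION_KEY)
    naf = NAF(ksf)
    first = UEApplication("ue-1", "chat", FIRST_SESSION_KEY)
    second = UEApplication("ue-1", "chat", FIRST_SESSION_KEY)
    k1, ok1 = first.establish(naf)
    k2, ok2 = second.establish(naf)
    print("confirmed:", ok1 and ok2, "distinct per instantiation:", k1 != k2)
```

Two instantiations of the same application on the same UE share the first session key but obtain distinct unique session keys because their freshness parameters differ; the NAF's replay set is what stops a captured network service request from re-deriving a previous key, which is the check a practitioner would want beside the derivation itself.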

Applications Claiming Priority (4)

Application Number                              Priority Date   Filing Date   Title
US63/245,692 (US202163245692P)                  2021-09-17      2021-09-17
US17/931,505 (published as US20230093720A1)     2021-09-17      2022-09-12    Securing Application Communication

Publications (1)

Publication Number Publication Date
TW202320557A true TW202320557A (en) 2023-05-16

Family

ID=83598417

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111134693A TW202320557A (en) 2021-09-17 2022-09-14 Securing application communication

Country Status (3)

Country Link
KR (1) KR20240056515A (en)
TW (1) TW202320557A (en)
WO (1) WO2023043724A1 (en)


Also Published As

Publication number Publication date
WO2023043724A1 (en) 2023-03-23
KR20240056515A (en) 2024-04-30
