WO2023175541A1 - Authentication and registration of personal internet of things network elements - Google Patents


Info

Publication number
WO2023175541A1
Authority
WO
WIPO (PCT)
Application number
PCT/IB2023/052540
Other languages
French (fr)
Inventor
Andreas Kunz
Sheeba Backia Mary BASKARAN
Original Assignee
Lenovo (Singapore) Pte. Ltd.
Application filed by Lenovo (Singapore) Pte. Ltd.
Publication of WO2023175541A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04W 60/00: Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • the subject matter disclosed herein relates generally to wireless communications and more particularly relates to authentication and registration of personal internet of things network (“PIN”) elements.
  • PIN personal internet of things network
  • PIN elements may be used.
  • the PIN elements may need to be authenticated.
  • One embodiment of a method includes performing, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials.
  • the method includes generating a first request message to establish a non-access stratum (“NAS”) registration request with a first access and mobility management function (“AMF”).
  • the first request message includes a list of locally registered PIN element identifiers without third generation partnership program (“3GPP”) credentials.
  • the method includes receiving, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of single network slice selection assistance information (“S-NSSAI”) and a binding policy for operator managed PIN elements.
  • S-NSSAI single network slice selection assistance information
  • One apparatus for authentication and registration of PIN elements includes a first network device.
  • the apparatus includes a transceiver.
  • the apparatus includes a processor coupled to the transceiver.
  • the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials.
  • the processor generates a first request message to establish a NAS registration request with a first AMF.
  • the first request message includes a list of locally registered PIN element identifiers without 3GPP credentials.
  • the transceiver receives, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • Another embodiment of a method for authentication and registration of PIN elements includes performing, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials.
  • the method includes receiving information for setting up a secure layer 2 connection with a first network device.
  • the method includes setting up the secure layer 2 connection.
  • Another apparatus for authentication and registration of PIN elements includes a PIN element.
  • the apparatus includes a transceiver.
  • the apparatus includes a processor coupled to the transceiver.
  • the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials.
  • the transceiver receives information for setting up a secure layer 2 connection with a first network device.
  • the processor sets up the secure layer 2 connection.
  • a further embodiment of a method for authentication and registration of PIN elements includes receiving, at a second network device, a first request message to establish a NAS registration request.
  • the first request message includes a list of locally registered PIN element identifiers with 3GPP credentials.
  • the method includes transmitting, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • a further apparatus for authentication and registration of PIN elements includes a second network device.
  • the apparatus includes a transceiver.
  • the apparatus includes a processor coupled to the transceiver.
  • the transceiver receives a first request message to establish a NAS registration request.
  • the first request message includes a list of locally registered PIN element identifiers with 3GPP credentials.
  • the transceiver transmits, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • Figure 1 is a schematic block diagram illustrating one embodiment of a wireless communication system for authentication and registration of PIN elements;
  • Figure 2 is a schematic block diagram illustrating one embodiment of an apparatus that may be used for authentication and registration of PIN elements;
  • Figure 3 is a schematic block diagram illustrating one embodiment of an apparatus that may be used for authentication and registration of PIN elements;
  • Figure 4 is a schematic block diagram illustrating one embodiment of a system including PIN elements;
  • Figure 5 is a schematic block diagram illustrating one embodiment of a system for registration and authentication of devices without 3GPP credentials for PIN elements;
  • Figure 6 is a schematic block diagram illustrating one embodiment of a system for registration of a PIN element with management capabilities (“PEMC”) and/or a PIN element with gateway capabilities (“PEGC”) (“PEMC/PEGC”) in a fifth generation core (“5GC”);
  • PEMC PIN element with management capabilities
  • PEGC PIN element with gateway capabilities
  • 5GC fifth generation core
  • Figure 7 is a schematic block diagram illustrating one embodiment of a system for registration of PIN elements with 3GPP credentials locally and in a 5GC;
  • Figure 8 is a schematic block diagram illustrating one embodiment of a system for binding locally registered PIN elements;
  • Figure 9 is a schematic block diagram illustrating one embodiment of a system with a service request for PIN elements without 3GPP credentials to send data via a 5GC;
  • Figure 10 is a flow chart diagram illustrating one embodiment of a method for authentication and registration of PIN elements;
  • Figure 11 is a flow chart diagram illustrating another embodiment of a method for authentication and registration of PIN elements; and
  • Figure 12 is a flow chart diagram illustrating a further embodiment of a method for authentication and registration of PIN elements.
  • embodiments may be embodied as a system, apparatus, method, or program product. Accordingly, embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, embodiments may take the form of a program product embodied in one or more computer readable storage devices storing machine readable code, computer readable code, and/or program code, referred to hereafter as code. The storage devices may be tangible, non-transitory, and/or non-transmission. The storage devices may not embody signals. In a certain embodiment, the storage devices only employ signals for accessing code.
  • modules may be implemented as a hardware circuit comprising custom very-large-scale integration (“VLSI”) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components.
  • VLSI very-large-scale integration
  • a module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
  • Modules may also be implemented in code and/or software for execution by various types of processors.
  • An identified module of code may, for instance, include one or more physical or logical blocks of executable code which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may include disparate instructions stored in different locations which, when joined logically together, include the module and achieve the stated purpose for the module.
  • a module of code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices.
  • operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different computer readable storage devices.
  • the software portions are stored on one or more computer readable storage devices.
  • the computer readable medium may be a computer readable storage medium.
  • the computer readable storage medium may be a storage device storing the code.
  • the storage device may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, holographic, micromechanical, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • more specific examples (a non-exhaustive list) of the storage device would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (“RAM”), a read-only memory (“ROM”), an erasable programmable read-only memory (“EPROM” or Flash memory), a portable compact disc read-only memory (“CD-ROM”), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Code for carrying out operations for embodiments may be any number of lines and may be written in any combination of one or more programming languages including an object oriented programming language such as Python, Ruby, Java, Smalltalk, C++, or the like, and conventional procedural programming languages, such as the "C" programming language, or the like, and/or machine languages such as assembly languages.
  • the code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (“LAN”) or a wide area network (“WAN”), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • the code may also be stored in a storage device that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the storage device produce an article of manufacture including instructions which implement the function/act specified in the schematic flowchart diagrams and/or schematic block diagrams block or blocks.
  • the code may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the code which executes on the computer or other programmable apparatus provides processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the schematic flowchart diagrams and/or schematic block diagrams may represent a module, segment, or portion of code, which includes one or more executable instructions of the code for implementing the specified logical function(s).
  • Figure 1 depicts an embodiment of a wireless communication system 100 for authentication and registration of PIN elements.
  • the wireless communication system 100 includes remote units 102 and network units 104. Even though a specific number of remote units 102 and network units 104 are depicted in Figure 1, one of skill in the art will recognize that any number of remote units 102 and network units 104 may be included in the wireless communication system 100.
  • the remote units 102 may include computing devices, such as desktop computers, laptop computers, personal digital assistants (“PDAs”), tablet computers, smart phones, smart televisions (e.g., televisions connected to the Internet), set-top boxes, game consoles, security systems (including security cameras), vehicle on-board computers, network devices (e.g., routers, switches, modems), aerial vehicles, drones, or the like.
  • the remote units 102 include wearable devices, such as smart watches, fitness bands, optical head-mounted displays, or the like.
  • the remote units 102 may be referred to as subscriber units, mobiles, mobile stations, users, terminals, mobile terminals, fixed terminals, subscriber stations, UE, user terminals, a device, or by other terminology used in the art.
  • the remote units 102 may communicate directly with one or more of the network units 104 via UL communication signals. In certain embodiments, the remote units 102 may communicate directly with other remote units 102 via sidelink communication.
  • the network units 104 may be distributed over a geographic region.
  • a network unit 104 may also be referred to and/or may include one or more of an access point, an access terminal, a base, a base station, a location server, a core network (“CN”), a radio network entity, a Node-B, an evolved node-B (“eNB”), a 5G node-B (“gNB”), a Home Node-B, a relay node, a device, a core network, an aerial server, a radio access node, an access point (“AP”), new radio (“NR”), a network entity, an access and mobility management function (“AMF”), a unified data management (“UDM”), a unified data repository (“UDR”), a UDM/UDR, a policy control function (“PCF”), a radio access network (“RAN”), a network slice selection function (“NSSF”), an operations, administration, and management (“OAM”), a session management function (“SMF”)
  • CN core network
  • the network units 104 are generally part of a radio access network that includes one or more controllers communicably coupled to one or more corresponding network units 104.
  • the radio access network is generally communicably coupled to one or more core networks, which may be coupled to other networks, like the Internet and public switched telephone networks, among other networks. These and other elements of radio access and core networks are not illustrated but are well known generally by those having ordinary skill in the art.
  • the wireless communication system 100 is compliant with NR protocols standardized in 3GPP, wherein the network unit 104 transmits using an orthogonal frequency division multiplexing (“OFDM”) modulation scheme on the downlink (“DL”) and the remote units 102 transmit on the uplink (“UL”) using a single-carrier frequency division multiple access (“SC-FDMA”) scheme or an OFDM scheme. More generally, however, the wireless communication system 100 may implement some other open or proprietary communication protocol, for example, WiMAX, institute of electrical and electronics engineers (“IEEE”) 802.
  • GSM global system for mobile communications
  • GPRS general packet radio service
  • UMTS universal mobile telecommunications system
  • LTE long term evolution
  • CDMA2000 code division multiple access 2000
  • Bluetooth®, ZigBee, Sigfoxx, among other protocols.
  • the present disclosure is not intended to be limited to the implementation of any particular wireless communication system architecture or protocol.
  • the network units 104 may serve a number of remote units 102 within a serving area, for example, a cell or a cell sector via a wireless communication link.
  • the network units 104 transmit DL communication signals to serve the remote units 102 in the time, frequency, and/or spatial domain.
  • a network unit 104 may perform, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials.
  • the network unit 104 may generate a first request message to establish a NAS registration request with a first AMF.
  • the first request message includes a list of locally registered PIN element identifiers without 3GPP credentials.
  • the network unit 104 may receive, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements. Accordingly, the network unit 104 may be used for authentication and registration of PIN elements.
  • a remote unit 102 and/or a network unit 104 may perform, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials.
  • the remote unit 102 and/or the network unit 104 may receive information for setting up a secure layer 2 connection with a first network device.
  • the remote unit 102 and/or the network unit 104 may set up the secure layer 2 connection. Accordingly, the remote unit 102 and/or the network unit 104 may be used for authentication and registration of PIN elements.
  • a network unit 104 may receive, at a second network device, a first request message to establish a NAS registration request.
  • the first request message includes a list of locally registered PIN element identifiers with 3GPP credentials.
  • the network unit 104 may transmit, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements. Accordingly, the network unit 104 may be used for authentication and registration of PIN elements.
  • Figure 2 depicts one embodiment of an apparatus 200 that may be used for authentication and registration of PIN elements.
  • the apparatus 200 includes one embodiment of the remote unit 102.
  • the remote unit 102 may include a processor 202, a memory 204, an input device 206, a display 208, a transmitter 210, and a receiver 212.
  • the input device 206 and the display 208 are combined into a single device, such as a touchscreen.
  • the remote unit 102 may not include any input device 206 and/or display 208.
  • the remote unit 102 may include one or more of the processor 202, the memory 204, the transmitter 210, and the receiver 212, and may not include the input device 206 and/or the display 208.
  • the processor 202 may include any known controller capable of executing computer-readable instructions and/or capable of performing logical operations.
  • the processor 202 may be a microcontroller, a microprocessor, a central processing unit (“CPU”), a graphics processing unit (“GPU”), an auxiliary processing unit, a field programmable gate array (“FPGA”), or similar programmable controller.
  • the processor 202 executes instructions stored in the memory 204 to perform the methods and routines described herein.
  • the processor 202 is communicatively coupled to the memory 204, the input device 206, the display 208, the transmitter 210, and the receiver 212.
  • the memory 204 in one embodiment, is a computer readable storage medium.
  • the memory 204 includes volatile computer storage media.
  • the memory 204 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/or static RAM (“SRAM”).
  • the memory 204 includes non-volatile computer storage media.
  • the memory 204 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device.
  • the memory 204 includes both volatile and non-volatile computer storage media.
  • the memory 204 also stores program code and related data, such as an operating system or other controller algorithms operating on the remote unit 102.
  • the input device 206 may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like.
  • the input device 206 may be integrated with the display 208, for example, as a touchscreen or similar touch-sensitive display.
  • the input device 206 includes a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/or by handwriting on the touchscreen.
  • the input device 206 includes two or more different devices, such as a keyboard and a touch panel.
  • the display 208 may include any known electronically controllable display or display device.
  • the display 208 may be designed to output visual, audible, and/or haptic signals.
  • the display 208 includes an electronic display capable of outputting visual data to a user.
  • the display 208 may include, but is not limited to, a liquid crystal display (“LCD”), a light emitting diode (“LED”) display, an organic light emitting diode (“OLED”) display, a projector, or similar display device capable of outputting images, text, or the like to a user.
  • LCD liquid crystal display
  • LED light emitting diode
  • OLED organic light emitting diode
  • the display 208 may include a wearable display such as a smart watch, smart glasses, a heads-up display, or the like. Further, the display 208 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
  • In certain embodiments, the display 208 includes one or more speakers for producing sound. For example, the display 208 may produce an audible alert or notification (e.g., a beep or chime). In some embodiments, the display 208 includes one or more haptic devices for producing vibrations, motion, or other haptic feedback.
  • all or portions of the display 208 may be integrated with the input device 206.
  • the input device 206 and display 208 may form a touchscreen or similar touch-sensitive display.
  • the display 208 may be located near the input device 206.
  • the remote unit 102 may have any suitable number of transmitters 210 and receivers 212.
  • the transmitter 210 and the receiver 212 may be any suitable type of transmitters and receivers.
  • the transmitter 210 and the receiver 212 may be part of a transceiver.
  • the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the transceiver receives information for setting up a secure layer 2 connection with a first network device. In various embodiments, the processor 202 sets up the secure layer 2 connection.
  • Figure 3 depicts one embodiment of an apparatus 300 that may be used for authentication and registration of PIN elements.
  • the apparatus 300 includes one embodiment of the network unit 104.
  • the network unit 104 may include a processor 302, a memory 304, an input device 306, a display 308, a transmitter 310, and a receiver 312.
  • the processor 302, the memory 304, the input device 306, the display 308, the transmitter 310, and the receiver 312 may be substantially similar to the processor 202, the memory 204, the input device 206, the display 208, the transmitter 210, and the receiver 212 of the remote unit 102, respectively.
  • the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials.
  • the processor 302 generates a first request message to establish a NAS registration request with a first AMF.
  • the first request message includes a list of locally registered PIN element identifiers without 3GPP credentials.
  • the transceiver receives, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the transceiver receives information for setting up a secure layer 2 connection with a first network device. In various embodiments, the processor 302 sets up the secure layer 2 connection.
  • the transceiver receives a first request message to establish a NAS registration request.
  • the first request message includes a list of locally registered PIN element identifiers with 3GPP credentials.
  • the transceiver transmits, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • security may be used by a device for authentication, authorization, data protection, and registration to a mobile core network.
  • there may be security protection and access control that indicates 1) how a fifth generation system (“5GS”) supports secure protection for communications between personal internet of things (“IoT”) network (“PIN”) elements (e.g., via a PEGC or via a 5GC), or for communications between PIN elements and a PEGC; and/or 2) a gap analysis on how a 5GS supports mitigation of repeated and unauthorized attempts to access PIN elements (e.g., from the internet, or from other PIN elements via a PEGC).
  • 5GS fifth generation system
  • PIN personal internet of things
  • 1) PIN elements need to authenticate with each other and with a PEMC as well as the PEGC; 2) a role of the PEMC and the PEGC may be defined; 3) the PEGC is connected via non-3GPP access to the 5GC; 4) locally authenticated and authorized PIN element identities are registered to the 5GC to allow communication between PIN elements inside and outside a personal IoT network; and/or 5) local authentication of PIN elements with 3GPP managed credentials is different from local authentication with other credentials.
  • PIN elements may connect to a non-3GPP network.
  • a non-3GPP access network (e.g., trusted or untrusted access).
  • device capabilities (e.g., devices with 3GPP credentials with NAS capabilities or without NAS capabilities, behind a residential gateway or with a direct connection to the non-3GPP access point (“AP”)).
  • devices without 3GPP credentials are limited to a residential gateway and not to end user devices (e.g., PIN elements).
  • a local binding for a direct communication within a local personal network may be performed and a service request procedure for data access to a data network (“DN”) via a 5GC may be made.
  • DN data network
  • Figure 4 is a schematic block diagram illustrating one embodiment of a system 400 including PIN elements.
  • the system 400 includes a PIN element #A 402 (e.g., motion sensor) that communicates a trigger to a PIN element #B 404 (e.g., surveillance camera).
  • the PIN element #A 402 sends a motion detected (e.g., via locally encrypted commands) signal to a PIN element with management capabilities 406.
  • the PIN element #B 404 sends data to a PIN element with gateway capabilities 408.
  • the PIN element with management capabilities 406 provides a list of registered PIN elements to the PIN element with gateway capabilities 408.
  • the PIN element with management capabilities 406 provides an indication to turn a light switch (e.g., via locally encrypted commands) on to a PIN element #C 410 (e.g., light).
  • the PIN element with gateway capabilities 408 sends information to a 5GC 412, and the 5GC 412 sends information to a PIN element #D 414 (e.g., smartphone).
  • the PIN element with gateway capabilities 408 registers all the local PIN elements in the fifth generation (“5G”) core network (“CN”).
  • 5G fifth generation
  • 5G CN fifth generation core network
  • a PEMC and a PEGC may be collocated as one function within a same entity or may be implemented as two separate functions.
  • the PEMC and/or the PEGC may be considered as a user equipment (“UE”) from the 5GC point of view with additional capabilities (e.g., registration of local PIN elements without 3GPP credentials to the 5GC).
  • UE user equipment
  • for PIN elements without 3GPP credentials, there may be local registration and authentication.
  • for PIN elements without 3GPP credentials, it is assumed that the credentials are preconfigured in the PIN element and in a PEMC and/or PEGC.
  • Figure 5 is a schematic block diagram illustrating one embodiment of a system 500 for registration and authentication of devices without 3GPP credentials for PIN elements.
  • the system 500 includes a PIN element #A 502, a PEMC/PEGC 504, and a PIN element #B 506.
  • Each of the communications in the system 500 may include one or more messages.
  • the PIN element #A 502 sends a registration request to the PEMC/PEGC 504.
  • the PEMC/PEGC 504 selects 510 an authentication method based on a PIN element identifier (“ID”) and corresponding preconfigured credentials.
  • ID PIN element identifier
  • the PEMC/PEGC 504 performs authentication according to the authentication method (e.g., extensible authentication protocol (“EAP”) authentication and key agreement (“AKA”)).
  • the authentication method is a key generating method that results in a security key for protecting communication between the PIN Element #A 502 and the PEMC/PEGC 504.
  • in a fourth communication 514, the PEMC/PEGC 504 acknowledges successful local registration. Moreover, in a fifth communication 516, steps 508 through 514 may be performed between the PEMC/PEGC 504 and the PIN element #B 506.
  • a PEMC/PEGC in a 5GC may include locally authenticated PIN elements without 3GPP credentials.
  • the PEMC/PEGC needs to register to the 5GC and needs to provide a list of the locally authenticated PIN elements.
  • the operator may have PIN elements that are managed by an operator (e.g., which are mapped to a different traffic connection (e.g., protocol data unit (“PDU”) session, single (“S”) network slice selection assistance information (“NSSAI”) (“S-NSSAI”), and so forth) to retrieve a dedicated service).
  • PDU protocol data unit
  • S-NSSAI network slice selection assistance information
  • the PEMC/PEGC connects to the 5GC via a non-3GPP interworking function (“N3IWF”) similar to an untrusted non-3GPP access procedure.
  • N3IWF non-3GPP interworking function
  • FIG. 6 is a schematic block diagram illustrating one embodiment of a system 600 for registration of a PEMC/PEGC in a 5GC.
  • the system 600 includes a PEMC/PEGC 602, an N3IWF 604, an AMF 606, an authentication server function (“AUSF”) 608, and a UDM 610.
  • Each of the communications in the system 600 may include one or more messages.
  • the PEMC/PEGC 602 acts like a UE connecting to the 5GC via untrusted non-3GPP access.
  • the PEMC/PEGC 602 performs the authentication with the 5GC with the selected authentication method from the UDM 610.
  • the PEMC/PEGC 602 may indicate in a non-access stratum (“NAS”) registration request that it registers as the PEMC/PEGC 602.
  • NAS non-access stratum
  • the AMF 606 sends an NAS security mode command to the PEMC/PEGC 602.
  • the PEMC/PEGC 602 sets up NAS security and provides back a full initial NAS message including a list of the locally authenticated PIN element IDs without 3GPP credentials and their associated requested NSSAIs.
  • the AMF 606 stores the list of the locally authenticated PIN elements without 3GPP credentials and provides a KN3IWF key to the N3IWF 604.
  • the N3IWF 604 performs an IKE AUTH exchange and an internet protocol (“IP”) security (“IPsec”) child security association (“SA”) establishment with a UE based on the KN3IWF.
  • IP internet protocol
  • SA child security association
  • the AMF 606 sends a Nudm_SDM_Get request to the UDM 610 to retrieve a subscription profile of the PEMC/PEGC 602.
  • the UDM 610 provides, in a Nudm_SDM_Get_Response, a subscription profile including a list of the operator managed PIN element IDs and their related S-NSSAIs.
  • the operator managed PIN elements are associated with the subscription profile of the PEMC/PEGC 602; this association could also be made at the time of purchase of a PIN element from an operator store.
  • Operator managed PIN element IDs may have 3GPP credentials or may not have 3GPP credentials.
  • the UDM 610 may have additional binding policy information for managed PIN elements in a local network to be enforced by the PEMC/PEGC 602.
  • the AMF 606 compares 628 the retrieved list of PIN elements without 3GPP credentials from the PEMC/PEGC 602 with the list of the operator managed PIN elements from the UDM 610 for the PEMC/PEGC 602.
  • the AMF 606 assigns the operator managed PIN elements respective S-NSSAIs.
  • the AMF 606 may assign a default S-NSSAI for unmanaged PIN elements.
  • the AMF 606 sends a registration accept message to the PEMC/PEGC 602 including a list of PIN elements, their respective list of S-NSSAIs, and additional binding policy information for managed PIN elements in the local network to be enforced by the PEMC/PEGC 602.
  • a PEMC/PEGC acts as a trusted network access point (“TNAP”) and/or trusted non-3GPP gateway function (“TNGF”) for trusted access or as a wireless (“W”) access gateway function (“AGF”) (“W-AGF”) for fixed network access.
  • TNAP trusted network access point
  • TNGF trusted non-3GPP gateway function
  • W-AGF wireless access gateway function
  • a PEMC/PEGC supports PIN elements with 3GPP credentials but without NAS capabilities.
  • the PEMC/PEGC acts as a W-AGF or as a trusted wireless local area network (“WLAN”) interworking function (“TWIF”) and terminates a NAS protocol on behalf of a PIN element while allowing the authentication to be terminated at the PIN element.
  • TWIF trusted wireless local area network interworking function
  • FIG. 7 is a schematic block diagram illustrating one embodiment of a system 700 for registration of PIN elements with 3GPP credentials locally and in a 5GC.
  • the system 700 includes PIN element 702 (e.g., with 3GPP credentials), a PEMC/PEGC 704, an N3IWF 706, an AMF 708, an AUSF 710, and a UDM 712.
  • Each of the communications in the system 700 may include one or more messages.
  • the PEMC/PEGC 704 is registered to the 5GC according to the procedure in Figure 6.
  • L2 layer 2
  • the PIN element 702 sends a NAS registration request with its subscription concealed identifier (“SUCI”) or fifth generation (“5G”) globally unique temporary UE identity (“GUTI”) (“5G-GUTI”) and PIN capabilities to the PEMC/PEGC 704 embedded in an L2 message (e.g., EAP message).
  • the PEMC/PEGC 704 forwards the NAS message through a tunnel established with the N3IWF 706 to the AMF 708 as a proxy.
  • the AUSF 710 performs authentication with the PIN element 702.
  • the AMF 708 may perform a NAS security mode command (“SMC”) with the PIN element 702. This step is only performed if the PIN element 702 also supports the NAS protocol, or else this step is skipped. If the NAS SMC is skipped, the NAS security from the PEMC/PEGC 704 may be reused, but since the transport between the PEMC/PEGC 704 and the N3IWF 706 is already protected with an IPsec SA, it is not necessarily required.
  • SMC NAS security mode command
  • the AMF 708 derives a key KPIN for the PIN element 702 based on the PIN capabilities.
  • the KPIN is used in a similar way as a TNAP key KTNAP for the PIN element 702 to set up a wireless connection at a local access point (“AP”) (e.g., the PEMC/PEGC 704), with the difference that the key is already derived at the AMF 708 and provided to the PEMC/PEGC 704.
  • AP local access point
  • since the PIN element may not have NAS capabilities, it may not be able to derive an AMF key.
  • the input key for the PIN key KPIN derivation may be: KAUSF, KSEAF, and/or KAMF.
  • the input parameters may be any parameters visible to the PIN element 702 (e.g., the PIN element identifier (e.g., international mobile security identifier (“IMSI”), network access identifier (“NAI”), global cable identifier (“GCI”), global line identifier (“GLI”), or any other local identifier part of the list of locally registered PIN element identifiers sent by the PEMC/PEGC 704 in Figure 6), a PEMC/PEGC identifier, a personal network name, and so forth).
  • IMSI international mobile security identifier
  • NAI network access identifier
  • GCI global cable identifier
  • GLI global line identifier
  • the AMF 708 sends the key KPIN to the PEMC/PEGC 704.
  • the PEMC/PEGC 704 stores 728 the key KPIN and binds it with the PIN element 702.
  • the PIN element 702 is locally registered at the PEMC/PEGC 704.
  • the PIN element 702 derives the same KPIN in the same way as the AMF 708 and sets up a secure layer 2 connection with the PEMC/PEGC 704.
  • the PEMC/PEGC 704 responds to the AMF 708 with an N2 initial context setup response message.
  • an NAS registration accept message is sent by the AMF 708 and is forwarded to the PIN element 702 (e.g., only if it supports the NAS protocol, else the message is terminated in the PEMC/PEGC 704) via an established connection.
  • in a twelfth communication 738, only if the PIN element 702 supports an NAS protocol, it initiates a PDU session establishment and the PEMC/PEGC 704 may establish one or more IPsec child SAs per PDU session. User plane data for the established PDU session is transported between the PIN element 702 and the PEMC/PEGC 704 inside the established IPsec child SA.
  • there may be a binding of locally registered PIN elements.
  • PIN elements subject to binding and establishment of a direct connection have to be registered locally, either with 3GPP credentials or without.
  • the direct connection may be via a PEGC and/or AP, or may be a real direct communication without the AP using the same or a different radio technology, depending on the PIN element radio capabilities.
  • FIG. 8 is a schematic block diagram illustrating one embodiment of a system 800 for binding local registered PIN elements.
  • the system 800 includes a PIN element #A 802, a PEMC/PEGC 804, and a PIN element #B 806.
  • Each of the communications in the system 800 may include one or more messages.
  • the PIN element #A 802 and the PIN element #B 806 register and authenticate to the PEMC/PEGC 804 as described herein.
  • the PEMC/PEGC 804 may have information about the binding either for managed PIN elements from the operator retrieved during the registration of the PEMC/PEGC 804 or they may be configured by the user. This binding information may be a trigger PIN element (e.g., motion sensor) and an execution PIN element (e.g., light bulb).
  • the PEMC/PEGC 804 is configured to link the PIN elements directly if the radio capabilities allow, or via the PEGC and/or AP.
  • a direct communication key KDC is derived.
  • a root key Kroot for a KDF for the key derivation of the KDC may be based on the keys available in the PEMC/PEGC 804 (e.g., the PEMC/PEGC specific keys KAUSF, KSEAF, KAMF, and/or the key KPIN in case PIN element #A 802 or PIN element #B 806 has 3GPP credentials and is registered to the 5GC). If both have 3GPP credentials, then both KPINs could be concatenated as an input root key.
  • the following parameters may be used: IDs of the PIN elements to be paired (e.g., PIN element #A 802 or PIN element #B 806, but could be more than two paired PIN elements), a nonce (e.g., which may be a random number), a counter, and so forth.
  • the PEMC/PEGC 804 generates 812 an access token which is used to mutually authenticate the two PIN elements among each other.
  • the access token may be an OAuth token or any other token. In some embodiments, it may be a sufficiently long random number.
  • the PEMC/PEGC 804 sends the security key KDC, an access token, and a PIN element #B ID to the PIN element #A 802 in a protected pairing request message.
  • the PEMC/PEGC 804 sends the security key KDC, the access token, and a PIN element #A ID to the PIN Element #B 806 in a protected pairing request message.
  • the PIN element #A 802 and the PIN element #B 806 perform authentication between them either by sending the access token and verifying it, or by performing a mutual exchange.
  • the PIN element #A 802 sends an authentication message to the PIN element #B 806 (e.g., including a hash (e.g., SHA1, SHA2, or SHA3 with their variants) of the access token and its PIN Element ID #A).
  • the PIN element #B 806 receives the message and performs a hash over the access token and the PIN element #A ID and compares it with the one received from the PIN element #A 802.
  • the PIN element #B 806 also sends an authentication response with the hash of the access token and the PIN element #B ID; the receiving PIN element #A 802 then computes the hash and compares it. Then, the PIN Element #A 802 sets up a secure connection with the security key KDC. This can be done either with an IPsec SA establishment, using a block cipher, and so forth.
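The KPIN derivation of FIG. 7 and the pairing exchange of FIG. 8, as an added example (not the patent's own code). It assumes the 3GPP generic KDF of TS 33.220 Annex B (HMAC-SHA-256 over FC and length-prefixed parameters); the FC values, identifier strings and the SHA-256 choice for the token hash are placeholders chosen here.

```python
import hashlib
import hmac
import secrets

FC_KPIN = 0x80  # placeholder FC value; the patent names none
FC_KDC = 0x81   # placeholder FC value


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over
    FC || P0 || L0 || P1 || L1 ..., Li being the 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kpin(k_amf: bytes, pin_id: str, pegc_id: str, pin_name: str) -> bytes:
    """K_PIN of FIG. 7: the AMF derives it from K_AMF (K_AUSF or K_SEAF are the
    other input keys the text allows) and parameters the PIN element can see,
    so a PIN element without NAS derives the same key from its own view."""
    return kdf(k_amf, FC_KPIN, pin_id.encode(), pegc_id.encode(), pin_name.encode())


def derive_kdc(k_root: bytes, ids, nonce: bytes, counter: int) -> bytes:
    """K_DC of FIG. 8 from the paired IDs (sorted, so order does not matter),
    a nonce and a counter."""
    id_params = [i.encode() for i in sorted(ids)]
    return kdf(k_root, FC_KDC, *id_params, nonce, counter.to_bytes(4, "big"))


def auth_value(access_token: bytes, pin_id: str) -> bytes:
    """Hash over the access token and the sender's PIN element ID (SHA-2)."""
    return hashlib.sha256(access_token + pin_id.encode()).digest()


class PinElement:
    """A locally registered PIN element taking part in one pairing."""

    def __init__(self, pin_id: str):
        self.pin_id = pin_id
        self.kdc = self.token = self.peer_id = None
        self.secure = False  # True once the peer has been authenticated

    def on_pairing_request(self, kdc: bytes, token: bytes, peer_id: str) -> None:
        self.kdc, self.token, self.peer_id = kdc, token, peer_id

    def auth_message(self):
        """(sender ID, hash) sent as authentication request or response."""
        return self.pin_id, auth_value(self.token, self.pin_id)

    def check_auth_message(self, sender_id: str, value: bytes) -> bool:
        """Accept only the peer named in the pairing request and only a
        matching hash; compare in constant time."""
        if sender_id != self.peer_id:
            return False
        self.secure = hmac.compare_digest(value, auth_value(self.token, sender_id))
        return self.secure


class Pemc:
    """PEMC/PEGC: holds bound K_PINs and issues protected pairing requests."""

    def __init__(self, k_pemc: bytes):
        self.k_pemc = k_pemc  # its own 5GC key (e.g. K_AMF), used when no K_PIN exists
        self.kpins = {}       # PIN element ID -> K_PIN, for elements with 3GPP credentials
        self.counter = 0

    def root_key(self, ids) -> bytes:
        """Concatenate the K_PINs of paired elements registered in the 5GC;
        fall back to the PEMC/PEGC's own key when there is none."""
        parts = [self.kpins[i] for i in sorted(ids) if i in self.kpins]
        return b"".join(parts) if parts else self.k_pemc

    def bind(self, id_a: str, id_b: str) -> dict:
        """Derive K_DC, generate the access token (step 812), build both requests."""
        self.counter += 1
        nonce = secrets.token_bytes(16)
        kdc = derive_kdc(self.root_key([id_a, id_b]), [id_a, id_b], nonce, self.counter)
        token = secrets.token_bytes(32)  # the "sufficiently long random number"
        return {id_a: (kdc, token, id_b), id_b: (kdc, token, id_a)}


def run_pairing(pemc: Pemc, a: PinElement, b: PinElement) -> bool:
    """Whole FIG. 8 exchange; True only if both elements authenticated
    each other and hold the same K_DC for the direct connection."""
    req = pemc.bind(a.pin_id, b.pin_id)
    a.on_pairing_request(*req[a.pin_id])
    b.on_pairing_request(*req[b.pin_id])
    if not b.check_auth_message(*a.auth_message()):  # A -> B: request
        return False
    ok_a = a.check_auth_message(*b.auth_message())   # B -> A: response
    return ok_a and a.kdc == b.kdc
```

An element holding a token from a different binding, or an impostor using the expected peer's ID with the wrong token, fails `check_auth_message`, so K_DC is never used with it.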
  • there may be a service request for PIN elements without 3GPP credentials to send data via a 5GC.
  • PIN elements without 3GPP credentials may not have access to an external DN since a PEGC is connected to the 5GC for external DN access via a UPF.
  • a pre-registered PIN element if it wants to send data to the DN, needs to perform a service request to get a PDU session assigned (e.g., based on a requested S-NSSAI). Since the PIN element without 3GPP credentials also does not support an NAS protocol, a PEGC may create a respective NAS message on behalf of the PIN element.
  • FIG. 9 is a schematic block diagram illustrating one embodiment of a system 900 with a service request for PIN elements without 3GPP credentials to send data via a 5GC.
  • the system 900 includes a PIN element #A 902, a PEMC/PEGC 904, an N3IWF 906, an AMF 908, and a UPF 910.
  • Each of the communications in the system 900 may include one or more messages.
  • the PIN element #A 902 performs a local authentication and security setup and the PEMC/PEGC 904 is registered to the 5GC.
  • the PIN element #A 902 sends a data request to the PEMC/PEGC 904.
  • in a third communication 916 and a fourth communication 918, the PEMC/PEGC 904 generates a NAS service request message and includes its SUCI or 5G-GUTI and a PIN element #A ID.
  • the AMF 908 checks 920 whether the PIN Element ID #A was already registered and checks allowed NSSAI for that specific PIN element.
  • in a fifth communication 922, if the PIN element #A 902 requires a specific PDU session (e.g., for a specific S-NSSAI), the PDU session is not established towards the PEMC/PEGC 904.
  • the AMF 908 sends a service accept with the allowed NSSAI for the PIN element #A 902.
  • the PEMC/PEGC 904 sends a data request acknowledgement to the PIN element #A 902.
  • the PIN element #A 902 starts to send data to the PEMC/PEGC 904.
  • the PEMC/PEGC 904 selects 932 the PDU session according to the allowed NSSAI and maps the data from the PIN Element #A 902 to that PDU session.
  • the PEMC/PEGC 904 forwards the data in the PDU session to the UPF 910 and further to a destination DN.
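The AMF-side bookkeeping of FIG. 6 (comparison 628 of the locally authenticated list with the operator managed list and the S-NSSAI assignment) together with the FIG. 9 flow (data request, NAS service request, check 920, service accept, mapping 932), as an added example that is not the patent's own code. S-NSSAI strings, PIN element and PEMC/PEGC identifiers, binding policy values and the default slice are constructed placeholders; dicts stand in for the NAS information elements.

```python
from dataclasses import dataclass, field

DEFAULT_S_NSSAI = "sst=1"  # constructed default slice for unmanaged PIN elements


@dataclass
class SubscriptionProfile:
    """Constructed stand-in for what Nudm_SDM_Get returns for one PEMC/PEGC."""
    managed: dict          # operator managed PIN element ID -> list of S-NSSAI
    binding_policy: dict   # PIN element ID -> binding policy the PEMC/PEGC enforces


@dataclass
class Amf:
    udm: dict = field(default_factory=dict)         # PEMC/PEGC ID -> SubscriptionProfile
    registered: dict = field(default_factory=dict)  # (PEMC/PEGC ID, PIN ID) -> allowed S-NSSAI

    def register_pemc(self, pemc_id: str, local_pins: dict) -> dict:
        """FIG. 6, from step 628: local_pins maps each locally authenticated PIN
        element ID to the NSSAI it requested. Managed elements get the operator's
        S-NSSAIs, unmanaged ones the default slice; the result is the registration
        accept content and is kept as state for later service requests."""
        profile = self.udm[pemc_id]
        accept = {}
        for pin_id, _requested in local_pins.items():
            allowed = list(profile.managed.get(pin_id, [DEFAULT_S_NSSAI]))
            self.registered[(pemc_id, pin_id)] = allowed
            accept[pin_id] = {
                "s_nssai": allowed,
                "binding": profile.binding_policy.get(pin_id),
            }
        return accept

    def service_request(self, pemc_id: str, pin_id: str):
        """FIG. 9, step 920: the PIN element ID must have been registered by
        this very PEMC/PEGC; otherwise the request is rejected (None)."""
        allowed = self.registered.get((pemc_id, pin_id))
        if allowed is None:
            return None
        return {"pin_id": pin_id, "allowed_nssai": allowed}


class Pegc:
    """PEMC/PEGC side: registration, then data requests from local PIN elements."""

    def __init__(self, pemc_id: str, amf: Amf):
        self.pemc_id, self.amf = pemc_id, amf
        self.local = {}         # locally authenticated PIN ID -> requested S-NSSAI
        self.allowed = {}       # per PIN ID, from the registration accept
        self.pdu_sessions = {}  # S-NSSAI -> PDU session identifier
        self.mapping = {}       # PIN ID -> PDU session identifier

    def register(self) -> dict:
        accept = self.amf.register_pemc(self.pemc_id, self.local)
        self.allowed = {pin: info["s_nssai"] for pin, info in accept.items()}
        return accept

    def data_request(self, pin_id: str):
        """Service request on the PIN element's behalf, then map its traffic to
        the PDU session of an allowed slice (step 932), never to a slice the
        element merely asked for."""
        if pin_id not in self.local:
            return None  # not locally authenticated: nothing is sent to the 5GC
        accept = self.amf.service_request(self.pemc_id, pin_id)
        if accept is None:
            return None  # service reject from the AMF
        allowed = accept["allowed_nssai"]
        wanted = self.local[pin_id]
        slice_ = wanted if wanted in allowed else allowed[0]
        session = self.pdu_sessions.setdefault(slice_, f"pdu-{len(self.pdu_sessions) + 1}")
        self.mapping[pin_id] = session
        return session
```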
  • FIG. 10 is a flow chart diagram illustrating one embodiment of a method 1000 for authentication and registration of PIN elements.
  • the method 1000 is performed by an apparatus, such as the network unit 104.
  • the method 1000 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
  • the method 1000 includes performing 1002, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials.
  • the method 1000 includes generating 1004 a first request message to establish a NAS registration request with a first AMF.
  • the first request message includes a list of locally registered PIN element identifiers without 3GPP credentials.
  • the method 1000 includes receiving 1006, in response to the first request message, a NAS registration accept message that includes the list of locally registered PIN element identifiers without 3GPP credentials and further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the method 1000 further comprises receiving a second request message from a local PIN element with 3GPP credentials. In some embodiments, the method 1000 further comprises sending a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials. In various embodiments, the method 1000 further comprises receiving a security key (KPIN) from the second AMF.
  • KPIN security key
  • the method 1000 further comprises storing the KPIN. In certain embodiments, the method 1000 further comprises binding the KPIN with the local PIN element with 3GPP credentials. In some embodiments, the method 1000 further comprises setting up a secure layer 2 connection with the local PIN element with 3GPP credentials.
  • the method 1000 further comprises determining a binding of two or more locally registered PIN elements. In one embodiment, the method 1000 further comprises deriving a direct communication key (KDC) and an access token. In certain embodiments, the method 1000 further comprises sending a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
  • KDC direct communication key
  • the method 1000 further comprises receiving a data send request from a locally registered PIN element without 3GPP credentials. In various embodiments, the method 1000 further comprises generating a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials. In one embodiment, the method 1000 further comprises sending the fourth request message to a second AMF.
  • the method 1000 further comprises receiving a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier.
  • NSSAI network slice selection assistance information
  • the method 1000 further comprises mapping received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI.
  • the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
  • FIG. 11 is a flow chart diagram illustrating another embodiment of a method 1100 for authentication and registration of PIN elements.
  • the method 1100 is performed by an apparatus, such as the remote unit 102 and/or the network unit 104.
  • the method 1100 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
  • the method 1100 includes performing 1102, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials.
  • the method 1100 includes receiving 1104 information for setting up a secure layer 2 connection with a first network device.
  • the method 1100 includes setting up 1106 the secure layer 2 connection.
  • the method 1100 further comprises receiving a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
  • the method 1100 further comprises computing an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
  • the method 1100 further comprises transmitting an authentication request to the at least one fourth network device, and the authentication request comprises an authentication value.
  • the method 1100 further comprises receiving an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message. In certain embodiments, the method 1100 further comprises computing an authentication value using a hash function, the access token, and the at least one PIN element identifier, and comparing the authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message. In some embodiments, the method 1100 further comprises setting up the secure layer 2 connection by deriving a security key (KPIN).
  • KPIN security key
  • FIG. 12 is a flow chart diagram illustrating a further embodiment of a method 1200 for authentication and registration of PIN elements.
  • the method 1200 is performed by an apparatus, such as the network unit 104.
  • the method 1200 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
  • the method 1200 includes receiving 1202, at a second network device, a first request message to establish a NAS registration request.
  • the first request message includes a list of locally registered PIN element identifiers with 3GPP credentials.
  • the method 1200 includes transmitting 1204, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the method 1200 further comprises deriving a security key (KPIN). In some embodiments, the method 1200 further comprises transmitting the KPIN. In various embodiments, the second network device comprises an AMF.
  • an apparatus comprises a first network device.
  • the apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials; the processor generates a first request message to establish a NAS registration request with a first AMF, wherein the first request message comprises a list of locally registered PIN element identifiers without 3GPP credentials; and the transceiver receives, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers without 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the transceiver receives a second request message from a local PIN element with 3GPP credentials.
  • the transceiver sends a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials.
  • the transceiver receives a security key (KPIN) from the second AMF.
  • KPIN security key
  • the processor stores the KPIN.
  • the processor binds the KPIN with the local PIN element with 3GPP credentials.
  • the processor sets up a secure layer 2 connection with the local PIN element with 3GPP credentials.
  • the processor determines a binding of two or more locally registered PIN elements. In one embodiment, the processor derives a direct communication key (KDC) and an access token.
  • KDC direct communication key
  • the transceiver sends a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
  • the transceiver receives a data send request from a locally registered PIN element without 3GPP credentials.
  • the processor generates a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials.
  • the transceiver sends the fourth request message to a second AMF.
  • the transceiver receives a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier.
  • NSSAI network slice selection assistance information
  • the processor maps received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI.
  • PDU protocol data unit
  • the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
  • PEGC PIN element with gateway capabilities
  • PEMC PIN element with management capabilities
  • a method of a first network device comprises: performing a local authentication and registration of PIN elements with preconfigured credentials; generating a first request message to establish a NAS registration request with a first AMF, wherein the first request message comprises a list of locally registered PIN element identifiers without 3GPP credentials; and receiving, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers without 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the method further comprises receiving a second request message from a local PIN element with 3GPP credentials.
  • the method further comprises sending a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials.
  • the method further comprises receiving a security key (KPIN) from the second AMF.
  • KPIN security key
  • the method further comprises storing the KPIN.
  • the method further comprises binding the KPIN with the local PIN element with 3GPP credentials.
  • the method further comprises setting up a secure layer 2 connection with the local PIN element with 3GPP credentials.
  • the method further comprises determining a binding of two or more locally registered PIN elements.
  • the method further comprises deriving a direct communication key (KDC) and an access token.
  • KDC direct communication key
  • the method further comprises sending a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
  • the method further comprises receiving a data send request from a locally registered PIN element without 3GPP credentials.
  • the method further comprises generating a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials.
  • the method further comprises sending the fourth request message to a second AMF.
  • the method further comprises receiving a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier.
  • NSSAI network slice selection assistance information
  • the method further comprises mapping received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI.
  • PDU protocol data unit
  • the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
  • PEGC PIN element with gateway capabilities
  • PEMC PIN element with management capabilities
  • an apparatus comprises a PIN element.
  • the apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials; the transceiver receives information for setting up a secure layer 2 connection with a first network device; and the processor sets up the secure layer 2 connection.
  • the transceiver receives a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
  • KDC direct communication key
  • the processor computes an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
  • the transceiver transmits an authentication request to the at least one fourth network device, and the authentication request comprises an authentication value.
  • the transceiver receives an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message.
  • the processor computes an authentication value using a hash function, the access token, and the at least one PIN element identifier, and compares the authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message.
  • the processor sets up the secure layer 2 connection by deriving a security key (KPIN).
  • KPIN security key
  • a method of a PIN element comprises: performing a local authentication and registration of the PIN element with preconfigured credentials; receiving information for setting up a secure layer 2 connection with a first network device; and setting up the secure layer 2 connection.
  • the method further comprises receiving a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
  • KDC direct communication key
  • the method further comprises computing an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
  • the method further comprises transmitting an authentication request to the at least one fourth network device, and the authentication request comprises an authentication value.
  • the method further comprises receiving an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message.
  • the method further comprises computing an authentication value using a hash function, the access token, and the at least one PIN element identifier, and comparing the authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message.
  • the method further comprises setting up the secure layer 2 connection by deriving a security key (KPIN).
  • KPIN security key
  • an apparatus comprises a second network device.
  • the apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver receives a first request message to establish a NAS registration request, wherein the first request message comprises a list of locally registered PIN element identifiers with 3GPP credentials; and the transceiver transmits, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers with 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the processor derives a security key (KPIN).
  • KPIN security key
  • the transceiver transmits the KPIN.
  • the second network device comprises an AMF.
  • a method of a second network device comprises: receiving a first request message to establish a NAS registration request, wherein the first request message comprises a list of locally registered PIN element identifiers with 3GPP credentials; and transmitting, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers with 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
  • the method further comprises deriving a security key (KPIN).
  • KPIN security key
  • the method further comprises transmitting the KPIN.
  • the second network device comprises an AMF.

Abstract

Apparatuses, methods, and systems are disclosed for authentication and registration of personal internet of things network ("PIN") elements. One method (1000) includes performing (1002), at a first network device, a local authentication and registration of PIN elements with preconfigured credentials. The method (1000) includes generating (1004) a first request message to establish a non-access stratum ("NAS") registration request with a first access and mobility management function ("AMF"). The first request message includes a list of locally registered PIN element identifiers without third generation partnership program ("3GPP") credentials. The method (1000) includes receiving (1006), in response to the first request message, a NAS registration accept message that includes the list of locally registered PIN element identifiers without 3GPP credentials and further includes a respective list of single network slice selection assistance information ("S-NSSAI") and a binding policy for operator managed PIN elements.

Description

AUTHENTICATION AND REGISTRATION OF PERSONAL INTERNET OF THINGS
NETWORK ELEMENTS
FIELD
[0001] The subject matter disclosed herein relates generally to wireless communications and more particularly relates to authentication and registration of personal internet of things network (“PIN”) elements.
BACKGROUND
[0002] In certain wireless communications networks, PIN elements may be used. In such networks, the PIN elements may need to be authenticated.
BRIEF SUMMARY
[0003] Methods for authentication and registration of PIN elements are disclosed. Apparatuses and systems also perform the functions of the methods. One embodiment of a method includes performing, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials. In some embodiments, the method includes generating a first request message to establish a non-access stratum (“NAS”) registration request with a first access and mobility management function (“AMF”). The first request message includes a list of locally registered PIN element identifiers without third generation partnership program (“3GPP”) credentials. In certain embodiments, the method includes receiving, in response to the first request message, a NAS registration accept message that includes the list of locally registered PIN element identifiers without 3GPP credentials and further includes a respective list of single network slice selection assistance information (“S-NSSAI”) and a binding policy for operator managed PIN elements.
[0004] One apparatus for authentication and registration of PIN elements includes a first network device. In some embodiments, the apparatus includes a transceiver. In various embodiments, the apparatus includes a processor coupled to the transceiver. In certain embodiments, the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials. In some embodiments, the processor generates a first request message to establish a NAS registration request with a first AMF. The first request message includes a list of locally registered PIN element identifiers without 3GPP credentials. In various embodiments, the transceiver receives, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0005] Another embodiment of a method for authentication and registration of PIN elements includes performing, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the method includes receiving information for setting up a secure layer 2 connection with a first network device. In certain embodiments, the method includes setting up the secure layer 2 connection.
[0006] Another apparatus for authentication and registration of PIN elements includes a PIN element. In some embodiments, the apparatus includes a transceiver. In various embodiments, the apparatus includes a processor coupled to the transceiver. In certain embodiments, the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the transceiver receives information for setting up a secure layer 2 connection with a first network device. In various embodiments, the processor sets up the secure layer 2 connection.
[0007] A further embodiment of a method for authentication and registration of PIN elements includes receiving, at a second network device, a first request message to establish a NAS registration request. The first request message includes a list of locally registered PIN element identifiers with 3GPP credentials. In some embodiments, the method includes transmitting, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0008] A further apparatus for authentication and registration of PIN elements includes a second network device. In some embodiments, the apparatus includes a transceiver. In various embodiments, the apparatus includes a processor coupled to the transceiver. In certain embodiments, the transceiver receives a first request message to establish a NAS registration request. The first request message includes a list of locally registered PIN element identifiers with 3GPP credentials. In some embodiments, the transceiver transmits, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
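The flow summarised in paragraphs [0003] to [0008], together with the hash-based pairing check and the KPIN from the claim list above, modelled end to end as an added Python example; this is not code from the patent or from Lenovo. The HMAC challenge-response for the preconfigured credential, SHA-256 as the hash function, the HMAC-based KPIN derivation, the message field names and the sample identifiers are all assumptions, since the patent fixes none of them.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

HASH = hashlib.sha256  # assumption: the patent does not name the hash function


def derive_kpin(k_root: bytes, pin_id: str) -> bytes:
    # Assumed HMAC-based KDF; the patent only says a KPIN is derived and transmitted.
    return hmac.new(k_root, b"KPIN" + pin_id.encode(), HASH).digest()


@dataclass
class PinElement:
    pin_id: str
    secret: bytes               # preconfigured credential, provisioned out of band
    has_3gpp_credentials: bool

    def prove(self, nonce: bytes) -> bytes:  # challenge-response proof (assumed HMAC)
        return hmac.new(self.secret, nonce + self.pin_id.encode(), HASH).digest()


class Pegc:  # first network device: local registration, then NAS registration with the AMF
    def __init__(self, credential_db: dict[str, bytes]):
        self.credential_db = credential_db             # pin_id -> preconfigured secret
        self.locally_registered: dict[str, bool] = {}  # pin_id -> has 3GPP credentials
        self.bindings: dict[str, dict] = {}            # filled from the accept message

    def local_register(self, element: PinElement, nonce: bytes, proof: bytes) -> bool:
        secret = self.credential_db.get(element.pin_id)
        if secret is None:
            return False  # unknown element: never registered, never reported upstream
        expected = hmac.new(secret, nonce + element.pin_id.encode(), HASH).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.locally_registered[element.pin_id] = element.has_3gpp_credentials
        return True

    def nas_registration_request(self) -> dict:  # the "first request message"
        reg = self.locally_registered
        return {"msg": "NAS_REGISTRATION_REQUEST",
                "pin_ids_without_3gpp_credentials": sorted(p for p in reg if not reg[p]),
                "pin_ids_with_3gpp_credentials": sorted(p for p in reg if reg[p])}

    def apply_registration_accept(self, accept: dict) -> None:
        # Store S-NSSAI, binding policy and KPIN; refuse identifiers we never registered.
        for entry in accept["pin_elements"]:
            if entry["pin_id"] not in self.locally_registered:
                raise ValueError(f"accept names unregistered element {entry['pin_id']}")
            self.bindings[entry["pin_id"]] = {
                k: entry[k] for k in ("s_nssai", "binding_policy", "kpin")}

    def verify_pairing(self, pin_id: str, access_token: bytes, received: bytes) -> bool:
        # Authentication value = H(access_token || pin_id), compared in constant time.
        if pin_id not in self.bindings:
            return False
        computed = HASH(access_token + pin_id.encode()).digest()
        return hmac.compare_digest(computed, received)


class Amf:  # second network device: answers with S-NSSAI, binding policy and KPIN per element
    def __init__(self, slice_for_pin: dict[str, dict], operator_managed: set[str]):
        self.slice_for_pin = slice_for_pin        # pin_id -> S-NSSAI {sst, sd}
        self.operator_managed = operator_managed  # elements under operator binding policy
        self.k_root = os.urandom(32)              # constructed stand-in for the AMF key

    def nas_registration_accept(self, request: dict) -> dict:
        ids = request["pin_ids_without_3gpp_credentials"] + request["pin_ids_with_3gpp_credentials"]
        entries = [{"pin_id": p,
                    "s_nssai": self.slice_for_pin.get(p, {"sst": 1, "sd": "000000"}),
                    "binding_policy": "operator_managed" if p in self.operator_managed
                    else "pin_managed",
                    "kpin": derive_kpin(self.k_root, p)} for p in ids]
        return {"msg": "NAS_REGISTRATION_ACCEPT", "pin_elements": entries}


def run_flow() -> dict:
    """Whole exchange on constructed sample data; returns what happened for checking."""
    thermostat = PinElement("pin-thermo-01", b"\x11" * 32, has_3gpp_credentials=False)
    wearable = PinElement("pin-watch-02", b"\x22" * 32, has_3gpp_credentials=True)
    intruder = PinElement("pin-rogue-99", b"\x33" * 32, has_3gpp_credentials=False)
    pegc = Pegc({thermostat.pin_id: thermostat.secret, wearable.pin_id: wearable.secret})
    nonce = os.urandom(16)
    local_auth = {e.pin_id: pegc.local_register(e, nonce, e.prove(nonce))
                  for e in (thermostat, wearable, intruder)}
    amf = Amf({"pin-watch-02": {"sst": 1, "sd": "0A0B0C"}}, operator_managed={"pin-watch-02"})
    accept = amf.nas_registration_accept(pegc.nas_registration_request())
    pegc.apply_registration_accept(accept)
    token = b"constructed-access-token"
    genuine = HASH(token + thermostat.pin_id.encode()).digest()  # value the network sends
    return {"local_auth": local_auth, "accept": accept, "bindings": pegc.bindings,
            "pairing_ok": pegc.verify_pairing(thermostat.pin_id, token, genuine),
            "pairing_wrong_id": pegc.verify_pairing(wearable.pin_id, token, genuine),
            "pairing_unregistered": pegc.verify_pairing(intruder.pin_id, token, genuine)}
```

The rogue element never reaches the NAS request because the PEGC only reports identifiers that passed local authentication, and the PEGC refuses an accept message that names an identifier it did not register.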
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] A more particular description of the embodiments briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only some embodiments and are not therefore to be considered to be limiting of scope, the embodiments will be described and explained with additional specificity and detail through the use of the accompanying drawings, in which:
[0010] Figure 1 is a schematic block diagram illustrating one embodiment of a wireless communication system for authentication and registration of PIN elements;
[0011] Figure 2 is a schematic block diagram illustrating one embodiment of an apparatus that may be used for authentication and registration of PIN elements;
[0012] Figure 3 is a schematic block diagram illustrating one embodiment of an apparatus that may be used for authentication and registration of PIN elements;
[0013] Figure 4 is a schematic block diagram illustrating one embodiment of a system including PIN elements;
[0014] Figure 5 is a schematic block diagram illustrating one embodiment of a system for registration and authentication of devices without 3GPP credentials for PIN elements;
[0015] Figure 6 is a schematic block diagram illustrating one embodiment of a system for registration of a PIN element with management capabilities (“PEMC”) and/or a PIN element with gateway capabilities (“PEGC”) (“PEMC/PEGC”) in a fifth generation core (“5GC”);
[0016] Figure 7 is a schematic block diagram illustrating one embodiment of a system for registration of PIN elements with 3GPP credentials locally and in a 5GC;
[0017] Figure 8 is a schematic block diagram illustrating one embodiment of a system for binding local registered PIN elements;
[0018] Figure 9 is a schematic block diagram illustrating one embodiment of a system with a service request for PIN elements without 3GPP credentials to send data via a 5GC;
[0019] Figure 10 is a flow chart diagram illustrating one embodiment of a method for authentication and registration of PIN elements;
[0020] Figure 11 is a flow chart diagram illustrating another embodiment of a method for authentication and registration of PIN elements; and
[0021] Figure 12 is a flow chart diagram illustrating a further embodiment of a method for authentication and registration of PIN elements.
DETAILED DESCRIPTION
[0022] As will be appreciated by one skilled in the art, aspects of the embodiments may be embodied as a system, apparatus, method, or program product. Accordingly, embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, embodiments may take the form of a program product embodied in one or more computer readable storage devices storing machine readable code, computer readable code, and/or program code, referred hereafter as code. The storage devices may be tangible, non-transitory, and/or non-transmission. The storage devices may not embody signals. In a certain embodiment, the storage devices only employ signals for accessing code.
[0023] Certain of the functional units described in this specification may be labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom very-large-scale integration (“VLSI”) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
[0024] Modules may also be implemented in code and/or software for execution by various types of processors. An identified module of code may, for instance, include one or more physical or logical blocks of executable code which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may include disparate instructions stored in different locations which, when joined logically together, include the module and achieve the stated purpose for the module.
[0025] Indeed, a module of code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different computer readable storage devices. Where a module or portions of a module are implemented in software, the software portions are stored on one or more computer readable storage devices.
[0026] Any combination of one or more computer readable medium may be utilized. The computer readable medium may be a computer readable storage medium. The computer readable storage medium may be a storage device storing the code. The storage device may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, holographic, micromechanical, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
[0027] More specific examples (a non-exhaustive list) of the storage device would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (“RAM”), a read-only memory (“ROM”), an erasable programmable read-only memory (“EPROM” or Flash memory), a portable compact disc read-only memory (“CD-ROM”), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
[0028] Code for carrying out operations for embodiments may be any number of lines and may be written in any combination of one or more programming languages including an object oriented programming language such as Python, Ruby, Java, Smalltalk, C++, or the like, and conventional procedural programming languages, such as the "C" programming language, or the like, and/or machine languages such as assembly languages. The code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (“LAN”) or a wide area network (“WAN”), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
[0029] Reference throughout this specification to “one embodiment,” “an embodiment,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment, but mean “one or more but not all embodiments” unless expressly specified otherwise. The terms “including,” “comprising,” “having,” and variations thereof mean “including but not limited to,” unless expressly specified otherwise. An enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a,” “an,” and “the” also refer to “one or more” unless expressly specified otherwise.
[0030] Furthermore, the described features, structures, or characteristics of the embodiments may be combined in any suitable manner. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments. One skilled in the relevant art will recognize, however, that embodiments may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of an embodiment.
[0031] Aspects of the embodiments are described below with reference to schematic flowchart diagrams and/or schematic block diagrams of methods, apparatuses, systems, and program products according to embodiments. It will be understood that each block of the schematic flowchart diagrams and/or schematic block diagrams, and combinations of blocks in the schematic flowchart diagrams and/or schematic block diagrams, can be implemented by code. The code may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the schematic flowchart diagrams and/or schematic block diagrams block or blocks.
[0032] The code may also be stored in a storage device that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the storage device produce an article of manufacture including instructions which implement the function/act specified in the schematic flowchart diagrams and/or schematic block diagrams block or blocks.
[0033] The code may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the code which executes on the computer or other programmable apparatus provides processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
[0034] The schematic flowchart diagrams and/or schematic block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of apparatuses, systems, methods and program products according to various embodiments. In this regard, each block in the schematic flowchart diagrams and/or schematic block diagrams may represent a module, segment, or portion of code, which includes one or more executable instructions of the code for implementing the specified logical function(s).
[0035] It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more blocks, or portions thereof, of the illustrated Figures.
[0036] Although various arrow types and line types may be employed in the flowchart and/or block diagrams, they are understood not to limit the scope of the corresponding embodiments. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the depicted embodiment. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted embodiment. It will also be noted that each block of the block diagrams and/or flowchart diagrams, and combinations of blocks in the block diagrams and/or flowchart diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and code.
[0037] The description of elements in each figure may refer to elements of preceding figures. Like numbers refer to like elements in all figures, including alternate embodiments of like elements.
[0038] Figure 1 depicts an embodiment of a wireless communication system 100 for authentication and registration of PIN elements. In one embodiment, the wireless communication system 100 includes remote units 102 and network units 104. Even though a specific number of remote units 102 and network units 104 are depicted in Figure 1, one of skill in the art will recognize that any number of remote units 102 and network units 104 may be included in the wireless communication system 100.
[0039] In one embodiment, the remote units 102 may include computing devices, such as desktop computers, laptop computers, personal digital assistants (“PDAs”), tablet computers, smart phones, smart televisions (e.g., televisions connected to the Internet), set-top boxes, game consoles, security systems (including security cameras), vehicle on-board computers, network devices (e.g., routers, switches, modems), aerial vehicles, drones, or the like. In some embodiments, the remote units 102 include wearable devices, such as smart watches, fitness bands, optical head-mounted displays, or the like. Moreover, the remote units 102 may be referred to as subscriber units, mobiles, mobile stations, users, terminals, mobile terminals, fixed terminals, subscriber stations, UE, user terminals, a device, or by other terminology used in the art. The remote units 102 may communicate directly with one or more of the network units 104 via UL communication signals. In certain embodiments, the remote units 102 may communicate directly with other remote units 102 via sidelink communication.
[0040] The network units 104 may be distributed over a geographic region. In certain embodiments, a network unit 104 may also be referred to and/or may include one or more of an access point, an access terminal, a base, a base station, a location server, a core network (“CN”), a radio network entity, a Node-B, an evolved node-B (“eNB”), a 5G node-B (“gNB”), a Home Node-B, a relay node, a device, a core network, an aerial server, a radio access node, an access point (“AP”), new radio (“NR”), a network entity, an access and mobility management function (“AMF”), a unified data management (“UDM”), a unified data repository (“UDR”), a UDM/UDR, a policy control function (“PCF”), a radio access network (“RAN”), a network slice selection function (“NSSF”), an operations, administration, and management (“OAM”), a session management function (“SMF”), a user plane function (“UPF”), an application function, an authentication server function (“AUSF”), security anchor functionality (“SEAF”), trusted non-3GPP gateway function (“TNGF”), or by any other terminology used in the art. The network units 104 are generally part of a radio access network that includes one or more controllers communicably coupled to one or more corresponding network units 104. The radio access network is generally communicably coupled to one or more core networks, which may be coupled to other networks, like the Internet and public switched telephone networks, among other networks. These and other elements of radio access and core networks are not illustrated but are well known generally by those having ordinary skill in the art.
[0041] In one implementation, the wireless communication system 100 is compliant with NR protocols standardized in 3GPP, wherein the network unit 104 transmits using an orthogonal frequency division multiplexing (“OFDM”) modulation scheme on the downlink (“DL”) and the remote units 102 transmit on the uplink (“UL”) using a single-carrier frequency division multiple access (“SC-FDMA”) scheme or an OFDM scheme. More generally, however, the wireless communication system 100 may implement some other open or proprietary communication protocol, for example, WiMAX, institute of electrical and electronics engineers (“IEEE”) 802.11 variants, global system for mobile communications (“GSM”), general packet radio service (“GPRS”), universal mobile telecommunications system (“UMTS”), long term evolution (“LTE”) variants, code division multiple access 2000 (“CDMA2000”), Bluetooth®, ZigBee, Sigfox, among other protocols. The present disclosure is not intended to be limited to the implementation of any particular wireless communication system architecture or protocol.
[0042] The network units 104 may serve a number of remote units 102 within a serving area, for example, a cell or a cell sector via a wireless communication link. The network units 104 transmit DL communication signals to serve the remote units 102 in the time, frequency, and/or spatial domain.
[0043] In some embodiments, a network unit 104 may perform, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials. In some embodiments, the network unit 104 may generate a first request message to establish a NAS registration request with a first AMF. The first request message includes a list of locally registered PIN element identifiers without 3GPP credentials. In certain embodiments, the network unit 104 may receive, in response to the first request message, a NAS registration accept message that includes the list of locally registered PIN element identifiers without 3GPP credentials and further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements. Accordingly, the network unit 104 may be used for authentication and registration of PIN elements.
[0044] In various embodiments, a remote unit 102 and/or a network unit 104 may perform, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the remote unit 102 and/or the network unit 104 may receive information for setting up a secure layer 2 connection with a first network device. In certain embodiments, the remote unit 102 and/or the network unit 104 may set up the secure layer 2 connection. Accordingly, the remote unit 102 and/or the network unit 104 may be used for authentication and registration of PIN elements.
[0045] In certain embodiments, a network unit 104 may receive, at a second network device, a first request message to establish a NAS registration request. The first request message includes a list of locally registered PIN element identifiers with 3GPP credentials. In some embodiments, the network unit 104 may transmit, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements. Accordingly, the network unit 104 may be used for authentication and registration of PIN elements.
[0046] Figure 2 depicts one embodiment of an apparatus 200 that may be used for authentication and registration of PIN elements. The apparatus 200 includes one embodiment of the remote unit 102. Furthermore, the remote unit 102 may include a processor 202, a memory 204, an input device 206, a display 208, a transmitter 210, and a receiver 212. In some embodiments, the input device 206 and the display 208 are combined into a single device, such as a touchscreen. In certain embodiments, the remote unit 102 may not include any input device 206 and/or display 208. In various embodiments, the remote unit 102 may include one or more of the processor 202, the memory 204, the transmitter 210, and the receiver 212, and may not include the input device 206 and/or the display 208.
[0047] The processor 202, in one embodiment, may include any known controller capable of executing computer-readable instructions and/or capable of performing logical operations. For example, the processor 202 may be a microcontroller, a microprocessor, a central processing unit (“CPU”), a graphics processing unit (“GPU”), an auxiliary processing unit, a field programmable gate array (“FPGA”), or similar programmable controller. In some embodiments, the processor 202 executes instructions stored in the memory 204 to perform the methods and routines described herein. The processor 202 is communicatively coupled to the memory 204, the input device 206, the display 208, the transmitter 210, and the receiver 212.
[0048] The memory 204, in one embodiment, is a computer readable storage medium. In some embodiments, the memory 204 includes volatile computer storage media. For example, the memory 204 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/or static RAM (“SRAM”). In some embodiments, the memory 204 includes non-volatile computer storage media. For example, the memory 204 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device. In some embodiments, the memory 204 includes both volatile and non-volatile computer storage media. In some embodiments, the memory 204 also stores program code and related data, such as an operating system or other controller algorithms operating on the remote unit 102.
[0049] The input device 206, in one embodiment, may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like. In some embodiments, the input device 206 may be integrated with the display 208, for example, as a touchscreen or similar touch-sensitive display. In some embodiments, the input device 206 includes a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/or by handwriting on the touchscreen. In some embodiments, the input device 206 includes two or more different devices, such as a keyboard and a touch panel.
[0050] The display 208, in one embodiment, may include any known electronically controllable display or display device. The display 208 may be designed to output visual, audible, and/or haptic signals. In some embodiments, the display 208 includes an electronic display capable of outputting visual data to a user. For example, the display 208 may include, but is not limited to, a liquid crystal display (“LCD”), a light emitting diode (“LED”) display, an organic light emitting diode (“OLED”) display, a projector, or similar display device capable of outputting images, text, or the like to a user. As another, non-limiting, example, the display 208 may include a wearable display such as a smart watch, smart glasses, a heads-up display, or the like. Further, the display 208 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
[0051] In certain embodiments, the display 208 includes one or more speakers for producing sound. For example, the display 208 may produce an audible alert or notification (e.g., a beep or chime). In some embodiments, the display 208 includes one or more haptic devices for producing vibrations, motion, or other haptic feedback. In some embodiments, all or portions of the display 208 may be integrated with the input device 206. For example, the input device 206 and display 208 may form a touchscreen or similar touch-sensitive display. In other embodiments, the display 208 may be located near the input device 206.
[0052] Although only one transmitter 210 and one receiver 212 are illustrated, the remote unit 102 may have any suitable number of transmitters 210 and receivers 212. The transmitter 210 and the receiver 212 may be any suitable type of transmitters and receivers. In one embodiment, the transmitter 210 and the receiver 212 may be part of a transceiver.
[0053] In certain embodiments, the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the transceiver receives information for setting up a secure layer 2 connection with a first network device. In various embodiments, the processor 202 sets up the secure layer 2 connection.
[0054] Figure 3 depicts one embodiment of an apparatus 300 that may be used for authentication and registration of PIN elements. The apparatus 300 includes one embodiment of the network unit 104. Furthermore, the network unit 104 may include a processor 302, a memory 304, an input device 306, a display 308, a transmitter 310, and a receiver 312. As may be appreciated, the processor 302, the memory 304, the input device 306, the display 308, the transmitter 310, and the receiver 312 may be substantially similar to the processor 202, the memory 204, the input device 206, the display 208, the transmitter 210, and the receiver 212 of the remote unit 102, respectively.
[0055] In certain embodiments, the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials. In some embodiments, the processor 302 generates a first request message to establish a NAS registration request with a first AMF. The first request message includes a list of locally registered PIN element identifiers without 3GPP credentials. In various embodiments, the transceiver receives, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0056] In some embodiments, the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the transceiver receives information for setting up a secure layer 2 connection with a first network device. In various embodiments, the processor 302 sets up the secure layer 2 connection.
[0057] In various embodiments, the transceiver receives a first request message to establish a NAS registration request. The first request message includes a list of locally registered PIN element identifiers with 3GPP credentials. In some embodiments, the transceiver transmits, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0058] It should be noted that two or more embodiments described herein may be combined together. In certain embodiments, security may be used by a device for authentication, authorization, data protection, and registration to a mobile core network. In some embodiments, there may be security protection and access control that indicates 1) how a fifth generation system (“5GS”) supports secure protection for communications between personal internet of things (“IoT”) network (“PIN”) elements (e.g., via a PEGC or via 5GC), or for communications between PIN elements and PEGC; and/or 2) gap analysis on how a 5GS supports mitigation of repeated and unauthorized attempts to access PIN elements (e.g., from the internet, or from other PIN elements via a PEGC).
[0059] In various embodiments: 1) PIN elements need to authenticate with each other and with a PEMC as well as the PEGC; 2) a role of the PEMC and the PEGC may be defined; 3) PEGC is connected via non-3GPP access to the 5GC; 4) locally authenticated and authorized PIN element identities are registered to the 5GC to allow communication between PIN elements inside and outside a personal IoT network; and/or 5) local authentication with PIN elements with 3GPP managed credentials is different from local authentication with other credentials.
[0060] In certain embodiments, PIN elements may connect to a non-3GPP network. In some embodiments, there may be different trust relationships with a non-3GPP access network (e.g., trusted, untrusted access) as well as different device capabilities (e.g., devices with 3GPP credentials with NAS capabilities, without NAS capabilities, behind a residential gateway or direct connection to the non-3GPP access point (“AP”)).
[0061] In various embodiments, there may be local registration and/or authentication at a gateway in a personal network for devices with and without 3GPP credentials. In certain embodiments, there may be registration of devices without 3GPP credentials in a 5GC and/or data connectivity for those devices explicitly with operator controlled traffic connection configuration. In some embodiments, devices without 3GPP credentials are limited to a residential gateway and not to end user devices (e.g., PIN elements). In various embodiments, a local binding for a direct communication within a local personal network may be performed and a service request procedure for data access to a data network (“DN”) via a 5GC may be made.
[0062] Figure 4 is a schematic block diagram illustrating one embodiment of a system 400 including PIN elements. The system 400 includes a PIN element #A 402 (e.g., motion sensor) that communicates a trigger to a PIN element #B 404 (e.g., surveillance camera). The PIN element #A 402 sends a motion detected signal (e.g., via locally encrypted commands) to a PIN element with management capabilities 406. Further, the PIN element #B 404 sends data to a PIN element with gateway capabilities 408. Moreover, the PIN element with management capabilities 406 provides a list of registered PIN elements to the PIN element with gateway capabilities 408. Also, the PIN element with management capabilities 406 provides an indication to turn a light switch on (e.g., via locally encrypted commands) to a PIN element #C 410 (e.g., light). The PIN element with gateway capabilities 408 sends information to a 5GC 412, and the 5GC 412 sends information to a PIN element #D 414 (e.g., smartphone). After all PIN elements are locally authenticated and registered, the PIN element with gateway capabilities 408 registers all the local PIN elements in the fifth generation (“5G”) core network (“CN”).
[0063] In certain embodiments there may be: 1) local registration and authentication with PIN elements without 3GPP credentials at the PEMC and/or PEGC in a PIN; 2) registration of the PEMC and/or PEGC in a 5GC including local authenticated PIN elements without 3GPP credentials; 3) registration of PIN elements with 3GPP credentials locally and in the 5GC; 4) binding of local PIN elements; and/or 5) a service request for PIN elements without 3GPP credentials to send data via the 5GC.
[0064] In some embodiments, a PEMC and a PEGC may be collocated as one function within a same entity or may be implemented as two separate functions. The PEMC and/or the PEGC may be considered as a user equipment (“UE”) from the 5GC point of view with additional capabilities (e.g., registration of local PIN elements without 3GPP credentials to the 5GC).
[0065] In a first embodiment, there may be local registration and authentication for PIN elements without 3GPP credentials. For PIN elements without 3GPP credentials, it is assumed that the credentials are preconfigured in the PIN element and in a PEMC and/or PEGC.
[0066] Figure 5 is a schematic block diagram illustrating one embodiment of a system 500 for registration and authentication of devices without 3GPP credentials for PIN elements. The system 500 includes a PIN element #A 502, a PEMC/PEGC 504, and a PIN element #B 506. Each of the communications in the system 500 may include one or more messages.
[0067] In a first communication 508, the PIN element #A 502 sends a registration request to the PEMC/PEGC 504.
[0068] The PEMC/PEGC 504 selects 510 an authentication method based on a PIN element identifier (“ID”) and corresponding preconfigured credentials.
[0069] In a third communication 512, the PEMC/PEGC 504 performs authentication according to the authentication method (e.g., extensible authentication protocol (“EAP”) authentication and key agreement (“AKA”)). The authentication method is a key generating method that results in a security key for protecting communication between the PIN element #A 502 and the PEMC/PEGC 504.
[0070] In a fourth communication 514, the PEMC/PEGC 504 acknowledges successful local registration. Moreover, in a fifth communication 516, steps 508 through 514 may be performed between the PEMC/PEGC 504 and the PIN element #B 506.
[0071] In a second embodiment, there may be registration of a PEMC/PEGC in a 5GC including locally authenticated PIN elements without 3GPP credentials. In such an embodiment, the PEMC/PEGC needs to register to the 5GC and needs to provide a list of the locally authenticated PIN elements. The operator may have PIN elements that are managed by an operator (e.g., which are mapped to a different traffic connection (e.g., protocol data unit (“PDU”) session, single (“S”) network slice selection assistance information (“NSSAI”) (“S-NSSAI”), and so forth) to retrieve a dedicated service). Further, the PEMC/PEGC connects to the 5GC via a non-3GPP interworking function (“N3IWF”) similar to an untrusted non-3GPP access procedure.
[0072] Figure 6 is a schematic block diagram illustrating one embodiment of a system 600 for registration of a PEMC/PEGC in a 5GC. The system 600 includes a PEMC/PEGC 602, an N3IWF 604, an AMF 606, an authentication server function (“AUSF”) 608, and a UDM 610. Each of the communications in the system 600 may include one or more messages.
[0073] In a first communication 612, the PEMC/PEGC 602 acts like a UE connecting to the 5GC via untrusted non-3GPP access. The PEMC/PEGC 602 performs the authentication with the 5GC with the authentication method selected by the UDM 610. The PEMC/PEGC 602 may indicate in a non-access stratum (“NAS”) registration request that it registers as the PEMC/PEGC 602.
[0074] In a second communication 614 and a third communication 616, after successful authentication, the AMF 606 sends a NAS security mode command to the PEMC/PEGC 602.
[0075] In a fourth communication 618 and a fifth communication 620, the PEMC/PEGC 602 sets up NAS security and provides back a full initial NAS message including a list of the locally authenticated PIN element IDs without 3GPP credentials and their associated requested NSSAIs.
[0076] In a sixth communication 622, the AMF 606 stores the list of the locally authenticated PIN elements without 3GPP credentials and provides a KN3IWF key to the N3IWF 604. The N3IWF 604 performs an IKE_AUTH exchange and an internet protocol (“IP”) security (“IPsec”) child security association (“SA”) establishment with the PEMC/PEGC 602 (acting as the UE) based on the KN3IWF. Thus, the communication between the PEMC/PEGC 602 and the N3IWF 604 is transport layer protected.
[0077] In a seventh communication 624, the AMF 606 sends a Nudm_SDM_Get request to the UDM 610 to retrieve a subscription profile of the PEMC/PEGC 602.
[0078] In an eighth communication 626, the UDM 610 provides, in a Nudm_SDM_Get_Response, a subscription profile including a list of the operator managed PIN element IDs and their related S-NSSAIs. The operator managed PIN elements are associated with the subscription profile of the PEMC/PEGC 602; this association could be made, for example, at the time of purchase of a PIN element from an operator store. Operator managed PIN element IDs may or may not have 3GPP credentials. The UDM 610 may have additional binding policy information for managed PIN elements in a local network to be enforced by the PEMC/PEGC 602.
[0079] The AMF 606 compares 628 the list of PIN elements without 3GPP credentials received from the PEMC/PEGC 602 with the list of operator managed PIN elements for the PEMC/PEGC 602 retrieved from the UDM 610. The AMF 606 assigns the operator managed PIN elements their respective S-NSSAIs. The AMF 606 may assign a default S-NSSAI for unmanaged PIN elements.
[0080] In a ninth communication 630 and a tenth communication 632, the AMF 606 sends a registration accept message to the PEMC/PEGC 602 including a list of PIN elements, their respective list of S-NSSAIs, and additional binding policy information for managed PIN elements in the local network to be enforced by the PEMC/PEGC 602.
[0081] In a third embodiment, there may be registration of PIN elements with 3GPP credentials locally and in a 5GC. In the third embodiment, there may be a precondition that a PEMC/PEGC is already registered to a 5GC. The PEMC/PEGC acts as a trusted network access point (“TNAP”) and/or trusted non-3GPP gateway function (“TNGF”) for trusted access or as a wireless (“W”) access gateway function (“AGF”) (“W-AGF”) for fixed network access. In some embodiments, a PEMC/PEGC supports PIN elements with 3GPP credentials but without NAS capabilities. In such embodiments, the PEMC/PEGC acts as a W-AGF or as a trusted wireless local area network (“WLAN”) interworking function (“TWIF”) and terminates a NAS protocol on behalf of a PIN element while allowing the authentication to be terminated at the PIN element.
[0082] Figure 7 is a schematic block diagram illustrating one embodiment of a system 700 for registration of PIN elements with 3GPP credentials locally and in a 5GC. The system 700 includes a PIN element 702 (e.g., with 3GPP credentials), a PEMC/PEGC 704, an N3IWF 706, an AMF 708, an AUSF 710, and a UDM 712. Each of the communications in the system 700 may include one or more messages.
[0083] In a first communication 714, the PEMC/PEGC 704 is registered to the 5GC according to the procedure in Figure 6.
[0084] In a second communication 716, the PIN element 702 and the PEMC/PEGC 704 exchange layer 2 (“L2”) messages (e.g., layer 2 connection setup, layer 2 EAP identity request/response, and so forth).
[0085] In a third communication 718 and a fourth communication 720, the PIN element 702 sends a NAS registration request with its subscription concealed identifier (“SUCI”) or fifth generation (“5G”) globally unique temporary UE identity (“GUTI”) (“5G-GUTI”) and PIN capabilities to the PEMC/PEGC 704 embedded in an L2 message (e.g., EAP message). The PEMC/PEGC 704, acting as a proxy, forwards the NAS message through a tunnel established with the N3IWF 706 to the AMF 708.
[0086] In a fifth communication 722, the AUSF 710 performs authentication with the PIN element 702.
[0087] In a sixth communication 724, after successful authentication, the AMF 708 may perform a NAS security mode command (“SMC”) with the PIN element 702. This step is only performed if the PIN element 702 also supports the NAS protocol, or else this step is skipped. If the NAS SMC is skipped, the NAS security from the PEMC/PEGC 704 may be reused, but since the transport between the PEMC/PEGC 704 and the N3IWF 706 is already protected with an IPsec SA, it is not necessarily required.
[0088] In a seventh communication 726, the AMF 708 derives a key KPIN for the PIN element 702 based on the PIN capabilities. The KPIN is used in a similar way as a TNAP key KTNAP for the PIN element 702 to set up a wireless connection at a local access point (“AP”) (e.g., the PEMC/PEGC 704), with the difference that the key is already derived at the AMF 708 and provided to the PEMC/PEGC 704. Since the PIN element may not have NAS capabilities, it may not be able to derive an AMF key. Therefore, depending on the PIN element 702 capabilities, the input key for the PIN key KPIN derivation may be KAUSF, KSEAF, and/or KAMF. The input parameters may be any parameters visible to the PIN element 702 (e.g., the PIN element identifier (e.g., international mobile subscriber identity (“IMSI”), network access identifier (“NAI”), global cable identifier (“GCI”), global line identifier (“GLI”), or any other local identifier that is part of the list of locally registered PIN element identifiers sent by the PEMC/PEGC 704 in Figure 6), a PEMC/PEGC identifier, a personal network name, and so forth). The AMF 708 sends the key KPIN to the PEMC/PEGC 704.
[0089] The PEMC/PEGC 704 stores 728 the key KPIN and binds it with the PIN element 702. The PIN element 702 is locally registered at the PEMC/PEGC 704.
[0090] In an eighth communication 730, the PIN element 702 derives the same KPIN in the same way as the AMF 708 and sets up a secure layer 2 connection with the PEMC/PEGC 704.
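The following is an added worked example, not part of the patent text, of the KPIN derivation described in paragraphs [0088] through [0090]: the AMF derives KPIN from an input key chosen by the PIN element's capabilities and from parameters the PIN element can see, and the PIN element repeats the same derivation. The patent does not fix the KDF, the function code, or which key is selected for which capability; this example assumes the HMAC-SHA-256 construction of 3GPP TS 33.220 Annex B, a placeholder function code, KAMF as input key for a NAS-capable element and KSEAF otherwise, and constructed identifiers and key material.

```python
"""Added example (not from the patent): K_PIN derived once at the AMF and once
at the PIN element, per paragraphs [0088]-[0090].

Assumptions not fixed by the patent text: the KDF is the HMAC-SHA-256
construction of 3GPP TS 33.220 Annex B (FC || P0 || L0 || P1 || L1 ...),
the FC value below is a placeholder, the input key is K_AMF for a NAS-capable
PIN element and K_SEAF otherwise, and all identifiers and keys are constructed."""
import hashlib
import hmac
import secrets

FC_KPIN = b"\x7f"  # placeholder function code; not an allocated 3GPP value


def kdf_33220(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ..., where each Li is the
    2-byte big-endian length of Pi. The lengths keep distinct parameter lists
    from colliding once concatenated."""
    s = fc + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def select_input_key(keys: dict, nas_capable: bool) -> bytes:
    """Choose a root key the PIN element can actually hold: only a NAS-capable
    element derives K_AMF itself; one without NAS capability stops at K_SEAF
    (assumed mapping; the patent lists K_AUSF, K_SEAF and K_AMF as candidates)."""
    return keys["K_AMF"] if nas_capable else keys["K_SEAF"]


def derive_kpin(keys: dict, nas_capable: bool, pin_id: str,
                pegc_id: str, pn_name: str) -> bytes:
    """K_PIN = KDF(input key, FC, PIN element ID, PEMC/PEGC ID, personal network
    name). Every parameter is visible to the PIN element, so it can repeat this."""
    root = select_input_key(keys, nas_capable)
    return kdf_33220(root, FC_KPIN, pin_id.encode(), pegc_id.encode(), pn_name.encode())


def make_key_hierarchy() -> dict:
    """Constructed stand-in for the keys present after primary authentication.
    Real K_SEAF/K_AMF are derived from K_AUSF; random bytes suffice here."""
    return {"K_AUSF": secrets.token_bytes(32),
            "K_SEAF": secrets.token_bytes(32),
            "K_AMF": secrets.token_bytes(32)}


def amf_and_pin_agree(nas_capable: bool) -> bool:
    """Run the AMF side and the PIN element side and confirm they produce the
    same K_PIN, and that a different PIN element ID yields a different key
    (otherwise the PEMC/PEGC could not bind K_PIN to exactly one element)."""
    keys = make_key_hierarchy()
    pin_id, pegc_id, pn_name = "pin-a@example.pn", "pegc-1", "home-pin"
    k_amf_side = derive_kpin(keys, nas_capable, pin_id, pegc_id, pn_name)  # at the AMF
    k_pin_side = derive_kpin(keys, nas_capable, pin_id, pegc_id, pn_name)  # at the PIN element
    k_other = derive_kpin(keys, nas_capable, "pin-b@example.pn", pegc_id, pn_name)
    return hmac.compare_digest(k_amf_side, k_pin_side) and k_amf_side != k_other


if __name__ == "__main__":
    print("NAS-capable PIN element agrees:", amf_and_pin_agree(True))
    print("PIN element without NAS agrees:", amf_and_pin_agree(False))
```

The point a practitioner should take from this is the selection step: a PIN element without NAS capability cannot compute KAMF, so the AMF must choose an input key the element already possesses, and the identifier bound into the derivation must be one the PEMC/PEGC later uses to associate the stored KPIN with that element.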
[0091] In a ninth communication 732, the PEMC/PEGC 704 responds to the AMF 708 with an N2 initial context setup response message.
[0092] In a tenth communication 734 and an eleventh communication 736, a NAS registration accept message is sent by the AMF 708 and is forwarded to the PIN element 702 (e.g., only if it supports the NAS protocol; otherwise the message is terminated in the PEMC/PEGC 704) via an established connection.
[0093] In a twelfth communication 738, only if the PIN element 702 supports a NAS protocol, it initiates a PDU session establishment and the PEMC/PEGC 704 may establish one or more IPsec child SAs per PDU session. User plane data for the established PDU session is transported between the PIN element 702 and the PEMC/PEGC 704 inside the established IPsec child SA.
[0094] In a fourth embodiment, there may be a binding of locally registered PIN elements. As a prerequisite, PIN elements subject to binding and establishment of a direct connection have to be registered locally, either with or without 3GPP credentials. The direct connection may be via a PEGC and/or AP, or, depending on the PIN element radio capabilities, a real direct communication without the AP using the same or a different radio technology.
[0095] Figure 8 is a schematic block diagram illustrating one embodiment of a system 800 for binding local registered PIN elements. The system 800 includes a PIN element #A 802, a PEMC/PEGC 804, and a PIN element #B 806. Each of the communications in the system 800 may include one or more messages.
[0096] In a first communication 808 and a second communication 810, the PIN element #A 802 and the PIN element #B 806 register and authenticate to the PEMC/PEGC 804 as described herein.
[0097] The PEMC/PEGC 804 may have information about the binding, either retrieved from the operator for managed PIN elements during the registration of the PEMC/PEGC 804 or configured by the user. This binding information may be a trigger PIN element (e.g., motion sensor) and an execution PIN element (e.g., light bulb). The PEMC/PEGC 804 is configured to link the PIN elements directly if the radio capabilities allow, or via the PEGC and/or AP. A direct communication key KDC is derived. A root key Kroot for a KDF for the key derivation of the KDC may be based on the keys available in the PEMC/PEGC 804 (e.g., the PEMC/PEGC specific keys KAUSF, KSEAF, KAMF, and/or the key KPIN in case PIN element #A 802 or PIN element #B 806 has 3GPP credentials and is registered to the 5GC). If both have 3GPP credentials, then both KPINs could be concatenated as an input root key. As input to the KDF, the following parameters may be used: IDs of the PIN elements to be paired (e.g., PIN element #A 802 and PIN element #B 806, but there could be more than two paired PIN elements), a nonce (e.g., which may be a random number), a counter, and so forth. The PEMC/PEGC 804 generates 812 an access token which is used by the two PIN elements to mutually authenticate each other. The access token may be an OAuth token or any other token. In some embodiments, it may be a sufficiently long random number.
[0098] In a third communication 814, the PEMC/PEGC 804 sends the security key KDC, an access token, and a PIN element #B ID to the PIN element #A 802 in a protected pairing request message.
[0099] In a fourth communication 816, the PEMC/PEGC 804 sends the security key KDC, the access token, and a PIN element #A ID to the PIN element #B 806 in a protected pairing request message.
[0100] In a fifth communication 818, the PIN element #A 802 and the PIN element #B 806 perform authentication between them, either by sending the access token for verification or by performing a mutual exchange. Specifically, the PIN element #A 802 sends an authentication message to the PIN element #B 806 (e.g., including a hash (e.g., SHA1, SHA2, or SHA3 with their variants) of the access token and its PIN element #A ID). The PIN element #B 806 receives the message, performs a hash over the access token and the PIN element #A ID, and compares it with the one received from the PIN element #A 802. If identical, the PIN element #B 806 also sends an authentication response with the hash of the access token and the PIN element #B ID; the receiving PIN element #A 802 then computes the hash and compares it. Then, the PIN element #A 802 sets up a secure connection with the security key KDC. This can be done either with an IPsec SA establishment, using a block cipher, and so forth.
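The following is an added worked example, not part of the patent, of the binding procedure of Figure 8 as described in paragraphs [0097] through [0100]: the PEMC/PEGC derives KDC and an access token, delivers both to the two PIN elements in pairing requests, and the elements then authenticate each other with hashes over the token and their IDs before using KDC. The patent fixes neither the KDF nor the hash nor the token format; this example assumes HMAC-SHA-256 as KDF with a single PEMC/PEGC key as Kroot (neither element has 3GPP credentials), a 32-byte random access token, SHA-256 over the token followed by the sender's ID, and constructed identifiers.

```python
"""Added example (not from the patent): the pairing flow of Figure 8
([0097]-[0100]) with a PEMC/PEGC and two PIN elements.

Assumptions not fixed by the patent: the KDF for K_DC is HMAC-SHA-256, K_root is
one PEMC/PEGC key (no PIN element with 3GPP credentials), the access token is a
32-byte random value, the authentication hash is SHA-256(token || PIN element
ID), and all IDs and keys are constructed."""
import hashlib
import hmac
import secrets


def derive_kdc(root_key: bytes, pin_ids: list, nonce: bytes, counter: int) -> bytes:
    """K_DC = KDF(K_root, IDs of the paired elements || nonce || counter)."""
    ids = b"".join(i.encode() + b"\x00" for i in sorted(pin_ids))
    return hmac.new(root_key, ids + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def auth_value(token: bytes, pin_id: str) -> bytes:
    """Hash of the access token and the sender's own PIN element ID ([0100])."""
    return hashlib.sha256(token + pin_id.encode()).digest()


class PinElement:
    def __init__(self, pin_id: str):
        self.pin_id = pin_id
        self.kdc = self.token = self.peer_id = None

    def on_pairing_request(self, kdc: bytes, token: bytes, peer_id: str) -> None:
        """Pairing request received over the protected local connection ([0098]/[0099])."""
        self.kdc, self.token, self.peer_id = kdc, token, peer_id

    def authentication_message(self) -> tuple:
        return self.pin_id, auth_value(self.token, self.pin_id)

    def verify(self, sender_id: str, value: bytes) -> bool:
        """Recompute the hash over the token and the expected peer's ID and compare
        in constant time. A sender other than the peer named in the pairing request,
        or a sender without the token, fails."""
        if self.token is None or sender_id != self.peer_id:
            return False
        return hmac.compare_digest(auth_value(self.token, self.peer_id), value)


def pemc_pegc_pair(root_key: bytes, a: PinElement, b: PinElement, counter: int) -> tuple:
    """PEMC/PEGC side: derive K_DC and the access token, send both pairing requests."""
    nonce = secrets.token_bytes(16)
    kdc = derive_kdc(root_key, [a.pin_id, b.pin_id], nonce, counter)
    token = secrets.token_bytes(32)  # a sufficiently long random number as token
    a.on_pairing_request(kdc, token, b.pin_id)
    b.on_pairing_request(kdc, token, a.pin_id)
    return kdc, token


def mutual_authentication(a: PinElement, b: PinElement) -> bool:
    """Fifth communication of Figure 8: A -> B, then B -> A, each side checking
    the other's hash; on success both hold the same K_DC for the direct link."""
    if not b.verify(*a.authentication_message()):
        return False
    if not a.verify(*b.authentication_message()):
        return False
    return a.kdc == b.kdc


def demo() -> dict:
    root = secrets.token_bytes(32)  # constructed stand-in for the PEMC/PEGC's K_AMF
    a, b = PinElement("sensor-A"), PinElement("light-B")
    pemc_pegc_pair(root, a, b, counter=1)
    paired = mutual_authentication(a, b)
    # A device that claims A's ID but never received the token from the
    # PEMC/PEGC cannot produce a hash that B accepts.
    impostor = PinElement("sensor-A")
    impostor.on_pairing_request(b"\x00" * 32, b"\x00" * 32, "light-B")
    rejected = not b.verify(*impostor.authentication_message())
    return {"paired": paired, "impostor_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check in `verify` binds two things the text relies on: possession of the token distributed by the PEMC/PEGC, and the identity named in the pairing request, so a device that knows a neighbour's ID but was never paired by the gateway is turned away before any use of KDC.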
[0101] In a fifth embodiment, there may be a service request for PIN elements without 3GPP credentials to send data via a 5GC. PIN elements without 3GPP credentials may not have access to an external DN, since a PEGC is connected to the 5GC for external DN access via a UPF. A pre-registered PIN element, if it wants to send data to the DN, needs to perform a service request to get a PDU session assigned (e.g., based on a requested S-NSSAI). Since the PIN element without 3GPP credentials also does not support a NAS protocol, a PEGC may create a respective NAS message on behalf of the PIN element. One embodiment of the procedure is shown in Figure 9.
[0102] Figure 9 is a schematic block diagram illustrating one embodiment of a system 900 with a service request for PIN elements without 3GPP credentials to send data via a 5GC. The system 900 includes a PIN element #A 902, a PEMC/PEGC 904, an N3IWF 906, an AMF 908, and a UPF 910. Each of the communications in the system 900 may include one or more messages.
[0103] In a first communication 912, the PIN element #A 902 performs a local authentication and security setup and the PEMC/PEGC 904 is registered to the 5GC.
[0104] In a second communication 914, the PIN element #A 902 sends a data request to the PEMC/PEGC 904.
[0105] In a third communication 916 and a fourth communication 918, the PEMC/PEGC 904 generates a NAS service request message and includes its SUCI or 5G-GUTI and a PIN element #A ID.
[0106] The AMF 908 checks 920 whether the PIN element #A ID was already registered and checks the allowed NSSAI for that specific PIN element.
[0107] In a fifth communication 922, if the PIN element #A 902 requires a specific PDU session (e.g., for a specific S-NSSAI), the PDU session is not established towards the PEMC/PEGC 904.
[0108] In a sixth communication 924 and a seventh communication 926, the AMF 908 sends a service accept with the allowed NSSAI for the PIN element #A 902.
[0109] In an eighth communication 928, the PEMC/PEGC 904 sends a data request acknowledgement to the PIN element #A 902.
[0110] In a ninth communication 930, the PIN element #A 902 starts to send data to the PEMC/PEGC 904.
[0111] The PEMC/PEGC 904 selects 932 the PDU session according to the allowed NSSAI and maps the data from the PIN Element #A 902 to that PDU session.
[0112] In a tenth communication 934 and an eleventh communication 936, the PEMC/PEGC 904 forwards the data in the PDU session to the UPF 910 and further to a destination DN.
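The following is an added worked example, not part of the patent, covering the AMF-side logic of two procedures: the registration comparison of Figure 6 (paragraphs [0078] through [0080]), where the AMF reconciles the PEMC/PEGC's list of locally registered PIN element IDs with the operator managed list from the UDM subscription profile, assigns S-NSSAIs and returns the binding policy, and the service request of Figure 9 (paragraphs [0105] through [0112]), where a data request is accepted only for a registered PIN element and the PEMC/PEGC maps the element's data to the PDU session of an allowed S-NSSAI. The S-NSSAI values, PIN element IDs, default S-NSSAI and the shape of the subscription profile are all constructed; the patent fixes none of them.

```python
"""Added example (not from the patent): AMF-side checks of Figures 6 and 9.

Registration ([0078]-[0080]): compare the PEMC/PEGC's locally registered PIN
element IDs with the operator managed IDs from the UDM profile, assign managed
elements their S-NSSAIs and unmanaged ones a default, return the binding policy.
Service request ([0105]-[0112]): accept only registered PIN element IDs, return
the allowed NSSAI, and let the PEMC/PEGC map data to the matching PDU session.

Assumptions: all IDs, S-NSSAI strings and the profile layout are constructed."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_SNSSAI = "SST=1"  # default slice for unmanaged PIN elements (constructed)


@dataclass
class SubscriptionProfile:
    """Constructed stand-in for the content of a Nudm_SDM_Get_Response ([0078])."""
    managed_pins: dict     # PIN element ID -> list of S-NSSAI
    binding_policy: dict   # PIN element ID -> policy the PEMC/PEGC must enforce


class Amf:
    def __init__(self, udm: dict):
        self.udm = udm             # PEMC/PEGC ID -> SubscriptionProfile
        self.registered = {}       # PEMC/PEGC ID -> {PIN element ID: allowed S-NSSAIs}

    def register(self, pegc_id: str, local_pin_ids: list) -> dict:
        """Build the registration accept of [0079]/[0080] and remember what was
        accepted, since later service requests are checked against it ([0106])."""
        profile = self.udm[pegc_id]
        accept = {"pin_elements": {}, "binding_policy": {}}
        for pin_id in local_pin_ids:
            if pin_id in profile.managed_pins:
                accept["pin_elements"][pin_id] = list(profile.managed_pins[pin_id])
                if pin_id in profile.binding_policy:
                    accept["binding_policy"][pin_id] = profile.binding_policy[pin_id]
            else:
                accept["pin_elements"][pin_id] = [DEFAULT_SNSSAI]
        self.registered[pegc_id] = {k: list(v) for k, v in accept["pin_elements"].items()}
        return accept

    def service_request(self, pegc_id: str, pin_id: str,
                        requested: Optional[str] = None) -> Optional[list]:
        """Unknown PIN element IDs are rejected (None). Otherwise return the allowed
        NSSAI, narrowed to the requested S-NSSAI when one was asked for."""
        allowed = self.registered.get(pegc_id, {}).get(pin_id)
        if allowed is None:
            return None
        if requested is not None:
            return [requested] if requested in allowed else None
        return list(allowed)


class Pegc:
    def __init__(self, pegc_id: str):
        self.pegc_id = pegc_id
        self.pdu_sessions = {}     # S-NSSAI -> list of (PIN element ID, payload)

    def data_request(self, amf: Amf, pin_id: str, payload: bytes,
                     requested: Optional[str] = None) -> Optional[str]:
        """Second to eleventh communications of Figure 9, collapsed: obtain the
        allowed NSSAI from the AMF, then map the element's data to that PDU session.
        Without a service accept the data never leaves the PEMC/PEGC."""
        allowed = amf.service_request(self.pegc_id, pin_id, requested)
        if not allowed:
            return None
        snssai = allowed[0]
        self.pdu_sessions.setdefault(snssai, []).append((pin_id, payload))
        return snssai


def demo() -> dict:
    udm = {"pegc-1": SubscriptionProfile(
        managed_pins={"cam-B": ["SST=1,SD=000001"]},
        binding_policy={"cam-B": "trigger:sensor-A"})}
    amf, pegc = Amf(udm), Pegc("pegc-1")
    accept = amf.register("pegc-1", ["sensor-A", "cam-B"])
    return {
        "accept": accept,
        "sensor_session": pegc.data_request(amf, "sensor-A", b"motion"),
        "camera_session": pegc.data_request(amf, "cam-B", b"frame", "SST=1,SD=000001"),
        "unregistered": pegc.data_request(amf, "rogue-X", b"data"),
        "wrong_slice": pegc.data_request(amf, "sensor-A", b"x", "SST=1,SD=000001"),
    }


if __name__ == "__main__":
    print(demo())
```

Two outcomes in `demo` are the ones worth checking in a real deployment: an ID that never appeared in the registration accept gets no PDU session at all, and a registered element cannot pull its traffic onto a slice the AMF did not allow for it.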
[0113] Figure 10 is a flow chart diagram illustrating one embodiment of a method 1000 for authentication and registration of PIN elements. In some embodiments, the method 1000 is performed by an apparatus, such as the network unit 104. In certain embodiments, the method 1000 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
[0114] In various embodiments, the method 1000 includes performing 1002, at a first network device, a local authentication and registration of PIN elements with preconfigured credentials. In some embodiments, the method 1000 includes generating 1004 a first request message to establish a NAS registration request with a first AMF. The first request message includes a list of locally registered PIN element identifiers without 3GPP credentials. In certain embodiments, the method 1000 includes receiving 1006, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers without 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0115] In certain embodiments, the method 1000 further comprises receiving a second request message from a local PIN element with 3GPP credentials. In some embodiments, the method 1000 further comprises sending a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials. In various embodiments, the method 1000 further comprises receiving a security key (KPIN) from the second AMF.
[0116] In one embodiment, the method 1000 further comprises storing the KPIN. In certain embodiments, the method 1000 further comprises binding the KPIN with the local PIN element with 3GPP credentials. In some embodiments, the method 1000 further comprises setting up a secure layer 2 connection with the local PIN element with 3GPP credentials.
[0117] In various embodiments, the method 1000 further comprises determining a binding of two or more locally registered PIN elements. In one embodiment, the method 1000 further comprises deriving a direct communication key (KDC) and an access token. In certain embodiments, the method 1000 further comprises sending a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
[0118] In some embodiments, the method 1000 further comprises receiving a data send request from a locally registered PIN element without 3GPP credentials. In various embodiments, the method 1000 further comprises generating a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials. In one embodiment, the method 1000 further comprises sending the fourth request message to a second AMF.
[0119] In certain embodiments, the method 1000 further comprises receiving a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier. In some embodiments, the method 1000 further comprises mapping received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI. In various embodiments, the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
[0120] Figure 11 is a flow chart diagram illustrating another embodiment of a method 1100 for authentication and registration of PIN elements. In some embodiments, the method 1100 is performed by an apparatus, such as the remote unit 102 and/or the network unit 104. In certain embodiments, the method 1100 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
[0121] In various embodiments, the method 1100 includes performing 1102, at a PIN element, a local authentication and registration of the PIN element with preconfigured credentials. In some embodiments, the method 1100 includes receiving 1104 information for setting up a secure layer 2 connection with a first network device. In certain embodiments, the method 1100 includes setting up 1106 the secure layer 2 connection.
[0122] In certain embodiments, the method 1100 further comprises receiving a pairing request message from the first network device, wherein the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof. In some embodiments, the method 1100 further comprises computing an authentication value using a hash function, the access token, and the at least one target PIN element identifier. In various embodiments, the method 1100 further comprises transmitting an authentication request to the at least one fourth network device, wherein the authentication request comprises the authentication value.
[0123] In one embodiment, the method 1100 further comprises receiving an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message. In certain embodiments, the method 1100 further comprises computing an authentication value using a hash function, the access token, and the at least one PIN element identifier, and comparing the computed authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message. In some embodiments, the method 1100 further comprises setting up the secure layer 2 connection by deriving a security key (KPIN).
[0124] Figure 12 is a flow chart diagram illustrating a further embodiment of a method 1200 for authentication and registration of PIN elements. In some embodiments, the method 1200 is performed by an apparatus, such as the network unit 104. In certain embodiments, the method 1200 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
[0125] In various embodiments, the method 1200 includes receiving 1202, at a second network device, a first request message to establish a NAS registration request. The first request message includes a list of locally registered PIN element identifiers with 3GPP credentials. In some embodiments, the method 1200 includes transmitting 1204, in response to the first request message, a NAS registration accept message including the list of locally registered PIN element identifiers with 3GPP credentials that further includes a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0126] In certain embodiments, the method 1200 further comprises deriving a security key (KPIN). In some embodiments, the method 1200 further comprises transmitting the KPIN. In various embodiments, the second network device comprises an AMF.
[0127] In one embodiment, an apparatus comprises a first network device. The apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver performs a local authentication and registration of PIN elements with preconfigured credentials; the processor generates a first request message to establish a NAS registration request with a first AMF, wherein the first request message comprises a list of locally registered PIN element identifiers without 3GPP credentials; and the transceiver receives, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers without 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0128] In certain embodiments, the transceiver receives a second request message from a local PIN element with 3GPP credentials.
[0129] In some embodiments, the transceiver sends a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials.
[0130] In various embodiments, the transceiver receives a security key (KPIN) from the second AMF.
[0131] In one embodiment, the processor stores the KPIN.
[0132] In certain embodiments, the processor binds the KPIN with the local PIN element with 3GPP credentials.
[0133] In some embodiments, the processor sets up a secure layer 2 connection with the local PIN element with 3GPP credentials.
[0134] In various embodiments, the processor determines a binding of two or more locally registered PIN elements.
[0135] In one embodiment, the processor derives a direct communication key (KDC) and an access token.
[0136] In certain embodiments, the transceiver sends a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
[0137] In some embodiments, the transceiver receives a data send request from a locally registered PIN element without 3GPP credentials.
[0138] In various embodiments, the processor generates a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials.
[0139] In one embodiment, the transceiver sends the fourth request message to a second AMF.
[0140] In certain embodiments, the transceiver receives a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier.
[0141] In some embodiments, the processor maps received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI.
[0142] In various embodiments, the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
[0143] In one embodiment, a method of a first network device comprises: performing a local authentication and registration of PIN elements with preconfigured credentials; generating a first request message to establish a NAS registration request with a first AMF, wherein the first request message comprises a list of locally registered PIN element identifiers without 3GPP credentials; and receiving, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers without 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0144] In certain embodiments, the method further comprises receiving a second request message from a local PIN element with 3GPP credentials.
[0145] In some embodiments, the method further comprises sending a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials.
[0146] In various embodiments, the method further comprises receiving a security key (KPIN) from the second AMF.
[0147] In one embodiment, the method further comprises storing the KPIN.
[0148] In certain embodiments, the method further comprises binding the KPIN with the local PIN element with 3GPP credentials.
[0149] In some embodiments, the method further comprises setting up a secure layer 2 connection with the local PIN element with 3GPP credentials.
[0150] In various embodiments, the method further comprises determining a binding of two or more locally registered PIN elements.
[0151] In one embodiment, the method further comprises deriving a direct communication key (KDC) and an access token.
[0152] In certain embodiments, the method further comprises sending a protected pairing request message to the two or more locally registered PIN elements including the KDC and the access token.
[0153] In some embodiments, the method further comprises receiving a data send request from a locally registered PIN element without 3GPP credentials.
[0154] In various embodiments, the method further comprises generating a fourth request message comprising a NAS service request message comprising an identifier of a first apparatus and a PIN element identifier corresponding to the locally registered PIN element without 3GPP credentials.
[0155] In one embodiment, the method further comprises sending the fourth request message to a second AMF.
[0156] In certain embodiments, the method further comprises receiving a service request accept message with allowed network slice selection assistance information (NSSAI) for the PIN element identifier.
[0157] In some embodiments, the method further comprises mapping received data traffic from the locally registered PIN element without 3GPP credentials to a corresponding protocol data unit (PDU) session with the allowed NSSAI.
[0158] In various embodiments, the first network device comprises a PIN element with gateway capabilities (PEGC), a PIN element with management capabilities (PEMC), or a combination thereof.
[0159] In one embodiment, an apparatus comprises a PIN element. The apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver performs a local authentication and registration of the PIN element with preconfigured credentials; the transceiver receives information for setting up a secure layer 2 connection with a first network device; and the processor sets up the secure layer 2 connection.
[0160] In certain embodiments, the transceiver receives a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
[0161] In some embodiments, the processor computes an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
[0162] In various embodiments, the transceiver transmits an authentication request to the at least one fourth network device, and the authentication request comprises an authentication value.
[0163] In one embodiment, the transceiver receives an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message.
[0164] In certain embodiments, the processor computes an authentication value using a hash function, the access token, and the at least one PIN element identifier, and compares the authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message.
[0165] In some embodiments, the processor sets up the secure layer 2 connection by deriving a security key (KPIN).
[0166] In one embodiment, a method of a PIN element comprises: performing a local authentication and registration of the PIN element with preconfigured credentials; receiving information for setting up a secure layer 2 connection with a first network device; and setting up the secure layer 2 connection.
[0167] In certain embodiments, the method further comprises receiving a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
[0168] In some embodiments, the method further comprises computing an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
[0169] In various embodiments, the method further comprises transmitting an authentication request to the at least one fourth network device, and the authentication request comprises an authentication value.
[0170] In one embodiment, the method further comprises receiving an authentication request comprising an authentication value from a network device with the at least one PIN element identifier from the pairing request message.
[0171] In certain embodiments, the method further comprises computing an authentication value using a hash function, the access token, and the at least one PIN element identifier, and comparing the authentication value with the authentication value received from the network device with the at least one PIN element identifier from the pairing request message.
[0172] In some embodiments, the method further comprises setting up the secure layer 2 connection by deriving a security key (KPIN).
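The pairing and authentication exchange of paragraphs [0160]-[0165] and [0167]-[0172], worked through as an added Python example (not code from the application or its applicant): the PEGC issues protected pairing requests carrying a KDC, an access token and the peer identifiers; the initiating PIN element hashes the token with the target identifier; the target accepts only a sender named in its own pairing request, recomputes the value and compares it in constant time. Assumptions not in the text: HMAC-SHA256 as the hash function, randomly generated KDC and token, the target's identifier as the identifier hashed on both sides, and all class, field and message names.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class PairingRequest:
    """Protected pairing request content ([0160]); the encoding is this example's."""
    kdc: bytes          # direct communication key (KDC); its derivation is not modelled
    access_token: bytes
    target_ids: tuple   # identifiers of the PIN elements this element may pair with

def auth_value(access_token: bytes, pin_element_id: str) -> bytes:
    # "hash function, the access token, and the PIN element identifier" ([0161]):
    # HMAC-SHA256 keyed with the token is this example's instantiation (assumption).
    return hmac.new(access_token, pin_element_id.encode(), hashlib.sha256).digest()

class Pegc:
    """First network device (PEGC): derives KDC and access token, issues pairing requests."""
    def pair(self, ids):
        kdc, token = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed values
        return {i: PairingRequest(kdc, token, tuple(t for t in ids if t != i)) for i in ids}

class PinElement:
    def __init__(self, pin_id: str):
        self.pin_id, self.pairing, self.paired = pin_id, None, set()

    def receive_pairing_request(self, req: PairingRequest):
        self.pairing = req

    def build_auth_request(self, target_id: str) -> dict:
        # [0162]: value over the access token and the *target* identifier
        if self.pairing is None or target_id not in self.pairing.target_ids:
            raise ValueError(f"no pairing request covers {target_id}")
        return {"from": self.pin_id, "auth": auth_value(self.pairing.access_token, target_id)}

    def verify_auth_request(self, msg: dict) -> bool:
        # [0163]/[0164]: accept only a sender named in our own pairing request, recompute
        # the value over the identifier the initiator hashed (ours) and compare in constant time
        if self.pairing is None or msg["from"] not in self.pairing.target_ids:
            return False
        ok = hmac.compare_digest(auth_value(self.pairing.access_token, self.pin_id), msg["auth"])
        if ok:
            self.paired.add(msg["from"])
        return ok

def demo():
    """Two elements of one PIN pair; a value made with another PIN's token is rejected."""
    pegc = Pegc()
    a, b, c = PinElement("pin-a"), PinElement("pin-b"), PinElement("pin-c")
    reqs = pegc.pair(["pin-a", "pin-b"])
    a.receive_pairing_request(reqs["pin-a"])
    b.receive_pairing_request(reqs["pin-b"])
    c.receive_pairing_request(pegc.pair(["pin-c", "pin-d"])["pin-c"])  # another PIN, another token
    ok = b.verify_auth_request(a.build_auth_request("pin-b"))
    # negative checks: a wrong access token, and a sender absent from b's pairing request
    wrong_token = b.verify_auth_request({"from": "pin-a", "auth": auth_value(c.pairing.access_token, "pin-b")})
    unlisted = b.verify_auth_request({"from": "pin-c", "auth": auth_value(reqs["pin-b"].access_token, "pin-b")})
    return ok, wrong_token, unlisted, sorted(b.paired)
```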
[0173] In one embodiment, an apparatus comprises a second network device. The apparatus further comprises: a transceiver; and a processor coupled to the transceiver, wherein: the transceiver receives a first request message to establish a NAS registration request, wherein the first request message comprises a list of locally registered PIN element identifiers with 3GPP credentials; and the transceiver transmits, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers with 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0174] In certain embodiments, the processor derives a security key (KPIN).
[0175] In some embodiments, the transceiver transmits the KPIN.
[0176] In various embodiments, the second network device comprises an AMF.
[0177] In one embodiment, a method of a second network device comprises: receiving a first request message to establish a NAS registration request, wherein the first request message comprises a list of locally registered PIN element identifiers with 3GPP credentials; and transmitting, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers with 3GPP credentials that further comprises a respective list of S-NSSAI and a binding policy for operator managed PIN elements.
[0178] In certain embodiments, the method further comprises deriving a security key (KPIN).
[0179] In some embodiments, the method further comprises transmitting the KPIN.
[0180] In various embodiments, the second network device comprises an AMF.
[0181] Embodiments may be practiced in other specific forms. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims

1. An apparatus comprising: a processor; and a memory coupled to the processor, the memory comprising instructions executable by the processor to cause the apparatus to: perform a local authentication and registration of personal internet of things network (PIN) elements with preconfigured credentials; generate a first request message to establish a non-access stratum (NAS) registration request with a first access and mobility management function (AMF), wherein the first request message comprises a list of locally registered PIN element identifiers without third generation partnership program (3GPP) credentials; and receive, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers without 3GPP credentials that further comprises a respective list of single network slice selection assistance information (S-NSSAI) and a binding policy for operator managed PIN elements.
2. The apparatus of claim 1, wherein the instructions are further executable by the processor to cause the apparatus to receive a second request message from a local PIN element with 3GPP credentials.
3. The apparatus of claim 2, wherein the instructions are further executable by the processor to cause the apparatus to send a third request message comprising a NAS registration request message for a second AMF, wherein the third request message comprises the second request message from the local PIN element with 3GPP credentials.
4. The apparatus of claim 3, wherein the instructions are further executable by the processor to cause the apparatus to receive a security key (KPIN) from the second AMF.
5. The apparatus of claim 4, wherein the instructions are further executable by the processor to cause the apparatus to store the KPIN.
6. The apparatus of claim 5, wherein the instructions are further executable by the processor to cause the apparatus to bind the KPIN with the local PIN element with 3GPP credentials.
7. The apparatus of claim 6, wherein the instructions are further executable by the processor to cause the apparatus to set up a secure layer 2 connection with the local PIN element with 3GPP credentials.
8. An apparatus comprising: a processor; and a memory coupled to the processor, the memory comprising instructions executable by the processor to cause the apparatus to: perform a local authentication and registration of a personal internet of things network (PIN) element with preconfigured credentials; receive information for setting up a secure layer 2 connection with a first network device; and set up the secure layer 2 connection.
9. The apparatus of claim 8, wherein the instructions are further executable by the processor to cause the apparatus to receive a pairing request message from the first network device, the pairing request message comprises a direct communication key (KDC), an access token, at least one target PIN element identifier associated with at least one fourth network device, or some combination thereof.
10. The apparatus of claim 9, wherein the instructions are further executable by the processor to cause the apparatus to compute an authentication value using a hash function, the access token, and the at least one target PIN element identifier.
11. The apparatus of claim 8, wherein the instructions are further executable by the processor to cause the apparatus to set up the secure layer 2 connection by deriving a security key (KPIN).
12. An apparatus comprising: a processor; and a memory coupled to the processor, the memory comprising instructions executable by the processor to cause the apparatus to: receive a first request message to establish a non-access stratum (NAS) registration request, wherein the first request message comprises a list of locally registered personal internet of things network (PIN) element identifiers with third generation partnership program (3GPP) credentials; and transmit, in response to the first request message, a NAS registration accept message comprising the list of locally registered PIN element identifiers with 3GPP credentials that further comprises a respective list of single network slice selection assistance information (S-NSSAI) and a binding policy for operator managed PIN elements.
13. The apparatus of claim 12, wherein the instructions are further executable by the processor to cause the apparatus to derive a security key (KPIN).
14. The apparatus of claim 13, wherein the instructions are further executable by the processor to cause the apparatus to transmit the KPIN.
15. The apparatus of claim 12, wherein the apparatus comprises an access and mobility management function (AMF).
PCT/IB2023/052540 2022-03-15 2023-03-15 Authentication and registration of personal internet of things network elements WO2023175541A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202263319879P 2022-03-15 2022-03-15
US63/319,879 2022-03-15

Publications (1)

Publication Number Publication Date
WO2023175541A1 true WO2023175541A1 (en) 2023-09-21

Family

ID=85795438

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2023/052540 WO2023175541A1 (en) 2022-03-15 2023-03-15 Authentication and registration of personal internet of things network elements

Country Status (1)

Country Link
WO (1) WO2023175541A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021199582A1 (en) * 2020-04-02 2021-10-07 日本電気株式会社 Wireless access network node device, ue, and method therefor

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Network Gateway (CNG) Architecture and Reference Points;STQ(10)0028_TISPAN_Draft_TS_185_003_v3.1.0_on_Customer_Network_Gateway_architecture_and_reference_points", ETSI DRAFT; STQ(10)0028_TISPAN_DRAFT_TS_185_003_V3.1.0_ON_CUSTOMER_NETWORK_GATEWAY_ARCHITECTURE_AND_REFERENCE_POINTS, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS ; FRANCE, vol. STQ, no. V3.1.0, 11 January 2010 (2010-01-11), pages 1 - 36, XP014101850 *
ERICSSON: "General cleanup of specification", vol. SA WG2, no. E (e-meeting) Elbonia ;20201116 - 20201120, 9 November 2020 (2020-11-09), XP051952485, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG2_Arch/TSGS2_142e_Electronic/Docs/S2-2008428.zip S2-2008428_23502-Mega-CR.docx> [retrieved on 20201109] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23714603

Country of ref document: EP

Kind code of ref document: A1