摘要:
Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services.
摘要:
A trusted computing environment, such as a smartcard, UICC, Java card, global platform, or the like may be used as a local host trust center and a proxy for a single-sign on (SSO) provider. This may be referred to as a local SSO provider (OP). This may be done, for example, to keep authentication traffic local and to prevent over the air communications, which may burden an operator network. To establish the OP proxy in the trusted environment, the trusted environment may bind to the SSO provider in a number of ways. For example, the SSO provider may interoperate with UICC-based UE authentication or GBA. In this way, user equipment may leverage the trusted environment in order to provide increased security and reduce over the air communications and authentication burden on the OP or operator network.
摘要:
A method and apparatus are disclosed for performing secure remote subscription management. Secure remote subscription management may include providing the Wireless Transmit/Receive Unit (WTRU) with a connectivity identifier, such as a Provisional Connectivity Identifier (PCID), which may be used to establish an initial network connection to an Initial Connectivity Operator (ICO) for initial secure remote registration, provisioning, and activation. A connection to the ICO may be used to remotely provision the WTRU with credentials associated with the Selected Home Operator (SHO). A credential, such as a cryptographic keyset, which may be included in the Trusted Physical Unit (TPU), may be allocated to the SHO and may be activated. The WTRU may establish a network connection to the SHO and may receive services using the remotely managed credentials. Secure remote subscription management may be repeated to associate the WTRU with another SHO.
摘要:
Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.
摘要:
Users desire useable security or a seamless means for accessing internet services whereby user interaction in the provisioning of credentials may be kept to a minimum or even eliminated entirely. The Single Sign-On (SSO) identity management (IdM) concept may be a means by which a user may be provided with such ease of use, while enabling user-assisted and network-assisted authentication for access to desired services. To enable seamless authentication services to users, a unified framework and a protocol layer interface for managing multiple authentication methods may be used.
摘要:
A Home Node B or Home evolved Node B (HN(e)B) apparatus and methods are disclosed. The HN(e)B includes a Trusted Environment (TrE) and interfaces including unprotected interfaces, cryptographically protected interfaces, and hardware protected interfaces. The H(e)NB includes security/authentication protocols for communication between the H(e)NB and external network elements, including a Security Gateway (SGW).
摘要:
Universal integrated circuit card (UICC) having a virtual subscriber identity module functionality is disclosed. A wireless transmit/receive unit (WTRU) comprises a mobile equipment (ME) configured to perform wireless communication and a UICC. The UICC is configured to perform security functionalities. The UICC supports multiple isolated domains including UICC issuer's domain. Each domain is owned by a separate owner so that each owner stores and executes an application on the UICC under a control of an UICC issuer and the UICC issuer's domain controls creation and deletion of other domains and defines and enforces security rules for authorizing third parties to have an access to the domains. The UICC is configured to verify integrity of operating system functions and applications stored on the UICC. The UICC is configured to control an access to information regarding applications according to security policies stored within the UICC.
摘要:
A method and apparatus for performing secure Machine-to-Machine (M2M) provisioning and communication is disclosed. In particular a temporary private identifier, or provisional connectivity identification (PCID), for uniquely identifying machine-to-machine equipment (M2ME) is also disclosed. Additionally, methods and apparatus for use in validating, authenticating and provisioning a M2ME is also disclosed. The validation procedures disclosed include an autonomous, semi-autonomous, and remote validation are disclosed. The provisioning procedures include methods for re-provisioning the M2ME. Procedures for updating software, and detecting tampering with the M2ME are also disclosed.
摘要:
A method and apparatus to establish a trustworthy local time based on trusted computing methods are described. The concepts are scaling because they may be graded by the frequency and accuracy with which a reliable external time source is available for correction and/or reset, and how trustworthy this external source is in a commercial scenario. The techniques also take into account that the number of different paths and number of hops between the device and the trusted external time source may vary. A local clock related value which is protected by a TPM securely bound to an external clock. A system of Accuracy Statements (AS) is added to introduce time references to the audit data provided by other maybe cheaper sources than the time source providing the initial time.
摘要:
A method and apparatus for performing secure Machine-to-Machine (M2M) provisioning and communication is disclosed. In particular a temporary private identifier, or provisional connectivity identification (PCID), for uniquely identifying machine-to-machine equipment (M2ME) is also disclosed. Additionally, methods and apparatus for use in validating, authenticating and provisioning a M2ME is also disclosed. The validation procedures disclosed include an autonomous, semi-autonomous, and remote validation are disclosed. The provisioning procedures include methods for re-provisioning the M2ME. Procedures for updating software, and detecting tampering with the M2ME are also disclosed.