Abstract:
A user of a mobile communications device may access services in a target domain using a source domain identity that is used to access services in a source domain. To enable such a use of the source domain identity in the target domain, the source domain identity may first be enrolled in the target domain. The enrollment may be facilitated by an enrollment entity at the target domain, such as a gateway or an OpenID server. The enrollment entity may establish a secure channel with the user's device for enabling enrollment of the source domain identity. Once enrolled, the source domain identity may be used for authentication of the user in the target domain. Enrollment of the source domain identity and/or authentication of the user based on the enrolled source domain identity may be implemented using a local OpenID provider (OP) residing on the user's device.
Abstract:
Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.
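The derivation this abstract describes, as an added example rather than the patent's own method: an application-layer key established on a source network is run through a key derivation function (HKDF per RFC 5869 here, standing in for the "reverse bootstrapping or other key derivation functions" of the abstract) to produce an access credential bound to the device and the target network, and the target network server authenticates the device with a challenge-response over that credential. The labels, identifiers, sample key and the assumption that the source network's application server performs the same derivation and hands only the derived key to the target network are all assumptions of this example.

```python
"""Deriving network-access credentials from application-layer credentials.

Added example, not code from the patent. Assumptions: HKDF-SHA256 as the KDF,
a fixed salt label, an info string that binds the derived key to the device,
the source network and the target network, and HMAC challenge-response as the
authentication step on the target network.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: bytes) -> bytes:
    """RFC 5869 expand step, producing `length` bytes of output keying material."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_access_key(app_layer_key: bytes, device_id: bytes,
                      source_net: bytes, target_net: bytes) -> bytes:
    """One-way derivation of a target-network credential from the application-layer key.

    Binding device and network identifiers into `info` means a key derived for one
    target network is useless on another, and the derivation cannot be reversed to
    recover the application-layer key if the derived key leaks.
    """
    salt = b"app-layer-to-access-handoff"          # assumption: fixed label as HKDF salt
    info = b"|".join([b"auth-cred", device_id, source_net, target_net])
    return hkdf_expand(hkdf_extract(salt, app_layer_key), info, 32)


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the derived key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def authenticate(server_key: bytes, challenge: bytes, device_response: bytes) -> bool:
    """Target-network server side: constant-time check of the device's response."""
    return hmac.compare_digest(challenge_response(server_key, challenge), device_response)


# Constructed sample values (not real credentials).
APP_KEY = bytes.fromhex("11" * 32)   # application-layer key from the source network
DEVICE_ID = b"imsi-001010123456789"
SOURCE_NET = b"network-A"
TARGET_NET = b"network-B"


def demo_handoff(challenge: bytes = bytes(range(16))):
    """Both sides derive the credential independently; only the response crosses the air."""
    device_key = derive_access_key(APP_KEY, DEVICE_ID, SOURCE_NET, TARGET_NET)
    # Assumption: network A's application server computes the same value and
    # passes this derived key, never APP_KEY itself, to network B's server.
    server_key = derive_access_key(APP_KEY, DEVICE_ID, SOURCE_NET, TARGET_NET)
    other_net_key = derive_access_key(APP_KEY, DEVICE_ID, SOURCE_NET, b"network-C")
    resp = challenge_response(device_key, challenge)
    return {
        "keys_match": device_key == server_key,
        "accepted_on_B": authenticate(server_key, challenge, resp),
        "accepted_on_C": authenticate(other_net_key, challenge, resp),
        "key_len": len(device_key),
    }


if __name__ == "__main__":
    print(demo_handoff())
```

The point of the `info` binding is the handoff case the abstract targets: if the device later hands off to a third network, a fresh derivation with a different `target_net` yields an unrelated key, so a credential captured on one network grants nothing on another, and neither network ever holds the application-layer key of the other.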
Abstract:
A trusted computing environment, such as a smartcard, UICC, Java card, GlobalPlatform, or the like may be used as a local host trust center and a proxy for a single sign-on (SSO) provider. This may be referred to as a local SSO provider (OP). This may be done, for example, to keep authentication traffic local and to prevent over-the-air communications, which may burden an operator network. To establish the OP proxy in the trusted environment, the trusted environment may bind to the SSO provider in a number of ways. For example, the SSO provider may interoperate with UICC-based UE authentication or GBA. In this way, user equipment may leverage the trusted environment in order to provide increased security and reduce over-the-air communications and the authentication burden on the OP or operator network.
Abstract:
Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may also establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is the intended service provider for accessing services.
Abstract:
A trustworthiness of a sender and/or a sending device of a network communication may be assessed prior to enabling a connection between the sending device and a receiving device. A scorecard associated with the sender may be used to assess the trustworthiness of the sender and/or the sending device. The scorecard may include information, such as a claim, a category of claim types, a score, and/or an attribute/state field, that is used to indicate the trustworthiness associated with the sender and/or the sending device. The trustworthiness of the sender may also be assessed based on a verification of the information in the scorecard. The information in the scorecard may be verified by a network entity, and an indication may be added to the scorecard indicating that the information in the scorecard has been verified.
Abstract:
Systems, methods, and apparatus are provided for generating verification data that may be used for validation of a wireless transmit-receive unit (WTRU). The verification data may be generated using a tree structure having protected registers, represented as root nodes, and component measurements, represented as leaf nodes. The verification data may be used to validate the WTRU. The validation may be performed using split-validation, a form of validation that distributes validation tasks between two or more network entities. Subtree certification is also described, wherein a subtree of the tree structure may be certified by a third party.
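A worked illustration of the tree-formed verification data, subtree certification and split validation described above. This is an added example, not the patent's own code: it builds a SHA-256 hash tree over constructed component measurements, stores the tree root in a PCR-style protected register (seeded with zeros and extended with the root), lets a third party certify the baseband subtree root, and has the validator accept that subtree on the strength of the certificate while checking the application subtree leaf by leaf against reference values. The component names, the register model, the 0x00/0x01 leaf/node domain separation and the HMAC standing in for the certifier's signature are all assumptions of this example.

```python
"""Tree-formed verification data with subtree certification and split validation.

Added example, not code from the patent. Assumptions: SHA-256 hash tree with
domain-separated leaf/interior hashing, a 32-byte protected register seeded with
zeros and extended TPM-style with the tree root, power-of-two subtree widths,
and an HMAC under a certifier key standing in for a third-party signature.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

ZERO_REG = bytes(32)
CERT_KEY = b"baseband-vendor-certifier-key"   # assumption: HMAC key in place of a signing key


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(measurement: bytes) -> bytes:
    """Leaf node: hash of one component measurement, prefixed to separate it from interior nodes."""
    return H(b"\x00" + measurement)


def node(left: bytes, right: bytes) -> bytes:
    """Interior node: hash of its two children."""
    return H(b"\x01" + left + right)


def subtree_root(measurements: List[bytes]) -> bytes:
    """Root of a complete binary hash tree over the given leaf measurements."""
    n = len(measurements)
    if n == 0 or n & (n - 1):
        raise ValueError("subtree width must be a power of two")
    level = [leaf(m) for m in measurements]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def extend(register: bytes, value: bytes) -> bytes:
    """PCR-style extend: the register only ever moves forward through the hash."""
    return H(register + value)


# Constructed sample measurements: in practice these would be digests of the components.
BASEBAND = [b"bootloader v2", b"modem fw 7.1", b"rf driver 3.0", b"ims stack 1.4"]
APPS = [b"os kernel 5.10", b"openid client 2.2", b"browser 98", b"banking app 4.1"]


def device_report(baseband: List[bytes], apps: List[bytes]) -> Dict[str, bytes]:
    """What the WTRU produces: the two subtree roots, the tree root, and the register value."""
    bb_root = subtree_root(baseband)
    app_root = subtree_root(apps)
    root = node(bb_root, app_root)
    return {"bb_root": bb_root, "app_root": app_root, "root": root,
            "register": extend(ZERO_REG, root)}


def certify_subtree(root: bytes) -> bytes:
    """Third party (e.g. the baseband vendor) certifies a subtree root it has validated."""
    return hmac.new(CERT_KEY, b"subtree-cert|" + root, hashlib.sha256).digest()


def validate_split(register: bytes, bb_root: bytes, bb_cert: bytes,
                   app_measurements: List[bytes], app_reference: List[bytes]) -> Tuple[bool, str]:
    """Validator side of split validation.

    The baseband subtree is accepted on the certificate alone, so its individual
    measurements never need to reach this validator; only the application subtree
    is checked leaf by leaf, and the register must match the reconstructed root.
    """
    if not hmac.compare_digest(certify_subtree(bb_root), bb_cert):
        return False, "baseband subtree certificate invalid"
    if len(app_measurements) != len(app_reference):
        return False, "application subtree has unexpected width"
    bad = [m for m, ref in zip(app_measurements, app_reference) if m != ref]
    if bad:
        return False, "application component mismatch: %r" % bad
    root = node(bb_root, subtree_root(app_measurements))
    if not hmac.compare_digest(extend(ZERO_REG, root), register):
        return False, "register does not match reconstructed tree root"
    return True, "ok"


if __name__ == "__main__":
    rep = device_report(BASEBAND, APPS)
    cert = certify_subtree(rep["bb_root"])
    print(validate_split(rep["register"], rep["bb_root"], cert, APPS, APPS))
```

The failure mode worth noting is the third check: a device that has loaded a modified application but reports the honest measurement list will still fail, because its register was extended with the root of the tree it actually booted, and that root does not reproduce from the claimed leaves.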
Abstract:
Systems, methods, and instrumentalities are disclosed that may provide for integration of trusted OpenID (TOpenID) with OpenID. The authentication may be accomplished, in part, via communications between a trusted ticket server on a UE and a network application function. The UE may retrieve platform validation data (e.g., from a trusted platform module on the UE). The UE may receive a platform verification in response to the platform validation data. The platform verification may indicate that the network application function has verified the platform validation data and the user. The platform verification may indicate that the platform validation data matches a previously generated reference value.
Abstract:
Methods and apparatus are disclosed to provide protection against Unsolicited Communication (UC) in a network, such as, without limitation, an Internet Protocol (IP) Multimedia Subsystem (IMS). A communication may originate from a sending device (210) and may be intended for delivery to a receiving device (250). A network may determine authentication information associated with the sending device. The network may send the authentication information to a receiving entity to evaluate if the communication is unsolicited using the authentication information. If the communication is determined to be acceptable, a connection associated with the communication may be allowed.
Abstract:
Users desire usable security or a seamless means for accessing internet services whereby user interaction in the provisioning of credentials may be kept to a minimum or even eliminated entirely. The Single Sign-On identity management concept enables user-assisted and network-assisted authentication for access to desired services. To enable seamless authentication services to users, a unified framework and a protocol layer interface for managing multiple authentication methods may be used. A user equipment, UE, comprises a user application (202, 204) configured to communicate with a service provider to access a service and a plurality of network-assisted authentication modules (208 - 216), each network-assisted authentication module corresponding to a different network-assisted authentication protocol. The UE further comprises a single sign-on subsystem (206) configured to authenticate a user of the UE based on user-assisted authentication information at the UE and/or network and to select one of the network-assisted authentication modules based on one or more policies.