Abstract: Wireless telecommunications networks may implement various forms of authentication. There are a variety of different user and device authentication protocols that follow a similar network architecture, involving various network entities such as a user equipment (UE), a service provider (SP), and an authentication endpoint (AEP). To select an acceptable authentication protocol or credential for authenticating a user or UE, authentication protocol negotiations may take place between various network entities. For example, negotiations may take place in networks implementing a single-sign on (SSO) architecture and/or networks implementing a Generic Bootstrapping Architecture (GBA).

Abstract: Users desire useable security or a seamless means for accessing internet services whereby user interaction in the provisioning of credentials may be kept to a minimum or even eliminated entirely. The Single Sign-On (SSO) identity management (IdM) concept may be a means by which a user may be provided with such ease of use, while enabling user-assisted and network-assisted authentication for access to desired services. To enable seamless authentication services to users, a unified framework and a protocol layer interface for managing multiple authentication methods may be used.

Abstract: Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services.

Abstract: Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.

Abstract: A wireless communications device may be configured to perform integrity checking and interrogation with a network entity to isolate a portion of a failed component on the wireless network device for remediation. Once an integrity failure is determined on a component of the device, the device may identify a functionality associated with the component and indicate the failed functionality to the network entity. Both the wireless network device and the network entity may identify the failed functionality and/or failed component using a component-to-functionality map. After receiving an indication of an integrity failure at the device, the network entity may determine that one or more additional iterations of integrity checking may be performed at the device to narrow the scope of the integrity failure on the failed component. Once the integrity failure is isolated, the network entity may remediate a portion of the failed component on the wireless communications device.

Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.

Abstract: A trusted computing environment, such as a smartcard, UICC, Java card, global platform, or the like may be used as a local host trust center and a proxy for a single-sign on (SSO) provider. This may be referred to as a local SSO provider (OP). This may be done, for example, to keep authentication traffic local and to prevent over the air communications, which may burden an operator network. To establish the OP proxy in the trusted environment, the trusted environment may bind to the SSO provider in a number of ways. For example, the SSO provider may interoperate with UICC-based UE authentication or GBA. In this way, user equipment may leverage the trusted environment in order to provide increased security and reduce over the air communications and authentication burden on the OP or operator network.

Abstract: Systems, methods, and instrumentalities are disclosed that provide for a gateway outside of a network domain to provide services to a plurality of devices. For example, the gateway may act as a management entity or as a proxy for the network domain. As a management entity, the gateway may perform a security function relating to each of the plurality of devices. The gateway may perform the security function without the network domain participating or having knowledge of the particular devices. As a proxy for the network, the gateway may receive a command from the network domain to perform a security function relating to each of a plurality of devices. The network may know the identity of each of the plurality of devices. The gateway may perform the security function for each of the plurality of devices and aggregate related information before sending the information to the network domain.

Abstract: Systems, methods, and instrumentalities are disclosed that may provide for integration of trusted OpenID (TOpenID) with OpenID. The authentication may be accomplished, in part, via communications between a trusted ticket server on a UE and a network application function. The UE may retrieve platform validation data (e.g., from a trusted platform module on the UE). The UE may receive a platform verification in response to the platform validation data. The platform verification may indicate that the network application function has verified the platform validation data and the user. The platform verification may indicate that the platform validation data matches a previously generated reference value.

Abstract: Methods and apparatus are disclosed to provide protection against Unsolicited Communication (UC) in a network, such as, without limitation, an Internet Protocol (IP) Multimedia Subsystem (IMS). A communication may originate from a sending device and may be intended for delivery to a receiving device. A network may determine authentication information associated with the sending device. The network may send the authentication information to a receiving entity to evaluate if the communication is unsolicited using the authentication information. If the communication is determined to be acceptable, a connection associated with the communication may be allowed.

Abstract: A device may include a trusted component. The trusted component may be verified by a trusted third party and may have a certificate of verification stored therein based on the verification by the trusted third party. The trusted component may include a root of trust that may provide secure code and data storage and secure application execution. The root of trust may also be configured to verify an integrity of the trusted component via a secure boot and to prevent access to the certain information in the device if the integrity of the trusted component may not be verified.

Abstract: A method and apparatus for trusted authentication and logon is disclosed. A trusted platform module (TPM) based logon method is presented for authentication and access. A user registers an identity with an identity provider that is tightly bound to the user's specific platform, e.g., the TPM. If the user decides to login, for example to a service provider using this identity, the identity provider challenges the user to provide the correct credentials. The credentials consist of a TPM generated ticket, that is, a credential chain. This allows the user to login without the need for a password at the identity provider.

Abstract: An apparatus and method for providing home evolved node-B (H(e)NB) integrity verification and validation using autonomous validation and semi-autonomous validation is disclosed herein.

Abstract: A method and apparatus are disclosed for performing secure remote subscription management. Secure remote subscription management may include providing the Wireless Transmit/Receive Unit (WTRU) with a connectivity identifier, such as a Provisional Connectivity Identifier (PCID), which may be used to establish an initial network connection to an Initial Connectivity Operator (ICO) for initial secure remote registration, provisioning, and activation. A connection to the ICO may be used to remotely provision the WTRU with credentials associated with the Selected Home Operator (SHO). A credential, such as a cryptographic keyset, which may be included in the Trusted Physical Unit (TPU), may be allocated to the SHO and may be activated. The WTRU may establish a network connection to the SHO and may receive services using the remotely managed credentials. Secure remote subscription management may be repeated to associate the WTRU with another SHO.

Abstract: Methods, components and apparatus for implementing platform validation and management (PVM) are disclosed. PVM provides the functionality and operations of a platform validation entity with remote management of devices by device management components and systems such as a home node-B management system or component. Example PVM operations bring devices into a secure target state before allowing connectivity and access to a core network.