Abstract: The present invention discloses several methods to strengthen the integrity of entities, messages, and processing related to content distribution as defined by the Open Mobile Alliance (OMA) Digital Rights Management (DRM). The methods use techniques related to the Trusted Computing Group (TCG) specifications. A first embodiment uses TCG techniques to verify platform and DRM software integrity or trustworthiness, both with and without modifications to the DRM rights object acquisition protocol (ROAP) and DRM content format specifications. A second embodiment uses TCG techniques to strengthen the integrity of ROAP messages, constituent information, and processing without changing the existing ROAP protocol. A third embodiment uses TCG techniques to strengthen the integrity of the ROAP messages, information, and processing with some changes to the existing ROAP protocol.

Abstract: A method and apparatus for generating physical layer security keys is provided. Channel impulse response (CIR) measurements are recorded. Each CIR measurement is associated with a time-stamp. Where possible, the time-stamps are paired with time-stamps that are associated with another plurality of CIR measurements. The CIR data associated with the paired time-stamps is aggregated. Each of the aggregated CIR measurements is aligned, and at least one CIR measurement is selected for use in secret key generation.

Abstract: Systems, methods, and apparatus are provided for generating verification data that may be used for validation of a wireless transmit-receive unit (WTRU). The verification data may be generated using a tree structure having protected registers, represented as root nodes, and component measurements, represented as leaf nodes. The verification data may be used to validate the WTRU. The validation may be performed using split-validation, which is a form of validation described that distributes validation tasks between two or more network entities. Subtree certification is also described, wherein a subtree of the tree structure may be certified by a third party.

Abstract: Methods and instrumentalities are disclosed that enable one or more domains on one or more devices to be owned or controlled by one or more different local or remote owners, while providing a level of system-wide management of those domains. Each domain may have a different owner, and each owner may specify policies for operation of its domain and for operation of its domain in relation to the platform on which the domain resides, and other domains. A system-wide domain manager may be resident on one of the domains. The system-wide domain manager may enforce the policies of the domain on which it is resident, and it may coordinate the enforcement of the other domains by their respective policies in relation to the domain in which the system-wide domain manager resides. Additionally, the system-wide domain manager may coordinate interaction among the other domains in accordance with their respective policies. A domain application may be resident on one of the domains.

Abstract: Methods and instrumentalities are disclosed that enable one or more domains on one or more devices to be owned or controlled by one or more different local or remote owners, while providing a level of system-wide management of those domains. Each domain may have a different owner, and each owner may specify policies for operation of its domain and for operation of its domain in relation to the platform on which the domain resides, and other domains. A system-wide domain manager may be resident on one of the domains. The system-wide domain manager may enforce the policies of the domain on which it is resident, and it may coordinate the enforcement of the other domains by their respective policies in relation to the domain in which the system-wide domain manager resides. Additionally, the system-wide domain manager may coordinate interaction among the other domains in accordance with their respective policies. A domain application may be resident on one of the domains.

Abstract: In a machine-to-machine/Internet-of-things environment, end-to-end authentication of devices separated by multiple hops is achieved via direct or delegated/intermediated negotiations using pre-provisioned hop-by-hop credentials, uniquely generated hop-by-hop credentials, and-or public key certificates, whereby remote resources and services may be discovered via single-hop communications, and then secure communications with the remote resources may be established using secure protocols appropriate to the resources and services and capabilities of end devices, and communication thereafter conducted directly without the overhead or risks engendered hop-by-hop translation.

Abstract: The present invention is related to a wireless transmit/receive unit (WTRU) for providing advanced security functions. The WTRU includes trusted platform module (TPM) for performing trusted computing operations; and a secure time component (STC) for providing a secure measurement of a current time. The STC and the TPM are integrated to provide accurate trusted time information to internal and external to the WTRU. The STC may be located on an expanded a subscriber identity module (SIM), on the WTRU platform, or two STCs may be used, one in each location. Similarly, the TPM may be located on an expanded SIM, on the WTRU platform, or two TPMs may be used, one in each location. Preferably, the STC will include a real time clock (RTC); a tamper detection and power failure unit; and a time report and sync controller.

Abstract: An abstract and method for providing home evolved node-B (H(e)NB) integrity verification and validation using autonomous validation and semi-autonomous validation is disclosed herein.

Abstract: A method and apparatus to establish a trustworthy local time based on trusted computing methods are described. The concepts are scaling because they may be graded by the frequency and accuracy with which a reliable external time source is available for correction and/or reset, and how trustworthy this external source is in a commercial scenario. The techniques also take into account that the number of different paths and number of hops between the device and the trusted external time source may vary. A local clock related value which is protected by a TPM securely bound to an external clock. A system of Accuracy Statements (AS) is added to introduce time references to the audit data provided by other maybe cheaper sources than the time source providing the initial time.

Abstract: Systems, methods, and apparatus are provided for generating verification data that may be used for validation of a wireless transmit-receive unit (WTRU). The verification data may be generated using a tree structure having protected registers, represented as root nodes, and component measurements, represented as leaf nodes. The verification data may be used to validate the WTRU. The validation may be performed using split-validation, which is a form of validation described that distributes validation tasks between two or more network entities. Subtree certification is also described, wherein a subtree of the tree structure may be certified by a third party.

Abstract: One or more wireless communications device may include one or more domains that may be owned or controlled by one or more different owners. One of the domains may include a security domain having ultimate control over the enforcement of security policies on the one or more wireless communications devices. Another one of the domains may include a system-wide domain manager that is subsidiary to the security domain and may enforce the policies of one or more subsidiary domains. The system-wide domain manager may enforce its policies based on a privilege level received from the security domain. The privilege level may be based on the level of trust between an external stakeholder, such as an owner of a domain that is subsidiary to the system-wide domain manager, and the security domain.

Abstract: WTRUs, ARSs, APs, WLG/AAA proxies, networks, and methods thereon are disclosed for fast security setup on a multi-RAT WTRU. Methods of sharing security associations between RATs on a multi-RAT WTRU are disclosed. Methods of caching security associations are disclosed. Methods are disclosed for alerting an ANDSF server of an AP that should be considered for association. Enhancements to advertisements from an AP are disclosed where the advertisements may include SSID with a FQDN, a HESSID type information, or TAI type information. Methods of resolving AP identities to a reachable address are disclosed. An address resolution protocol is disclosed for resolving AP identities. ARSs are disclosed that may resolve a BSSID to a network routable address. Protocols for carrying AP identities and security parameters are disclosed. Methods are disclosed of using ANDSF to provide the WTRU with security information and parameters of an AP. An RSN may indicate security capabilities.

Abstract: As users gain access to different services, the grade of the services may vary, for example, from low value services to high value services. A low value may indicate that a low strength of authentication is required, while a high value may indicate that a high strength of authentication is required to access the service. There is disclosed a method for authenticating a device comprising the determination (204) of an authentication requirement to access a first service that is provided by a service provider, SP, the discovery (208) of one or more authentication factors, associated with the device or the user, that are available for the authentication, the determination (210) whether at least one of the discovered authentication factors are sufficient to achieve the authentication requirement and, if so, the performance (212-228) of corresponding authentication procedures.

Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.

Abstract: Systems, methods and apparatus embodiments are described herein for leveraging security associations to enhance security of proximity services. Existing security associations are leveraged to create security associations that are used by proximity services. For example, existing keys may be leveraged to derive new keys that may be used to secure peer-to-peer communications.

Abstract: A method and apparatus for cooperation in wireless communications. Cooperation is considered among a number of network elements, including at least one wireless transmit-receive unit, at least one relay station, and at least one base station.

Abstract: A method and apparatus for performing secure Machine-to-Machine (M2M) provisioning and communication is disclosed. In particular a temporary private identifier, or provisional connectivity identification (PCID), for uniquely identifying machine-to-machine equipment (M2ME) is also disclosed. Additionally, methods and apparatus for use in validating, authenticating and provisioning a M2ME is also disclosed. The validation procedures disclosed include an autonomous, semi-autonomous, and remote validation are disclosed. The provisioning procedures include methods for re-provisioning the M2ME. Procedures for updating software, and detecting tampering with the M2ME are also disclosed.

Abstract: An occupancy detector provides for an automated means of detecting the location of an occupant. Methods to determine with a high degree of certainty if a user is at (or occupying) a specific physical location or region are provided, using a wide variety of radio signaling technologies readily available on a wide scale due to the prevalence of wireless radio communications systems. The occupancy detector may be used to deliver a variety of services from targeted advertising in a supermarket to home automation systems. An example of a system for controlling the climate in a dwelling comprising multiple zones representing small areas such as for example rooms is described using the occupancy detection algorithms.

Abstract: An apparatus and method for providing home evolved node-B (H(e)NB) integrity verification and validation using autonomous validation and semi-autonomous validation is disclosed herein.

Abstract: WTRUs, ARSs, APs, WLG/AAA proxies, networks, and methods thereon are disclosed for fast security setup on a multi-RAT WTRU. Methods of sharing security associations between RATs on a multi-RAT WTRU are disclosed. Methods of caching security associations are disclosed. Methods are disclosed for alerting an ANDSF server of an AP that should be considered for association. Enhancements to advertisements from an AP are disclosed where the advertisements may include SSID with a FQDN, a HESSID type information, or TAI type information. Methods of resolving AP identities to a reachable address are disclosed. An address resolution protocol is disclosed for resolving AP identities. ARSs are disclosed that may resolve a BSSID to a network routable address. Protocols for carrying AP identities and security parameters are disclosed. Methods are disclosed of using ANDSF to provide the WTRU with security information and parameters of an AP. An RSN may indicate security capabilities.