Wireless communication method, secure data processing method, aiot device identifier, and related devices
Patent Information
- Authority / Receiving Office
- EP · EP
- Patent Type
- Applications
- Current Assignee / Owner
- GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP LTD
- Filing Date
- 2023-08-16
- Publication Date
- 2026-06-24
Smart Images

Figure CN2023113392_20022025_PF_FP_ABST
Abstract
Description
WIRELESS COMMUNICATION METHOD, SECURE DATA PROCESSING METHOD, AIOT DEVICE IDENTIFIER, AND RELATED DEVICESTECHNICAL FIELD
[0001] The present application relates to wireless communication, and more particularly, to a wireless communication method, secure data processing method, an Ambient Internet of Things (IoT) device identifier, and related devices.BACKGROUND ART
[0002] Communication systems and networks have developed towards being a broadband and mobile system. In cellular wireless communication systems developed by the Third Generation Partnership Project (3GPP) , user equipment (UE) is connected by a wireless link to a radio access network (RAN) . The RAN includes a set of base stations (BSs) which provide wireless links to the UEs located in cells covered by the base station, and an interface to a core network (CN) which provides overall network control. As will be appreciated, the RAN and CN each conduct respective functions in relation to the overall network. The 3GPP has developed the so-called Long Term Evolution (LTE) system, namely, an Evolved Universal Mobile Telecommunication System Territorial Radio Access Network (E-UTRAN) , for a mobile access network where one or more macro-cells are supported by a base station known as an eNodeB or eNB (evolved NodeB) . Evolved from LTE, the so-called 5G or New radio (NR) systems where one or more cells are supported by a base station known as a gNB.
[0003] The 5G NR standard supports a multitude of different services each with very different requirements. These services include Enhanced Mobile Broadband (eMBB) for high data rate transmission, Ultra-Reliable Low Latency Communication (URLLC) for devices requiring low latency and high link reliability and Massive Machine-Type Communication (mMTC) to support a large number of low-power devices for a long life-time requiring highly energy efficient communication.
[0004] The Internet of Things (IoT) has fostered a global connectivity revolution, connecting billions of devices to the Internet. Cellular IoT technologies, such as LTE-M and NB-IoT, have been instrumental in enabling various industries to address their most pressing challenges. However, the use of battery powered IoT devices can present numerous practical limitations. These include deployment in remote or hard-to-reach locations where frequent battery servicing would be logistically difficult or expensive, and large-scale IoT implementations where managing battery replacements would be unfeasible. Similarly, scenarios where devices are embedded in structures, machinery, or even within the human body can make battery replacements unduly complicated or hazardous. Long-term deployments that necessitate years of operation without human intervention also present difficulties for battery-powered devices. Furthermore, in certain environments or sectors, safety-related regulatory constraints may restrict the usage of batteries. Of significant concern as well is the environmental impact of manufacturing, replacing, and disposing of batteries on a large scale. By 2025, it is estimated that 78 million batteries will be discarded worldwide daily. To tackle these challenges, advancements in IoT technology have incorporated ambient energy harvesting, a method that sources power from the environment, circumventing the need for batteries.
[0005] Ambient-powered IoT (AIoT) technology's advent promises to unlock new services and use cases where changing batteries isn't feasible. These include personalized healthcare, intelligent transportation, hazardous location industrial applications, smart logistics, smart warehousing, smart homes, and smart cities. AIoT services are characterized by supporting widespread deployment of low-cost, ultra-low complexity devices with limited functions that require only minor and infrequent data transfers and eschew the need for batteries.
[0006] For example, 5G AIoT services are cellular IoT communication systems in which AIoT devices use harvested energy to generate RF signals for bi-directional information transmission over a 5G system. The 5G AIoT system is designed to meet the needs of Ambient IoT devices, which may be outfitted with or without energy storage capabilities, as defined in the 3GPP Specification TR 22.840.
[0007] Meanwhile, the 3GPP RAN Plenary approved the Rel-18 study item on Ambient IoT. Several aspects, including deployment scenarios, use cases, services relevant to RAN work groups, are captured in TR 38.848. Four connectivity topologies for Ambient IoT networks and devices are defined, where an Ambient IoT device may receive a carrier waveform from other node (s) either within or outside the topology. The working assumption in the study also postulates that the Type A Device has a complexity comparable to UHF RFID ISO18000-6C (EPC C1G2) , and Type C Device with a higher complexity target, yet magnitudes lower than NB-IoT. However, the Type B Device should have a complexity somewhere between Type-ADevice and Type-C Device.
[0008] More recently, in the 3GPP Rel-19 workshop, 5G Ambient IoT was identified as a Rel-19 item moving to the study phase. The Ambient IoT device identification used in the 5G system will be a key issue to investigate.
[0009] Current 5G Identifiers enable various 5G entities and devices to be uniquely identified and interconnected. A fundamental identifier in the 5G network architecture is the International Mobile Subscriber Identity (IMSI) . The IMSI serves as a globally unique identifier for individual mobile subscribers and is used to authenticate and authorize access to the network. It allows the 5G system to associate specific services and policies with a particular subscriber, ensuring secure and personalized connectivity.
[0010] Another significant identifier in the 5G system is the International Mobile Equipment Identity (IMEI) . The IMEI is a unique identifier assigned to each mobile device, including smartphones, tablets, and IoT devices. By using the IMEI, the 5G system can track and manage devices, authenticate their legitimacy, and support features like device blacklisting and stolen device tracking. This helps prevent unauthorized access to the network and enhances overall security.
[0011] Furthermore, current 5G system employs a collection of other identifiers to facilitate efficient and secure communications, including:
[0012] 5G-GUTI (5G Globally Unique Temporary Identifier) : A temporary identifier assigned / re-assigned by Access and Mobility Management Function (AMF) to the UE. 3GPP has also specified a mapping between 5G-GUTI and 4G-GUTI, required by UE mobility between 4G and 5G networks.
[0013] GUAMI (Globally Unique AMF Identifier) : An identifier used in the 5G system to uniquely identify the AMF entities within the core network. It consists of a combination of a globally unique MCC (Mobile Country Code) and MNC (Mobile Network Code) pair along with an AMF region ID. The GUAMI is essential for routing and managing signaling between the RAN and the core network.
[0014] SUPI (Subscription Permanent Identifier) : Uniquely identifies a subscriber’s profile within the network, allowing for seamless service continuity and personalized connectivity across different access networks or devices. The SUPI is used during authentication, authorization, and subscriber-specific service provisioning.
[0015] SUCI (Subscription Concealed Identifier) : A temporary identifier used in the 5G system for authentication and authorization purposes. It is derived from the SUPI but is encrypted to protect the subscriber’s privacy. The SUCI allows for secure communication between the device and the network without revealing the actual SUPI, enhancing privacy and security.
[0016] 5G-TMSI (Temporary Mobile Subscriber Identity) : A temporary identifier assigned to a mobile device by the network to protect the device’s identity during normal operation. The 5G-S-TMSI is a shortened version of the 5G-GUTI, designed to enhance efficiency in radio signaling procedures such as Paging and Service Request. The 5G-S-TMSI includes the AMF Set ID, AMF Pointer, and 5G-TMSI.
[0017] In addition to these identifiers, the 5G system also incorporates various RAN identifiers such as Cell Global Identifier (CGI) , Tracking Area Identifier (TAI) , and Temporary Mobile Group Identity (TMGI) . These identifiers are used within the RAN to manage and track specific cells, coverage areas, and groups of devices, allowing for efficient radio resource allocation and mobility management in the 5G network.
[0018] In summary, an Ambient IoT device, also known as the ambient power-enabled Internet of Things device, is an IoT device powered by energy harvesting. It either has no battery or limited energy storage capability (e.g., using a capacitor) . It represents a new class of battery-less devices with limited energy storage capabilities that complement existing Cellular IoT services. They are characterized by low cost, high density with a massive volume of deployment, ultra-low complexity, and limited device capabilities requiring only small and infrequent data transfers.
[0019] To accommodate this new category of battery-less devices in the 5G system for example, it's essential to provide a unique identifier for 5G Ambient IoT devices to ensure their seamless operation within the 5G system. However, current 3GPP specifications have yet to define an identifier structure, format, usage, and operations for these types of devices. Therefore, there is an urgent need to provide a unique identifier for Ambient IoT devices.
[0020] In various scenarios, for instance, personal health, location tracking, and real-time information about key industrial applications might require additional protection of sensitive data stored on the AIoT devices. Traditionally, UICC (Universal Integrated Circuit Card) or USIM (Universal Subscriber Identity Module) are employed for securely storing keys on mobile equipment. However, for the Ambient IoT devices, utilizing the existing UICC or USIM-based security mechanisms from 5G presents challenges. Therefore, there is also a pressing need for such a unique identifier for Ambient IoT devices, or a new identification mechanism, that can effectively address data protection concerns, particularly when these devices lack a UICC, USIM application, or IMSI.SUMMARY
[0021] In a first aspect, an embodiment of the present application provides a wireless communication method, including: obtaining Electronic Product Code (EPC) Uniform Resource Identifier (URI) from an Ambient Internet of Things (IoT) device; and formulating Network Access Identifier (NAI) format for Subscription Permanent Identifier (SUPI) based on the obtained EPC URI.
[0022] In a second aspect, an embodiment of the present application provides a secure data processing method, including: receiving from an Ambient Internet of Things (IoT) tag user data encrypted with a public key associated with an AIoT service provider; and decrypting the encrypted user data by utilizing a private key associated with the AIoT service provider to obtain decrypted user data of the Ambient IoT tag.
[0023] In a third aspect, an embodiment of the present application provides a secure data processing method, including: exchanging a shared symmetric key with an Ambient Internet of Things (IoT) tag by utilizing public key cryptography; receiving from the Ambient IoT tag user data encrypted with the shared symmetric key; and decrypting the encrypted user data by utilizing the shared symmetric key to obtain decrypted user data of the Ambient IoT tag.
[0024] In a fourth aspect, an embodiment of the present application provides an Ambient Internet of Things (IoT) device, including a storage for storing Electronic Product Code (EPC) Uniform Resource Identifier (URI) .
[0025] In a fifth aspect, an embodiment of the present application provides an Ambien Internet of Things (IoT) device identifier, including Subscription Permanent Identifier (SUPI) with Network Access Identifier (NAI) format, wherein the NAI for SUPI includes a username part and a realm part, and the username part corresponds to Electronic Product Code (EPC) Uniform Resource Identifier (URI) of Ambien IoT device.
[0026] In a sixth aspect, an embodiment of the present application provides a communication device, including a memory and a processor, wherein the processor is configured to call and run the program instructions stored in a memory to execute the method of any of afore-described aspects.
[0027] In a seventh aspect, an embodiment of the present application provides a non-transitory computer readable storage medium, configured to store a computer program, which enables a computer to execute the method of any of afore-described aspects.
[0028] In an eighth aspect, an embodiment of the present application provides a computer readable storage medium provided for storing a computer program, which enables a computer to execute the method of any of afore-described aspects.
[0029] In a ninth aspect, an embodiment of the present application provides a computer program product, which includes computer program instructions enabling a computer to execute the method of any of afore-described aspects.
[0030] In a tenth aspect, an embodiment of the present application provides a computer program, when running on a computer, enabling the computer to execute the method of any of afore-described aspects.DESCRIPTION OF DRAWINGS
[0031] In order to more clearly illustrate the embodiments of the present application or related art, the following figures that will be described in the embodiments are briefly introduced. It is obvious that the drawings are merely some embodiments of the present application, a person having ordinary skill in this field can obtain other figures according to these figures without paying the premise.
[0032] Figure 1 is a block diagram illustrating a communication device and an AIoT device in a communication network system according to an embodiment of the present invention.
[0033] Figure 2 is a flowchart of a wireless communication method according to an embodiment of the present invention.
[0034] Figure 3 is a schematic diagram illustrating a 5G Ambient IoT system architecture according to some embodiments of the present invention.
[0035] Figure 4 is a schematic diagram illustrating SUCI format for Ambient IoT SUPI according to some embodiments of the present invention.
[0036] Figure 5 is a schematic diagram illustrating production of AIoT tags with digitally signed Pure Identity EPC URI according to some embodiments of the present invention.
[0037] Figure 6 is a flowchart of authentication using digital signature according to some embodiments of the present invention.
[0038] Figure 7 is a schematic diagram illustrating AIoT device with X. 509 certificate according to some embodiments of the present invention.
[0039] Figure 8 is a flowchart of enhanced data protection using public key according to some embodiments of the present invention.
[0040] Figure 9 is a schematic diagram illustrating system architecture for enhanced data protection with Symmetric key according to some embodiments of the present invention.
[0041] Figure 10 is a flowchart of enhanced data protection with symmetric key according to some embodiments of the present invention.DETAILED DESCRIPTION OF EMBODIMENTS
[0042] Embodiments of the disclosure are described in detail with the technical matters, structural features, achieved objects, and effects with reference to the accompanying drawings as follows. Specifically, the terminologies in the embodiments of the present application are merely for describing the purpose of the certain embodiment, but not to limit the disclosure.
[0043] In this document, a combination such as “at least one of A, B, or C, ” “one or more of A, B, or C, ” “at least one of A, B, and C, ” “one or more of A, B, and C, ” or “A, B, and / or C” may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, where any combination may contain one or more members of A, B, or C.
[0044] In this document, AIoT stands for Ambient IoT device, which is defined as follows: an ambient power-enabled Internet of Things device is an IoT device powered by energy harvesting, being either battery-less or with limited energy storage capability (e.g., using a capacitor) , and ASP stands for AIoT Service Provider, which is defined as follows: the party who provides AIoT service, device management, life cycle support, and / or data management services.
[0045] Ambient IoT devices have very limited device capabilities and functions. Based on the description in TR 38.848, Type A Ambient IoT Device has a complexity comparable to UHF RFID ISO18000-6C (EPC C1G2) , and Type C Device with a higher complexity target, yet orders-of-magnitude lower than NB-IoT. While Type B Device should have a complexity somewhere between Type-ADevice and Type-B Device.
[0046] Traditionally, USIM smart cards are employed for securely storing keys on mobile equipment, which is larger in size and less restricted in cost compared to Ambient IoT devices. Ambient IoT devices are targeted to cost between 3 cents and 3 dollars, a stark contrast to the approximate $1000 expense of mobile equipment. Given the size and cost constraints intrinsic to Ambient IoT devices, the integration of USIM smart cards is simply not feasible. These limitations necessitate alternative, more cost-effective and compact solutions for Ambient IoT device identification.
[0047] Electronic Product Code (EPC) has been used as a distinctive identifier for product tracking within the supply chain. The EPC code functions as a means to uniquely identify a specific product, encompassing relevant details regarding its manufacturer, product category, and associated attributes. EPC technology finds widespread implementation across various industries such as retail, logistics, and healthcare, primarily aimed at optimizing inventory management, minimizing waste, and enhancing supply chain visibility.
[0048] The GS1's EPC Tag Data Standard (TDS) represents a fundamental framework defining the Electronic Product Code and corresponding specifications pertaining to data carried on EPC-encoded RAIN RFID tags. This includes comprehensive details encompassing the EPC itself, User Memory data, control information, and tag manufacture information. Notably, TDS 2.0 introduces an extensive range of more than 30 coding schemes and 13 coding methods for the EPC code. Furthermore, TDS 2.0 extends support for increased EPC code lengths, accommodating the size of the EPC memory bank, reaching up to 496 bits, across various EPC schemes such as SGTIN+ and CPI+. Importantly, TDS 2.0 ensures seamless backward compatibility with prior versions, thereby preserving the validity of all EPC schemes established in earlier TDS iterations.
[0049] Nevertheless, it should be noted that EPC-coded devices presently do not possess the compatibility required for serving as a viable identifier within the realm of 5G systems for example. Consequently, current 5G systems do not offer support for EPC-coded devices in their operational framework.
[0050] In summary, Ambient IoT devices, with their limited device capabilities, require cost-effective and compact solutions for identification, as they cannot feasibly incorporate USIM smart cards used in larger, more expensive mobile equipment. These devices are expected to cost between 3 cents and 3 dollars, significantly less than the average cost of mobile equipment.
[0051] The Electronic Product Code (EPC) , traditionally used for unique product identification within supply chains, is defined within the GS1's EPC Tag Data Standard (TDS) . The TDS includes details about the EPC, User Memory data, control information, and tag manufacture information. The updated TDS 2.0 introduces a wide array of coding schemes and methods and supports increased EPC code lengths. It also maintains backward compatibility with prior versions.
[0052] However, despite the extensive usage of EPC in industries like retail and logistics, current EPC-coded devices are not compatible with 5G systems, which do not support EPC-coded devices in their frameworks.
[0053] This invention makes improvements on Ambient IoT devices in many aspects as follows.
[0054] -provided is a device identifier, which is compatible for the 5G system for example, enabling battery-less and USIM-less Ambient IoT devices to operate seamlessly within the 5G system.
[0055] -the Ambient IoT device identifier is compliance with the Electronic Product Code (EPC) defined in TDS 2.0 standard for example.
[0056] -the Pure Identity EPC URI is used as part of Ambient IoT device identifier.
[0057] -the Pure Identity EPC URI is used as the username in the NAI format of SUPI for the Ambient IoT device identifier.
[0058] -a method to use the device identifier is provided to formulate SUPI and SUCI which are compatible to identification format currently used in 5G system for example.
[0059] -provided are several digital signature-based mechanisms that facilitate the authentication of USIM-less Ambient IoT devices.
[0060] -provided are various public key-based encryption mechanisms aimed at protecting sensitive data on Ambient IoT devices.
[0061] -provided are several hybrid encryption-based mechanisms intended to safeguard sensitive data on Ambient IoT devices.
[0062] Figure 1 illustrates that, in some embodiments, a communication device 10 and an Ambient IoT device 20 for wireless communication in a communication network system according to an embodiment of the present invention are provided. With reference to Figure 1, the communication device 10 and the Ambient IoT device 20 communicate with each other wirelessly. The communication device 10 and the Ambient IoT device 20 executes embodiments of the method according to the present invention. The communication device 10 may be a User Equipment (UE) , Customer Premises Equipment (CPE) , Base Station (BS) , or RAN node. The communication device 10 includes a transceiver 12 and a processor 14, which are electrically connected with each other. The transceiver 12 of the communication device 10 is configured to transmit a signal to the Ambient IoT device 20 (and receive a signal from the Ambient IoT device 20) and the processor 14 of the communication device 10 processes the signal. In this way, the communication device 10 communicates with the Ambient IoT device 20 each other. At least the processor 14 of the communication device 10 may be configured to implement proposed functions, procedures and / or methods described in this description. The Ambient IoT device 20 may include a storage or tag 22 for storing all kinds of information, such as identification information, secure keys, or user data, either sensitive or non-sensitive. The Ambient IoT device 20 may be a Type A, B or C Ambient IoT device as that defined in TR 38.848. The communication device 10 may read any signal, information or data from the Ambient IoT device 20 or write it to the Ambient IoT device 20.
[0063] The processor 14 may include a general-purpose central processing unit (CPU) , an application-specific integrated circuits (ASICs) , other chipsets, logic circuits and / or data processing devices. The communication device may further include a memory (not shown) , which may include a read-only memory (ROM) , a random access memory (RAM) , a flash memory, a memory card, a storage medium, other storage devices, and / or any combination of the memory and storage devices. The transceiver 12 may include baseband circuitry and radio frequency (RF) circuitry to process radio frequency signals. When the embodiments are implemented in software, the techniques described herein can be implemented with modules, procedures, functions, entities and so on, that perform the functions described herein. The modules can be stored in a memory and executed by the processors. The memory can be implemented within a processor or external to the processor, in which those can be communicatively coupled to the processor via various means are known in the art.
[0064] Figure 2 illustrates a flowchart of a wireless communication method according to an embodiment of the present invention. Referring to Figure 2, the present invention provides a wireless communication method, including: obtaining Electronic Product Code (EPC) Uniform Resource Identifier (URI) from an Ambient Internet of Things (IoT) device; and formulating Network Access Identifier (NAI) format for Subscription Permanent Identifier (SUPI) based on the obtained EPC URI.
[0065] Optionally, the NAI for SUPI follows a first format, which consists of a username part and a realm part, the username part represents user or device identifier, and the realm part specifies authentication domain or realm to which a request is directed.
[0066] Optionally, the username part corresponds to the EPC URI, while the realm part identifies an operator owning the subscription.
[0067] Optionally, in addition to the EPC URI, the username part includes a plurality of components corresponding to other information, and the components are separated by a certain character.
[0068] Optionally, the realm part includes Ambient IoT Service Provider ID (ASP) , and the Ambient IoT Service Provider ID is a globally unique ID when combined with Public Land Mobile Network (PLMN) ID or independent of the PLMN ID.
[0069] Optionally, the realm part is constructed by prefixing Network Domain Name with a label “aiot” and with ASP label.
[0070] Optionally, the SUPI is designed to support Ambient IoT service request or certain applications in defining filtering rules for a group of Ambient IoT devices.
[0071] Optionally, Network Specific Identifier (NSI) is taken as SUPI type or a dedicated type for the Ambient IoT device is adopted when deriving Subscriber Concealed Identifier (SUCI) from the SUPI.
[0072] Optionally, the Ambient IoT device has Subscriber Identity Module (SIM) or a variation of SIM embedded in the Ambient IoT device.
[0073] Optionally, the method further includes: obtaining digital signature of the EPC URI from the Ambient IoT device; decrypting the digital signature by using a public key of the Ambient IoT device to obtain a first hash value of the EPC URI; using a hash function to create a second hash value from the obtained EPC URI; and verifying that the obtained EPC URI is unaltered if the second hash value matches the first hash value.
[0074] Optionally, the method further includes: if the EPC URI is successfully verified, retrieving user data from the Ambient IoT device or retrieving the user data associated with the EPC URI from a local database or a AIoT Service Provider database.
[0075] Optionally, the public key is received from one of the followings: a certificate issued by a Certificate Authority (CA) ; SIM installed on the Ambient IoT device; and a relevant AIoT network element.
[0076] Optionally, the method further includes: generating a number and applying a public key of the Ambient IoT device to encrypt the number; sending the encrypted number to the Ambient IoT device; receiving from the Ambient IoT device a decrypted number, which is decrypted using a private key of the Ambient IoT device; and verifying whether the number is the same as the decrypted number received from the Ambient IoT device.
[0077] Optionally, the method further includes: sending a number to the Ambient IoT device; receiving from the Ambient IoT device digital signature of the number; and decrypting the digital signature of the number by using a public key of the Ambient IoT device to confirm whether the number is originally sent to the Ambient IoT device.
[0078] Optionally, a certificate is embedded in the Ambient IoT device.
[0079] Optionally, the EPC URI is obtained from the certificate embedded in the Ambient IoT device.
[0080] Optionally, the certificate embedded in the Ambient IoT device further includes a public key of the Ambient IoT device or an AIoT service provider.
[0081] Optionally, the certificate embedded in the Ambient IoT device is issued by a cellular network operator or an AIoT service provider.
[0082] Optionally, the method further includes: employing a verification algorithm to validate digital signature associated with the certificate embedded in the Ambient IoT device; and once successful verification takes place, proceeding with registration and connection procedures with a cellular network.
[0083] The present invention further provides a communication device, including a memory and a processor, wherein the processor is configured to call and run the program instructions stored in a memory to execute the above-described method.
[0084] The present invention further provides a non-transitory computer readable storage medium, configured to store a computer program, which enables a computer to execute the above-described method.
[0085] The present invention further provides a secure data processing method, including: receiving from an Ambient Internet of Things (IoT) tag user data encrypted with a public key associated with an AIoT service provider; and decrypting the encrypted user data by utilizing a private key associated with the AIoT service provider to obtain decrypted user data of the Ambient IoT tag.
[0086] Optionally, the public key associated with the AIoT service provider is from a certificate issued by a cellular network operator or a self-signed certificate from the AIoT service provider.
[0087] Optionally, the method further includes: encrypting specific information by using the public key associated with the Ambient IoT tag; and transmitting the encrypted specific information to the Ambient IoT tag for the Ambient IoT tag to decrypt the encrypted specific information by using the private key associated with the Ambient IoT tag.
[0088] Optionally, the public key associated with the Ambient IoT tag is retrieved from an AIoT Network Operator Certificate Authority (CA) or an AIoT Service Provider CA.
[0089] Optionally, Electronic Product Code (EPC) Uniform Resource Identifier (URI) of the Ambient IoT tag serves as an index for obtaining the public key associated with the Ambient IoT tag.
[0090] Optionally, the private key associated with the Ambient IoT tag is stored in a tamper-resistant security space of the Ambient IoT tag.
[0091] The present invention further provides a secure data processing method, including: exchanging a shared symmetric key with an Ambient Internet of Things (IoT) tag by utilizing public key cryptography; receiving from the Ambient IoT tag user data encrypted with the shared symmetric key; and decrypting the encrypted user data by utilizing the shared symmetric key to obtain decrypted user data of the Ambient IoT tag.
[0092] Optionally, the method further includes: encrypting specific information by using the shared symmetric key; and transmitting the encrypted specific information to the Ambient IoT tag for the Ambient IoT tag to decrypt the encrypted specific information by using the shared symmetric key.
[0093] Optionally, the shared symmetric key is for a symmetric cryptography including Rivest Cipher 4 (RC4) , RC5, RC6, Blowfish, Twofish, Data Encryption Standards (DES) , Triple DES, or Advanced Encryption Standard (AES) .
[0094] Optionally, a key exchange protocol is used in exchanging the shared symmetric key.
[0095] Optionally, the key exchange protocol includes Diffie-Hellman.
[0096] The present invention further provides an Ambient Internet of Things (IoT) device, including a storage for storing Electronic Product Code (EPC) Uniform Resource Identifier (URI) .
[0097] Optionally, the Ambient IoT device has Subscriber Identity Module (SIM) or a variation of SIM embedded in the Ambient IoT device.
[0098] Optionally, the storage further stores digital signature of the EPC URI.
[0099] Optionally, the storage further stores user data.
[0100] Optionally, the storage further stores a certificate.
[0101] Optionally, the certificate includes the EPC URI.
[0102] Optionally, the certificate includes X. 509 Certificate, X. 509 Certificate Extensions, Attribute Certificate, Card Verifiable (CV) certificate, Pretty Good Privacy (PGP) certificate, WAP certificate, Simple Public Key Infrastructure (SPKI) certificate, or Traceable Anonymous Certificate.
[0103] The present invention further provides an Ambien Internet of Things (IoT) device identifier, including Subscription Permanent Identifier (SUPI) with Network Access Identifier (NAI) format, wherein the NAI for SUPI includes a username part and a realm part, and the username part corresponds to Electronic Product Code (EPC) Uniform Resource Identifier (URI) of Ambien IoT device.
[0104] Optionally, the username part represents user or device identifier, and the realm part specifies authentication domain or realm to which a request is directed.
[0105] Optionally, the realm part identifies an operator owning the subscription.
[0106] Optionally, in addition to the EPC URI, the username part includes a plurality of components corresponding to other information, and the components are separated by a certain character.
[0107] Optionally, the realm part includes Ambient IoT Service Provider ID (ASP) , and the Ambient IoT Service Provider ID is a globally unique ID when combined with Public Land Mobile Network (PLMN) ID or independent of the PLMN ID.
[0108] Optionally, the realm part is constructed by prefixing Network Domain Name with a label “aiot” and with ASP label.
[0109] Optionally, the SUPI is designed to support Ambient IoT service request or certain applications in defining filtering rules for a group of Ambient IoT devices.
[0110] Further details on the invention are provided below.
[0111] 1 Ambient IoT Identifier
[0112] As illustrated in Figure 3, the method involves obtaining or capturing the EPC URI from an Ambient IoT device, via Ua interface, using a suitable reader protocol installed in a User Equipment (UE) , Customer Premises Equipment (CPE) , Base Station (BS) , or RAN node. The reader, located on the RAN, UE, or other 5G network elements formulates the NAI (Network Access Identifier) format for SUPI (Subscription Permanent Identifier) based on the acquired EPC URI.
[0113] An AIoT Service Provider is an entity responsible for AIoT service deployment, AIoT device management, lifecycle support, data management services, energy management, as well as the charging, billing, and security aspects of AIoT services. The servers or data centers maintained by the AIoT Service Provider store data or information linked to the Pure Identity EPC URI.
[0114] The present invention discloses a method for deriving an Ambient IoT device identifier compatible with the 5G system for example by utilizing the EPC "Pure Identity URI" defined in TDS 2.0.
[0115] The EPC "Pure Identity URI" is a standardized Uniform Resource Identifier (URI) that serves as a unique identifier for a specific product or item within the EPC global network. It follows the format,
[0116] urn: epc: id: scheme: component1. component2...
[0117] where "scheme" represents an EPC scheme and "component1" , "component2" , and subsequent parts denote the specific elements of the EPC scheme being used. The detailed format specification is provided in TDS 2.0.
[0118] The NAI for SUPI follows a first format. For example, the first format may be the username@realm format described in clause 2.2 of IETF RFC 7542. It consists of two parts: the Username part and the Realm part, separated by the “@” symbol. The Username part represents the user or device identifier, and the Realm Part specifies the authentication domain or realm to which the request is directed.
[0119] The Username part of the NAI allows for various characters, including alphanumeric characters and special characters such as dots, dashes, and underscores. It may also include internationalized characters encoded using UTF-8, allowing for multilingual usernames.
[0120] The Realm Part of the NAI is a string that serves to identify the authentication domain. It can take the form of a fully qualified domain name (FQDN) or a realm-specific string. The format and interpretation of the Realm Part may vary depending on the specific deployment and administrative policies in place.
[0121] In the NAI for SUPI, the username part corresponds to the EPC URI, while the realm part identifies the operator owning the subscription.
[0122] If the operator has a PLMN (Public Land Mobile Network) ID, the realm is structured as “5gc. asp<ASP>. mnc<MNC>. mcc<MCC>. 3gppnetwork. org” . For example, if the Ambient IoT Service Provider ID (ASP) is “009” and the PLMN ID is MNC 012 and MCC 345, the realm part will be
[0123] 5gc. asp009. mnc012. mcc345.3gppnetwork. org.
[0124] When used in SUPI, ‘: ’ in the original Pure Identity EPC URI in the username part of the SUPI should be converted to a UTF-8 compatible character, such as ‘-’ , ‘_’ , etc, or just use dot ‘. ’ .
[0125] Consequently, the NAI for SUPI will be:
[0126] urn-epc-id-sgtin-9521141.012345.4711@5gc. asp009. mnc012. mcc345.3gppnetwork. org, or
[0127] urn_epc_id_sgtin_9521141_012345_4711@5gc. asp009. mnc012. mcc345.3gppnetwork. org
[0128] In another embodiment, the username portion might include several components in dot string format, that is,
[0129] component 1. compone 2. component2…conponentN. EPC URI@realm part
[0130] where component_n could be other information, for example, Ambient IoT device type (Type A, Type B, and Type C) , Ambient IoT manufacture code, etc. e.g.
[0131] TypeA. ManufactureA. urn. epc. id. sgtin_9521141.012345.4711@5gc. asp009. mnc012. mcc345.3gppnetwork. org
[0132] The components and EPC URI can be arranged in a various order as long as they ensure unique identification within the realm domain, for example,
[0133] urn. epc. id. sgtin. 9521141.012345.4711. TypeA. ManufactureA@5gc. asp009. mnc012. mcc345.3gppetwork. org
[0134] The assignment of the ASP can be carried out through collaboration between the Ambient IoT service provider and the 5G service provider, ensuring a globally unique combination of the ASP ID and PLMN ID. The ASP code is embedded within the AIoT tag’s certificate to guarantee its authenticity and integrity.
[0135] AIoT Service Provider ID is assigned by 5G network operator. When combined with PLMN, it should be a globally unique ID.
[0136] The AIoT Service Provider ID might also be globally unique independent of the PLMN ID. In that case, AIoT Service Provider ID could be, e.g., assigned by GS1 to a managing entity.
[0137] The AIoT Service Provider ID could be designed as a sufficiently long sequence number that can accommodate the largest possible amount of service providers within a PLMN. For instance, this ID might be structured as an alphanumeric code with a length of up to 16 digits. It could utilize various numbering systems such as hexadecimal (including digits from 0-9 and letters from A-F) , decimal (including digits from 0-9) , or alphanumeric (including digits from 0-9 and letters from A-Z in both uppercase and lower case) , or any combination of them. These formats support a vast range of unique identification assignments, thus accommodating numerous AIoT service providers within the network.
[0138] The AIoT Service Provider ID might also take the form of a human readable name or alias.
[0139] In another embodiment, EPC Class URI syntax could be used to address a class of objects belonging to a given batch or lot of a given Global Trade Item Number (GTIN) .
[0140] In another embodiment, when applying the syntax for the EPC Pure Identity Pattern, the SUPI is designed to support 5G Ambient IoT service request or certain applications in defining filtering rules for a group of Ambient IoT devices. A typical Pattern URI takes the following form,
[0141] urn: epc: idpat: sgtin: 9521141. *. *
[0142] This pattern represents any EPC SGTIN that has GS1 Company Prefix 9521141, while the Item Reference and Serial Number can have any values.
[0143] In another embodiment, to save the storage in the Ambient IoT device, an efficient encoding of Pure Identity EPC URI should be stored in the Ambient IoT device.
[0144] In another embodiment, the Ambient IoT SUPI realm can be constructed by prefixing Home Network Domain Name (5gc. mnc. mcc. 3gppnetwork. org) with the label “aiot” and with ASP label (s) assigned by a PLMN as described below:
[0145] <AIoT Service Provider ID>. aiot. 5gc. mnc. mcc. 3gppnetwork. org
[0146] This format shall be used as a Diameter identity of an AIOT Network Function Instance.
[0147] Additionally, in certain cases such as private 5G networks, SNPN or PNI NPN, or in collaboration with the operator, the issuing organization may be responsible for issuing the SIM card to be used on the equipment with AIoT reader functionality.
[0148] When deriving Subscriber Concealed Identifier (SUCI) from SUPI, the Ambient IoT device ID SUPI type should take Network Specific Identifier (NSI) , or a dedicated type for Ambient IoT device could be reserved, as shown in Figure 4.
[0149] On the other hand, for certain Ambient IoT devices, if Subscriber Identity Module (SIM) or a variation of SIM is equipped on them, the SIM might be embedded, typically soldered on the AIoT tag, and cannot be removed. A light-weight security mechanism might be required. In this case, IMSI, composed of MCC, NC, MSIN will be used to identify the AIoT subscription. And the SUPI type is IMSI.
[0150] Overall, these embodiments of the invention enable the derivation of an Ambient IoT device identifier that is compatible with the 5G system. By utilizing the EPC "Pure Identity URI, " secure and efficient communication is facilitated within the network, supporting improved identification and management of Ambient IoT devices.
[0151] With the implementation of a 5G-compatible Ambient IoT identification scheme, the Ambient IoT device begins with initialization and successful verification of this identification. Following this, a registration process commences where the User Equipment (UE) , Customer Premises Equipment (CPE) , Base Station, or Radio Access Network (RAN) node with AIoT reader function, generates a Subscription Permanent Identifier (SUPI) based on the EPC pure identity URI. This SUPI is then employed to register the AIoT device with the 5G User Data Management (UDM) system. It is significant to note that the primary responsibility for connection management lies with the UE. Moreover, the UE should already be registered with the 5G System (5GS) using its SIM, which has been programmed to support AIoT services.
[0152] Beyond registration, the UE is now capable of retrieving information stored on the AIoT tag, such as location data, temperature readings, or other pertinent parameters. This information is akin to the ACID+ (Additional Carrier Identifier) information stored in the user data memory bank on RFID tags. To ensure data confidentiality during transmission, the tag might also employ the AIoT service provider's private key to encrypt the content.
[0153] In the forthcoming sections, specifically Section 2 and Section 3, we detail the methods of embedding these identifications into AIoT tags using digital signatures and X. 509-based certificates, respectively. Certain categories of Ambient IoT devices / tags, such as Type B and Type C, are likely to have more available memory banks. These could potentially store user data, general information, or even sensitive details related to privacy on the Ambient IoT devices or tags. Consequently, to address these concerns, we further disclose two distinctive methods for protecting user data on Ambient IoT devices / tags in Sections 4 and 5.
[0154] 2 Digital signature of EPC “pure identity URI”
[0155] A digital signature employs a public key cryptography technique to validate the authenticity and integrity of a digital object. Comparable to a traditional handwritten signature, a digital signature provides enhanced security. It is formed by encrypting a unique hash, often using cryptographic algorithms, with the sender's private key. Upon receiving this, the recipient can decode the signature using the sender's public key. This allows the recipient to confirm the sender's identity and ascertain that the transmitted data has not been compromised.
[0156] The generation of a digital signature begins by processing a message or data file through a cryptographic algorithm to produce a distinct hash. This hash function converts the data into a byte string of fixed size. Subsequently, the sender's private key encrypts this hash, thereby creating the digital signature. The original message, alongside its encrypted hash, i.e., the digital signature, is transmitted to the recipient. The hash's uniqueness guarantees that even a minor alteration in the message results in a substantially different hash, while the encryption shields the signature from unauthorized modifications.
[0157] Upon receiving the digitally signed object, the recipient uses the public key (obtained from the sender's digital certificate) to decrypt the received digital signature. This reveals the original hash value generated by the sender. Concurrently, the recipient uses the same hash function to create a new hash value from the received message. If the newly created hash matches the original one, it verifies that the message is unaltered, and the signature is authentic. It confirms the message's integrity and authenticates the sender's identity because only the sender's private key could create a signature decryptable by the sender's public key.
[0158] In the context of Ambient IoT, as depicted in Figure 5, during the production of Ambient IoT tags, the Pure identity EPC URI of an AIoT device is digitally signed by the 5G AIoT Network Operator. This digital signature is affixed to the EPC "pure identity URI" on the AIoT tag.
[0159] As further demonstrated in Figure 3, devices such as UE and CPE, Base Stations, IAB nodes, or repeaters equipped with AIoT reader capabilities utilize the Ua interface to retrieve data from AIoT tags. To access the data stored on the tag, the reader function within the AIoT-compatible network component activates the tag circuitry wirelessly and communicates through its antenna.
[0160] Upon obtaining or fetching the digital signature and the Pure Identity EPC URI, AIoT-capable reader devices or network components employ the public key to decrypt them. Then, the AIoT reader restores the Pure Identity EPC URI using the same hash function and compares it with the received EPC URI. If a match is found, a trust relationship is established. If not, the AIoT reader will cease further operations. This process is governed by a protocol running on the AIoT reader, secured either by a hardware SoC or executed within a Trusted Execution Environment (TEE) in the AIoT reader or on the hosting device.
[0161] In one embodiment, the public key, used by the AIoT reader function to decrypt the obtained or fetched digital signature, is delivered to the AIoT reader via a certificate issued by a Certificate Authority (CA) .
[0162] In another embodiment, the 5G AIoT Network Operators, who typically set up and provision the AIoT-enabled devices, could provide a SIM card to be installed on the AIoT reader. This would allow for the 5G AIoT Network Operator’s public key to be pre-programmed into the SIM card during its issuance or added via an Over the Air (OTA) process typically deployed by 5G Network Operators. The same public key can also be made available in the Operator's AIoT-capable Base Station or other relevant AIoT network elements.
[0163] Subsequently, after successfully validating the AIoT operator-signed Pure Identity EPC URI, the UE or AIoT reader function could formulate a FQDN to reach to the AIoT Service Provider’s server to retrieve user data associated with the Pure Identity EPC URI.
[0164] In one embodiment, the AIoT tag doesn't store any user data, except for the Pure identity EPC URI. Any data related to the item linked with the AIoT tag will be retrieved from the AIoT service provider's database.
[0165] In another embodiment, the aforementioned database could be a local database. For instance, the AIoT Service Provider might offer an application that resides on the UE or other network functions with AIoT reader functionality. The application includes a local database where all the user data linked with the Pure Identity EPC URI is stored. In this case, the UE does not need to retrieve user data from the AIoT service provider’s database.
[0166] In yet another embodiment, the AIoT application first tries to retrieve user data from the local database on the UE.If it cannot retrieve from the local database built into the UE AIoT application, it might reach out to the AIoT Service Provider’s server to retrieve the user data information.
[0167] In yet another embodiment, the user data in the local database or remote database might be encrypted by using public key encryption, symmetric key encryption, or the hybrid algorithm. In the case of public key encryption, to decrypt the user data retrieved from the database, the UE has to use the AIoT reader or AIoT application’s private key which could be stored on the SIM card of the AIoT reader functionality. In this scenario, the application issuing organization collaborates with the operator to securely store the AIoT reader or AIoT application’s private key on the SIM card, which is protected against unauthorized access, for example by a password. More details of the user data protection will be disclosed in Section 4 and 5.
[0168] The aforementioned solution introduces a "passive authentication" mechanism where the AIoT tag does not possess any computational capabilities to perform either encryption or decryption process, or both. However, some AIoT tags might possess such capabilities.
[0169] In another embodiment, an active authentication process can be implemented. This process employs a unique cryptographic key pair and a challenge-response protocol to provide additional security against cloning attempts. Various versions of this challenge-response protocol could exist.
[0170] Typically, the UE or AIoT reader generates a random number and applies the public key (acquired from a Certificate Authority based on the tag’s ID) of the AIoT tag to encrypt the number. Upon receiving this challenge, the AIoT tag decrypts the random number using its private key and then sends the decrypted number back to the UE or AIoT reader. This action confirms that the AIoT tag possesses the private key, thereby verifying that it is the intended communication target for the UE, AIoT reader or other network elements with AIoT reader function.
[0171] In yet another embodiment, the UE or AIoT reader sends a random number in the clear to the AIoT tag. When the AIoT tag receives this challenge, it signs the random number by using its private key and sends the digital signature back to the UE or the AIoT reader. Once receiving the digital signature, the UE or the AIoT reader can confirm whether this is the number originally sent, thereby verifying that the tag is indeed the intended target for this transaction.
[0172] Figure 6 shows the call flow of these embodiments.
[0173] 3 Certificate for AIoT tag
[0174] In this embodiment, as illustrated in Figure 7, Operator-signed AIoT service provider certificates are securely embedded in the AIoT tags. These certificates can take various forms, including X. 509 Certificate, X. 509 Certificate Extensions, Attribute Certificate, Card Verifiable (CV) certificate, Pretty Good Privacy (PGP) certificate, WAP certificate, Simple Public Key Infrastructure (SPKI) certificate, or Traceable Anonymous Certificate. The 5G AIoT Network Operator Certification Authority (CA) typically issues these certificates. However, there is also a possibility that the AIoT service provider self-signed these certificates, effectively acting as its own CA. The authority to issue, revoke, or renew certificates lies solely with the CA.
[0175] In addition to the standard structures of each certificate type, the certificates should include specific information, such as the Application Service Provider ID or name, the public key of the AIoT service provider, and the EPC pure identity URI, which serves as a unique identifier for the AIoT device. Specifically, the certificate should contain:
[0176] · Certificate information, including the version number, certificate authority, etc.
[0177] · Certificate Serial Number: a unique serial number assigned by the issuing authority, in this case, the 5G AIoT Network Operator.
[0178] · Certificate Issuer: the entity or organization issuing the certificate, usually a trusted Certification Authority (CA) , with the issuer's name, organization, and relevant identifying details. In this context, the Certificate Issuer is the 5G AIoT Network Operator.
[0179] · Certificate effective date: the start of the certificate's validity.
[0180] · Certificate expiration date: the end of the certificate's validity.
[0181] · Subject's identity: the entity or subject to whom the certificate is issued, including the Pure identity EPC URI, AIoT service provider's name, organization, email address, or other identifying details.
[0182] · Public Key: the subject's public key, representing the AIoT service provider's public key and AIoT tag's public key.
[0183] · Digital Signature: the certificate's digital signature, ensuring its integrity and validity, issued by the relevant authority.
[0184] · Certificate Extensions: additional information providing specific details or functionality, such as intended usage, certificate policies, key usage restrictions, or custom attributes of the AIoT tag, including its manufacture.
[0185] · Certificate Thumbprint / Fingerprint: a hash value calculated from the certificate's content, often used as a unique identifier or for verifying its integrity.
[0186] · Revocation information: details on how to check the certificate's revocation status, such as Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders.
[0187] Figure 7 illustrates an AIoT tag with a certificate. Referring to Figure 7 and its corresponding interaction with the 5G system as shown in Figure 3, when User Equipment (UE) , Customer Premises Equipment (CPE) , or Base Stations with AIoT capabilities interact with the AIoT tags, they utilize the Ua interface. This interface wirelessly powers the tag circuitry and enables communication through its antenna for data retrieval.
[0188] In this embodiment, AIoT-capable devices are typically supported and provisioned by the 5G network operator. For devices equipped with a Subscriber Identity Module (SIM) , the 5G AIoT network operator may include its public key on the SIM and other network elements. These keys facilitate secure communication between the devices and the 5G AIoT network operator's network.
[0189] To establish trust and verify the authenticity of the AIoT tag's data, UE, CPE, or Base Stations with AIoT capabilities employ verification algorithms. These algorithms validate the digital signature associated with the certificate by utilizing the public key of the issuer, which in this case is the 5G AIoT Network Operator. Once successful verification takes place, UE, CPE, or Base Stations with AIoT capabilities can proceed with the 5G registration and connection procedures within the 5G AIoT network operator's network. This process is governed by a protocol running on the AIoT reader, secured either by a hardware SoC or executed within a Trusted Execution Environment (TEE) in the AIoT reader or the hosting device.
[0190] In summary, this embodiment incorporates Operator-signed certificates into AIoT tags. UE, CPE, or RAN devices interact with the tags through the Ua interface and employ verification algorithms to validate the digital signature. These devices utilize their association with the 5G AIoT Network Operator, including the use of SIM cards and public keys, for secure registration and connection within the 5G network.
[0191] 4 Enhanced user data protection using public key
[0192] Certain Ambient IoT tags have the capacity to store user data. This data may include sensitive information such as location data, personal health information, personally identifiable information, financial data, authentication and authorization data, sensitive business or system operating data, and user behavioral data.
[0193] To ensure privacy protection, it is of utmost importance to support user data encryption. Encryption helps maintain data integrity by preventing unauthorized modifications or tampering. It restricts access to unauthorized individuals, mitigates the risk of data breaches, and safeguards sensitive information from unauthorized viewing or reading. Implementing encryption is crucial in upholding privacy and maintaining the security of user data in the Ambient IoT system.
[0194] In one embodiment, as shown in Figure 8, the EPC pure identity URI is stored in plaintext, while the user data on the AIoT tag may be encrypted using the AIoT service provider's public key. The tag obtains this public key from either the aforementioned certificate issued by the 5G AIoT Network Operator or a self-signed certificate from the AIoT service provider. Upon receiving this information, the AIoT service provider utilizes its private key to decrypt the data.
[0195] On the other hand, if the AIoT service provider needs to write specific information to a particular AIoT tag, it encrypts the message using the AIoT tag's public key retrieved from the AIoT Network Operator's CA or the AIoT Service Provider CA. The Pure Identity EPC URI of the Ambient IoT tag serves as an index for obtaining the tag's public key. Subsequently, upon receiving the data, the AIoT tag decrypts the information using its own private key. The private key for the Ambient IoT tag is typically stored in a tamper-resistant security space.
[0196] In summary, in this embodiment, the encrypted information stored in the tag is securely transmitted to Provider A'sserver. Provider A possesses the necessary decryption capabilities to retrieve and decipher the encrypted data. By utilizing the private key associated with the AIoT service provider, Provider A can decrypt the information for further processing or analysis.
[0197] 5 Enhanced data protection using Hybrid Encryption
[0198] The method of uplink data transmission disclosed in Section 4 necessitates that the AIoT tag encrypts user data with the public key of the AIoT service provider. Nevertheless, the implementation of public key cryptography, such as RSA, might pose difficulties on some Ambient IoT tags with less computational capability.
[0199] As an alternative, a hybrid encryption scheme where a session or symmetric key is employed to protect sensitive user data transmission between the Ambient IoT Tag and AIoT Service Provider. Public key encryption is then used for secure exchange of these session keys between the two parties. There are numerous symmetric cryptosystems, such as Rivest Cipher 4 (RC4) , RC5, RC6, Blowfish, Twofish, Data Encryption Standards (DES) , Triple DES, Advanced Encryption Standard (AES) , and their derivatives. These symmetric encryption algorithms typically demand fewer computational resources, facilitating efficient and secure communication between the AIoT tag and the AIoT service provider.
[0200] In the architecture illustrated in Figure 9, both parties use the same key for encryption and decryption, contrasting the method detailed in Section 4. Nodes seeking to employ symmetric cryptography must establish the shared key securely.
[0201] In one embodiment, a key management system can deliver the shared key to both the AIoT tag and the AIoT service provider. This system is in charge of distributing symmetric keys and ensuring their rotation periodically to boost security. It also delivers the necessary infrastructure to manage keys securely throughout their lifecycle, including tasks such as key generation, exchanges, storage, and revocation.
[0202] In another embodiment, a key exchange protocol like Diffie-Hellman could be deployed to generate the shared session key. The Diffie-Hellman key exchange protocol provides a secure method to exchange cryptographic keys over a public communication channel. As one of the pioneering protocols of public-key cryptography, it utilizes the mathematical principle of modular exponentiation. Within this process, two parties, each equipped with a set of public and private keys, exchange their public keys. Each party then performs specific mathematical operations with their private key and the other party's public key, resulting in a shared secret, or session key. Any eavesdropper observing the exchange of public keys is unable to compute this shared secret due to the computational challenges posed by the Discrete Logarithm Problem. The established session key can then be used to secure symmetric encryption of subsequent communications.
[0203] As depicted in the procedures in Figure 10, the key management system or key exchange protocol generates the symmetric cryptographic keys that are shared between the AIoT service provider and the AIoT tag. Consequently, both the AIoT tag and the AIoT service provider utilize the same symmetric encryption key for exchanging protected user data. In the uplink process, the AIoT reader transmits data to the AIoT service provider. Upon receipt of the user data, the AIoT service provider validates authorization through business rules, licenses, entitlements, or policy information. If required, the AIoT service provider will direct a request to the key management system for key issuance. The data is subsequently processed at the AIoT service provider.
[0204] If the AIoT service provider determines that further action or a response needs to be conveyed back to the AIoT tag based on the received user data, it encrypts the response data with the same symmetric key. The encrypted information is then transmitted back to the AIoT reader, which issues the suitable command to write the data into the memory bank of the AIoT tag.
[0205] Advantages of the invention are described below.
[0206] The invention pertaining to the 5G Ambient IoT device identifier extends support for RFID-like battery-less devices to a wider 5G infrastructure coverage, opening up a plethora of applications and use cases.
[0207] The Ambient IoT landscape is expanding rapidly, with diverse applications across various industries. In the healthcare sector, Ambient IoT devices can be used for remote patient monitoring, asset tracking, and optimizing healthcare operations. These devices enable healthcare providers to deliver better patient care, reduce costs, and improve overall operational efficiency.
[0208] Manufacturing industries can leverage Ambient IoT devices for real-time monitoring and control of production processes, predictive maintenance, and supply chain optimization. By integrating Ambient IoT-enabled devices, manufacturing operations can achieve higher productivity, minimize downtime, and facilitate seamless operations integration.
[0209] Logistics and transportation companies can greatly benefit from Ambient IoT devices by utilizing them for asset tracking, shipment monitoring, route optimization, and overall fleet management. These applications lead to streamlined operations, reduced delivery times, and enhanced customer satisfaction.
[0210] In the agriculture sector, Ambient IoT devices play a crucial role in precision farming, environmental monitoring, and optimizing irrigation and fertilization. By leveraging Ambient IoT-enabled agriculture solutions, farmers can adopt sustainable practices, conserve resources, and achieve improved crop yield.
[0211] Moreover, the emerging market for Ambient IoT devices powered by ambient energy sources presents significant opportunities. Devices that can harness energy from ambient sources like solar, kinetic, or thermal energy eliminate the need for traditional power sources or frequent battery replacements. This opens up possibilities for deploying Ambient IoT devices in remote or inaccessible locations where power infrastructure is limited. Environmental monitoring, asset tracking, and smart infrastructure are just a few areas that can greatly benefit from the use of IoT devices powered by ambient energy.
[0212] In addition, considering a large number of items in the store, a huge demand for Ambient IoT tags can be expected in the retail chain market.
[0213] In conclusion, the invention of the 5G Ambient IoT device identifier presents vast market opportunities across various industries and sectors. The expanding IoT landscape, combined with the emerging market for IoT devices powered by ambient energy, further enhances the potential for innovative applications and widespread adoption of IoT technologies.
[0214] The idea of the invention relates to:
[0215] -A method to derive Ambien IoT device identifier from EPC pure identity URI
[0216] -A structure of the Ambient IoT SUPI
[0217] -A application of ASP code in the Ambient IoT SUPI
[0218] -A format of Ambient IoT SUPI
[0219] -A mechanism to insert Operator certificate during Ambient IoT device production
[0220] -A interaction between UE and the Ambient IoT device
[0221] -A mechanism to obtain or capture Ambient IoT device identification and generate SUPI on the UE, CPE or RAN, or another network node
[0222] -A mechanism to insert certificate on Ambient IoT device ID. The certificate could take the form of X. 509, CV, PGP, and many others.
[0223] -A Ambient IoT-related parameters to put in the certificate
[0224] -A format of the certificate specific to Ambient IoT device
[0225] -A structure of the Ambient IoT operator-signed certificate
[0226] -A mechanism to provide ASP code in the certificate
[0227] -A mechanism to have operator private key, public key, ASP public key, ASP private key, ASP content key on the USIM or UICC
[0228] -A mechanism to retrieve or write protected information on the Ambient IoT device based on PKI
[0229] -A usage of SUPI type value 4, 5, 6, or 7 for Ambient IoT identifier
[0230] -A usage of SUPI for Ambient IoT devices
[0231] -A usage of SUPI to reach a group of Ambient IoT devices following EPC pure identity pattern URI
[0232] -A format of the username portion of the Ambient IoT device SUPI
[0233] -A format of the realm portion of the Ambient IoT device SUPI
[0234] -A method of the flexible arrangement of username portion of the Ambient IoT device SUPI
[0235] -Within the AIoT service provider's servers, all information is stored in an encrypted format using the AIoT tag’s public key, or alternatively using a symmetric encryption scheme. This encryption mechanism ensures that sensitive data remains protected and can only be accessed by authorized parties possessing the corresponding private key.
[0236] -To retrieve the encrypted information from the AIoT service provider's servers, UE, RAN, or CPE devices equipped with the AIoT service provider's public key establish a secure connection. The devices utilize the public key to securely retrieve the encrypted information from the AIoT service provider's servers. This ensures that only authorized entities with the corresponding private key can access and decrypt the information, maintaining data confidentiality and integrity throughout the communication process.
[0237] -A mechanism to employ public key to encrypt user data to protect sensitive data on the Ambient IoT tags
[0238] -A mechanism to employ hybrid encryption to protect sensitive user data on Ambient IoT tags
[0239] -A method to employ a Key Management System to generate symmetric key for Ambient IoT tags to perform encryption
[0240] -A method to employ a de-centralized method to generate shared session key between Ambient IoT tags and Ambient IoT service provider
[0241] The embodiment of the present application further provides a computer readable storage medium for storing a computer program. The computer readable storage medium enables a computer to execute corresponding processes implemented by the UE / BS in each of the methods of the embodiments of the present disclosure. For brevity, details will not be described herein again.
[0242] The embodiment of the present application further provides a computer program product including computer program instructions. The computer program product enables a computer to execute corresponding processes implemented by the UE / BS in each of the methods of the embodiments of the present disclosure. For brevity, details will not be described herein again.
[0243] The embodiment of the present application further provides a computer program. The computer program enables a computer to execute corresponding processes implemented by the UE / BS in each of the methods of the embodiments of the present disclosure. For brevity, details will not be described herein again.
[0244] Although not shown in detail any of the devices or apparatus that form part of the network may include at least a processor, a storage unit and a communications interface, wherein the processor unit, storage unit, and communications interface are configured to perform the method of any aspect of the present invention. Further options and choices are described below.
[0245] The signal processing functionality of the embodiments of the invention especially the gNB and the UE may be achieved using computing systems or architectures known to those who are skilled in the relevant art. Computing systems such as, a desktop, laptop or notebook computer, hand-held computing device (PDA, cell phone, palmtop, etc. ) , mainframe, server, client, or any other type of special or general purpose computing device as may be desirable or appropriate for a given application or environment can be used. The computing system can include one or more processors which can be implemented using a general or special-purpose processing engine such as, for example, a microprocessor, microcontroller or other control module.
[0246] The computing system can also include a main memory, such as random access memory (RAM) or other dynamic memory, for storing information and instructions to be executed by a processor. Such a main memory also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by the processor. The computing system may likewise include a read only memory (ROM) or other static storage device for storing static information and instructions for a processor.
[0247] The computing system may also include an information storage system which may include, for example, a media drive and a removable storage interface. The media drive may include a drive or other mechanism to support fixed or removable storage media, such as a hard disk drive, a floppy disk drive, a magnetic tape drive, an optical disk drive, a compact disc (CD) or digital video drive (DVD) read or write drive (R or RW) , or other removable or fixed media drive. Storage media may include, for example, a hard disk, floppy disk, magnetic tape, optical disk, CD or DVD, or other fixed or removable medium that is read by and written to by media drive. The storage media may include a computer-readable storage medium having particular computer software or data stored therein.
[0248] In alternative embodiments, an information storage system may include other similar components for allowing computer programs or other instructions or data to be loaded into the computing system. Such components may include, for example, a removable storage unit and an interface, such as a program cartridge and cartridge interface, a removable memory (for example, a flash memory or other removable memory module) and memory slot, and other removable storage units and interfaces that allow software and data to be transferred from the removable storage unit to computing system.
[0249] The computing system can also include a communications interface. Such a communications interface can be used to allow software and data to be transferred between a computing system and external devices. Examples of communications interfaces can include a modem, a network interface (such as an Ethernet or other NIC card) , a communications port (such as for example, a universal serial bus (USB) port) , a PCMCIA slot and card, etc. Software and data transferred via a communications interface are in the form of signals which can be electronic, electromagnetic, and optical or other signals capable of being received by a communications interface medium.
[0250] In this document, the terms ‘computer program product’ , ‘computer-readable medium’ and the like may be used generally to refer to tangible media such as, for example, a memory, storage device, or storage unit. These and other forms of computer-readable media may store one or more instructions for use by the processor including the computer system to cause the processor to perform specified operations. Such instructions, generally referred to as ‘computer program code’ (which may be grouped in the form of computer programs or other groupings) , when executed, enable the computing system to perform functions of embodiments of the present invention. Note that the code may directly cause a processor to perform specified operations, be compiled to do so, and / or be combined with other software, hardware, and / or firmware elements (e.g., libraries for performing standard functions) to do so.
[0251] The non-transitory computer readable medium may include at least one from a group consisting of: a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a Read Only Memory, a Programmable Read Only Memory, an Erasable Programmable Read Only Memory, EPROM, an Electrically Erasable Programmable Read Only Memory and a Flash memory. In an embodiment where the elements are implemented using software, the software may be stored in a computer-readable medium and loaded into computing system using, for example, removable storage drive. A control module (in this example, software instructions or executable computer program code) , when executed by the processor in the computer system, causes a processor to perform the functions of the invention as described herein.
[0252] Furthermore, the inventive concept can be applied to any circuit for performing signal processing functionality within a network element. It is further envisaged that, for example, a semiconductor manufacturer may employ the inventive concept in a design of a stand-alone device, such as a microcontroller of a digital signal processor (DSP) , or application-specific integrated circuit (ASIC) and / or any other sub-system element.
[0253] It will be appreciated that, for clarity purposes, the above description has described embodiments of the invention with reference to a single processing logic. However, the inventive concept may equally be implemented by way of a plurality of different functional units and processors to provide the signal processing functionality. Thus, references to specific functional units are only to be seen as references to suitable means for providing the described functionality, rather than indicative of a strict logical or physical structure or organization.
[0254] Aspects of the invention may be implemented in any suitable form including hardware, software, firmware or any combination of these. The invention may optionally be implemented, at least partly, as computer software running on one or more data processors and / or digital signal processors or configurable module components such as field programmable gate array (FPGA) devices.
[0255] Thus, the elements and components of an embodiment of the invention may be physically, functionally and logically implemented in any suitable way. Indeed, the functionality may be implemented in a single unit, in a plurality of units or as part of other functional units. Although the present invention has been described in connection with some embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present invention is limited only by the accompanying claims. Additionally, although a feature may appear to be described in connection with particular embodiments, one skilled in the art would recognize that various features of the described embodiments may be combined in accordance with the invention. In the claims, the term ‘comprising’ does not exclude the presence of other elements or steps.
[0256] Furthermore, although individually listed, a plurality of means, elements or method steps may be implemented by, for example, a single unit or processor. Additionally, although individual features may be included in different claims, these may possibly be advantageously combined, and the inclusion in different claims does not imply that a combination of features is not feasible and / or advantageous. Also, the inclusion of a feature in one category of claims does not imply a limitation to this category, but rather indicates that the feature is equally applicable to other claim categories, as appropriate.
[0257] Furthermore, the order of features in the claims does not imply any specific order in which the features must be performed and in particular the order of individual steps in a method claim does not imply that the steps must be performed in this order. Rather, the steps may be performed in any suitable order. In addition, singular references do not exclude a plurality. Thus, references to ‘a’ , ‘an’ , ‘first’ , ‘second’ , etc. do not preclude a plurality.
[0258] While the present application has been described in connection with what is considered the most practical and preferred embodiments, it is understood that the present application is not limited to the disclosed embodiments but is intended to cover various arrangements made without departing from the scope of the broadest interpretation of the appended claims.
Claims
1.A wireless communication method, comprising:obtaining Electronic Product Code (EPC) Uniform Resource Identifier (URI) from an Ambient Internet of Things (IoT) device; andformulating Network Access Identifier (NAI) format for Subscription Permanent Identifier (SUPI) based on the obtained EPC URI.2.The method of claim 1, wherein the NAI for SUPI follows a first format, which consists of a username part and a realm part, the username part represents user or device identifier, and the realm part specifies authentication domain or realm to which a request is directed.3.The method of claim 2, wherein the username part corresponds to the EPC URI, while the realm part identifies an operator owning the subscription.4.The method of claim 3, wherein in addition to the EPC URI, the username part comprises a plurality of components corresponding to other information, and the components are separated by a certain character.5.The method of claim 2, wherein the realm part comprises Ambient IoT Service Provider ID (ASP) , and the Ambient IoT Service Provider ID is a globally unique ID when combined with Public Land Mobile Network (PLMN) ID or independent of the PLMN ID.6.The method of claim 5, wherein the realm part is constructed by prefixing Network Domain Name with a label “aiot” and with ASP label.7.The method of claim 1, wherein the SUPI is designed to support Ambient IoT service request or certain applications in defining filtering rules for a group of Ambient IoT devices.8.The method of claim 1, wherein Network Specific Identifier (NSI) is taken as SUPI type or a dedicated type for the Ambient IoT device is adopted when deriving Subscriber Concealed Identifier (SUCI) from the SUPI.9.The method of claim 1, wherein the Ambient IoT device has Subscriber Identity Module (SIM) or a variation of SIM embedded in the Ambient IoT device.10.The method of claim 1, further comprising:obtaining digital signature of the EPC URI from the Ambient IoT device;decrypting the digital signature by using a public key of the Ambient IoT device to obtain a first hash value of the EPC URI;using a hash function to create a second hash value from the obtained EPC URI; andverifying that the obtained EPC URI is unaltered if the second hash value matches the first hash value.11.The method of claim 10, further comprising:if the EPC URI is successfully verified, retrieving user data from the Ambient IoT device or retrieving the user data associated with the EPC URI from a local database or a AIoT Service Provider database.12.The method of claim 10, wherein the public key is received from one of the followings:a certificate issued by a Certificate Authority (CA) ;SIM installed on the Ambient IoT device; anda relevant AIoT network element.13.The method of claim 1, further comprising:generating a number and applying a public key of the Ambient IoT device to encrypt the number;sending the encrypted number to the Ambient IoT device;receiving from the Ambient IoT device a decrypted number, which is decrypted using a private key of the Ambient IoT device; andverifying whther the number is the same as the decrypted number received from the Ambient IoT device.14.The method of claim 1, further comprising:sending a number to the Ambient IoT device;receiving from the Ambient IoT device digital signature of the number; anddecrypting the digital signature of the number by using a public key of the Ambient IoT device to confirm whether the number is originally sent to the Ambient IoT device.15.The method of claim 1, wherein a certificate is embedded in the Ambient IoT device.16.The method of claim 15, wherein the EPC URI is obtained from the certificate embedded in the Ambient IoT device.17.The method of claim 16, wherein the certificate embedded in the Ambient IoT device further comprises a public key of the Ambient IoT device or an AIoT service provider.18.The method of claim 15, wherein the certificate embedded in the Ambient IoT device is issued by a cellular network operator or an AIoT service provider.19.The method of claim 15, further comprising:employing a verification algorithm to validate digital signature associated with the certificate embedded in the Ambient IoT device; andonce succcessful verfication takes place, procceeding with registration and connection procedures with a celluar network.20.A communication device, comprising a memory and a processor, wherein the processor is configured to call and run the program instructions stored in a memory to execute the method of any of claims 1 to 19.21.A non-transitory computer readable storage medium, configured to store a computer program, which enables a computer to execute the method of any of claims 1 to 19.22.A secure data processing method, comprising:receiving from an Ambient Internet of Things (IoT) tag user data encrypted with a public key associated with an AIoT service provider; anddecrypting the encrypted user data by utilizing a private key associated with the AIoT service provider to obtain decrypted user data of the Ambient IoT tag.23.The method of claim 22, wherein the public key associated with the AIoT service provider is from a certificate issued by a cellular network operator or a self-signed certificate from the AIoT service provider.24.The method of claim 22, further comprising:encrypting specific informaitoin by using the public key associated with the Ambient IoT tag; andtransmiting the encrypted specific information to the Ambient IoT tag for the the Ambient IoT tag to decrypt the encrypted specific information by using the private key associated with the Ambient IoT tag.25.The method of claim 24, wherein the public key associated with the Ambient IoT tag is retrieved from an AIoT Network Operator Certificate Authority (CA) or an AIoT Service Provider CA.26.The method of claim 25, wherein Electronic Product Code (EPC) Uniform Resource Identifier (URI) of the Ambient IoT tag serves as an index for obtaining the the public key associated with the Ambient IoT tag.27.The method of claim 24, wherein the private key associated with the Ambient IoT tag is stored in a tamper-resistant security space of the Ambient IoT tag.28.A secure data processing method, comprising:exchanging a shared symmetric key with an Ambient Internet of Things (IoT) tag by utilizing public key cryptography;receiving from the Ambient IoT tag user data encrypted with the shared symmetric key; anddecrypting the encrypted user data by utilizing the shared symmetric key to obtain decrypted user data of the Ambient IoT tag.29.The method of claim 28, further comprising:encrypting specific informaitoin by using the shared symmetric key; andtransmiting the encrypted specific information to the Ambient IoT tag for the the Ambient IoT tag to decrypt the encrypted specific information by using the shared symmetric key.30.The method of claim 28, wherein the shared symmetic key is for a symmetric cryptography comprising Rivest Cipher 4 (RC4) , RC5, RC6, Blowfish, Twofish, Data Encryption Standards (DES) , Triple DES, or Advanced Encryption Standard (AES) .31.The method of claim 28, wherein a key exchange protocol is used in exchanging the shared symmetric key.32.The method of claim 31, wherein the key exchange protocol comprises Diffie-Hellman.33.An Ambient Internet of Things (IoT) device, comprising a storage for storing Electronic Product Code (EPC) Uniform Resource Identifier (URI) .34.The device of claim 33, wherein the Ambient IoT device has Subscriber Identity Module (SIM) or a variation of SIM embedded in the Ambient IoT device.35.The device of claim 33, wherein the storage further stores digital signature of the EPC URI.36.The device of claim 33, wherein the storage further stores user data.37.The device of claim 33, wherein the storage further stores a certificate.38.The device of claim 37, wherein the certificate comprises the EPC URI.39.The method of claim 37, wherein the certificate comprises X. 509 Certificate, X. 509 Certificate Extensions, Attribute Certificate, Card Verifiable (CV) certificate, Pretty Good Privacy (PGP) certificate, WAP certificate, Simple Public Key Infrastructure (SPKI) certificate, or Traceable Anonymous Certificate.40.An Ambien Internet of Things (IoT) device identifier, comprising Subscription Permanent Identifier (SUPI) with Network Access Identifier (NAI) format, wherein the NAI for SUPI comprises a username part and a realm part, and the username part corresponds to Electronic Product Code (EPC) Uniform Resource Identifier (URI) of Ambien IoT device.41.The AIoT device identifier of claim 40, wherein the username part represents user or device identifier, and the realm part specifies authentication domain or realm to which a request is directed.42.The AIoT device identifier of claim 41, wherein the realm part identifies an operator owning the subscription.43.The AIoT device identifier of claim 42, wherein in addition to the EPC URI, the username part comprises a plurality of components corresponding to other information, and the components are separated by a certain character.44.The AIoT device identifier of claim 41, wherein the realm part comprises Ambient IoT Service Provider ID (ASP) , and the Ambient IoT Service Provider ID is a globally unique ID when combined with Public Land Mobile Network (PLMN) ID or independent of the PLMN ID.45.The AIoT device identifier of claim 44, wherein the realm part is constructed by prefixing Network Domain Name with a label “aiot” and with ASP label.46.The AIoT device identifier of claim 40, wherein the SUPI is designed to support Ambient IoT service request or certain applications in defining filtering rules for a group of Ambient IoT devices.