User authentication service
The user authentication service in wireless networks authenticates the actual user through a secure connection and biometric verification, addressing the limitations of existing subscriber-based authentication methods by ensuring secure and personalized access control.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- QUALCOMM INC
- Filing Date
- 2025-11-25
- Publication Date
- 2026-06-11
AI Technical Summary
Existing wireless network authentication schemes primarily verify the identity of the wireless subscriber but fail to authenticate the actual user of the device, leading to potential unauthorized access to sensitive information or services.
A user authentication service is implemented through a secure connection with a wireless network, allowing the generation of a public key/private key pair, registration with a user authentication server, and verification using biometric information to authenticate the user.
Ensures secure user authentication by verifying the actual user of the wireless device, preventing unauthorized access and providing personalized access control.
Smart Images

Figure US2025057125_11062026_PF_FP_ABST
Abstract
Description
Qualcomm Ref. No. 2404002WO1USER AUTHENTICATION SERVICEFIELD
[0001] The present disclosure generally relates to wireless communications. For example, aspects of the present disclosure relate to a technique for a user authentication.BACKGROUND
[0002] Wireless communications systems are deployed to provide various telecommunications and data services, including telephony, video, data, messaging, and broadcasts. Broadband wireless communications systems have developed through various generations, including a first- generation analog wireless phone service (1G), a second-generation (2G) digital wireless phone service (including interim 2.5G networks), a third-generation (3G) high speed data, Internet- capable wireless device, and a fourth-generation (4G) service (e.g., Long-Term Evolution (LTE), WiMax). Examples of wireless communications systems include code division multiple access (CDMA) systems, time division multiple access (TDMA) systems, frequency division multiple access (FDMA) systems, orthogonal frequency division multiple access (OFDMA) systems, Global System for Mobile communication (GSM) systems, etc. Other wireless communications technologies include 802.11 Wi-Fi, Bluetooth, among others.
[0003] A fifth-generation (5G) mobile standard calls for higher data transfer speeds, greater number of connections, and better coverage, among other improvements. The 5G standard (also referred to as “New Radio” or “NR”), according to Next Generation Mobile Networks Alliance, is designed to provide data rates of several tens of megabits per second to each of tens of thousands of users, with 1 gigabit per second to tens of workers on an office floor. Several hundreds of thousands of simultaneous connections should be supported in order to support large sensor deployments. A sixth-generation (6G) mobile standard may build on 5 G to offer further increased data transfer speeds, better coverage, and improved security, among other improvements.SUMMARY
[0004] The following presents a simplified summary relating to one or more aspects disclosed herein. Thus, the following summary should not be considered an extensive overview relating to all contemplated aspects, nor should the following summary be considered to identify key orQualcomm Ref. No. 2404002WO2 critical elements relating to all contemplated aspects or to delineate the scope associated with any particular aspect. Accordingly, the following summary presents certain concepts relating to one or more aspects relating to the mechanisms disclosed herein in a simplified form to precede the detailed description presented below.
[0005] Disclosed are systems, methods, apparatuses, and computer-readable media for performing wireless communications. In one illustrative example, an apparatus for user authentication is provided. The apparatus includes a memory system comprising instructions and a processor system coupled to the memory system, wherein the processor system is configured to: establish a secure connection with a service of a wireless network; provide, for a user authentication server, a user authentication registration request to the service via the secure connection; and receive, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0006] As another example, a method for user authentication is provided. The method includes: establishing, by a wireless device, a secure connection with a service of a wireless network; providing, for a user authentication server, a user authentication registration request to the service via the secure connection; and receiving, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0007] In another example, a non-transitory computer-readable medium having stored thereon instructions is provided. The instructions, when executed by a processor system, cause the processor system to: establish a secure connection with a service of a wireless network; provide, for a user authentication server, a user authentication registration request to the service via the secure connection; and receive, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0008] As another example, an apparatus for user authentication is provided. The apparatus includes: means for establishing a secure connection with a service of a wireless network; means for providing, for a user authentication server, a user authentication registration request to the service via the secure connection; and means for receiving, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.Qualcomm Ref. No. 2404002WO3
[0009] In another example, an apparatus for user authentication is provided. The apparatus including a memory system comprising instructions; and a processor system coupled to the memory system, wherein the processor system is configured to: establish, by a first service of a wireless network, a secure connection with a wireless device using a subscription credential associated with the wireless device; receive a user authentication registration request from the wireless device via the secure connection, the user authentication registration request comprises a public key of a public key-private key pair; transmit, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmit, to the wireless device, an indication that the user authentication registration request was successful.
[0010] As another example, a method for user authentication is provided. The method includes: establishing a secure connection with a wireless device; receiving a user authentication registration request from the wireless device via the secure connection; transmitting, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmitting, to the wireless device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0011] In another example, a non-transitory computer-readable medium having stored thereon instructions is provided. The instructions, when executed by a processor system, cause the processor system to: establish a secure connection with a wireless device; receive a user authentication registration request from the wireless device via the secure connection; transmit, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmit, to the wireless device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0012] As another example, an apparatus for user authentication is provided. The apparatus includes: means for establishing a secure connection with a wireless device; means for receiving a user authentication registration request from the wireless device via the secure connection; means for transmitting, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and means for transmitting, to the wirelessQualcomm Ref. No. 2404002WO4 device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0013] Aspects generally include a method, apparatus, system, computer program product, non- transitory computer-readable medium, user equipment, base station, wireless communication device, and / or processing system as substantially described herein with reference to and as illustrated by the drawings and specification.
[0014] The foregoing has outlined rather broadly the features and technical advantages of examples according to the disclosure in order that the detailed description that follows may be better understood. Additional features and advantages will be described hereinafter. The conception and specific examples disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present disclosure. Such equivalent constructions do not depart from the scope of the appended claims. Characteristics of the concepts disclosed herein, both their organization and method of operation, together with associated advantages, will be better understood from the following description when considered in connection with the accompanying figures. Each of the figures is provided for the purposes of illustration and description, and not as a definition of the limits of the claims.
[0015] While aspects are described in the present disclosure by illustration to some examples, those skilled in the art will understand that such aspects may be implemented in many different arrangements and scenarios. Techniques described herein may be implemented using different platform types, devices, systems, shapes, sizes, and / or packaging arrangements. For example, some aspects may be implemented via integrated chip embodiments or other non-modulecomponent based devices (e.g., end-user devices, vehicles, communication devices, computing devices, industrial equipment, retail / purchasing devices, medical devices, and / or artificial intelligence devices). Aspects may be implemented in chip-level components, modular components, non-modular components, non-chip-level components, device-level components, and / or system-level components. Devices incorporating described aspects and features may include additional components and features for implementation and practice of claimed and described aspects. For example, transmission and reception of wireless signals may include one or more components for analog and digital purposes (e.g., hardware components including antennas, radio frequency (RF) chains, power amplifiers, modulators, buffers, processors, interleavers,Qualcomm Ref. No. 2404002WO5 adders, and / or summers). It is intended that aspects described herein may be practiced in a wide variety of devices, components, systems, distributed arrangements, and / or end-user devices of varying size, shape, and constitution.
[0016] In some aspects, one or more of the apparatuses described herein comprises a mobile device (e.g., a mobile telephone or so-called “smart phone”, a tablet computer, or other type of mobile device), a wearable device, an extended reality device (e.g., a virtual reality (VR) device, an augmented reality (AR) device, or a mixed reality (MR) device), a personal computer, a laptop computer, a video server, a television (e.g., a network-connected television), a vehicle (or a computing device of a vehicle), or other device. In some aspects, the apparatus(es) includes at least one camera for capturing one or more images or video frames. For example, the apparatus(es) can include a camera (e.g., an RGB camera) or multiple cameras for capturing one or more images and / or one or more videos including video frames. In some aspects, the apparatus(es) includes at least one display for displaying one or more images, videos, notifications, or other displayable data. In some aspects, the apparatus(es) includes at least one transmitter configured to transmit one or more video frame and / or syntax data over a transmission medium to at least one device. In some aspects, the at least one processor includes a neural processing unit (NPU), a neural signal processor (NSP), a central processing unit (CPU), a graphics processing unit (GPU), any combination thereof, and / or other processing device or component.
[0017] Other objects and advantages associated with the aspects disclosed herein will be apparent to those skilled in the art based on the accompanying drawings and detailed description.BRIEF DESCRIPTION OF THE DRAWINGS
[0018] Examples of various implementations are described in detail below with reference to the following figures:
[0019] FIG. l is a block diagram illustrating an example of a wireless communication network, in accordance with some examples;
[0020] FIG. 2 is a diagram illustrating a design of a base station and a User Equipment (UE) device that enable transmission and processing of signals exchanged between the UE and the base station, in accordance with some examples;Qualcomm Ref. No. 2404002WO6
[0021] FIG. 3 is a diagram illustrating an example of a disaggregated base station, in accordance with some examples;
[0022] FIG. 4 is a block diagram illustrating components of a user equipment, in accordance with some examples;
[0023] FIG. 5 is a diagram of a security architecture of a wireless network, according to aspects of the disclosure;
[0024] FIG. 6 is a call flow diagram illustrating an example control plane registration procedure for user authentication for a wireless network, in accordance with aspects of the present disclosure;
[0025] FIG. 7 is a call flow diagram illustrating an example user plane registration procedure for user authentication for a wireless network, in accordance with aspects of the present disclosure;
[0026] FIG. 8 is a call flow diagram illustrating an example user authentication procedure for a wireless network, in accordance with aspects of the present disclosure;
[0027] FIG. 9 is a flow diagram illustrating a process for user authentication, in accordance with aspects of the present disclosure;
[0028] FIG. 10 is a flow diagram illustrating a process for user authentication, in accordance with aspects of the present disclosure; and
[0029] FIG. 11 is a diagram illustrating an example of a system for implementing certain aspects of the present technology.DETAILED DESCRIPTION
[0030] Certain aspects and embodiments of this disclosure are provided below. Some of these aspects and embodiments may be applied independently and some of them may be applied in combination as would be apparent to those of skill in the art. In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of embodiments of the application. However, it will be apparent that various embodiments may be practiced without these specific details. The figures and description are not intended to be restrictive.Qualcomm Ref. No. 2404002WO7
[0031] The ensuing description provides example embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the application as set forth in the appended claims.
[0032] Wireless networks are deployed to provide various communication services, such as voice, video, packet data, messaging, broadcast, and / or the like. A wireless network may support both access links for communication between wireless devices. An access link may refer to any communication link between a client device (e.g., a user equipment (UE), a station (STA), or other client device) and a base station (e.g., a 3rdGeneration Partnership Project (3GPP) gNodeB (gNB) for 5G / NR, a 3GPP eNodeB (eNB) for LTE, a Wi-Fi access point (AP), or other base station) or a component of a disaggregated base station (e.g., a central unit, a distributed unit, and / or a radio unit). In one example, an access link between a UE and a 3 GPP gNB may be over a Uu interface. In some cases, an access link may support uplink signaling, downlink signaling, connection procedures, etc.
[0033] In some cases, it may be useful for services of a wireless network to be able to authenticate a user of a wireless device. For example, a device may be attempting to access private information stored on the wireless network and the wireless network may want to verify that the user is accessing the information, rather than another person borrowing the wireless device. As another example, a single wireless device may be shared among multiple users, such as between a parent and a child, or between multiple employees of a company (e g., between an employee and an information technology (IT) department). It may be useful for a service to verify, for example, whether the child or the parent is attempting to access the service before providing access to the service. Similarly, another service may provide a certain amount of access to certain users, such as employees, and access to additional services, such as administrative services, to other users, such as an administrative employee. Generally, existing authentication schemes for wireless networks, such as STIR / SHAKEN, verify an identity or identifier of the wireless subscriber with the wireless network, but these authentication schemes may not verify / authenticate an actual user of the wireless device.Qualcomm Ref. No. 2404002WO8
[0034] Systems, apparatuses, electronic devices, methods (also referred to as processes), and computer-readable media (collectively referred to herein as “systems and techniques”) are described herein for a user authentication service for a wireless network. In some cases, the wireless device may perform user authentication via a service of the wireless network. For example, where the wireless device performs user authentication via a control plane of the wireless network, user authentication may be performed via a security service. As another example, the wireless device may perform user authentication via a user authentication service, which works with, but is separate from, the security service, through the user plane of the wireless network. In some cases, user authentication for wireless networks may be based on fast identity online (FIDO).
[0035] To perform user authentication, a user of the wireless device may register for user authentication. To register for user authentication, the wireless device may establish a secure connection with the service, for example, through a regular authentication process of the wireless network. The wireless device may generate a public key / private key pair. The wireless device may provide the public key to the service in a user authentication registration request. The user authentication registration request may be a request to register with a user authentication service(such as a FIDO registration request) of the wireless network to authenticate a certain user of the wireless device. In some cases, the wireless device may also provide an identifier, such as a user identifier (ID). The wireless device may also provide a public land mobile network (PLMN) identifier. In some cases, the service may add a user equipment (UE) identifier to the user authentication registration request and pass on the user authentication registration request to a user authentication server / service, such as a FIDO server. The user authentication server may register the user. In some cases, the UE identifier may be provided by the UE. The service or user authentication server may create a user profile on a unified data management (UDM) server. This user profile may include the UE ID, identifier for the public key, user specific information, and / or the like. The service may then indicate back to the wireless device that registration has succeeded and return a user identifier associated with the registration. The wireless device may associate the user identifier with a particular user of the wireless device, for example, using biometric information, passcode, etc.
[0036] In some cases, the user may be authenticated via a service. This service may be, for example, a security service of the wireless network or another service of the wireless network.Qualcomm Ref. No. 2404002WO9After establishing a secure connection with a second service that uses user authentication, the second service may request user authentication, for example, via the security service of the wireless network. The second service or security service may obtain the user profile from the UDM after user authentication. The security service may then trigger user authentication with the wireless device based on the user profile (e.g., for a specific user identifier). The wireless device may then verify the user. For example, the wireless device may request biometric (or other) authentication from the user. If the user is verified, the wireless device may generate user authentication response signed by the private key of the user. The user authentication responses may be sent to the security service. The security service may verify the user authentication response with the user authentication server. For example, the security service may send the user authentication response to the user authentication server and the user authentication server may obtain the public key associated with the user identifier and verify the user authentication response using the public key. If the user is authenticated, the security service may provide an indication that the user is authenticated to the second service.
[0037] Additional aspects of the present disclosure are described in more detail below.
[0038] As used herein, the terms “user equipment” (UE) and “network entity” are not intended to be specific or otherwise limited to any particular radio access technology (RAT), unless otherwise noted. In general, a UE may be any wireless communication device (e.g., a mobile phone, router, tablet computer, laptop computer, and / or tracking device, etc.), wearable (e.g., smartwatch, smart-glasses, wearable ring, and / or an extended reality (XR) device such as a virtual reality (VR) headset, an augmented reality (AR) headset or glasses, or a mixed reality (MR) headset), vehicle (e.g., automobile, motorcycle, bicycle, etc.), and / or Internet of Things (loT) device, etc., used by a user to communicate over a wireless communications network. A UE may be mobile or may (e.g., at certain times) be stationary, and may communicate with a radio access network (RAN). As used herein, the term “UE” may be referred to interchangeably as an “access terminal” or “AT,” a “client device,” a “wireless device,” a “subscriber device,” a “subscriber terminal,” a “subscriber station,” a “user terminal” or “UT,” a “mobile device,” a “mobile terminal,” a “mobile station,” or variations thereof. Generally, UEs may communicate with a core network via a RAN, and through the core network the UEs may be connected with external networks such as the Internet and with other UEs. Of course, other mechanisms of connecting toQualcomm Ref. No. 2404002WO10 the core network and / or the Internet are also possible for the UEs, such as over wired access networks, wireless local area network (WLAN) networks (e.g., based on IEEE 802.11 communication standards, etc.) and so on.
[0039] A network entity may be implemented in an aggregated or monolithic base station architecture, or alternatively, in a disaggregated base station architecture, and may include one or more of a central unit (CU), a distributed unit (DU), a radio unit (RU), a transmission reception point (TRP), a Near-Real Time (Near-RT) RAN Intelligent Controller (RIC), or a Non-Real Time (Non-RT) RIC. A base station (e.g., with an aggregated / monolithic base station architecture or disaggregated base station architecture) may operate according to one of several RATs in communication with UEs depending on the network in which it is deployed, and may be alternatively referred to as an access point (AP), a wireless node, a NodeB (NB), an evolved NodeB (eNB), a next generation eNB (ng-eNB), a New Radio (NR) Node B (also referred to as a gNB or gNodeB), etc. A base station may be used primarily to support wireless access by UEs, including supporting data, voice, and / or signaling connections for the supported UEs. In some systems, a base station may provide edge node signaling functions while in other systems it may provide additional control and / or network management functions. A communication link through which UEs may send signals to a base station is called an uplink (UL) channel (e.g., a reverse traffic channel, a reverse control channel, an access channel, etc.). A communication link through which the base station may send signals to UEs is called a downlink (DL) or forward link channel (e.g., a paging channel, a control channel, a broadcast channel, or a forward traffic channel, etc.). The term traffic channel (TCH), as used herein, may refer to either an uplink, reverse or downlink, and / or a forward traffic channel.
[0040] The term “network entity” or “base station” (e.g., with an aggregated / monolithic base station architecture or disaggregated base station architecture) may refer to a single physical transmit receive point (TRP) or to multiple physical TRPs that may or may not be co-located. For example, where the term “network entity” or “base station” refers to a single physical TRP, the physical TRP may be an antenna of the base station corresponding to a cell (or several cell sectors) of the base station. Where the term “network entity” or “base station” refers to multiple co-located physical TRPs, the physical TRPs may be an array of antennas (e.g., as in a multiple-input multiple-output (MIMO) system or where the base station employs beamforming) of the baseQualcomm Ref. No. 2404002WO11 station. Where the term “base station” refers to multiple non-co-1 ocated physical TRPs, the physical TRPs may be a distributed antenna system (DAS) (a network of spatially separated antennas connected to a common source via a transport medium) or a remote radio head (RRH) (a remote base station connected to a serving base station). Alternatively, the non-co-1 ocated physical TRPs may be the serving base station receiving the measurement report from the UE and a neighbor base station whose reference radio frequency (RF) signals (or simply “reference signals”) the UE is measuring. Because a TRP is the point from which a base station transmits and receives wireless signals, as used herein, references to transmission from or reception at a base station are to be understood as referring to a particular TRP of the base station.
[0041] In some implementations that support positioning of UEs, a network entity or base station may not support wireless access by UEs (e.g., may not support data, voice, and / or signaling connections for UEs), but may instead transmit reference signals to UEs to be measured by the UEs, and / or may receive and measure signals transmitted by the UEs. Such a base station may be referred to as a positioning beacon (e.g., when transmitting signals to UEs) and / or as a location measurement unit (e.g., when receiving and measuring signals from UEs).
[0042] An RF signal comprises an electromagnetic wave of a given frequency that transports information through the space between a transmitter and a receiver. As used herein, a transmitter may transmit a single “RF signal” or multiple “RF signals” to a receiver. However, the receiver may receive multiple “RF signals” corresponding to each transmitted RF signal due to the propagation characteristics of RF signals through multipath channels. The same transmitted RF signal on different paths between the transmitter and receiver may be referred to as a “multipath” RF signal. As used herein, an RF signal may also be referred to as a “wireless signal” or simply a “signal” where it is clear from the context that the term “signal” refers to a wireless signal or an RF signal.
[0043] Various aspects of the systems and techniques described herein will be discussed below with respect to the figures. According to various aspects, FIG. 1 illustrates an example of a wireless communications system 100. The wireless communications system 100 (which may also be referred to as a wireless wide area network (WWAN)) may include various base stations 102 and various UEs 104. In some aspects, the base stations 102 may also be referred to as “network entities,” “wireless nodes,” or “network nodes.” One or more of the base stations 102 may beQualcomm Ref. No. 2404002WO12 implemented in an aggregated or monolithic base station architecture. Additionally, or alternatively, one or more of the base stations 102 may be implemented in a disaggregated base station architecture, and may include one or more of a central unit (CU), a distributed unit (DU), a radio unit (RU), a Near-Real Time (Near-RT) RAN Intelligent Controller (RIC), or a Non-Real Time (Non-RT) RIC. The base stations 102 may include macro cell base stations (high power cellular base stations) and / or small cell base stations (low power cellular base stations). In an aspect, the macro cell base station may include eNBs and / or ng-eNBs where the wireless communications system 100 corresponds to a long term evolution (LTE) network, or gNBs where the wireless communications system 100 corresponds to a NR network, or a combination of both, and the small cell base stations may include femtocells, picocells, microcells, etc.
[0044] The base stations 102 may collectively form a RAN and interface with a core network 170 (e.g., an evolved packet core (EPC) or a 5G core (5GC)) through backhaul links 122, and through the core network 170 to one or more location servers 172 (which may be part of core network 170 or may be external to core network 170). In addition to other functions, the base stations 102 may perform functions that relate to one or more of transferring user data, radio channel ciphering and deciphering, integrity protection, header compression, mobility control functions (e.g., handover, dual connectivity), inter-cell interference coordination, connection setup and release, load balancing, distribution for non-access stratum (NAS) messages, NAS node selection, synchronization, RAN sharing, multimedia broadcast multicast service (MBMS), subscriber and equipment trace, RAN information management (RIM), paging, positioning, and delivery of warning messages. The base stations 102 may communicate with each other directly or indirectly (e g., through the EPC or 5GC) over backhaul links 134, which may be wired and / or wireless.
[0045] The base stations 102 may wirelessly communicate with the UEs 104. Each of the base stations 102 may provide communication coverage for a respective geographic coverage area 110. In an aspect, one or more cells may be supported by a base station 102 in each coverage area 110. A “cell” is a logical communication entity used for communication with a base station (e.g., over some frequency resource, referred to as a carrier frequency, component carrier, carrier, band, or the like), and may be associated with an identifier (e.g., a physical cell identifier (PCI), a virtual cell identifier (VCI), a cell global identifier (CGI)) for distinguishing cells operating via the sameQualcomm Ref. No. 2404002WO13 or a different carrier frequency. Tn some cases, different cells may be configured according to different protocol types (e.g., machine-type communication (MTC), narrowband ToT (NB-IoT), enhanced mobile broadband (eMBB), or others) that may provide access for different types of Ues. Because a cell is supported by a specific base station, the term “cell” may refer to either or both of the logical communication entity and the base station that supports it, depending on the context. In addition, because a TRP is typically the physical transmission point of a cell, the terms “cell” and “TRP” may be used interchangeably. In some cases, the term “cell” may also refer to a geographic coverage area of a base station (e g., a sector), insofar as a carrier frequency may be detected and used for communication within some portion of geographic coverage areas 110.
[0046] While neighboring macro cell base station 102 geographic coverage areas 110 may partially overlap (e.g., in a handover region), some of the geographic coverage areas 110 may be substantially overlapped by a larger geographic coverage area 110. For example, a small cell base station 102’ may have a coverage area 110’ that substantially overlaps with the coverage area 110 of one or more macro cell base stations 102. A network that includes both small cell and macro cell base stations may be known as a heterogeneous network. A heterogeneous network may also include home eNBs (HeNBs), which may provide service to a restricted group known as a closed subscriber group (CSG).
[0047] The communication links 120 between the base stations 102 and the Ues 104 may include uplink (also referred to as reverse link) transmissions from a UE 104 to a base station 102 and / or downlink (also referred to as forward link) transmissions from a base station 102 to a UE 104. The communication links 120 may use MIMO antenna technology, including spatial multiplexing, beamforming, and / or transmit diversity. The communication links 120 may be through one or more carrier frequencies. Allocation of carriers may be asymmetric with respect to downlink and uplink (e.g., more or less carriers may be allocated for downlink than for uplink).
[0048] The wireless communications system 100 may further include a WLAN AP 150 in communication with WLAN stations (STAs) 152 via communication links 154 in an unlicensed frequency spectrum (e.g., 5 Gigahertz (GHz)). When communicating in an unlicensed frequency spectrum, the WLAN STAs 152 and / or the WLAN AP 150 may perform a clear channel assessment (CCA) or listen before talk (LBT) procedure prior to communicating in order to determine whether the channel is available. In some examples, the wireless communicationsQualcomm Ref. No. 2404002WO14 system 100 may include devices (e.g., Ues, etc.) that communicate with one or more Ues 104, base stations 102, Aps 150, etc. utilizing the ultra-wideband (UWB) spectrum. TheUWB spectrum may range from 3.1 to 10.5 GHz.
[0049] The small cell base station 102’ may operate in a licensed and / or an unlicensed frequency spectrum. When operating in an unlicensed frequency spectrum, the small cell base station 102’ may employ LTE or NR technology and use the same 5 GHz unlicensed frequency spectrum as used by the WLAN AP 150. The small cell base station 102’, employing LTE and / or 5G in an unlicensed frequency spectrum, may boost coverage to and / or increase capacity of the access network. NR in unlicensed spectrum may be referred to as NR-U. LTE in an unlicensed spectrum may be referred to as LTE-U, licensed assisted access (LAA), or MulteFire.
[0050] The wireless communications system 100 may further include a millimeter wave (mmW) base station 180 that may operate in mmW frequencies and / or near mmW frequencies in communication with aUE 182. The mmW base station 180 may be implemented in an aggregated or monolithic base station architecture, or alternatively, in a disaggregated base station architecture (e.g., including one or more of a CU, a DU, a RU, a Near-RT RIC, or a Non-RT RIC). Extremely high frequency (EHF) is part of the RF in the electromagnetic spectrum. EHF has a range of 30 GHz to 300 GHz and a wavelength between 1 millimeter and 10 millimeters. Radio waves in this band may be referred to as a millimeter wave. Near mmW may extend down to a frequency of 3 GHz with a wavelength of 100 millimeters. The super high frequency (SHF) band extends between 3 GHz and 30 GHz, also referred to as centimeter wave. Communications using the mmW and / or near mmW radio frequency band have high path loss and a relatively short range. The mmW base station 180 and the UE 182 may utilize beamforming (transmit and / or receive) over an mmW communication link 184 to compensate for the extremely high path loss and short range. Further, it will be appreciated that in alternative configurations, one or more base stations 102 may also transmit using mmW or near mmW and beamforming. Accordingly, it will be appreciated that the foregoing illustrations are merely examples and should not be construed to limit the various aspects disclosed herein.
[0051] In some aspects relating to 5G, the frequency spectrum in which wireless nodes, network nodes, or entities (e.g., base stations 102 / 180, UEs 104 / 182) operate is divided into multiple frequency ranges, FR1 (from 450 to 6000 Megahertz (MHz)), FR2 (from 24250 to 52600 MHz),Qualcomm Ref. No. 2404002WO15FR3 (above 52600 MHz), and FR4 (between FR1 and FR2). In a multi-carrier system, such as 5G, one of the carrier frequencies is referred to as the “primary carrier” or “anchor carrier” or “primary serving cell” or “PCell,” and the remaining carrier frequencies are referred to as “secondary carriers” or “secondary serving cells” or “SCells.” In carrier aggregation, the anchor carrier is the carrier operating on the primary frequency (e.g., FR1) utilized by a UE 104 / 182 and the cell in which the UE 104 / 182 either performs the initial radio resource control (RRC) connection establishment procedure or initiates the RRC connection re-establishment procedure. The primary carrier carries all common and UE-specific control channels and may be a carrier in a licensed frequency (however, this is not always the case). A secondary carrier is a carrier operating on a second frequency (e.g., FR2) that may be configured once the RRC connection is established between the UE 104 and the anchor carrier and that may be used to provide additional radio resources. In some cases, the secondary carrier may be a carrier in an unlicensed frequency. The secondary carrier may contain only necessary signaling information and signals, for example, those that are UE-specific may not be present in the secondary carrier, since both primary uplink and downlink carriers are typically UE-specific. This means that different UEs 104 / 182 in a cell may have different downlink primary carriers. The same is true for the uplink primary carriers. The network is able to change the primary carrier of any UE 104 / 182 at any time. This is done, for example, to balance the load on different carriers. Because a “serving cell” (whether a PCell or an SCell) corresponds to a carrier frequency and / or component carrier over which some base station is communicating, the term “cell,” “serving cell,” “component carrier,” “carrier frequency,” and / or the like may be used interchangeably.
[0052] For example, still referring to FIG. 1, one of the frequencies utilized by the macro cell base stations 102 may be an anchor carrier (or “PCell”) and other frequencies utilized by the macro cell base stations 102 and / or the mmW base station 180 may be secondary carriers (“SCells”). In carrier aggregation, the base stations 102 and / or the UEs 104 may use spectrum up to Y MHz (e.g., 5, 10, 15, 20, 100 MHz) bandwidth per carrier up to a total of Yx MHz (x component carriers) for transmission in each direction. The component carriers may or may not be adjacent to each other on the frequency spectrum. Allocation of carriers may be asymmetric with respect to the downlink and uplink (e.g., more or less carriers may be allocated for downlink than for uplink). The simultaneous transmission and / or reception of multiple carriers enables the UE 104 / 182 to significantly increase its data transmission and / or reception rates. For example, two 20 MHzQualcomm Ref. No. 2404002WO16 aggregated carriers in a multi-carrier system would theoretically lead to a two-fold increase in data rate (i.e., 40 MHz), compared to that attained by a single 20 MHz carrier.
[0053] In order to operate on multiple carrier frequencies, a base station 102 and / or a UE 104 may be equipped with multiple receivers and / or transmitters. For example, a UE 104 may have two receivers, “Receiver 1” and “Receiver 2,” where “Receiver 1” is a multi-band receiver that may be tuned to band (i.e., carrier frequency) ‘X’ or band ‘Y,’ and “Receiver 2” is a one-band receiver tuneable to band ‘Z’ only. In this example, if the UE 104 is being served in band ‘X,’ band ‘X’ would be referred to as the PCell or the active carrier frequency, and “Receiver 1” would need to tune from band ‘X’ to band ‘Y’ (an SCell) in order to measure band ‘ Y’ (and vice versa). In contrast, whether the UE 104 is being served in band ‘X’ or band ‘Y,’ because of the separate “Receiver 2,” the UE 104 may measure band ‘Z’ without interrupting the service on band ‘X’ or band ‘Y.’
[0054] The wireless communications system 100 may further include a UE 164 that may communicate with a macro cell base station 102 over a communication link 120 and / or the mmW base station 180 over an mmW communication link 184. For example, the macro cell base station 102 may support a PCell and one or more SCells for the UE 164 and the mmW base station 180 may support one or more SCells for the UE 164.
[0055] The wireless communications system 100 may further include one or more UEs, such as UE 190, that connects indirectly to one or more communication networks via one or more device- to-device (D2D) peer-to-peer (P2P) links (referred to as “sidelinks”). In the example of FIG. 1, UE 190 has a D2D P2P link 192 with one of the UEs 104 connected to one of the base stations 102 (e.g., through which UE 190 may indirectly obtain cellular connectivity) and a D2D P2P link 194 with WLAN STA 152 connected to the WLAN AP 150 (through which UE 190 may indirectly obtain WLAN-based Internet connectivity). In an example, the D2D P2P links 192 and 194 may be supported with any well-known D2D RAT, such as LTE Direct (LTE-D), Wi-Fi Direct (Wi-Fi- D), Bluetooth®, and so on.
[0056] FIG. 2 shows a block diagram of a design of a base station 102 and a UE 104 that enable transmission and processing of signals exchanged between the UE and the base station, in accordance with some aspects of the present disclosure. Design 200 includes components of a base station 102 and a UE 104, which may be one of the base stations 102 and one of the UEs 104Qualcomm Ref. No. 2404002WO17 in FIG. 1 . Base station 102 may be equipped with T antennas 234a through 234t, and UE 104 may be equipped with R antennas 252a through 252r, where in general T>1 and R>1.
[0057] At base station 102, a transmit processor 220 may receive data from a data source 212 for one or more UEs, select one or more modulation and coding schemes (MCS) for each UE based at least in part on channel quality indicators (CQIs) received from the UE, process (e.g., encode and modulate) the data for each UE based at least in part on the MCS(s) selected for the UE, and provide data symbols for all UEs. Transmit processor 220 may also process system information (e.g., for semi-static resource partitioning information (SRPI) and / or the like) and control information (e.g., CQI requests, grants, upper layer signaling, channel state information, channel state feedback, and / or the like) and provide overhead symbols and control symbols. Transmit processor 220 may also generate reference symbols for reference signals (e.g., the cell-specific reference signal (CRS)) and synchronization signals (e.g., the primary synchronization signal (PSS) and secondary synchronization signal (SSS)). A transmit (TX) multiple-input multipleoutput (MIMO) processor 230 may perform spatial processing (e.g., precoding) on the data symbols, the control symbols, the overhead symbols, and / or the reference symbols, if applicable, and may provide T output symbol streams to T modulators (MODs) 232a through 232t. The modulators 232a through 232t are shown as a combined modulator-demodulator (MOD- DEMOD). In some cases, the modulators and demodulators may be separate components. Each modulator of the modulators 232a to 232t may process a respective output symbol stream, e.g., for an orthogonal frequency -division multiplexing (OFDM) scheme and / or the like, to obtain an output sample stream. Each modulator of the modulators 232a to 232t may further process (e.g., convert to analog, amplify, filter, and upconvert) the output sample stream to obtain a downlink signal. T downlink signals may be transmitted from modulators 232a to 232t via T antennas 234a through 234t, respectively. According to certain aspects described in more detail below, the synchronization signals may be generated with location encoding to convey additional information.
[0058] At UE 104, antennas 252a through 252r may receive the downlink signals from base station 102 and / or other base stations and may provide received signals to demodulators (DEMODs) 254a through 254r, respectively. The demodulators 254a through 254r are shown as a combined modulator-demodulator (MOD-DEMOD). In some cases, the modulators andQualcomm Ref. No. 2404002WO18 demodulators may be separate components. Each demodulator of the demodulators 254a through 254r may condition (e.g., fdter, amplify, downconvert, and digitize) a received signal to obtain input samples. Each demodulator of the demodulators 254a through 254r may further process the input samples (e.g., for OFDM and / or the like) to obtain received symbols. A MIMO detector 256 may obtain received symbols from all R demodulators 254a through 254r, perform MIMO detection on the received symbols if applicable, and provide detected symbols. A receive processor 258 may process (e.g., demodulate and decode) the detected symbols, provide decoded data for UE 104 to a data sink 260, and provide decoded control information and system information to a controller / processor 280. A channel processor may determine reference signal received power (RSRP), received signal strength indicator (RS SI), reference signal received quality (RSRQ), channel quality indicator (CQI), and / or the like.
[0059] On the uplink, at UE 104, a transmit processor 264 may receive and process data from a data source 262 and control information (e.g., for reports comprising RSRP, RSSI, RSRQ, CQI, channel state information, channel state feedback, and / or the like) from controller / processor 280. Transmit processor 264 may also generate reference symbols for one or more reference signals (e.g., based at least in part on a beta value or a set of beta values associated with the one or more reference signals). The symbols from transmit processor 264 may be precoded by a TX-MIMO processor 266 if application, further processed by modulators 254a through 254r (e.g., for DFT-s- OFDM, CP-OFDM, and / or the like), and transmitted to base station 102. At base station 102, the uplink signals from UE 104 and other UEs may be received by antennas 234a through 234t, processed by demodulators 232a through 232t, detected by a MIMO detector 236 if applicable, and further processed by a receive processor 238 to obtain decoded data and control information sent by UE 104. Receive processor 238 may provide the decoded data to a data sink 239 and the decoded control information to controller (processor) 240. Base station 102 may include communication unit 244 and communicate to a network controller 231 via communication unit 244. Network controller 231 may include communication unit 294, controller / processor 290, and memory 292.
[0060] In some aspects, one or more components of UE 104 may be included in a housing. Controller 240 of base station 102, controller / processor 280 of UE 104, and / or any otherQualcomm Ref. No. 2404002WO19 component(s) of FIG. 2 may perform one or more techniques associated with implicit uplink control information (UCI) beta value determination for NR.
[0061] Memories 242 and 282 may store data and program codes for the base station 102 and the UE 104, respectively. A scheduler 246 may schedule UEs for data transmission on the downlink, uplink, and / or sidelink.
[0062] In some aspects, deployment of communication systems, such as 5G new radio (NR) systems, may be arranged in multiple manners with various components or constituent parts. In a 5G NR system, or network, a network node, a network entity, a mobility element of a network, a radio access network (RAN) node, a wireless access node, a wireless node, a core network node, a network element, or a network equipment, such as a base station (BS), or one or more units (or one or more components) performing base station functionality, may be implemented in an aggregated or disaggregated architecture. For example, a BS (such as a Node B (NB), evolved NB (eNB), NR BS, 5G NB, access point (AP), a transmit receive point (TRP), or a cell, etc.) may be implemented as an aggregated base station (also known as a standalone BS or a monolithic BS) or a disaggregated base station.
[0063] An aggregated base station may be configured to utilize a radio protocol stack that is physically or logically integrated within a single RAN node. A disaggregated base station may be configured to utilize a protocol stack that is physically or logically distributed among two or more units (such as one or more central or centralized units (CUs), one or more distributed units (DUs), or one or more radio units (RUs)). In some aspects, a CU may be implemented within a RAN node, and one or more DUs may be co-located with the CU, or alternatively, may be geographically or virtually distributed throughout one or multiple other RAN nodes. The DUs may be implemented to communicate with one or more RUs. Each of the CU, DU and RU also may be implemented as virtual units, i.e., a virtual central unit (VCU), a virtual distributed unit (VDU), or a virtual radio unit (VRU).
[0064] Base station-type operation or network design may consider aggregation characteristics of base station functionality. For example, disaggregated base stations may be utilized in an integrated access backhaul (IAB) network, an open radio access network (O-RAN (such as the network configuration sponsored by the O-RAN Alliance)), or a virtualized radio access network (vRAN, also known as a cloud radio access network (C-RAN)). Disaggregation may includeQualcomm Ref. No. 2404002WO20 distributing functionality across two or more units at various physical locations, as well as distributing functionality for at least one unit virtually, which may enable flexibility in network design. The various units of the disaggregated base station, or disaggregated RAN architecture, may be configured for wired or wireless communication with at least one other unit.
[0065] FIG. 3 shows a diagram illustrating an example disaggregated base station 300 architecture. The disaggregated base station 300 architecture may include one or more central units (CUs) 310 that may communicate directly with a core network 320 via a backhaul link, or indirectly with the core network 320 through one or more disaggregated base station units (such as a Near-Real Time (Near-RT) RAN Intelligent Controller (RIC) 325 via an E2 link, or a NonReal Time (Non-RT) RIC 315 associated with a Service Management and Orchestration (SMO) Framework 305, or both). A CU 310 may communicate with one or more distributed units (DUs) 330 via respective midhaul links, such as an Fl interface. The DUs 330 may communicate with one or more radio units (RUs) 340 via respective fronthaul links. The RUs 340 may communicate with respective UEs 104 via one or more radio frequency (RF) access links. In some implementations, the UE 104 may be simultaneously served by multiple RUs 340.
[0066] Each of the units, e.g., the CUs 310, the DUs 330, the RUs 340, as well as the Near-RT RICs 325, the Non-RT RICs 315 and the SMO Framework 305, may include one or more interfaces or be coupled to one or more interfaces configured to receive or transmit signals, data, or information (collectively, signals) via a wired or wireless transmission medium. Each of the units, or an associated processor or controller providing instructions to the communication interfaces of the units, may be configured to communicate with one or more of the other units via the transmission medium. For example, the units may include a wired interface configured to receive or transmit signals over a wired transmission medium to one or more of the other units. Additionally, the units may include a wireless interface, which may include a receiver, a transmitter or transceiver (such as a radio frequency (RF) transceiver), configured to receive or transmit signals, or both, over a wireless transmission medium to one or more of the other units.
[0067] In some aspects, the CU 310 may host one or more higher layer control functions. Such control functions may include radio resource control (RRC), packet data convergence protocol (PDCP), service data adaptation protocol (SDAP), or the like. Each control function may be implemented with an interface configured to communicate signals with other control functionsQualcomm Ref. No. 2404002WO21 hosted by the CU 310. The CU 310 may be configured to handle user plane functionality (i.e., Central Unit - User Plane (CU-UP)), control plane functionality (i.e., Central Unit - Control Plane (CU-CP)), or a combination thereof In some implementations, the CU 310 may be logically split into one or more CU-UP units and one or more CU-CP units. The CU-UP unit may communicate bidirectionally with the CU-CP unit via an interface, such as the El interface when implemented in an O-RAN configuration. The CU 310 may be implemented to communicate with the DU 330, as necessary, for network control and signaling.
[0068] The DU 330 may correspond to a logical unit that includes one or more base station functions to control the operation of one or more RUs 340. In some aspects, the DU 330 may host one or more of a radio link control (RLC) layer, a medium access control (MAC) layer, and one or more high physical (PHY) layers (such as modules for forward error correction (FEC) encoding and decoding, scrambling, modulation and demodulation, or the like) depending, at least in part, on a functional split, such as those defined by the 3rd Generation Partnership Project (3GPP). In some aspects, the DU 330 may further host one or more low PHY layers. Each layer (or module) may be implemented with an interface configured to communicate signals with other layers (and modules) hosted by the DU 330, or with the control functions hosted by the CU 310.
[0069] Lower-layer functionality may be implemented by one or more RUs 340. In some deployments, an RU 340, controlled by a DU 330, may correspond to a logical node that hosts RF processing functions, or low-PHY layer functions (such as performing fast Fourier transform (FFT), inverse FFT (iFFT), digital beamforming, physical random access channel (PRACH) extraction and filtering, or the like), or both, based at least in part on the functional split, such as a lower layer functional split. In such an architecture, the RU(s) 340 may be implemented to handle over the air (OTA) communication with one or more UEs 104. In some implementations, real-time and non-real-time aspects of control and user plane communication with the RU(s) 340 may be controlled by the corresponding DU 330. In some scenarios, this configuration may enable the DU(s) 330 and the CU 310 to be implemented in a cloud-based RAN architecture, such as a vRAN architecture.
[0070] The SMO Framework 305 may be configured to support RAN deployment and provisioning of non-virtualized and virtualized network elements. For non-virtualized network elements, the SMO Framework 305 may be configured to support the deployment of dedicatedQualcomm Ref. No. 2404002WO22 physical resources for RAN coverage requirements which may be managed via an operations and maintenance interface (such as an 01 interface). For virtualized network elements, the SMO Framework 305 may be configured to interact with a cloud computing platform (such as an open cloud (O-Cloud) 390) to perform network element life cycle management (such as to instantiate virtualized network elements) via a cloud computing platform interface (such as an 02 interface). Such virtualized network elements may include, but are not limited to, CUs 310, DUs 330, RUs 340 and Near-RT RICs 325. In some implementations, the SMO Framework 305 may communicate with a hardware aspect of a 4G RAN, such as an open eNB (O-eNB) 311, via an 01 interface. Additionally, in some implementations, the SMO Framework 305 may communicate directly with one or more RUs 340 via an 01 interface. The SMO Framework 305 also may include a non-RT RIC 315 configured to support functionality of the SMO Framework 305.
[0071] The Non-RT RIC 315 may be configured to include a logical function that enables non- real-time control and optimization of RAN elements and resources, Artificial Intelligence / Machine Learning (AI / ML) workflows including model training and updates, or policy -based guidance of applications / features in the Near-RT RIC 325. The Non-RT RIC 315 may be coupled to or communicate with (such as via an Al interface) the Near-RT RIC 325. The Near-RT RIC 325 may be configured to include a logical function that enables near-real-time control and optimization of RAN elements and resources via data collection and actions over an interface (such as via an E2 interface) connecting one or more CUs 310, one or more DUs 330, or both, as well as an O-eNB, with the Near-RT RIC 325.
[0072] In some implementations, to generate AI / ML models to be deployed in the Near-RT RIC 325, the Non-RT RIC 315 may receive parameters or external enrichment information from external servers. Such information may be utilized by the Near-RT RIC 325 and may be received at the SMO Framework 305 or the Non-RT RIC 315 from non-network data sources or from network functions. In some examples, the Non-RT RIC 315 or the Near-RT RIC 325 may be configured to tune RAN behavior or performance. For example, the Non-RT RIC 315 may monitor long-term trends and patterns for performance and employ AI / ML models to perform corrective actions through the SMO Framework 305 (such as reconfiguration via 01) or via creation of RAN management policies (such as Al policies).Qualcomm Ref. No. 2404002WO23
[0073] FIG. 4 illustrates an example of a computing system 470 of a wireless device 407. The wireless device 407 may include a client device such as a UE (e.g., UE 104, UE 152, UE 190) or other type of device (e.g., a station (STA) configured to communication using a Wi-Fi interface) that may be used by an end-user. For example, the wireless device 407 may include a mobile phone, router, tablet computer, laptop computer, tracking device, wearable device (e.g., a smart watch, glasses, an extended reality (XR) device such as a virtual reality (VR), augmented reality (AR) or mixed reality (MR) device, etc.), Internet of Things (loT) device, access point, and / or another device that is configured to communicate over a wireless communications network. The computing system 470 includes software and hardware components that may be electrically or communicatively coupled via a bus 489 (or may otherwise be in communication, as appropriate). For example, the computing system 470 includes one or more processors 484. The one or more processors 484 may include one or more CPUs, ASICs, FPGAs, APs, GPUs, VPUs, NSPs, microcontrollers, dedicated hardware, any combination thereof, and / or other processing device or system. The bus 489 may be used by the one or more processors 484 to communicate between cores and / or with the one or more memory devices 486.
[0074] The computing system 470 may also include one or more memory devices 486, one or more digital signal processors (DSPs) 482, one or more subscriber identity modules (SIMs) 474, one or more modems 476, one or more wireless transceivers 478, one or more antennas 487, one or more input devices 472 (e.g., a camera, a mouse, a keyboard, a touch sensitive screen, a touch pad, a keypad, a microphone, and / or the like), and one or more output devices 480 (e.g., a display, a speaker, a printer, and / or the like).
[0075] In some aspects, computing system 470 may include one or more radio frequency (RF) interfaces configured to transmit and / or receive RF signals. In some examples, an RF interface may include components such as modem(s) 476, wireless transceiver(s) 478, and / or antennas 487. The one or more wireless transceivers 478 may transmit and receive wireless signals (e g., signal 488) via antenna 487 from one or more other devices, such as other wireless devices, network devices (e.g., base stations such as eNBs and / or gNBs, Wi-Fi access points (APs) such as routers, range extenders or the like, etc.), cloud networks, and / or the like. In some examples, the computing system 470 may include multiple antennas or an antenna array that may facilitate simultaneous transmit and receive functionality. Antenna 487 may be an omnidirectional antenna such that radioQualcomm Ref. No. 2404002WO24 frequency (RF) signals may be received from and transmitted in all directions. The wireless signal 488 may be transmitted via a wireless network. The wireless network may be any wireless network, such as a cellular or telecommunications network (e.g., 3G, 4G, 5G, etc.), wireless local area network (e.g., a Wi-Fi network), a BluetoothTM network, and / or other network.
[0076] In some examples, the wireless signal 488 may be transmitted directly to other wireless devices using sidelink communications (e.g., using a PC5 interface, using a DSRC interface, etc.). Wireless transceivers 478 may be configured to transmit RF signals for performing sidelink communications via antenna 487 in accordance with one or more transmit power parameters that may be associated with one or more regulation modes. Wireless transceivers 478 may also be configured to receive sidelink communication signals having different signal parameters from other wireless devices.
[0077] In some examples, the one or more wireless transceivers 478 may include an RF front end including one or more components, such as an amplifier, a mixer (also referred to as a signal multiplier) for signal down conversion, a frequency synthesizer (also referred to as an oscillator) that provides signals to the mixer, a baseband filter, an analog-to-digital converter (ADC), one or more power amplifiers, among other components. The RF front-end may generally handle selection and conversion of the wireless signals 488 into a baseband or intermediate frequency and may convert the RF signals to the digital domain.
[0078] In some cases, the computing system 470 may include a coding-decoding device (or CODEC) configured to encode and / or decode data transmitted and / or received using the one or more wireless transceivers 478. In some cases, the computing system 470 may include an encryption-decryption device or component configured to encrypt and / or decrypt data (e.g., according to the AES and / or DES standard) transmitted and / or received by the one or more wireless transceivers 478.
[0079] The one or more SIMs 474 may each securely store an international mobile subscriber identity (IMSI) number and related key assigned to the user of the wireless device 407. The IMSI and key may be used to identify and authenticate the subscriber when accessing a network provided by a network service provider or operator associated with the one or more SIMs 474. The one or more modems 476 may modulate one or more signals to encode information for transmission using the one or more wireless transceivers 478. The one or moreQualcomm Ref. No. 2404002WO25 modems 476 may also demodulate signals received by the one or more wireless transceivers 478 in order to decode the transmitted information. In some examples, the one or more modems 476 may include a Wi-Fi modem, a 4G (or LTE) modem, a 5G (or NR) modem, and / or other types of modems. The one or more modems 476 and the one or more wireless transceivers 478 may be used for communicating data for the one or more SIMs 474.
[0080] The computing system 470 may also include (and / or be in communication with) one or more non-transitory machine-readable storage media or storage devices (e.g., one or more memory devices 486), which may include, without limitation, local and / or network accessible storage, a disk drive, a drive array, an optical storage device, a solid-state storage device such as a RAM and / or a ROM, which may be programmable, flash-updateable and / or the like. Such storage devices may be configured to implement any appropriate data storage, including without limitation, various file systems, database structures, and / or the like.
[0081] In various embodiments, functions may be stored as one or more computer-program products (e.g., instructions or code) in memory device(s) 486 and executed by the one or more processor(s) 484 and / or the one or more DSPs 482. The computing system 470 may also include software elements (e.g., located within the one or more memory devices 486), including, for example, an operating system, device drivers, executable libraries, and / or other code, such as one or more application programs, which may comprise computer programs implementing the functions provided by various embodiments, and / or may be designed to implement methods and / or configure systems, as described herein.
[0082] In some previous wireless systems, multiple security contexts exist on layer basis and multiple services may exist with a single security context. For example, a security context, that is a result of an authentication procedure to establish cryptographically secured communication between two elements, may be established between a mobile device, such as a UE, and a core network (e g., a non-access stratum (NAS) security context between a UE and an access and mobility management function (AMF)). This NAS security context may anchor other security contexts as other security contexts may build on the NAS security context. Another security context (e.g., access stratum (AS) security context) may also be established based on the NAS security context through the AMF. Additional application specific security context may then be established via the connection through the AS security context. In some cases, it may be useful toQualcomm Ref. No. 2404002WO26 separate the security contexts from the NAS security context so that the additional security contexts above the NAS are not all dependent on the connection between the mobile device and the AMF. Additionally, having separate security contexts for services may streamline implementation of additional services without having to make sure the AMF supports any security features of the additional services.
[0083] FIG. 5 is a diagram of a security architecture of a wireless network 500, according to aspects of the disclosure. In some cases, it may be useful to define a per-service security context, for example, allow a service of the wireless network to tailor the security between the mobile device and the service. In some cases, services of the wireless network may refer to providers of functionality for the wireless network. In some cases, these services may include essential services, such as registration, mobility management, session management, security, and so forth, as well as value add services, such as location, voice, messaging (e.g., short messaging service (SMS)), and so forth. Wireless network 500 includes a device 502, which may be UE. The device 502 may be coupled to the wireless network 500 via a DU 504. In some cases, the connection between the device 502 and the DU 504 may be secured based on a physical layer and / or medium access control layer security 508. While a disaggregated base station 506 is shown in FIG. 5, it may be understood that any base station / access node design may be used, such as an eNodeB, gNodeB, aggregated / monolithic base station, Wi-Fi access point, and / or the like.
[0084] In some cases, allowing a per-service security context allows a device 502 to establish multiple security contexts with specific services that are being used by the device 502, including for services that would previously fall under core network services, such as, for example, a mobility service 512, transport service 510, and / or the like. In some cases, services of a wireless network 500 may be divided into different types of services. For example, basic services and commonly used services of a wireless network 500 (e.g., similar to those services traditionally provided by a core network of a wireless network, such as routing and handing over the device 502 from base station to base station) may be referred to as horizontal services 520, shown here on a lower portion of FIG. 5. For example, the transport service 510, mobility service 512, security service 514, policy service 516, secure context storage service 518, paging service (not shown) and / or the like may be considered horizontal services 520. Higher level services which more likely to be user facing (e.g., user plane applications) and more likely to be user specific may be referredQualcomm Ref. No. 2404002WO27 to as vertical services 524. Examples of vertical services 524 include location services 528, voice services 530, edge services 532, XR services 534, internet services 536, and / or the like.
[0085] In some cases, a user plane security anchor (UP SA) 526 service may provide general transport security between the device 502 and vertical services 524 and the UPSA 526 may support multiple services. In some cases, where the UPSA 526 is located in the network (e.g., near the edge of the network or closer to the core network) may be flexible. For example, the UPSA 526 may be codocated at the DU 504 or located closer to the vertical services 524 being supported (e.g., co-located with the vertical services 524).
[0086] In some cases, the device 502 may include multiple security contexts 522 where each security context is established with a specific service being used. For example, the device 502 may have a first security context 540 with the security service 514 and the device 502 may also have a second security context 538 with the location services 528. In some cases, the security service 514 may provide security services for the device 502 along with other network functions. For example, the security service 514 may help establish security contexts (e.g., establish authentication keys) between other services and the device 502. In some cases, these security contexts may then be stored in the secure context storage service 518. Other services may then access the secure context storage service 518 to retrieve stored security contexts. Thus, the security service 514 may anchor security establishment between the device 502 and services of the wireless network 500. As an example, a service, such as the mobility service 512, may request a security context from the security service 514. The security service 514 may respond to the mobility service 512 a security key and this security key may be stored in the secure context storage service 518 for later use by the mobility service 512 as needed.
[0087] In some cases, some services previously associated with a wireless node (e.g., gNodeB, DU, CU, etc.) may also be implemented as one or more horizontal services. For example, radio resource management, previously performed by a CU / gNodeB, may be implemented as a service (e.g., horizontal service 520) in a cloud.
[0088] In some cases, when a wireless device connects to a wireless network, the wireless network may authenticate the wireless device using a subscription authentication. This subscription authentication verifies that the wireless device is authorized to connect to, and access services provided by the wireless network. While this subscription authentication verifies theQualcomm Ref. No. 2404002WO28 wireless device, the subscription authentication does not verify the user of the wireless device. Thus, where multiple users have access to a wireless device, subscription authentication by the wireless network may authenticate the wireless device with services of the wireless network, but subscription authentication does not verify / authenticate which user, of the multiple users, is using the wireless device.
[0089] In some cases, it can be useful for certain services to be able to verify a specific user of the wireless device. For example, a wireless device, such as an on-call wireless device, may have a single subscription to a wireless network and may be shared among multiple users and possibly an administrator for the wireless device. The multiple users may each be able to create user profiles on the wireless device. In some cases, it may be useful to be able to have a network service specific profile for each user as well. For example, the service of the wireless network may have private information that other users of the wireless device should not have access to, or a specific user of the wireless device, such as an administrator, may have access to additional features of the network service as compared to other users of the wireless device. Additionally, being able to authenticate different users of the device may be used to allow a single user to create different profiles on a wireless device (e.g., personal / work / school etc.) and a service of the wireless network may be able to authenticate which wireless device profile is being used, for example, to restrict a service to certain wireless device profiles, manage different sets of user consent on a per-profile basis, etc. Thus, a technique for per-user authentication to a wireless network may be useful.
[0090] FIG. 6 is a call flow diagram illustrating an example control plane registration procedure for user authentication for a wireless network 600, in accordance with aspects of the present disclosure. In some cases, the control plane registration procedure for user authentication may be performed on the control plane using NAS signaling, as opposed to user plane based AS signaling. FIG. 6 includes a wireless device 602, wireless node 604 (e.g., BS / eNB / gNB, DU, etc.), security service 606 of a wireless network, FIDO server 608, unified data management (UDM) 610 service, and subscription and policy service 612. In some cases, when the wireless device 602 attempts to access the wireless network, the wireless device 602 may send, as a part of subscription authentication, a service access request 614 to the security service 606 of the wireless network.
[0091] In some cases, the service access request 614 may include an identifier of the wireless device 602, e.g., a temporary identifier such as a globally unique temporary identifier (GUTI) orQualcomm Ref. No. 2404002WO29 context identifier (context ID) of the wireless device 602. The security service 606 may check with the subscription and policy service 612 to verify that the wireless device 602 has access (e.g., a subscription, roaming agreement, etc.) to the wireless network.
[0092] In cases where the wireless device 602 has not previously established a security context with the security service 606 or is performing a reauthentication procedure, the wireless device 602 and security service 606 may perform initial access or reauthentication procedure 616 using, for example, an authentication and key agreement procedure 618 to generate a session root key between the wireless device 602 and security service 606. For example, the wireless device 602 and security service 606 may perform authentication and key agreement procedure 618 using, for example, an authentication and key agreement protocol, to generate a session root key between the wireless device 602 and security service 606. The session root key, and keys derived from the session root key, may be used as a subscription credential to verify that the wireless device 602 has a subscription to the wireless network and / or services of the wireless network. The subscription credential may be used to verify that a specific device, such as the wireless device 602, has access to the wireless network. For example, a user may have a subscription to access a wireless network for a device, and the subscription credential may be used to verify that subscription. In some cases, the authentication and key agreement procedure 618 may use a long-term credential type authentication and key agreement protocol such as 6G AKA, Extensible Authentication Protocol Method for 3rdGeneration Authentication and Key Agreement (EAP-AKA or EAP-AKA’), and / or the like to generate a service key, which may be stored by the security service, for example, in a secure context storage service.
[0093] The session root key may be used to establish a main security context 620 (e.g., perform a security context establishment procedure) between the wireless device 602 and the security service 606 to establish a secure connection with the security service 606. Establishing the main security context 620 may be performed using a service establishment protocol such as a NAS security mode command procedure, a transport layer security (TLS) service establishment protocol, and / or the like. Once the main security context 620 is established, further communications between the wireless device 602 and the security service 606 may be based on the main security context. In some cases, the security service 606 may provide the wireless device 602 one or more service access tokens based on the main security context. In cases where theQualcomm Ref. No. 2404002WO30 wireless device 602 has previously established the main security context with the security service 606 and the main security context is still valid, the security context 620 establishment may not be reperformed, and the secure connection may be established based on the authentication and key agreement procedure 618.
[0094] The service access request 614 may be secured (e.g., encoded) based on a derived service access key. In some cases, the service access request 614 may include a service access token (e.g., if the wireless device 602 previously established a security context with the security service 606 and obtained service access token(s)). In some cases, a service access token may be provided to the wireless device 602 in response to the service access request 614 being sent to the security service 606.
[0095] In some cases, it may be useful to leverage an existing user authentication protocol, such as fast identity online (FIDO), for user authentication to a wireless network. FIDO is a user authentication system which uses public key cryptography techniques to authenticate a user attempting to access a service. In some cases, FIDO may be implemented as a service of the wireless network via a FIDO server 605 and accessed via the security service 606.
[0096] As a part of NAS signaling, the wireless device 602 may transmit a FIDO registration request 622 to the security service 606 (e.g., as opposed to a specific application service via AS signaling). In some cases, the FIDO registration request 622 may include user specific information and / or a user ID. The user specific information may include information that may be used to identify a user profile, for example, in the UDM 610. In some cases, the user ID may be an alias for the FIDO key ID (e.g., identifying a public key used for FIDO, and may be human readable so that the user may recognize the alias), and the FIDO key ID may be referred to as “FIDO key” for brevity hereinafter. In response to the FIDO registration request 622, the security service 606 may perform a FIDO registration procedure 624. In some cases, the FIDO registration procedure 624 may be similar to the procedure in the FIDO universal authentication framework protocol specification.
[0097] As a part of a FIDO registration procedure 624, the wireless device 602 may have an authenticator application and the authenticator application may be used to create a public keyprivate key pair for use with FIDO associated with a specific user. In some cases, the authenticator application may leverage user authentication systems available at the wireless device 602, such asQualcomm Ref. No. 2404002WO31 fingerprint / face recognition / other biometrics, local PIN, security key, etc., and associate an indication of a successful local user authentication by the wireless device 602 with the public / private key pair. The wireless device 602 may transmit the public key, of the public keyprivate key pair, along with an indication of how the user was locally authenticated (e.g., via fingerprint / face recognition / other biometrics, local PIN, security key, etc.) to the security service as a part of the FIDO registration procedure 624. In addition, FIDO information may also be determined and transmitted to the security service 606 as a part of the FIDO registration procedure. For example, an application ID (or app ID) of FIDO may be set to a PLMN ID (and / or security service ID) and a facet ID of FIDO may include the list of authorized service IDs that can use the user authentication.
[0098] The security service 606 may register 626 the FIDO key to the FIDO server 608. In some cases, the registered FIDO key may be service specific and different services may each trigger FIDO registration (e.g., via the control pane or user plane). The security service 606 may also provide an associated wireless device identifier (e.g., UE ID) to the FIDO server 608 as a part of registering 626 with the FIDO server. In some cases, the UE ID may be a subscription identifier, such as a generic public subscriber identifier (GPSI) or another identifier assigned (e.g., by 3GPP or the security service) for user authentication, or both. In some cases, the UE ID may be associated with a SUPI and / or IMSI by the UDM 610. The security service 606 may also store the user specific information, for example, in the UDM 610. In some cases, the user specific information may be stored as a part of a user profile under a subscription profile in the UDM 610.
[0099] In some cases, as a part of the subscription of the wireless device 602 to the wireless network, the wireless network may have a subscription profile about the wireless device 602. The profile about the wireless device 602 may include information about the wireless device 602, such as a vendor / model information for the wireless device, along with capability information about the wireless device 602, such as the capabilities the wireless device 602 includes for authenticating a user, such as whether the wireless device 602 supports fingerprint recognition, facial recognition, other biometrics, how accurate / secure the biometric systems of the wireless device 602 are, and / or the like. In some cases, the subscription profile about the wireless device 602 may be stored in the UDM 610.Qualcomm Ref. No. 2404002WO32
[0100] A FIDO user profile for the user of the wireless device 602 may be created to be associated with the registered FIDO key. In some cases, if the wireless device 602 did not provide a user ID, the security service 606 may allocate a user ID 628 for the user. The security service 606 may transmit a FIDO user profile creation request 630 to the FIDO server 608 or the UDM 610 service / server. For example, the FIDO user profile creation request 630 may be transmitted to the FIDO server 608 and the FIDO server 608 may pass the FIDO user profile creation request to the UDM 610 service. In other cases, the FIDO user profile creation request 630 may be sent to the UDM 610 service by the security service 606, bypassing the FIDO server 608. The UDM 610 service may create a FIDO user profile. In some cases, the FIDO user profile may be created under a subscription profile identified by the UE ID.
[0101] In some cases, the FIDO user profile creation request 630 may include the UE ID (e.g., wireless device identifier), user ID, the indication of how the user was locally authenticated by the wireless device 602, the user specific information, FIDO information, and / or the like. In some cases, the FIDO user profile creation request 630 may also include an authenticator attestation identifier. In some cases, the security service may verify the indication of how the user was locally authenticated against the information about the wireless device 602 in the subscription profile to ensure that the indication of how the user was locally authenticated is possible based on the information about the wireless device 602. After the FIDO user profile is created, the UDM 610 service may send a user profile creation response 632 to the security service 606 indicating that the FIDO user profile was successfully created. The security service 606 may send an indication of the user profile creation result 634 back to the wireless device 602 to indicate that the FIDO user profile was successfully created (e.g., the user authentication registration request was successful). In cases where a user ID was not provided by the wireless device in the FIDO registration request 622, the security service 606 may include the allocated user ID in the indication of the user profile creation result 634.
[0102] FIG. 7 is a call flow diagram illustrating an example user plane registration procedure for user authentication for a wireless network 700, in accordance with aspects of the present disclosure. In some cases, the user plane registration procedure for user authentication may be similar to the control plane registration procedure for user authentication, except that the signaling between a wireless device 702 to a user registration service 750 is performed on the AS plane,Qualcomm Ref. No. 2404002WO33 rather than through the NAS plane directly to a security service 706. The user registration service 750 may be any service of the wireless network which is capable of registering users with a FIDO service.
[0103] FIG. 7 includes the wireless device 702, a wireless node 704, the user registration service 750, the security service 706, a FIDO server 708, a UDM 710 service, and a subscription and policy service 712. In some cases, the wireless device 702, wireless node 704, security service 706, FIDO server 708, UDM 710 service, and subscription and policy service 712 may be substantially similar to wireless device 602, wireless node 604, security service 606 of a wireless network, FIDO server 608, UDM 610 service, and subscription and policy service 612 of FIG. 6, respectively. In some cases, the user plane registration procedure may be more flexible as compared to the control plane registration procedure as the FIDO registration is performed via the user registration service, which does not necessarily directly rely on the security service. The security context may be established using, for example, a security procedure of the wireless network that does not rely on a separate security service. Thus, the user plane registration procedure may be implemented on wireless networks that may not use a standalone security service (e.g., 5G deployments).
[0104] In some aspects, when the wireless device 702 attempts to access the user registration service 750, the wireless device 702 (e.g., a user application of the wireless device 702) may send, as a part of subscription authentication, a service access request 714 to the user registration service 750 of the wireless network. In some cases, the user registration service 750 may send a service key request 716 to the security service 706 to determine whether the wireless device 702 may access the user registration service 750.
[0105] In cases where the wireless device 702 has not previously established a security context with the security service 706 or is performing a reauthentication procedure, the wireless device 702 and security service 706 may perform an authentication and key agreement procedure 718 and security context establishment 720 in a manner substantially similar to the authentication and key agreement procedure 616 and establishing the main security context 620 of FIG. 6. After the security context establishment 720, the security service 706 may send a service key response 722 to the user registration service 750. In some cases, the service key response 722 may include a service access token. In cases where the wireless device 702 has previously established the securityQualcomm Ref. No. 2404002WO34 context with the security service 706, the security service 706 may send a service key response 722 to the user registration service 750 without reperforming the security context establishment 720.
[0106] The wireless device 702 may then establish service security 724 to establish a secure connection with the user registration service 750, for example, based on the service access token. The wireless device may send a FIDO registration request 726 (e.g., user authentication registration request) to the user registration service 750. In some cases, the FIDO registration request 726 may be substantially similar to FIDO registration request 622 of FIG. 6. In response to the FIDO registration request 726, the user registration service 750 may perform a FIDO registration procedure 728. In some cases, the FIDO registration procedure 728 may be substantially similar to FIDO registration procedure 624 of FIG. 6. The user registration service 750 may register 730 the FIDO key to the FIDO server 708 in a manner substantially similar to registering 626 of FIG. 6. The user registration service 750 may provide an associated wireless device identifier (e.g., UE ID) to the FIDO server 708 as a part of registering 730 with the FIDO server.
[0107] A FIDO user profile for the user of the wireless device 702 may be created to be associated with the registered FIDO key. In some cases, if the wireless device 702 did not provide a user ID, the user registration service 750 may allocate a user ID 732 for the user. The user registration service 750 may transmit a FIDO user profile creation request 734 to the security service 706 or the FIDO server 708. The FIDO user profile creation request 734 may be substantially the same as the FIDO user profile creation request 630. In some cases, the user registration service 750 may transmit the FIDO user profile creation request 734 to the security service 706 and the security service 706 may pass the FIDO user profile creation request to the UDM 710 service. In other cases, user registration service 750 may transmit the FIDO user profile creation request 734 to the FIDO server 708, bypassing the FIDO server 708. The FIDO server 708 may pass the FIDO user profile creation request to the UDM 710 service. After the FIDO user profile is created, the UDM 710 service may send a user profile creation response 736 to the user registration service 750 indicating that the FIDO user profile was successfully created. The user registration service 750 may send an indication of the user profile creation result 738 back to the wireless device 702 to indicate that the FIDO user profile was successfully created. In cases whereQualcomm Ref. No. 2404002WO35 a user ID was not provided by the wireless device in the FIDO registration request 726, the user registration service 750 may include the allocated user ID in the indication of the user profde creation result 738.
[0108] FIG. 8 is a call flow diagram illustrating an example user authentication procedure for a wireless network 800, in accordance with aspects of the present disclosure. In some cases, signaling for the user authentication procedure between a wireless device 802 and a service 860 is performed on the AS plane. In some cases, the service 860 may be any service of the wireless network which uses user authentication.
[0109] FIG. 8 includes the wireless device 802, a wireless node 804, the service 860, a security service 806, a FIDO server 808, a UDM 810, and a subscription and policy service 812. In some cases, the wireless device 802, wireless node 804, security service 806, FIDO server 808, UDM 810, and subscription and policy service 812 may be substantially similar to wireless device 602 of FIG. 6 / wireless device 702 of FIG. 7, wireless node 604 of FIG. 6 / wireless node 704 of FIG. 7, security service 606 of FIG. 6 / security service 706 of FIG. 6, FIDO server 608 of FIG. 6 / FIDO server 708 of FIG. 7, UDM 610 service of FIG. 6 / UDM 710 service of FIG. 7, and subscription and policy service 612 of FIG. 6 / subscription and policy service 712 of FIG. 7, respectively. In some cases, the user authentication procedure may be performed after FIDO registration (e.g., where the FIDO key was registered and the user profde created) has been performed.
[0110] In some cases, when the wireless device 802 attempts to access the service 860, the wireless device 802 (e.g., a user application of the wireless device 802) may send a service access request 814 to the service 860 of the wireless network. In some cases, subscription authentication may be performed as a part of accessing the service 860. In some cases, the service 860 may send a service key request 816 to the security service 806 to determine whether the wireless device 802 may access the service 860.[oni] In cases where the wireless device 802 has not previously established a security context with the security service 806 or is performing a reauthentication procedure, the wireless device 802 and security service 806 may perform an authentication and key agreement procedure 818 and security context establishment 820 in a manner substantially similar to the authentication and key agreement procedure 616 and establishing the main security context 620 of FIG. 6. After the security context establishment 820, the security service 806 may send a service key response 822Qualcomm Ref. No. 2404002WO36 to the service 860. In some cases, the service key response 822 may include a service access token. In cases where the wireless device 802 has previously established the security context with the security service 806, the security service 806 may send a service key response 822 to the service 860 without reperforming the security context establishment 820.
[0112] The wireless device 802 may then establish service security 824 with the service 860, for example, based on the service access token. The service 860 may request user authentication to identify the current user and / or associated user profde (e.g., where a single user has multiple user profdes) towards the security service 806 by sending user authentication information 826 to the security service 806. The user authentication information 826 may include, for example, a user ID, GPSI, subscription permanent identifier (SUPI), and / or the like. In some cases, the SUPI may be used for services inside of the wireless system and the SUPI may be owned by a mobile network operator (MNO). In some cases, the user ID may not be used. In some cases, the user authentication information 826 may include a user authentication method used by the wireless device 802, validity time, authenticator attestation, user profile, user ID, etc.
[0113] In some cases, based on the user authentication information 826, the security service 806 may check if user authentication has been performed for the user and wireless device 802 recently (e.g., based on a time window that may be specified in a subscription / policy for the service). If the user authentication has been recently performed, then the security service 806 may return additional user authentication information 826 for the user indicating the user is authenticated. In some cases, if no user authentication information is available (e.g., the user has not been authenticated / not been recently authenticated), the service 860 may determine 828 whether user authentication is needed (e.g., based on a local policy, existing validity time limit, etc.). If user authentication is needed, then the service 860 may transmit a request for user authentication 830 to the security service 806. In some cases, the request for user authentication 830 may be a request for a user profile. Based on the request for user authentication 830, the security service 806 may trigger a FIDO authentication procedure based on a FIDO UAF protocol specification 832.
[0114] As a part of FIDO authentication preparation 834, the security service 806 may transmit a FIDO authentication request to the FIDO server 808 and receive a FIDO authentication request return including FIDO information, such as policy information, challenge, transaction text, etc. The security service 806 may transmit a FIDO authentication request 836, including the FIDOQualcomm Ref. No. 2404002WO37 information, to the service 860. The service 860 may send the FIDO authentication request 838 (e.g., user authentication request), including the FIDO information, to the wireless device 802. The wireless device 802 may then verify, based on the FIDO authentication request 838, a user of the wireless device 802.
[0115] In some cases, an authenticator application on the wireless device 802 may prompt the user for authentication (e.g., via biometric, PIN, etc.) and / or verification. After receiving a response from the user, the authenticator application may respond to the FIDO authentication request 838 with a FIDO authentication response 840 that may include the user identifier associated with the user and may be transmitted to the service 860. In some cases, the FIDO authentication response 840 may be, in part, encoded using the private key of the public keyprivate key pair created during registration. The service 860 may transmit the FIDO authentication response 840 to the security service 806 and the security service may transmit the FIDO authentication response 840 to the FIDO server 808The FIDO server 808 may then verify the FIDO authentication response 840 based on the public key of public key-private key pair created during registration. If the FIDO server 808 verifies the FIDO authentication response 840, the FIDO server 808 may transmit a user authentication result 842 indicating that the user is authenticated to the security service 806.
[0116] In some aspects, the security service 806 may retrieve and / or update a user profile 844 corresponding to the authenticated user from and / or to the UDM 810. In some cases, the user may be identified by a FIDO key ID obtained from the user authentication result 842, GPSI, or a user ID. In some cases, multiple user profiles may be identified by multiple GPSIs and associated with a single subscription identified by a SUPI. The user authentication result may be passed 846 to the service 860 indicating that the user has been authenticated. In some cases, the user profile may be included in the user authentication result passed 846 to the service 860. The service 860 may then allow the wireless device 802 to access the service based on the indication that the user has been authenticated.
[0117] FIG. 9 is a flow diagram illustrating a process 900 for user authentication, in accordance with aspects of the present disclosure. The process 900 can be performed by a wireless device capable of connecting to a wireless node of a wireless network (e.g., BS 102, mmW BS 180, core network 170 of FIG. 1, DU 330 of FIG. 3, CU 310 of FIG. 3, core network 320 of FIG. 3, securityQualcomm Ref. No. 2404002WO38 service 606 of FIG. 6, user registration service 750 of FIG. 7, computing system 1 100 of FIG. 11 , etc.). The wireless device may be a mobile device (e.g., a mobile phone), a network-connected wearable such as a watch, an extended reality (XR) device such as a virtual reality (VR) device or augmented reality (AR) device, a vehicle or component or system of a vehicle, or other type of computing device (e.g., UE 104, of FIGs. 1 and 2, respectively, wireless device 407 of FIG. 4, wireless device 502 of FIG. 5, wireless device 602 of FIG. 6, wireless device 702 of FIG. 7, wireless device 802 of FIG. 8, computing system 1100 of FIG. 11, etc.). The operations of the process 900 may be implemented as software components that are executed and run on one or more processors (e.g., processor 1110 of FIG. 11 or other processor(s)). Further, the transmission and reception of signals by the wireless device (or component of the wireless device) in the process 900 may be enabled, for example, by one or more antennas (e.g., antennas 252 of FIG. 2) and / or one or more transceivers (e.g., modulators / demodulators 254, TX MIMO processor 266, MIMO detector 256, transmit processor 264, receive processor 258 of FIG. 2, etc.).
[0118] At block 902, the computing device (or component thereof) may establish a secure connection (e.g., establish a main security context 620 of FIG. 6, establish service security 724 of FIG. 7, etc.) with a service (e.g., security service 606 of FIG. 6, or user registration service 750 of FIG. 7, etc.) of a wireless network. In some cases, the secure connection is established using a subscription credential associated with the wireless device. For example, a session root key, and keys derived from the session root key, may be used as a subscription credential to verify that the wireless device has a subscription to the wireless network (e.g., with the mobile network operator) and / or services of the wireless network. The session root key may be used to establish a main security context (e.g., perform a security context establishment procedure) between the wireless device and the security service to establish a secure connection with the security service. In some cases, the service comprises a security service of the wireless network or a user registration service of the wireless network.
[0119] At block 904, the wireless device (or component thereof) may provide, for a user authentication server (e.g., FIDO server 608 of FIG. 6, FIDO server 708 of FIG. 7, etc.), a user authentication registration request (e.g., FIDO registration request 622 of FIG. 6, FIDO registration request 726 of FIG. 7, etc.) to the service via the secure connection. In some cases, the user authentication registration request comprises a public key of a public key-private key pair. In someQualcomm Ref. No. 2404002WO39 cases, the computing device (or component thereof) may generate the public key-private key pair for use with user authentication. For example, an application may be used to create a public keyprivate key pair associated with a specific user. The wireless device may transmit the public key, of the public key-private key pair, to the service, such as the security service. In some cases, the user authentication registration request comprises a fast identity online (FIDO) registration request. In some examples, the user authentication registration request comprises a user identifier (e.g., user ID) for a user of the wireless device and / or user specific information. In some cases, the public key and / or an identifier for the wireless device (e.g., UE ID) are provided to the user authentication server (e.g., FIDO server 608 of FIG. 6, FIDO server 708 of FIG. 7, etc.) by the service. In some cases, the identifier for the wireless device comprises a subscription identifier (e.g., SUPI, GPSI, etc.) for the wireless network. In some examples, the computing device (or component thereof) may receive a user authentication request from the service (e.g., via a second service that the wireless device attempts to access); verify, based on the user authentication request, a user of the wireless device; and generate a user authentication response, wherein the user authentication response comprises a user identifier associated with the user. In some cases, the user authentication response is signed based on a private key of the public key-private key pair.
[0120] At block 908, the computing device (or component thereof) may receive, from the service, an indication that a user profile for user authentication was successfully created (e.g., user profile creation result 634 of FIG. 6, user profile creation result 738 of FIG. 7, etc.) based on the user authentication registration request. For example, a security service may send an indication of the user profile creation result back to the wireless device indicating that the user profile was successfully created. In some cases, the computing device (or component thereof) may receive a user identifier along with the indication that a user profile was successfully created. For example, where a user ID was not provided by the wireless device in the FIDO registration request, an allocated user ID may be included in the indication of the user profile creation result.
[0121] FIG. 10 is a flow diagram illustrating a process 1000 for user authentication, in accordance with aspects of the present disclosure. The process 1000 can be performed by a wireless device capable of connecting to a wireless node of a wireless network (e.g., BS 102, mmW BS 180, core network 170 of FIG. 1, DU 330 of FIG. 3, CU 310 of FIG. 3, core network 320 of FIG. 3, security service 606 of FIG. 6, user registration service 750 of FIG. 7, computing system 1100Qualcomm Ref. No. 2404002WO40 of FIG. 1 1, etc ). The wireless device may be a mobile device (e.g., a mobile phone), a network- connected wearable such as a watch, an extended reality (XR) device such as a virtual reality (VR) device or augmented reality (AR) device, a vehicle or component or system of a vehicle, or other type of computing device (e.g., BS 102, mmW BS 180, core network 170 of FIG. 1, DU 330 of FIG. 3, CU 310 of FIG. 3, core network 320 of FIG. 3, security service 606 of FIG. 6, user registration service 750 of FIG. 7, computing system 1100 of FIG. 11, etc.). The operations of the process 1000 may be implemented as software components that are executed and run on one or more processors (e.g., processor 1110 of FIG. 11 or other processor(s)). Further, the transmission and reception of signals by the wireless network (or component of the wireless network, such as the security service) in the process 1000 may be enabled, for example, by one or more antennas (e.g., antennas 234 of FIG. 2) and / or one or more transceivers (e.g., modulators / demodulators 232, TX MIMO processor 230, MIMO detector 236, transmit processor 220, receive processor 238 of FIG. 2, etc.).
[0122] At block 1002, the computing device (or component thereof) at a first service (e.g., security service 606 of FIG. 6, user registration service 750 of FIG. 7, etc.) of a wireless network may establish a secure connection (e.g., establish a main security context 620 of FIG. 6, establish service security 724 of FIG. 7, etc.) with a wireless device (e.g., wireless device 602 of FIG. 6, wireless device 702 of FIG. 7, etc.). In some aspects, the secure connection is established using a subscription credential associated with the wireless device. In some cases, the first service of the wireless network comprises a security service or a user registration service of the wireless network, and the computing device (or component thereof) may receive, from a second service of the wireless network, a request for a user profile; obtain the user profile; and transmit the user profile of a user to the second service. In some examples, the user profile is obtained from a storage service.
[0123] At block 1004, the computing device (or component thereof) may receive a user authentication registration request (e.g., FIDO registration request 622 of FIG. 6, FIDO registration request 726 of FIG. 7, etc.) from the wireless device via the secure connection. In some cases, the user authentication registration request comprises a public key of a public key-private key pair. In some examples, the user authentication registration request comprises a fast identity online (FIDO) registration request. In some cases, the user authentication registration request comprises a userQualcomm Ref. No. 2404002WO41 identifier (e.g., user ID) for a user of the wireless device and / or user specific information. In some examples, a user profile may be created by a storage service (e.g., UDM 610 of FIG. 6, UDM 710 of FIG. 7) based on the user identifier, an identifier for the wireless device (e.g., UE ID, SUPI, GPSI, etc.), and the public key. In some cases, the computing device (or component thereof) may trigger a user authentication request for the wireless device and may receive, from the wireless device, a user authentication response that includes the user identifier. The user authentication response may be signed based on a private key of the public key-private key pair. The user authentication response may be verified based on the public key.
[0124] At block 1006, the computing device (or component thereof) may transmit, to a user authentication server (e.g., FIDO server 608 of FIG. 6, FIDO server 708 of FIG. 7), the user authentication registration request, a user identifier (e.g., user ID), and an identifier for the wireless device (e.g., UE ID, SUPI, GPSI, etc ). In some cases, the identifier for the wireless device comprises a subscription identifier (e.g., SUPI, etc.) for the wireless network. In some examples, the computing device (or component thereof) may generate the user identifier.
[0125] At block 1008, the computing device (or component thereof) may transmit, to the wireless device, an indication that a user profile (e.g., the user profile created by the storage service) used for user authentication was successfully created based on the user authentication registration request, such as based on the user authentication registration request being successful (e.g., user profile creation result 634 of FIG. 6, user profile creation result 738 of FIG. 7, etc.).
[0126] In some examples, the techniques or processes described herein may be performed by a computing device, an apparatus, and / or any other computing device. In some cases, the computing device or apparatus may include a processor, microprocessor, microcomputer, or other component of a device that is configured to carry out the steps of processes described herein. In some examples, the computing device or apparatus may include a camera configured to capture video data (e.g., a video sequence) including video frames. For example, the computing device may include a camera device, which may or may not include a video codec. As another example, the computing device may include a mobile device with a camera (e.g., a camera device such as a digital camera, an IP camera or the like, a mobile phone or tablet including a camera, or other type of device with a camera). In some cases, the computing device may include a display for displaying images. In some examples, a camera or other capture device that captures the video data is separateQualcomm Ref. No. 2404002WO42 from the computing device, in which case the computing device receives the captured video data. The computing device may further include a network interface, transceiver, and / or transmitter configured to communicate the video data. The network interface, transceiver, and / or transmitter may be configured to communicate Internet Protocol (IP) based data or other network data.
[0127] The processes described herein can be implemented in hardware, computer instructions, or a combination thereof. In the context of computer instructions, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computerexecutable instructions include routines, programs, objects, components, data structures, and / or the like that perform particular functions or implement particular data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and / or in parallel to implement the processes.
[0128] In some cases, the devices or apparatuses configured to perform the operations of the processes 900, 1000, and / or other processes described herein may include a processor, microprocessor, micro-computer, or other component of a device that is configured to carry out the steps of the processes 900, 1000, and / or other process. In some examples, such devices or apparatuses may include one or more sensors configured to capture image data and / or other sensor measurements. In some examples, such computing device or apparatus may include one or more sensors and / or a camera configured to capture one or more images or videos. In some cases, such device or apparatus may include a display for displaying images. In some examples, the one or more sensors and / or camera are separate from the device or apparatus, in which case the device or apparatus receives the sensed data. Such device or apparatus may further include a network interface configured to communicate data.
[0129] The components of the device or apparatus configured to carry out one or more operations of the processes 900, 1000, and / or other processes described herein can be implemented in circuitry. For example, the components can include and / or can be implemented using electronic circuits or other electronic hardware, which can include one or more programmable electronic circuits (e.g., microprocessors, graphics processing units (GPUs), digital signal processors (DSPs), central processing units (CPUs), and / or other suitable electronic circuits), and / or can include and / or be implemented using computer software, firmware, or any combination thereof, to performQualcomm Ref. No. 2404002WO43 the various operations described herein. The computing device may further include a display (as an example of the output device or in addition to the output device), a network interface configured to communicate and / or receive the data, any combination thereof, and / or other component(s). The network interface may be configured to communicate and / or receive Internet Protocol (IP) based data or other type of data.
[0130] The processes 900 and 1000 are illustrated as a logical flow diagram, the operations of which represent sequences of operations that can be implemented in hardware, computer instructions, or a combination thereof. In the context of computer instructions, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and / or the like that perform particular functions or implement particular data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and / or in parallel to implement the processes.
[0131] Additionally, the processes described herein (e.g., the processes 900, 1000, and / or other processes) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or combinations thereof. As noted above, the code may be stored on a computer- readable or machine-readable storage medium, for example, in the form of a computer program including a plurality of instructions executable by one or more processors. The computer-readable or machine-readable storage medium may be non -transitory.
[0132] Additionally, the processes described herein may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or combinations thereof. As noted above, the code may be stored on a computer-readable or machine-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable byQualcomm Ref. No. 2404002WO44 one or more processors. The computer-readable or machine-readable storage medium may be non- transitory.
[0133] FIG. 11 is a diagram illustrating an example of a system for implementing certain aspects of the present technology. In particular, FIG. 11 illustrates an example of computing system 1100, which may be for example any computing device making up internal computing system, a remote computing system, a camera, or any component thereof in which the components of the system are in communication with each other using connection 1105. Connection 1105 may be a physical connection using a bus, or a direct connection into processor 1110, such as in a chipset architecture. Connection 1105 may also be a virtual connection, networked connection, or logical connection.
[0134] In some embodiments, computing system 1100 is a distributed system in which the functions described in this disclosure may be distributed within a datacenter, multiple data centers, a peer network, etc. In some embodiments, one or more of the described system components represents many such components each performing some or all of the function for which the component is described. In some embodiments, the components may be physical or virtual devices.
[0135] Example system 1100 includes at least one processing unit (CPU or processor) 1110 and connection 1105 that communicatively couples various system components including system memory 1115, such as read-only memory (ROM) 1120 and random access memory (RAM) 1125 to processor 1 110. Computing system 1100 may include a cache 1 112 of high-speed memory connected directly with, in close proximity to, or integrated as part of processor 1110.
[0136] Processor 1110 may include any general purpose processor and a hardware service or software service, such as services 1132, 1134, and 1136 stored in storage device 1130, configured to control processor 1110 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Processor 1110 may essentially be a completely self- contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.
[0137] To enable user interaction, computing system 1100 includes an input device 1145, which may represent any number of input mechanisms, such as a microphone for speech, a touch- sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech, etc. Computing system 1100 may also include output device 1135, which may be one or more of aQualcomm Ref. No. 2404002WO45 number of output mechanisms. In some instances, multimodal systems may enable a user to provide multiple types of input / output to communicate with computing system 1100.
[0138] Computing system 1100 may include communications interface 1140, which may generally govern and manage the user input and system output. The communication interface may perform or facilitate receipt and / or transmission wired or wireless communications using wired and / or wireless transceivers, including those making use of an audio jack / plug, a microphone jack / plug, a universal serial bus (USB) port / plug, an AppleTM LightningTM port / plug, an Ethernet port / plug, a fiber optic port / plug, a proprietary wired port / plug, 3G, 4G, 5G and / or other cellular data network wireless signal transfer, a Bluetooth TM wireless signal transfer, a Bluetooth TM low energy (BLE) wireless signal transfer, an IBEACONTM wireless signal transfer, a radio-frequency identification (RFID) wireless signal transfer, near-field communications (NFC) wireless signal transfer, dedicated short range communication (DSRC) wireless signal transfer, 802.11 Wi-Fi wireless signal transfer, wireless local area network (WLAN) signal transfer, Visible Light Communication (VLC), Worldwide Interoperability for Microwave Access (WiMAX), Infrared (IR) communication wireless signal transfer, Public Switched Telephone Network (PSTN) signal transfer, Integrated Services Digital Network (ISDN) signal transfer, ad-hoc network signal transfer, radio wave signal transfer, microwave signal transfer, infrared signal transfer, visible light signal transfer, ultraviolet light signal transfer, wireless signal transfer along the electromagnetic spectrum, or some combination thereof. The communications interface 1140 may also include one or more Global Navigation Satellite System (GNSS) receivers or transceivers that are used to determine a location of the computing system 1100 based on receipt of one or more signals from one or more satellites associated with one or more GNSS systems. GNSS systems include, but are not limited to, the US-based Global Positioning System (GPS), the Russia-based Global Navigation Satellite System (GLONASS), the China-based BeiDou Navigation Satellite System (BDS), and the Europe-based Galileo GNSS. There is no restriction on operating on any particular hardware arrangement, and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
[0139] Storage device 1130 may be a non-volatile and / or non-transitory and / or computer- readable memory device and may be a hard disk or other types of computer readable media which may store data that are accessible by a computer, such as magnetic cassettes, flash memory cards,Qualcomm Ref. No. 2404002WO46 solid state memory devices, digital versatile disks, cartridges, a floppy disk, a flexible disk, a hard disk, magnetic tape, a magnetic strip / stripe, any other magnetic storage medium, flash memory, memristor memory, any other solid-state memory, a compact disc read only memory (CD-ROM) optical disc, a rewritable compact disc (CD) optical disc, digital video disk (DVD) optical disc, a blu-ray disc (BDD) optical disc, a holographic optical disk, another optical medium, a secure digital (SD) card, a micro secure digital (microSD) card, a Memory Stick® card, a smartcard chip, a EMV chip, a subscriber identity module (SIM) card, a mini / micro / nano / pico SIM card, another integrated circuit (IC) chip / card, random access memory (RAM), static RAM (SRAM), dynamic RAM (DRAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash EPROM (FLASHEPROM), cache memory (e.g., Level 1 (LI) cache, Level 2 (L2) cache, Level 3 (L3) cache, Level 4 (L4) cache, Level 5 (L5) cache, or other (L#) cache), resistive random-access memory (RRAM / ReRAM), phase change memory (PCM), spin transfer torque RAM (STT-RAM), another memory chip or cartridge, and / or a combination thereof.
[0140] The storage device 1130 may include software services, servers, services, etc., that when the code that defines such software is executed by the processor 1110, it causes the system to perform a function. In some embodiments, a hardware service that performs a particular function may include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 1110, connection 1105, output device 1135, etc., to carry out the function. The term “computer-readable medium” includes, but is not limited to, portable or non-portable storage devices, optical storage devices, and various other mediums capable of storing, containing, or carrying instruction(s) and / or data. A computer-readable medium may include a non-transitoiy medium in which data may be stored and that does not include carrier waves and / or transitory electronic signals propagating wirelessly or over wired connections. Examples of a non-transitory medium may include, but are not limited to, a magnetic disk or tape, optical storage media such as compact disk (CD) or digital versatile disk (DVD), flash memory, memory or memory devices. A computer-readable medium may have stored thereon code and / or machine-executable instructions that may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to anotherQualcomm Ref. No. 2404002WO47 code segment or a hardware circuit by passing and / or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, or the like.
[0141] Specific details are provided in the description above to provide a thorough understanding of the embodiments and examples provided herein, but those skilled in the art will recognize that the application is not limited thereto. Thus, while illustrative embodiments of the application have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed, and that the appended claims are intended to be construed to include such variations, except as limited by the prior art. Various features and aspects of the above-described application may be used individually or jointly. Further, embodiments may be utilized in any number of environments and applications beyond those described herein without departing from the broader scope of the specification. The specification and drawings are, accordingly, to be regarded as illustrative rather than restrictive. For the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described.
[0142] For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software. Additional components may be used other than those shown in the figures and / or described herein. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
[0143] Further, those of skill in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends uponQualcomm Ref. No. 2404002WO48 the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
[0144] Individual embodiments may be described above as a process or method which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations may be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination may correspond to a return of the function to the calling function or the main function.
[0145] Processes and methods according to the above-described examples may be implemented using computer-executable instructions that are stored or otherwise available from computer- readable media. Such instructions may include, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or a processing device to perform a certain function or group of functions. Portions of computer resources used may be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, source code. Examples of computer-readable media that may be used to store instructions, information used, and / or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
[0146] In some embodiments the computer-readable storage devices, mediums, and memories may include a cable or wireless signal containing a bitstream and / or the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
[0147] Those of skill in the art will appreciate that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout theQualcomm Ref. No. 2404002WO49 above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof, in some cases depending in part on the particular application, in part on the desired design, in part on the corresponding technology, etc.
[0148] The various illustrative logical blocks, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed using hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof, and may take any of a variety of form factors. When implemented in software, firmware, middleware, or microcode, the program code or code segments to perform the necessary tasks (e.g., a computer-program product) may be stored in a computer-readable or machine-readable medium. A processor(s) may perform the necessary tasks. Examples of form factors include laptops, smart phones, mobile phones, tablet devices or other small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also may be embodied in peripherals or add-in cards. Such functionality may also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
[0149] The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are example means for providing the functions described in the disclosure.
[0150] The techniques described herein may also be implemented in electronic hardware, computer software, firmware, or any combination thereof. Such techniques may be implemented in any of a variety of devices such as general purposes computers, wireless communication device handsets, or integrated circuit devices having multiple uses including application in wireless communication device handsets and other devices. Any features described as modules or components may be implemented together in an integrated logic device or separately as discrete but interoperable logic devices. If implemented in software, the techniques may be realized at least in part by a computer-readable data storage medium including program code including instructions that, when executed, performs one or more of the methods, algorithms, and / or operations described above. The computer-readable data storage medium may form part of a computer program product, which may include packaging materials. The computer-readable medium may include memory orQualcomm Ref. No. 2404002WO50 data storage media, such as random access memory (RAM) such as synchronous dynamic random access memory (SDRAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), FLASH memory, magnetic or optical data storage media, and / or the like. The techniques additionally, or alternatively, may be realized at least in part by a computer-readable communication medium that carries or communicates program code in the form of instructions or data structures and that may be accessed, read, and / or executed by a computer, such as propagated signals or waves.
[0151] The program code may be executed by a processor, which may include one or more processors, such as one or more digital signal processors (DSPs), general purpose microprocessors, an application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs), or other equivalent integrated or discrete logic circuitry. Such a processor may be configured to perform any of the techniques described in this disclosure. A general-purpose processor may be a microprocessor; but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Accordingly, the term “processor,” as used herein may refer to any of the foregoing structure, any combination of the foregoing structure, or any other structure or apparatus suitable for implementation of the techniques described herein.
[0152] One of ordinary skill will appreciate that the less than (“<”) and greater than (“>”) symbols or terminology used herein may be replaced with less than or equal to (“<”) and greater than or equal to (“>”) symbols, respectively, without departing from the scope of this description.
[0153] Where components are described as being “configured to” perform certain operations, such configuration may be accomplished, for example, by designing electronic circuits or other hardware to perform the operation, by programming programmable electronic circuits (e.g., microprocessors, or other suitable electronic circuits) to perform the operation, or any combination thereof.
[0154] The phrase “coupled to” or “communicatively coupled to” refers to any component that is physically connected to another component either directly or indirectly, and / or any component that is in communication with another component (e.g., connected to the other component over aQualcomm Ref. No. 2404002WO51 wired or wireless connection, and / or other suitable communication interface) either directly or indirectly.
[0155] Claim language or other language reciting “at least one of’ a set and / or “one or more” of a set indicates that one member of the set or multiple members of the set (in any combination) satisfy the claim. For example, claim language reciting “at least one of A and B” or “at least one of A or B” means A, B, or A and B. In another example, claim language reciting “at least one of A, B, and C” or “at least one of A, B, or C” means A, B, C, or A and B, or A and C, or B and C, A and B and C, or any duplicate information or data (e.g., A and A, B and B, C and C, A and A and B, and so on), or any other ordering, duplication, or combination of A, B, and C. The language “at least one of’ a set and / or “one or more” of a set does not limit the set to the items listed in the set. For example, claim language reciting “at least one of A and B” or “at least one of A or B” may mean A, B, or A and B, and may additionally include items not listed in the set of A and B. The phrases “at least one” and “one or more” are used interchangeably herein.
[0156] Claim language or other language reciting “at least one processor configured to,” “at least one processor being configured to,” “one or more processors configured to,” “one or more processors being configured to,” or the like indicates that one processor or multiple processors (in any combination) can perform the associated operation(s). For example, claim language reciting “at least one processor configured to: X, Y, and Z” means a single processor can be used to perform operations X, Y, and Z; or that multiple processors are each tasked with a certain subset of operations X, Y, and Z such that together the multiple processors perform X, Y, and Z; or that a group of multiple processors work together to perform operations X, Y, and Z. In another example, claim language reciting “at least one processor configured to: X, Y, and Z” can mean that any single processor may only perform at least a subset of operations X, Y, and Z.
[0157] Where reference is made to one or more elements performing functions (e.g., steps of a method), one element may perform all functions, or more than one element may collectively perform the functions. When more than one element collectively performs the functions, each function need not be performed by each of those elements (e.g., different functions may be performed by different elements) and / or each function need not be performed in whole by only one element (e.g., different elements may perform different sub-functions of a function). Similarly, where reference is made to one or more elements configured to cause another elementQualcomm Ref. No. 2404002WO52(e.g., an apparatus) to perform functions, one element may be configured to cause the other element to perform all functions, or more than one element may collectively be configured to cause the other element to perform the functions.
[0158] Where reference is made to an entity (e.g., any entity or device described herein) performing functions or being configured to perform functions (e.g., steps of a method), the entity may be configured to cause one or more elements (individually or collectively) to perform the functions. The one or more components of the entity may include at least one memory, at least one processor, at least one communication interface, another component configured to perform one or more (or all) of the functions, and / or any combination thereof. Where reference to the entity performing functions, the entity may be configured to cause one component to perform all functions, or to cause more than one component to collectively perform the functions. When the entity is configured to cause more than one component to collectively perform the functions, each function need not be performed by each of those components (e.g., different functions may be performed by different components) and / or each function need not be performed in whole by only one component (e.g., different components may perform different sub-functions of a function).
[0159] Illustrative aspects of the disclosure include:
[0160] Aspect 1. An apparatus at a wireless device for user authentication, comprising: a memory system comprising instructions; and a processor system coupled to the memory system, wherein the processor system is configured to: establish a secure connection with a service of a wireless network; provide, for a user authentication server, a user authentication registration request to the service via the secure connection; and receive, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0161] Aspect 2. The apparatus of Aspect 1, wherein the processor system is further configured to: generate a public key-private key pair for use with user authentication; wherein the user authentication registration request comprises a public key of the public key-private key pair.
[0162] Aspect 3. The apparatus of any of Aspects 1-2, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein theQualcomm Ref. No. 2404002WO53 service comprises a security service of the wireless network or a user registration service of the wireless network.
[0163] Aspect 4. The apparatus of any of Aspects 1-3, wherein the user authentication registration request comprises at least one of: a user identifier for a user of the wireless device or user specific information.
[0164] Aspect 5. The apparatus of any of Aspects 1-4, wherein at least one of a public key or an identifier for the wireless device are provided to the user authentication server by the service.
[0165] Aspect 6. The apparatus of Aspect 5, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
[0166] Aspect 7. The apparatus of any of Aspects 1-6, wherein the processor system is further configured to: receive a user authentication request from the service; verify, based on the user authentication request, a user of the wireless device; and generate a user authentication response, wherein the user authentication response comprises a user identifier associated with the user.
[0167] Aspect 8. The apparatus of any of Aspects 1-7, wherein the processor system is further configured to receive a user identifier along with the indication that a user profile was successfully created.
[0168] Aspect 9. The apparatus of any of Aspects 1-8, wherein the secure connection is established using a subscription credential associated with the wireless device.
[0169] Aspect 10. An apparatus at a first service of a wireless network for user authentication, comprising: a memory system comprising instructions; and a processor system coupled to the memory system, wherein the processor system is configured to: establish a secure connection with a wireless device; receive a user authentication registration request from the wireless device via the secure connection; transmit, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmit, to the wireless device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0170] Aspect 11. The apparatus of Aspect 10, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein the first serviceQualcomm Ref. No. 2404002WO54 comprises a security service of the wireless network or a user registration service of the wireless network.
[0171] Aspect 12. The apparatus of any of Aspects 10-11, wherein the user authentication registration request comprises at least one of: the user identifier for a user of the wireless device or user specific information.
[0172] Aspect 13. The apparatus of any of Aspects 10-12, the processor system is further configured to create the user profile on a storage service based on the user identifier, the identifier for the wireless device, and a public key.
[0173] Aspect 14. The apparatus of any of Aspects 10-13, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
[0174] Aspect 15. The apparatus of any of Aspects 10-14, wherein the processor system is further configured to generate the user identifier.
[0175] Aspect 16. The apparatus of any of Aspects 10-15, wherein the first service of the wireless network comprises a security service, and wherein the processor system is further configured to: receive, from a second service of the wireless network, a request for the user profile; obtain the user profile; and transmit the user profile of a user to the second service.
[0176] Aspect 17. The apparatus of Aspect 16, wherein the processor system is further configured to: trigger a user authentication request for the wireless device; and receive, from the wireless device, a user authentication response, wherein the user authentication response comprises the user identifier, and wherein the user authentication response is verified based on a public key of a public key-private key pair.
[0177] Aspect 18. The apparatus of any of Aspects 16-17, wherein the user profile is obtained from a storage service.
[0178] Aspect 19. The apparatus of any of Aspects 10-18, wherein the secure connection is established using a subscription credential associated with the wireless device.
[0179] Aspect 20. A method for user authentication, comprising: establishing, by a wireless device, a secure connection with a service of a wireless network; providing, for a user authentication server, a user authentication registration request to the service via the secureQualcomm Ref. No. 2404002WO55 connection; and receiving, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
[0180] Aspect 21. The method of Aspect 20, further comprising: generating a public key -private key pair for use with user authentication; wherein the user authentication registration request comprises a public key of the public key-private key pair.
[0181] Aspect 22. The method of any of Aspects 20-21, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and / or wherein the service comprises a security service of the wireless network or a user registration service of the wireless network.
[0182] Aspect 23. The method of any of Aspects 20-22, wherein the user authentication registration request comprises at least one of: a user identifier for a user of the wireless device or user specific information.
[0183] Aspect 24. The method of any of Aspects 20-23, wherein at least one of a public key or an identifier for the wireless device are provided to the user authentication server by the service.
[0184] Aspect 25. The method of Aspect 24, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
[0185] Aspect 26. The method of any of Aspects 20-25, further comprising: receiving a user authentication request from the service; verifying, based on the user authentication request, a user of the wireless device; and generating a user authentication response, wherein the user authentication response comprises a user identifier associated with the user.
[0186] Aspect 27. The method of any of Aspects 20-26, further comprising receiving a user identifier along with the indication that a user profile was successfully created.
[0187] Aspect 28. The method of any of any of Aspects 20-27, wherein the secure connection is established using a subscription credential associated with the wireless device.
[0188] Aspect 29. A method for user authentication by a first service of a wireless network, comprising: establishing a secure connection with a wireless device; receiving a user authentication registration request from the wireless device via the secure connection; transmitting, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmitting, to the wireless device, an indication that a userQualcomm Ref. No. 2404002WO56 profile for user authentication was successfully created based on the user authentication registration request.
[0189] Aspect 30. The method of Aspect 29, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein the first service comprises a security service of the wireless network or a user registration service of the wireless network.
[0190] Aspect 31. The method of any of Aspects 29-30, wherein the user authentication registration request comprises at least one of the user identifier for a user of the wireless device or user specific information.
[0191] Aspect 32. The method of any of Aspects 29-31, further comprising creating the user profile on a storage service based on the user identifier, the identifier for the wireless device, and a public key.
[0192] Aspect 33. The method of any of Aspects 29-32, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
[0193] Aspect 34. The method of any of Aspects 29-33, further comprising generating the user identifier.
[0194] Aspect 35. The method of any of Aspects 29-34, wherein the first service of the wireless network comprises a security service, and further comprising: receiving, from a second service of the wireless network, a request for the user profile; obtaining the user profile; and transmitting the user profile of a user to the second service.
[0195] Aspect 36. The method of Aspect 35, further comprising: triggering a user authentication request for the wireless device; and receiving, from the wireless device, a user authentication response, wherein the user authentication response comprises the user identifier and wherein the user authentication response is verified based on a public key of a public key-private key pair.
[0196] Aspect 37. The method of any of Aspects 35-36, wherein the user profile is obtained from a storage service.
[0197] Aspect 38. The method of any of Aspects 29-37, wherein the secure connection is established using a subscription credential associated with the wireless device.Qualcomm Ref. No. 2404002WO57
[0198] Aspect 39. An apparatus for user authentication comprising one or more means for performing operations according to any of Aspects 20-28
[0199] Aspect 40. An apparatus for user authentication comprising one or more means for performing operations according to any of Aspects 29-38.
Claims
Qualcomm Ref. No. 2404002WO58CLAIMSWHAT IS CLAIMED IS:
1. An apparatus at a wireless device for user authentication, comprising: a memory system comprising instructions; and a processor system coupled to the memory system, wherein the processor system is configured to: establish a secure connection with a service of a wireless network; provide, for a user authentication server, a user authentication registration request to the service via the secure connection; and receive, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
2. The apparatus of claim 1, wherein the processor system is further configured to: generate a public key -private key pair for use with user authentication; wherein the user authentication registration request comprises a public key of the public key -private key pair.
3. The apparatus of claim 1, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein the service comprises a security service of the wireless network or a user registration service of the wireless network.
4. The apparatus of claim 1, wherein the user authentication registration request comprises at least one of: a user identifier for a user of the wireless device or user specific information.
5. The apparatus of claim 1, wherein at least one of a public key or an identifier for the wireless device are provided to the user authentication server by the service.
6. The apparatus of claim 5, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
7. The apparatus of claim 1, wherein the processor system is further configured to:Qualcomm Ref. No. 2404002WO59 receive a user authentication request from the service; verify, based on the user authentication request, a user of the wireless device; and generate a user authentication response, wherein the user authentication response comprises a user identifier associated with the user.
8. The apparatus of claim 1, wherein the processor system is further configured to receive a user identifier along with the indication that a user profile was successfully created.
9. The apparatus of claim 1, wherein the secure connection is established using a subscription credential associated with the wireless device.
10. An apparatus at a first service of a wireless network for user authentication, comprising: a memory system comprising instructions; and a processor system coupled to the memory system, wherein the processor system is configured to: establish a secure connection with a wireless device; receive a user authentication registration request from the wireless device via the secure connection; transmit, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmit, to the wireless device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
11. The apparatus of claim 10, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein the first service comprises a security service of the wireless network or a user registration service of the wireless network.
12. The apparatus of claim 10, wherein the user authentication registration request comprises at least one of: the user identifier for a user of the wireless device or user specific information.Qualcomm Ref. No. 2404002WO6013. The apparatus of claim 10, the processor system is further configured to create the user profile on a storage service based on the user identifier, the identifier for the wireless device, and a public key.
14. The apparatus of claim 10, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
15. The apparatus of claim 10, wherein the processor system is further configured to generate the user identifier.
16. The apparatus of claim 10, wherein the first service of the wireless network comprises a security service, and wherein the processor system is further configured to: receive, from a second service of the wireless network, a request for the user profile; obtain the user profile; and transmit the user profile of a user to the second service.
17. The apparatus of claim 16, wherein the processor system is further configured to: trigger a user authentication request for the wireless device; and receive, from the wireless device, a user authentication response, wherein the user authentication response comprises the user identifier, and wherein the user authentication response is verified based on a public key of a public key-private key pair.
18. The apparatus of claim 16, wherein the user profile is obtained from a storage service.
19. The apparatus of claim 10, wherein the secure connection is established using a subscription credential associated with the wireless device.
20. A method for user authentication, comprising: establishing, by a wireless device, a secure connection with a service of a wireless network;Qualcomm Ref. No. 2404002WO61 providing, for a user authentication server, a user authentication registration request to the service via the secure connection; and receiving, from the service, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
21. The method of claim 20, further comprising: generating a public key-private key pair for use with user authentication; wherein the user authentication registration request comprises a public key of the public key -private key pair.
22. The method of claim 20, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and / or wherein the service comprises a security service of the wireless network or a user registration service of the wireless network.
23. The method of claim 20, wherein the user authentication registration request comprises at least one of: a user identifier for a user of the wireless device or user specific information.
24. The method of claim 20, wherein at least one of a public key or an identifier for the wireless device are provided to the user authentication server by the service.
25. The method of claim 24, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
26. The method of claim 20, further comprising: receiving a user authentication request from the service; verifying, based on the user authentication request, a user of the wireless device; and generating a user authentication response, wherein the user authentication response comprises a user identifier associated with the user.
27. The method of claim 20, further comprising receiving a user identifier along with the indication that a user profile was successfully created.Qualcomm Ref. No. 2404002WO6228. The method of claim 20, wherein the secure connection is established using a subscription credential associated with the wireless device.
29. A method for user authentication by a first service of a wireless network, comprising: establishing a secure connection with a wireless device; receiving a user authentication registration request from the wireless device via the secure connection; transmitting, to a user authentication server, the user authentication registration request, a user identifier, and an identifier for the wireless device; and transmitting, to the wireless device, an indication that a user profile for user authentication was successfully created based on the user authentication registration request.
30. The method of claim 29, wherein the user authentication registration request comprises a fast identity online (FIDO) registration request, and wherein the first service comprises a security service of the wireless network or a user registration service of the wireless network.
31. The method of claim 29, wherein the user authentication registration request comprises at least one of the user identifier for a user of the wireless device or user specific information.
32. The method of claim 29, further comprising creating the user profile on a storage service based on the user identifier, the identifier for the wireless device, and a public key.
33. The method of claim 29, wherein the identifier for the wireless device comprises a subscription identifier for the wireless network.
34. The method of claim 29, further comprising generating the user identifier.
35. The method of claim 29, wherein the first service of the wireless network comprises a security service, and further comprising: receiving, from a second service of the wireless network, a request for the user profile;Qualcomm Ref. No. 2404002WO63 obtaining the user profile; and transmitting the user profile of a user to the second service.
36. The method of claim 35, further comprising: triggering a user authentication request for the wireless device; and receiving, from the wireless device, a user authentication response, wherein the user authentication response comprises the user identifier and wherein the user authentication response is verified based on a public key of a public key-private key pair.
37. The method of claim 35, wherein the user profile is obtained from a storage service.
38. The method of claim 29, wherein the secure connection is established using a subscription credential associated with the wireless device.