US-12627986-B2 - Derived credential service for implementing delegated functions

Abstract

One or more computing devices, systems, and/or methods for hosting a derived credential service for implementing delegated functions are provided. Credentials of a hardware module within a device and authentication of the device with a core network are used to generate a derived credential. The derived credential is mapped to a subscriber associated with the device so that the derived credential service can perform delegated functions over a network, different than the core network, on behalf of the device.

Inventors

  • Stuart G Wilson
  • Robert D Hopley
  • Bjorn Hjelm

Assignees

  • VERIZON PATENT AND LICENSING INC.

Dates

Publication Date
2026-05-12
Application Date
2023-06-21

Claims (20)

  1. A method, comprising: generating, by a derived credential service of a cellular core network, a derived credential for a subscriber using (i) credentials of a hardware module within a device associated with the subscriber of the cellular core network and (ii) authentication of the device with the cellular core network; generating, by the derived credential service of the cellular core network, a credential mapping that maps the subscriber of the cellular core network to the derived credential for performing delegated functions with an application hosted by a network external to the cellular core network, wherein the network external to the cellular core network comprises at least one of a local area network (LAN), a wide area network (WAN), a public cloud, the web or an enterprise network; in response to the device authenticating with the cellular core network using the credentials of the hardware module within the device associated with the subscriber, routing communication, from the device to the application hosted by the network external to the cellular core network, to the derived credential service of the cellular core network; identifying, by the derived credential service of the cellular core network, the credential mapping as being mapped to the device associated with the subscriber utilizing the routed communication; and performing, by the derived credential service of the cellular core network, a delegated security function, over the network external to the cellular core network, with the application on behalf of the device based on the credential mapping.
  2. The method of claim 1, comprising: performing the delegated security function to establish a virtual private network connection from the device through the network to the application.
  3. The method of claim 1, comprising: performing the delegated security function to facilitate a remote signing capability where the derived credential service enables a remote signing service relying on the derived credential.
  4. The method of claim 1, comprising: performing the delegated security function to provide the device with zero trust network access to the network.
  5. The method of claim 1, comprising: performing the delegated security function to provide at least one of integrity verification, authentication, confidentiality, or secure communication from the device to the application.
  6. The method of claim 1, further comprising: generating and storing the derived credential and the credential mapping by the derived credential service hosted external to the device, wherein the delegated security function is performed on behalf of the device.
  7. The method of claim 1, wherein the credential mapping maps a mobile equipment identifier of the device to the derived credential.
  8. The method of claim 1, further comprising generating the derived credential utilizing a privacy preserving technique to anonymize the derived credential for preserving an anonymity of the subscriber.
  9. The method of claim 1, comprising: performing a verification check to determine whether the derived credential is stale; and in response to determining that the derived credential is stale, invalidating the derived credential and generating a new derived credential.
  10. The method of claim 9, wherein the verification check determines whether the device has connected to the cellular core network within a threshold timespan.
  11. The method of claim 9, wherein the verification check determines whether the hardware module has been deactivated.
  12. A computing device comprising memory storing instructions and comprising a processor that executes the instructions to perform operations comprising: utilizing credentials of a hardware module within a device associated with a subscriber of a cellular core network and authentication of the device with the cellular core network to generate a derived credential for the subscriber of the cellular core network; generating a credential mapping that maps the subscriber of the cellular core network to the derived credential for performing delegated functions with a service hosted by a network external to the cellular core network, wherein the network external to the cellular core network comprises at least one of a local area network (LAN), a wide area network (WAN), a public cloud, the web or an enterprise network; in response to the device authenticating with the cellular core network using the credentials of the hardware module within the device associated with the subscriber, routing communication, from the device to the service hosted by the network external to the cellular core network, to a derived credential service; identifying, by the derived credential service, the credential mapping as being mapped to the device associated with the subscriber utilizing the routed communication; and utilizing, by the derived credential service, the credential mapping to perform a delegated function, over the network external to the cellular core network, with the service on behalf of the device.
  13. The computing device of claim 12, wherein the derived credential service is hosted within the cellular core network.
  14. The computing device of claim 12, wherein execution of the delegated function is offloaded from the device to the derived credential service hosted external to the device.
  15. The computing device of claim 12, wherein the derived credential comprises a private/public key pair with a certificate.
  16. The computing device of claim 12, wherein the derived credential comprises at least one of a token or a symmetric key.
  17. The computing device of claim 12, wherein the derived credential service subscribes to the cellular core network for status changes of the device, and wherein the derived credential service utilizes the status changes to determine whether the derived credential is stale.
  18. A non-transitory computer-readable medium storing instructions that when executed facilitate performance of operations comprising: utilizing credentials of a hardware module within a device associated with a subscriber of a core network and authentication of the device with the core network to generate a derived credential for the subscriber of the core network; generating a credential mapping that maps the subscriber of the core network to the derived credential for performing delegated functions for a network external to the core network, wherein at least one of the core network comprises a cellular core network or the network external to the core network comprises at least one of a local area network (LAN), a wide area network (WAN), a public cloud, the web or an enterprise network; in response to the device authenticating with the core network using the credentials of the hardware module within the device associated with the subscriber, routing communication, from the device to the network external to the core network, to a derived credential service; identifying, by the derived credential service, the credential mapping as being mapped to the device associated with the subscriber utilizing the routed communication; and utilizing, by the derived credential service, the credential mapping to perform a delegated function, over the network external to the core network, on behalf of the device.
  19. The non-transitory computer-readable medium of claim 18, wherein the hardware module comprises a subscriber identity module (SIM) card.
  20. The non-transitory computer-readable medium of claim 18, wherein the hardware module comprises a universal integrated circuit card.
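The claims above describe a lifecycle rather than an algorithm: a credential is derived only after the hardware module authenticates with the core network, it is mapped to the device (claim 7, by mobile equipment identifier), the service uses it to act toward an external application on the device's behalf (claims 1, 3, 12), and it is invalidated when the device has not attached within a threshold (claim 10) or the module is deactivated (claims 11, 17). The following Python model, added here as an illustration and not the patent's or Verizon's code, exercises that lifecycle end to end. Everything below the claim language is an assumption: an HMAC challenge/response stands in for 3GPP AKA, an HMAC over the authentication transcript stands in for the unspecified derivation step, the 24-hour threshold is invented, and the delegated function is request signing with a symmetric derived key (claim 16) that the external application is assumed to share with the service. The IMSI, MEID and keys are constructed sample values.

```python
# Added toy model of the claimed derived-credential service (not the patent's code).
# Assumed: HMAC challenge/response instead of 3GPP AKA, HMAC over the auth transcript
# instead of the unspecified derivation, an invented staleness threshold, and request
# signing with a shared symmetric key as the delegated function. Sample values are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

STALE_AFTER = 24 * 3600  # assumed threshold for the claim 10 check; the patent fixes no value


@dataclass
class HardwareModule:
    imsi: str
    ki: bytes            # subscriber key, known only to the SIM/UICC and the core network
    active: bool = True


@dataclass
class DerivedCredential:
    key: bytes           # symmetric derived credential (claim 16)
    last_core_auth: float
    valid: bool = True


class CoreNetwork:
    def __init__(self):
        self.modules, self.listeners = {}, []

    def authenticate(self, imsi, challenge, response):
        mod = self.modules.get(imsi)
        if mod is None or not mod.active:
            return False
        expected = hmac.new(mod.ki, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def deactivate(self, imsi):  # pushes a status change to subscribed services (claim 17)
        self.modules[imsi].active = False
        for listener in self.listeners:
            listener.on_status_change(imsi, active=False)


class DerivedCredentialService:
    def __init__(self, core, service_secret):
        self.core, self.secret = core, service_secret
        self.mapping, self.imsi_by_meid = {}, {}  # MEID -> credential (claim 7)
        core.listeners.append(self)

    def register(self, meid, imsi, challenge, response, now):
        """Derive and map a credential only after the device authenticates with the core."""
        if not self.core.authenticate(imsi, challenge, response):
            raise PermissionError("core-network authentication failed")
        salt = secrets.token_bytes(16)  # fresh per credential, so re-registration rotates the key
        key = hmac.new(self.secret, salt + imsi.encode() + challenge + response,
                       hashlib.sha256).digest()
        self.mapping[meid] = DerivedCredential(key, last_core_auth=now)
        self.imsi_by_meid[meid] = imsi
        return self.mapping[meid]

    def on_status_change(self, imsi, active):
        for meid, cred in self.mapping.items():
            if self.imsi_by_meid[meid] == imsi and not active:
                cred.valid = False  # claim 11: hardware module deactivated

    def is_stale(self, meid, now):
        cred = self.mapping.get(meid)
        if cred is None:
            return True
        if not cred.valid or now - cred.last_core_auth > STALE_AFTER:  # claim 10
            cred.valid = False  # invalidated; a new credential needs a fresh core attach
            return True
        return False

    def delegate_sign(self, meid, request, now):
        """Delegated function: sign a request to the external app on the device's behalf."""
        if self.is_stale(meid, now):
            raise PermissionError("derived credential is stale; device must re-authenticate")
        return hmac.new(self.mapping[meid].key, request, hashlib.sha256).hexdigest()


def external_app_verify(cred, request, tag):
    """The external application checks the tag with the derived key it shares with the service."""
    return hmac.compare_digest(hmac.new(cred.key, request, hashlib.sha256).hexdigest(), tag)


def demo():
    """Constructed walk-through: register, delegate, age out, re-register, deactivate."""
    core = CoreNetwork()
    sim = HardwareModule(imsi="001010123456789", ki=secrets.token_bytes(16))  # constructed
    core.modules[sim.imsi] = sim
    dcs = DerivedCredentialService(core, service_secret=secrets.token_bytes(32))
    t0 = 1_700_000_000.0

    def attach(now):  # the device answers the core's challenge with its SIM key
        challenge = secrets.token_bytes(16)
        response = hmac.new(sim.ki, challenge, hashlib.sha256).digest()
        return dcs.register("MEID-1", sim.imsi, challenge, response, now)

    cred = attach(t0)
    tag = dcs.delegate_sign("MEID-1", b"GET /resource", t0 + 60)
    out = {"fresh_ok": external_app_verify(cred, b"GET /resource", tag)}
    out["stale_after_threshold"] = dcs.is_stale("MEID-1", t0 + STALE_AFTER + 1)
    new_cred = attach(t0 + STALE_AFTER + 2)
    out["rotated"] = new_cred.key != cred.key
    core.deactivate(sim.imsi)
    out["deactivation_invalidates"] = dcs.is_stale("MEID-1", t0 + STALE_AFTER + 3)
    return out
```

The point the model makes concrete is where the security boundary sits: the SIM key never leaves the core side, the external application only ever sees the derived key, and staleness is decided by the service from core-network signals (time since last attach, deactivation events) rather than by anything the external network can assert. A production service would use a certificate-backed key pair (claim 15) and an HSM-held service secret; the derivation shown is a stand-in, not the claimed method.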

Description

BACKGROUND

Many types of devices such as mobile phones, tablets, smart devices, and other devices use hardware modules for authentication with a core network. For example, a wearable smart device of a subscriber includes a subscriber identity module (SIM) card that stores identification information used by a wireless core network to locate, identify, and authenticate the wearable smart device. In particular, the SIM card stores network-specific information used to authenticate and identify the subscriber of the device, such as an international mobile subscriber identity (IMSI) number, an integrated circuit card identifier (ICCID) and related key, security authentication information, and/or other credentials. In this way, the core network can authenticate a device for communicating over the core network.

BRIEF DESCRIPTION OF THE DRAWINGS

While the techniques presented herein may be embodied in alternative forms, the particular embodiments illustrated in the drawings are only a few examples that are supplemental of the description provided herein. These embodiments are not to be interpreted in a limiting manner, such as limiting the claims appended hereto.

FIG. 1 is a diagram illustrating an example of a system for a derived credential service that implements delegated functions, in accordance with an embodiment of the present technology;
FIG. 2 is a flow chart illustrating an example method for a derived credential service that implements delegated functions, in accordance with an embodiment of the present technology;
FIG. 3A is a flow chart illustrating an example of registering a device with a derived credential service, in accordance with an embodiment of the present technology;
FIG. 3B is a flow chart illustrating an example method for a derived credential service that implements delegated functions, in accordance with an embodiment of the present technology;
FIG. 4 is a diagram illustrating an example of a system for a derived credential service that implements delegated functions, in accordance with an embodiment of the present technology;
FIG. 5 is a diagram illustrating an example of a system for a derived credential service that implements delegated functions, in accordance with an embodiment of the present technology;
FIG. 6 is an illustration of example networks that may utilize and/or implement at least a portion of the techniques presented herein;
FIG. 7 is an illustration of a scenario involving an example configuration of a computer that may utilize and/or implement at least a portion of the techniques presented herein;
FIG. 8 is an illustration of a scenario involving an example configuration of a client that may utilize and/or implement at least a portion of the techniques presented herein;
FIG. 9 is an illustration of a scenario featuring an example non-transitory machine readable medium in accordance with one or more of the provisions set forth herein.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Subject matter will now be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific example embodiments. This description is not intended as an extensive or detailed discussion of known concepts. Details that are well known may have been omitted, or may be handled in summary fashion. The following subject matter may be embodied in a variety of different forms, such as methods, devices, components, and/or systems. Accordingly, this subject matter is not intended to be construed as limited to any example embodiments set forth herein. Rather, example embodiments are provided merely to be illustrative. Such embodiments may, for example, take the form of hardware, software, firmware or any combination thereof.

The following provides a discussion of some types of computing scenarios in which the disclosed subject matter may be utilized and/or implemented. One or more systems and/or techniques for a derived credential service that implements delegated functions are provided. Devices connect to a core network, such as a wireless core network, in order to communicate over the core network and/or other networks accessible from the core network. In order for a device to successfully connect with the core network (e.g., a mobile device connecting to a 4G network, a 5G network, a 3GPP network, or any other cellular or communication network), the device authenticates with the core network. As part of authenticating with the core network in order to communicate over the core network, the device utilizes credentials known only to the device and the core network. The credentials may be stored within a hardware module of the device. The hardware module may comprise a subscriber identity module (SIM) card, a universal integrated circuit card (UICC), an embedded universal integrated circuit card (eUICC), an integrated universal integrated circuit card (iUICC), or any other hardware module used to store the credentials such a