


Title:
SECURE CONNECTION OF CELLULAR DEVICES WITHOUT USING A CORE CELLULAR NETWORK
Document Type and Number:
WIPO Patent Application WO/2017/078804
Kind Code:
A1
Abstract:
Technologies described herein enable service providers to remotely provision, connect, and/or manage radio/network access for CIoT devices (e.g., low-power, stationary CIoT devices that do not generally roam) while making efficient use of radio resources and using robust end-to-end (E2E) security. A Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station can have an Internet Protocol (IP) secure tunnel to an Application Server (AS) of a Cloud Service Provider (CSP) and can maintain a mapping table in order to facilitate establishment of secure communications between the AS and a CIoT device without establishment of a full Radio Resource Control (RRC) connection and without the aid of a core cellular network.

Inventors:
ADRANGI FARID (US)
MARTINEZ TARRADELL MARTA (US)
BANGOLAE SANGEETHA (US)
JAIN PUNEET (US)
Application Number:
PCT/US2016/041003
Publication Date:
May 11, 2017
Filing Date:
July 05, 2016
Assignee:
INTEL IP CORP (US)
International Classes:
H04W12/06; H04W4/70
Domestic Patent References:
WO2014193278A12014-12-04
WO2015072899A12015-05-21
Other References:
VODAFONE: "pCR to TR 33.863: Multiple changes as per conference call", 3GPP TSG SA WG3, Anaheim (USA), 9-13 November 2015, XP051036158, retrieved from the Internet on 1 November 2015.
3GPP: "Technical Specification Group Services and System Aspects; Study on security aspects of Machine-Type Communications (MTC) and other mobile data applications communications enhancements (Release 12)", 26 June 2014, XP050917128, retrieved from the Internet on 26 June 2014.
Attorney, Agent or Firm:
HAYMOND, Alex W. (US)
Claims:

What is claimed is:

1. An apparatus of a User Equipment (UE), the apparatus comprising one or more processors and memory configured to:

signal a transceiver at the UE to send an access-request message to a cellular base station that is associated with a Radio Access Network Security Gateway (RAN-SecGW), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and the access-request message including a CSP identifier (CSP ID) indicating the CSP;

identify an access-response message received at the UE via the transceiver, wherein the access-response includes an authentication CSP key;

verify the identity of the CSP using the authentication CSP key; and

signal the transceiver at the UE to send an access-complete message to the cellular base station to facilitate establishment of a secure communication channel between the UE and the CSP.

2. The apparatus of claim 1, wherein the RAN-SecGW and the CSP are connected via an Internet Packet (IP) secure tunnel.

3. The apparatus of claim 1 or 2, wherein the access-request message includes one or more of: a unique ID of the UE, device information about the UE, or an establishment cause.

4. The apparatus of claim 1 or 2, wherein the one or more processors and memory are further configured to signal the transceiver to send the access-request message in a Media Access Control Layer of a Data Link Layer (Layer 2) or in a Radio Resource Control (RRC) message.

5. The apparatus of claim 1, wherein the one or more processors and memory are further configured to:

encrypt the access-request message using a Message Integrity Check (MIC) technique, a secret key (SK), and a random number, wherein the authentication CSP key is derived from the SK; and

signal the transceiver at the UE to send the access-request message to the cellular base station in an encrypted form.

6. The apparatus of claim 5, wherein the access-response message includes a random number for a radio-access key and a random number for an End-to-End (E2E) session key, and wherein the one or more processors are further configured to:

derive the radio-access key using a Key Derivation Function (KDF) and using the random number for the radio-access key and the SK as parameters for the KDF; and

derive the E2E session key using the KDF and using the random number for the E2E session key and the SK as parameters for the KDF.

7. The apparatus of claim 5 or 6, wherein the UE has been configured by the CSP with one or more of: the SK, device information, or a list of identifiers (IDs) of network operators associated with the CSP.

8. The apparatus of claim 5 or 6, wherein the UE has been configured by a manufacturer with at least one of: the SK or device information.

9. The apparatus of claim 6, wherein the one or more processors and memory are further configured to:

encrypt the access-complete message using a Message Integrity Check (MIC) technique and the radio-access key; and

signal the transceiver at the UE to send the access-complete message to the cellular base station in an encrypted form.

10. The apparatus of claim 1, 2, 5, 6, or 9, wherein the one or more processors include a baseband processor.

11. An apparatus of a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the apparatus comprising one or more processors and memory configured to:

identify an access-request message received from a User Equipment (UE), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and including a CSP identifier (CSP ID) indicating the CSP;

signal networking circuitry associated with the RAN-SecGW to send the access-request message to an Application Server (AS) of the CSP via an Internet Packet (IP) secure tunnel outside of a core network associated with the cellular base station;

identify an access-response message sent from the AS in response to the access-request message for the UE, wherein the access-response includes an authentication CSP key;

signal a transceiver associated with the cellular base station to send the access-response message to the UE;

identify an access-complete message sent from the UE in response to the access-response message;

modify a mapping table for the UE based on the access-complete message in order to indicate that a secure communication session has been established between the UE and the AS, wherein the RAN-SecGW uses the mapping table to route messages between the UE and the AS; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

12. The apparatus of claim 11, wherein the one or more processors and memory are further configured to:

modify the mapping table for the UE based on the access-response message to indicate that secure access between the UE and the AS is pending.

13. The apparatus of claim 11 or 12, wherein the mapping table includes one or more of: a Data Link Layer (Layer-2) address of the UE, the CSP ID, or a UE identifier (UE ID) for the UE.

14. The apparatus of claim 11 or 12, wherein the one or more processors and memory are further configured to:

assign a connection identifier (ID) and a Data Link Layer (Layer-2) identifier (ID) for the secure communication session; and

signal the transceiver associated with the cellular base station to send the connection ID and the layer-2 ID to the UE along with the access-response message.

15. The apparatus of claim 11 or 12, wherein the one or more processors and memory are further configured to:

identify a key-expiration time in the mapping table for the secure communication session;

signal the networking circuitry to send a key-refresh request message to the AS for the secure communication session before the key-expiration time is reached;

identify a key-refresh response message that was sent from the AS in response to the key-refresh request message;

update the mapping table based on the key-refresh response message;

signal the transceiver associated with the cellular base station to send a key-update message to the UE;

identify a key-refresh completion message sent from the UE in response to the key-update message; and

signal the networking circuitry to send the key-refresh completion message to the AS.

16. The apparatus of claim 15, wherein the key-refresh response message includes a radio access key and a random number for the radio access key, and wherein the one or more processors and memory are further configured to: install the radio access key; and

signal the transceiver associated with the cellular base station to send the random number for the radio access key to the UE along with the key-update message.

17. The apparatus of claim 15, wherein the key-refresh response message includes one or more of: the CSP ID, a UE identifier (UE ID) for the UE, or a random number for an End-to-End (E2E) session key.

18. The apparatus of claim 15, wherein the key-update message includes one or more of: a UE identifier (ID) for the UE, a random number for an End-to-End (E2E) session key, or a connection identifier (ID).

19. The apparatus of claim 11, wherein the one or more processors and memory are further configured to:

signal the networking circuitry associated with the RAN-SecGW to send the access-request message to the AS via an Internet Packet (IP) secure tunnel between the RAN-SecGW and a CSP Secure Gateway (CSP-SecGW) associated with the CSP; and

signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

20. An apparatus of an Application Server (AS) associated with a Cloud Service Provider (CSP), the apparatus comprising one or more processors and memory configured to:

identify an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP;

derive a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF;

derive an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF; and

signal networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio access key, the random number for the radio-access key, the E2E session key, and the random number for the session key.

21. The apparatus of claim 20, wherein the one or more processors and memory are further configured to signal the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW.

22. The apparatus of claim 20 or 21, wherein the one or more processors and memory are further configured to:

signal the networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE.

23. The apparatus of claim 20, wherein the one or more processors and memory are further configured to:

identify an access-complete message sent from the UE to the AS in response to the access-response message; and

signal the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.

Description:
SECURE CONNECTION OF CELLULAR DEVICES

WITHOUT USING A CORE CELLULAR NETWORK

BACKGROUND

[0001] Wireless mobile communication technology uses various standards and protocols to transmit data between a node (e.g., a transmission station) and a wireless device (e.g., a mobile device). Standards and protocols that use orthogonal frequency-division multiplexing (OFDM) for signal transmission include the third generation partnership project (3GPP) long term evolution (LTE), the Institute of Electrical and Electronics Engineers (IEEE) 802.16 standard (e.g., 802.16e, 802.16m), which is commonly known to industry groups as WiMAX (Worldwide interoperability for Microwave Access), and the IEEE 802.11 standard, which is commonly known to industry groups as WiFi.

[0002] In 3GPP radio access network (RAN) LTE systems, the node in an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) system is referred to as an eNode B (also commonly denoted as evolved Node Bs, enhanced Node Bs, eNodeBs, or eNBs), which communicates with the wireless device, known as a user equipment (UE). The downlink (DL) transmission can be a communication from the node (e.g., eNodeB) to the wireless device (e.g., UE), and the uplink (UL) transmission can be a communication from the wireless device to the node.

[0003] In LTE, data can be transmitted from the eNodeB to the UE via a physical downlink shared channel (PDSCH). A physical uplink control channel (PUCCH) can be used to acknowledge that data was received. Downlink and uplink channels or transmissions can use time-division duplexing (TDD) or frequency-division duplexing (FDD).

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] Features and advantages of the disclosure will be apparent from the detailed description which follows, taken in conjunction with the accompanying drawings, which together illustrate, by way of example, features of the disclosure; and, wherein:

[0005] FIG. 1 is a diagram illustrating a high-level view of a network structure in accordance with an example;

[0006] FIG. 2 is a diagram illustrating another high-level view of a network structure in accordance with an example;

[0007] FIG. 3 is a high-level diagram illustrating an example set of procedures that may be used to establish end-to-end (E2E) security in accordance with an example;

[0008] FIG. 4 is a high-level diagram illustrating another example set of procedures that may be used to establish end-to-end (E2E) security;

[0009] FIG. 5 is a high-level diagram illustrating a key-refresh protocol exchange for a UE in a connected mode in accordance with an example;

[0010] FIG. 6 illustrates functionality of a UE (e.g., CIoT device) in accordance with an example;

[0011] FIG. 7 illustrates functionality of cellular base station in accordance with an example;

[0012] FIG. 8 illustrates functionality of an Application Server (AS) that is associated with a Cloud Service Provider (CSP) in accordance with an example;

[0013] FIG. 9 provides an example illustration of a wireless device in accordance with an example;

[0014] FIG. 10 provides an example illustration of a user equipment (UE) device, such as a wireless device, a mobile station (MS), a mobile wireless device, a mobile communication device, a tablet, a handset, or other type of wireless device; and

[0015] FIG. 11 illustrates a diagram of a node (e.g., eNB and/or a Serving GPRS Support Node) and a wireless device (e.g., UE) in accordance with an example.

[0016] Reference will now be made to the exemplary embodiments illustrated and specific language will be used herein to describe the same. It will nevertheless be understood that no limitation of the scope of the disclosure is thereby intended.

DETAILED DESCRIPTION

[0017] Before some embodiments are disclosed and described, it is to be understood that the claimed subject matter is not limited to the particular structures, process operations, or materials disclosed herein, but is extended to equivalents thereof as would be recognized by those ordinarily skilled in the relevant arts. It should also be understood that terminology employed herein is used for the purpose of describing particular examples only and is not intended to be limiting. The same reference numerals in different drawings represent the same element. Numbers provided in flow charts and processes are provided for clarity in illustrating operations and do not necessarily indicate a particular order or sequence.

[0018] An initial overview of technology embodiments is provided below and then specific technology embodiments are described in further detail later. This initial summary is intended to aid readers in understanding the technology more quickly, but is not intended to identify key features or essential features of the technology nor is it intended to limit the scope of the claimed subject matter.

[0019] In the near future, it is anticipated that a large number (e.g., billions) of Cellular Internet-of-Things (CIoT) devices, which often use low power and have limited battery capacity, will be connected to cellular networks throughout the globe. Many of these CIoT devices will perform small, relatively infrequent wireless data transfers. It may be desired to transfer the data in a secure manner. Reducing over-the-air signaling overhead for connecting these CIoT devices without compromising security is an important objective in order to increase network resource efficiency and scalability and minimize CIoT power consumption.

[0020] CIoT devices, such as Machine-to-Machine (M2M) devices and User Equipments (UEs), may be classified under various CIoT usage categories (e.g., home automation, industry automation, and vehicle-to-vehicle communication). These CIoT devices can be deployed and/or managed by either cellular network operators or third-party cloud service providers (e.g., Google, Facebook, etc.). The term "third-party cloud service provider" can refer to third parties that are outside of the scope of 3GPP and that deploy one or more application servers that may typically reside within a cloud service provider's intranet. The application servers may be connected to the Internet via a security gateway of the third-party cloud service provider. For CIoT devices deployed and/or managed by a cellular network operator (a scenario referred to herein as "deployment model A"), the cellular network operator provides radio/network access for the CIoT devices and acts as a service provider (e.g., by being in charge of device certification and by offering subscription-based services).

[0021] On the other hand, for CIoT devices deployed and/or managed by a third-party cloud service provider (a scenario referred to herein as "deployment model B"), the cellular network operator provides radio/network access for the CIoT devices and the third-party cloud service provider generally handles customer acquisition, subscription management, accounting, and offering services to end customers. Some technologies provided herein are applicable to deployment model B, wherein the third-party service provider may purchase or lease radio resources from a mobile network operator (MNO). In deployment model B, the radio access network of the cellular network operator, which provides radio/network access for the CIoT devices, may be directly connected with the third-party cloud service provider (e.g., using a connection that bypasses the core network of the MNO).

[0022] Technologies of the present disclosure enable service providers to remotely provision, connect, and/or manage radio/network access for CIoT devices (e.g., low-power, substantially stationary CIoT devices that do not generally roam) while making efficient use of radio resources and using robust end-to-end (E2E) security. Specifically, technologies of the present disclosure provide efficient, low-overhead mechanisms to establish secure connections between CIoT devices and application servers via a cellular network (e.g., a 3GPP network) without establishment of a full Radio Resource Control (RRC) connection. These mechanisms are well-suited for small, infrequent data transmissions that occur between CIoT devices and the network and allow traditional 3GPP registration, attach, and authentication procedures to be avoided. By avoiding the establishment of an RRC connection and limiting the traditional attach and authentication procedures for CIoT devices, network traffic is reduced in the core network and power consumption is reduced at the CIoT devices.

[0023] FIG. 1 is a diagram illustrating a high-level view of a network structure 100 in accordance with an example. A UE 102 may be located in a coverage area of a cellular Base Station (BS) 104. The UE 102 can be used, for example, for communications involving CIoT, Machine-to-Machine (M2M), and Machine-Type Communication (MTC). The BS 104 may be closely associated with a Radio Access Network Secure Gateway (RAN SecGW) 106 that has an Internet Protocol (IP) secure tunnel 114 to a service provider. In one embodiment, the service provider can be a cloud service provider (CSP) 110. The IP secure tunnel 114 can enable communication between the UE 102 and the CSP 110 without the aid of the operator core network 108. The RAN SecGW 106 can maintain a mapping table for the UE 102 and other UEs that are connected to the CSP 110. The mapping table can include, for example, a UE identity (ID) of the UE 102, a CSP ID of the CSP 110, a layer-2 connection ID, and/or a security key. The BS 104 may be connected to the operator core network 108 through an S1 connection 112.

[0024] FIG. 2 is a diagram illustrating another high-level view of a network structure 200 in accordance with an example. A UE 202 may be located in a coverage area of a cellular Base Station (BS) 204. The UE 202 can be used, for example, for communications involving CIoT, Machine-to-Machine (M2M), and Machine-Type Communication (MTC). The BS 204 and a Radio Access Network Secure Gateway (RAN SecGW) 206 can be part of a cellular access network 236 and may be directly connected to each other via a connection 228. The RAN SecGW 206 can be connected to a service/security Gateway (GW) 216 of a Cloud Service Provider (CSP) 238 via an Internet Protocol (IP) secure tunnel 230. The IP secure tunnel 230 can enable communication between the UE 202 and the Application Server(s) 218 of the CSP 238 without the aid of the operator core network 234. Because of the IP secure tunnel 230, the cellular access network 236 (which may be managed by a Mobile Network Operator (MNO)) can be directly connected to the CSP 238 without the aid of the operator core network 234. Furthermore, the service/security GW 216 may have a secure connection 232 (e.g., effectively an extension of the IP secure tunnel 230) to the Application Server(s) 218. The CSP 238 can also have a service subscription manager 220.

[0025] The BS 204 can be connected to a Mobility Management Entity (MME) 208 of the cellular core network 234 via an S1 connection 224. The MME 208 can have a connection 222 to a Home Subscriber Server (HSS) 212. The cellular core network 234 can also comprise an Authentication Center (AUC) 210 and Application Server(s) (AS) 214. The RAN SecGW 206 can be securely connected to the AS 214 by an IP secure tunnel 226.

[0026] The RAN SecGW 206 can serve a number of purposes. For example, the RAN SecGW 206 can terminate layer-2 messages from the UE 202 that are destined for the Application Server(s) 218 of the CSP 238 and then forward the messages over the IP secure tunnel 230 to the Application Server(s) 218. In addition, the RAN SecGW 206 can terminate messages from the Application Server(s) 218 that are destined for the UE 202 and forward these messages to the BS 204. The RAN SecGW 206 can also maintain a mapping table for the UE 202 and other UEs that are connected to the CSP 238. The mapping table can include, for example, a UE identity (ID) of the UE 202, a CSP ID of the CSP 238, a layer-2 connection ID, and/or a security key. For the purposes of this disclosure, "layer 2" may refer to the Data Link Layer of the Open Systems Interconnection (OSI) model or one or more of the sublayers within the Data Link Layer, such as the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer.

[0027] While FIG. 2 shows the RAN SecGW 206 as being within the cellular access network 236, other configurations are possible. For example, a RAN SecGW can operate as an independent node shared by multiple cellular base stations, such as evolved Node Bs (eNBs). A RAN SecGW can also operate as an independent node that is connected to a Radio Access Network (RAN) and/or shared by multiple RANs. A RAN SecGW can also be a logical entity or function that is used or defined within a legacy cellular network node such as an LTE Serving Gateway. If the RAN SecGW is located remotely relative to a cellular BS with which it is associated, an additional connection may be used between the cellular BS and the RAN SecGW without departing from the scope of the disclosure. However, the figures included herein portray the RAN SecGW as being co-located with the cellular BS for simplicity.

[0028] As shown in FIG. 2, the cellular core network 234 can host application server(s) 214 and the cloud service provider 238 can host application server(s) 218. The UE 202 can request to establish a secure communication channel with the application server(s) 218 by providing an identity (ID) of the CSP 238. When a secure communication channel between the UE 202 and the application server(s) 218 is sought, deployment model B applies such that the CSP 238 controls and authorizes network access for the UE 202, thereby enabling the cellular access network 236 and the UE 202 to establish a secure session (e.g., with appropriate authentication and integrity) without involving the core cellular network 234. When a secure communication channel between the UE 202 and the application server(s) 214 is sought, the MME 208 and the Home Subscriber Server (HSS) 212 can be bypassed. In some embodiments, the application server(s) 214 may also have their own Service/Security GW.

[0029] In examples of the present disclosure, when an application server is hosted by a third-party CSP, the CSP can be responsible for authentication and authorization of a UE that seeks to establish a secure connection with the CSP without involving a core cellular network. This contrasts with legacy mechanisms in which the UE would be authenticated using an HSS of a core cellular network.

[0030] A cellular radio access network may seek input from the CSP in order to determine whether the cellular radio access network should allow future incoming messages from the UE. In addition, the cellular radio access network may seek additional information, such as a priority-related indication, a traffic/communication differentiation/characterization, or an access probability to apply when there is network congestion, from the CSP or the UE itself. The cellular network can allow "simple" UE access based on an indication received from the CSP.

[0031] In one embodiment, the UE can be preconfigured by the CSP to communicate via the secure connection with the CSP. Alternatively, the CSP can be configured by the device manufacturer with a security key and device information that can be used to form and/or communicate via the secure connection with the CSP. These options are described more fully in the following paragraphs.

Option 1 for E2E and Radio-Access Security: UE is preconfigured by the CSP

[0032] FIG. 3 is a high-level diagram illustrating an example set of procedures that may be used to establish end-to-end (E2E) security (e.g., with authentication and confidentiality) between a UE 302 and an application server (AS) 304 associated with a Cloud Service Provider (CSP) 310. In FIG. 3, it is assumed that the UE 302 has been preconfigured beforehand by the CSP 310 to include a Secret Key (SK), CSP information (e.g., an identity of the CSP), device information, and/or device security information. Device information may include, for example, a device model, a serial number, and a manufacturer identity (ID). Device security information may include, for example, a public/private key pair and a Uniform Resource Locator (URL) to a website containing a certificate chain for the UE 302. In addition, in FIG. 3, it is assumed that the UE 302 is a relatively stationary device for which mobility and roaming support would be superfluous.

[0033] An Internet Protocol (IP) secure tunnel 314 can be pre-established between a cellular Base Station (BS) and RAN SecGW 306 and a CSP Secure Gateway (CSP SecGW) 308 of the CSP 310. Arrow 318 indicates that the UE 302 can be switched on or into an active mode. Arrow 320 represents that the Application Server (AS) 304 of the CSP 310 can retrieve and verify a certificate for the UE 302.

[0034] Arrow 322 represents a layer-2 access-request message that can be sent from the UE 302 and can be received at the BS and RAN SecGW 306. The layer-2 access-request message represented by arrow 322 may include a unique UE identity (ID), device information, and a CSP ID of the CSP 310. The inclusion of the CSP ID can indicate that the UE 302 is seeking to establish a secure connection with the CSP 310. The access-request message can be protected by a Message Integrity Check (MIC) approach that uses a Secret Key (SK) and a random number for freshness.

[0035] Arrow 324 represents that the BS and RAN SecGW 306 can add or update an entry for the UE 302 in a mapping table. For example, the entry in the mapping table for the UE 302 can map the UE ID to a layer-2 (L2) connection ID. The mapping table can also include a connection status of "PENDING" for the access-request message.

[0036] Arrow 326 represents that the access-request message can be forwarded from the BS and RAN SecGW 306 to the CSP Secure Gateway (CSP SecGW) 308 that is associated with the CSP 310. Arrow 328 represents that the access-request message can be forwarded from the CSP SecGW 308 to the Application Server (AS) 304 that is associated with the CSP 310.

[0037] The AS 304, upon successful evaluation of the access-request message, can create and send an access-response message (that is ultimately destined for the UE 302), represented by arrow 332, to the CSP SecGW 308. The access-response message can include a radio-access key, a random number for the radio-access key, an end-to-end (E2E) session key, and a random number for the E2E-session key. The radio-access key can be derived using the SK, the random number for the radio-access key, and other input parameters as input for a key derivation function (KDF). The E2E-session key can be derived using the SK, the random number for the E2E-session key, and other input parameters as input for the KDF. Ultimately, the random number for the radio-access key and the random number for the E2E-session key will be delivered to the UE 302 with the other input parameters, but without the radio-access key and the E2E-session key. The UE 302, which already has the SK, can then use the random numbers for the radio-access key and the E2E-session key and the other input parameters as input for the KDF in order to derive the radio-access key and the E2E session key. In addition, the access-response message can include an authentication CSP key (derived from the SK) in order to authenticate the CSP 310 to the UE 302. The access response can optionally include priority information for the UE 302.

[0038] Arrow 334 represents that the access-response message can be forwarded from the CSP SecGW 308 to the BS and RAN SecGW 306. Arrow 336 represents that the BS and RAN SecGW 306 can update the entry in the mapping table for the UE 302 based on any priority information that is included in the access-response message. The BS and RAN SecGW 306 can also insert a connection ID and/or a layer-2 ID into the access- response message to distinguish multiple sessions from the UE 302 to the AS 304.

[0039] Arrow 338 represents that the BS and RAN SecGW 306 can forward the access-response message to the UE 302. Arrow 340 represents that the UE 302 can verify the authorization CSP key and then use the SK, the random numbers for the radio-access key and the E2E-session key, and the other input parameters as input for the KDF in order to derive the radio-access key and the E2E session key.

[0040] Arrow 344 represents that an access-complete message can be sent from the UE 302 to the BS and RAN SecGW 306. The access-complete message can be protected by a Message Integrity Check (MIC) approach that uses the radio-access key. Upon receipt of the access-complete message, the BS and RAN SecGW 306 can update the entry in the mapping table for the UE 302 to indicate that access has been granted to the UE 302 and that the connection status is no longer pending. Arrow 346 represents that the access-complete message can be forwarded from the BS and RAN SecGW 306 to the CSP SecGW 308. Arrow 348 represents that the access-complete message can be forwarded from the CSP SecGW 308 to the AS 304.

[0041] Two-sided arrow 350 represents that, once the access-complete message has been received at the AS 304, a bidirectional secure channel (e.g., with confidentiality and/or integrity) has been established between the UE 302 and the BS and RAN SecGW 306. Two-sided arrow 352 represents that, once the access-complete message has been received at the AS 304, a bidirectional secure channel (e.g., with confidentiality and/or integrity) has also been established between the UE 302 and the AS 304 of the CSP 310. Once these bidirectional secure channels are established, the UE 302 can securely send notifications to the AS 304 and the AS 304 can securely send commands to the UE 302.

Option 2 for E2E and Radio-Access Security: UE is not preconfigured for the CSP

[0042] FIG. 4 is a high-level diagram illustrating another example set of procedures that can be used to establish end-to-end (E2E) security (e.g., with authentication and confidentiality) between a UE 402 and an application server (AS) 404 associated with a Cloud Service Provider (CSP) 410. In FIG. 4, it is assumed that the UE 402 has been preconfigured beforehand by a manufacturer (rather than the CSP 410) to include a Secret Key (SK), CSP information (e.g., an identity of the CSP), device information, and/or device security information. Device information may include, for example, a device model, a serial number, and a manufacturer identity (ID). Device security information may include, for example, a public/private key pair and a Uniform Resource Locator (URL) to a website containing a certificate chain for the UE 402. In addition, in FIG. 4, it is assumed that the UE 402 is a relatively stationary device for which mobility and roaming support would be superfluous.

[0043] An Internet Protocol (IP) Secure tunnel 414 can be pre-established between a cellular Base Station (BS) and RAN SecGW 406 and a CSP Secure Gateway (CSP SecGW) 408 of the CSP 410. A CSP Mobile Application 412 can read a Uniform Resource Locator (URL) from the UE 402 (e.g., via Near-Field Communication (NFC) if the CSP Mobile Application 412 is running on a mobile device located near the UE). The URL can contain a pointer to a manufacturer certificate repository and device information. Arrow 416 indicates that the CSP Mobile Application 412 can send the device information to the Application Server (AS) 404 of the CSP 410. Arrow 418 indicates that the UE 402 can be switched on or into an active mode. Arrow 420 represents that the Application Server (AS) 120 of the CSP 410 may receive a certificate (e.g., from a certificate repository server of the manufacturer) and verify the certificate for the UE 402.

[0044] Arrow 422 represents a layer-2 access-request message that can be sent from the UE 402 and can be received at the BS and RAN SecGW 406. The layer-2 access-request message represented by arrow 422 can include a unique UE identity (ID), device information, and a CSP ID of the CSP 410. The inclusion of the CSP ID can indicate that the UE 402 is seeking to establish a secure connection with the CSP 410. The access-request message can be protected by a Message Integrity Check (MIC) approach that uses a Secret Key (SK) and a random number for freshness.

[0045] Arrow 424 represents that the BS and RAN SecGW 406 adds or updates an entry for the UE 402 in a mapping table. For example, the entry in the mapping table for the UE 402 can map the UE ID to a layer-2 (L2) connection ID. The mapping table can also include a connection status of "PENDING" for the access-request message.

[0046] Arrow 426 represents that the access-request message can be forwarded from the BS and RAN SecGW 406 to the CSP Secure Gateway (SecureGW) 408 that is associated with the CSP 410. Arrow 428 represents that the access-request message can be forwarded from the CSP SecureGW 408 to the Application Server (AS) 404 that is associated with the CSP 410. Arrow 430 represents that the AS 404 can retrieve the SK from the manufacturer of the UE 402 over a secure connection. Over the secure connection between the AS 404 and the manufacturer (e.g., a server associated with the manufacturer), the CSP 410 can provide a payload of the access-request message (e.g., that is protected by MIC) in order to prove that the access-request message originated from the UE 402. In some examples, the CSP mobile application 412 can also write the CSP ID to the UE 402 via an NFC channel.

[0047] The AS 404, upon successful evaluation of the access-request message, can create and send an access-response message (that is ultimately destined for the UE 402), represented by arrow 432, to the CSP SecGW 408. The access-response message can include a radio-access key, a random number for the radio-access key, an end-to-end (E2E) session key, and a random number for the E2E-session key. The radio-access key can be derived using the SK, the random number for the radio-access key, and other input parameters as input for a key derivation function (KDF). The E2E-session key can be derived using the SK, the random number for the E2E-session key, and other input parameters as input for the KDF. Ultimately, the random number for the radio-access key and the random number for the E2E-session key will be delivered to the UE 402 with the other input parameters, but without the radio-access key and the E2E-session key. The UE 402, which already has the SK, can then use the random numbers for the radio-access key and the E2E-session key and the other input parameters as input for the KDF in order to derive the radio-access key and the E2E session key. In addition, the access-response message can include an authorization CSP key (derived from the CSK) in order to authenticate the CSP 410 to the UE 402. The access response can optionally include priority information for the UE 402.

[0048] Arrow 434 represents that the access-response message can be forwarded from the CSP SecGW 408 to the BS and RAN SecGW 406. Arrow 436 represents that the BS and RAN SecGW 406 can update the entry in the mapping table for the UE 402 based on any priority information that is included in the access-response message. The BS and RAN SecGW 406 can also insert a connection ID and/or a layer-2 ID into the access-response message to distinguish multiple sessions from the UE 402 to the AS 404.

[0049] Arrow 438 represents that the BS and RAN SecGW 406 can forward the access-response message to the UE 402. Arrow 440 represents that the UE 402 can verify the authorization CSP key and then use the SK, the random numbers for the radio-access key and the E2E-session key, and the other input parameters as input for the KDF in order to derive the radio-access key and the E2E session key.

[0050] Arrow 444 represents that an access-complete message can be sent from the UE 402 to the BS and RAN SecGW 406. The access-complete message can be protected by a Message Integrity Check (MIC) approach that uses the radio-access key. Upon receipt of the access-complete message, the BS and RAN SecGW 406 can update the entry in the mapping table for the UE 402 to indicate that access has been granted to the UE 402 and that the connection status is no longer pending. Arrow 446 represents that the access-complete message can be forwarded from the BS and RAN SecGW 406 to the CSP SecGW 408. Arrow 448 represents that the access-complete message can be forwarded from the CSP SecGW 408 to the AS 404.

[0051] Two-sided arrow 450 represents that, once the access-complete message has been received at the AS 404, a bidirectional secure channel (e.g., with confidentiality and/or integrity) has been established between the UE 402 and the BS and RAN SecGW 406. Two-sided arrow 452 represents that, once the access-complete message has been received at the AS 404, a bidirectional secure channel (e.g., with confidentiality and/or integrity) has also been established between the UE 402 and the AS 404 of the CSP 410. Once these bidirectional secure channels are established, the UE 402 can securely send notifications to the AS 404 and the AS 404 can securely send commands to the UE 402.

[0052] In FIGs. 1-5, the secure link (e.g., IP secure tunnels 114, 226, 230, 314, 414, and 515) between the cellular access network and the external CSP can be in place (e.g., due to a pre-agreement between the CSP and the cellular access network) before the authentication mechanisms described herein are executed. The cellular access network can be apprised of the CSP application to which the UE will be mapped using a connection ID (Conn ID) of the UE. Accordingly, the cellular access network can send appropriate information to a specific CSP SecGW, for which the information would be included within the header. A "BS+RAN-SecGW address" may be part of the header or may be included within the body of the message. If an MME is not involved in the architecture, the main change is to idle-mode behavior: the BS and the RAN SecGW or the CSP SecGW may assume applicable paging functionality.

[0053] In FIGs. 3-4, once a bidirectional secure channel has been established (e.g., as in two-sided arrows 352 and 452), secure communications can be exchanged between a UE and an AS. In an uplink communication, the UE can create a packet with source and destination MAC address and send the packet to the AS after authentication is complete. In order for the UE to receive downlink communications if the UE has moved cells while in idle mode, the UE may update its location to the new cell (with its old cell information), and a BS serving the new cell may receive the downlink data from the BS of the cell in which the UE was located when authentication took place. Alternatively, the CSP SecGW can also page the UE across multiple cells. The UE can then connect using the authentication mechanisms described herein to receive downlink data.

Key Refresh Policy

[0054] FIG. 5 is a high-level diagram illustrating a key-refresh protocol exchange for a UE 502 in a connected mode in accordance with an example. A mapping table maintained by a BS and RAN SecGW 506 may contain one or more records for UEs in connected mode, such as the UE 502. Each record in the mapping table may include a key expiration time governed by a key security policy configured by the Cloud Service Provider (CSP) 510 when an Internet Protocol (IP) Secure tunnel 514 is established between the Base Station (BS) and RAN SecGW 506 and a CSP Secure Gateway (CSP SecGW) 508 of the CSP 510.

[0055] Arrow 516 represents that a key-refresh request, including an identity (ID) of the UE 502, can be sent from the Base Station (BS) and RAN SecGW 506 to the CSP SecGW 508 of the CSP 510 before a key expiration time for a mapping table record associated with the UE 502. Arrow 518 represents that the key-refresh request can be forwarded to the Application Server (AS) 504 of the CSP 510.

[0056] Arrow 520 represents that the AS 504 can send a key-refresh response message to the CSP SecGW 508. The key-refresh response message can include a UE identity (ID) of the UE 502, a CSP ID of the CSP 510, a radio-access key, a random number for the radio access key, an end-to-end (E2E) session key, and a random number for the E2E session key. Arrow 522 represents that the CSP SecGW 508 can forward the key-refresh response message to the BS and RAN SecGW 506. Arrow 524 represents that the BS and RAN SecGW 506 can install the radio-access key and update the record in the mapping table for the UE 502 based on the key-refresh response message.

[0057] Arrow 526 represents that the BS and RAN SecGW 506 can send a key-update message to the UE 502. The key-update message can include the UE ID, a layer-2 connection ID, the random number for the radio-access key, and the random number for the E2E session key. Arrow 528 represents that the UE 502 can derive the radio-access key by using the random number for the radio access key and a secret key (SK) as inputs for a key derivation function (KDF) and that the UE 502 can derive the E2E session key by using the random number for the E2E session key and the secret key (SK) as inputs for the key derivation function (KDF).

[0058] Arrow 530 represents that the UE 502 can send a key-refresh-completed message to the BS and RAN SecGW 506. The key-refresh-completed message can be protected by the radio-access key and the E2E session key. Arrow 532 represents that the BS and RAN SecGW 506 can forward the key-refresh-completed message to the CSP SecGW 508. Arrow 534 represents that the CSP SecGW 508 can verify that the UE 502 has successfully installed the radio-access key.

[0059] Arrow 536 represents that the CSP SecGW 508 can forward the key-refresh-completed message to the AS 536 of the CSP 510. Arrow 538 represents that the AS 536 can verify that the UE 502 has successfully installed the E2E session key.

[0060] In other examples, a key-refresh protocol exchange may be initiated by an AS rather than by a RAN SecGW. However, since the RAN SecGW is apprised of when a UE is in connected mode, it may be preferable if the key-refresh protocol exchange is initiated by the RAN SecGW (e.g., as shown in FIG. 5).
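The following is an added illustration, not code from the application: it models the access-request, access-response and access-complete exchange of FIGs. 3-4 (paragraphs [0037]-[0051]) and the key-refresh exchange of FIG. 5 (paragraphs [0054]-[0059]) in Python. HMAC-SHA256 stands in for the unspecified KDF and MIC, the CSP SecGW hop is folded into the AS, the UE is assumed to also hold the CSK so it can check the authorization CSP key, and every identifier, secret and lifetime is a constructed value.

```python
import hmac, hashlib, secrets

def kdf(secret, nonce, *params):
    # Assumed KDF: HMAC-SHA256 keyed with the secret over the nonce and the other inputs.
    return hmac.new(secret, nonce + b"|" + b"|".join(params), hashlib.sha256).digest()

def mic(key, payload):
    # Assumed Message Integrity Check (MIC): HMAC-SHA256 over the message body.
    return hmac.new(key, payload, hashlib.sha256).digest()

class UE:  # preconfigured (constructed values) with SK, CSK and the CSP ID
    def __init__(self, ue_id, sk, csk, csp_id):
        self.ue_id, self.sk, self.csk, self.csp_id = ue_id, sk, csk, csp_id

    def access_request(self):
        nonce = secrets.token_bytes(16)  # freshness for the MIC; lets the AS reject replays
        body = b"|".join([self.ue_id, self.csp_id, b"model=constructed-v1", nonce])
        return {"ue_id": self.ue_id, "csp_id": self.csp_id, "nonce": nonce,
                "body": body, "mic": mic(self.sk, body)}

    def _derive(self, rnd_ra, rnd_e2e):
        # Only the random numbers arrive over the air; both keys are re-derived from SK.
        self.radio_key = kdf(self.sk, rnd_ra, b"radio-access", self.ue_id)
        self.e2e_key = kdf(self.sk, rnd_e2e, b"e2e-session", self.ue_id)

    def handle_access_response(self, resp):
        # Authenticate the CSP first: the authorization CSP key is bound to our own nonce.
        expected = kdf(self.csk, resp["nonce"], b"csp-auth", self.ue_id)
        if not hmac.compare_digest(expected, resp["auth_csp_key"]):
            raise ValueError("CSP authentication failed")
        self._derive(resp["rnd_ra"], resp["rnd_e2e"])
        body = b"|".join([self.ue_id, resp["conn_id"], b"access-complete"])
        return {"ue_id": self.ue_id, "body": body, "mic_ra": mic(self.radio_key, body)}

    def handle_key_update(self, upd):
        self._derive(upd["rnd_ra"], upd["rnd_e2e"])
        body = b"|".join([self.ue_id, upd["conn_id"], b"key-refresh-completed"])
        return {"ue_id": self.ue_id, "body": body,
                "mic_ra": mic(self.radio_key, body), "mic_e2e": mic(self.e2e_key, body)}

class AppServer:  # CSP AS (CSP SecGW hop collapsed); holds the CSK and the per-device SKs
    def __init__(self, csk, sk_registry):
        self.csk, self.sks, self.e2e_keys, self.seen = csk, sk_registry, {}, set()

    def issue_keys(self, ue_id, nonce):
        sk = self.sks[ue_id]
        rnd_ra, rnd_e2e = secrets.token_bytes(16), secrets.token_bytes(16)
        self.e2e_keys[ue_id] = kdf(sk, rnd_e2e, b"e2e-session", ue_id)
        return {"ue_id": ue_id, "nonce": nonce, "rnd_ra": rnd_ra, "rnd_e2e": rnd_e2e,
                "radio_key": kdf(sk, rnd_ra, b"radio-access", ue_id), "e2e_key": self.e2e_keys[ue_id],
                "auth_csp_key": kdf(self.csk, nonce, b"csp-auth", ue_id)}

    def handle_access_request(self, req):
        if req["nonce"] in self.seen:
            raise ValueError("replayed access-request")
        if not hmac.compare_digest(mic(self.sks[req["ue_id"]], req["body"]), req["mic"]):
            raise ValueError("access-request MIC invalid")
        self.seen.add(req["nonce"])
        return self.issue_keys(req["ue_id"], req["nonce"])

    def handle_key_refresh_completed(self, msg):  # the AS checks that the E2E key was installed
        return hmac.compare_digest(mic(self.e2e_keys[msg["ue_id"]], msg["body"]), msg["mic_e2e"])

class RANSecGW:  # BS + RAN SecGW: owns the mapping table, never sees SK or the E2E key
    KEY_LIFETIME = 3600.0  # seconds; stands in for the CSP-configured key security policy
    def __init__(self, app_server):
        self.app, self.table = app_server, {}

    def _install(self, ue_id, resp, now):
        e = self.table[ue_id]
        e.update(radio_key=resp["radio_key"], key_expiry=now + self.KEY_LIFETIME)
        # Forward the nonces and the authorization key to the UE, but strip both keys.
        out = {k: v for k, v in resp.items() if k not in ("radio_key", "e2e_key")}
        return {**out, "conn_id": e["conn_id"], "l2_id": e["l2_id"]}

    def handle_access_request(self, req, now):
        self.table[req["ue_id"]] = {"l2_id": b"L2-%d" % (len(self.table) + 1), "status": "PENDING",
                                    "csp_id": req["csp_id"], "conn_id": secrets.token_hex(4).encode()}
        return self._install(req["ue_id"], self.app.handle_access_request(req), now)

    def handle_access_complete(self, msg):
        e = self.table[msg["ue_id"]]
        if not hmac.compare_digest(mic(e["radio_key"], msg["body"]), msg["mic_ra"]):
            raise ValueError("access-complete MIC invalid")
        e["status"] = "GRANTED"  # access granted; no longer pending
        return e

    def refresh_due(self, ue_id, now, margin=300.0):
        e = self.table[ue_id]
        return e["status"] == "GRANTED" and now >= e["key_expiry"] - margin

    def key_refresh(self, ue_id, now):  # key-refresh request/response, then key-update to the UE
        return self._install(ue_id, self.app.issue_keys(ue_id, b"refresh"), now)

    def handle_key_refresh_completed(self, msg):
        e = self.table[msg["ue_id"]]
        if not hmac.compare_digest(mic(e["radio_key"], msg["body"]), msg["mic_ra"]):
            raise ValueError("key-refresh-completed MIC invalid")
        return self.app.handle_key_refresh_completed(msg)
```

Walking one UE through attach, a replayed access-request, a forged authorization CSP key, and a refresh triggered by the mapping-table expiry shows which party checks which key at each step.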

Attach Signaling procedures to carry messages over-the-air between M2M/IoT/UE device and eNB

[0061] Several signaling options can be considered in order to enable the simplified authentication mechanisms of the present disclosure. At attach, if a UE is aware that a direct connection is to be established with an application server (e.g., based on the UE implementation or on an upper layer indication), then the UE can send an access-request message with the appropriate information elements using one of the mechanisms described herein. The access-request message may be sent as part of a message that is already defined in an existing 3GPP Long-term Evolution (LTE) architecture standard.

[0062] Alternatively, the access-request message may be included in a dedicated message. Authentication mechanisms such as those described herein can be supported using dedicated messages at attach to access the network and can be followed by applicable security methods. The dedicated messages can also be followed by traditional LTE attach exchange procedures. Since radio bearers are not set up or used in the mechanisms of the present disclosure, the data can be exchanged over layer 2 (e.g., the MAC layer) on a packet-by-packet basis. The UE can request access in a fashion similar to the fashion used by a Radio Resource Control (RRC) 'RRC Connection Request' message in that an establishment cause can be included. In addition, the dedicated message can indicate that the UE prefers a connection through the RAN SecGW to the application server (AS).

[0063] This dedicated message can, for example, follow the Random Access Channel (RACH) exchange (of the preamble and the Random Access Response (RAR)). Certain dedicated preambles may be defined for this purpose. The Uplink (UL) grant can be requested in the initial message accordingly to support sending an attach request with the information elements to enable connection to an AS within a CSP. Upon initial connection setup (using one of the mechanisms defined above), a UE ID and/or a layer-2 connection ID can be mapped with the UE for subsequent use after the original connection attempt (e.g., in case the UE visits another cell or goes into idle mode and comes back in connected mode). A validity timer that defines the duration of security validity may also be defined and shared between the UE and the network.

[0064] As an alternative to using dedicated messages, existing RRC messages can also be sent as user-plane messages. Since these existing RRC messages terminate at the BS, sending these existing RRC messages over layer 2 (e.g., the MAC layer) does not pose any difficulty. This alternative can be applied when the application layer sends a trigger via certain applications that are mapped to use the network (e.g., as in FIG. 1). This trigger can include the access-request message with certain header parameters that are then utilized in the MAC layer for a grant request and for sending the information to the BS.

[0065] FIG. 6 illustrates functionality 600 of a UE or CIoT device in accordance with an example. The functionality 600 can be implemented as a method or the functionality can be executed as instructions on a machine (e.g., by one or more processors, such as a baseband processor), where the instructions are included on at least one computer-readable storage medium (e.g., a non-transitory computer-readable storage medium).

[0066] As in block 610, the functionality 600 can include signaling a transceiver at the UE to send an access-request message to a cellular base station that is associated with a Radio Access Network Security Gateway (RAN-SecGW), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and the access-request message including a CSP identifier (CSP ID) indicating the CSP.

[0067] The access-request message can include one or more of: a unique ID of the UE, device information about the UE, or an establishment cause. The RAN-SecGW and the CSP can be connected via an Internet Packet (IP) secure tunnel. The functionality 600 can also include signaling the transceiver to send the access-request message in a Media Access Control Layer of a Data Link Layer (Layer 2) or in a Radio Resource Control (RRC) message.

[0068] The functionality 600 can also include encrypting the access-request message using a Message Integrity Check (MIC) technique, a secret key (SK), and a random number, wherein the authentication CSP key is derived from the SK; and signaling the transceiver at the UE to send the access-request message to the cellular base station in an encrypted form.

[0069] The functionality 600 can also include deriving the radio-access key using a Key Derivation Function (KDF) and using the random number for the radio-access key and the SK as parameters for the KDF; and deriving the E2E session key using the KDF and using the random number for the E2E session key and the SK as parameters for the KDF.

[0070] The UE can be configured beforehand by the CSP with one or more of: the SK, device information, or a list of identifiers (IDs) of network operators associated with the CSP. The UE can also be configured beforehand by a manufacturer with at least one of: the SK or device information.

[0071] As in block 620, the functionality 600 can include identifying an access-response message received at the UE via the transceiver, wherein the access-response includes an authentication CSP key.

[0072] As in block 630, the functionality 600 can include verifying the identity of the CSP using the authentication CSP key.

[0073] As in block 640, the functionality 600 can include signaling the transceiver at the UE to send an access-complete message to the cellular base station to facilitate establishment of a secure communication channel between the UE and the CSP. In addition, the functionality 600 can include encrypting the access-complete message using a Message Integrity Check (MIC) technique and the radio-access key; and signaling the transceiver at the UE to send the access-complete message to the cellular base station in an encrypted form.

[0074] FIG. 7 illustrates functionality 700 of a cellular base station in accordance with an example. The functionality 700 can be implemented as a method or the functionality can be executed as instructions on a machine (e.g., by one or more processors), where the instructions are included on at least one computer-readable storage medium (e.g., a non-transitory computer-readable storage medium).

[0075] As in block 710, the functionality 700 can include identifying an access-request message received from a User Equipment (UE), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and including a CSP identifier (CSP ID) indicating the CSP.

[0076] As in block 720, the functionality 700 can include signaling networking circuitry associated with the RAN-SecGW to send the access-request message to an Application Server (AS) of the CSP via an Internet Packet (IP) secure tunnel outside of a core network associated with the cellular base station.

[0077] The functionality 700 can also include signaling the networking circuitry associated with the RAN-SecGW to send the access-request message to the AS via an Internet Packet (IP) secure tunnel between the RAN-SecGW and a CSP Secure Gateway (CSP-SecGW) associated with the CSP; and signaling the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[0078] As in block 730, the functionality 700 can include identifying an access-response message sent from the AS in response to the access-request message for the UE, wherein the access-response includes an authentication CSP key.

[0079] As in block 740, the functionality 700 can include signaling a transceiver associated with the cellular base station to send the access-response message to the UE.

[0080] As in block 750, the functionality 700 can include identifying an access-complete message sent from the UE in response to the access-response message.

[0081] As in block 760, the functionality 700 can include modifying a mapping table for the UE based on the access-complete message in order to indicate that a secure communication session has been established between the UE and the AS, wherein the RAN-SecGW uses the mapping table to route messages between the UE and the AS.

[0082] The functionality 700 can also include modifying the mapping table for the UE based on the access-response message to indicate that secure access between the UE and the AS is pending. The mapping table can include one or more of: a Data Link Layer (Layer-2) address of the UE, the CSP ID, or a UE identifier (UE ID) for the UE.

[0083] The functionality 700 can also include assigning a connection identifier (ID) and a Data Link Layer (Layer-2) identifier (ID) for the secure communication session; and signaling the transceiver associated with the cellular base station to send the connection ID and the layer-2 ID to the UE along with the access-response message.

[0084] The functionality 700 can also include identifying a key-expiration time in the mapping table for the secure communication session; signaling the networking circuitry to send a key-refresh request message to the AS for the secure communication session before the key-expiration time is reached; identifying a key-refresh response message that was sent from the AS in response to the key-refresh request message; updating the mapping table based on the key-refresh response message; signaling the transceiver associated with the cellular base station to send a key-update message to the UE; identifying a key-refresh completion message sent from the UE in response to the key-update message; and signaling the network circuitry to send the key-refresh completion message to the AS.

[0085] The key-refresh response message can include a radio access key and a random number for the radio access key. The functionality 700 can also include installing the radio access key; and signaling the transceiver associated with the cellular base station to send the random number for the radio access key to the UE along with the key-update message. The key-refresh response message can also include one or more of: the CSP ID, a UE identifier (UE ID) for the UE, or a random number for an End-to-End (E2E) session key.

[0086] The key-update message can include one or more of: a UE identifier (ID) for the UE, a random number for an End-to-End (E2E) session key, or a connection identifier (ID).

[0087] As in block 770, the functionality 700 can include signaling the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[0088] FIG. 8 illustrates functionality 800 of an Application Server (AS) that is associated with a Cloud Service Provider (CSP) in accordance with an example. The functionality 800 can be implemented as a method or the functionality can be executed as instructions on a machine (e.g., by one or more processors), where the instructions are included on at least one computer-readable storage medium (e.g., a non-transitory computer-readable storage medium).

[0089] As in block 810, the functionality 800 can include identifying an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP.

[0090] As in block 820, the functionality 800 can include deriving a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF.

[0091] The functionality 800 can also include signaling networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE.

[0092] As in block 830, the functionality 800 can include deriving an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF.

[0093] As in block 840, the functionality 800 can include signaling the networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio access key, the random number for the radio-access key, the E2E session key, and the random number for the session key.

[0094] The functionality 800 can also include signaling the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW. In addition, the functionality 800 can also include identifying an access-complete message sent from the UE to the AS in response to the access-response message; and signaling the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.

[0095] FIG. 9 provides an example illustration of a mobile device, such as a user equipment (UE), a mobile station (MS), a mobile wireless device, a mobile communication device, a tablet, a handset, a CIoT device, or other type of wireless device. The mobile device can include one or more antennas configured to communicate with a node, macro node, low power node (LPN), or transmission station, such as a base station (BS), an evolved Node B (eNB), a baseband processing unit (BBU), a remote radio head (RRH), a remote radio equipment (RRE), a relay station (RS), a radio equipment (RE), or other type of wireless wide area network (WWAN) access point. The mobile device can be configured to communicate using at least one wireless communication standard such as, but not limited to, 3GPP LTE, WiMAX, High Speed Packet Access (HSPA), Bluetooth, and WiFi. The mobile device can communicate using separate antennas for each wireless communication standard or shared antennas for multiple wireless communication standards. The mobile device can communicate in a wireless local area network (WLAN), a wireless personal area network (WPAN), and/or a WWAN.

[0096] The mobile device can also comprise a wireless modem. The wireless modem can comprise, for example, a wireless radio transceiver and baseband circuitry (e.g., a baseband processor). The wireless modem can, in one example, modulate signals that the mobile device transmits via the one or more antennas and demodulate signals that the mobile device receives via the one or more antennas.

[0097] The mobile device can include a storage medium. In one aspect, the storage medium can be associated with and/or in communication with the application processor, the graphics processor, the display, the non-volatile memory port, and/or internal memory. In one aspect, the application processor and graphics processor are storage mediums.

[0098] FIG. 9 also provides an illustration of a microphone and one or more speakers that can be used for audio input and output from the mobile device. The display screen can be a liquid crystal display (LCD) screen, or other type of display screen such as an organic light emitting diode (OLED) display. The display screen can be configured as a touch screen. The touch screen can use capacitive, resistive, or another type of touch screen technology. An application processor and a graphics processor can be coupled to internal memory to provide processing and display capabilities. A non-volatile memory port can also be used to provide data input/output options to a user. The non-volatile memory port can also be used to expand the memory capabilities of the mobile device. A keyboard can be integrated with the mobile device or wirelessly connected to the wireless device to provide additional user input. A virtual keyboard can also be provided using the touch screen.

[0099] FIG. 10 provides an example illustration of a user equipment (UE) device 1000, such as a wireless device, a mobile station (MS), a mobile wireless device, a mobile communication device, a tablet, a handset, a CIoT device, or other type of wireless device. The UE device 1000 can include one or more antennas configured to communicate with a node or transmission station, such as a base station (BS), an evolved Node B (eNB), a baseband unit (BBU), a remote radio head (RRH), a remote radio equipment (RRE), a relay station (RS), a radio equipment (RE), a remote radio unit (RRU), a central processing module (CPM), or other type of wireless wide area network (WWAN) access point. The UE device 1000 can be configured to communicate using at least one wireless communication standard such as, but not limited to, 3GPP LTE, WiMAX, High Speed Packet Access (HSPA), Bluetooth, and WiFi. The UE device 1000 can communicate using separate antennas for each wireless communication standard or shared antennas for multiple wireless communication standards. The UE device 1000 can communicate in a wireless local area network (WLAN), a wireless personal area network (WPAN), and/or a WWAN.

[00100] In some embodiments, the UE device 1000 may include application circuitry 1002, baseband circuitry 1004, Radio Frequency (RF) circuitry 1006, front-end module (FEM) circuitry 1008 and one or more antennas 1010, coupled together at least as shown.

[00101] The application circuitry 1002 may include one or more application processors. For example, the application circuitry 1002 may include circuitry such as, but not limited to, one or more single-core or multi-core processors. The processor(s) may include any combination of general-purpose processors and dedicated processors (e.g., graphics processors, application processors, etc.). The processors may be coupled with and/or may include memory/storage (e.g., storage medium 1012) and may be configured to execute instructions stored in the memory/storage (e.g., storage medium 1012) to enable various applications and/or operating systems to run on the system.

[00102] The baseband circuitry 1004 may include circuitry such as, but not limited to, one or more single-core or multi-core processors. The baseband circuitry 1004 may include one or more baseband processors and/or control logic to process baseband signals received from a receive signal path of the RF circuitry 1006 and to generate baseband signals for a transmit signal path of the RF circuitry 1006. Baseband processing circuitry 1004 may interface with the application circuitry 1002 for generation and processing of the baseband signals and for controlling operations of the RF circuitry 1006. For example, in some embodiments, the baseband circuitry 1004 may include a second generation (2G) baseband processor 1004a, third generation (3G) baseband processor 1004b, fourth generation (4G) baseband processor 1004c, and/or other baseband processor(s) 1004d for other existing generations, generations in development or to be developed in the future (e.g., fifth generation (5G), 6G, etc.). The baseband circuitry 1004 (e.g., one or more of baseband processors 1004a-d) may handle various radio control functions that enable communication with one or more radio networks via the RF circuitry 1006. The radio control functions may include, but are not limited to, signal modulation/demodulation, encoding/decoding, radio frequency shifting, etc. In some embodiments, modulation/demodulation circuitry of the baseband circuitry 1004 may include Fast-Fourier Transform (FFT), precoding, and/or constellation mapping/demapping functionality. In some embodiments, encoding/decoding circuitry of the baseband circuitry 1004 may include convolution, tail-biting convolution, turbo, Viterbi, and/or Low Density Parity Check (LDPC) encoder/decoder functionality. Embodiments of modulation/demodulation and encoder/decoder functionality are not limited to these examples and may include other suitable functionality in other embodiments.

[00103] In some embodiments, the baseband circuitry 1004 may include elements of a protocol stack such as, for example, elements of an evolved universal terrestrial radio access network (EUTRAN) protocol including, for example, physical (PHY), media access control (MAC), radio link control (RLC), packet data convergence protocol (PDCP), and/or radio resource control (RRC) elements. A central processing unit (CPU) 1004e of the baseband circuitry 1004 may be configured to run elements of the protocol stack for signaling of the PHY, MAC, RLC, PDCP and/or RRC layers. In some embodiments, the baseband circuitry may include one or more audio digital signal processor(s) (DSP) 1004f. The audio DSP(s) 1004f may include elements for compression/decompression and echo cancellation and may include other suitable processing elements in other embodiments. Components of the baseband circuitry may be suitably combined in a single chip, a single chipset, or disposed on a same circuit board in some embodiments. In some embodiments, some or all of the constituent components of the baseband circuitry 1004 and the application circuitry 1002 may be implemented together such as, for example, on a system on a chip (SOC).

[00104] In some embodiments, the baseband circuitry 1004 may provide for communication compatible with one or more radio technologies. For example, in some embodiments, the baseband circuitry 1004 may support communication with an evolved universal terrestrial radio access network (EUTRAN) and/or with other networks such as a wireless metropolitan area network (WMAN), a wireless local area network (WLAN), or a wireless personal area network (WPAN). Embodiments in which the baseband circuitry 1004 is configured to support radio communications of more than one wireless protocol may be referred to as multi-mode baseband circuitry.

[00105] The RF circuitry 1006 may enable communication with wireless networks using modulated electromagnetic radiation through a non-solid medium. In various embodiments, the RF circuitry 1006 may include switches, filters, amplifiers, etc. to facilitate the communication with the wireless network. RF circuitry 1006 may include a receive signal path which may include circuitry to down-convert RF signals received from the FEM circuitry 1008 and provide baseband signals to the baseband circuitry 1004. RF circuitry 1006 may also include a transmit signal path which may include circuitry to up-convert baseband signals provided by the baseband circuitry 1004 and provide RF output signals to the FEM circuitry 1008 for transmission.

[00106] In some embodiments, the RF circuitry 1006 may include a receive signal path and a transmit signal path. The receive signal path of the RF circuitry 1006 may include mixer circuitry 1006a, amplifier circuitry 1006b and filter circuitry 1006c. The transmit signal path of the RF circuitry 1006 may include filter circuitry 1006c and mixer circuitry 1006a. RF circuitry 1006 may also include synthesizer circuitry 1006d for synthesizing a frequency for use by the mixer circuitry 1006a of the receive signal path and the transmit signal path. In some embodiments, the mixer circuitry 1006a of the receive signal path may be configured to down-convert RF signals received from the FEM circuitry 1008 based on the synthesized frequency provided by synthesizer circuitry 1006d. The amplifier circuitry 1006b may be configured to amplify the down-converted signals and the filter circuitry 1006c may be a low-pass filter (LPF) or band-pass filter (BPF) configured to remove unwanted signals from the down-converted signals to generate output baseband signals. Output baseband signals may be provided to the baseband circuitry 1004 for further processing. In some embodiments, the output baseband signals may be zero-frequency baseband signals, although other types of baseband signals may be used. In some embodiments, mixer circuitry 1006a of the receive signal path may comprise passive mixers, although the scope of the embodiments is not limited in this respect.

[00107] In some embodiments, the mixer circuitry 1006a of the transmit signal path may be configured to up-convert input baseband signals based on the synthesized frequency provided by the synthesizer circuitry 1006d to generate RF output signals for the FEM circuitry 1008. The baseband signals may be provided by the baseband circuitry 1004 and may be filtered by filter circuitry 1006c. The filter circuitry 1006c may include a low-pass filter (LPF), although the scope of the embodiments is not limited in this respect.

[00108] In some embodiments, the mixer circuitry 1006a of the receive signal path and the mixer circuitry 1006a of the transmit signal path may include two or more mixers and may be arranged for quadrature down-conversion and/or up-conversion respectively. In some embodiments, the mixer circuitry 1006a of the receive signal path and the mixer circuitry 1006a of the transmit signal path may include two or more mixers and may be arranged for image rejection (e.g., Hartley image rejection). In some embodiments, the mixer circuitry 1006a of the receive signal path and the mixer circuitry 1006a of the transmit signal path may be arranged for direct down-conversion and/or direct up-conversion, respectively. In some embodiments, the mixer circuitry 1006a of the receive signal path and the mixer circuitry 1006a of the transmit signal path may be configured for super-heterodyne operation.

[00109] In some embodiments, the output baseband signals and the input baseband signals may be analog baseband signals, although the scope of the embodiments is not limited in this respect. In some alternate embodiments, the output baseband signals and the input baseband signals may be digital baseband signals. In these alternate embodiments, the RF circuitry 1006 may include analog-to-digital converter (ADC) and digital-to-analog converter (DAC) circuitry and the baseband circuitry 1004 may include a digital baseband interface to communicate with the RF circuitry 1006.

[00110] In some dual-mode embodiments, a separate radio IC circuitry may be provided for processing signals for each spectrum, although the scope of the embodiments is not limited in this respect.

[00111] In some embodiments, the synthesizer circuitry 1006d may be a fractional-N synthesizer or a fractional N/N+1 synthesizer, although the scope of the embodiments is not limited in this respect as other types of frequency synthesizers may be suitable. For example, synthesizer circuitry 1006d may be a delta-sigma synthesizer, a frequency multiplier, or a synthesizer comprising a phase-locked loop with a frequency divider.

[00112] The synthesizer circuitry 1006d may be configured to synthesize an output frequency for use by the mixer circuitry 1006a of the RF circuitry 1006 based on a frequency input and a divider control input. In some embodiments, the synthesizer circuitry 1006d may be a fractional N/N+1 synthesizer.

[00113] In some embodiments, the frequency input may be provided by a voltage controlled oscillator (VCO), although other types of devices may provide the frequency input. The divider control input may be provided by either the baseband circuitry 1004 or the application circuitry 1002 depending on the desired output frequency. In some embodiments, a divider control input (e.g., N) may be determined from a look-up table based on a channel indicated by the application circuitry 1002.

[00114] Synthesizer circuitry 1006d of the RF circuitry 1006 may include a divider, a delay-locked loop (DLL), a multiplexer and a phase accumulator. In some embodiments, the divider may be a dual modulus divider (DMD) and the phase accumulator may be a digital phase accumulator (DPA). In some embodiments, the DMD may be configured to divide the input signal by either N or N+1 (e.g., based on a carry out) to provide a fractional division ratio. In some example embodiments, the DLL may include a set of cascaded, tunable, delay elements, a phase detector, a charge pump and a D-type flip-flop. In these embodiments, the delay elements may be configured to break a VCO period up into Nd equal packets of phase, where Nd is the number of delay elements in the delay line. In this way, the DLL provides negative feedback to help ensure that the total delay through the delay line is one VCO cycle.

[00115] In some embodiments, synthesizer circuitry 1006d may be configured to generate a carrier frequency as the output frequency, while in other embodiments, the output frequency may be a multiple of the carrier frequency (e.g., twice the carrier frequency, four times the carrier frequency) and used in conjunction with quadrature generator and divider circuitry to generate multiple signals at the carrier frequency with multiple different phases with respect to each other. In some embodiments, the output frequency may be a local oscillator (LO) frequency (fLO). In some embodiments, the RF circuitry 1006 may include an IQ/polar converter.
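A behavioural model of the dual modulus divider and digital phase accumulator described in [00114], added here as an illustration and not taken from the patent: the accumulator adds K on every divider output period, its carry out (which occurs K times in every M periods) selects division by N+1 instead of N, and the average division ratio therefore comes out at N + K/M. The parameters N, K, M, the cycle count and the reference frequency used below are assumed values chosen for the example.

```python
"""Behavioural model of a fractional-N divider: a digital phase accumulator (DPA) whose
carry out switches a dual modulus divider (DMD) between N and N+1. Parameters are assumed."""


def fractional_n_divider(n: int, k: int, modulus: int, cycles: int) -> dict:
    """Simulate `cycles` divider output periods with fractional part k/modulus (0 <= k < modulus)."""
    if not 0 <= k < modulus:
        raise ValueError("fractional part k/modulus must lie in [0, 1)")
    acc, vco_cycles, ratios = 0, 0, []
    for _ in range(cycles):
        acc += k                            # DPA accumulates the fractional phase each output period
        carry = acc >= modulus
        if carry:
            acc -= modulus                  # carry out: wrap the accumulator
        divide_by = n + 1 if carry else n   # DMD divides by N+1 on carry, else by N
        ratios.append(divide_by)
        vco_cycles += divide_by             # VCO cycles consumed by this output period
    return {"average_ratio": vco_cycles / cycles, "ratios": ratios, "carries": ratios.count(n + 1)}


def synthesized_frequency(f_ref_hz: float, n: int, k: int, modulus: int) -> float:
    """Locked PLL output: the VCO settles at f_ref * (N + K/M) so the divided signal matches f_ref."""
    return f_ref_hz * (n + k / modulus)
```

With N = 100, K = 3 and M = 8 the divider produces the modulus sequence 100, 100, 101, 100, 100, 101, 100, 101 over eight periods, i.e. an average ratio of 100.375; the three N+1 periods are exactly the three accumulator carries.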

[00116] FEM circuitry 1008 may include a receive signal path which may include circuitry configured to operate on RF signals received from one or more antennas 1010, amplify the received signals and provide the amplified versions of the received signals to the RF circuitry 1006 for further processing. FEM circuitry 1008 may also include a transmit signal path which may include circuitry configured to amplify signals for transmission provided by the RF circuitry 1006 for transmission by one or more of the one or more antennas 1010.

[00117] In some embodiments, the FEM circuitry 1008 may include a TX/RX switch to switch between transmit mode and receive mode operation. The FEM circuitry may include a receive signal path and a transmit signal path. The receive signal path of the FEM circuitry may include a low-noise amplifier (LNA) to amplify received RF signals and provide the amplified received RF signals as an output (e.g., to the RF circuitry 1006). The transmit signal path of the FEM circuitry 1008 may include a power amplifier (PA) to amplify input RF signals (e.g., provided by RF circuitry 1006), and one or more filters to generate RF signals for subsequent transmission (e.g., by one or more of the one or more antennas 1010).

[00118] In some embodiments, the UE device 1000 may include additional elements such as, for example, memory/storage, display (e.g., touch screen), camera, antennas, keyboard, microphone, speakers, sensor, and/or input/output (I/O) interface.

[00119] FIG. 11 illustrates a diagram 1100 of a node 1110 (e.g., eNB and/or a Serving GPRS Support Node) and a wireless device 1120 (e.g., UE) in accordance with an example. The node can include a base station (BS), a Node B (NB), an evolved Node B (eNB), a baseband unit (BBU), a remote radio head (RRH), a remote radio equipment (RRE), a remote radio unit (RRU), or a central processing module (CPM). In one aspect, the node can be a Serving GPRS Support Node. The node 1110 can include a node device 1112. The node device 1112 or the node 1110 can be configured to communicate with the wireless device 1120. The node device 1112 can be configured to implement technologies described herein. The node device 1112 can include a processing module 1114 and a transceiver module 1116. In one aspect, the node device 1112 can include the transceiver module 1116 and the processing module 1114 forming a circuitry for the node 1110. In one aspect, the transceiver module 1116 and the processing module 1114 can form a circuitry of the node device 1112. The processing module 1114 can include one or more processors and memory. In one embodiment, the processing module 1114 can include one or more application processors. The transceiver module 1116 can include a transceiver and one or more processors and memory. In one embodiment, the transceiver module 1116 can include a baseband processor. In some examples, components of the transceiver module 1116 can be included in separate devices. For example, selected components of the transceiver module 1116 may be located in a cloud radio access network (C-RAN).

The wireless device 1120 can include a transceiver module 1124 and a processing module 1122. The processing module 1122 can include one or more processors and memory. In one embodiment, the processing module 1122 can include one or more application processors. The transceiver module 1124 can include a transceiver and one or more processors and memory. In one embodiment, the transceiver module 1124 can include a baseband processor. The wireless device 1120 can be configured to implement technologies described herein. The node 1110 and the wireless device 1120 can also include one or more storage mediums, such as the transceiver module 1116, 1124 and/or the processing module 1114, 1122.

Examples

[00120] The following examples pertain to specific embodiments and point out specific features, elements, or steps that can be used or otherwise combined in achieving such embodiments.

[00121] Example 1 includes an apparatus of a User Equipment (UE), the apparatus comprising one or more processors and memory configured to: signal a transceiver at the UE to send an access-request message to a cellular base station that is associated with a Radio Access Network Security Gateway (RAN-SecGW), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and the access-request message including a CSP identifier (CSP ID) indicating the CSP; identify an access-response message received at the UE via the transceiver, wherein the access-response includes an authentication CSP key; verify the identity of the CSP using the authentication CSP key; and signal the transceiver at the UE to send an access-complete message to the cellular base station to facilitate establishment of a secure communication channel between the UE and the CSP.

[00122] Example 2 includes the apparatus of example 1, wherein the RAN-SecGW and the CSP are connected via an Internet Packet (IP) secure tunnel.

[00123] Example 3 includes the apparatus of example 1 or 2, wherein the access-request message includes one or more of: a unique ID of the UE, device information about the UE, or an establishment cause.

[00124] Example 4 includes the apparatus of example 1 or 2, wherein the one or more processors and memory are further configured to signal the transceiver to send the access-request message in a Media Access Control Layer of a Data Link Layer (Layer 2) or in a Radio Resource Control (RRC) message.

[00125] Example 5 includes the apparatus of example 1, wherein the one or more processors and memory are further configured to: encrypt the access-request message using a Message Integrity Check (MIC) technique, a secret key (SK), and a random number, wherein the authentication CSP key is derived from the SK; and signal the transceiver at the UE to send the access-request message to the cellular base station in an encrypted form.

[00126] Example 6 includes the apparatus of example 5, wherein the access-response message includes a random number for a radio-access key and a random number for an End-to-End (E2E) session key, and wherein the one or more processors are further configured to: derive the radio-access key using a Key Derivation Function (KDF) and using the random number for the radio-access key and the SK as parameters for the KDF; and derive the E2E session key using the KDF and using the random number for the E2E session key and the SK as parameters for the KDF.

[00127] Example 7 includes the apparatus of example 5 or 6, wherein the UE has been configured by the CSP with one or more of: the SK, device information, or a list of identifiers (IDs) of network operators associated with the CSP.

[00128] Example 8 includes the apparatus of example 5 or 6, wherein the UE has been configured by a manufacturer with at least one of: the SK or device information.

[00129] Example 9 includes the apparatus of example 6, wherein the one or more processors and memory are further configured to: encrypt the access-complete message using a Message Integrity Check (MIC) technique and the radio-access key; and signal the transceiver at the UE to send the access-complete message to the cellular base station in an encrypted form.

[00130] Example 10 includes the apparatus of example 1, 2, 5, 6, or 9, wherein the one or more processors include a baseband processor.

[00131] Example 11 includes an apparatus of a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the apparatus comprising one or more processors and memory configured to: identify an access-request message received from a User Equipment (UE), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and including a CSP identifier (CSP ID) indicating the CSP; signal networking circuitry associated with the RAN-SecGW to send the access-request message to an Application Server (AS) of the CSP via an Internet Packet (IP) secure tunnel outside of a core network associated with the cellular base station; identify an access-response message sent from the AS in response to the access-request message for the UE, wherein the access-response includes an authentication CSP key; signal a transceiver associated with the cellular base station to send the access-response message to the UE; identify an access-complete message sent from the UE in response to the access-response message; modify a mapping table for the UE based on the access-complete message in order to indicate that a secure communication session has been established between the UE and the AS, wherein the RAN-SecGW uses the mapping table to route messages between the UE and the AS; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[00132] Example 12 includes the apparatus of example 11, wherein the one or more processors and memory are further configured to: modify the mapping table for the UE based on the access-response message to indicate that secure access between the UE and the AS is pending.

[00133] Example 13 includes the apparatus of example 11 or 12, wherein the mapping table includes one or more of: a Data Link Layer (Layer-2) address of the UE, the CSP ID, or a UE identifier (UE ID) for the UE.

[00134] Example 14 includes the apparatus of example 11 or 12, wherein the one or more processors and memory are further configured to: assign a connection identifier (ID) and a Data Link Layer (Layer-2) identifier (ID) for the secure communication session; and signal the transceiver associated with the cellular base station to send the connection ID and the layer-2 ID to the UE along with the access-response message.
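The following is an added, runnable sketch of the access-request, access-response and access-complete exchange of Examples 1 through 14, together with the AS-side key derivation of Example 20; it is illustrative code written for this page, not an implementation from the patent or from Intel. The KDF (HMAC-SHA256 over a label and the random number), the MIC (truncated HMAC), the message encoding, the way connection and Layer-2 IDs are assigned, binding the authentication CSP key to the UE's request random number, and the gateway not retaining the E2E session key are all assumptions; the examples name a KDF and a MIC but fix neither. A MIC provides integrity and origin authentication rather than confidentiality, so what Examples 5 and 9 describe as encrypting a message "using a MIC technique" is modelled here as integrity protection of that message.

```python
"""Access-request / access-response / access-complete exchange between a UE, a RAN-SecGW
and a CSP Application Server (AS). KDF, MIC, message encoding and ID assignment are
assumptions made for this example; the patent names a KDF and a MIC but fixes neither."""
import hashlib
import hmac
import os


def kdf(sk: bytes, rand: bytes, label: bytes) -> bytes:
    """Key Derivation Function with the SK and a random number as parameters (HMAC-SHA256, assumed)."""
    return hmac.new(sk, label + rand, hashlib.sha256).digest()


def encode(msg: dict) -> bytes:
    """Canonical byte form of a message, excluding its own MIC field (assumed encoding)."""
    return b"|".join(k.encode() + b"=" + (v if isinstance(v, bytes) else str(v).encode())
                     for k, v in sorted(msg.items()) if k != "mic")


def mic(key: bytes, msg: dict) -> bytes:
    """Message Integrity Check: truncated HMAC over the encoded message (assumed)."""
    return hmac.new(key, encode(msg), hashlib.sha256).digest()[:16]


class ApplicationServer:
    """CSP-side AS holding the per-UE SK (provisioned by the CSP or the manufacturer, Examples 7/8)."""

    def __init__(self, csp_id: str, device_keys: dict):
        self.csp_id, self.device_keys, self.sessions = csp_id, device_keys, {}

    def handle_access_request(self, req: dict) -> dict:
        sk = self.device_keys.get(req["ue_id"])
        if sk is None or not hmac.compare_digest(mic(kdf(sk, req["rand_req"], b"mic"), req), req["mic"]):
            raise PermissionError("unknown UE or bad MIC on access-request")
        rand_ra, rand_e2e = os.urandom(16), os.urandom(16)
        k_ra = kdf(sk, rand_ra, b"radio-access")            # Example 20
        k_e2e = kdf(sk, rand_e2e, b"e2e-session")
        self.sessions[req["ue_id"]] = {"k_e2e": k_e2e, "state": "pending"}
        # Example 5: the authentication CSP key is derived from the SK. Binding it to the
        # UE's request random number keeps a replayed response from verifying (assumption).
        return {"ue_id": req["ue_id"], "csp_id": self.csp_id,
                "auth_csp_key": kdf(sk, req["rand_req"], b"csp-auth"),
                "k_ra": k_ra, "rand_ra": rand_ra, "k_e2e": k_e2e, "rand_e2e": rand_e2e}

    def handle_access_complete(self, msg: dict) -> None:
        self.sessions[msg["ue_id"]]["state"] = "established"


class RanSecGW:
    """Gateway at the base station; each AS is reached over an IP secure tunnel (a direct call here)."""

    def __init__(self, tunnels: dict):
        self.tunnels, self.table, self._next = tunnels, {}, 1   # mapping table keyed by UE L2 address

    def on_access_request(self, l2_addr: bytes, req: dict) -> dict:
        resp = self.tunnels[req["csp_id"]].handle_access_request(req)   # outside the core network
        conn_id, l2_id = self._next, 1000 + self._next                   # Example 14 (assumed scheme)
        self._next += 1
        self.table[l2_addr] = {"csp_id": req["csp_id"], "ue_id": req["ue_id"], "conn_id": conn_id,
                               "l2_id": l2_id, "k_ra": resp["k_ra"], "state": "pending"}  # Examples 12/13
        # Only the random numbers and the authentication CSP key go over the air; the gateway
        # installs the radio-access key and (assumption) does not keep the E2E session key.
        return {"ue_id": resp["ue_id"], "csp_id": resp["csp_id"], "auth_csp_key": resp["auth_csp_key"],
                "rand_ra": resp["rand_ra"], "rand_e2e": resp["rand_e2e"], "conn_id": conn_id, "l2_id": l2_id}

    def on_access_complete(self, l2_addr: bytes, msg: dict) -> None:
        entry = self.table[l2_addr]
        if not hmac.compare_digest(mic(entry["k_ra"], msg), msg["mic"]):   # Example 9
            raise PermissionError("bad MIC on access-complete")
        entry["state"] = "established"                                      # Example 11
        self.tunnels[entry["csp_id"]].handle_access_complete(msg)


class UE:
    def __init__(self, ue_id: str, sk: bytes, csp_id: str):
        self.ue_id, self.sk, self.csp_id = ue_id, sk, csp_id
        self.rand_req = self.k_ra = self.k_e2e = self.conn_id = None

    def build_access_request(self) -> dict:
        self.rand_req = os.urandom(16)
        req = {"ue_id": self.ue_id, "csp_id": self.csp_id, "dev_info": "meter-v1",
               "cause": "mo-data", "rand_req": self.rand_req}               # Example 3 (constructed values)
        req["mic"] = mic(kdf(self.sk, self.rand_req, b"mic"), req)          # Example 5
        return req

    def handle_access_response(self, resp: dict) -> dict:
        if not hmac.compare_digest(kdf(self.sk, self.rand_req, b"csp-auth"), resp["auth_csp_key"]):
            raise PermissionError("CSP identity verification failed")      # Example 1
        self.k_ra = kdf(self.sk, resp["rand_ra"], b"radio-access")         # Example 6
        self.k_e2e = kdf(self.sk, resp["rand_e2e"], b"e2e-session")
        self.conn_id = resp["conn_id"]
        done = {"ue_id": self.ue_id, "conn_id": self.conn_id}
        done["mic"] = mic(self.k_ra, done)                                   # Example 9
        return done


def run_handshake(ue_sk: bytes, as_sk: bytes) -> dict:
    """Drive the exchange; as_sk is the SK the AS holds for this UE (made to differ to show rejection)."""
    ue = UE("ue-0001", ue_sk, "csp-A")
    app = ApplicationServer("csp-A", {"ue-0001": as_sk})
    gw = RanSecGW({"csp-A": app})
    l2_addr = b"\x02\x00\x00\x00\x00\x01"                       # constructed UE L2 address
    done = ue.handle_access_response(gw.on_access_request(l2_addr, ue.build_access_request()))
    gw.on_access_complete(l2_addr, done)
    return {"ue": ue, "gw": gw, "as": app, "l2_addr": l2_addr}
```

After `run_handshake` the gateway's mapping-table row for the UE is in the established state and holds the same radio-access key the UE derived, while the E2E session key is known only to the UE and the AS. If the AS holds a different SK for the UE, the MIC on the access-request fails and the exchange stops before any key is issued; if the access-response carries an authentication CSP key that was not derived from the shared SK and the UE's request random number, the UE refuses to complete.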

[00135] Example 15 includes the apparatus of example 11 or 12, wherein the one or more processors and memory are further configured to: identify a key-expiration time in the mapping table for the secure communication session; signal the networking circuitry to send a key-refresh request message to the AS for the secure communication session before the key-expiration time is reached; identify a key-refresh response message that was sent from the AS in response to the key-refresh request message; update the mapping table based on the key-refresh response message; signal the transceiver associated with the cellular base station to send a key-update message to the UE; identify a key-refresh completion message sent from the UE in response to the key-update message; and signal the networking circuitry to send the key-refresh completion message to the AS.

[00136] Example 16 includes the apparatus of example 15, wherein the key-refresh response message includes a radio access key and a random number for the radio access key, and wherein the one or more processors and memory are further configured to: install the radio access key; and signal the transceiver associated with the cellular base station to send the random number for the radio access key to the UE along with the key-update message.

[00137] Example 17 includes the apparatus of example 15, wherein the key-refresh response message includes one or more of: the CSP ID, a UE identifier (UE ID) for the UE, or a random number for an End-to-End (E2E) session key.

[00138] Example 18 includes the apparatus of example 15, wherein the key-update message includes one or more of: a UE identifier (ID) for the UE, a random number for an End-to-End (E2E) session key, or a connection identifier (ID).
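As an added example written for this page (not code from the patent), the key-refresh procedure of Examples 15 through 18, driven from the RAN-SecGW side by the key-expiration time kept in its mapping table. The KDF and MIC, the message encoding, the key lifetime and refresh margin, and the two-phase install (the new radio-access key is staged at the gateway and only replaces the old one once the UE's key-refresh completion verifies under it) are assumptions; Example 16 says only that the key is installed.

```python
"""Key refresh for an established UE/AS session: the RAN-SecGW watches the key-expiration
time in its mapping-table row, asks the AS for a new radio-access key ahead of it, stages
the key, and relays only the random numbers to the UE. KDF, MIC, encoding, lifetime, margin
and the two-phase install are assumptions made for this example."""
import hashlib
import hmac
import os

LIFETIME = 3600   # assumed key lifetime in seconds
MARGIN = 300      # assumed: begin the refresh this long before the key-expiration time


def kdf(sk: bytes, rand: bytes, label: bytes) -> bytes:
    return hmac.new(sk, label + rand, hashlib.sha256).digest()


def encode(msg: dict) -> bytes:
    return b"|".join(k.encode() + b"=" + (v if isinstance(v, bytes) else str(v).encode())
                     for k, v in sorted(msg.items()) if k != "mic")


def mic(key: bytes, msg: dict) -> bytes:
    return hmac.new(key, encode(msg), hashlib.sha256).digest()[:16]


class ApplicationServer:
    def __init__(self, csp_id: str, ue_id: str, sk: bytes):
        self.csp_id, self.ue_id, self.sk = csp_id, ue_id, sk
        self.k_ra = self.k_e2e = self.pending = None

    def handle_key_refresh_request(self, req: dict, now: int) -> dict:
        rand_ra, rand_e2e = os.urandom(16), os.urandom(16)
        self.pending = (kdf(self.sk, rand_ra, b"radio-access"), kdf(self.sk, rand_e2e, b"e2e-session"))
        return {"csp_id": self.csp_id, "ue_id": self.ue_id, "k_ra": self.pending[0],   # Examples 16/17
                "rand_ra": rand_ra, "rand_e2e": rand_e2e, "expires_at": now + LIFETIME}

    def handle_key_refresh_completion(self, msg: dict) -> None:
        self.k_ra, self.k_e2e = self.pending        # new keys take effect once the UE has confirmed


class RanSecGW:
    def __init__(self, app: ApplicationServer, entry: dict):
        self.app, self.entry = app, entry           # entry is this UE's mapping-table row

    def tick(self, now: int):
        """Called periodically; returns a key-update message for the UE when a refresh is due."""
        e = self.entry
        if now + MARGIN < e["expires_at"] or "next_k_ra" in e:
            return None                             # not yet due, or a refresh is already in flight
        resp = self.app.handle_key_refresh_request(
            {"ue_id": e["ue_id"], "csp_id": e["csp_id"], "conn_id": e["conn_id"]}, now)
        # Example 16: install the radio-access key. It is staged rather than swapped in, so
        # uplink the UE still protects with the old key keeps verifying until it confirms.
        e["next_k_ra"], e["next_expires_at"] = resp["k_ra"], resp["expires_at"]
        return {"ue_id": e["ue_id"], "conn_id": e["conn_id"],                          # Example 18
                "rand_ra": resp["rand_ra"], "rand_e2e": resp["rand_e2e"]}

    def on_key_refresh_completion(self, msg: dict) -> None:
        e = self.entry
        if not hmac.compare_digest(mic(e["next_k_ra"], msg), msg["mic"]):
            raise PermissionError("completion not protected with the new radio-access key")
        e["k_ra"], e["expires_at"] = e.pop("next_k_ra"), e.pop("next_expires_at")
        self.app.handle_key_refresh_completion(msg)


class UE:
    def __init__(self, ue_id: str, sk: bytes):
        self.ue_id, self.sk, self.k_ra, self.k_e2e = ue_id, sk, None, None

    def on_key_update(self, msg: dict) -> dict:
        self.k_ra = kdf(self.sk, msg["rand_ra"], b"radio-access")
        self.k_e2e = kdf(self.sk, msg["rand_e2e"], b"e2e-session")
        done = {"ue_id": self.ue_id, "conn_id": msg["conn_id"]}
        done["mic"] = mic(self.k_ra, done)          # completion proves the UE holds the new key
        return done


def run_refresh(sk: bytes, established_at: int, times: list) -> dict:
    """Replay the gateway's timer at each instant in `times`; report who ends up holding which key."""
    old_k_ra = kdf(sk, b"\x00" * 16, b"radio-access")        # stands in for the key from the access exchange
    entry = {"ue_id": "ue-0001", "csp_id": "csp-A", "conn_id": 7,
             "l2_addr": b"\x02\x00\x00\x00\x00\x01", "k_ra": old_k_ra,
             "expires_at": established_at + LIFETIME}        # constructed mapping-table row
    app, ue = ApplicationServer("csp-A", "ue-0001", sk), UE("ue-0001", sk)
    gw = RanSecGW(app, entry)
    app.k_ra = ue.k_ra = old_k_ra
    refreshed_at = None
    for now in times:
        update = gw.tick(now)
        if update is not None:
            gw.on_key_refresh_completion(ue.on_key_update(update))
            refreshed_at = now
    return {"refreshed_at": refreshed_at, "old_k_ra": old_k_ra, "gw_k_ra": entry["k_ra"],
            "ue_k_ra": ue.k_ra, "as_k_ra": app.k_ra, "ue_k_e2e": ue.k_e2e, "as_k_e2e": app.k_e2e,
            "expires_at": entry["expires_at"]}
```

Staging rather than immediately swapping the key matters for the low-power, stationary devices the abstract targets: a device may not process the key-update message promptly, and any uplink it protects with the old radio-access key must keep verifying at the gateway until its key-refresh completion shows it holds the new one. With the assumed one-hour lifetime and five-minute margin, a session established at time 0 is refreshed at the first timer tick at or after 3300 seconds, and afterwards the gateway, the UE and the AS agree on the new radio-access key while the UE and the AS agree on the new E2E session key.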

[00139] Example 19 includes the apparatus of example 11, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the RAN-SecGW to send the access-request message to the AS via an Internet Packet (IP) secure tunnel between the RAN-SecGW and a CSP Secure Gateway (CSP-SecGW) associated with the CSP; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[00140] Example 20 includes an apparatus of an Application Server (AS) associated with a Cloud Service Provider (CSP), the apparatus comprising one or more processors and memory configured to: identify an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP; derive a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF; derive an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF; and signal networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio-access key, the random number for the radio-access key, the E2E session key, and the random number for the E2E session key.

[00141] Example 21 includes the apparatus of example 20, wherein the one or more processors and memory are further configured to signal the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW.

[00142] Example 22 includes the apparatus of example 20 or 21, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE.

[00143] Example 23 includes the apparatus of example 20, wherein the one or more processors and memory are further configured to: identify an access-complete message sent from the UE to the AS in response to the access-response message; and signal the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.

[00144] Example 24 includes an apparatus of a User Equipment (UE), the apparatus comprising one or more processors and memory configured to: signal a transceiver at the UE to send an access-request message to a cellular base station that is associated with a Radio Access Network Security Gateway (RAN-SecGW), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and the access-request message including a CSP identifier (CSP ID) indicating the CSP; identify an access-response message received at the UE via the transceiver, wherein the access-response includes an authentication CSP key; verify the identity of the CSP using the authentication CSP key; and signal the transceiver at the UE to send an access-complete message to the cellular base station to facilitate establishment of a secure communication channel between the UE and the CSP.

[00145] Example 25 includes the apparatus of example 24, wherein the RAN-SecGW and the CSP are connected via an Internet Packet (IP) secure tunnel.

[00146] Example 26 includes the apparatus of example 24, wherein the access-request message includes one or more of: a unique ID of the UE, device information about the UE, or an establishment cause.

[00147] Example 27 includes the apparatus of example 24, wherein the one or more processors and memory are further configured to signal the transceiver to send the access-request message in a Media Access Control Layer of a Data Link Layer (Layer 2) or in a Radio Resource Control (RRC) message.

[00148] Example 28 includes the apparatus of example 24, wherein the one or more processors and memory are further configured to: encrypt the access-request message using a Message Integrity Check (MIC) technique, a secret key (SK), and a random number, wherein the authentication CSP key is derived from the SK; and signal the transceiver at the UE to send the access-request message to the cellular base station in an encrypted form.

[00149] Example 29 includes the apparatus of example 28, wherein the access-response message includes a random number for a radio-access key and a random number for an End-to-End (E2E) session key, and wherein the one or more processors are further configured to: derive the radio-access key using a Key Derivation Function (KDF) and using the random number for the radio-access key and the SK as parameters for the KDF; and derive the E2E session key using the KDF and using the random number for the E2E session key and the SK as parameters for the KDF.

[00150] Example 30 includes the apparatus of example 29, wherein the UE has been configured by the CSP with one or more of: the SK, device information, or a list of identifiers (IDs) of network operators associated with the CSP.

[00151] Example 31 includes the apparatus of example 29, wherein the UE has been configured by a manufacturer with at least one of: the SK or device information.

[00152] Example 32 includes the apparatus of example 29, wherein the one or more processors and memory are further configured to: encrypt the access-complete message using a Message Integrity Check (MIC) technique and the radio-access key; and signal the transceiver at the UE to send the access-complete message to the cellular base station in an encrypted form.

[00153] Example 33 includes the apparatus of example 32, wherein the one or more processors include a baseband processor.

[00154] Example 34 includes an apparatus of a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the apparatus comprising one or more processors and memory configured to: identify an access-request message received from a User Equipment (UE), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and including a CSP identifier (CSP ID) indicating the CSP; signal networking circuitry associated with the RAN-SecGW to send the access-request message to an Application Server (AS) of the CSP via an Internet Packet (IP) secure tunnel outside of a core network associated with the cellular base station; identify an access-response message sent from the AS in response to the access-request message for the UE, wherein the access-response includes an authentication CSP key; signal a transceiver associated with the cellular base station to send the access-response message to the UE; identify an access-complete message sent from the UE in response to the access-response message; modify a mapping table for the UE based on the access-complete message in order to indicate that a secure communication session has been established between the UE and the AS, wherein the RAN-SecGW uses the mapping table to route messages between the UE and the AS; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[00155] Example 35 includes the apparatus of example 34, wherein the one or more processors and memory are further configured to: modify the mapping table for the UE based on the access-response message to indicate that secure access between the UE and the AS is pending.

[00156] Example 36 includes the apparatus of example 35, wherein the mapping table includes one or more of: a Data Link Layer (Layer-2) address of the UE, the CSP ID, or a UE identifier (UE ID) for the UE.

[00157] Example 37 includes the apparatus of example 35, wherein the one or more processors and memory are further configured to: assign a connection identifier (ID) and a Data Link Layer (Layer-2) identifier (ID) for the secure communication session; and signal the transceiver associated with the cellular base station to send the connection ID and the layer-2 ID to the UE along with the access-response message.

[00158] Example 38 includes the apparatus of example 35, wherein the one or more processors and memory are further configured to: identify a key-expiration time in the mapping table for the secure communication session; signal the networking circuitry to send a key-refresh request message to the AS for the secure communication session before the key-expiration time is reached; identify a key-refresh response message that was sent from the AS in response to the key-refresh request message; update the mapping table based on the key-refresh response message; signal the transceiver associated with the cellular base station to send a key-update message to the UE; identify a key-refresh completion message sent from the UE in response to the key-update message; and signal the networking circuitry to send the key-refresh completion message to the AS.

[00159] Example 39 includes the apparatus of example 38, wherein the key-refresh response message includes a radio access key and a random number for the radio access key, and wherein the one or more processors and memory are further configured to: install the radio access key; and signal the transceiver associated with the cellular base station to send the random number for the radio access key to the UE along with the key-update message.

[00160] Example 40 includes the apparatus of example 38, wherein the key-refresh response message includes one or more of: the CSP ID, a UE identifier (UE ID) for the UE, or a random number for an End-to-End (E2E) session key.

[00161] Example 41 includes the apparatus of example 38, wherein the key-update message includes one or more of: a UE identifier (ID) for the UE, a random number for an End-to-End (E2E) session key, or a connection identifier (ID).

[00162] Example 42 includes the apparatus of example 34, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the RAN-SecGW to send the access-request message to the AS via an Internet Packet (IP) secure tunnel between the RAN-SecGW and a CSP Secure Gateway (CSP-SecGW) associated with the CSP; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[00163] Example 43 includes an apparatus of an Application Server (AS) associated with a Cloud Service Provider (CSP), the apparatus comprising one or more processors and memory configured to: identify an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP; derive a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF; derive an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF; and signal networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio access key, the random number for the radio-access key, the E2E session key, and the random number for the session key.

[00164] Example 44 includes the apparatus of example 43, wherein the one or more processors and memory are further configured to signal the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW.

[00165] Example 45 includes the apparatus of example 44, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE.

[00166] Example 46 includes the apparatus of example 43, wherein the one or more processors and memory are further configured to: identify an access-complete message sent from the UE to the AS in response to the access-response message; and signal the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.

[00167] Example 47 includes an apparatus of a User Equipment (UE), the apparatus comprising one or more processors and memory configured to: signal a transceiver at the UE to send an access-request message to a cellular base station that is associated with a Radio Access Network Security Gateway (RAN-SecGW), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and the access-request message including a CSP identifier (CSP ID) indicating the CSP; identify an access-response message received at the UE via the transceiver, wherein the access-response includes an authentication CSP key; verify the identity of the CSP using the authentication CSP key; and signal the transceiver at the UE to send an access-complete message to the cellular base station to facilitate establishment of a secure communication channel between the UE and the CSP.

[00168] Example 48 includes the apparatus of example 47, wherein the RAN-SecGW and the CSP are connected via an Internet Packet (IP) secure tunnel, and wherein the access-request message includes one or more of: a unique ID of the UE, device information about the UE, or an establishment cause.

[00169] Example 49 includes the apparatus of example 47 or 48, wherein the one or more processors and memory are further configured to: signal the transceiver to send the access-request message in a Media Access Control Layer of a Data Link Layer (Layer 2) or in a Radio Resource Control (RRC) message; encrypt the access-request message using a Message Integrity Check (MIC) technique, a secret key (SK), and a random number, wherein the authentication CSP key is derived from the SK; and signal the transceiver at the UE to send the access-request message to the cellular base station in an encrypted form.

[00170] In example 50, the subject matter of example 47 or any of the examples described herein may further include, wherein the access-response message includes a random number for a radio-access key and a random number for an End-to-End (E2E) session key, and wherein the one or more processors are further configured to: derive the radio-access key using a Key Derivation Function (KDF) and using the random number for the radio-access key and the SK as parameters for the KDF; and derive the E2E session key using the KDF and using the random number for the E2E session key and the SK as parameters for the KDF.

[00171] In example 51, the subject matter of example 47 or any of the examples described herein may further include, wherein the UE has been configured by the CSP with one or more of: the SK, device information, or a list of identifiers (IDs) of network operators associated with the CSP, and wherein the UE has been configured by a manufacturer with at least one of: the SK or device information.

[00172] In example 52, the subject matter of example 47 or any of the examples described herein may further include, wherein the one or more processors and memory are further configured to: encrypt the access-complete message using a Message Integrity Check (MIC) technique and the radio-access key; and signal the transceiver at the UE to send the access-complete message to the cellular base station in an encrypted form, wherein the one or more processors include a baseband processor.

[00173] Example 53 includes an apparatus of a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the apparatus comprising one or more processors and memory configured to: identify an access-request message received from a User Equipment (UE), the access-request message indicating that the UE requests to establish a secure connection with a Cloud Service Provider (CSP) and including a CSP identifier (CSP ID) indicating the CSP; signal networking circuitry associated with the RAN-SecGW to send the access-request message to an Application Server (AS) of the CSP via an Internet Packet (IP) secure tunnel outside of a core network associated with the cellular base station; identify an access-response message sent from the AS in response to the access-request message for the UE, wherein the access-response includes an authentication CSP key; signal a transceiver associated with the cellular base station to send the access-response message to the UE; identify an access-complete message sent from the UE in response to the access-response message; modify a mapping table for the UE based on the access-complete message in order to indicate that a secure communication session has been established between the UE and the AS, wherein the RAN-SecGW uses the mapping table to route messages between the UE and the AS; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.

[00174] Example 54 includes the apparatus of example 53, wherein the one or more processors and memory are further configured to: modify the mapping table for the UE based on the access-response message to indicate that secure access between the UE and the AS is pending, and wherein the mapping table includes one or more of: a Data Link Layer (Layer-2) address of the UE, the CSP ID, or a UE identifier (UE ID) for the UE.

[00175] Example 55 includes the apparatus of example 53 or 54, wherein the one or more processors and memory are further configured to: assign a connection identifier (ID) and a Data Link Layer (Layer-2) identifier (ID) for the secure communication session; signal the transceiver associated with the cellular base station to send the connection ID and the layer-2 ID to the UE along with the access-response message; identify a key-expiration time in the mapping table for the secure communication session; signal the networking circuitry to send a key-refresh request message to the AS for the secure communication session before the key-expiration time is reached; identify a key-refresh response message that was sent from the AS in response to the key-refresh request message; update the mapping table based on the key-refresh response message; signal the transceiver associated with the cellular base station to send a key-update message to the UE; identify a key-refresh completion message sent from the UE in response to the key-update message; or signal the network circuitry to send the key-refresh completion message to the AS.

[00176] In example 56, the subject matter of example 53 or any of the examples described herein may further include, wherein the key-refresh response message includes a radio access key and a random number for the radio access key, and wherein the one or more processors and memory are further configured to: install the radio access key; and signal the transceiver associated with the cellular base station to send the random number for the radio access key to the UE along with the key-update message.

[00177] In example 57, the subject matter of example 53 or any of the examples described herein may further include, wherein the key-refresh response message includes one or more of: the CSP ID, a UE identifier (UE ID) for the UE, or a random number for an End-to-End (E2E) session key, and wherein the key-update message includes one or more of: a UE identifier (ID) for the UE, a random number for an End-to-End (E2E) session key, or a connection identifier (ID).

[00178] In example 58, the subject matter of example 53 or any of the examples described herein may further include, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the RAN-SecGW to send the access-request message to the AS via an Internet Packet (IP) secure tunnel between the RAN-SecGW and a CSP Secure Gateway (CSP-SecGW) associated with the CSP; and signal the networking circuitry associated with the RAN-SecGW to send the access-complete message to the AS via the IP secure tunnel.
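The key-refresh procedure of Examples 38 to 41 (restated in Examples 55 to 57) is easier to reason about as code, in particular the point that the RAN-SecGW must start the refresh before the key-expiration time and must not retire the installed radio-access key until the UE's key-refresh completion verifies under the new one. The following is an added illustration, not code from the application or from Intel. Everything the page leaves open is an assumption here and is marked as such in the comments: expiration times are integer seconds kept in the mapping table, the refresh starts 300 s ahead of expiry, the KDF is HMAC-SHA256 over a label and the random number, the MIC is a truncated HMAC-SHA256, and the refreshed key is held as "pending" in the table until the completion message is verified. SK, the UE ID, the connection ID and the Layer-2 address are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

REFRESH_LEAD_S = 300   # assumed: start a refresh this long before the key-expiration time
KEY_LIFETIME_S = 3600  # assumed: lifetime the AS grants a refreshed radio-access key
SK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed pre-shared secret key
L2_ADDR = bytes.fromhex("020000000001")                   # constructed UE Layer-2 address


def kdf(sk: bytes, label: bytes, random_number: bytes) -> bytes:
    """KDF(SK, random number); the HMAC-SHA256 instantiation is an assumption."""
    return hmac.new(sk, label + random_number, hashlib.sha256).digest()[:16]


def mic(key: bytes, *fields: bytes) -> bytes:
    """Truncated HMAC-SHA256 over length-prefixed fields (assumed MIC construction)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class Entry:
    """Mapping-table row for one secure communication session."""
    ue_id: bytes
    conn_id: bytes
    k_ra: bytes                # installed radio-access key
    key_expires_at: int        # key-expiration time (Example 38), in seconds
    state: str = "established"
    pending_k_ra: Optional[bytes] = None   # refreshed key; live only after completion verifies
    pending_expires_at: int = 0


class ApplicationServer:
    def __init__(self, sk: bytes) -> None:
        self.sk = sk

    def on_key_refresh_request(self, ue_id: bytes, now: int):
        """Key-refresh response (Examples 39-40): new radio-access key plus both random numbers."""
        n_ra, n_e2e = secrets.token_bytes(16), secrets.token_bytes(16)
        return kdf(self.sk, b"radio-access", n_ra), n_ra, n_e2e, now + KEY_LIFETIME_S


class UserEquipment:
    def __init__(self, sk: bytes, k_ra: bytes) -> None:
        self.sk, self.k_ra, self.k_e2e = sk, k_ra, None

    def on_key_update(self, msg: dict) -> bytes:
        """Re-derive both keys from the random numbers, answer with a MIC'd completion."""
        self.k_ra = kdf(self.sk, b"radio-access", msg["n_ra"])
        self.k_e2e = kdf(self.sk, b"e2e-session", msg["n_e2e"])
        return mic(self.k_ra, b"key-refresh-complete", msg["ue_id"], msg["conn_id"])


class RanSecGw:
    def __init__(self) -> None:
        self.table: dict = {}

    def sessions_due(self, now: int) -> list:
        """Sessions whose key-expiration time falls inside the lead window."""
        return [a for a, e in self.table.items()
                if e.state == "established" and e.key_expires_at - now <= REFRESH_LEAD_S]

    def start_refresh(self, l2_addr: bytes, as_: ApplicationServer, now: int) -> dict:
        e = self.table[l2_addr]
        k_ra, n_ra, n_e2e, expires_at = as_.on_key_refresh_request(e.ue_id, now)  # IP secure tunnel
        e.pending_k_ra, e.pending_expires_at, e.state = k_ra, expires_at, "refreshing"
        # Key-update message to the UE (Example 41): identifiers and random numbers only.
        return {"ue_id": e.ue_id, "conn_id": e.conn_id, "n_ra": n_ra, "n_e2e": n_e2e}

    def on_refresh_completion(self, l2_addr: bytes, tag: bytes) -> bool:
        e = self.table[l2_addr]
        if e.state != "refreshing" or e.pending_k_ra is None:
            return False
        expected = mic(e.pending_k_ra, b"key-refresh-complete", e.ue_id, e.conn_id)
        if not hmac.compare_digest(tag, expected):
            return False  # UE did not derive the new key: old key stays live, keep waiting
        e.k_ra, e.key_expires_at = e.pending_k_ra, e.pending_expires_at
        e.pending_k_ra, e.state = None, "established"
        return True  # caller then forwards the completion to the AS over the IP secure tunnel


def refresh_scenario(now: int = 1000, stale_completion: bool = False) -> dict:
    """A session expiring in 200 s is refreshed; stale_completion answers under the OLD key."""
    as_, gw = ApplicationServer(SK), RanSecGw()
    k_old = kdf(SK, b"radio-access", secrets.token_bytes(16))
    ue = UserEquipment(SK, k_old)
    gw.table[L2_ADDR] = Entry(b"ue-0001", b"\x00\x00\x00\x01", k_old, key_expires_at=now + 200)
    due_before = gw.sessions_due(now)
    msg = gw.start_refresh(L2_ADDR, as_, now)
    tag = ue.on_key_update(msg)
    if stale_completion:
        tag = mic(k_old, b"key-refresh-complete", msg["ue_id"], msg["conn_id"])
    accepted = gw.on_refresh_completion(L2_ADDR, tag)
    e = gw.table[L2_ADDR]
    return {"due_before": due_before, "accepted": accepted, "rotated": e.k_ra != k_old,
            "in_sync": e.k_ra == ue.k_ra, "expires_at": e.key_expires_at, "state": e.state}
```

Calling `refresh_scenario()` walks one session through the whole cycle: it is selected by `sessions_due`, the gateway obtains the new key and random numbers from the AS, forwards only the random numbers and identifiers to the UE, and switches the installed key once the completion verifies. With `stale_completion=True` the completion is computed under the old key and is rejected, so the table keeps the old key live rather than switching to a key the UE has not confirmed.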

[00179] Example 59 includes an apparatus of an Application Server (AS) associated with a Cloud Service Provider (CSP), the apparatus comprising one or more processors and memory configured to: identify an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP; derive a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF; derive an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF; and signal networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio access key, the random number for the radio-access key, the E2E session key, and the random number for the session key.

[00180] Example 60 includes the apparatus of example 59, wherein the one or more processors and memory are further configured to signal the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW.

[00181] Example 61 includes the apparatus of example 59 or 60, wherein the one or more processors and memory are further configured to: signal the networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE; identify an access-complete message sent from the UE to the AS in response to the access-response message; and signal the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.

[00182] Example 62 includes a device comprising: means for identifying an access-request message sent from a Radio Access Network Security Gateway (RAN-SecGW) associated with a cellular base station, the access-request message indicating that a UE requests to establish a secure connection with the CSP; means for deriving a radio-access key using a Key Derivation Function (KDF) and using a random number associated with the radio-access key and a secret key (SK) as parameters for the KDF; means for deriving an End-To-End (E2E) session key using the KDF and using a random number associated with the E2E session key and the SK as parameters for the KDF; and means for signalling networking circuitry associated with the AS to send an access-response message to the RAN-SecGW in response to the access-request message, wherein the access-response includes the radio access key, the random number for the radio-access key, the E2E session key, and the random number for the session key.

[00183] Example 63 includes the device of example 62, further comprising means for signalling the networking circuitry associated with the AS to send the access-response message to the RAN-SecGW via an Internet Packet (IP) secure tunnel between the AS and the RAN-SecGW.

[00184] Example 64 includes the device of example 62, further comprising means for signalling the networking circuitry associated with the AS to send, via a secure network connection, a request for the SK to a server associated with a manufacturer of the UE.

[00185] Example 65 includes the device of example 62, further comprising means for: identifying an access-complete message sent from the UE to the AS in response to the access-response message; and signalling the networking circuitry associated with the AS to send a communication to the UE using a secure connection that has been established between the AS and the UE based on one or more of: the access-request message, the access-response message, or the access-complete message.
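The initial access exchange is spread over the AS side (Examples 43 to 46, restated in Examples 59 to 65), the UE side (Examples 47 to 52) and the RAN-SecGW side (Examples 34 to 37 and 53 to 54). The following is an added illustration that puts the three roles side by side; it is not code from the application or from Intel. The page fixes only the shape of the exchange, so the following are assumptions, marked in the comments: the KDF is HMAC-SHA256 over a label and the random number; the MIC is an 8-byte truncated HMAC-SHA256 over length-prefixed fields; and the "authentication CSP key" check of Example 47 is realised as the UE verifying a MIC on the access-response computed under the radio-access key, which only a holder of SK can produce. Where the page says the access-complete is "encrypted" with a MIC technique, the code provides integrity protection, which is what a MIC gives. SK, the CSP ID, the UE ID and the Layer-2 address are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values: SK as provisioned by the manufacturer/CSP, the CSP ID,
# the UE ID and the UE's Layer-2 address.
SK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CSP_ID = b"csp.example"
UE_ID = b"ue-0001"
L2_ADDR = bytes.fromhex("020000000001")


def kdf(sk: bytes, label: bytes, random_number: bytes) -> bytes:
    """KDF(SK, random number) -> 128-bit key; the HMAC-SHA256 instantiation is an assumption."""
    return hmac.new(sk, label + random_number, hashlib.sha256).digest()[:16]


def mic(key: bytes, *fields: bytes) -> bytes:
    """Message Integrity Check: truncated HMAC-SHA256 over length-prefixed fields (assumed)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class AccessResponse:
    """What the UE receives over the air: identifiers and random numbers, never keys."""
    csp_id: bytes
    conn_id: bytes
    n_ra: bytes   # random number for the radio-access key (Example 50)
    n_e2e: bytes  # random number for the E2E session key (Example 50)
    tag: bytes    # MIC under the radio-access key; the UE's CSP-identity check (assumed)


class ApplicationServer:
    def __init__(self, sk: bytes) -> None:
        self.sk = sk
        self.e2e_keys: dict = {}

    def on_access_request(self, ue_id: bytes, conn_id: bytes):
        """Example 43: derive both keys from SK and fresh random numbers."""
        n_ra, n_e2e = secrets.token_bytes(16), secrets.token_bytes(16)
        k_ra = kdf(self.sk, b"radio-access", n_ra)
        k_e2e = kdf(self.sk, b"e2e-session", n_e2e)
        self.e2e_keys[ue_id] = k_e2e
        tag = mic(k_ra, CSP_ID, conn_id, n_ra, n_e2e)
        # The access-response to the RAN-SecGW carries both keys and both random numbers.
        return k_ra, k_e2e, AccessResponse(CSP_ID, conn_id, n_ra, n_e2e, tag)


class RanSecGw:
    def __init__(self) -> None:
        self.table: dict = {}  # mapping table keyed by the UE's Layer-2 address (Example 36)

    def on_access_request(self, l2_addr: bytes, ue_id: bytes, as_: ApplicationServer) -> AccessResponse:
        conn_id = secrets.token_bytes(4)  # Example 37: connection ID for the session
        k_ra, _k_e2e, resp = as_.on_access_request(ue_id, conn_id)  # over the IP secure tunnel
        # Example 35: entry marked pending; radio-access key installed for over-the-air checks.
        self.table[l2_addr] = {"ue_id": ue_id, "csp_id": CSP_ID, "conn_id": conn_id,
                               "k_ra": k_ra, "state": "pending"}
        return resp

    def on_access_complete(self, l2_addr: bytes, ue_id: bytes, conn_id: bytes, tag: bytes) -> bool:
        entry = self.table.get(l2_addr)
        if entry is None or entry["ue_id"] != ue_id or entry["conn_id"] != conn_id:
            return False
        if not hmac.compare_digest(tag, mic(entry["k_ra"], b"access-complete", ue_id, conn_id)):
            return False  # forged or tampered completion: entry stays pending
        entry["state"] = "established"  # Example 34: completion is then forwarded to the AS
        return True


class UserEquipment:
    def __init__(self, sk: bytes, ue_id: bytes) -> None:
        self.sk, self.ue_id = sk, ue_id
        self.k_ra = self.k_e2e = None

    def on_access_response(self, resp: AccessResponse):
        k_ra = kdf(self.sk, b"radio-access", resp.n_ra)  # Example 50
        if not hmac.compare_digest(resp.tag, mic(k_ra, resp.csp_id, resp.conn_id, resp.n_ra, resp.n_e2e)):
            raise ValueError("CSP authentication failed: response not bound to our SK")
        self.k_ra, self.k_e2e = k_ra, kdf(self.sk, b"e2e-session", resp.n_e2e)
        # Example 52: access-complete integrity-protected under the radio-access key.
        return self.ue_id, resp.conn_id, mic(k_ra, b"access-complete", self.ue_id, resp.conn_id)


def run_exchange(ue_sk: bytes = SK, tamper: bool = False) -> dict:
    """Run the exchange end to end; ue_sk != SK models a mis-provisioned or rogue UE."""
    as_, gw, ue = ApplicationServer(SK), RanSecGw(), UserEquipment(ue_sk, UE_ID)
    resp = gw.on_access_request(L2_ADDR, UE_ID, as_)
    try:
        ue_id, conn_id, tag = ue.on_access_response(resp)
    except ValueError as exc:
        return {"accepted": False, "state": gw.table[L2_ADDR]["state"], "error": str(exc)}
    if tamper:
        tag = bytes([tag[0] ^ 0x01]) + tag[1:]  # in-flight modification of the completion
    accepted = gw.on_access_complete(L2_ADDR, ue_id, conn_id, tag)
    return {"accepted": accepted, "state": gw.table[L2_ADDR]["state"],
            "e2e_keys_match": ue.k_e2e == as_.e2e_keys[UE_ID]}
```

`run_exchange()` with the defaults shows the intended outcome: the UE and the AS independently derive the same E2E session key from SK and the random numbers, and the RAN-SecGW, holding only what the AS installed in its mapping table, verifies the access-complete and moves the entry from pending to established. `run_exchange(tamper=True)` and `run_exchange(ue_sk=bytes(16))` show the two failure modes a practitioner cares about: a completion altered over the air is rejected and the entry stays pending, and a UE without the right SK cannot verify the access-response and never sends a completion at all.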

[00186] Various techniques, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, compact disc-read-only memory (CD-ROMs), hard drives, non-transitory computer readable storage medium, or any other machine-readable storage medium wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the various techniques. A non-transitory computer readable storage medium can be a computer readable storage medium that does not include a signal. In the case of program code execution on programmable computers, the computing device may include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. The volatile and non-volatile memory and/or storage elements may be a random-access memory (RAM), erasable programmable read only memory (EPROM), flash drive, optical drive, magnetic hard drive, solid state drive, or other medium for storing electronic data. The node and wireless device may also include a transceiver module (i.e., transceiver), a counter module (i.e., counter), a processing module (i.e., processor), and/or a clock module (i.e., clock) or timer module (i.e., timer). One or more programs that may implement or utilize the various techniques described herein may use an application programming interface (API), reusable controls, and the like. Such programs may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) may be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language, and combined with hardware implementations.

[00187] As used herein, the term "circuitry" may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group), and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality. In some embodiments, the circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules. In some embodiments, circuitry may include logic, at least partially operable in hardware.

[00188] While the flowcharts presented for this technology may imply a specific order of execution, the order of execution may differ from what is illustrated. For example, the order of two or more blocks may be rearranged relative to the order shown. Further, two or more blocks shown in succession may be executed in parallel or with partial parallelization. In some configurations, one or more blocks shown in the flow chart may be omitted or skipped. Any number of counters, state variables, warning semaphores, or messages may be added to the logical flow for enhanced utility, accounting, performance, measurement, troubleshooting, or other purposes.

[00189] As used herein, the word "or" indicates an inclusive disjunction. For example, as used herein, the phrase "A or B" represents an inclusive disjunction of exemplary conditions A and B. Hence, "A or B" is false only if both condition A is false and condition B is false. When condition A is true and condition B is also true, "A or B" is also true. When condition A is true and condition B is false, "A or B" is true. When condition B is true and condition A is false, "A or B" is true. In other words, the term "or," as used herein, should not be construed as an exclusive disjunction. The term "xor" is used where an exclusive disjunction is intended.

[00190] As used herein, the term processor can include general-purpose processors, specialized processors such as VLSI, FPGAs, and other types of specialized processors, as well as base-band processors used in transceivers to send, receive, and process wireless communications.

[00191] It should be understood that many of the functional units described in this specification have been labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module can be implemented as a hardware circuit (e.g., an application-specific integrated circuit (ASIC)) comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module can also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.

[00192] Modules can also be implemented in software for execution by various types of processors. An identified module of executable code can, for instance, comprise one or more physical or logical blocks of computer instructions, which can, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module do not have to be physically located together, but can comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.

[00193] Indeed, a module of executable code can be a single instruction, or many instructions, and can even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data can be identified and illustrated herein within modules, and can be embodied in any suitable form and organized within any suitable type of data structure. The operational data can be collected as a single data set, or can be distributed over different locations including over different storage devices, and can exist, at least partially, merely as electronic signals on a system or network. The modules can be passive or active, including agents operable to perform desired functions.

[00194] As used herein, the term "processor" can include general purpose processors, specialized processors such as VLSI, FPGAs, and other types of specialized processors, as well as base band processors used in transceivers to send, receive, and process wireless communications.

[00195] Reference throughout this specification to "an example" means that a particular feature, structure, or characteristic described in connection with the example is included in at least one embodiment. Thus, appearances of the phrase "in an example" in various places throughout this specification are not necessarily all referring to the same embodiment.

[00196] As used herein, a plurality of items, structural elements, compositional elements, and/or materials can be presented in a common list for convenience. However, these lists should be construed as though each member of the list is individually identified as a separate and unique member. Thus, no individual member of such list should be construed as a de facto equivalent of any other member of the same list solely based on their presentation in a common group without indications to the contrary. In addition, various embodiments and examples can be referred to herein along with alternatives for the various components thereof. It is understood that such embodiments, examples, and alternatives are not to be construed as de facto equivalents of one another, but are to be considered as separate and autonomous.

[00197] Furthermore, the described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. In the foregoing description, numerous specific details are provided, such as examples of layouts, distances, network examples, etc., to provide a thorough understanding of some embodiments. One skilled in the relevant art will recognize, however, that some embodiments can be practiced without one or more of the specific details, or with other methods, components, layouts, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of different embodiments.

[00198] While the foregoing examples are illustrative of the principles used in various embodiments in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and details of implementation can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the embodiments. Accordingly, it is not intended that the claimed matter be limited, except as by the claims set forth below.