U.S. patent application number 15/150650 was filed with the patent office on 2016-09-01 for authorization of communication links between end user devices using intermediary nodes.
The applicant listed for this patent is Sprint Communications Company L.P. The invention is credited to Lyle Walter Paczkowski, William M. Parsel, Carl Joseph Persson, Matthew C. Schlesener.
Application Number: 20160255060 (Appl. No. 15/150650)
Family ID: 56083282
Filed Date: 2016-09-01
United States Patent Application 20160255060, Kind Code A1
Paczkowski; Lyle Walter; et al.
September 1, 2016
AUTHORIZATION OF COMMUNICATION LINKS BETWEEN END USER DEVICES USING INTERMEDIARY NODES
Abstract
Systems, methods, and software for operating communication
systems are provided herein. In one example, a method of operating a
communication system to establish secure communications between a
first user device communicating in a first communication network
and a second user device communicating in a second communication
network is presented. The method includes, responsive to a
communication request received from the first user device,
establishing a secure communication link between the first user
device and a first security node. When a second security node has a
security relationship established with the first security node, the
method includes establishing the secure communication link for the
secure communications between the first user device and the second
user device using at least the security relationship between the
first security node and the second security node, and exchanging
the secure communications over the secure communication link.
Inventors: Paczkowski; Lyle Walter (Mission Hills, KS); Schlesener; Matthew C. (Shawnee, KS); Persson; Carl Joseph (Olathe, KS); Parsel; William M. (Overland Park, KS)
Applicant: Sprint Communications Company L.P., Overland Park, KS, US
Family ID: 56083282
Appl. No.: 15/150650
Filed: May 10, 2016
Related U.S. Patent Documents
Application Number | Filing Date  | Patent Number
14036454           | Sep 25, 2013 | 9363090
15150650           |              |
Current U.S. Class: 713/168
Current CPC Class: H04L 9/3273 20130101; H04W 12/0608 20190101; H04L 63/06 20130101; H04W 84/042 20130101; H04L 63/08 20130101; H04L 63/0884 20130101; H04W 12/0804 20190101; H04W 12/0609 20190101; H04L 63/10 20130101; H04W 12/04 20130101; H04L 67/10 20130101; H04L 63/0428 20130101; H04L 63/0869 20130101
International Class: H04L 29/06 20060101 H04L029/06; H04W 12/08 20060101 H04W012/08; H04W 12/04 20060101 H04W012/04; H04W 12/06 20060101 H04W012/06; H04W 84/04 20060101 H04W084/04; H04L 29/08 20060101 H04L029/08
Claims
1. A method of operating a wireless communication network
comprising wireless network nodes and wireless user devices that
have individual security keys that were hard-coded into the nodes
and devices at manufacture, the method comprising: the wireless
network nodes and the wireless user devices processing their
hard-coded security keys to generate and transfer security hash
results; an authorization system receiving and processing the
security hash results to maintain hardware security over the
wireless network nodes and the wireless user devices; the
authorization system receiving a request for a secure communication
session between a pair of the wireless user devices over a
plurality of the wireless network nodes, and the authorization
system granting the request if the pair of the wireless user
devices and the plurality of the wireless network nodes each have
current hardware security; and the pair of the wireless user
devices exchanging user data over the secure communication session
supported by the plurality of the wireless network nodes if the
request is granted.
2. The method of claim 1 further comprising the authorization
system denying the request if one of the pair of the wireless user
devices and the plurality of the wireless network nodes does not
have current hardware security.
3. The method of claim 1 wherein the secure communication session
comprises a voice session.
4. The method of claim 1 wherein the secure communication session
comprises a video session.
5. The method of claim 1 wherein the secure communication session
comprises a data session.
6. The method of claim 1 wherein the wireless network nodes
comprise Long Term Evolution (LTE) gateways.
7. The method of claim 1 wherein the wireless network nodes
comprise Long Term Evolution (LTE) base stations.
8. The method of claim 1 wherein the wireless user devices comprise
Long Term Evolution (LTE) communication devices.
9. The method of claim 1 wherein the authorization system comprises
a computer system with a communication interface and software.
10. The method of claim 1 wherein the wireless network nodes are
coupled over an optical communication network.
11. A wireless communication network comprising: wireless network
nodes having individual security keys that were hard-coded into the
nodes at manufacture; wireless user devices having individual
security keys that were hard-coded into the devices at manufacture;
the wireless network nodes and the wireless user devices are
configured to process their hard-coded security keys to generate
and transfer security hash results; an authorization system
configured to receive and process the security hash results to
maintain hardware security over the wireless network nodes and the
wireless user devices; the authorization system configured to
receive a request for a secure communication session between a pair
of the wireless user devices over a plurality of the wireless
network nodes and configured to grant the request if the pair of
the wireless user devices and the plurality of the wireless network
nodes each have current hardware security; and the pair of the
wireless user devices and the plurality of the wireless network
nodes configured to exchange user data over the secure
communication session if the request is granted.
12. The wireless communication network of claim 11 wherein the
authorization system is configured to deny the request if one of
the pair of the wireless user devices and the plurality of the
wireless network nodes does not have current hardware security.
13. The wireless communication network of claim 11 wherein the
secure communication session comprises a voice session.
14. The wireless communication network of claim 11 wherein the
secure communication session comprises a video session.
15. The wireless communication network of claim 11 wherein the
secure communication session comprises a data session.
16. The wireless communication network of claim 11 wherein the
wireless network nodes comprise Long Term Evolution (LTE)
gateways.
17. The wireless communication network of claim 11 wherein the
wireless network nodes comprise Long Term Evolution (LTE) base
stations.
18. The wireless communication network of claim 11 wherein the
wireless user devices comprise Long Term Evolution (LTE)
communication devices.
19. The wireless communication network of claim 11 wherein the
authorization system comprises a computer system with a
communication interface and software.
20. The wireless communication network of claim 11 wherein the
wireless network nodes are coupled over an optical communication
network.
Description
RELATED CASES
[0001] This patent application is a continuation of U.S. patent
application Ser. No. 14/036,454 that was filed on Sep. 25, 2013 and
is entitled "AUTHORIZATION OF COMMUNICATION LINKS BETWEEN END USER
DEVICES USING INTERMEDIARY NODES." U.S. patent application Ser. No.
14/036,454 is hereby incorporated by reference into this patent
application.
TECHNICAL FIELD
[0002] Aspects of the disclosure are related to the field of
communication systems, and in particular, authorization of a
communication link between end user devices using intermediary
nodes along the communication link path.
TECHNICAL BACKGROUND
[0003] Communication networks typically include routers, gateways,
and various communication links which provide communication
services to end user devices. For example, communication systems
include access systems with equipment such as access nodes along
with various intermediary nodes, such as control nodes, gateway
nodes, and routing nodes, which provide communication access or
routing services to end user devices over wired or wireless links.
The access systems exchange user communications between end user
devices, service providers, and other devices. The user
communications typically include voice calls, data exchange, web
pages, streaming media, or text messages, among other communication
services.
[0004] Some end user devices or intermediary nodes can include
partitioned security "zones" in their associated processing
systems. For example, a first zone can be employed to execute open
or untrusted applications and obtain untrusted or unauthenticated
data, and a second zone can be employed to execute trusted
applications or obtain authenticated data. These security zones can
be implemented on separate microprocessors, in separate cores of a
multi-core microprocessor, or otherwise allocated over different
processing portions of a wireless communication device or
intermediary node.
[0005] Establishing secure and trusted communication links between
end user devices, such as between wireless communication devices
over different wireless communication networks, can be difficult to
achieve. Moreover, some end user devices might not have similar
security hardware or software that other end user devices have,
such as the partitioned security "zones" discussed above.
OVERVIEW
[0006] Systems, methods, and software for operating communication
systems are provided herein. In one example, a method of operating a
communication system to establish secure communications between a
first user device communicating in a first communication network
and a second user device communicating in a second communication
network is presented. The method includes, in a first security node
of the first communication network, receiving a communication
request from the first user device for the secure communications
with the second user device, the first security node authorized to
engage in the secure communications by an authorization node.
Responsive to the communication request, the method includes
establishing a secure communication link between the first user
device and the first security node and determining if a second
security node of the second communication network has a security
relationship established with the first security node. When the
second security node has the security relationship established with
the first security node, the method includes establishing the
secure communication link for the secure communications between the
first user device and the second user device using at least the
security relationship between the first security node and the
second security node, and exchanging the secure communications over
the secure communication link between the first user device and the
second user device.
[0007] In another example, a communication system to establish
secure communications between a first user device communicating in
a first communication network and a second user device
communicating in a second communication network is provided. The
communication system includes a first security node of the first
communication network configured to receive a communication request
from the first user device for the secure communications with the
second user device, the first security node authorized to engage in
the secure communications by an authorization node. Responsive to
the communication request, the first security node is configured to
establish a secure communication link between the first user device
and the first security node and determine if a second security node
of the second communication network has a security relationship
established with the first security node. When the second security
node has the security relationship established with the first
security node, the first security node is configured to establish
the secure communication link for the secure communications between
the first user device and the second user device using at least the
security relationship between the first security node and the
second security node. The first user device is configured to
exchange the secure communications over the secure communication
link with the second user device.
[0008] In another example, a communication system is provided. The
communication system includes a first security node of a first
communication network configured to receive a communication request
from a first user device in the first communication network for
secure communications with a second user device in a second
communication network, the first security node authorized to engage
in the secure communications by an authorization system. Responsive
to the communication request, the first security node is configured
to establish a secure communication link between the first user
device and the first security node by at least determining that the
first user device has been authorized by the authorization system
to engage in the secure communications. The first security node is
configured to determine if a second security node of the second
communication network has a security relationship established with
the first security node, the security relationship based in part on
the second security node being authorized to engage in the secure
communications by the authorization system. When the second
security node has the security relationship established with the
first security node, the first security node is configured to
establish the secure communication link for the secure
communications between the first user device and the second user
device using at least the security relationship between the first
security node and the second security node. The first user device
is configured to exchange the secure communications over the secure
communication link with the second user device.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] Many aspects of the disclosure can be better understood with
reference to the following drawings. The components in the drawings
are not necessarily to scale, emphasis instead being placed upon
clearly illustrating the principles of the present disclosure.
Moreover, in the drawings, like reference numerals designate
corresponding parts throughout the several views. While several
embodiments are described in connection with these drawings, the
disclosure is not limited to the embodiments disclosed herein. On
the contrary, the intent is to cover all alternatives,
modifications, and equivalents.
[0010] FIG. 1 is a system diagram illustrating a communication
system.
[0011] FIG. 2 is a flow diagram illustrating a method of operation
of a communication system.
[0012] FIG. 3 is a system diagram illustrating a communication
system.
[0013] FIG. 4 is a flow diagram illustrating a method of operation
of a communication system.
[0014] FIG. 5 is a block diagram illustrating a wireless
communication device.
[0015] FIG. 6 is a block diagram illustrating a security node.
DETAILED DESCRIPTION
[0016] FIG. 1 is a system diagram illustrating communication system
100. Communication system 100 includes security nodes 110-112,
communication network 120, end user devices 130-132, and
authorization system 150. Security nodes 110 and 112 are
intermediary nodes, such as gateway nodes, router nodes, proxy
nodes, or other nodes used for routing or handling communications
transferred over communication links. In typical examples, security
node 110 is associated with a different communication system or
communication network than security node 112. For example, security
node 110 can be in a first wireless communication network operated
by a first wireless network operator, while security node 112 can
be in a second wireless communication network operated by a second
wireless network operator different than the first wireless network
operator.
[0017] User device 130 and security node 110 communicate over at
least link 140. Security node 110 and communication network 120
communicate over link 141. Security node 112 and communication
network 120 communicate over link 142. User device 132 and security
node 112 communicate over at least link 143. Authorization system
150 and communication network 120 communicate over link 144.
[0018] In operation, user device 130 includes one or more
communication transceivers which can communicate over one or more
wireless or wired communication networks, such as over
communication link 140. User device 130 desires to engage in secure
communications with another user device, such as user device 132.
Security node 110 and 112 can facilitate the secure communications
by establishing a secure communication link using at least a trust
relationship or security relationship established between security
node 110 and security node 112.
[0019] FIG. 2 is presented to illustrate an example operation of
the elements of FIG. 1. FIG. 2 is a flow diagram illustrating a
method of operation of communication system 100. The operations of
FIG. 2 are referenced below parenthetically. In FIG. 2, a first
security node receives (201) a communication request from a first
user device for secure communications with a second user device,
the first security node authorized to engage in the secure
communications by an authorization node. The first security node in
this example is security node 110 which receives the communication
request transferred by user device 130 over at least link 140.
[0020] The communication request can include a request for secure
communications that identifies user device 132 as the second user
device, such as a destination device for a voice call, data
session, text communication, or other communication request. In
some examples, user device 130 receives a user request in an
application for secure communications, and the communication
request is responsively transferred by user device 130. The
application is executed on user device 130, such as a voice call
application, a packet voice call application, an audio or video
conferencing application, or other voice call application. The
communication request can be initiated by a user of user device 130
interacting with the application on user device 130, and the
request is indicated or transferred to security node 110 or other
communication nodes. The communication session can be requested to
occur over communication network 120 to destination device 132,
although other networks and destinations can be employed.
[0021] Security node 110 is authorized to engage in secure
communications by an authorization node, such as authorization
process 152 with authorization system 150 in FIG. 1. Authorization
system 150 can authorize or authenticate a node or user device to
partake in secure communications. In some examples, security node
110 includes one or more security keys which can be used to
determine one or more hash results that are used in a security
exchange with authorization system 150 during authorization process
152. Security node 110 can be authorized to engage in secure
communications by authorization process 152 with authorization
system 150 before the communication request is received, or can
seek authorization responsive to the communication request.
[0022] Security node 110 establishes (202) a secure communication
link between user device 130 and first security node 110. The
secure communication link can include a portion of link 162 shown
in FIG. 1, such as the portion over link 140. To establish the
secure communication link between user device 130 and security node
110, security node 110 can allow user device 130 to inherit a
security authorization of security node 110 and allow user device
130 to engage in secure communications due to the security
authorization of security node 110. In other examples, user device
130 can perform an authorization process with authorization system
150. In some examples, user device 130 includes one or more
security keys which can be used to determine one or more hash
results that are used in a security exchange with authorization
system 150 during authorization process 151. Once both user device
130 and security node 110 are authorized to engage in secure
communications, the secure communication link can be established
over link 140.
[0023] Security node 110 determines (203) if a second security node
has a security relationship established with security node 110. In
this example, the second security node is security node 112.
Security relationship 160 can be established between security node
110 and security node 112. In some examples, security node 110 is
authorized to engage in secure communications by authorization
process 152 with authorization system 150. Security node 112 can
also be authorized to engage in secure communications by an
authorization node, such as by authorization system 150 in
authorization process 153. Authorization processes 152 and 153 can
create a security relationship between security node 110 and
security node 112, represented by security relationship 160 in FIG.
1. This security relationship can allow security node 110 and
security node 112 to be trusted to engage in secure communications
over link 141, communication network 120, and link 142, among
other links and networks. This trust or security relationship can
ensure that any communications transported through the trusted
endpoints comprising security nodes 110 and 112 are also trusted
and considered secure.
[0024] If the security relationship is not established between
security node 110 and security node 112 (204), then security node
110 denies (205) the secure communications. The denial of the
secure communications can be a message transferred to user device
130 responsive to the communication request. In other examples, the
denial can include security node 110 establishing a non-secure
communication link with security node 112.
[0025] If the security relationship is established between security
node 110 and security node 112 (204), then security node 110
establishes (206) the secure communication link for the secure
communications between user device 130 and user device 132 using at
least the security relationship between security node 110 and
security node 112. In this example, security relationship 160 is
established between security node 110 and security node 112.
Security node 110 or security node 112 can then trust
communications with user device 132 without user device 132 going
through an authorization process. Thus, secure communication link
162 can be established between user device 130 and user device
132.
[0026] Security relationship 160 comprises a previously established
security exchange to allow for secure communications between
security node 110 and security node 112. Based on at least security
relationship 160, a secure communication link can be extended to an
unsecure communication device, such as user device 132. Security
relationship 160 can ensure that at least the identities of both
security node 110 and security node 112 are verified by an
authorization system, such as authorization system 150. In examples
where security node 110 is in a first wireless communication
network operated by a first wireless network operator and security
node 112 is in a second wireless communication network operated by
a second wireless network operator different than the first
wireless network operator, security relationship 160 can ensure a
trusted relationship for secure communications between different
wireless communication networks or between different network
operations, such as different wireless companies.
[0027] Security node 110 exchanges (207) the secure communications
over secure communication link 162 between user device 130 and user
device 132. In this example, security node 110 comprises a portion
of secure communication link 162, and all devices, nodes, networks,
and links in FIG. 1 that comprise secure communication link 162 can
transport or carry the secure communications.
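The FIG. 2 flow and the grant rule of claims 1 and 2, worked through in Python as an added illustration (not code from the patent or from Sprint): each element holds a key hard-coded at manufacture, proves it to the authorization system with a keyed hash over a fresh challenge, and security node 110 grants a session only when relationship 160 exists and every element on the path has current hardware security. HMAC-SHA256, the 60-second lifetime, the element ids and all key values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# How long a verified hash result keeps an element's hardware security "current".
# The patent gives no lifetime; 60 seconds is an assumption for this demo.
AUTH_LIFETIME = 60.0


class AuthorizationSystem:
    """Authorization system 150: holds the manufacturer copy of each element's
    hard-coded key and records which elements currently have verified hardware
    security (authorization processes 151, 152 and 153)."""

    def __init__(self, provisioned_keys, now=time.monotonic):
        self._keys = dict(provisioned_keys)  # element id -> hard-coded key
        self._verified_at = {}               # element id -> time of last good hash result
        self._now = now                      # injectable clock so expiry can be shown

    def challenge(self):
        """Fresh nonce so a captured hash result cannot be replayed later."""
        return secrets.token_bytes(16)

    def process_hash_result(self, element_id, challenge, hash_result):
        """Verify a hash result against the provisioned key; mark the element current."""
        key = self._keys.get(element_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, hash_result):
            return False
        self._verified_at[element_id] = self._now()
        return True

    def has_current_hardware_security(self, element_id):
        verified = self._verified_at.get(element_id)
        return verified is not None and self._now() - verified <= AUTH_LIFETIME

    def security_relationship(self, node_a, node_b):
        """Security relationship 160: both security nodes are currently authorized."""
        return (self.has_current_hardware_security(node_a)
                and self.has_current_hardware_security(node_b))


class Element:
    """A user device or network node whose key was hard-coded at manufacture.
    Only keyed hash results ever leave the element, never the key itself."""

    def __init__(self, element_id, hard_coded_key):
        self.element_id = element_id
        self._key = hard_coded_key

    def hash_result(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def authorize_with(self, auth):
        challenge = auth.challenge()
        return auth.process_hash_result(self.element_id, challenge,
                                        self.hash_result(challenge))


def handle_communication_request(auth, first_node, second_node, path):
    """Security node 110 handling a request (FIG. 2, 201-207); returns "granted"
    or "denied". Per 203/204 the two security nodes must share relationship 160;
    per claim 1 the pair of user devices and every node on the path must be current."""
    if not auth.security_relationship(first_node, second_node):
        return "denied"   # 205: no relationship 160
    if not all(auth.has_current_hardware_security(e) for e in path):
        return "denied"   # claim 2: an element on the path lacks current security
    return "granted"      # 206/207: secure link 162 can carry user data


def run_scenario():
    """Constructed walk-through using the FIG. 1 numbering; returns each outcome."""
    clock = {"t": 0.0}

    def now():
        return clock["t"]

    # Constructed manufacturer keys (assumption: 32 random bytes per element).
    keys = {n: secrets.token_bytes(32) for n in ("ud130", "sn110", "sn112", "ud132")}
    auth = AuthorizationSystem(keys, now=now)
    elements = {n: Element(n, k) for n, k in keys.items()}
    path = ["ud130", "sn110", "sn112", "ud132"]
    outcomes = {}

    # Only node 110 has completed process 152: relationship 160 does not exist yet.
    elements["sn110"].authorize_with(auth)
    outcomes["before_relationship"] = handle_communication_request(auth, "sn110", "sn112", path)

    # Processes 151 and 153 complete as well; the whole path is current.
    for n in ("ud130", "sn112", "ud132"):
        elements[n].authorize_with(auth)
    outcomes["all_current"] = handle_communication_request(auth, "sn110", "sn112", path)

    # An element presenting a wrong (constructed) key is rejected and gains no status.
    outcomes["wrong_key_accepted"] = Element("ud132", b"constructed-wrong-key").authorize_with(auth)

    # Hardware security lapses once AUTH_LIFETIME passes without a fresh hash result.
    clock["t"] += AUTH_LIFETIME + 1
    outcomes["after_expiry"] = handle_communication_request(auth, "sn110", "sn112", path)
    return outcomes


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```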
[0028] As another example of a communication system, FIG. 3 is
presented. FIG. 3 is a system diagram illustrating communication
system 300. Communication system 300 includes proxy nodes 310, 312,
and 314, wireless access node 311, wireless communication devices
(WCD) 330, 340, and 342, wireless networks 320, 322, and 324, and
authorization node 350.
[0029] WCD 330 and wireless access node 311 communicate over
wireless link 360, which is a Long Term Evolution (LTE) cellular
voice and data link in this example. Wireless access node 311 and
proxy node 310 communicate over backhaul link 361, which is a T1
link in this example. Proxy node 310 and wireless network 320
communicate over link 362 which is an optical voice and data link
in this example. Wireless networks 320, 322, and 324 each
communicate over links 363-365 which are optical networking links
in this example. Proxy node 312 and wireless network 322
communicate over optical voice and data link 366. Proxy node 312
and WCD 340 communicate over cellular voice and data link 368 which
can include wireless access nodes, wireless and wired links, and
other equipment omitted in FIG. 3 for clarity. Proxy node 314 and
wireless network 324 communicate over optical voice and data link
367. Proxy node 314 and WCD 342 communicate over cellular voice and
data link 369 which can include wireless access nodes, wireless and
wired links, and other equipment omitted in FIG. 3 for clarity.
Although authorization node 350 is not shown connected via any
communication link in FIG. 3, it should be understood that
authorization node 350 is communicatively coupled to any of
wireless networks 320, 322, and 324, such as shown for link 144 in
FIG. 1.
[0030] Each of wireless networks 320, 322, and 324 can be cellular
voice and data networks for different service providers, such as
cellular phone companies and the like, which communicate over
interconnection links 363-365 for routing of voice calls, data
sessions, text messages, and other communications between the
various end user devices receiving wireless access to communication
services via the associated wireless network. Each of wireless
networks 320, 322, and 324 can include wireless access nodes
distributed over a geographic area, such as base stations, as well
as other equipment, including elements described for communication
network 120 in FIG. 1.
[0031] Wireless access node 311 includes transceiver and antenna
equipment to provide wireless access to communication services of
wireless network 320 for wireless communication devices. Wireless
access node 311 is included to show example wireless access
equipment for wireless link 360. It should be understood that
further wireless access nodes can be included in links 368 and
369.
[0032] Proxy nodes 310, 312, and 314 each comprise processing
systems and routing equipment that can establish secure links with
other proxy nodes and with associated end user devices, such as WCD
330. In some examples, proxy nodes 310, 312, and 314 are separate
equipment or systems which perform as described herein. In other
examples, proxy nodes 310, 312, and 314 are included in other
systems or equipment of each associated wireless network, such as
intermediary nodes, gateway nodes, packet gateways, routers, access
service network gateways (ASN-GW), packet data switching nodes
(PDSN), Mobility Management Entity (MME) equipment, serving
gateways (SGW), PDN gateways (PGW), or other communications
equipment of wireless communication networks.
[0033] Proxy node 310 also includes open zone 381 and secure zone
382. Each of these zones of proxy node 310 can be implemented in a
separate microprocessor, microprocessor core, system-on-a-chip
processor core, virtual core, or other hardware or software
partition that separates memory spaces, operating systems, drivers,
and other operational hardware and software elements so as to
provide a restricted level of access for applications and users to
secure zone 382, and a non-restricted level of access for open zone
381. In some examples, open zone 381 comprises a standard core of a
processor system, such as for operating a Linux, Android, Windows,
iOS, or other user-accessible operating system. Likewise, secure
zone 382 comprises, in some examples, a secure core or "trust zone"
core of a processor system which prevents access to the processing
and memory elements of secure zone 382 unless authorized through a
security exchange or security handshake with authorization node
350. This partitioned configuration of secure zone 382 differs from
user-level password protected access, in that any application that
desires to execute on secure zone 382 must first be authorized by a
security handshaking process with authorization node 350. Open zone
381 might run applications after a user merely "logs in" or passes
a user-level security access, and the applications executed on open
zone 381 are not authorized through a security handshaking process
with authorization node 350. It should be understood that these
partitions can be varied. In this example, proxy node 314 also
includes an open zone and secure zone similar to that indicated for
proxy node 310. In contrast, proxy node 312 does not include an
open zone and secure zone similar to that indicated for proxy node
310.
[0034] WCD 330, 340, and 342 are smartphone devices in this
example, and each can include one or more transceiver portions for
communicating over wireless links using an associated wireless
communication protocol, such as Long Term Evolution (LTE), Code
Division Multiple Access (CDMA), or Global System for Mobile
Communications (GSM) cellular voice and data links. It should be
understood that any number and type of transceiver portions or
transceiver types can be included in each of WCD 330, 340, and 342,
including wired, wireless, optical, and other transceiver types
using any associated communication protocol, frequencies, spectrum,
and the like.
[0035] Authorization node 350 can include communication or network
interfaces, as well as computer systems, microprocessors,
circuitry, cloud-based systems, or some other processing devices or
software systems, and can be distributed among multiple processing
devices. Examples of authorization node 350 can also include
software such as an operating system, logs, databases, utilities,
drivers, networking software, and other software stored on a
computer-readable medium.
[0036] As an example operation of the elements of communication
system 300, FIG. 4 is provided. FIG. 4 is a flow diagram
illustrating a method of operation of communication system 300. The
operations of FIG. 4 are referenced below parenthetically. In FIG.
4, proxy node 310 establishes (401) a security relationship between
proxy node 310 in a first communication network and proxy node 314
in a second communication network. In this example, the first
communication network is wireless network 320, and the second
communication network is wireless network 324. The security
relationship can be established for communications between proxy
node 310 and proxy node 314 over the various interconnecting
communication links and wireless networks shown in FIG. 3, as well
as over other communication links and networks.
[0037] To establish the security relationship, both proxy node 310
and proxy node 314 participate in one or more authorization
processes with authorization node 350. In FIG. 3, a first
authorization process 370 occurs between proxy node 310 and
authorization node 350, while a second authorization process 371
occurs between proxy node 314 and authorization node 350. Once both
proxy node 310 and proxy node 314 are authorized by authorization
node 350, proxy node 310 and proxy node 314 have
established a security relationship. This security relationship can
be used to establish secure communications over the various
interconnecting communication links and wireless networks shown in
FIG. 3, among other communication links and networks. For example,
secure link 391 can be established over link 362, wireless network
320, link 364, wireless network 324, and link 367. In some
examples, secure link 391 is a trusted communication link based on
a mutual trust established by both proxy node 310 and proxy node
314 with authorization node 350. Although not required, secure link
391 can incorporate features of a virtual private network (VPN)
link, secure sockets layer (SSL) link (or, in current deployments,
its successor transport layer security (TLS)), or other encrypted
link. In these examples, however, the endpoints of any such
encrypted link between proxy nodes 310 and 314, namely proxy nodes
310 and 314 themselves, are first authorized by authorization node
350 using security keys held in their secure zones; the encrypted
link protects the traffic, while the authorization establishes that
the endpoints are trusted.
[0038] Authorization processes 370 and 371 can each include
verifying or authenticating a hash result generated by the
associated proxy node. Authorization process 370 is discussed
below, but it should be understood that a similar process can be
performed for authorization process 371. In these examples,
authorization process 370 can be initiated by proxy node 310
responsive to a communication request of WCD 330, or by open zone
381 seeking authentication or authorization for proxy node 310 to
participate in secure communications. For example, secure
communication request 372 can be transferred by open zone 381 to
secure zone 382 responsive to a communication request received from
WCD 330 or responsive to a desire by open zone 381 to initiate a
security relationship with another proxy node. In other examples,
authorization processes 370 and 371 can be initiated during a
startup or power on process of the associated proxy nodes to
establish a security relationship between the associated proxy
nodes.
[0039] To authorize with authorization node 350, proxy node 310
presents a hash result generated using at least a security key
stored in secure zone 382. The hash result is determined by a
cryptographic hash function, such as a secure hash algorithm (SHA)
family function or a message digest (MD) family function; note that
MD5 is no longer collision resistant, and a SHA-2 or SHA-3 function
should be chosen for new deployments. A hash computed over the
security key alone would be a fixed value that an eavesdropper could
capture and replay, so in these examples the hash also covers seed
data, as described in the next paragraph. Secure zone 382 transfers
the hash result during authorization process 370 for delivery to
authorization node 350.
[0040] Responsive to authorization process 370, authorization node
350 processes the included hash result to authorize proxy node 310
to engage in secure communications. The hash result is generated by
secure zone 382 from seed data together with the security key. A
cryptographic hash cannot be inverted, so authorization node 350
does not recover the seed data from the hash result; instead it
recomputes the expected hash result from the seed data and its own
knowledge of the security key (or a corresponding verification key)
for proxy node 310, and accepts the hash result only if the two
match. A mismatch indicates a wrong key, wrong seed data, or a hash
result tampered with or altered by an unauthorized system or user.
In some examples, the seed data is first transferred by
authorization node 350 and is then processed using the security key
by secure zone 382 to generate the hash result; using fresh seed
data for each authorization attempt ensures that a captured hash
result cannot be replayed later. If the hash result is authenticated
or authorized, then authorization node 350 transfers a security
grant message for delivery to proxy node 310. Secure zone 382 can
indicate the authorization success to open zone 381 in authorization
status message 373.
[0041] In yet further examples, in order for proxy node 310 and
proxy node 314 to establish a security relationship for secure
communications between each other, authorization node 350 must first
authorize both proxy node 310 and proxy node 314. For example,
authorization process 370 can identify that proxy node 310 desires
to establish a trust relationship with proxy node 314, and
authorization process 371 can identify that proxy node 314 desires
to establish a security relationship with proxy node 310.
Authorization node 350 can identify that two proxy nodes desire to
initiate a security relationship with each other, and responsively
grant the trust relationship based on both proxy nodes properly
authenticating an associated hash result. In one example, seed data
comprising an identifier or identity of proxy node 314 is used to
generate the hash result used in authorization process 370, while
seed data comprising an identifier or identity of proxy node 310 is
used to generate the hash result used in authorization process 371.
The seed data is processed with a security key stored in the
respective secure zone of the associated proxy node to generate the
hash result, as discussed herein, which binds the named peer to the
key holder: a hash result that verifies for one named peer does not
verify for another. Once authorization node 350 has verified each
hash result against the seed data, it can determine the proxy node
identified in the seed data, verify that the two proxy nodes have
identified each other, and transfer security grant messages to each
of proxy node 310 and proxy node 314 indicating that they both are
authorized to participate in secure communications with each
other.
[0042] Once proxy node 310 and proxy node 314 have been authorized
by authorization node 350 and are permitted to participate in
trusted or secure communications based on the security
relationship, then further communications can be handled as secure
communications by each proxy node for other devices communicating
through the associated proxy node. In the process described in FIG.
4, WCD 330 desires to establish secure communications with WCD 342,
even though WCD 330 and WCD 342 might not have a secure
communication link initially established between themselves, and
even though WCD 330 and WCD 342 might not have a security
relationship initially established between themselves. However, WCD
330 is configured to communicate through proxy node 310, and WCD
342 is configured to communicate through proxy node 314.
[0043] Proxy node 310 receives (402) a communication request from a
first user device in a first communication network for secure
communications with a second user device in a second communication
network. In this example, the first communication network includes
at least wireless access node 311, proxy node 310, and wireless
network 320. The second communication network includes at least
proxy node 314 and wireless network 324. The second user device is
WCD 342, and can be identified by WCD 330 using a phone number,
network address, device number, or other device identifier. The
communication request of WCD 330 can be initiated by a user of WCD
330 over a user interface presented by an application executed on
WCD 330, such as a voice call application. The voice call
application can include a phone dialer application, a voice over
Internet Protocol (VoIP) application, a voice over Long Term
Evolution (VoLTE) application, a voice over packet (VoP)
application, or other communication application. Although a voice
call is discussed in this example, it should be understood that a
data session, text message, or other communication session can
instead be employed.
[0044] Responsive to the communication request originating at WCD
330, and the security relationship with proxy node 314 already
having been established, proxy node 310 extends (403) secure
communication link 391 for the secure communications between proxy
node 310 and WCD 330 based on the security relationship between
proxy node 310 and proxy node 314. An additional leg of secure
communication link 391 can be established as extended secure link
390 over at least link 361, wireless access node 311, and wireless
link 360. Extending the security relationship can include
identifying WCD 330 and allowing communication associated with WCD
330 to be transported over secure link 391. In other examples, WCD
330 might undergo a security key authorization process with
authorization node 350 similar to that performed for proxy node 310,
where the security key of WCD 330 is stored in a secure zone of WCD
330. In yet other examples, secure communication link 390 is
established using a VPN or SSL communication link between WCD 330
and proxy node 310, and due to the encryption or security measures
of the VPN or SSL communication link, communications transferred by
WCD 330 can be considered secure when transported by proxy node 310
over secure communication link 391. Other processes to extend
secure communication link 391 over link 390 can be performed.
[0045] Responsive to the communication request identifying the
destination device as WCD 342, and the security relationship with
proxy node 314 already having been established, proxy node 310 or
proxy node 314 extends (404) secure communication link 391 for the
secure communications between proxy node 314 and WCD 342 based on
the security relationship between proxy node 310 and proxy node
314. An additional leg of secure communication link 391 can be
established as extended secure link 392 over at least link 368.
Extending the security relationship can include identifying WCD 342
and allowing communication associated with WCD 342 to be
transported over secure link 392 due to proxy node 314 being
trusted by proxy node 310. In other examples, WCD 342 might undergo
a security key authorization process with authorization node 350
similar to that performed for proxy nodes 310 or 314, where the
security key of WCD 342 is stored in a secure zone of WCD 342. In
yet other examples, secure communication link 392 is established
using a VPN or SSL communication link between WCD 342 and proxy
node 314, and due to the encryption or security measures of the VPN
or SSL communication link, communications transferred by WCD 342
can be considered secure when transported by proxy node 314 over
secure communication link 391. Other processes to extend secure
communication link 391 over link 392 can be performed.
[0046] Once secure link 391 has been extended to include secure
link 390 and secure link 392, then WCD 330, proxy node 310, proxy
node 314, and WCD 342 exchange (405) the secure communications over
secure communication link 390-391-392 between WCD 330 and WCD 342.
The communications can include a voice call, and thus the voice
call can occur over a secure communication link between WCD 330 and
WCD 342. In other examples, the communications can include data
exchange, and thus the data exchange can occur over a secure
communication link between WCD 330 and WCD 342.
[0047] In FIG. 4, a direct security relationship between WCD 330
and WCD 342 is not established to engage in secure communications.
For example, although a VPN or SSL link can be established by WCD
330 and WCD 342 on top of secure communication link 390-391-392, a
VPN or SSL relationship between these WCD endpoints need not be
established to ensure a secure communication link. Proxy node 310
can trust WCD 342 to engage in secure communications over secure
communication link 390-391-392 based at least upon the security
relationship between proxy node 310 and proxy node 314.
[0048] WCD 330 and WCD 342 might not include secure zones in many
examples, and likewise might not include security keys or hash
results that are authorized by authorization node 350. However,
proxy node 310 and proxy node 314 establish a security relationship
based on associated security keys stored in their secure zones, and
this security relationship can be extended to an associated WCD or
other user device by the associated proxy node. In FIG. 3, proxy
node 312 does not have a security relationship established with
proxy node 310, and thus a secure communication link is not
established between proxy node 310 and proxy node 312, as indicated
by "not authorized" designation 372. Nor can a secure communication
link be extended by proxy node 312 to WCD 340, since a security
relationship is not established between proxy node 310 and proxy
node 312. If WCD 330 attempts to establish a secure communication
session with WCD 340, proxy node 310 denies the secure communication
link and any secure communications; the decision is made at proxy
node 310 on the basis of which proxy node serves the destination
device and whether that proxy node holds an authorized security
relationship with proxy node 310.
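The following is an added example, not code from the application or from the applicant, that simulates the authorization processes 370 and 371 of paragraphs [0037]-[0041] and the proxy-side decision of paragraph [0048]. It swaps in a concrete choice the text leaves open: the "hash result" is an HMAC-SHA256 over seed data (a fresh nonce issued by the authorization node plus the identity of the peer proxy) keyed with the secure-zone key, and the authorization node verifies by recomputation rather than by inverting the hash. The identifiers, keys and the WCD-to-proxy directory are constructed for illustration; the proxy node 312 attempt shows the "not authorized" outcome, and the replay check shows why fresh seed data per attempt matters.

```python
# Added example (not from the application): simulation of authorization
# processes 370/371 and of the proxy-side decision of [0048]. Swapped-in
# specific: hash result = HMAC-SHA256(secure_zone_key, seed || peer_id).
# All identifiers, keys and the WCD directory below are constructed.
import hashlib
import hmac
import os


def hash_result_for(secure_zone_key: bytes, seed: bytes, peer_id: str) -> bytes:
    """Computed inside a proxy's secure zone; the key itself never leaves it."""
    return hmac.new(secure_zone_key, seed + peer_id.encode(), hashlib.sha256).digest()


class AuthorizationNode:
    """Models authorization node 350: holds a copy of each enrolled proxy's
    key, issues seed data, verifies hash results, and issues grants."""

    def __init__(self, enrolled_keys: dict):
        self.keys = enrolled_keys        # proxy id -> key (enrolled out of band)
        self.pending = {}                # proxy id -> outstanding seed
        self.named_peer = {}             # proxy id -> peer it identified
        self.grants = set()              # frozenset({a, b}) once both verified

    def issue_seed(self, proxy_id: str) -> bytes:
        seed = os.urandom(16)            # fresh per attempt: a captured result cannot be replayed
        self.pending[proxy_id] = seed
        return seed

    def verify(self, proxy_id: str, peer_id: str, hash_result: bytes) -> bool:
        key = self.keys.get(proxy_id)
        seed = self.pending.pop(proxy_id, None)      # each seed is usable once
        if key is None or seed is None:
            return False                 # not enrolled (proxy node 312) or no challenge outstanding
        expected = hash_result_for(key, seed, peer_id)   # recompute; the hash is not inverted
        if not hmac.compare_digest(expected, hash_result):   # constant-time comparison
            return False
        self.named_peer[proxy_id] = peer_id
        if self.named_peer.get(peer_id) == proxy_id:   # both proxies named each other ([0041])
            self.grants.add(frozenset({proxy_id, peer_id}))
        return True

    def granted_peers(self, proxy_id: str) -> set:
        """Content of the security grant messages delivered to proxy_id."""
        return {p for g in self.grants if proxy_id in g for p in g if p != proxy_id}


class ProxyNode:
    def __init__(self, proxy_id: str, secure_zone_key: bytes):
        self.proxy_id = proxy_id
        self._secure_zone_key = secure_zone_key   # readable by the secure zone only
        self.peers = set()                        # established security relationships

    def authorize_with(self, auth: AuthorizationNode, peer_id: str) -> bool:
        """Authorization process 370/371; the return value is status message 373."""
        seed = auth.issue_seed(self.proxy_id)
        result = hash_result_for(self._secure_zone_key, seed, peer_id)
        return auth.verify(self.proxy_id, peer_id, result)

    def receive_grants(self, auth: AuthorizationNode) -> None:
        self.peers |= auth.granted_peers(self.proxy_id)

    def handle_request(self, src_wcd: str, dst_wcd: str, directory: dict):
        """Steps 402-405 of FIG. 4 at the originating proxy: extend the link
        only if the destination's serving proxy is a trusted peer ([0048])."""
        dst_proxy = directory.get(dst_wcd)
        if dst_proxy not in self.peers:
            return ("deny", [])
        legs = [(src_wcd, self.proxy_id),     # extended secure link 390
                (self.proxy_id, dst_proxy),   # secure link 391
                (dst_proxy, dst_wcd)]         # extended secure link 392
        return ("allow", legs)


def run_example() -> dict:
    # Constructed keys; node 350 holds copies for enrolled proxies only.
    keys = {"proxy-310": bytes.fromhex("1f" * 32), "proxy-314": bytes.fromhex("2e" * 32)}
    auth = AuthorizationNode(keys)
    p310 = ProxyNode("proxy-310", keys["proxy-310"])
    p314 = ProxyNode("proxy-314", keys["proxy-314"])
    p312 = ProxyNode("proxy-312", bytes.fromhex("3d" * 32))   # key unknown to node 350

    ok310 = p310.authorize_with(auth, "proxy-314")   # process 370, seed names 314
    ok314 = p314.authorize_with(auth, "proxy-310")   # process 371, seed names 310
    ok312 = p312.authorize_with(auth, "proxy-310")   # "not authorized" designation 372
    for p in (p310, p314, p312):
        p.receive_grants(auth)

    # Replay: resubmitting a valid result without a fresh seed is rejected.
    seed = auth.issue_seed("proxy-310")
    stale = hash_result_for(keys["proxy-310"], seed, "proxy-314")
    first = auth.verify("proxy-310", "proxy-314", stale)
    replay = auth.verify("proxy-310", "proxy-314", stale)

    directory = {"wcd-342": "proxy-314", "wcd-340": "proxy-312"}   # constructed: who serves each WCD
    return {
        "auth_310": ok310, "auth_314": ok314, "auth_312": ok312,
        "peers_310": p310.peers, "peers_312": p312.peers,
        "first": first, "replay": replay,
        "330_to_342": p310.handle_request("wcd-330", "wcd-342", directory),
        "330_to_340": p310.handle_request("wcd-330", "wcd-340", directory),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

Running the block grants proxy nodes 310 and 314 a relationship with each other only after both have presented a valid hash result naming the other, leaves proxy node 312 without any grant, rejects a reused hash result, and at proxy node 310 allows the WCD 330 to WCD 342 request (legs 390, 391, 392) while denying WCD 330 to WCD 340.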
[0049] FIG. 5 is a block diagram illustrating wireless
communication device 500, as an example of user device 130 found in
FIG. 1 or WCD 330 found in FIG. 3, although variations are
possible. Wireless communication device 500 includes communication
interfaces 510, processing system 520, storage system 530, user
interface 540, security keys 550, and power system 560.
[0050] Communication interface 510, processing system 520, storage
system 530, user interface system 540, and power system 560 are
communicatively coupled, and can communicate over associated
discrete links, common busses, data links, power links, RF links,
or other links. Wireless communication device 500 can be
distributed or consolidated among equipment or circuitry that
together forms the elements of wireless communication device 500.
Wireless communication device 500 can optionally include additional
devices, features, or functionality not discussed here for purposes
of brevity.
[0051] Communication interface 510 comprises one or more
communication transceiver circuitry portions and communication
interface circuitry for communicating over one or more
communication links 570 with one or more communication networks. In
some examples, communication interface 510 includes wireless
transceiver circuitry and antenna equipment for communicating with
base stations of a cellular voice and data network, among other
communication networks. Communication interface 510 could include
transceiver equipment and antenna elements for wirelessly
exchanging user communications and overhead communications over the
associated ones of links 570, among further links. Communication
interface 510 also receives command and control information and
instructions from processing system 520 or user interface system
540 for controlling the operations of communications over links
570. Links 570 could each use various protocols or communication
formats as described herein for links 140-141, including
combinations, variations, or improvements thereof.
[0052] Processing system 520 can comprise one or more
microprocessors and other circuitry that retrieves and executes
software 532 from storage system 530. Processing system 520 can be
implemented within a single processing device but can also be
distributed across multiple processing devices or sub-systems that
cooperate in executing program instructions. Examples of processing
system 520 include general purpose central processing units,
application specific processors, and logic devices, as well as any
other type of processing device, combinations, or variations
thereof.
[0053] In this example, processing system 520 includes open zone
522 and secure zone 524. Each zone of processing system 520 can be
implemented in a separate microprocessor, microprocessor core,
virtual core, or other hardware or software partition that
separates memory spaces, operating systems, drivers, and other
operational hardware and software elements so as to provide a
restricted level of access for applications and users to secure
zone 524, and a non-restricted level of access for open zone 522.
In some examples, open zone 522 comprises a standard core of a
processor system, such as for operating an Android, Windows, iOS,
or other user-accessible operating system. Likewise, secure zone
524 comprises in some examples, a secure core or "trust zone" core
of a processor system which prevents access to the processing and
memory elements of secure zone 524 unless authorized through a
security exchange or security handshake with an external
authorization node.
[0054] This partitioned configuration of secure zone 524 differs
from user-level password protected access, in that any application
that desires to execute on secure zone 524 must first be authorized
by a security handshaking process with an external authorization
node. Open zone 522, by contrast, might run applications after a
user merely "logs in" or passes a user-level security access, and
the applications executed on open zone 522 are not authorized
through a security handshaking process with an authorization node.
[0055] Storage system 530 can comprise any computer readable
storage media or storage device readable by processing system 520
and capable of storing software 532. In some examples, portions of
storage system 530 stores security keys 550. Storage system 530 can
include volatile and nonvolatile, removable and non-removable media
implemented in any method or technology for storage of information,
such as computer readable instructions, data structures, program
modules, or other data. In addition to storage media, in some
implementations storage system 530 can also include communication
media over which software 532 or other data can be communicated.
Storage system 530 can be implemented as a single storage device
but can also be implemented across multiple storage devices or
sub-systems co-located or distributed relative to each other.
Storage system 530 can comprise additional elements, such as a
controller, capable of communicating with processing system 520.
Examples of storage media include random access memory, read only
memory, magnetic disks, optical disks, flash memory, virtual memory
and non-virtual memory, magnetic cassettes, magnetic tape, magnetic
disk storage or other magnetic storage devices, or any other medium
which can be used to store the desired information and that can be
accessed by an instruction execution system, as well as any
combination or variation thereof, or any other type of storage
media. In no case is the storage media a propagated signal.
[0056] Software 532 can be implemented in program instructions and
among other functions can, when executed by wireless communication
device 500 in general or processing system 520 in particular,
direct wireless communication device 500 or processing system 520
to transfer a communication request for secure communications,
engage in authorization processes with authorization nodes or
systems, and exchange communications over secure communication
links, among other operations. Software 532 can include additional
processes, programs, or components, such as operating system
software, database software, or application software. Software 532
can also comprise firmware or some other form of machine-readable
processing instructions executable by processing system 520.
[0057] In at least one implementation, the program instructions can
include first program instructions that direct processing system
520 to transfer a communication request for secure communications,
engage in authorization processes with authorization nodes or
systems, and exchange communications over secure communication
links.
[0058] In general, software 532 can, when loaded into processing
system 520 and executed, transform processing system 520 overall
from a general-purpose computing system into a special-purpose
computing system customized to transfer a communication request for
secure communications, engage in authorization processes with
authorization nodes or systems, and exchange communications over
secure communication links, among other operations. Encoding
software 532 on storage system 530 can transform the physical
structure of storage system 530. The specific transformation of the
physical structure can depend on various factors in different
implementations of this description. Examples of such factors can
include, but are not limited to the technology used to implement
the storage media of storage system 530 and whether the
computer-storage media are characterized as primary or secondary
storage. For example, if the computer-storage media are implemented
as semiconductor-based memory, software 532 can transform the
physical state of the semiconductor memory when the program is
encoded therein. For example, software 532 can transform the state
of transistors, capacitors, or other discrete circuit elements
constituting the semiconductor memory. A similar transformation can
occur with respect to magnetic or optical media. Other
transformations of physical media are possible without departing
from the scope of the present description, with the foregoing
examples provided only to facilitate this discussion.
[0059] User interface system 540 includes equipment and circuitry
for receiving user input and control, such as for engaging in voice
calls or data sessions, and receiving user instructions for text or
video messages, among other operations. Examples of the equipment
and circuitry for receiving user input and control include push
buttons, touch screens, selection knobs, dials, switches,
actuators, keys, keyboards, pointer devices, microphones,
transducers, potentiometers, non-contact sensing circuitry,
accelerometers, or other human-interface equipment. User interface
system 540 also includes equipment to communicate information to a
user of wireless communication device 500. Examples of the
equipment to communicate information to the user could include
displays, indicator lights, lamps, light-emitting diodes, haptic
feedback devices, audible signal transducers, speakers, buzzers,
alarms, vibration devices, or other indicator equipment, including
combinations thereof.
[0060] Security keys 550 comprise one or more security keys, such
as those discussed herein. Security keys 550 can be encryption
keys, pseudorandom keys, private keys, or other security keys.
Security keys 550 are stored in a data structure, which can be a
sub-portion of storage system 530 accessible only by secure zone
524. In some examples, a separate physical storage device or memory
device is employed to store security keys 550 and make available
security keys 550 to secure zone 524 and not to open zone 522. In
other examples, security keys 550 are stored in a shared memory
space or memory device and accessible only by secure zone 524.
Security keys 550 can be hard coded during manufacture of wireless
communication device 500, such as by including security keys 550 in
programmable read-only memory elements.
[0061] Power system 560 includes circuitry and a power source to
provide power to the elements of wireless communication device 500.
The power source could include a battery, solar cell, flywheel,
capacitor, thermoelectric generator, chemical power source, dynamo,
or other power source. In some examples, power system 560 receives
power from an external source, such as a wall outlet or power
adapter. Power system 560 also includes circuitry to condition,
monitor, and distribute electrical power to the elements of
wireless communication device 500.
[0062] FIG. 6 is a block diagram illustrating security node 600, as
an example of security nodes 110, 112 found in FIG. 1 or proxy
nodes 310, 314 found in FIG. 3, although variations are possible.
Security node 600 includes communication interfaces 610, processing
system 620, storage system 630, and security keys 640.
[0063] Communication interfaces 610, processing system 620, and
storage system 630 are communicatively coupled, and can communicate
over associated discrete links, common busses, data links, power
links, RF links, or other links. Security node 600 can be
distributed or consolidated among equipment or circuitry that
together forms the elements of security node 600. Security node 600
can optionally include additional devices, features, or
functionality not discussed here for purposes of brevity.
[0064] Communication interfaces 610 comprise one or more
communication transceiver circuitry portions and communication
interface circuitry for communicating over one or more
communication links 670 with one or more communication networks.
Communication interface 610 could include transceiver equipment and
routing equipment for exchanging communications over associated
ones of links 670, among further links. In some examples,
communication interface 610 includes wireless transceiver circuitry
and antenna equipment. Communication interface 610 also receives
command and control information and instructions from processing
system 620 for controlling the operations of communications over
links 670. Links 670 could each use various protocols or
communication formats as described herein for links 140-144,
including combinations, variations, or improvements thereof.
[0065] Processing system 620 can comprise one or more
microprocessors and other circuitry that retrieves and executes
software 632 from storage system 630. Processing system 620 can be
implemented within a single processing device but can also be
distributed across multiple processing devices or sub-systems that
cooperate in executing program instructions. Examples of processing
system 620 include general purpose central processing units,
application specific processors, and logic devices, as well as any
other type of processing device, combinations, or variations
thereof.
[0066] In this example, processing system 620 includes open zone
622 and secure zone 624. Each zone of processing system 620 can be
implemented in a separate microprocessor, microprocessor core,
virtual core, or other hardware or software partition that
separates memory spaces, operating systems, drivers, and other
operational hardware and software elements so as to provide a
restricted level of access for applications and users to secure
zone 624, and a non-restricted level of access for open zone 622.
In some examples, open zone 622 comprises a standard core of a
processor system, such as for operating an Android, Linux, Windows,
iOS, embedded operating system, or other user-accessible operating
system. Likewise, secure zone 624 comprises in some examples, a
secure core or "trust zone" core of a processor system which
prevents access to the processing and memory elements of secure
zone 624 unless authorized through a security exchange or security
handshake with an external authorization node.
[0067] This partitioned configuration of secure zone 624 differs
from user-level password protected access, in that any application
that desires to execute on secure zone 624 must first be authorized
by a security handshaking process with an external authorization
node. Open zone 622, by contrast, might run applications after a
user merely "logs in" or passes a user-level security access, and
the applications executed on open zone 622 are not authorized
through a security handshaking process with an authorization node.
[0068] Storage system 630 can comprise any computer readable
storage media or storage device readable by processing system 620
and capable of storing software 632. In some examples, portions of
storage system 630 stores security keys 640. Storage system 630 can
include volatile and nonvolatile, removable and non-removable media
implemented in any method or technology for storage of information,
such as computer readable instructions, data structures, program
modules, or other data. In addition to storage media, in some
implementations storage system 630 can also include communication
media over which software 632 or other data can be communicated.
Storage system 630 can be implemented as a single storage device
but can also be implemented across multiple storage devices or
sub-systems co-located or distributed relative to each other.
Storage system 630 can comprise additional elements, such as a
controller, capable of communicating with processing system 620.
Examples of storage media include random access memory, read only
memory, magnetic disks, optical disks, flash memory, virtual memory
and non-virtual memory, magnetic cassettes, magnetic tape, magnetic
disk storage or other magnetic storage devices, or any other medium
which can be used to store the desired information and that can be
accessed by an instruction execution system, as well as any
combination or variation thereof, or any other type of storage
media. In no case is the storage media a propagated signal.
[0069] Software 632 can be implemented in program instructions and
among other functions can, when executed by security node 600 in
general or processing system 620 in particular, direct security
node 600 or processing system 620 to receive communication requests
from user devices for secure communications with other user
devices, become authorized to engage in the secure communications
by an authorization node, establish secure communication links
between end user devices, determine if other security nodes have a
security relationship established with security node 600, establish
secure communication links for secure communications between end
user devices, using at least the security relationship between
security node 600 and another security node, and exchange secure
communications over secure communication links, among other
operations. Software 632 can include additional processes,
programs, or components, such as operating system software,
database software, or application software. Software 632 can also
comprise firmware or some other form of machine-readable processing
instructions executable by processing system 620.
[0070] In at least one implementation, the program instructions can
include first program instructions that direct processing system
620 to receive communication requests from user devices for secure
communications with other user devices, become authorized to engage
in the secure communications by an authorization node, establish
secure communication links between end user devices, determine if
other security nodes have a security relationship established with
security node 600, establish secure communication links for secure
communications between end user devices, using at least the
security relationship between security node 600 and another
security node, and exchange secure communications over secure
communication links.
[0071] In general, software 632 can, when loaded into processing
system 620 and executed, transform processing system 620 overall
from a general-purpose computing system into a special-purpose
computing system customized to receive communication requests from
user devices for secure communications with other user devices,
become authorized to engage in the secure communications by an
authorization node, establish secure communication links between
end user devices, determine if other security nodes have a security
relationship established with security node 600, establish secure
communication links for secure communications between end user
devices, using at least the security relationship between security
node 600 and another security node, and exchange secure
communications over secure communication links, among other
operations. Encoding software 632 on storage system 630 can
transform the physical structure of storage system 630. The
specific transformation of the physical structure can depend on
various factors in different implementations of this description.
Examples of such factors can include, but are not limited to the
technology used to implement the storage media of storage system
630 and whether the computer-storage media are characterized as
primary or secondary storage. For example, if the computer-storage
media are implemented as semiconductor-based memory, software 632
can transform the physical state of the semiconductor memory when
the program is encoded therein. For example, software 632 can
transform the state of transistors, capacitors, or other discrete
circuit elements constituting the semiconductor memory. A similar
transformation can occur with respect to magnetic or optical media.
Other transformations of physical media are possible without
departing from the scope of the present description, with the
foregoing examples provided only to facilitate this discussion.
[0072] Security keys 640 comprise one or more security keys, such
as those discussed herein. Security keys 640 can be encryption
keys, pseudorandom keys, private keys, or other security keys.
Security keys 640 are stored in a data structure, which can be a
sub-portion of storage system 630 accessible only by secure zone
624. In some examples, a separate physical storage device or memory
device is employed to store security keys 640 and make available
security keys 640 to secure zone 624 and not to open zone 622. In
other examples, security keys 640 are stored in a shared memory
space or memory device and accessible only by secure zone 624.
Security keys 640 can be hard coded during manufacture of security
node 600, such as by including security keys 640 in programmable
read-only memory elements.
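The following is an added illustration of the storage arrangement just described; it is not code from this application or from the applicant. It models storage system 630 as an open region plus a key region holding security keys 640, a secure zone 624 that is the only component permitted to read that region, and an open zone 622 that can ask the secure zone to use a key but never obtains the key bytes. The class and method names, the single "link_key" entry, the HMAC operation chosen to stand in for "using" a key, and the sample key and message are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac


class ZoneAccessError(PermissionError):
    """Raised when a caller other than the secure zone reads the key region."""


class StorageSystem:
    """Models storage system 630 as two regions: an open region any zone can
    use, and a key region (security keys 640) readable only by the secure
    zone bound to it. The identity check stands in for hardware isolation."""

    def __init__(self) -> None:
        self._open_region: dict[str, bytes] = {}
        self._key_region: dict[str, bytes] = {}
        self._secure_zone: object | None = None

    def provision_key(self, name: str, key: bytes) -> None:
        # Stands in for hard-coding keys at manufacture: write-once, never
        # replaced at run time (the programmable read-only memory case).
        if name in self._key_region:
            raise RuntimeError(f"key {name!r} is already provisioned")
        self._key_region[name] = bytes(key)

    def bind_secure_zone(self, zone: object) -> None:
        # Exactly one secure zone may claim the key region.
        if self._secure_zone is not None:
            raise RuntimeError("a secure zone is already bound")
        self._secure_zone = zone

    def read_key(self, caller: object, name: str) -> bytes:
        # Only the bound secure zone is served; every other caller is refused.
        if caller is not self._secure_zone:
            raise ZoneAccessError("key region is readable only by the secure zone")
        return self._key_region[name]

    def write_open(self, name: str, value: bytes) -> None:
        self._open_region[name] = bytes(value)

    def read_open(self, name: str) -> bytes:
        return self._open_region[name]


class SecureZone:
    """Models secure zone 624: the only component that sees key bytes. It
    exposes operations on keys, never the keys themselves."""

    def __init__(self, storage: StorageSystem) -> None:
        self._storage = storage
        storage.bind_secure_zone(self)

    def mac(self, key_name: str, message: bytes) -> bytes:
        key = self._storage.read_key(self, key_name)
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, key_name: str, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(key_name, message), tag)


class OpenZone:
    """Models open zone 622: handles requests and open data, and can only ask
    the secure zone to use a key on its behalf."""

    def __init__(self, storage: StorageSystem, secure: SecureZone) -> None:
        self._storage = storage
        self._secure = secure

    def authenticate_request(self, request: bytes) -> bytes:
        # Tag an outgoing request without ever holding the key.
        self._storage.write_open("last_request", request)
        return self._secure.mac("link_key", request)

    def try_read_key(self, name: str) -> bytes:
        # A direct read by the open zone is refused by the storage system.
        return self._storage.read_key(self, name)


def build_node(link_key: bytes) -> tuple[StorageSystem, SecureZone, OpenZone]:
    """Assemble one security node with a single hard-coded link key."""
    storage = StorageSystem()
    storage.provision_key("link_key", link_key)
    secure = SecureZone(storage)
    return storage, secure, OpenZone(storage, secure)


def open_zone_is_blocked(open_zone: OpenZone) -> bool:
    """True when the open zone's direct key read is refused."""
    try:
        open_zone.try_read_key("link_key")
    except ZoneAccessError:
        return True
    return False


if __name__ == "__main__":
    # Constructed key and message; not values from the application.
    _, secure, open_zone = build_node(bytes(range(32)))
    msg = b"link request from device 130"
    tag = open_zone.authenticate_request(msg)
    print("tag ok:", secure.verify("link_key", msg, tag))
    print("open zone blocked:", open_zone_is_blocked(open_zone))
```

The point the model makes is the interface shape: the open zone's only route to a key is a request to the secure zone for a keyed operation, so a compromise of the open zone yields use of the key but not its value, and the secure zone can log or rate-limit that use. In a real node the `caller is self._secure_zone` test is replaced by hardware enforcement (a separate memory device or a protected region of shared memory, as the paragraph describes); in Python nothing prevents code from passing the secure zone's reference as `caller`, so the check only models the boundary, it does not provide it.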
[0073] Referring back to FIG. 1, security nodes 110, 112 each
comprise computer processing systems, routing equipment,
communication interfaces, and other equipment to establish
communication sessions, communication links, secure communication
links, and trust relationships, among other operations. Security
nodes 110, 112 can each include communication or network
interfaces, as well as computer systems, microprocessors,
circuitry, cloud-based systems, or some other processing devices or
software systems, and can be distributed among multiple processing
devices. Examples of security nodes 110, 112 can also each include
software such as an operating system, logs, databases, utilities,
drivers, networking software, and other software stored on a
computer-readable medium. In some examples, security nodes 110, 112
each comprise proxy nodes, intermediary nodes, gateway nodes,
packet gateways, routers, access service network gateways (ASN-GW),
packet data switching nodes (PDSN), Mobility Management Entity
(MME) equipment, or other communications equipment of wireless
communication networks.
[0074] Communication network 120 comprises communication and
control systems for providing access to communication services for
other devices and networks. Communication network 120 can
provide communication services including communication routing,
link bridging, network communications, data exchange, or other
communication services. In some examples, communication network 120
is a cellular voice and data network that can provide voice calls,
text messages, data access, or other communication services
provided over cellular or wireless communication networks. In some
examples, communication network 120 includes equipment to provide
wireless access to communication services within different coverage
areas to user devices, route communications between content
providers and user devices, and facilitate handoffs between
equipment of different coverage areas, among other operations.
Communication network 120 can also comprise elements such as radio
access network (RAN) equipment, E-UTRAN Node B equipment, eNodeB
equipment, Evolved Node B equipment, Mobility Management Entity
(MME) equipment, interworking functions (IWF), Home Subscriber
Servers (HSS), Evolved Universal Terrestrial Radio Access (E-UTRA)
network equipment, base stations, base transceiver stations (BTS),
base station controllers (BSC), mobile switching centers (MSC),
home location registers (HLR), radio node controllers (RNC), call
processing systems, authentication, authorization and accounting
(AAA) equipment, access service network gateways (ASN-GW), packet
data switching nodes (PDSN), home agents (HA), mobility access
gateways (MAG), Internet access nodes, telephony service nodes,
databases, or other communication and control equipment.
[0075] User device 130 comprises a processing system, a plurality
of transceiver portions, security keys, user interface elements,
and other communication elements. The transceiver portions
typically include amplifiers, filters, modulators, and signal
processing circuitry. The transceiver portions can be used to
communicate over link 140, which can include wired, optical, or
wireless links. The processing system can include one or more
processing portions. User device 130 can also include user
interface systems, memory devices, non-transitory computer-readable
storage mediums, software, processing circuitry, or some other
communication components. User device 130 can be a user device,
user equipment, subscriber equipment, customer equipment, access
terminal, wireless smartphone, computer, mobile Internet appliance,
wireless network interface card, media player, game console, or
some other communication apparatus, including combinations thereof.
User device 132 can comprise similar elements as described for user
device 130.
[0076] Communication links 140-144 each use metal, glass, optical,
air, space, or some other material as the transport media.
Communication links 140-144 can each use various communication
protocols, such as Time Division Multiplex (TDM), asynchronous
transfer mode (ATM), Internet Protocol (IP), Ethernet, synchronous
optical networking (SONET), hybrid fiber-coax (HFC), Universal
Serial Bus (USB), circuit-switched, communication signaling,
wireless communications, or some other communication format,
including combinations, improvements, or variations thereof.
Communication links 140-144 can each be a direct link or can
include intermediate networks, systems, or devices, and can include
a logical network link transported over multiple physical links.
Communication links 140-144 can each include many different signals
sharing the same associated link, as represented by the associated
lines in FIG. 1, comprising resource blocks, access channels,
paging channels, notification channels, forward links, reverse
links, user communications, communication sessions, overhead
communications, carrier frequencies, other channels, timeslots,
spreading codes, transportation ports, logical transportation
links, network sockets, packets, or communication directions.
[0077] In some examples, communication links 140 and 143 are
wireless links, and use the air or space as the transport media.
Wireless links 140 and 143 each comprise one or more wireless
communication links provided over an associated wireless frequency
spectrum or wireless frequency band, and can use various protocols.
In this example, wireless links 140 and 143 can comprise Long Term
Evolution (LTE), LTE Advanced, Code Division Multiple Access
(CDMA), Evolution-Data Optimized (EVDO), single-carrier radio
transmission technology link (1xRTT), Global System for
Mobile Communication (GSM), Universal Mobile Telecommunications
System (UMTS), High Speed Packet Access (HSPA), Radio Link Protocol
(RLP), 3rd Generation Partnership Project (3GPP) Worldwide
Interoperability for Microwave Access (WiMAX), Orthogonal
Frequency-Division Multiple Access (OFDMA), Single-carrier
frequency-division multiple access (SC-FDMA), Wideband Code
Division Multiple Access (W-CDMA), Time Division Synchronous Code
Division Multiple Access (TD-SCDMA), IEEE 802.11, Wireless Fidelity
(Wi-Fi), or some other cellular or wireless communication format,
including combinations, improvements, or variations thereof.
[0078] Although one main link for each of links 140-144 is shown in
FIG. 1, it should be understood that links 140-144 are merely
illustrative to show communication modes or access pathways for
user device 130 and user device 132. In other examples, further
links can be shown, with portions of the further wireless links
shared and used for different communication sessions or different
content types, among other configurations.
[0079] The included descriptions and figures depict specific
embodiments to teach those skilled in the art how to make and use
the best mode. For the purpose of teaching inventive principles,
some conventional aspects have been simplified or omitted. Those
skilled in the art will appreciate variations from these
embodiments that fall within the scope of the invention. Those
skilled in the art will also appreciate that the features described
above can be combined in various ways to form multiple embodiments.
As a result, the invention is not limited to the specific
embodiments described above, but only by the claims and their
equivalents.
* * * * *