WO2013118096A1 - Method, apparatus and computer program for facilitating secure d2d discovery information - Google Patents


Info

Publication number: WO2013118096A1
Authority: WO (WIPO (PCT))
Prior art keywords: security key, terminal, discovery information, security, discovery
Prior art date
Application number: PCT/IB2013/051060
Other languages: French (fr)
Inventors: Timo Koskela, Sami-Jukka Hakola, Samuli Turtinen, Anna Pantelidou
Original Assignee: Renesas Mobile Corporation
Priority date
Filing date
Publication date
Application filed by Renesas Mobile Corporation
Publication of WO2013118096A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 for controlling access to devices or network resources > H04L 63/105 Multiple levels of security
        • H04L 63/06 for supporting key management in a packet data network > H04L 63/062 for key distribution, e.g. centrally by trusted party
        • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload > H04L 63/045 wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
        • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
        • H04W 8/00 Network data management > H04W 8/005 Discovery of network devices, e.g. terminals
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/03 Protecting confidentiality, e.g. by encryption
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
        • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W 12/043 using a trusted network node as an anchor > H04W 12/0431 Key distribution or pre-distribution; Key agreement
        • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W 12/043 using a trusted network node as an anchor > H04W 12/0433 Key management protocols
        • H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/14 Direct-mode setup

Definitions

  • the present invention relates to a method, apparatus and computer program for determining the security level of D2D discovery information, and to a method, apparatus and computer program for distributing a security key relating to a D2D discovery signal.
  • Embodiments of the present invention relate generally to wireless communication technology and, in particular embodiments, relate to an apparatus, method and computer program product for facilitating secure device-to-device discovery.
  • D2D communication technologies may use radio resources of a hosting cellular system, but allow two computing devices, such as mobile terminals (also referred to as user equipment (UEs) or stations (STAs)), to communicate directly with each other without routing their communications through components of the cellular system.
  • D2D communication may offer several advantages. For example, the direct communication link between mobile terminals engaged in D2D communication may result in reduced end-to-end delay time for data exchanged between the terminals as compared to indirect communication via cellular system components. Further, since communications may be offloaded from the cellular network to D2D communication links, network load may be reduced. Additional benefits of D2D communication may include improved local area coverage, improved serving network resource efficiency, and conservation of transmission power by both UEs and network access points.
  • D2D communication may support a variety of end user services, such as peer-to-peer applications, social applications, voice over internet protocol (VoIP) conversation, head-to-head gaming applications, collaborative applications, local advertising, network offloading, and/or other services that may involve transfer of data between computing devices that may be within relatively close proximity of each other.
  • a method comprising receiving, at a terminal, a device-to-device (D2D) discovery signal, the D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the D2D discovery signal; and determining, based at least in part on the indication, the security level applied to the D2D discovery information.
  • apparatus for use in a communication terminal, the apparatus comprising a processing system arranged to cause the apparatus to at least: determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal.
  • the apparatus of the second example embodiment provides for secure device-to-device discovery.
  • a computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least: determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal.
  • the computer program product of the third example embodiment provides for secure device-to-device discovery.
  • apparatus comprising: means for determining a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal. This provides for secure device-to-device discovery.
  • a method comprising: determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, causing the security key to be distributed to the terminal.
  • the method of the fifth example embodiment facilitates secure device-to-device discovery.
  • apparatus for use in a network entity, the apparatus comprising a processing system arranged to cause the apparatus to at least: determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, cause the security key to be distributed to the terminal.
  • the apparatus of the sixth example embodiment facilitates secure device-to-device discovery.
  • a computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least: determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, cause the security key to be distributed to the terminal.
  • the computer program product of the seventh example embodiment facilitates secure device-to-device discovery.
  • apparatus comprising: means for determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and means for, responsive to the determination, causing the security key to be distributed to the terminal.
  • the computer programs described above may be stored in or on a computer program product comprising at least one non-transitory computer-readable storage medium having computer-readable program code stored therein, the computer-readable program code including or providing the instructions referred to above.
  • the processing systems described above may be provided by at least one processor and at least one memory including computer program instructions, the at least one memory and the computer program instructions being configured to, with the at least one processor, cause the apparatus at least to perform as described above.
  • Methods, apparatus and computer program products are provided herein for facilitating secure device-to-device discovery.
  • Embodiments provided herein may provide several advantages to network providers, wireless service providers, computing devices, and computing device users.
  • some example embodiments provide varying levels of security that may be applied to D2D discovery signalling.
  • An indication of the level of security applied to D2D discovery signalling may be included in a D2D discovery signal.
  • a device receiving the D2D discovery signal may determine the level of security applied to the signal and determine whether the device is permitted to access discovery information included in the D2D discovery signal and/or how to access discovery information in the D2D discovery signal. If a device receives a D2D discovery signal having information that the device is not permitted to access, the device may discard the received signal to avoid processing overhead.
  • a varying level of encryption security may be applied to information included within a D2D discovery signal.
  • Distribution of security keys of some such example embodiments is limited to a group of permitted devices, such that only devices permitted to receive a security key needed to decrypt an encrypted portion of a D2D discovery signal may obtain the security key and decrypt the encrypted portion. Accordingly, some example embodiments allow only those devices that belong to the same predefined group to discover each other's D2D discovery signalling and establish a D2D link with each other.
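The receiver-side logic described in the preceding definitions (read the security-level indication first, then decide whether the terminal is permitted to access the discovery information, how to access it, or whether to discard the signal) as an added worked example; this is not the patent's own code. It assumes a constructed frame layout (a magic prefix, one indicator byte, then either plaintext or nonce plus ciphertext), three concrete levels (open, common-key, private-key) and an HMAC-SHA256 based encrypt-then-MAC stand-in for a real AEAD such as AES-GCM.

```python
"""Toy model of a security-level-tagged D2D discovery signal (added example)."""
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Security levels carried in the indicator field. The patent only says
# "varying levels of security"; these three concrete values are an assumption.
LEVEL_OPEN = 0      # discovery information sent in the clear
LEVEL_COMMON = 1    # encrypted with the common (group) security key
LEVEL_PRIVATE = 2   # encrypted with a private (pairwise) security key

MAGIC = b"D2D1"     # constructed frame marker; header = MAGIC + level byte
HDR_LEN = 5
NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _seal(key: bytes, nonce: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the header (including the level byte) is authenticated."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def _open(key: bytes, nonce: bytes, header: bytes, body: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None on any failure."""
    if len(body) < TAG_LEN:
        return None
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_discovery_signal(level: int, info: bytes, key: Optional[bytes] = None,
                           nonce: Optional[bytes] = None) -> bytes:
    """Transmitter side: tag the frame with its security level and protect it accordingly."""
    header = MAGIC + bytes([level])
    if level == LEVEL_OPEN:
        return header + info
    if level not in (LEVEL_COMMON, LEVEL_PRIVATE) or key is None:
        raise ValueError("encrypted level requires a matching security key")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return header + nonce + _seal(key, nonce, header, info)


@dataclass
class Decision:
    level: int             # security level read from the indication (-1 if malformed)
    action: str            # "accept" or "discard"
    info: Optional[bytes]  # recovered discovery information, if accepted


def process_discovery_signal(frame: bytes, keys: Dict[int, bytes]) -> Decision:
    """Receiver side: determine the level from the indication, then decide what to do.

    `keys` maps a security level to the key this terminal has been given for it
    (common key for LEVEL_COMMON, private key for LEVEL_PRIVATE).
    """
    if len(frame) < HDR_LEN or frame[:4] != MAGIC:
        return Decision(-1, "discard", None)
    header, rest = frame[:HDR_LEN], frame[HDR_LEN:]
    level = header[4]
    if level == LEVEL_OPEN:
        # Open frames carry no integrity protection: the information is readable
        # by anyone, and must be treated as unauthenticated by the application.
        return Decision(level, "accept", rest)
    if level not in (LEVEL_COMMON, LEVEL_PRIVATE):
        return Decision(level, "discard", None)
    key = keys.get(level)
    if key is None:
        # Terminal is not permitted to access this information (no key for the
        # group or peer): drop it immediately to avoid needless processing.
        return Decision(level, "discard", None)
    nonce, body = rest[:NONCE_LEN], rest[NONCE_LEN:]
    info = _open(key, nonce, header, body)
    if info is None:
        # Wrong key, truncated frame or tampered content (including a modified
        # level byte, which is covered by the tag): discard.
        return Decision(level, "discard", None)
    return Decision(level, "accept", info)
```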
  • FIG. 1 shows schematically an example system for facilitating secure D2D discovery according to some example embodiments
  • FIG. 2 shows a schematic block diagram of a network apparatus in accordance with some example embodiments
  • FIG. 3 shows a schematic block diagram of a terminal apparatus in accordance with some example embodiments
  • FIG. 4 shows schematically an example D2D discovery signal frame according to some example embodiments
  • FIG. 5 shows schematically an example system for facilitating secure D2D discovery according to some example embodiments
  • FIG. 6 shows a flowchart according to an example method for obtaining a common security key according to some example embodiments
  • FIG. 7 shows a flowchart according to an example method for obtaining a private security key according to some example embodiments
  • FIG. 8 shows a flowchart according to an example method for updating a security key according to some example embodiments
  • FIG. 9 shows a flowchart according to an example method for generating a secure D2D discovery signal according to some example embodiments
  • FIG. 10 shows a flowchart according to an example method for processing a received D2D discovery signal according to some example embodiments
  • FIG. 11 shows a flowchart according to another example method for processing a received D2D discovery signal according to some example embodiments
  • FIG. 12 shows a flowchart according to an example method for facilitating secure D2D discovery according to some example embodiments
  • FIG. 13 shows a flowchart according to an example method for distributing a common security key according to some example embodiments
  • FIG. 14 shows a flowchart according to an example method for distributing a private security key according to some example embodiments.
  • the terms “data”, “content”, “information” and similar terms may be used interchangeably to refer to data capable of being transmitted, received, displayed and/or stored in accordance with various example embodiments. Thus, use of any such terms should not be taken to limit the spirit and scope of the disclosure.
  • Where a computing device is described herein as receiving data from another computing device, it will be appreciated that the data may be received directly from the other computing device or indirectly via one or more intermediary computing devices, such as, for example, one or more servers, relays, routers, network access points, base stations, and/or the like.
  • circuitry refers to all of the following:
  • circuitry refers to (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry), (b) combinations of circuits and software (and/or firmware), such as (as applicable): (i) a combination of processor(s) or (ii) portions of processor(s)/software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and (c) circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present.
  • circuitry applies to all uses of this term in this specification, including in any claims.
  • circuitry would also cover an implementation of merely a processor (or multiple processors) or portion of a processor and its (or their) accompanying software and/or firmware.
  • circuitry would also cover, for example and if applicable to the particular claim element, a baseband integrated circuit or applications processor integrated circuit for a mobile phone, or a similar integrated circuit in a server, a cellular network device or other network device.
  • FIG. 1 illustrates an example system 100 for facilitating secure D2D discovery in accordance with some example embodiments.
  • system 100 as well as the illustrations in other figures are each provided as an example of an embodiment(s) and should not be construed to narrow the scope or spirit of the disclosure in any way.
  • the scope of the disclosure encompasses many potential embodiments in addition to those illustrated and described herein.
  • FIG. 1 illustrates one example of a configuration of a system for facilitating secure D2D discovery
  • embodiments of the present invention may be implemented in systems having numerous other configurations.
  • the system 100 includes a network apparatus 102 and a plurality of terminal apparatus 104. Two such terminal apparatus 104 are illustrated in FIG. 1 by way of example. However, it will be appreciated that the system 100 may include any number of terminal apparatus 104.
  • the system 100 further comprises a network 106.
  • the network 106 may comprise one or more wireline networks, one or more wireless networks, or some combination thereof.
  • the network 106 comprises a public land mobile network (for example, a cellular network), such as may be implemented by a network operator (for example, a cellular access provider).
  • the network 106 may, for example, operate in accordance with current and future implementations of Third Generation Partnership Project (3GPP) Long Term Evolution (LTE) standards, including Long Term Evolution-Advanced (LTE-A) standards and/or the like.
  • the network 106 is not limited to embodiment as an LTE network.
  • the network 106 may employ a network implementing any type of mobile and/or wireless access mechanism, such as LTE, LTE-A, Time Division Synchronous Code Division Multiple Access (TD-SCDMA), wideband code division multiple access (W-CDMA), CDMA2000, global system for mobile communications (GSM), general packet radio service (GPRS), a wireless local area network (WLAN) access mechanism (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.11), a WiMAX access mechanism (e.g. IEEE 802.16), a wireless regional area network access mechanism (e.g. IEEE 802.22), and/or the like.
  • Where references herein are made to a particular network standard and/or to terminology particular to a network standard, the references are provided merely by way of example and not by way of limitation. Terminology such as “evolved Node B” or “eNB” is thus used alongside terms for other base stations, such as “base transceiver station”, “node B” and “access point” (AP).
  • a terminal apparatus 104 may comprise any computing device configured to associate with the network 106 so as to receive network access via the network 106 and to establish a D2D communication link, such as the D2D communication link 108 with another computing device, such as another terminal apparatus 104.
  • a terminal apparatus 104 may be embodied as a mobile communication device, mobile telephone, personal digital assistant (PDA), smart phone, tablet computing device, pager, laptop computer, desktop computer with a cellular network adapter, portable game device, audio/video player, television device, radio receiver, a digital camera/camcorder, positioning device, some combination thereof, or the like.
  • the terminal apparatus 104 may be embodied as a user equipment (UE) device, which may be configured to access a cellular network, such as an LTE network.
  • a terminal apparatus 104 may associate with and receive network access from the network 106 via a network access point, which may, for example, form a portion of a radio access network (RAN).
  • the network access point may be configured to provide access to the network 106 to one or more terminal apparatus 104 via a radio uplink.
  • the radio uplink may comprise a radio uplink conforming to a cellular networking standard, such as by way of non-limiting example, an LTE standard.
  • a network access point through which a terminal apparatus 104 may associate with and access the network 106 may comprise a base station, base transceiver station (BTS), node B, evolved node B (eNB), and/or the like
  • a terminal apparatus 104 may be configured to communicate with the network apparatus 102 over the network 106.
  • the network apparatus 102 may comprise a node of the network 106.
  • the network apparatus 102 may be at least partially embodied on one or more computing devices that comprise a core network (CN) entity of the network 106.
  • the network apparatus 102 may, for example, be at least partially embodied on a mobility management entity (MME) of the core network.
  • the network apparatus may comprise one or more dedicated computing devices, such as a D2D server that may comprise a portion of a CN portion of the network 106.
  • the network apparatus 102 may additionally or alternatively be at least partially embodied on or by one or more computing devices that comprise an element of a radio access network (RAN) portion of the network 106.
  • the network apparatus 102 may, for example, be at least partially embodied on an access point of the network 106, such as a base station, BTS, node B, eNB, WLAN AP and/or the like.
  • the network apparatus 102 may be embodied as a plurality of computing devices that collectively provide functionality attributed to the network apparatus 102 herein.
  • the plurality of computing devices may, for example, be located in a CN portion of the network 106, a RAN portion of the network 106, or some combination thereof.
  • a terminal apparatus 104 may be configured with cognitive radio (CR) capabilities such that a terminal apparatus 104 may be configured to sense other terminal apparatus 104 within a proximate range and detect whether such sensed terminal apparatus 104 are configured for device-to-device (D2D) communication.
  • terminal apparatus 104 may be configured to exchange D2D discovery signalling to enable device discovery and facilitate establishment of D2D links between devices. Accordingly, two or more terminal apparatus 104 may establish a D2D connection 108 with each other in order to engage in D2D communication with each other.
  • a D2D connection 108 may, for example, comprise a direct radio link between two or more terminal apparatus 104 and may enable the terminal apparatus 104 engaged in D2D communication to communicate directly with each other without routing their communications via one or more elements of the network 106.
  • the D2D connection 108 may utilise resources within a band that may be used for radio access to the network 106, such as a cellular band. Additionally or alternatively, the D2D connection 108 may utilise an unlicensed band, such as a band in the industrial, scientific, and medical (ISM) range, to facilitate wireless transmission of data between devices.
  • FIG. 2 illustrates a block diagram of a network apparatus 202 in accordance with some example embodiments.
  • the network apparatus 202 illustrates an example of an apparatus that may be implemented on a network apparatus 102 in accordance with some example embodiments.
  • the components, devices or elements illustrated in and described with respect to FIG. 2 below may not be mandatory and thus some may be omitted in certain embodiments. Additionally, some embodiments may include further or different components, devices or elements beyond those illustrated in and described with respect to FIG. 2.
  • the network apparatus 202 may be implemented on an MME, a home subscriber server (HSS), a dedicated D2D server, some combination thereof, or the like. Accordingly, while the network apparatus 202 is illustrated as a single apparatus, it will be appreciated that the network apparatus 202 may comprise a plurality of separate apparatus, which may collectively comprise the network apparatus 202. Thus, for example, a first functionality attributed to the network apparatus 202 may be performed by an MME, while a second functionality that may be attributed to the network apparatus 202 may be performed by a separate entity, such as a dedicated D2D server. In embodiments wherein the network apparatus 202 comprises a plurality of separate apparatus, elements illustrated in FIG. 2, such as processing circuitry 210, communication interface 216, and/or the like, may be implemented on each of the apparatus that may comprise the network apparatus 202.
  • the key management controller 218 may be implemented on a first apparatus, such as an MME, HSS, and/or the like, while the D2D registration controller 220 may be implemented on a second apparatus, such as a D2D server.
  • the network apparatus 202 may include or otherwise be in communication with processing circuitry 210 that is configurable to perform actions in accordance with one or more example embodiments disclosed herein.
  • the processing circuitry 210 may be configured to perform and/or control performance of one or more functionalities of the network apparatus 202 in accordance with various example embodiments, and thus may provide means for performing functionalities of the network apparatus 202 in accordance with various example embodiments.
  • the processing circuitry 210 may be configured to perform data processing, application execution and/or other processing and management services according to one or more example embodiments.
  • the network apparatus 202 or a portion(s) or component(s) thereof, such as the processing circuitry 210 may be embodied as or comprise a chip or chip set.
  • the network apparatus 202 or the processing circuitry 210 may comprise one or more physical packages (e.g. chips) including materials, components and/or wires on a structural assembly (e.g. a baseboard).
  • the structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon.
  • the network apparatus 202 or the processing circuitry 210 may therefore, in some cases, be configured to implement an embodiment of the invention on a single chip or as a single "system-on-a-chip".
  • a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
  • the processing circuitry 210 may include a processor 212 and, in some embodiments, such as that illustrated in FIG. 2, may further include memory 214.
  • the processing circuitry 210 may be in communication with or otherwise control a communication interface 216, key management controller 218, and/or a D2D registration controller 220.
  • the processing circuitry 210 may be embodied as a circuit chip (e.g. an integrated circuit chip) configured (e.g. with hardware, software or a combination of hardware and software) to perform operations described herein. However, in some embodiments, the processing circuitry 210 may be embodied as a portion of a server, computer, workstation or other computing device.
  • one or more of the elements illustrated in FIG. 2 may provide a processing system, which may be arranged to perform one or more functionalities attributed to the network apparatus 202 in accordance with various example embodiments.
  • the processing circuitry 210, processor 212, memory 214, communication interface 216, key management controller 218, D2D registration controller 220, or some combination thereof may form a processing system.
  • the processor 212 may be embodied in a number of different ways.
  • the processor 212 may be embodied as various processing means such as one or more of a microprocessor or other processing element, a coprocessor, a controller or various other computing or processing devices including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), or the like.
  • the processor 212 may comprise a plurality of processors. The plurality of processors may be in operative communication with each other and may be collectively configured to perform one or more functionalities of the network apparatus 202 as described herein.
  • the plurality of processors may be embodied on a single computing device or distributed across a plurality of computing devices collectively configured to function as the network apparatus 202.
  • the processor 212 may be configured to execute instructions stored in the memory 214 or otherwise accessible to the processor 212.
  • the processor 212 may represent an entity (e.g. physically embodied in circuitry, in the form of processing circuitry 210) capable of performing operations according to embodiments of the present invention while configured accordingly.
  • When the processor 212 is embodied as an ASIC, FPGA or the like, the processor 212 may be specifically configured hardware for conducting the operations described herein.
  • When the processor 212 is embodied as an executor of software instructions, the instructions may specifically configure the processor 212 to perform one or more operations described herein.
  • the memory 214 may include one or more non-transitory memory devices such as, for example, volatile and/or non-volatile memory that may be either fixed or removable.
  • the memory 214 may comprise a non-transitory computer-readable storage medium. It will be appreciated that while the memory 214 is illustrated as a single memory, the memory 214 may comprise a plurality of memories. The plurality of memories may be embodied on a single computing device or may be distributed across a plurality of computing devices collectively configured to function as the network apparatus 202.
  • the memory 214 may be configured to store information, data, applications, instructions or the like for enabling the network apparatus 202 to carry out various functions in accordance with one or more example embodiments.
  • the memory 214 may be configured to buffer input data for processing by the processor 212. Additionally or alternatively, the memory 214 may be configured to store instructions for execution by the processor 212. As yet another alternative, the memory 214 may include one or more databases that may store a variety of files, contents or data sets. Among the contents of the memory 214, applications may be stored for execution by the processor 212 in order to carry out the functionality associated with each respective application. In some cases, the memory 214 may be in communication with one or more of the processor 212, communication interface 216, key management controller 218, or D2D registration controller 220 via a bus(es) for passing information among components of the network apparatus 202. The communication interface 216 may include one or more interface mechanisms for enabling communication with other devices and/or networks.
  • the communication interface 216 may be any means such as a device or circuitry embodied in either hardware, or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device or module that may be in communication with the processing circuitry 210.
  • the communication interface 216 may be configured to facilitate communication between one or more terminal apparatus 104 and the network apparatus 202.
  • the communication interface 216 may accordingly include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network and/or a communication modem or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB), Ethernet or other methods.
  • the processor 212 may be embodied as, include, or otherwise control a key management controller 218.
  • the key management controller 218 may be embodied as various means, such as circuitry, hardware, a computer program product comprising a computer readable medium (for example, the memory 214) storing computer readable program instructions executable by a processing device (for example, the processor 212), or some combination thereof.
  • the key management controller 218 may be capable of communication with one or more of the memory 214, communication interface 216, or D2D registration controller 220 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the key management controller 218 as described herein.
  • the processor 212 or the processing circuitry 210 may additionally or alternatively be embodied as, include, or otherwise control a D2D registration controller 220.
  • the D2D registration controller 220 may be embodied as various means, such as circuitry, hardware, a computer program product comprising a computer readable medium (for example, the memory 214) storing computer readable program instructions executable by a processing device (for example, the processor 212), or some combination thereof.
  • the D2D registration controller 220 may be capable of communication with one or more of the memory 214, communication interface 216, or key management controller 218 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the D2D registration controller 220 as described herein.
  • FIG. 3 illustrates a block diagram of a terminal apparatus 302 in accordance with some example embodiments.
  • the terminal apparatus 302 may comprise an apparatus that may be implemented on a terminal apparatus 104 in accordance with some example embodiments. It should be noted, however, that the components, devices or elements illustrated in and described with respect to FIG. 3 below may not be mandatory and thus some may be omitted in certain embodiments. Additionally, some embodiments may include further or different components, devices or elements beyond those illustrated in and described with respect to FIG. 3.
  • the terminal apparatus 302 may include or otherwise be in communication with processing circuitry 310 that is configurable to perform actions in accordance with one or more example embodiments disclosed herein.
  • the processing circuitry 310 may be configured to perform and/or control performance of one or more functionalities of the terminal apparatus 302 in accordance with various example embodiments, and thus may provide means for performing functionalities of the terminal apparatus 302 in accordance with various example embodiments.
  • the processing circuitry 310 may be configured to perform data processing, application execution and/or other processing and management services according to one or more example embodiments.
  • the terminal apparatus 302 or a portion(s) or component(s) thereof, such as the processing circuitry 310 may be embodied as or comprise a chip or chip set.
  • the terminal apparatus 302 or the processing circuitry 310 may comprise one or more physical packages (e.g. chips) including materials, components and/or wires on a structural assembly (e.g. a baseboard).
  • the structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon.
  • the terminal apparatus 302 or the processing circuitry 310 may therefore, in some cases, be configured to implement an embodiment of the invention on a single chip or as a single "system-on-a-chip".
  • a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
  • the processing circuitry 310 may include a processor 312 and, in some embodiments, such as that illustrated in FIG. 3, may further include memory 314.
  • the processing circuitry 310 may be in communication with or otherwise control a user interface 316, a communication interface 318, and/or a D2D discovery controller 320.
  • the processing circuitry 310 may be embodied as a circuit chip (e.g. an integrated circuit chip) configured (e.g. with hardware, software or a combination of hardware and software) to perform operations described herein.
  • one or more of the elements illustrated in FIG. 3 may provide a processing system, which may be arranged to perform one or more functionalities attributed to the terminal apparatus 302 in accordance with various example embodiments.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, D2D discovery controller 320, or some combination thereof may form a processing system.
  • the processor 312 may be embodied in a number of different ways.
  • the processor 312 may be embodied as various processing means such as one or more of a microprocessor or other processing element, a coprocessor, a controller or various other computing or processing devices including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), or the like.
  • the processor 312 may comprise a plurality of processors. The plurality of processors may be in operative communication with each other and may be collectively configured to perform one or more functionalities of the terminal apparatus 302 as described herein.
  • the plurality of processors may be embodied on a single computing device or distributed across a plurality of computing devices collectively configured to function as the terminal apparatus 302.
  • the processor 312 may be configured to execute instructions stored in the memory 314 or otherwise accessible to the processor 312.
  • the processor 312 may represent an entity (e.g. physically embodied in circuitry, in the form of processing circuitry 310) capable of performing operations according to embodiments of the present invention while configured accordingly.
  • when the processor 312 is embodied as an ASIC, FPGA or the like, the processor 312 may be specifically configured hardware for conducting the operations described herein.
  • when the processor 312 is embodied as an executor of software instructions, the instructions may specifically configure the processor 312 to perform one or more operations described herein.
  • the memory 314 may include one or more non-transitory memory devices such as, for example, volatile and/or non-volatile memory that may be either fixed or removable.
  • the memory 314 may comprise a non-transitory computer-readable storage medium.
  • the memory 314 may comprise a plurality of memories.
  • the plurality of memories may be embodied on a single computing device or may be distributed across a plurality of computing devices collectively configured to function as the terminal apparatus 302.
  • the memory 314 may be configured to store information, data, applications, instructions or the like for enabling the terminal apparatus 302 to carry out various functions in accordance with one or more example embodiments.
  • the memory 314 may be configured to buffer input data for processing by the processor 312. Additionally or alternatively, the memory 314 may be configured to store instructions for execution by the processor 312. As yet another alternative, the memory 314 may include one or more databases that may store a variety of files, contents or data sets. Among the contents of the memory 314, applications may be stored for execution by the processor 312 in order to carry out the functionality associated with each respective application. In some cases, the memory 314 may be in communication with one or more of the processor 312, user interface 316, communication interface 318, or D2D discovery controller 320 via a bus(es) for passing information among components of the terminal apparatus 302.
  • the user interface 316 may be in communication with the processing circuitry 310 to receive an indication of a user input at the user interface 316 and/or to provide an audible, visual, mechanical or other output to the user.
  • the user interface 316 may include, for example, a keyboard, a mouse, a joystick, a display, a touch screen, a microphone, a speaker, and/or other input/output mechanisms.
  • the communication interface 318 may include one or more interface mechanisms for enabling communication with other devices and/or networks.
  • the communication interface 318 may be any means such as a device or circuitry embodied in either hardware, or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device or module in communication with the processing circuitry 310.
  • the communication interface 318 may be configured to provide a cellular network interface (e.g. a cellular modem) to enable the terminal apparatus 302 to interface with a cellular network, such as via an access point.
  • the communication interface 318 may be configured to enable the terminal apparatus 302 to associate with and access the network 106.
  • the communication interface 318 may provide an interface to enable the terminal apparatus 302 to engage in D2D communication with another terminal apparatus, such as via a D2D connection 108.
  • the communication interface 318 may include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network (e.g. a cellular network, WSN, and/or the like) and/or a communication modem or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB), Ethernet or other methods.
  • the processor 312 may be embodied as, include, or otherwise control a D2D discovery controller 320.
  • the D2D discovery controller 320 may be embodied as various means, such as circuitry, hardware, a computer program product comprising computer readable program instructions stored on a computer readable medium (for example, the memory 314) and executed by a processing device (for example, the processor 312), or some combination thereof.
  • the D2D discovery controller 320 may be capable of communication with one or more of the memory 314, user interface 316, or communication interface 318 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the D2D discovery controller 320 as described herein.
  • the D2D discovery controller 320 may be configured to generate and/or process a D2D discovery signal frame, which may be sent by a terminal, such as a terminal 104 to facilitate device discovery and setup of a D2D connection.
  • the D2D discovery signal frame may include a portion containing D2D discovery information.
  • the D2D discovery information that may be included in a D2D discovery signal may be protected with various levels of security that may be applied to D2D discovery information.
  • an "open" level of security may be applied to D2D discovery information included in a D2D discovery signal.
  • the D2D discovery information is not encrypted.
  • a "common" level of security may be applied to D2D discovery information included in a D2D discovery signal.
  • the D2D discovery information may be encrypted with a common security key.
  • the common security key may, for example, be generated and distributed by the network apparatus 102 to any terminal apparatus that has associated with the network 106.
  • a common security key may be used across the network 106.
  • a common security key may be used across a portion of the network 106, such as within a single serving cell, a group of cells, a single D2D discovery area, a group of D2D discovery areas, a tracking area, a group of tracking areas, and/or the like.
  • multiple common security keys may be used within a given network portion.
  • the multiple common security keys may offer multiple levels of security.
  • each common security key may have a different length, thus offering a different level of protection to data encrypted with the key.
  • the key management controller 218 may be configured to generate and control distribution of common keys and/or other security keys that may be used for encrypting and/or decrypting portions of D2D discovery signals.
  • the key management controller 218 may be configured in some example embodiments to cause common security keys to be distributed to terminal apparatus 104 that have successfully authenticated themselves to and are associated with the network 106.
  • the D2D registration controller 220 may be configured to authenticate that a terminal apparatus 104 has associated with the network 106, and the key management controller 218 may selectively control distribution of a common security key to a terminal apparatus 104 based at least in part on whether the D2D registration controller 220 has authenticated the terminal apparatus 104.
  • a "private" level of security may be applied to D2D discovery information included in a D2D discovery signal.
  • the D2D discovery information may be encrypted with a private security key that may be available to only a predefined group of one or more devices.
  • a private security key may, for example, be generated by the network apparatus 102, and may be associated with a predefined group of one or more devices.
  • the network apparatus 102 may be configured to distribute a private security key to a terminal apparatus 104 only if the terminal apparatus 104 successfully authenticates itself as a member of the predefined group of one or more devices with which the private key is associated. If a terminal apparatus requesting a private security key is not a member of the group with which the private security key is associated and/or is not successfully authenticated as a member of the group with which the private security key is associated, the key request may be denied.
  • a key management controller 218 that may be associated with a network apparatus 102 may be configured to control generation and distribution of a private security key.
  • the D2D registration controller 220 may be configured to maintain a record of membership in one or more private groups.
  • a single terminal apparatus may be registered as a member of multiple private groups in some example embodiments.
  • a terminal apparatus 104 and/or user thereof may provide registration information for registration of a terminal apparatus 104 as a member of a group.
  • members of a group may be known to the D2D registration controller 220 based at least in part on a higher level identifier, such as a Skype account identifier, email address, a user name/password combination, an Internet handle, and/or the like.
  • a D2D registration controller 220 that may be associated with a terminal apparatus 104 may cause the terminal apparatus 104 to provide registration information to the network apparatus 102 for registering the terminal apparatus 104 as a member of a group.
  • the registration information may enable the D2D registration controller 220 to authenticate that the terminal apparatus 104 is a member of a group.
  • the registration information may comprise a higher level identifier that may be usable by the D2D registration controller 220 to verify that the terminal apparatus 104 and/or user thereof is a member of the group and a lower level identifier of the terminal apparatus 104, such as an International Mobile Subscriber Identity (IMSI) or the like.
  • the D2D registration controller 220 may be configured to create and maintain a binding between the higher level identifier and the lower level identifier so that the terminal apparatus 104 may be authenticated as a member of the group while associated with the network.
  • multiple private security keys may be associated with a given group of one or more devices.
  • the multiple private security keys may offer multiple levels of security.
  • each private security key may have a different length, thus offering a different level of protection to data encrypted with the key.
  • a D2D discovery signal may include an indication of the security level applied to D2D discovery information included in the D2D discovery signal.
  • the indication of the security level may, for example, be included in a header of the D2D discovery signal, such as in a header portion of a D2D discovery frame that may comprise the signal.
  • the indication may be included in a field of the header.
  • the indication of the security level may, for example, comprise a predefined set of bits that may be included in the D2D discovery signal.
  • Predefined bit values may indicate specified levels of security.
  • a 2 bit field may be used to indicate the security level.
  • bit value-security level associations may be defined and used in accordance with some example embodiments:
  • a D2D discovery signal may additionally include an indication of a group identification.
  • the indication of group identification may, for example, be included in a header portion of the D2D discovery signal.
  • the group identification may identify the group with which the security key needed to decrypt the D2D discovery information is associated, in an instance in which a private level of security is applied to the D2D discovery information.
  • a D2D discovery signal may further include an indication of a D2D transmitter identity (ID).
  • the indication of the D2D transmitter ID may, for example, identify a terminal apparatus that may generate and send the D2D discovery signal.
  • the D2D signal transmitter ID may be usable by a terminal receiving the D2D discovery signal to determine a security key that may be needed to decrypt a portion of the D2D discovery signal.
  • a D2D signal transmitter ID may be usable in addition to or in lieu of a group identification to identify a security key that may be needed to decrypt a portion of the D2D discovery signal.
  • FIG. 4 illustrates an example D2D discovery signal frame according to some example embodiments.
  • the example signal frame of FIG. 4 may include a header portion 402 and an information portion 404.
  • the information portion 404 may include D2D discovery information, which may be encrypted depending on the level of security applied to the D2D discovery information.
  • the header portion 402 may include a field 406 indicating a D2D signal transmitter ID that may be associated with a terminal that may have generated and sent the D2D discovery signal.
  • the header portion 402 may additionally or alternatively include a field 408 that may indicate a group identification.
  • the group identification field 408 may be used in an instance in which the D2D discovery frame is intended only for terminals belonging to a particular group, such as in an instance in which a private level of security may be applied to the D2D discovery information.
  • the header portion 402 may further include a field 410 that may indicate a security level that may be applied to the D2D discovery information that may be included in the information portion 404.
  • a D2D discovery controller 320 that may be associated with a terminal apparatus receiving a D2D discovery signal in accordance with various example embodiments, such as the D2D discovery signal frame illustrated in FIG.
  • the D2D discovery controller 320 may be configured to determine how to process the received signal based at least in part on the applied level of security.
  • in an instance in which an open level of security has been applied, the D2D discovery controller 320 may be configured in some example embodiments to read and process the D2D discovery information included in the signal as received.
  • at the open level of security, the D2D discovery information is not encrypted. Accordingly, the D2D discovery information may be processed in the form in which it is received, without having to be decrypted.
  • the D2D discovery controller 320 may be configured to determine a security key needed to decrypt the encrypted D2D discovery information based at least in part on the applied security level. For example, if a common level of security has been applied, the D2D discovery controller 320 may determine that a common security key is needed to decrypt the D2D discovery information. As another example, if a private level of security has been applied, the D2D discovery controller 320 may determine that a private security key is needed to decrypt the D2D discovery information. In some example embodiments, the D2D discovery controller 320 may be configured to use a group identifier and/or a D2D transmitter ID that may be included in the D2D discovery signal to identify which private security key may be needed.
  • in an instance in which the receiving terminal is permitted access to the needed security key, the D2D discovery controller 320 may use the security key to decrypt the encrypted portion, and may process the D2D discovery information. If, however, the receiving terminal is not permitted access to the needed security key, the D2D discovery controller 320 may discard the received signal without processing the signal. Accordingly, the D2D discovery controller 320 may avoid unnecessary processing overhead.
  • in an instance in which the receiving terminal already has the required security key pre-stored, the D2D discovery controller 320 may use the pre-stored security key to decrypt the encrypted portion. If, however, the receiving terminal does not already have the required security key, the D2D discovery controller 320 may cause the terminal to send a request to the network apparatus 102 for the required security key. In an instance in which the terminal is permitted access to the key, the key management controller 218 may cause the requested security key to be distributed to the terminal in response to the request.
  • the D2D discovery controller 320 may be configured to use one or more security keys that may be distributed by the network apparatus 102 to encrypt one or more portions of the D2D discovery signal. Accordingly, the D2D discovery controller 320 may be configured to request a security key(s), if not already obtained, that may be needed to apply a desired level of security to a D2D discovery signal.
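The following is an added illustration of the FIG. 4 frame layout and the receiver-side processing described above; it is example code written for this page, not code from the patent or from Renesas Mobile. The exact byte layout of fields 406, 408 and 410, the bit values 0/1/2 for open/common/private, the per-frame counter used as a nonce, and the HMAC-SHA256 based stand-in cipher are all assumptions, since the patent specifies neither a wire format nor a cipher; the header itself is left unencrypted here.

```python
import hashlib
import hmac
import struct

# Assumed encodings for the 2-bit security-level field (field 410); the
# patent only states that predefined bit values indicate the levels.
SEC_OPEN, SEC_COMMON, SEC_PRIVATE = 0, 1, 2
LEVEL_NAMES = {SEC_OPEN: "open", SEC_COMMON: "common", SEC_PRIVATE: "private"}

# Assumed header layout: 4-byte transmitter ID (field 406), 2-byte group ID
# (field 408, 0 when unused), 1 byte whose low 2 bits carry the security
# level (field 410), and a 4-byte per-frame counter used as the cipher nonce.
HEADER = struct.Struct(">IHBI")
TAG_LEN = 8  # truncated authentication tag appended to the sealed payload

# Constructed sample keys (not real key material). Different lengths mirror
# the patent's point that keys of different length give different protection.
COMMON_KEY = b"C" * 16
PRIVATE_KEYS = {0x0101: b"F" * 16, 0x0102: b"P" * 32}  # e.g. firemen, policemen


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for the unspecified cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _seal(key, header, info):
    """Encrypt-then-MAC the information portion; the header is bound by the tag."""
    body = bytes(a ^ b for a, b in zip(info, _keystream(key, header, len(info))))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def _unseal(key, header, sealed):
    """Return the plaintext, or None when the tag does not verify (wrong/stale key)."""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, header, len(body))))


def build_frame(tx_id, level, info, counter, common_key=None, private_keys=None, group_id=0):
    """Sender side: header portion 402 followed by information portion 404."""
    header = HEADER.pack(tx_id, group_id, level & 0x03, counter)
    if level == SEC_OPEN:
        return header + info          # open level: information is not encrypted
    key = common_key if level == SEC_COMMON else private_keys[group_id]
    return header + _seal(key, header, info)


def process_frame(frame, common_key=None, private_keys=None):
    """Receiver side: pick the key from the security level and group ID,
    decrypt if the key is held, otherwise report that a key request is needed."""
    private_keys = private_keys or {}
    header = frame[:HEADER.size]
    tx_id, group_id, flags, _counter = HEADER.unpack(header)
    level = flags & 0x03
    payload = frame[HEADER.size:]
    if level == SEC_OPEN:
        return {"status": "processed", "level": "open", "tx_id": tx_id, "info": payload}
    if level == SEC_COMMON:
        key = common_key
    elif level == SEC_PRIVATE:
        key = private_keys.get(group_id)   # group ID selects the private key
    else:
        return {"status": "discarded", "reason": "reserved security level"}
    if key is None:
        # Not held: the caller may request it from the network apparatus, or
        # discard the frame outright if it knows it is not a group member.
        return {"status": "key_needed", "level": LEVEL_NAMES[level],
                "group_id": group_id, "tx_id": tx_id}
    info = _unseal(key, header, payload)
    if info is None:
        return {"status": "discarded", "reason": "authentication failed (wrong or stale key)"}
    return {"status": "processed", "level": LEVEL_NAMES[level], "tx_id": tx_id, "info": info}
```

A frame sealed under a regenerated (newer) key fails the tag check with the old key, so the receiver discards it rather than acting on garbage plaintext.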
  • a header portion of a D2D discovery signal may be encrypted in addition to D2D discovery information in the D2D discovery signal.
  • the header portion may be encrypted with the same or a different key as a security key that is used to encrypt the D2D discovery information.
  • a common security key may be used to encrypt a header portion, while a private security key may be used to encrypt the D2D discovery information.
  • This arrangement may, for example, be represented as follows:
  • a first common security key may be used to encrypt a header portion, while a second common security key may be used to encrypt the D2D discovery information.
  • This arrangement may, for example, be represented as follows:
  • a first private security key may be used to encrypt a header portion, while a second private security key may be used to encrypt the D2D discovery information.
  • This arrangement may, for example, be represented as follows:
  • the first private security key (e.g. private key 1) used to encrypt the header portion may differ in length compared to the second private security key (e.g. private key 2) used to encrypt the D2D discovery information portion.
  • the D2D discovery information portion may be encrypted with a key offering stronger encryption than a key that may be used to encrypt the header portion.
  • the header portion may be encrypted with a key offering stronger encryption than a key that may be used to encrypt the D2D discovery information portion.
  • the D2D discovery information portion and header portion may be encrypted with separate keys that may offer the same level of encryption.
  • the header portion of a D2D discovery signal may, for example, be encrypted using a private key for communications for which it may be desirable and/or necessary to be entirely encrypted, such as communications that may be sent and/or received by public safety entities, military units, government agencies, and/or the like.
  • a designated private security key that may only be available to authorised policemen may be used to cipher a header portion of a D2D discovery signal intended for other policemen.
  • Private Key 1-1 may be used for/by firemen
  • Private Key 1-2 may be used for/by policemen; and so on.
  • Private Key 2-1 and Private Key 2-2 may each respectively be any private security key that may be used by the sending and intended receiving entities.
  • the key management controller 218 may be configured to periodically regenerate security keys.
  • a security key may be replaced with an updated security key, such that the replaced security key may no longer be valid for use.
  • Key regeneration may accordingly mitigate instances in which a security key may be obtained by an unauthorised entity.
  • the regeneration period may be defined based at least in part on a desired level of security.
  • the key management controller 218 may be configured to cause a terminal apparatus 104 to be notified, such as via a push notification.
  • a D2D discovery controller 320 may obtain the updated security key responsive to the notification.
  • the D2D discovery controller 320 may request the updated security key from the network apparatus 102.
  • the updated security key may automatically be provided to the terminal apparatus such that the D2D discovery controller 320 may receive the updated security key automatically sent to the terminal.
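The following added example models the network-side checks described earlier (key distribution only to terminals the D2D registration controller 220 has authenticated and, for private keys, bound to a group) together with the key regeneration and push notification described just above. It is illustrative code written for this page, not the patent's or Renesas Mobile's implementation; the class and method names, the epoch counter standing in for the regeneration period, and the sample identifiers are assumptions.

```python
import secrets


class D2DRegistrationController:
    """Records network association and private-group membership, keeping the
    binding between a higher-level identifier and the terminal's IMSI."""

    def __init__(self):
        self._associated = set()   # IMSIs that have authenticated to the network
        self._binding = {}         # IMSI -> higher-level identifier (e.g. account)
        self._groups = {}          # group ID -> set of higher-level identifiers

    def associate(self, imsi):
        self._associated.add(imsi)

    def register(self, imsi, higher_id, group_id):
        # Registration to a group requires a prior association with the network.
        if imsi not in self._associated:
            raise PermissionError("terminal must authenticate to the network first")
        self._binding[imsi] = higher_id
        self._groups.setdefault(group_id, set()).add(higher_id)

    def is_associated(self, imsi):
        return imsi in self._associated

    def is_member(self, imsi, group_id):
        return self._binding.get(imsi) in self._groups.get(group_id, set())


class KeyManagementController:
    """Generates, selectively distributes and periodically regenerates keys.
    The MME-side controller consults the registration record before handing
    out any key (cf. interface 510 in FIG. 5)."""

    def __init__(self, registration, key_len=16):
        self._reg = registration
        self._key_len = key_len
        self._epoch = 0            # bumped on every regeneration; old keys invalid
        self._common = None
        self._private = {}         # group ID -> current private key
        self._subscribers = {}     # IMSI -> push notifications delivered
        self.regenerate()

    def regenerate(self):
        """Replace every key and notify terminals holding keys (push model)."""
        self._epoch += 1
        self._common = secrets.token_bytes(self._key_len)
        for gid in list(self._private):
            self._private[gid] = secrets.token_bytes(self._key_len)
        for imsi in self._subscribers:
            self._subscribers[imsi].append(("key_update", self._epoch))
        return self._epoch

    def is_current(self, epoch):
        return epoch == self._epoch

    def request_common_key(self, imsi):
        """Common key: any terminal associated with the network may obtain it."""
        if not self._reg.is_associated(imsi):
            return None
        self._subscribers.setdefault(imsi, [])
        return self._epoch, self._common

    def request_private_key(self, imsi, group_id):
        """Private key: only for terminals authenticated as members of the group."""
        if not (self._reg.is_associated(imsi) and self._reg.is_member(imsi, group_id)):
            return None            # request denied
        if group_id not in self._private:
            self._private[group_id] = secrets.token_bytes(self._key_len)
        self._subscribers.setdefault(imsi, [])
        return self._epoch, self._private[group_id]

    def notifications(self, imsi):
        return list(self._subscribers.get(imsi, []))
```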
  • FIG. 5 illustrates an example system for facilitating secure D2D discovery according to some example embodiments. The system of FIG.
  • the D2D server 502 may be configured to handle D2D registration and management of private groups, while the MME 504 may be configured to manage generation and distribution of security keys.
  • the D2D server 502 and MME 504 may be implemented on separate apparatus, or may comprise separate logical entities that may be implemented on a single apparatus.
  • the system of FIG. 5 illustrates an example of an embodiment in which functionality of the network apparatus 102 may be divided among multiple logical entities.
  • a D2D registration controller 220 may be associated with the D2D server 502, and may be configured to control D2D registration and group management functionality of the D2D server 502.
  • a key management controller 218 may be associated with the MME 504, and may be configured to control key management functionalities of the MME 504.
  • the system of FIG. 5 may further comprise a radio access network, which may be provided at least in part by one or more network access points 506.
  • a network access point 506 may, for example, comprise an eNB or the like.
  • One or more UEs 508 may access the network via the RAN, such as via a radio uplink to a network access point 506.
  • the D2D server 502 and MME 504 may be configured to interface with each other via the interface 510.
  • the interface 510 may, for example, be used to enable the D2D server 502 and MME 504 to communicate information regarding authentication of a UE 508 as associated with the network and/or as an authenticated member of a private group.
  • the MME 504 may consult the D2D server 502 via the interface 510 for validation that a UE 508 is permitted access to a requested security key.
  • a UE 508 may be configured to interface with the D2D server 502 via an interface 512.
  • the interface 512 may facilitate authentication of a UE 508, registration of a UE 508 to a private group, and/or the like.
  • a UE 508 may be configured to interface with the MME 504 via an interface 514.
  • the interface 514 may facilitate distribution of security keys to a UE 508. Communications over the interfaces 512 and 514 may, for example, be relayed via the network access point(s) 506.
  • FIG. 6 illustrates a flowchart according to an example method for obtaining a common security key according to some example embodiments.
  • FIG. 6 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 6 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • the operations of the method of FIG. 6 may, for example, be performed prior to a need for the security key, such as prior to the security key being needed to decrypt a portion of a received D2D discovery signal. Additionally or alternatively, the operations of the method of FIG. 6 may be performed responsive to a determination that the security key is needed, such as to decrypt an encrypted portion of a received D2D discovery signal or to encrypt a portion of a D2D discovery signal to be sent.
  • Operation 600 may comprise a higher level, such as a user application or the network, initiating a D2D discovery process.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 600.
  • Operation 610 may comprise authenticating the terminal apparatus to the cellular network.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 610.
  • Operation 620 may comprise registering to a network apparatus (e.g., the network apparatus 102, D2D server 502, or the like).
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 620.
  • Operation 630 may comprise obtaining at least a common security key from the network responsive to authentication and registration of the terminal.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 630.
  • FIG. 7 illustrates a flowchart according to an example method for obtaining a private security key according to some example embodiments.
  • FIG. 7 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 7 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • the operations of the method of FIG. 7 may, for example, be performed prior to a need for the security key, such as prior to the security key being needed to decrypt a portion of a received D2D discovery signal. Additionally or alternatively, the operations of the method of FIG. 7 may be performed responsive to a determination that the security key is needed, such as to decrypt an encrypted portion of a received D2D discovery signal or to encrypt a portion of a D2D discovery signal to be sent.
  • Operation 700 may comprise a higher level, such as a user application or the network, initiating a D2D discovery process.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 700.
  • Operation 710 may comprise authenticating the terminal apparatus to the cellular network.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 710.
  • Operation 720 may comprise registering to a network apparatus (e.g., the network apparatus 102, D2D server 502, or the like).
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 720.
  • Operation 730 may comprise registering as a member of at least one private D2D group.
  • the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 730.
  • Operation 740 may comprise obtaining at least a private security key from the network responsive to registration and authentication of the terminal as a member of the D2D group.
  • FIG. 8 illustrates a flowchart according to an example method for updating a security key according to some example embodiments.
  • FIG. 8 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 8 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • Operation 800 may comprise receiving a notification from the network indicating that a security key has been replaced with an updated security key.
  • the received notification may, for example, comprise a push notification.
  • the notification may comprise an indication that may be included in received system information.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 800.
  • Operation 810 may comprise obtaining the updated security key in response to the notification.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 810.
  • FIG. 9 illustrates a flowchart according to an example method for generating a secure D2D discovery signal according to some example embodiments.
  • FIG. 9 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 9 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • Operation 900 may optionally comprise using a security key distributed by a network entity to encrypt D2D discovery information to be included in a D2D discovery signal.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 900.
  • Operation 910 may comprise generating a D2D discovery signal for transmission.
  • the generated D2D discovery signal may comprise D2D discovery information and an indication of a security level applied to the D2D discovery information.
  • the D2D discovery information included in the D2D discovery signal may comprise encrypted D2D discovery information, and the indication of the security level may be indicative of a security level of encryption applied to the D2D discovery information and a security key that may be needed to decrypt the D2D discovery information.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 910.
  • FIG. 10 illustrates a flowchart according to an example method for processing a received D2D discovery signal according to some example embodiments.
  • FIG. 10 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 10 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • Operation 1000 may comprise receiving a D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1000.
  • Operation 1010 may comprise determining, based at least in part on the indication, the security level applied to the D2D discovery information.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1010.
  • FIG. 11 illustrates a flowchart according to another example method for processing a received D2D discovery signal according to some example embodiments.
  • FIG. 11 illustrates operations that may be performed at a terminal apparatus 302.
  • the operations illustrated in and described with respect to FIG. 11 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320.
  • Operation 1100 may comprise receiving a D2D discovery signal.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1100.
  • Operation 1110 may comprise determining the security level applied to an information part of the D2D discovery signal that includes D2D discovery information.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1110.
  • the method may proceed to operation 1120, which may comprise processing the information part as it was received in the D2D discovery signal.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1120.
  • the method may proceed to operation 1130, which may comprise utilising a common key to decrypt the information part.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1130.
  • the method may proceed to operation 1140.
  • Operation 1140 may comprise checking one or more of a group identifier (ID) or a D2D transmitter ID that may be included in the D2D discovery signal, such as in a header portion of the signal.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1140.
  • Operation 1150 may comprise using the group ID and/or D2D transmitter ID to determine if the terminal has already obtained (e.g., has a pre-stored) a private security key that is usable to decrypt the information part.
  • operation 1150 may comprise determining whether the terminal has previously obtained a private security key associated with the group ID and/or with the D2D transmitter ID.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1150.
  • Operation 1160 may comprise utilising the private key for decrypting the information part.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1160.
  • Operation 1170 may comprise requesting the private security key from the network (e.g. from the network apparatus 102). The request may, for example, reference the group ID and/or D2D transmitter ID so that the network apparatus 102 may determine the appropriate private security key.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1170.
  • Operation 1180 may comprise authentication of the terminal.
  • authentication of the terminal may enable the network apparatus 102 to verify that the terminal is permitted to receive the requested private security key.
  • operation 1190 may comprise receiving the requested security key.
  • the processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1190.
  • the method may proceed to operation 1160 in which the received security key may be used to decrypt the information part.
  • FIG. 12 illustrates a flowchart according to an example method for facilitating secure D2D discovery according to some example embodiments.
  • FIG. 12 illustrates operations that may be performed at a network apparatus 202.
  • the operations illustrated in and described with respect to FIG. 12 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220.
  • Operation 1200 may comprise determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a D2D discovery signal.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1200.
  • Operation 1210 may comprise, responsive to the determination, causing the security key to be distributed to the terminal.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1210.
  • FIG. 13 illustrates a flowchart according to an example method for distributing a common security key according to some example embodiments.
  • FIG. 13 illustrates operations that may be performed at a network apparatus 202.
  • the operations illustrated in and described with respect to FIG. 13 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220.
  • Operation 1300 may comprise generating a common security key.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, and/or key management controller 218 may, for example, provide means for performing operation 1300.
  • Operation 1310 may comprise causing distribution of the common security key to an authenticated terminal.
  • An authenticated terminal may, for example, comprise a terminal that has successfully authenticated itself to the network and associated with the network.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1310.
  • the method may optionally further comprise operation 1320, which may comprise regenerating the common security key at predefined intervals and notifying the terminal that the previously distributed security key has been replaced with an updated security key.
  • operation 1320 may be performed in instances in which a higher degree of security is desired whereby security keys are periodically replaced.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1320.
  • FIG. 14 illustrates a flowchart according to an example method for distributing a private security key according to some example embodiments.
  • FIG. 14 illustrates operations that may be performed at a network apparatus 202.
  • the operations illustrated in and described with respect to FIG. 14 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220.
  • Operation 1400 may comprise generating a unique private security key for a D2D group.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, and/or key management controller 218 may, for example, provide means for performing operation 1400.
  • Operation 1410 may comprise associating the private security key with an identifier for the group and/or with identifiers for members of the group (e.g. transmitter IDs for members of the group).
  • the group identifier may facilitate decoding information encrypted using the private security key even if a single transmitter is a member of multiple private groups such that an identifier associated with the terminal may not be usable to uniquely identify the private security key.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1410.
  • Operation 1420 may comprise causing distribution of the private security key to an authenticated terminal.
  • An authenticated terminal may, for example, comprise a terminal that has registered to the D2D group associated with the private security key and been successfully authenticated as a member of the group.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1420.
  • the method may optionally further include operation 1430, which may comprise maintaining a mapping of the private security key with the D2D group ID for the D2D group and/or D2D transmitter IDs associated with members of the D2D group. In this regard, the maintained mapping may be later used to facilitate key regeneration.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1430.
  • the method may optionally additionally include operation 1440, which may comprise regenerating the private security key at predefined configured intervals and notifying the terminal that the previously distributed security key has been replaced with an updated security key.
  • operation 1440 may be performed in instances in which a higher degree of security is desired whereby security keys are periodically replaced.
  • the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1440.
  • FIGS. 6 to 14 are flowcharts of operation of a system, method and program product according to example embodiments of the invention. It will be understood that each block of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, processor, circuitry and/or other device associated with execution of software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device of an apparatus employing an embodiment of the present invention and executed by a processor in the apparatus.
  • any such computer program instructions may be loaded onto a computer or other programmable apparatus (e.g., hardware) to produce a machine, such that the resulting computer or other programmable apparatus provides for implementation of the functions specified in the flowcharts block(s).
  • These computer program instructions may also be stored in a non-transitory computer-readable storage memory that may direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage memory produce an article of manufacture the execution of which implements the function specified in the flowcharts block(s).
  • the computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operations to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowcharts block(s).
  • blocks of the flowcharts support combinations of means for performing the specified functions and combinations of operations for performing the specified functions. It will also be understood that one or more blocks of the flowcharts, and combinations of blocks in the flowcharts, can be implemented by special purpose hardware-based computer systems which perform the specified functions, or combinations of special purpose hardware and computer instructions.
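The terminal-side processing of FIG. 11 (operations 1100 to 1190) together with the network-side key distribution of FIGS. 13 and 14, as an added Go example that is not part of the patent: the frame layout, the level values, AES-GCM as the cipher, the per-frame random nonce, and the KeyServer/Terminal names are all assumptions made here, since the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed frame layout: header = level (1) | group ID (4) | nonce (12), then the information part.
const (
	LevelNone    byte = 0 // information part sent in the clear
	LevelCommon  byte = 1 // encrypted with the network-wide common key
	LevelPrivate byte = 2 // encrypted with the private key of one D2D group
	hdrLen            = 17
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key) // keys are always 16 bytes here
	g, _ := cipher.NewGCM(blk)
	return g
}

// KeyServer plays the network apparatus (operations 1300-1420): common key, one private
// key per group, and the membership records used to authenticate private-key requests.
type KeyServer struct {
	CommonKey []byte
	groupKeys map[uint32][]byte
	members   map[uint32]map[uint32]bool // group ID -> set of enrolled terminal IDs
}
func NewKeyServer() *KeyServer {
	return &KeyServer{randBytes(16), map[uint32][]byte{}, map[uint32]map[uint32]bool{}}
}
// Register enrols a terminal in a private group, generating the group key on first use.
func (ks *KeyServer) Register(groupID, termID uint32) {
	if ks.members[groupID] == nil {
		ks.members[groupID] = map[uint32]bool{}
		ks.groupKeys[groupID] = randBytes(16)
	}
	ks.members[groupID][termID] = true
}
// RequestPrivateKey releases a group key only to an authenticated member of that group.
func (ks *KeyServer) RequestPrivateKey(termID, groupID uint32) ([]byte, error) {
	if !ks.members[groupID][termID] {
		return nil, errors.New("terminal is not a member of the requested group")
	}
	return ks.groupKeys[groupID], nil
}

// Build produces a frame at the given level (operations 900-910); key is unused for LevelNone.
// The header is authenticated as associated data, so a relabelled level or group ID is rejected.
func Build(level byte, groupID uint32, key, info []byte) []byte {
	hdr := append([]byte{level, 0, 0, 0, 0}, randBytes(12)...)
	binary.BigEndian.PutUint32(hdr[1:5], groupID)
	if level == LevelNone {
		return append(hdr, info...)
	}
	return append(hdr, gcm(key).Seal(nil, hdr[5:], info, hdr)...)
}

// Terminal is a UE holding the common key from registration and the private keys it has obtained.
type Terminal struct {
	ID     uint32
	Server *KeyServer
	Keys   map[uint32][]byte // group ID -> private key already obtained (must be non-nil)
}

// Process follows FIG. 11: read the level indication, then use the information part as
// received, decrypt it with the common key, or locate/request the private key and decrypt.
func (t *Terminal) Process(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame too short")
	}
	hdr, body := frame[:hdrLen], frame[hdrLen:]
	level, groupID := hdr[0], binary.BigEndian.Uint32(hdr[1:5])
	var key []byte
	switch level {
	case LevelNone:
		return body, nil // operation 1120
	case LevelCommon:
		key = t.Server.CommonKey // operation 1130
	case LevelPrivate:
		if key = t.Keys[groupID]; key == nil { // operation 1150: not pre-stored
			k, err := t.Server.RequestPrivateKey(t.ID, groupID) // operations 1170-1180
			if err != nil {
				return nil, err // not an authenticated member: discard the signal
			}
			key, t.Keys[groupID] = k, k // operation 1190
		}
	default:
		return nil, errors.New("unknown security level")
	}
	return gcm(key).Open(nil, hdr[5:], body, hdr) // operation 1130 or 1160
}
```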

Abstract

A method is provided for facilitating secure device-to-device discovery. The method may include receiving, at a terminal (104), a device-to-device (D2D) discovery signal. The D2D discovery signal may include D2D discovery information and an indication of a security level applied to the D2D discovery information included in the D2D discovery signal. The method may include determining, based at least in part on the indication, the security level applied to the D2D discovery information. A corresponding apparatus and computer program product are also provided.

Description

METHOD, APPARATUS AND COMPUTER PROGRAM FOR
FACILITATING SECURE D2D DISCOVERY INFORMATION
Cross Reference to Related Application
This application claims the benefit under 35 U.S.C. § 119 and 37 CFR § 1.55 to UK patent application no. 1202376.8, filed on February 10th, 2012, the entire content of which is incorporated herein by reference.
Technical Field
The present invention relates to a method, apparatus and computer program for determining the security level of D2D discovery information, and to a method, apparatus and computer program for distributing a security key relating to a D2D discovery signal. Embodiments of the present invention relate generally to wireless communication technology and, in particular embodiments, relate to an apparatus, method and computer program product for facilitating secure device-to-device discovery.
Background
The modern communications era has brought about a tremendous expansion of wireless network technology, driven by consumer demands. This expansion of wireless and mobile networking technologies has addressed related consumer demands, while providing more flexibility and immediacy of information transfer and providing convenience to users. Current and future networking technologies continue to facilitate ease of information transfer and convenience to users. In order to provide easier or faster information transfer and convenience, telecommunication industry service providers are developing improvements to existing networks. One ongoing area of development in networking and communication technology is the development of device-to-device (D2D) communication technologies. D2D communication technologies may use radio resources of a hosting cellular system, but allow two computing devices, such as mobile terminals (also referred to as user equipment (UEs) or stations (STAs)), to communicate directly with each other without routing their communications through components of the cellular system.
Use of D2D communication may offer several advantages. For example, the direct communication link between mobile terminals engaged in D2D communication may result in reduced end-to-end delay time for data exchanged between the terminals as compared to indirect communication via cellular system components. Further, since communications may be offloaded from the cellular network to D2D communication links, network load may be reduced. Additional benefits of D2D communication may include improved local area coverage, improved serving network resource efficiency, and conservation of transmission power by both UEs and network access points. Additionally, D2D communication may support a variety of end user services, such as peer-to-peer applications, social applications, voice over internet protocol (VoIP) conversation, head-to-head gaming applications, collaborative applications, local advertising, network offloading, and/or other services that may involve transfer of data between computing devices that may be within relatively close proximity of each other.
Summary
According to a first aspect of the present invention, there is provided a method comprising receiving, at a terminal, a device-to-device (D2D) discovery signal, the D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the D2D discovery signal; and determining, based at least in part on the indication, the security level applied to the D2D discovery information. The method of the first example embodiment provides for secure device-to-device discovery.
According to a second aspect of the present invention, there is provided apparatus for use in a communication terminal, the apparatus comprising a processing system arranged to cause the apparatus to at least: determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal. The apparatus of the second example embodiment provides for secure device-to-device discovery.
According to a third aspect of the present invention, there is provided a computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least: determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal. The computer program product of the third example embodiment provides for secure device-to-device discovery.
There is also provided apparatus comprising: means for determining a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal. This provides for secure device-to-device discovery.
According to a fourth aspect of the present invention, there is provided a method comprising: determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, causing the security key to be distributed to the terminal. The method of the fifth example embodiment facilitates secure device-to-device discovery.
According to a fifth aspect of the present invention, there is provided apparatus for use in a network entity, the apparatus comprising a processing system arranged to cause the apparatus to at least: determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, cause the security key to be distributed to the terminal. The apparatus of the sixth example embodiment facilitates secure device-to-device discovery.
According to a sixth aspect of the present invention, there is provided a computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least: determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and responsive to the determination, cause the security key to be distributed to the terminal. The computer program product of the seventh example embodiment facilitates secure device-to-device discovery.
There is also provided apparatus comprising: means for determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and means for, responsive to the determination, causing the security key to be distributed to the terminal. This facilitates secure device-to-device discovery.
The computer programs described above may be stored in or on a computer program product comprising at least one non-transitory computer-readable storage medium having computer-readable program code stored therein, the computer-readable program code including or providing the instructions referred to above.
The processing systems described above may be provided by at least one processor and at least one memory including computer program instructions, the at least one memory and the computer program instructions being configured to, with the at least one processor, cause the apparatus at least to perform as described above.
Methods, apparatus and computer program products are provided herein for facilitating secure device-to-device discovery. Embodiments provided herein may provide several advantages to network providers, wireless service providers, computing devices, and computing device users. In this regard, some example embodiments provide varying levels of security that may be applied to D2D discovery signalling. An indication of the level of security applied to D2D discovery signalling may be included in a D2D discovery signal. Accordingly, a device receiving the D2D discovery signal may determine the level of security applied to the signal and determine whether the device is permitted to access discovery information included in the D2D discovery signal and/or how to access discovery information in the D2D discovery signal. If a device receives a D2D discovery signal having information that the device is not permitted to access, the device may discard the received signal to avoid processing overhead. In some example embodiments, a varying level of encryption security may be applied to information included within a D2D discovery signal. Some such example embodiments provide security keys distributed by a network entity that may be used for encryption and/or decryption of D2D discovery signals. Distribution of security keys of some such example embodiments is limited to a group of permitted devices, such that only devices permitted to receive a security key needed to decrypt an encrypted portion of a D2D discovery signal may obtain the security key and decrypt the encrypted portion.
Accordingly, some example embodiments allow only those devices that belong to the same predefined group to discover each other's D2D discovery signalling and establish a D2D link with each other.
The above summary is provided merely for purposes of summarising some example embodiments of the invention so as to provide a basic understanding of some aspects of the invention. Accordingly, it will be appreciated that the above described example embodiments are merely examples and should not be construed to narrow the scope or spirit of the invention in any way. It will be appreciated that the scope of the invention encompasses many potential embodiments, some of which will be further described below, in addition to those here summarised.

Brief Description of the Drawings
Having thus described embodiments of the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
FIG. 1 shows schematically an example system for facilitating secure D2D discovery according to some example embodiments;
FIG. 2 shows a schematic block diagram of a network apparatus in accordance with some example embodiments;
FIG. 3 shows a schematic block diagram of a terminal apparatus in accordance with some example embodiments;
FIG. 4 shows schematically an example D2D discovery signal frame according to some example embodiments;
FIG. 5 shows schematically an example system for facilitating secure D2D discovery according to some example embodiments;
FIG. 6 shows a flowchart according to an example method for obtaining a common security key according to some example embodiments;
FIG. 7 shows a flowchart according to an example method for obtaining a private security key according to some example embodiments;
FIG. 8 shows a flowchart according to an example method for updating a security key according to some example embodiments;
FIG. 9 shows a flowchart according to an example method for generating a secure D2D discovery signal according to some example embodiments;
FIG. 10 shows a flowchart according to an example method for processing a received D2D discovery signal according to some example embodiments;
FIG. 11 shows a flowchart according to another example method for processing a received D2D discovery signal according to some example embodiments;
FIG. 12 shows a flowchart according to an example method for facilitating secure D2D discovery according to some example embodiments;
FIG. 13 shows a flowchart according to an example method for distributing a common security key according to some example embodiments; and
FIG. 14 shows a flowchart according to an example method for distributing a private security key according to some example embodiments.
Detailed Description
Some embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. Indeed, various embodiments of the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout.
As used herein, the terms "data", "content", "information" and similar terms may be used interchangeably to refer to data capable of being transmitted, received, displayed and/or stored in accordance with various example embodiments. Thus, use of any such terms should not be taken to limit the spirit and scope of the disclosure. Further, where a computing device is described herein to receive data from another computing device, it will be appreciated that the data may be received directly from the other computing device or may be received indirectly via one or more intermediary computing devices, such as, for example, one or more servers, relays, routers, network access points, base stations, and/or the like. Additionally, where a computing device is described herein to send data "to" or "towards" another computing device, it will be appreciated that the data may be sent directly to the destination computing device, or may be relayed via one or more intermediary computing devices, such as, for example, one or more servers, relays, routers, network access points, base stations and/or the like towards the destination computing device. As used in this specification, the term "circuitry" refers to all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and (b) to combinations of circuits and software (and/or firmware), such as (as applicable): (i) to a combination of processor(s) or (ii) to portions of processor(s)/software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and (c) to circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present. This definition of "circuitry" applies to all uses of this term in this specification, including in any claims. As a further example, as used in this specification, the term "circuitry" would also cover an implementation of merely a processor (or multiple processors) or portion of a processor and its (or their) accompanying software and/or firmware. The term "circuitry" would also cover, for example and if applicable to the particular claim element, a baseband integrated circuit or applications processor integrated circuit for a mobile phone or a similar integrated circuit in a server, a cellular network device or other network device.
FIG. 1 illustrates an example system 100 for facilitating secure D2D discovery in accordance with some example embodiments. It will be appreciated that the system 100 as well as the illustrations in other figures are each provided as an example of an embodiment(s) and should not be construed to narrow the scope or spirit of the disclosure in any way. In this regard, the scope of the disclosure encompasses many potential embodiments in addition to those illustrated and described herein. As such, while FIG. 1 illustrates one example of a configuration of a system for facilitating secure D2D discovery, embodiments of the present invention may be implemented in systems having numerous other configurations.
In at least some embodiments, the system 100 includes a network apparatus 102 and a plurality of terminal apparatus 104. Two such terminal apparatus 104 are illustrated in FIG. 1 by way of example. However, it will be appreciated that the system 100 may include any number of terminal apparatus 104. In at least some embodiments, the system 100 further comprises a network 106. The network 106 may comprise one or more wireline networks, one or more wireless networks, or some combination thereof. In some example embodiments, the network 106 comprises a public land mobile network (for example, a cellular network), such as may be implemented by a network operator (for example, a cellular access provider). The network 106 may, for example, operate in accordance with current and future implementations of Third Generation Partnership Project (3GPP) Long Term Evolution (LTE) standards, including Long Term Evolution-Advanced (LTE-A) standards and/or the like. However, it will be appreciated that the network 106 is not limited to embodiment as an LTE network. In this regard, in embodiments wherein the network 106 comprises one or more cellular networks, the network 106 may employ a network implementing any type of mobile and/or wireless access mechanism, such as LTE, LTE-A, Time Division Synchronous Code Division Multiple Access (TD-SCDMA), wideband code division multiple access (W-CDMA), CDMA2000, global system for mobile communications (GSM), general packet radio service (GPRS), a wireless local area network (WLAN) access mechanism (e.g., Institute for Electrical and Electronics Engineers (IEEE) 802.11), a WIMAX access mechanism (e.g. IEEE 802.16), a wireless regional area network access mechanism (e.g. IEEE 802.22), and/or the like. As such, it will be appreciated that where references herein are made to a particular network standard and/or terminology particular to a network standard, the references are provided merely by way of example and not by way of limitation.
Thus, for example, where terminology such as "evolved Node B" or "eNB" is used, it will be appreciated that, when appropriate, terminology such as "base station", "base transceiver station", "node B", "Access Point (AP)" and appropriate networking standards may be readily used in corresponding embodiments of the invention.
A terminal apparatus 104 may comprise any computing device configured to associate with the network 106 so as to receive network access via the network 106 and to establish a D2D communication link, such as the D2D communication link 108, with another computing device, such as another terminal apparatus 104. By way of non-limiting example, a terminal apparatus 104 may be embodied as a mobile communication device, mobile telephone, personal digital assistant (PDA), smart phone, tablet computing device, pager, laptop computer, desktop computer with a cellular network adapter, portable game device, audio/video player, television device, radio receiver, a digital camera/camcorder, positioning device, some combination thereof, or the like. In some example embodiments, the terminal apparatus 104 may be embodied as a user equipment (UE) device, which may be configured to access a cellular network, such as an LTE network. It will be appreciated, however, that illustrations and discussion referencing a UE(s) are provided by way of example, and not by way of limitation, so that, where examples are described and/or illustrated to use UEs, any type of terminal apparatus may be substituted for a UE within the scope of the disclosure.
In some example embodiments, a terminal apparatus 104 may associate with and receive network access from the network 106 via a network access point, which may, for example, form a portion of a radio access network (RAN). The network access point may be configured to provide access to the network 106 to one or more terminal apparatus 104 via a radio uplink. The radio uplink may comprise a radio uplink conforming to a cellular networking standard, such as, by way of non-limiting example, an LTE standard. By way of non-limiting example, a network access point through which a terminal apparatus 104 may associate with and access the network 106 may comprise a base station, base transceiver station (BTS), node B, evolved node B (eNB), and/or the like.

A terminal apparatus 104 may be configured to communicate with the network apparatus 102 over the network 106. In this regard, the network apparatus 102 may comprise a node of the network 106. For example, in some embodiments, the network apparatus 102 may be at least partially embodied on one or more computing devices that comprise a core network (CN) entity of the network 106. In this regard, the network apparatus 102 may, for example, be at least partially embodied on a mobility management entity (MME) of the core network. Additionally or alternatively, the network apparatus may comprise one or more dedicated computing devices, such as a D2D server that may comprise a portion of a CN portion of the network 106. The network apparatus 102 may additionally or alternatively be at least partially embodied on or by one or more computing devices that comprise an element of a radio access network (RAN) portion of the network 106. In this regard, the network apparatus 102 may, for example, be at least partially embodied on an access point of the network 106, such as a base station, BTS, node B, eNB, WLAN AP and/or the like.
It will be appreciated that in some example embodiments, the network apparatus 102 may be embodied as a plurality of computing devices that collectively provide functionality attributed to the network apparatus 102 herein. In such example embodiments, the plurality of computing devices may, for example, be located in a CN portion of the network 106, a RAN portion of the network 106, or some combination thereof.

A terminal apparatus 104 may be configured with cognitive radio (CR) capabilities such that a terminal apparatus 104 may be configured to sense other terminal apparatus 104 within a proximate range and detect whether such sensed terminal apparatus 104 are configured for device-to-device (D2D) communication. In some example embodiments, terminal apparatus 104 may be configured to exchange D2D discovery signalling to enable device discovery and facilitate establishment of D2D links between devices. Accordingly, two or more terminal apparatus 104 may establish a D2D connection 108 with each other in order to engage in D2D communication with each other. A D2D connection 108 may, for example, comprise a direct radio link between two or more terminal apparatus 104 and may enable the terminal apparatus 104 engaged in D2D communication to communicate directly with each other without routing their communications via one or more elements of the network 106. The D2D connection 108 may utilise resources within a band that may be used for radio access to the network 106, such as a cellular band. Additionally or alternatively, the D2D connection 108 may utilise an unlicensed band, such as a band in the industrial, scientific, and medical (ISM) range, to facilitate wireless transmission of data between devices.
FIG. 2 illustrates a block diagram of a network apparatus 202 in accordance with some example embodiments. In this regard, the network apparatus 202 illustrates an example of an apparatus that may be implemented on a network apparatus 102 in accordance with some example embodiments. However, it should be noted that the components, devices or elements illustrated in and described with respect to FIG. 2 below may not be mandatory and thus some may be omitted in certain embodiments. Additionally, some embodiments may include further or different components, devices or elements beyond those illustrated in and described with respect to FIG. 2.
In some example embodiments, the network apparatus 202 may be implemented on an MME, a home subscriber server (HSS), a dedicated D2D server, some combination thereof, or the like. Accordingly, it will be appreciated that while the network apparatus 202 is illustrated as a single apparatus, the network apparatus 202 may comprise a plurality of separate apparatus, which may collectively comprise the network apparatus 202. Thus, for example, a first functionality attributed to the network apparatus 202 may be performed by an MME, while a second functionality that may be attributed to the network apparatus 202 may be performed by a separate entity, such as a dedicated D2D server. In embodiments wherein the network apparatus 202 comprises a plurality of separate apparatus, elements illustrated in FIG. 2 may be distributed among the plurality of apparatus. For example, a processing circuitry 210, communication interface 216, and/or the like may be implemented on each of the apparatus that may comprise the network apparatus 202. As another example, the key management controller 218 may be implemented on a first apparatus, such as an MME, HSS, and/or the like, while the D2D registration controller 220 may be implemented on a second apparatus, such as a D2D server.
In some example embodiments, the network apparatus 202 may include or otherwise be in communication with processing circuitry 210 that is configurable to perform actions in accordance with one or more example embodiments disclosed herein. In this regard, the processing circuitry 210 may be configured to perform and/or control performance of one or more functionalities of the network apparatus 202 in accordance with various example embodiments, and thus may provide means for performing functionalities of the network apparatus 202 in accordance with various example embodiments. The processing circuitry 210 may be configured to perform data processing, application execution and/or other processing and management services according to one or more example embodiments. In some embodiments, the network apparatus 202 or a portion(s) or component(s) thereof, such as the processing circuitry 210, may be embodied as or comprise a chip or chip set. In other words, the network apparatus 202 or the processing circuitry 210 may comprise one or more physical packages (e.g. chips) including materials, components and/or wires on a structural assembly (e.g. a baseboard). The structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon. The network apparatus 202 or the processing circuitry 210 may therefore, in some cases, be configured to implement an embodiment of the invention on a single chip or as a single "system-on-a-chip". As such, in some cases, a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
In some example embodiments, the processing circuitry 210 may include a processor 212 and, in some embodiments, such as that illustrated in FIG. 2, may further include memory 214. The processing circuitry 210 may be in communication with or otherwise control a communication interface 216, key management controller 218, and/or a D2D registration controller 220. The processing circuitry 210 may be embodied as a circuit chip (e.g. an integrated circuit chip) configured (e.g. with hardware, software or a combination of hardware and software) to perform operations described herein. However, in some embodiments, the processing circuitry 210 may be embodied as a portion of a server, computer, workstation or other computing device.
In some example embodiments, one or more of the elements illustrated in FIG. 2 may provide a processing system, which may be arranged to perform one or more functionalities attributed to the network apparatus 202 in accordance with various example embodiments. In this regard, in some example embodiments, the processing circuitry 210, processor 212, memory 214, communication interface 216, key management controller 218, D2D registration controller 220, or some combination thereof may form a processing system.
The processor 212 may be embodied in a number of different ways. For example, the processor 212 may be embodied as various processing means such as one or more of a microprocessor or other processing element, a coprocessor, a controller or various other computing or processing devices including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), or the like. Although illustrated as a single processor, it will be appreciated that the processor 212 may comprise a plurality of processors. The plurality of processors may be in operative communication with each other and may be collectively configured to perform one or more functionalities of the network apparatus 202 as described herein. The plurality of processors may be embodied on a single computing device or distributed across a plurality of computing devices collectively configured to function as the network apparatus 202. In some example embodiments, the processor 212 may be configured to execute instructions stored in the memory 214 or otherwise accessible to the processor 212. As such, whether configured by hardware or by a combination of hardware and software, the processor 212 may represent an entity (e.g. physically embodied in circuitry, in the form of processing circuitry 210) capable of performing operations according to embodiments of the present invention while configured accordingly. Thus, for example, when the processor 212 is embodied as an ASIC, FPGA or the like, the processor 212 may be specifically configured hardware for conducting the operations described herein. Alternatively, as another example, when the processor 212 is embodied as an executor of software instructions, the instructions may specifically configure the processor 212 to perform one or more operations described herein.
In some example embodiments, the memory 214 may include one or more non-transitory memory devices such as, for example, volatile and/or non-volatile memory that may be either fixed or removable. In this regard, the memory 214 may comprise a non-transitory computer-readable storage medium. It will be appreciated that while the memory 214 is illustrated as a single memory, the memory 214 may comprise a plurality of memories. The plurality of memories may be embodied on a single computing device or may be distributed across a plurality of computing devices collectively configured to function as the network apparatus 202. The memory 214 may be configured to store information, data, applications, instructions or the like for enabling the network apparatus 202 to carry out various functions in accordance with one or more example embodiments. For example, the memory 214 may be configured to buffer input data for processing by the processor 212. Additionally or alternatively, the memory 214 may be configured to store instructions for execution by the processor 212. As yet another alternative, the memory 214 may include one or more databases that may store a variety of files, contents or data sets. Among the contents of the memory 214, applications may be stored for execution by the processor 212 in order to carry out the functionality associated with each respective application. In some cases, the memory 214 may be in communication with one or more of the processor 212, communication interface 216, key management controller 218, or D2D registration controller 220 via a bus(es) for passing information among components of the network apparatus 202.

The communication interface 216 may include one or more interface mechanisms for enabling communication with other devices and/or networks. In some example embodiments, the communication interface 216 may be any means such as a device or circuitry embodied in either hardware, or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device or module that may be in communication with the processing circuitry 210. By way of example, the communication interface 216 may be configured to facilitate communication between one or more terminal apparatus 104 and the network apparatus 202. The communication interface 216 may accordingly include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network and/or a communication modem or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB), Ethernet or other methods.
In some example embodiments, the processor 212 (or the processing circuitry 210) may be embodied as, include, or otherwise control a key management controller 218. As such, the key management controller 218 may be embodied as various means, such as circuitry, hardware, a computer program product comprising a computer readable medium (for example, the memory 214) storing computer readable program instructions executable by a processing device (for example, the processor 212), or some combination thereof. The key management controller 218 may be capable of communication with one or more of the memory 214, communication interface 216, or D2D registration controller 220 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the key management controller 218 as described herein.

In some example embodiments, the processor 212 (or the processing circuitry 210) may additionally or alternatively be embodied as, include, or otherwise control a D2D registration controller 220. As such, the D2D registration controller 220 may be embodied as various means, such as circuitry, hardware, a computer program product comprising a computer readable medium (for example, the memory 214) storing computer readable program instructions executable by a processing device (for example, the processor 212), or some combination thereof. The D2D registration controller 220 may be capable of communication with one or more of the memory 214, communication interface 216, or key management controller 218 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the D2D registration controller 220 as described herein.

FIG. 3 illustrates a block diagram of a terminal apparatus 302 in accordance with some example embodiments. The terminal apparatus 302 may comprise an apparatus that may be implemented on a terminal apparatus 104 in accordance with some example embodiments. It should be noted, however, that the components, devices or elements illustrated in and described with respect to FIG. 3 below may not be mandatory and thus some may be omitted in certain embodiments. Additionally, some embodiments may include further or different components, devices or elements beyond those illustrated in and described with respect to FIG. 3.
In some example embodiments, the terminal apparatus 302 may include or otherwise be in communication with processing circuitry 310 that is configurable to perform actions in accordance with one or more example embodiments disclosed herein. In this regard, the processing circuitry 310 may be configured to perform and/or control performance of one or more functionalities of the terminal apparatus 302 in accordance with various example embodiments, and thus may provide means for performing functionalities of the terminal apparatus 302 in accordance with various example embodiments. The processing circuitry 310 may be configured to perform data processing, application execution and/or other processing and management services according to one or more example embodiments. In some embodiments, the terminal apparatus 302 or a portion(s) or component(s) thereof, such as the processing circuitry 310, may be embodied as or comprise a chip or chip set. In other words, the terminal apparatus 302 or the processing circuitry 310 may comprise one or more physical packages (e.g. chips) including materials, components and/or wires on a structural assembly (e.g. a baseboard). The structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon. The terminal apparatus 302 or the processing circuitry 310 may therefore, in some cases, be configured to implement an embodiment of the invention on a single chip or as a single "system-on-a-chip". As such, in some cases, a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
In some example embodiments, the processing circuitry 310 may include a processor 312 and, in some embodiments, such as that illustrated in FIG. 3, may further include memory 314. The processing circuitry 310 may be in communication with or otherwise control a user interface 316, a communication interface 318, and/or a D2D discovery controller 320. As such, the processing circuitry 310 may be embodied as a circuit chip (e.g. an integrated circuit chip) configured (e.g. with hardware, software or a combination of hardware and software) to perform operations described herein.
In some example embodiments, one or more of the elements illustrated in FIG. 3 may provide a processing system, which may be arranged to perform one or more functionalities attributed to the terminal apparatus 302 in accordance with various example embodiments. In this regard, in some example embodiments, the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, D2D discovery controller 320, or some combination thereof may form a processing system.
The processor 312 may be embodied in a number of different ways. For example, the processor 312 may be embodied as various processing means such as one or more of a microprocessor or other processing element, a coprocessor, a controller or various other computing or processing devices including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), or the like. Although illustrated as a single processor, it will be appreciated that the processor 312 may comprise a plurality of processors. The plurality of processors may be in operative communication with each other and may be collectively configured to perform one or more functionalities of the terminal apparatus 302 as described herein. The plurality of processors may be embodied on a single computing device or distributed across a plurality of computing devices collectively configured to function as the terminal apparatus 302. In some example embodiments, the processor 312 may be configured to execute instructions stored in the memory 314 or otherwise accessible to the processor 312. As such, whether configured by hardware or by a combination of hardware and software, the processor 312 may represent an entity (e.g. physically embodied in circuitry, in the form of processing circuitry 310) capable of performing operations according to embodiments of the present invention while configured accordingly. Thus, for example, when the processor 312 is embodied as an ASIC, FPGA or the like, the processor 312 may be specifically configured hardware for conducting the operations described herein. Alternatively, as another example, when the processor 312 is embodied as an executor of software instructions, the instructions may specifically configure the processor 312 to perform one or more operations described herein.
In some example embodiments, the memory 314 may include one or more non-transitory memory devices such as, for example, volatile and/or non-volatile memory that may be either fixed or removable. In this regard, the memory 314 may comprise a non-transitory computer-readable storage medium. It will be appreciated that while the memory 314 is illustrated as a single memory, the memory 314 may comprise a plurality of memories. The plurality of memories may be embodied on a single computing device or may be distributed across a plurality of computing devices collectively configured to function as the terminal apparatus 302. The memory 314 may be configured to store information, data, applications, instructions or the like for enabling the terminal apparatus 302 to carry out various functions in accordance with one or more example embodiments. For example, the memory 314 may be configured to buffer input data for processing by the processor 312. Additionally or alternatively, the memory 314 may be configured to store instructions for execution by the processor 312. As yet another alternative, the memory 314 may include one or more databases that may store a variety of files, contents or data sets. Among the contents of the memory 314, applications may be stored for execution by the processor 312 in order to carry out the functionality associated with each respective application. In some cases, the memory 314 may be in communication with one or more of the processor 312, user interface 316, communication interface 318, or D2D discovery controller 320 via a bus(es) for passing information among components of the terminal apparatus 302.
The user interface 316 (if implemented) may be in communication with the processing circuitry 310 to receive an indication of a user input at the user interface 316 and/or to provide an audible, visual, mechanical or other output to the user. As such, the user interface 316 may include, for example, a keyboard, a mouse, a joystick, a display, a touch screen, a microphone, a speaker, and/or other input/output mechanisms.
The communication interface 318 may include one or more interface mechanisms for enabling communication with other devices and/or networks. In some cases, the communication interface 318 may be any means such as a device or circuitry embodied in either hardware, or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device or module in communication with the processing circuitry 310. By way of example, the communication interface 318 may be configured to provide a cellular network interface (e.g. a cellular modem) to enable the terminal apparatus 302 to interface with a cellular network, such as via an access point. Accordingly, in some example embodiments, the communication interface 318 may be configured to enable the terminal apparatus 302 to associate with and access the network 106. As another example, the communication interface 318 may provide an interface to enable the terminal apparatus 302 to engage in D2D communication with another terminal apparatus, such as via a D2D connection 108. The communication interface 318 may include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network (e.g. a cellular network, WSN, and/or the like) and/or a communication modem or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB), Ethernet or other methods.
In some example embodiments, the processor 312 (or the processing circuitry 310) may be embodied as, include, or otherwise control a D2D discovery controller 320. As such, the D2D discovery controller 320 may be embodied as various means, such as circuitry, hardware, a computer program product comprising computer readable program instructions stored on a computer readable medium (for example, the memory 314) and executed by a processing device (for example, the processor 312), or some combination thereof. The D2D discovery controller 320 may be capable of communication with one or more of the memory 314, user interface 316, or communication interface 318 to access, receive, and/or send data as may be needed to perform one or more of the functionalities of the D2D discovery controller 320 as described herein.
In some example embodiments, the D2D discovery controller 320 may be configured to generate and/or process a D2D discovery signal frame, which may be sent by a terminal, such as a terminal 104, to facilitate device discovery and setup of a D2D connection. The D2D discovery signal frame may include a portion containing D2D discovery information. In some example embodiments, the D2D discovery information included in a D2D discovery signal may be protected with one of several levels of security, as described below.
For example, an "open" level of security may be applied to D2D discovery information included in a D2D discovery signal. In some example embodiments, in an instance in which an open security level is applied to D2D discovery information, the D2D discovery information is not encrypted.
As another example, a "common" level of security may be applied to D2D discovery information included in a D2D discovery signal. In some example embodiments, in an instance in which a common level of security is applied, the D2D discovery information may be encrypted with a common security key. The common security key may, for example, be generated and distributed by the network apparatus 102 to any terminal apparatus that has associated with the network 106. In some example embodiments, a common security key may be used across the network 106. Additionally or alternatively, in some example embodiments, a common security key may be used across a portion of the network 106, such as within a single serving cell, a group of cells, a single D2D discovery area, a group of D2D discovery areas, a tracking area, a group of tracking areas, and/or the like.
In some example embodiments, multiple common security keys may be used within a given network portion. In such example embodiments, the multiple common security keys may offer multiple levels of security. In this regard, by way of example, each common security key may have a different length, thus offering a different level of protection to data encrypted with the key. In some example embodiments, the key management controller 218 may be configured to generate and control distribution of common keys and/or other security keys that may be used for encrypting and/or decrypting portions of D2D discovery signals. In this regard, as will be described further herein below, the key management controller 218 may be configured in some example embodiments to cause common security keys to be distributed to terminal apparatus 104 that have successfully authenticated themselves to and are associated with the network 106. In some example embodiments, the D2D registration controller 220 may be configured to authenticate that a terminal apparatus 104 has associated with the network 106, and the key management controller 218 may selectively control distribution of a common security key to a terminal apparatus 104 based at least in part on whether the D2D registration controller 220 has authenticated the terminal apparatus 104.
As a further example, a "private" level of security may be applied to D2D discovery information included in a D2D discovery signal. In some example embodiments, in an instance in which a private level of security is applied, the D2D discovery information may be encrypted with a private security key that may be available to only a predefined group of one or more devices.
A private security key may, for example, be generated by the network apparatus 102, and may be associated with a predefined group of one or more devices. The network apparatus 102 may be configured to distribute a private security key to a terminal apparatus 104 only if the terminal apparatus 104 successfully authenticates itself as a member of the predefined group of one or more devices with which the private key is associated. If a terminal apparatus requesting a private security key is not a member of the group with which the private security key is associated and/or is not successfully authenticated as a member of the group with which the private security key is associated, the key request may be denied. In some example embodiments, a key management controller 218 that may be associated with a network apparatus 102 may be configured to control generation and distribution of a private security key. In some example embodiments, the D2D registration controller 220 may be configured to maintain a record of membership in one or more private groups. A single terminal apparatus may be registered as a member of multiple private groups in some example embodiments. In some example embodiments, a terminal apparatus 104 and/or user thereof may provide registration information for registration of a terminal apparatus 104 as a member of a group. For example, in some example embodiments, members of a group may be known to the D2D registration controller 220 based at least in part on a higher level identifier, such as a Skype account identifier, email address, a user name/password combination, an Internet handle, and/or the like. A D2D registration controller 220 that may be associated with a terminal apparatus 104 may cause the terminal apparatus 104 to provide registration information to the network apparatus 102 for registering the terminal apparatus 104 as a member of a group. 
The registration information may enable the D2D registration controller 220 to authenticate that the terminal apparatus 104 is a member of a group. For example, the registration information may comprise a higher level identifier that may be usable by the D2D registration controller 220 to verify that the terminal apparatus 104 and/or user thereof is a member of the group and a lower level identifier of the terminal apparatus 104, such as an International Mobile Subscriber Identity (IMSI) or the like. The D2D registration controller 220 may be configured to create and maintain a binding between the higher level identifier and the lower level identifier so that the terminal apparatus 104 may be authenticated as a member of the group while associated with the network.
In some example embodiments, multiple private security keys may be associated with a given group of one or more devices. In such example embodiments, the multiple private security keys may offer multiple levels of security. In this regard, by way of example, each private security key may have a different length, thus offering a different level of protection to data encrypted with the key.
In some example embodiments, a D2D discovery signal may include an indication of the security level applied to D2D discovery information included in the D2D discovery signal. The indication of the security level may, for example, be included in a header of the D2D discovery signal, such as in a header portion of a D2D discovery frame that may comprise the signal. For example, the indication may be included in a field of the header.
The indication of the security level may, for example, comprise a predefined set of bits that may be included in the D2D discovery signal. Predefined bit values may indicate specified levels of security. For example, in some example embodiments a 2 bit field may be used to indicate the security level. By way of example, the following bit value-security level associations may be defined and used in accordance with some example embodiments:
Bits   Meaning
00     Open (no) security
01     Common security
10     Private security
11     Reserved
In some example embodiments, a D2D discovery signal may additionally include an indication of a group identification. The indication of group identification may, for example, be included in a header portion of the D2D discovery signal. In an instance in which a private level of security is applied to the D2D discovery information, the group identification may identify the group with which the security key needed to decrypt the D2D discovery information is associated.
In some example embodiments, a D2D discovery signal may further include an indication of a D2D transmitter identity (ID). The indication of the D2D transmitter ID may, for example, identify a terminal apparatus that may generate and send the D2D discovery signal. In some example embodiments, the D2D signal transmitter ID may be usable by a terminal receiving the D2D discovery signal to determine a security key that may be needed to decrypt a portion of the D2D discovery signal. In this regard, a D2D signal transmitter ID may be usable in addition to or in lieu of a group identification to identify a security key that may be needed to decrypt a portion of the D2D discovery signal.
FIG. 4 illustrates an example D2D discovery signal frame according to some example embodiments. The example signal frame of FIG. 4 may include a header portion 402 and an information portion 404. The information portion 404 may include D2D discovery information, which may be encrypted depending on the level of security applied to the D2D discovery information. In some example embodiments, the header portion 402 may include a field 406 indicating a D2D signal transmitter ID that may be associated with a terminal that may have generated and sent the D2D discovery signal. The header portion 402 may additionally or alternatively include a field 408 that may indicate a group identification. The group identification field 408 may be used in an instance in which the D2D discovery frame is intended only for terminals belonging to a particular group, such as in an instance in which a private level of security may be applied to the D2D discovery information. The header portion 402 may further include a field 410 that may indicate a security level that may be applied to the D2D discovery information that may be included in the information portion 404. In some example embodiments, a D2D discovery controller 320 that may be associated with a terminal apparatus receiving a D2D discovery signal in accordance with various example embodiments, such as the D2D discovery signal frame illustrated in FIG. 4, may be configured to determine the security level applied to the D2D discovery information in the D2D discovery signal based at least in part on the indication of the applied security level which may be included in the D2D discovery signal. The D2D discovery controller 320 may be configured to determine how to process the received signal based at least in part on the applied level of security.
In an instance in which an open level of security has been applied, the D2D discovery controller 320 may be configured in some example embodiments to read and process the D2D discovery information included in the signal as received. In this regard, when an open level of security is applied in some example embodiments, the D2D discovery information is not encrypted. Accordingly, the D2D discovery information may be processed in the form in which it is received, without having to be decrypted.
In an instance in which the D2D discovery information has been encrypted, the D2D discovery controller 320 may be configured to determine a security key needed to decrypt the encrypted D2D discovery information based at least in part on the applied security level. For example, if a common level of security has been applied, the D2D discovery controller 320 may determine that a common security key is needed to decrypt the D2D discovery information. As another example, if a private level of security has been applied, the D2D discovery controller 320 may determine that a private security key is needed to decrypt the D2D discovery information. In some example embodiments, the D2D discovery controller 320 may be configured to use a group identifier and/or a D2D transmitter ID that may be included in the D2D discovery signal to identify which private security key may be needed.
If a terminal apparatus receiving a D2D discovery signal having an encrypted portion is permitted access to a security key needed to decrypt the encrypted portion, the D2D discovery controller 320 may use the security key to decrypt the encrypted portion, and may process the D2D discovery information. If, however, the receiving terminal is not permitted access to the needed security key, the D2D discovery controller 320 may discard the received signal without processing the signal. Accordingly, the D2D discovery controller 320 may avoid unnecessary processing overhead.
If a terminal apparatus receiving a D2D discovery signal comprising an encrypted portion has already received the security key needed to decrypt the encrypted portion, the D2D discovery controller 320 may use the pre-stored security key to decrypt the encrypted portion. If, however, the receiving terminal does not already have the required security key, the D2D discovery controller 320 may cause the terminal to send a request to the network apparatus 102 for the required security key. In an instance in which the terminal is permitted access to the key, the key management controller 218 may cause the requested security key to be distributed to the terminal in response to the request.
In example embodiments wherein the D2D discovery controller 320 is configured to generate a D2D discovery signal, the D2D discovery controller 320 may be configured to use one or more security keys that may be distributed by the network apparatus 102 to encrypt one or more portions of the D2D discovery signal. Accordingly, the D2D discovery controller 320 may be configured to request a security key(s), if not already obtained, that may be needed to apply a desired level of security to a D2D discovery signal.
In some example embodiments, a header portion of a D2D discovery signal may be encrypted in addition to D2D discovery information in the D2D discovery signal. The header portion may be encrypted with the same or a different key as a security key that is used to encrypt the D2D discovery information.
For example, a common security key may be used to encrypt a header portion, while a private security key may be used to encrypt the D2D discovery information. This arrangement may, for example, be represented as follows:

|        Common Key 1        |          Private Key 1          |
[D2D Discovery Frame Header] [D2D discovery Frame Message Part]

As a further example, a first common security key may be used to encrypt a header portion, while a second common security key may be used to encrypt the D2D discovery information. This arrangement may, for example, be represented as follows:

|        Common Key 1        |          Common Key 2           |
[D2D Discovery Frame Header] [D2D discovery Frame Message Part]

As yet another example, a first private security key may be used to encrypt a header portion, while a second private security key may be used to encrypt the D2D discovery information. This arrangement may, for example, be represented as follows:

|        Private Key 1       |          Private Key 2          |
[D2D Discovery Frame Header] [D2D discovery Frame Message Part]
In this example, the first private security key (e.g. private key 1) used to encrypt the header portion may differ in length compared to the second private security key (e.g. private key 2) used to encrypt the D2D discovery information portion. For example, the D2D discovery information portion may be encrypted with a key offering stronger encryption than a key that may be used to encrypt the header portion. However, it will be appreciated that embodiments are not so limited, as alternatively the header portion may be encrypted with a key offering stronger encryption than a key that may be used to encrypt the D2D discovery information portion. As still a further example, the D2D discovery information portion and header portion may be encrypted with separate keys that may offer the same level of encryption. The header portion of a D2D discovery signal may, for example, be encrypted using a private key for communications for which it may be desirable and/or necessary to be entirely encrypted, such as communications that may be sent and/or received by public safety entities, military units, government agencies, and/or the like. For example, a designated private security key that may only be available to authorised policemen may be used to cipher a header portion of a D2D discovery signal intended for other policemen. There may be a separate designated private security key for firemen communicating to other firemen. As an example:
Private Key 1-1 may be used for/by firemen;
Private Key 1-2 may be used for/by policemen; etc.

|       Private Key 1-1      |         Private Key 2-1         |
[D2D Discovery Frame Header] [D2D discovery Frame Message Part]

|       Private Key 1-2      |         Private Key 2-2         |
[D2D Discovery Frame Header] [D2D discovery Frame Message Part]
This way, a potential intercepting party cannot detect what kind of traffic is transmitted in the direct communication network (or by which entity) for traffic ciphered with a key the interceptor does not hold, even if the interceptor obtains one of the private keys (e.g. the private key 1-1). Private Key 2-1 and Private Key 2-2 may each respectively be any private security key that may be used by the sending and intended receiving entities.

In some example embodiments, the key management controller 218 may be configured to periodically regenerate security keys. In this regard, a security key may be replaced with an updated security key, such that the replaced security key is no longer valid for use. Key regeneration may accordingly limit the period during which a security key obtained by an unauthorised entity remains useful to it. The regeneration period may be defined based at least in part on a desired level of security. In this regard, a shorter regeneration period may be enforced if a higher level of security is desired. In an instance in which a security key is replaced with an updated security key, the key management controller 218 may be configured to cause a terminal apparatus 104 to be notified, such as via a push notification. A D2D discovery controller 320 may obtain the updated security key responsive to the notification. For example, the D2D discovery controller 320 may request the updated security key from the network apparatus 102. Alternatively, as another example, the updated security key may be provided to the terminal apparatus automatically, such that the D2D discovery controller 320 receives the updated security key without requesting it.

FIG. 5 illustrates an example system for facilitating secure D2D discovery according to some example embodiments. The system of FIG. 5 may comprise a D2D server 502 and an MME 504, which may be implemented in a core network portion of a network, such as the network 106.
The D2D server 502 may be configured to handle D2D registration and management of private groups, while the MME 504 may be configured to manage generation and distribution of security keys. The D2D server 502 and MME 504 may be implemented on separate apparatus, or may comprise separate logical entities that may be implemented on a single apparatus. In this regard, the system of FIG. 5 illustrates an example of an embodiment in which functionality of the network apparatus 102 may be divided among multiple logical entities. A D2D registration controller 220 may be associated with the D2D server 502, and may be configured to control D2D registration and group management functionality of the D2D server 502. A key management controller 218 may be associated with the MME 504, and may be configured to control key management functionalities of the MME 504.
The system of FIG. 5 may further comprise a radio access network, which may be provided at least in part by one or more network access points 506. A network access point 506 may, for example, comprise an eNB or the like. One or more UEs 508 may access the network via the RAN, such as via a radio uplink to a network access point 506. The D2D server 502 and MME 504 may be configured to interface with each other via the interface 510. The interface 510 may, for example, be used to enable the D2D server 502 and MME 504 to communicate information regarding authentication of a UE 508 as associated with the network and/or as an authenticated member of a private group. In this regard, the MME 504 may consult the D2D server 502 via the interface 510 for validation that a UE 508 is permitted access to a requested security key.
A UE 508 may be configured to interface with the D2D server 502 via an interface 512. In this regard, the interface 512 may facilitate authentication of a UE 508, registration of a UE 508 to a private group, and/or the like. A UE 508 may be configured to interface with the MME 504 via an interface 514. In this regard, the interface 514 may facilitate distribution of security keys to a UE 508. Communications over the interfaces 512 and 514 may, for example, be relayed via the network access point(s) 506.
FIG. 6 illustrates a flowchart according to an example method for obtaining a common security key according to some example embodiments. In this regard, FIG. 6 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 6 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. The operations of the method of FIG. 6 may, for example, be performed prior to a need for the security key, such as prior to the security key being needed to decrypt a portion of a received D2D discovery signal. Additionally or alternatively, the operations of the method of FIG. 6 may be performed responsive to a determination that the security key is needed, such as to decrypt an encrypted portion of a received D2D discovery signal or to encrypt a portion of a D2D discovery signal to be sent.
Operation 600 may comprise a higher level, such as a user application or the network, initiating a D2D discovery process. The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 600. Operation 610 may comprise authenticating the terminal apparatus to the cellular network. The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 610. Operation 620 may comprise registering to a network apparatus (e.g., the network apparatus 102, D2D server 502, or the like). The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 620. Operation 630 may comprise obtaining at least a common security key from the network responsive to authentication and registration of the terminal. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 630.
FIG. 7 illustrates a flowchart according to an example method for obtaining a private security key according to some example embodiments. In this regard, FIG. 7 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 7 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. The operations of the method of FIG. 7 may, for example, be performed prior to a need for the security key, such as prior to the security key being needed to decrypt a portion of a received D2D discovery signal. Additionally or alternatively, the operations of the method of FIG. 7 may be performed responsive to a determination that the security key is needed, such as to decrypt an encrypted portion of a received D2D discovery signal or to encrypt a portion of a D2D discovery signal to be sent.

Operation 700 may comprise a higher level, such as a user application or the network, initiating a D2D discovery process. The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 700. Operation 710 may comprise authenticating the terminal apparatus to the cellular network. The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 710. Operation 720 may comprise registering to a network apparatus (e.g., the network apparatus 102, D2D server 502, or the like). The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 720. Operation 730 may comprise registering as a member of at least one private D2D group. The processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 730. Operation 740 may comprise obtaining at least a private security key from the network responsive to registration and authentication of the terminal as a member of the D2D group. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 740.

FIG. 8 illustrates a flowchart according to an example method for updating a security key according to some example embodiments. In this regard, FIG. 8 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 8 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. Operation 800 may comprise receiving a notification from the network indicating that a security key has been replaced with an updated security key. The received notification may, for example, comprise a push notification. In some example embodiments, the notification may comprise an indication that may be included in received system information. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 800. Operation 810 may comprise obtaining the updated security key in response to the notification. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 810.
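The following is an added example, not code from the patent or from Renesas Mobile, modelling the network side of the key distribution described above: the D2D server 502 (registration controller 220) keeps the network association, the binding of a higher-level identifier to a lower-level identifier such as an IMSI, and private group membership; the MME 504 (key management controller 218) releases a common key only to associated terminals and a private key only to authenticated group members, consulting the D2D server as over interface 510, regenerates keys on a period that is shorter for the private level, and queues a push notification for every terminal holding a replaced key, which is what the terminal procedures of FIG. 6 to FIG. 8 drive from the other side. The regeneration periods, the scope tuples, the identifiers and the injected clock are assumptions made for the example; the patent fixes none of them.

```python
"""Added example: network side of FIG. 5 to FIG. 8 (D2D server plus MME key
manager). Periods, identifiers and the clock are assumptions, stdlib only."""
import os
from dataclasses import dataclass


class D2DServer:
    """D2D registration controller 220: association, higher-to-lower identifier
    binding (e.g. account name -> IMSI) and private group membership."""

    def __init__(self):
        self.associated = set()   # lower-level IDs authenticated to the network
        self.bindings = {}        # higher-level ID -> lower-level ID
        self.groups = {}          # group_id -> set of higher-level IDs

    def authenticate(self, imsi: str):                       # operation 610/710
        self.associated.add(imsi)

    def register(self, higher_id: str, imsi: str):          # operation 620/720
        if imsi not in self.associated:
            raise PermissionError("terminal not associated with the network")
        self.bindings[higher_id] = imsi

    def join_group(self, higher_id: str, group_id: int):     # operation 730
        if higher_id not in self.bindings:
            raise PermissionError("unknown higher-level identifier")
        self.groups.setdefault(group_id, set()).add(higher_id)

    def is_member(self, imsi: str, group_id: int) -> bool:
        """The validation the MME asks for over interface 510."""
        return any(self.bindings[h] == imsi for h in self.groups.get(group_id, ()))


@dataclass
class KeyVersion:
    key: bytes
    version: int
    issued_at: int


class KeyManager:
    """Key management controller 218 hosted on the MME 504."""
    # Assumed regeneration periods in seconds: shorter for the higher level.
    PERIOD = {"common": 3600, "private": 600}

    def __init__(self, server: D2DServer, clock):
        self.server = server
        self.clock = clock   # injectable time source so rotation can be tested
        self.keys = {}       # scope -> KeyVersion; scope = ("common", None) or ("private", gid)
        self.holders = {}    # scope -> set of IMSIs that fetched that scope
        self.pending = {}    # imsi -> scopes for which a newer key exists

    def _regenerate(self, scope) -> KeyVersion:
        prev = self.keys.get(scope)
        kv = KeyVersion(os.urandom(32), (prev.version + 1) if prev else 1, self.clock())
        self.keys[scope] = kv
        for imsi in self.holders.get(scope, ()):   # push notification (operation 800)
            self.pending.setdefault(imsi, []).append(scope)
        return kv

    def current(self, scope) -> KeyVersion:
        """Valid key for a scope; rolled over once its period has elapsed."""
        kv = self.keys.get(scope)
        if kv is None or self.clock() - kv.issued_at >= self.PERIOD[scope[0]]:
            kv = self._regenerate(scope)
        return kv

    def request_key(self, imsi: str, scope):
        """Operations 630/740/810 seen from the network; None means denied."""
        if imsi not in self.server.associated:
            return None
        if scope[0] == "private" and not self.server.is_member(imsi, scope[1]):
            return None
        kv = self.current(scope)
        self.holders.setdefault(scope, set()).add(imsi)
        return kv

    def is_valid(self, scope, version: int) -> bool:
        """A replaced key is no longer valid: only the current version is."""
        return self.current(scope).version == version

    def pending_notifications(self, imsi: str):
        """Drain the notifications queued for a terminal (the push in FIG. 8)."""
        return self.pending.pop(imsi, [])
```

Denial is returned rather than raised from request_key because the patent treats a refused key request as a normal outcome of the protocol; the raise in register and join_group marks a terminal that skipped a step. Nothing here is sent over an interface; the two classes stand for the two logical entities of FIG. 5 and would be split across processes behind interfaces 510, 512 and 514 in a real core network.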
FIG. 9 illustrates a flowchart according to an example method for generating a secure D2D discovery signal according to some example embodiments. In this regard, FIG. 9 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 9 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. Operation 900 may optionally comprise using a security key distributed by a network entity to encrypt D2D discovery information to be included in a D2D discovery signal. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 900. Operation 910 may comprise generating a D2D discovery signal for transmission. The generated D2D discovery signal may comprise D2D discovery information and an indication of a security level applied to the D2D discovery information. In an instance in which operation 900 is performed, the D2D discovery information included in the D2D discovery signal may comprise encrypted D2D discovery information, and the indication of the security level may be indicative of a security level of encryption applied to the D2D discovery information and a security key that may be needed to decrypt the D2D discovery information. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 910.
FIG. 10 illustrates a flowchart according to an example method for processing a received D2D discovery signal according to some example embodiments. In this regard, FIG. 10 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 10 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. Operation 1000 may comprise receiving a D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1000. Operation 1010 may comprise determining, based at least in part on the indication, the security level applied to the D2D discovery information. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1010.
FIG. 11 illustrates a flowchart according to another example method for processing a received D2D discovery signal according to some example embodiments. In this regard, FIG. 11 illustrates operations that may be performed at a terminal apparatus 302. The operations illustrated in and described with respect to FIG. 11 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 310, processor 312, memory 314, user interface 316, communication interface 318, or D2D discovery controller 320. Operation 1100 may comprise receiving a D2D discovery signal. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1100. Operation 1110 may comprise determining the security level applied to an information part of the D2D discovery signal that includes D2D discovery information. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1110. In an instance in which it is determined at operation 1110 that an open level of security was applied, the method may proceed to operation 1120, which may comprise processing the information part as it was received in the D2D discovery signal. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1120. Alternatively, in an instance in which it is determined at operation 1110 that a common level of security was applied, the method may proceed to operation 1130, which may comprise utilising a common key to decrypt the information part. 
The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1130. As still a further alternative, in an instance in which it is determined at operation 1110 that a private level of security was applied, the method may proceed to operation 1140. Operation 1140 may comprise checking one or more of a group identifier (ID) or a D2D transmitter ID that may be included in the D2D discovery signal, such as in a header portion of the signal. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1140. Operation 1150 may comprise using the group ID and/or D2D transmitter ID to determine if the terminal has already obtained (e.g., has a pre-stored) a private security key that is usable to decrypt the information part. In this regard, operation 1150 may comprise determining whether the terminal has previously obtained a private security key associated with the group ID and/or with the D2D transmitter ID. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1150.
In an instance in which it is determined at operation 1150 that the terminal has previously obtained the needed private security key, the method may proceed to operation 1160. Operation 1160 may comprise utilising the private key for decrypting the information part. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1160. If, however, it is determined at operation 1150 that the terminal has not previously obtained the needed private security key, the method may proceed to operation 1170. Operation 1170 may comprise requesting the private security key from the network (e.g. from the network apparatus 102). The request may, for example, reference the group ID and/or D2D transmitter ID so that the network apparatus 102 may determine the appropriate private security key. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1170. Operation 1180 may comprise authentication of the terminal. In this regard, authentication of the terminal may enable the network apparatus 102 to verify that the terminal is permitted to receive the requested private security key. Provided that the terminal is authenticated as permitted to receive the requested private security key, operation 1190 may comprise receiving the requested security key. The processing circuitry 310, processor 312, memory 314, communication interface 318, and/or D2D discovery controller 320 may, for example, provide means for performing operation 1190. In response to receiving the requested security key, the method may proceed to operation 1160 in which the received security key may be used to decrypt the information part.
FIG. 12 illustrates a flowchart according to an example method for facilitating secure D2D discovery according to some example embodiments. In this regard, FIG. 12 illustrates operations that may be performed at a network apparatus 202. The operations illustrated in and described with respect to FIG. 12 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220. Operation 1200 may comprise determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a D2D discovery signal. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1200. Operation 1210 may comprise, responsive to the determination, causing the security key to be distributed to the terminal. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1210.
FIG. 13 illustrates a flowchart according to an example method for distributing a common security key according to some example embodiments. In this regard, FIG. 13 illustrates operations that may be performed at a network apparatus 202. The operations illustrated in and described with respect to FIG. 13 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220. Operation 1300 may comprise generating a common security key. The processing circuitry 210, processor 212, memory 214, communication interface 218, and/or key management controller 218 may, for example, provide means for performing operation 1300. Operation 1310 may comprise causing distribution of the common security key to an authenticated terminal. An authenticated terminal may, for example, comprise a terminal that has successfully authenticated itself to the network and associated with the network. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1310.
The method may optionally further comprise operation 1320, which may comprise regenerating the common security key at predefined intervals and notifying the terminal that the previously distributed security key has been replaced with an updated security key. In this regard, operation 1320 may be performed in instances in which a higher degree of security is desired whereby security keys are periodically replaced. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1320.
FIG. 14 illustrates a flowchart according to an example method for distributing a private security key according to some example embodiments. In this regard, FIG. 14 illustrates operations that may be performed at a network apparatus 202. The operations illustrated in and described with respect to FIG. 14 may, for example, be performed by, with the assistance of, and/or under the control of one or more of the processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, or D2D registration controller 220. Operation 1400 may comprise generating a unique private security key for a D2D group. The processing circuitry 210, processor 212, memory 214, communication interface 218, and/or key management controller 218 may, for example, provide means for performing operation 1400. Operation 1410 may comprise associating the private security key with an identifier for the group and/or with identifiers for members of the group (e.g. transmitter IDs for members of the group).
In some example embodiments wherein a group identifier may be associated with the private security key along with identifiers for members of the group, the group identifier may facilitate decoding information encrypted using the private security key even if a single transmitter is a member of multiple private groups, such that an identifier associated with the terminal alone may not be usable to uniquely identify the private security key. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1410. Operation 1420 may comprise causing distribution of the private security key to an authenticated terminal. An authenticated terminal may, for example, comprise a terminal that has registered to the D2D group associated with the private security key and been successfully authenticated as a member of the group. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1420. In some example embodiments, the method may optionally further include operation 1430, which may comprise maintaining a mapping of the private security key with the D2D group ID for the D2D group and/or D2D transmitter IDs associated with members of the D2D group. In this regard, the maintained mapping may be later used to facilitate key regeneration. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1430.
In some example embodiments, the method may optionally additionally include operation 1440, which may comprise regenerating the private security key at predefined configured intervals and notifying the terminal that the previously distributed security key has been replaced with an updated security key. In this regard, operation 1440 may be performed in instances in which a higher degree of security is desired whereby security keys are periodically replaced. The processing circuitry 210, processor 212, memory 214, communication interface 218, key management controller 218, and/or D2D registration controller 220 may, for example, provide means for performing operation 1440.
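The receive-side flow of FIG. 11 together with the network-side key handling of FIGS. 12 to 14, worked through as an added Python example that is not part of the patent. The frame layout, the numeric encoding of the security-level indication, the HMAC-based stand-in cipher and the request_key/rotate_private_key interface are assumptions; the patent specifies none of them.

```python
"""Receive-side handling of a D2D discovery signal (FIG. 11) against a network key
manager (FIGS. 12 to 14). Constructed illustration; frame layout, level encoding,
stand-in cipher and key-request API are assumptions, not anything the patent specifies."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OPEN, COMMON, PRIVATE = 0, 1, 2   # assumed encoding of the security-level indication

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Stand-in authenticated encryption (HMAC keystream + HMAC tag); use a real AEAD in practice."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("discovery information failed authentication")   # wrong/stale key or tampering
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class DiscoverySignal:
    level: int      # indication of the security level (header part)
    tx_id: str      # D2D transmitter ID (header part)
    group_id: str   # group ID, empty unless PRIVATE (header part)
    info: bytes     # information part, sealed unless OPEN

def make_signal(level, tx_id, info, key=None, group_id=""):
    """FIG. 9: optional encryption (operation 900), then the signal with its indication (910)."""
    return DiscoverySignal(level, tx_id, group_id, info if level == OPEN else seal(key, info))

class NetworkKeyManager:
    """Network apparatus 202: releases a key only to a terminal authenticated for it (FIG. 12)."""
    def __init__(self):
        self.common_key = secrets.token_bytes(32)   # operation 1300
        self.private_keys, self.members = {}, {}    # operation 1430: key <-> group ID / member IDs
        self.associated = set()                     # terminals authenticated to the network

    def create_group(self, group_id, member_ids):
        self.private_keys[group_id] = secrets.token_bytes(32)   # operation 1400
        self.members[group_id] = set(member_ids)                # operation 1410

    def request_key(self, terminal_id, level, group_id=""):
        """Operations 1170 to 1190: authenticate the requester, then distribute or refuse."""
        if terminal_id not in self.associated:
            raise PermissionError("terminal has not authenticated to the network")
        if level == COMMON:
            return self.common_key
        if level == PRIVATE and terminal_id in self.members.get(group_id, ()):
            return self.private_keys[group_id]
        raise PermissionError("terminal is not a member of the group")

    def rotate_private_key(self, group_id):
        """Operation 1440: regenerate; members are then notified that the key was replaced."""
        self.private_keys[group_id] = secrets.token_bytes(32)
        return self.private_keys[group_id]

class Terminal:
    def __init__(self, terminal_id, network):
        self.id, self.net = terminal_id, network
        self.common_key, self.private_keys, self.key_requests = None, {}, 0

    def key_replaced(self, group_id):
        self.private_keys.pop(group_id, None)   # replacement notice: drop the stale key

    def _fetch(self, level, group_id=""):
        self.key_requests += 1
        return self.net.request_key(self.id, level, group_id)

    def process(self, sig):
        """FIG. 11: operation 1110 reads the level indication, then branches."""
        if sig.level == OPEN:
            return sig.info                                        # 1120
        if sig.level == COMMON:
            if self.common_key is None:
                self.common_key = self._fetch(COMMON)
            return unseal(self.common_key, sig.info)               # 1130
        if sig.level == PRIVATE:
            # 1140 to 1150: look up by group ID, since one transmitter may sit in several groups
            key = self.private_keys.get(sig.group_id)
            if key is None:                                        # 1170 to 1190
                key = self.private_keys[sig.group_id] = self._fetch(PRIVATE, sig.group_id)
            return unseal(key, sig.info)                           # 1160
        raise ValueError("unknown security level %r" % sig.level)

def rejects(exc, fn, *args):
    """True when fn(*args) raises exc; lets refusals be checked as plain return values."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

A stale private key fails the tag check rather than yielding garbage, so the replacement notification of operation 1440 is what moves the terminal back to a fresh key request.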
FIGS. 6 to 14 are flowcharts of operation of a system, method and program product according to example embodiments of the invention. It will be understood that each block of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, processor, circuitry and/or other device associated with execution of software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device of an apparatus employing an embodiment of the present invention and executed by a processor in the apparatus. As will be appreciated, any such computer program instructions may be loaded onto a computer or other programmable apparatus (e.g., hardware) to produce a machine, such that the resulting computer or other programmable apparatus provides for implementation of the functions specified in the flowcharts block(s). These computer program instructions may also be stored in a non-transitory computer-readable storage memory that may direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage memory produce an article of manufacture the execution of which implements the function specified in the flowcharts block(s). The computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operations to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowcharts block(s).
Accordingly, blocks of the flowcharts support combinations of means for performing the specified functions and combinations of operations for performing the specified functions. It will also be understood that one or more blocks of the flowcharts, and combinations of blocks in the flowcharts, can be implemented by special purpose hardware-based computer systems which perform the specified functions, or combinations of special purpose hardware and computer instructions.
The above embodiments are to be understood as illustrative examples of the invention. Further embodiments of the invention are envisaged. It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.

Claims

1. A method comprising:
receiving, at a terminal, a device-to-device (D2D) discovery signal, the D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the D2D discovery signal; and
determining, based at least in part on the indication, the security level applied to the D2D discovery information.
2. A method according to claim 1, wherein in an instance in which it is determined based at least in part on the security level applied to the D2D discovery information that the D2D discovery information has been encrypted, the method comprises:
determining, based at least in part on the security level applied to the D2D discovery information, a security key needed to decrypt the encrypted D2D discovery information; and
in an instance in which the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information, using the determined security key to decrypt the encrypted D2D discovery information.
3. A method according to claim 2, comprising, in an instance in which it is determined that the security level applied to the D2D discovery information is a private security level in which only a predefined group of one or more devices is permitted access to the security key needed to decrypt the encrypted D2D discovery information:
determining, based at least in part on the D2D discovery signal, an identifier associated with the predefined group of one or more devices permitted access to the security key needed to decrypt the encrypted D2D discovery information; and
using the identifier to determine the security key needed to decrypt the encrypted D2D discovery information, wherein the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information in an instance in which the terminal is a member of the predefined group of one or more devices permitted access to the security key.
4. A method according to claim 2 or claim 3, wherein in an instance in which it is determined that the security level applied to the D2D discovery information is common security in which any terminal that has associated with a network through which the terminal is receiving access is permitted access to a common security key needed to decrypt the D2D discovery information, determining the security key needed to decrypt the D2D discovery information comprises determining that the common security key is needed to decrypt the D2D discovery information.
5. A method according to any of claims 2 to 4, comprising:
receiving, at the terminal, the security key needed to decrypt the encrypted D2D discovery information, wherein the security key is selectively distributed to the terminal by a network entity responsible for managing distribution of security keys.
6. A method according to claim 5, wherein the received security key comprises a common security key that is available to any terminal that has associated with a network through which the terminal is receiving access, and wherein receiving the security key comprises receiving a common security key distributed to the terminal based at least in part on authentication of the terminal to the network.
7. A method according to claim 5, wherein the received security key comprises a private security key available to only a predefined group of one or more devices, the method comprising:
causing the terminal to register as a member of the group to the network entity, wherein receiving the security key comprises receiving the private security key responsive to registration of the terminal as a member of the group, and wherein distribution of the private security key to the terminal is contingent upon successful authentication of the terminal as a member of the group by the network entity.
8. A method according to any of claims 5 to 7, comprising:
determining that the terminal does not have the security key needed to decrypt the encrypted D2D discovery information; and
causing a request for the security key to be sent toward the network entity; wherein receiving the security key comprises receiving a security key distributed to the terminal in response to the request.
9. A method according to any of claims 1 to 8, wherein in an instance in which determining the security level applied to the D2D discovery information comprises determining that an open security level in which the D2D discovery information is not encrypted has been applied to the D2D discovery information, the method comprises processing the D2D discovery information as received in the D2D discovery signal.
10. A method according to any of claims 1 to 9, comprising:
generating a D2D discovery signal for transmission by the terminal, the generated D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the generated D2D discovery signal.
11. A method according to claim 10, comprising:
using a security key distributed to the terminal by a network entity to encrypt the D2D discovery information included in the generated D2D discovery signal;
wherein the indication of the security level applied to the D2D discovery information included in the generated D2D discovery signal is indicative of the security key used to encrypt the D2D discovery information.
12. A method according to any of claims 1 to 11, comprising:
receiving, at the terminal, a notification originated by a network entity responsible for managing distribution of security keys that a security key previously distributed to the terminal has been replaced with an updated security key; and
obtaining, by the terminal, the updated security key.
13. Apparatus for use in a communication terminal, the apparatus comprising a processing system arranged to cause the apparatus to at least:
determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal.
14. Apparatus according to claim 13, wherein the processing system is arranged to cause the apparatus, in an instance in which it is determined based at least in part on the security level applied to the D2D discovery information that the D2D discovery information has been encrypted, to:
determine, based at least in part on the security level applied to the D2D discovery information, a security key needed to decrypt the encrypted D2D discovery information; and
in an instance in which the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information, use the determined security key to decrypt the encrypted D2D discovery information.
15. Apparatus according to claim 14, wherein the processing system is arranged to cause the apparatus, in an instance in which it is determined that the security level applied to the D2D discovery information is a private security level in which only a predefined group of one or more devices is permitted access to the security key needed to decrypt the encrypted D2D discovery information to:
determine, based at least in part on the D2D discovery signal, an identifier associated with the predefined group of one or more devices permitted access to the security key needed to decrypt the encrypted D2D discovery information; and
use the identifier to determine the security key needed to decrypt the encrypted D2D discovery information, wherein the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information in an instance in which the terminal is a member of the predefined group of one or more devices permitted access to the security key.
16. Apparatus according to claim 14 or claim 15, wherein the processing system is arranged to cause the apparatus, in an instance in which it is determined that the security level applied to the D2D discovery information is common security in which any terminal that has associated with a network through which the terminal is receiving access is permitted access to a common security key needed to decrypt the D2D discovery information, to determine the security key needed to decrypt the D2D discovery information at least in part by determining that the common security key is needed to decrypt the D2D discovery information.
17. Apparatus according to any of claims 14 to 16, wherein the processing system is arranged to cause the apparatus to:
receive the security key needed to decrypt the encrypted D2D discovery information, wherein the security key is selectively distributed to the terminal by a network entity responsible for managing distribution of security keys.
18. Apparatus according to claim 17, wherein the received security key comprises a common security key that is available to any terminal that has associated with a network through which the terminal is receiving access, and wherein the received security key is distributed to the terminal based at least in part on authentication of the terminal to the network.
19. Apparatus according to claim 17, wherein the received security key comprises a private security key available to only a predefined group of one or more devices, and wherein the processing system is arranged to cause the apparatus to:
cause the terminal to register as a member of the group to the network entity; and
receive the security key at least in part by receiving the private security key responsive to registration of the terminal as a member of the group, and wherein distribution of the private security key to the terminal is contingent upon successful authentication of the terminal as a member of the group by the network entity.
20. Apparatus according to any of claims 17 to 19, wherein the processing system is arranged to cause the apparatus to:
determine if the terminal does not have the security key needed to decrypt the encrypted D2D discovery information; and, if so:
cause a request for the security key to be sent toward the network entity;
wherein the received security key comprises a security key distributed to the terminal in response to the request.
21. Apparatus according to any of claims 13 to 20, wherein the processing system is arranged to cause the apparatus, in an instance in which the security level applied to the D2D discovery information is determined to be an open security level in which the D2D discovery information is not encrypted, to process the D2D discovery information as received in the D2D discovery signal.
22. Apparatus according to any of claims 13 to 21, wherein the processing system is arranged to cause the apparatus to:
generate a D2D discovery signal for transmission by the terminal, the generated D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the generated D2D discovery signal.
23. Apparatus according to claim 22, wherein the processing system is arranged to cause the apparatus to:
use a security key distributed to the terminal by a network entity to encrypt the D2D discovery information included in the generated D2D discovery signal;
wherein the indication of the security level applied to the D2D discovery information included in the generated D2D discovery signal is indicative of the security key used to encrypt the D2D discovery information.
24. Apparatus according to any of claims 13 to 23, wherein the processing system is arranged to cause the apparatus to:
receive a notification originated by a network entity responsible for managing distribution of security keys that a security key previously distributed to the terminal has been replaced with an updated security key; and
obtain the updated security key.
25. Apparatus according to any of claims 13 to 24, wherein the apparatus is arranged to be used in a Long Term Evolution cellular network.
26. Apparatus according to any of claims 13 to 25, wherein the apparatus is implemented on a mobile phone, the mobile phone comprising:
user interface circuitry; and
user interface software arranged to facilitate user control of at least some functions of the mobile phone through use of a display.
27. A computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least:
determine a security level applied to D2D discovery information received in a device-to-device (D2D) discovery signal based at least in part on an indication received in the device-to-device (D2D) discovery signal of the security level applied to the D2D discovery information included in the D2D discovery signal.
28. A computer program according to claim 27, wherein the program comprises instructions arranged to cause the apparatus, in an instance in which it is determined based at least in part on the security level applied to the D2D discovery information that the D2D discovery information has been encrypted, to:
determine, based at least in part on the security level applied to the D2D discovery information, a security key needed to decrypt the encrypted D2D discovery information; and in an instance in which the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information, use the determined security key to decrypt the encrypted D2D discovery information.
29. A computer program according to claim 28, wherein the program comprises instructions arranged to cause the apparatus, in an instance in which it is determined that the security level applied to the D2D discovery information is a private security level in which only a predefined group of one or more devices is permitted access to the security key needed to decrypt the encrypted D2D discovery information, to:
determine, based at least in part on the D2D discovery signal, an identifier associated with the predefined group of one or more devices permitted access to the security key needed to decrypt the encrypted D2D discovery information; and
use the identifier to determine the security key needed to decrypt the encrypted D2D discovery information, wherein the terminal has rights to access the security key needed to decrypt the encrypted D2D discovery information in an instance in which the terminal is a member of the predefined group of one or more devices permitted access to the security key.
30. A computer program according to claim 28 or claim 29, wherein the program comprises instructions arranged to cause the apparatus, in an instance in which it is determined that the security level applied to the D2D discovery information is common security in which any terminal that has associated with a network through which the terminal is receiving access is permitted access to a common security key needed to decrypt the D2D discovery information, to determine the security key needed to decrypt the D2D discovery information at least in part by determining that the common security key is needed to decrypt the D2D discovery information.
31. A computer program according to any of claims 28 to 30, wherein the program comprises instructions arranged to cause the apparatus to:
receive, at the terminal, the security key needed to decrypt the encrypted D2D discovery information, wherein the security key is selectively distributed to the terminal by a network entity responsible for managing distribution of security keys.
32. A computer program according to claim 31, wherein the received security key comprises a common security key that is available to any terminal that has associated with a network through which the terminal is receiving access, and wherein the common security key is distributed to the terminal based at least in part on authentication of the terminal to the network.
33. A computer program according to claim 31, wherein the received security key comprises a private security key available to only a predefined group of one or more devices, and wherein the program comprises instructions arranged to cause the apparatus to:
cause the terminal to register as a member of the group to the network entity, receive the security key at least in part by receiving the private security key responsive to registration of the terminal as a member of the group, and wherein distribution of the private security key to the terminal is contingent upon successful authentication of the terminal as a member of the group by the network entity.
34. A computer program according to any of claims 31 to 33, wherein the program comprises instructions arranged to cause the apparatus to:
determine if the terminal does not have the security key needed to decrypt the encrypted D2D discovery information; and, if so:
cause a request for the security key to be sent toward the network entity;
wherein the received security key is distributed to the terminal in response to the request.
35. A computer program according to any of claims 27 to 34, wherein the program comprises instructions arranged to cause the apparatus, in an instance in which it is determined that the security level applied to the D2D discovery information comprises an open security level in which the D2D discovery information is not encrypted, to process the D2D discovery information as received in the D2D discovery signal.
36. A computer program according to any of claims 27 to 35, wherein the program comprises instructions arranged to cause the apparatus to:
generate a D2D discovery signal for transmission by the terminal, the generated D2D discovery signal comprising D2D discovery information and an indication of a security level applied to the D2D discovery information included in the generated D2D discovery signal.
37. A computer program according to claim 36, wherein the program comprises instructions arranged to cause the apparatus to:
use a security key distributed to the terminal by a network entity to encrypt the D2D discovery information included in the generated D2D discovery signal;
wherein the indication of the security level applied to the D2D discovery information included in the generated D2D discovery signal is indicative of the security key used to encrypt the D2D discovery information.
38. A computer program according to any of claims 27 to 37, wherein the program comprises instructions arranged to cause the apparatus to:
receive a notification originated by a network entity responsible for managing distribution of security keys that a security key previously distributed to the terminal has been replaced with an updated security key; and
obtain the updated security key.
39. A method comprising:
determining that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and
responsive to the determination, causing the security key to be distributed to the terminal.
40. A method according to claim 39, wherein, in an instance in which the security key comprises a common security key to which any terminal that has associated with the network is permitted access, determining that the terminal has been authenticated to be permitted to receive the security key comprises determining that the terminal has associated with and authenticated itself to the network.
41. A method according to claim 39 or claim 40, wherein, in an instance in which the security key comprises a private security key to which the terminal is only permitted access if it is a member of a predefined group of one or more devices, determining that the terminal has been authenticated to be permitted to receive the security key comprises:
receiving registration information for registering the terminal to the group; and authenticating the terminal as a member of the group based at least in part on the received registration information.
42. A method according to any of claims 39 to 41, comprising, subsequent to causing the security key to be distributed to the terminal:
generating an updated security key as a replacement for the distributed security key; and
causing a notification to be provided to the terminal that the previously distributed security key has been replaced with the updated security key.
43. Apparatus for use in a network entity, the apparatus comprising a processing system arranged to cause the apparatus to at least:
determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and
responsive to the determination, cause the security key to be distributed to the terminal.
44. Apparatus according to claim 43, wherein the processing system is arranged to cause the apparatus, in an instance in which the security key comprises a common security key to which any terminal that has associated with the network is permitted access, to determine that the terminal has been authenticated to be permitted to receive the security key at least in part by determining that the terminal has associated with and authenticated itself to the network.
45. Apparatus according to claim 43 or claim 44, wherein the processing system is arranged to cause the apparatus, in an instance in which the security key comprises a private security key to which the terminal is only permitted access if it is a member of a predefined group of one or more devices, to determine that the terminal has been authenticated to be permitted to receive the security key at least in part by: receiving registration information for registering the terminal to the group; and authenticating the terminal as a member of the group based at least in part on the received registration information.
46. Apparatus according to any of claims 43 to 45, wherein the processing system is arranged to cause the apparatus, subsequent to causing the security key to be distributed to the terminal, to :
generate an updated security key as a replacement for the distributed security key; and
cause a notification to be provided to the terminal that the previously distributed security key has been replaced with the updated security key.
47. A computer program comprising instructions, which when performed by an apparatus, are arranged to cause the apparatus to at least:
determine that a terminal that has associated with a network has been authenticated to be permitted to receive a security key usable for one or more of decrypting or encrypting at least a portion of a device-to-device (D2D) discovery signal; and
responsive to the determination, cause the security key to be distributed to the terminal.
48. A computer program according to claim 47, comprising instructions arranged to cause the apparatus, in an instance in which the security key comprises a common security key to which any terminal that has associated with the network is permitted access, to determine that the terminal has been authenticated to be permitted to receive the security key at least in part by determining that the terminal has associated with and authenticated itself to the network.
49. A computer program according to claim 47 or claim 48, comprising instructions arranged to cause the apparatus, in an instance in which the security key comprises a private security key to which the terminal is only permitted access if it is a member of a predefined group of one or more devices, to determine that the terminal has been authenticated to be permitted to receive the security key at least in part by: receiving registration information for registering the terminal to the group; and authenticating the terminal as a member of the group based at least in part on the received registration information.
50. A computer program according to any of claims 47 to 49, comprising instructions arranged to cause the apparatus, subsequent to causing the security key to be distributed to the terminal, to:
generate an updated security key as a replacement for the distributed security key; and
cause a notification to be provided to the terminal that the previously distributed security key has been replaced with the updated security key.
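The key-distribution and discovery-signal handling these claims describe, as an added example that is not part of the patent: a network entity (KeyManager) hands a common key to any terminal authenticated to the network and a private key only to terminals registered and authenticated as group members, terminals request a missing key on demand and drop a key when notified it was replaced, and each discovery signal carries an open/common/private security-level indication beside its payload. The HMAC-based cipher, the credential strings and the integrity tag are my assumptions; the claims specify none of them.

```python
import hmac, hashlib, secrets

OPEN, COMMON, PRIVATE = 0, 1, 2   # security-level indication carried in the discovery signal
def _keystream(key, nonce, n):    # HMAC-SHA256 counter mode: offline stand-in for a real cipher
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):         # encrypt-then-MAC; the 16-byte tag is an added assumption
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("discovery information failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyManager:                 # network entity of claims 39-50
    def __init__(self):
        self.common_key = secrets.token_bytes(32)
        self.group_keys, self.members, self.attached = {}, {}, {}
    def attach(self, term, credential):            # claim 40: authenticate to the network
        if credential == "pw-" + term.tid:          # constructed credential check
            self.attached[term.tid] = term
        return term.tid in self.attached
    def register(self, term, gid, group_credential):   # claim 41: group registration
        if term.tid in self.attached and group_credential == "grp-" + gid:
            self.group_keys.setdefault(gid, secrets.token_bytes(32))
            self.members.setdefault(gid, set()).add(term.tid)
    def request_key(self, term, level, gid=None):      # claim 34: on-demand distribution
        if term.tid not in self.attached:
            raise PermissionError("terminal not authenticated to the network")
        if level == COMMON:
            return self.common_key
        if term.tid in self.members.get(gid, ()):
            return self.group_keys[gid]
        raise PermissionError(f"{term.tid} is not a member of group {gid}")
    def rotate_common_key(self):                       # claim 42: replace key and notify
        self.common_key = secrets.token_bytes(32)
        for term in self.attached.values():
            term.on_key_replaced(COMMON, None)

class Terminal:
    def __init__(self, tid, km):
        self.tid, self.km, self.keys = tid, km, {}
    def on_key_replaced(self, level, gid):             # claim 38: drop the stale key
        self.keys.pop((level, gid), None)
    def key_for(self, level, gid):                     # fetch lazily when missing (claim 34)
        if (level, gid) not in self.keys:
            self.keys[(level, gid)] = self.km.request_key(self, level, gid)
        return self.keys[(level, gid)]
    def build_signal(self, info, level, gid=None):     # claims 36-37: info + level indication
        if level == OPEN:
            return (OPEN, None, info)
        return (level, gid, seal(self.key_for(level, gid), info))
    def process_signal(self, signal):                  # claims 27-35: inspect level, then decrypt
        level, gid, payload = signal
        return payload if level == OPEN else unseal(self.key_for(level, gid), payload)
```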
PCT/IB2013/051060 2012-02-10 2013-02-08 Method, apparatus and computer program for facilitating secure d2d discovery information WO2013118096A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1202376.8A GB2499247B (en) 2012-02-10 2012-02-10 Method, apparatus and computer program for facilitating secure D2D discovery information
GB1202376.8 2012-02-10

Publications (1)

Publication Number Publication Date
WO2013118096A1 true WO2013118096A1 (en) 2013-08-15

Family

ID=45929972

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2013/051060 WO2013118096A1 (en) 2012-02-10 2013-02-08 Method, apparatus and computer program for facilitating secure d2d discovery information

Country Status (2)

Country Link
GB (1) GB2499247B (en)
WO (1) WO2013118096A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104469951A (en) * 2013-09-25 2015-03-25 华为技术有限公司 Resource distribution method, device and system
WO2015065063A1 (en) * 2013-10-30 2015-05-07 Samsung Electronics Co., Ltd. Method and apparatus to identity verification using asymmetric keys in wireless direct communication network
WO2015063991A1 (en) * 2013-10-30 2015-05-07 Nec Corporation Apparatus, system and method for secure direct communcation in proximity based services
CN104618089A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Negotiation processing method for security algorithm, control network element and system
WO2015112499A1 (en) * 2014-01-22 2015-07-30 Futurewei Technologies, Inc. Secure ad hoc group in an information-centric network
US20160242021A1 (en) * 2013-09-27 2016-08-18 Alcatel Lucent Method and device for discovery detection in device-to-device communication
CN106717095A (en) * 2014-08-07 2017-05-24 阿尔卡特朗讯 Wireless communication network control node and method
WO2017105154A1 (en) * 2015-12-17 2017-06-22 엘지전자 주식회사 Method and device by which nan terminal performs ranging operation in wireless communication system
TWI625977B (en) * 2016-11-15 2018-06-01 艾瑞得科技股份有限公司 Method for authenticatting communication device lower-level group
CN112235772A (en) * 2020-10-23 2021-01-15 深圳市中诺通讯有限公司 Method for realizing terminal hiding function based on 5G D2D technology
WO2023142095A1 (en) * 2022-01-29 2023-08-03 北京小米移动软件有限公司 Ue discovery message protection methods and apparatuses, and communication device and storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2013204965B2 (en) 2012-11-12 2016-07-28 C2 Systems Limited A system, method, computer program and data signal for the registration, monitoring and control of machines and devices
KR20150035355A (en) * 2013-09-27 2015-04-06 삼성전자주식회사 Method and apparatus for securing discovery information
JP6243192B2 (en) * 2013-10-31 2017-12-06 株式会社Nttドコモ User terminal and inter-terminal communication method
US10080185B2 (en) * 2015-04-10 2018-09-18 Qualcomm Incorporated Method and apparatus for securing structured proximity service codes for restricted discovery

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6052784A (en) * 1997-10-14 2000-04-18 Intel Corporation Network discovery system and method
US20070195760A1 (en) * 2006-02-23 2007-08-23 Mahfuzur Rahman Light weight service discovery protocol
EP2028795A1 (en) * 2007-08-24 2009-02-25 Hopling Group B.V. Configuring a mesh network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9838365B2 (en) * 2007-07-10 2017-12-05 Qualcomm Incorporated Peer to peer identifiers
US9197616B2 (en) * 2010-03-19 2015-11-24 Cisco Technology, Inc. Out-of-band session key information exchange

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BYUNGGOO CHOI ET AL: "Enhanced SEND Protocol for Secure Data Transmission in Mobile IPv6 Environment", COMPUTATIONAL SCIENCES AND ITS APPLICATIONS, 2008. ICCSA '08. INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 30 June 2008 (2008-06-30), pages 214 - 220, XP031284160, ISBN: 978-0-7695-3243-1 *
VESA PEHKONEN ET AL: "Secure Universal Plug and Play network", INFORMATION ASSURANCE AND SECURITY (IAS), 2010 SIXTH INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 23 August 2010 (2010-08-23), pages 11 - 14, XP031777294, ISBN: 978-1-4244-7407-3 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104469951A (en) * 2013-09-25 2015-03-25 华为技术有限公司 Resource distribution method, device and system
US20160242021A1 (en) * 2013-09-27 2016-08-18 Alcatel Lucent Method and device for discovery detection in device-to-device communication
WO2015065063A1 (en) * 2013-10-30 2015-05-07 Samsung Electronics Co., Ltd. Method and apparatus to identity verification using asymmetric keys in wireless direct communication network
WO2015063991A1 (en) * 2013-10-30 2015-05-07 Nec Corporation Apparatus, system and method for secure direct communcation in proximity based services
US10631162B2 (en) 2013-10-30 2020-04-21 Samsung Electronics Co., Ltd. Method and apparatus to perform device to device communication in wireless communication network
CN111030813A (en) * 2013-10-30 2020-04-17 日本电气株式会社 Mobile communication system, network node, user equipment and method thereof
CN105706474B (en) * 2013-10-30 2019-12-13 日本电气株式会社 Apparatus, system and method for secure direct communication in proximity-based services
CN105706474A (en) * 2013-10-30 2016-06-22 日本电气株式会社 Apparatus, system and method for secure direct communication in proximity based services
JP2016538771A (en) * 2013-10-30 2016-12-08 日本電気株式会社 Apparatus, system and method for direct communication with inter-terminal direct communication function
US10212597B2 (en) 2013-10-30 2019-02-19 Nec Corporation Apparatus, system and method for secure direct communication in proximity based services
US10028136B2 (en) 2013-11-04 2018-07-17 Huawei Technologies Co., Ltd. Negotiation processing method for security algorithm, control network element, and control system
CN104618089A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Negotiation processing method for security algorithm, control network element and system
US9313030B2 (en) 2014-01-22 2016-04-12 Futurewei Technologies, Inc. Method and apparatus for secure ad hoc group device-to-device communication in information-centric network
WO2015112499A1 (en) * 2014-01-22 2015-07-30 Futurewei Technologies, Inc. Secure ad hoc group in an information-centric network
CN106717095A (en) * 2014-08-07 2017-05-24 阿尔卡特朗讯 Wireless communication network control node and method
WO2017105154A1 (en) * 2015-12-17 2017-06-22 엘지전자 주식회사 Method and device by which nan terminal performs ranging operation in wireless communication system
TWI625977B (en) * 2016-11-15 2018-06-01 艾瑞得科技股份有限公司 Method for authenticatting communication device lower-level group
CN112235772A (en) * 2020-10-23 2021-01-15 深圳市中诺通讯有限公司 Method for realizing terminal hiding function based on 5G D2D technology
WO2023142095A1 (en) * 2022-01-29 2023-08-03 北京小米移动软件有限公司 Ue discovery message protection methods and apparatuses, and communication device and storage medium

Also Published As

Publication number Publication date
GB2499247B (en) 2014-04-16
GB2499247A (en) 2013-08-14
GB201202376D0 (en) 2012-03-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13713979

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13713979

Country of ref document: EP

Kind code of ref document: A1