Abstract: This disclosure provides methods, devices and systems for using a variable authentication identifier (AID) for access point (AP) privacy. For example, instead of a persistent SSID, an AID is used by a station (STA) to authenticate the AP before connecting to the AP. The AP is associated with a service set, and the STA has stored a secret token associated with the service set. Before connecting to the AP, a broadcasted probe request from the STA includes no identifying information other than the token. The AP generates the AID from the token and provides the AID in a probe response. The STA is able to identify the AP as being associated with a service set and connect to the AP using the token and AID without the token and the AID being used by another device not associated with the service set to identify the AP.

Abstract: Certain aspects provide a method for wireless communication. The method generally includes deriving a network specific identifier (NSI) in a network access identifier (NAI) format, the NSI including a network identifier (NID) stored at the UE, generating a subscription concealed identifier (SUCI) based on the NSI for authentication of the UE with a non-public network (NPN), and sending the SUCI to a network entity for the authentication of the UE with the NPN.

Abstract: Embodiments may include a user equipment (UE) configured to obtain a Mobile Subscriber Identification Number (MSIN) from an International Mobile Subscriber Identity (IMSI) of the UE, encrypt the MSIN to generate a Subscription Concealed Identifier (SUCI) in a Network Access Identifier (NAI) format, and send the SUCI to the non-3GPP access network for authentication of the UE, and a network element of a home 3GPP network configured to receive, by a 5G Non-seamless WLAN Offload (NSWO) Function, an authentication request including the SUCI from the non-3GPP access network, determine, by the 5G NSWO Function, based on the SUCI, that the UE should be authenticated by an authentication function of the home 3GPP network, and provide the authentication request including the SUCI to the authentication function of the home 3GPP network for processing based on the determination that the UE should be authenticated by the authentication function.

Abstract: Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Abstract: A user device having a security context with a first network based on a first key may establish a security context with a second network. In a method, the user device may generate a key identifier based on the first key and a network identifier of the second network. The user device may forward the key identifier to the second network for forwarding to the first network by the second network to enable the first network to identify the first key at the first network. The user device may receive a key count from the second network. The key count may be associated with a second key forwarded to the second network from the first network. The user device may generate the second key based on the first key and the received key count thereby establishing a security context between the second network and the user device.

Abstract: Embodiments include devices and methods for providing secure communications between a first computing device and a second computing device are disclosed. A processor of the first computing device may determine in a first application software first security key establishment information. The processor may provide the first security key establishment information to a communication layer of the first computing device for transmission to the second computing device. The processor may receive, in the first application software from the communication layer of the first computing device, second security key establishment information received from the second computing device. The processor may determine a first security key by the first application software based at least in part on the second security key establishment information. The processor may provide the first security key to the communication layer for protecting messages from the first application software to the second computing device.

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may receive a system parameter identified by a network entity (e.g., a public key generator (PKG)), and receive a cell identifier during a connection procedure between the UE and a base station in wireless communication with the UE. The cell identifier may be associated with the base station. The UE may encrypt at least a portion of a message associated with the connection procedure using the cell identifier and the system parameter. In some examples, the portion of the message may include private information. The UE may transmit the message to the base station as part of the connection procedure.

Abstract: Certain aspects of the present disclosure provide techniques for managing security keys for enciphering and deciphering packets transmitted in a wireless communications system. According to certain aspects, a method of wireless communication by a user equipment (UE) is provided. The method generally includes obtaining an indication of a key area identifier (ID) of a first cell node, wherein the key area ID identifies a set of cell nodes that are associated with a network node that uses a first key for enciphering or deciphering messages and communicating a first set of messages with the first cell node using the first key for enciphering or deciphering the first set of messages.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a first wireless communication device may receive, from a second wireless communication device, a discovery message that includes a service code. The first wireless communication device may verify the service code. The first wireless communication device may transmit, to the second wireless communication device, a connection message that includes a protected service code that is derived from the service code. Numerous other aspects are described.

Abstract: Systems and techniques are disclosed to protect a user equipment's international mobile subscriber identity by providing a privacy mobile subscriber identity instead. In an attach attempt to a serving network, the UE provides the PMSI instead of IMSI, protecting the IMSI from exposure. The PMSI is determined between a home network server and the UE so that intermediate node elements in the serving network do not have knowledge of the relationship between the PMSI and the IMSI. Upon receipt of the PMSI in the attach request, the server generates a next PMSI to be used in a subsequent attach request and sends the next PMSI to the UE for confirmation. The UE confirms the next PMSI to synchronize between the UE and server and sends an acknowledgment token to the server. The UE and the server then each update local copies of the current and next PMSI values.

Abstract: Certain aspects provide a method for wireless communication. The method generally includes deriving a network specific identifier (NSI) in a network access identifier (NAI) format, the NSI including a network identifier (NID) stored at the UE, generating a subscription concealed identifier (SUCI) based on the NSI for authentication of the UE with a non-public network (NPN), and sending the SUCI to a network entity for the authentication of the UE with the NPN.

Abstract: Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Abstract: A user equipment (UE) may receive system information from a base station and may calculate a hash value using the system information as input to a hashing function. Similarly, prior to transmitting the system information, a valid base station may calculate a hash value using the system information as input to a hashing function. The base station may transmit the calculated hash value (e.g., which represent or be included in a set of hash values) to the UE in an access stratum (AS) security mode command (SMC) message. The UE may determine whether the received system information was modified based on the hash value (e.g., by comparing the UE calculated hash value and the set of hash values received from the base station in the AS SMC). If the UE indicates a mismatch of hash information, the base station may re-transmit the system information (e.g., in an integrity protected message).

Abstract: Techniques are described for wireless communication. A method of wireless communication at a transmitting wireless device includes generating a first Message Authentication Code for a data packet based at least in part on a first security key used to communicate with a receiving wireless device; generating a second message authentication code for the data packet based at least in part on a second security key used to communicate with a relay user equipment (UE), in which the relay UE is included in a data routing path between the transmitting wireless device and the receiving wireless device; and transmitting the data packet to the relay UE with at least the first message authentication code and the second message authentication code.

Abstract: One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PKMID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may transmit, to a relay UE, a first message comprising a first freshness parameter, an identity of the UE, and authentication information, where the authentication information is used by a network node to authenticate the UE with security context information of the UE. The UE may derive a relay key for security establishment between the UE and the relay UE based on the first freshness parameter, a set of key generation parameters, and a shared key with the network node. The UE may derive a relay session key for security establishment between the UE and the relay UE based on the relay key, a first nonce of the UE, and a second nonce of the relay UE. Numerous other aspects are described.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

Abstract: Wireless communications systems and methods related to globally unique temporary identity (GUTI) reallocation for cellular-Internet of thing (CIoT) are provided. A user equipment (UE) receives, from a network, a paging associated with a mobile-terminated early data transmission (MT-EDT). The UE transmits, by the UE to the network, a data request in response to the paging. The UE receives, from the network in response to the data request, a message including a global unique temporary identifier (GUTI) and at least one of data associated with the paging or a connection release indication.

Abstract: One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PKMID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may participate in a registration procedure with an access and mobility management function (AMF). The UE may transmit to the AMF, as part of the registration procedure, an indication of one or more single network slice selection assistance information (S-NSSAI) or a network slice selection assistance information (NSSAI). Following, the UE may receive a control message from the AMF, wherein the control message includes one or more encrypted S-NSSAI values or an encrypted NSSAI value based on the indication. The UE may then transmit the encrypted S-NSSAI or the encrypted NSSAI to a base station as part of a message.