Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may participate in a registration procedure with an access and mobility management function (AMF). The UE may transmit to the AMF, as part of the registration procedure, an indication of one or more single network slice selection assistance information (S-NSSAI) or a network slice selection assistance information (NSSAI). Following, the UE may receive a control message from the AMF, wherein the control message includes one or more encrypted S-NSSAI values or an encrypted NSSAI value based on the indication. The UE may then transmit the encrypted S-NSSAI or the encrypted NSSAI to a base station as part of a message.

Abstract: In an aspect, a network supporting a number of client devices includes a network device that generates a context for a client device. The client device context may include network state information for the client device that enables the network to communicate with the client device. The client device may obtain, from a network device that serves a first service area of the network, information that includes a first client device context. The client device may enter a second service area of the network served by a second network device. Instead of performing a service area update procedure with the network, the client device may transmit a packet in the different service area with the information that includes the client device context. The client device may receive a service relocation message including information associated with the different network device in response to the transmission.

Abstract: Aspects of security schemes (e.g., integrity protection, encryption, or both) are described. A measure of access stratum security can be realized without overhead associated with establishing and/or maintaining the per-cellular-device access stratum security context at a Cellular Internet of Things (CIoT) base station (C-BS). A gateway (e.g., a CIoT Serving Gateway Node (C-SGN)) may derive a first key. The first key may be only known to the C-SGN. The C-SGN may derive a second key from the first key and a parameter unique to the C-BS. The C-SGN may also derive a third key from the second key and an identity of a cellular device. The C-SGN may send the second and third keys to the C-BS and cellular device, respectively. Small data messages encrypted and/or integrity protected by the cellular device may be decrypted and/or verified by the C-BS.

Abstract: Techniques are described for wireless communication. A method of wireless communication at a transmitting wireless device includes generating a first Message Authentication Code (MAC) for a data packet based at least in part on a first security key used to communicate with a receiving wireless device; generating a second MAC for the data packet based at least in part on a second security key used to communicate with a relay user equipment (UE), in which the relay UE is included in a data routing path between the transmitting wireless device and the receiving wireless device; and transmitting the data packet to the relay UE with at least the first MAC and the second MAC.

Abstract: One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PKMID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

Abstract: Certain aspects of the present disclosure relate to methods and apparatus for updating a routing ID associated with a user equipment in a wireless network. An exemplary method generally includes receiving a downlink control plane message including updated configuration information for a Unified Data Management (UDM) entity in the network; determining whether a universal subscriber identification module (USIM) of the UE supports one or more parameters stored in the USIM to be updated; based on the determination, storing the received configuration information in at least one of: the USIM if the USIM supports the one or more parameters to be updated; or memory of the UE if the USIM does not support the one or more parameters to be updated; generating an identifier for the UE based on the stored updated configuration information; and transmitting at least one message using the generated identifier.

Abstract: Techniques are described for wireless communication. A wireless device may generate a secured query message based at least in part on a security credential of the wireless device. The secured query message may be generated prior to performing an authentication and key agreement (AKA) with a network. The wireless device may transmit the secured query message to the network, and receive a response to the secured query message. The wireless device may then determine whether or not to perform the AKA with the network based on the received response (e.g., the wireless device may determine whether or not the response is associated with the security credential of the wireless communication device and a network security credential of the network). The wireless device may establish a secure connection with the network or refrain from considering the response based on the determination.

Abstract: A device that identifies entry into a new service area, transmits a service area update request to a network device associated with a network, receives a control plane message from the network indicating control plane device relocation or a key refresh due to a service area change in response to transmitting the service area update request, and derives a first key based in part on data included in the control plane message and a second key shared between the device and a key management device. Another device that receives a handover command from a network device associated with a network, the handover command indicating a new service area, derives a first key based on data included in the handover command and on a second key shared between the device and a key management device, and sends a handover confirmation message that is secured based on the first key.

Abstract: Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Abstract: One feature pertains to a method that includes establishing a radio communication connection with a first radio access node (RAN) that uses control plane signaling connections to carry user plane data. The method also includes determining that the wireless communication device is experiencing radio link failure (RLF) with the first RAN and that the radio communication connection should be reestablished with a second RAN. A reestablishment request message is transmitted to the second RAN that includes parameters that enable a core network node communicatively coupled to the second RAN to authenticate the wireless communication device and allow or reject reestablishment of the radio communication connection. The parameters include at least a message authentication code (MAC) based in part on one or more bits of a non-access stratum (NAS) COUNT value maintained at the wireless communication device.

Abstract: The present disclosure provides techniques that may be applied, for example, in a multi-slice network for maintaining privacy when attempting to access the network. An exemplary method generally includes transmitting a registration request message to a serving network to register with the serving network; receiving a first confirmation message indicating a secure connection with the serving network has been established; transmitting, after receiving the first confirmation message, a secure message to the serving network comprising an indication of at least one configured network slice that the UE wants to communicate over, wherein the at least one configured network slice is associated with a privacy flag that is set; and receiving a second confirmation message from the serving network indicating that the UE is permitted to communicate over the at least one configured network slice.

Abstract: Systems and techniques are disclosed to protect a user equipment's international mobile subscriber identity by providing a privacy mobile subscriber identity instead. In an attach attempt to a serving network, the UE provides the PMSI instead of IMSI, protecting the IMSI from exposure. The PMSI is determined between a home network server and the UE so that intermediate node elements in the serving network do not have knowledge of the relationship between the PMSI and the IMSI. Upon receipt of the PMSI in the attach request, the server generates a next PMSI to be used in a subsequent attach request and sends the next PMSI to the UE for confirmation. The UE confirms the next PMSI to synchronize between the UE and server and sends an acknowledgment token to the server. The UE and the server then each update local copies of the current and next PMSI values.

Abstract: Methods, systems, and devices for wireless communication are described. A user equipment (UE) may perform authentication procedures using an alternative identity (e.g., a privacy mobile subscriber identity (PMSI)) instead of an international mobile subscriber identity (IMSI) to protect the privacy of the user. If the UE does not have a PMSI, it may include a request for a PMSI initialization in an attach request. In some cases, the PMSI may be used once, and a new PMSI may be generated for the next attachment procedure. In some cases, a universal subscriber identity module (USIM) of the UE may not support storage of a PMSI. So a privacy module of the UE may communicate with the USIM according to the USIM's capabilities and may maintain a PMSI separately for communication with the network.

Abstract: A method, an apparatus, and a computer program product for wireless communication are provided. A method includes transmitting a request to a serving network with a nonce and a signature request directed to a network function of the serving network, receiving a response to the request from the serving network, and authenticating the serving network based on the signature of the network function. The nonce may provide replay protection. The response may include a signature of the network function. The request sent to the serving network may include a radio resource control (RRC) message or a tracking area update (TAU) request. The serving network may be authenticated using a trusted third party to verify a certificate associated with the serving network.

Abstract: One feature pertains to a method that includes establishing a radio communication connection with a first radio access node (RAN) that uses control plane signaling connections to carry user plane data. The method also includes determining that the wireless communication device is experiencing radio link failure (RLF) with the first RAN and that the radio communication connection should be reestablished with a second RAN. A reestablishment request message is transmitted to the second RAN that includes parameters that enable a core network node communicatively coupled to the second RAN to authenticate the wireless communication device and allow or reject reestablishment of the radio communication connection. The parameters include at least a message authentication code (MAC) based in part on one or more bits of a non-access stratum (NAS) COUNT value maintained at the wireless communication device.

Abstract: A device that identifies entry into a new service area, transmits a service area update request to a network device associated with a network, receives a control plane message from the network indicating control plane device relocation or a key refresh due to a service area change in response to transmitting the service area update request, and derives a first key based in part on data included in the control plane message and a second key shared between the device and a key management device. Another device that receives a handover command from a network device associated with a network, the handover command indicating a new service area, derives a first key based on data included in the handover command and on a second key shared between the device and a key management device, and sends a handover confirmation message that is secured based on the first key.

Abstract: Securing user-plane data traffic between a device and a packet data network gateway (P-GW) may be accomplished at the device (e.g., chip component, client device) by obtaining, at the device, a first shared key, and obtaining, at the device, a second shared key based on the first shared key. The second shared key may be for securing user-plane data traffic during transit between the device and the P-GW. The second shared key is shared by the device and the P-GW. The data traffic may be secured based on the second shared key to produce first secured data traffic. The first secured data traffic may be sent to the P-GW via an access node. The P-GW and the access node are distinct network entities. The second shared key is unknown to the access node. The P-GW obtains the second shared key from a network entity that is distinct from the device.

Abstract: Aspects directed towards steering of roaming (SoR) are disclosed. In one example, a communication from a public land mobile network (PLMN) is received by a user equipment (UE) in which the communication indicates an acceptance of a UE registration with the PLMN. This example further includes performing a determination of whether an SoR indicator associated with a home PLMN (HPLMN) is embedded within the communication. The UE then manages PLMN selection according to the determination. In another example, a UE is configured to operate according to an SoR configuration in which the UE is configured to ascertain whether an SoR indicator is embedded within a communication from a PLMN. An SoR indicator associated with an HPLMN is then generated and subsequently transmitted from the HPLMN to the UE via the PLMN.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.