Abstract: There is provided a method, apparatus and computer program product for causing a network repository function to perform: receiving, from a network function service consumer, an access request for an access authorization token, the request comprising a first identification of the network function service consumer and a first identification of at least one network slice on which access is requested; generating an access token in response to the request, the access token comprising at least one network slice identifier for the at least one network slice identified by the first identification; and providing the generated access token to the network function in response to the request for an access authorization token.

Abstract: Techniques for automated management of a service level agreement between a first communication network and a second communication network are provided. For example, one of the communication networks is a visited network while the other is a home network whereby the service level agreement is a roaming agreement. In one example, a message is received at a first communication network from a second communication network, wherein at least a portion of the message relates to the service level agreement between the first communication network and the second communication network. An automated verification of information in the message is performed at the first communication network to determine compliance with the service level agreement. The message receiving step is performed by a security edge protection proxy function of the first communication network and the automated verification performing step is performed by a service level agreement management function of the first communication network.

Abstract: An apparatus comprises means for: causing information indicating a first security protocol profile of a first security protocol from a first security node of a first network to be sent from a first security node of a first network to a second security node of a second network, wherein the first security profile has one or more of: a modification policy; a data type policy; and a cipher suite; and causing the first security node to communicate with the second security node in accordance with the first security profile.

Abstract: Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for inter-network communication. A first edge protection proxy in a first network receives a request for an access token from a network repository function in the first network. The access token is to be used by a first network function in the first network to request a service from a second network function in a second network. The first edge protection proxy validates the request based on configurations allowed to access services provided by networks different from the first network. If the validation of the request is successful, the first edge protection proxy transmits the request to a second edge protection proxy in the second network. The transmitted request comprises verified information concerning the first network function.

Abstract: Techniques for dynamic security management in a communications network are disclosed. For example, a method comprises obtaining, at a network entity in a communication network, security information from one or more other network entities in the communication network. In response to at least a portion of the obtained security information, the method enables, by the network entity, dynamic enforcement within a user plane of the communication network of one or more security policies in accordance with one or more quality-of-service policies to manage one or more behaviors of user equipment.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving from a requesting network function, by a network repository function, an access token request, wherein the access token request is related to a network function consumer requesting access to a service provided by a network function producer and comprises an identity of a vendor of the network function consumer requesting access to the service, means for verifying by the network repository function, based at least on the identity of the vendor of the network function consumer, that the network function consumer is allowed to access the service and means for transmitting to the requesting network function, by the network repository function, an access token upon successful verification, wherein the access token generated and signed by the network repository function comprises the identity of the vendor of the network function consumer and an identity of the vendor of the network function produc

Abstract: According to an example aspect, there is provided a method, comprising: receiving, from a first network function consumer, a subscribe request for a second network function consumer to subscribe to a service, wherein the subscribe request comprises a notification address and identifies the second network function consumer, transmitting, to a network repository function, an access token request, comprising the notification address and identifying the second network function consumer, receiving, from the network repository function, an access token response comprising an access token comprising the notification address verified by the network repository function, transmitting, to the second network function consumer, an authorization request for receiving data authorization and comprising the access token, receiving, from the second network function consumer, an authorization response indicative of authorization of the second network function consumer, and transmitting, on the basis of the authorization respons

Abstract: Improved techniques for secure access control in communication systems are provided. In one example, in accordance with an authorization server function, a method comprises receiving a request from a service consumer in a communication system for access to a service type and one or more resources associated with the service type. The method determines whether the service consumer is authorized to access the service type and the one or more resources associated with the service type. The method generates an access token that identifies one or more service producers for the service type and the one or more resources associated with the service type that the service consumer is authorized to access, and sends the access token to the service consumer. The service consumer can then use the access token to access the one or more services and one or more resources. In addition to such resource level access authorization, target network function group access authorization can be performed.

Abstract: There is provided an apparatus configured to protect security of communication in roaming scenarios between a first network and a second network, the apparatus being a first apparatus residing in the first network and comprising means for in response to a selection of transport layer security as a security capability mechanism, transmitting, to a second apparatus residing in the second network and configured to protect security of communication in roaming scenarios between the first network and the second network, a request to terminate connections over a forwarding interface between the first apparatus and the second apparatus.

Abstract: Improved techniques for secure access control in communication systems are provided. Secure access control in one or more examples includes authorization of network function sets. For example, in accordance with an authorization server function, a method includes receiving a request from a service consumer in a communication system for access to a service type, wherein the request comprises information including a service producer set identifier. The method determines whether the service consumer is authorized to access the service type. The method identifies service producer instances that belong to the requested service producer set identifier. The method generates an access token that comprises identifiers for identified ones of the service producer instances that belong to the requested service producer set identifier, and sends the access token to the service consumer.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to receive a service request for a service provided by the apparatus, determine whether to provide the service based at least partly on an authentication based on a first identifier, comprised in an access token in the service request, and on a second identifier, comprised in a credential data element in the service request, wherein the authentication is successful when the first identifier and the second identifier identify a same network function instance or same network function instance set, and provide the service responsive to a result of the determination indicating the service is to be provided.

Abstract: Improved security management techniques between user equipment and a communication system are provided. For example, techniques are provided for preventing malicious attacks via a user equipment deregistration process. In one example, a method comprises sending a deregistration request message from the given user equipment to a communication system to which the given user equipment is registered, wherein the deregistration request message is security-protected and comprises a temporary identifier assigned to the given user equipment. By not sending the deregistration request message with a subscription concealed identifier, the given user equipment prevents a malicious actor from succeeding with a deregistration attack replaying the subscription concealed identifier.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to establish a user equipment context for a user equipment registered with the apparatus, the user equipment context being associated with an identity of the user equipment, determine that a plurality of network messages comprising the identity of the user equipment as sender fail a network message integrity process, and trigger, responsive to the determination, at least one of: 1) sending a paging message to the user equipment, and 2) initiating an authentication process with a sender of the network messages, and deletion the user equipment context as a response to successful completion of the authentication process.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving, by a network function configured to provide centralized user consent authorization in a cellular communication system, a user consent authorization request from a logical network entity, wherein the user consent authorization request comprises an identity of at least one user equipment whose user consent is requested by the logical network entity, the logical network entity being a network function service consumer or an application function, means for retrieving user consent information concerning the at least one user equipment whose user consent is requested by the logical network entity, wherein said user consent information indicates individually whether the logical network entity is authorized to access data related to each of the at least one user equipment, means for determining, based on said user consent information, whether the logical network entity is authorized to access data r

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to: receive, from a service communication proxy, a request for an access token which authorizes access to a service at a network function provider, transmit an authorization token to the service communication proxy, the authorization token being specific to the request, and provide the access token to the service communication proxy responsive to determining that a cryptographic signature of a network function consumer on a signed version of the authorization token, received in the apparatus from the service communication proxy, is correct. The apparatus may work in a network serving user equipments, for example.

Abstract: In with a network exposure function of a communication network, a method comprises generating at least one application layer cryptographic key based on a request specific to given user equipment received from an application function, and sharing the application layer cryptographic key with the application function. The application layer cryptographic key is configured to enable the application function and the given user equipment to establish a secure communication session.

Abstract: According to an example aspect of the present invention, there is provided method, comprising: generating a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generating a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generating authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to determine whether a cryptographic signature of a token received in the apparatus from a network function consumer is valid, obtain a cryptographic signature of the apparatus of the token responsive to the cryptographic signature of the token being valid, and provide the token to a peer entity of the apparatus, wherein the cryptographic signature of the apparatus is either included into the token or provided in a header external to the token, wherein the peer entity is comprised in a second network, different from a first network where the apparatus is comprised in. The request may serve a user equipment, directly or indirectly.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to initiate a handshake process configured to establish a control plane connection prior to establishing an associated data plane connection from the apparatus to a gateway node in second network, the apparatus being in a first network distinct from the second network, indicate during the establishing of the control plane connection that compression of payload communicated over the data plane connection is requested, and wherein the data plane connection to the gateway node traverses at least one intermediate internet protocol exchange.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, receiving, by an intermediary network function, a subscription request from a network function consumer requesting data of a network function producer, wherein the subscription request comprises a client credential assertion of the network function consumer and an access token, authorizing and authenticating, by the intermediary network function, the network function consumer upon successful validation of the access token and the client credential assertion validation and transmitting, by the intermediary network function, an access token request to an authorization server to get another access token, wherein said another access token is to be used to validate the network function consumer to access services of the network function producer, and the access token request comprises the client credential assertion of the network function consumer requesting data of the network function producer.