Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: It is provided a method, comprising instructing a subscription device to indicate an applied privacy protection to a visited network; instructing the subscription device to provide a protected subscription identifier to the visited network, wherein the protected subscription identifier is based on a permanent subscription identifier protected according to the applied privacy protection.

Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.

Abstract: At given user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the given user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the given user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for the given authentication scenario.

Abstract: User equipment is registered with a visited public land mobile network, VPLMN, in a process including: producing at the user equipment a concealed identifier; producing at the user equipment a freshness code; and sending by the user equipment to the VPLMN the concealed identifier and the freshness code; receiving by the user equipment an identity request from the VPLMN indicating that the long-term identifier must be transmitted to the VPLMN in a non-concealed form; receiving by the user equipment from the VPLMN a permission authenticator; and verifying at the user equipment if the permission authenticator has been formed with a cryptographic authentication of the home public land mobile network, HPLMN, and the user equipment or a subscription module at the user equipment indicating permission to transmit the long-term identifier to the VPLMN in the non-concealed form and if yes, transmitting the long-term identifier to the VPLMN in the non-concealed form.

Abstract: According to an aspect, there is provided a terminal device comprising means for performing the following. The terminal device transmits a tethering request for setting up a tethering cell over at least one communications network to at least one tethering terminal device capable of setting up a tethering cell. Then, the terminal device performs tethering cell discovery for discovering tethering cells set up by any of said at least one tethering terminal device. In response to discovering a tethering cell provided by a tethering terminal device of said at least one tethering terminal device, the terminal device accesses the tethering cell.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.

Abstract: In a home network of a communication system, wherein one or more cryptographic key pairs are provisioned for utilization by subscribers of the home network to conceal subscriber identifiers provided to one or more access points in the communication system, the method comprises provisioning one or more privacy managing entity identifiers for utilization by the subscribers when providing their concealed subscriber identifiers to the communication system. Each of the one or more privacy managing entity identifiers identify a given privacy managing entity in the communication system configured to de-conceal a given subscriber identifier.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises provisioning at least a given one of the first and second security edge protection proxy elements with configuration information that enables the given security edge protection proxy element to identify at least one security operation to be applied to at least one information element in a received message before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: It is provided a method, comprising instructing a subscription device to indicate an applied privacy protection to a visited network; instructing the subscription device to provide a protected subscription identifier to the visited network, wherein the protected subscription identifier is based on a permanent subscription identifier protected according to the applied privacy protection.

Abstract: Key identification techniques for determination of appropriate keys for processing messages in communication systems are provided. In one or more methods, an indicator is assigned to each key pair provisioned in a communication system. The indicator is then sent to one or more network elements or functions in the communication system with a message encrypted with a first part of the key pair corresponding to the indicator. A network element or function receiving the encrypted message determines, based on the indicator, a corresponding second part of the key pair to use to process the encrypted message.

Abstract: Privacy management techniques for communication systems are provided. In one or more methods, one or more cryptographic key pairs are provisioned in a home network of a communication system for utilization by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication system. The cryptographic key pairs are managed utilizing an element or function in the home network of the communication system. In one or more other methods, one or more public keys associated with one or more cryptographic key pairs are stored in user equipment, the cryptographic key pairs being provisioned by a home network of a communication system for use by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication network. An element or function of the home network of the communication system is interfaced for management of the public keys stored in the user equipment.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises configuring at least a given one of the first and second security edge protection proxy elements to determine whether to apply at least one security operation at the transport level for incoming packets based at least in part on source and destination networks for the incoming packets.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises configuring at least a given one of the first and second security edge protection proxy elements to determine whether to apply at least one security operation at the transport level for incoming packets based at least in part on source and destination networks for the incoming packets.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises provisioning at least a given one of the first and second security edge protection proxy elements with configuration information that enables the given security edge protection proxy element to identify at least one security operation to be applied to at least one information element in a received message before sending the message to the other one of the first and second security edge protection proxy elements.