Abstract: Systems, apparatuses, methods, and program products to provision a user plane (UP) security policy at a granularity level that is per data radio bearer (DRB) within a protocol data unit (PDU) session or per quality of service (QoS) flow within one or more DRB of the PDU session.

Abstract: A user equipment (UE) may attempt to access an edge data network. The UE generates a first credential based on a second credential, the second credential generated for a procedure between the UE and a cellular network, generating an identifier corresponding to the first credential, and generates a multi-access edge computing (MEC) authorization parameter. The UE then transmits an application registration request message to a server associated with an edge data network, the application registration request message including an indication of the first credential, the identifier corresponding to the first credential and the first authorization parameter. The UE then receives an authentication accept message or an authentication reject message from the server associated with the edge data network.

Abstract: A user equipment (UE) establishes a first type of connection to a first public land mobile network (PLMN), the first type of connection having a first non-access stratum (NAS) Count pair corresponding to a first NAS security context associated with the first PLMN, establishes a second type of connection to a second PLMN, wherein a previous second type of connection was established with the first PLMN, wherein the previous second type of connection has a second NAS Count pair corresponding to the first NAS security context, wherein the second type of connection has a third NAS Count pair corresponding to a second NAS security context associated with the second PLMN and deregisters the previous second type of connection with the first PLMN to reset the second NAS count pair at the first PLMN.

Abstract: The exemplary embodiments relate to a user equipment (UE) providing an indication of user consent to a network for access to UE information. The UE may perform operations including transmitting an indication of user consent to a first network. The user consent corresponds to a network function acquiring UE information. The operations also include transmitting the UE information to the first network and establishing a connection with a second network. The network function performs operations related to establishing the connection between the UE and the second network using the UE information.

Abstract: Apparatuses, systems, and methods for application function (AF) key generation and AF key renewal. A user equipment device (UE) may communicate with an application function (AF) via a radio access network (RAN) using a first AF key and determine that the first AF key has expired. The UE may derive a second AF key based on at least an Architecture for Authentication and Key Management for Applications (AKMA) anchor key (KAKMA) and a counter parameter and communicate with the AF via the RAN using the second AF key. At least one of the UE, the AF, and/or an AKMA Anchor Function (AAnF) may be configured to monitor expiration of the first AF key based on an associated lifetime of the first AF key. The first and second AF keys may be derived using a key derivation function that includes at least one variable parameter.

Abstract: Methods and apparatuses for verifying HeNB. A method reduces and/or avoids affecting the operator's network due to the attack from HeNB, and ensures the safety of the users who have accessed the network.

Abstract: A device level lock policy, which applies to all smart secure platform (SSP) applications of a mobile device, is used to determine whether a particular SSP application can be activated. A tamper resistant hardware secure element (SE) includes a primary platform with a low level operating system (OS) and one or more SSP applications within one or more secondary platform bundles that include secondary platforms with high level OSs specific to the secondary platform bundles. The low level OS enforces the device level lock policy for all secondary platform bundles by verifying whether a lock policy for the SSP application is consistent with the device level lock policy. When verification succeeds, activation is allowed, and when verification fails, activation is disallowed. Subscription identifiers are not provided in unencrypted form to processing circuitry of the mobile device external to the tamper resistant hardware SE to provide subscriber identity privacy protection.

Abstract: A user equipment (UE) includes first and second subscriber identity modules (SIMs), possibly subscribed to different carriers. When the first SIM is in a connected state and the second SIM is in an idle state, the UE may need to periodically tune away a radio from a first frequency used for communication under the first SIM to a second frequency used for idle mode activity under the second SIM. The UE may provide to the network of the first SIM the second SIMs traffic activity pattern and/or serving frequency so that the network may provide coordinated configuration and/or scheduling for the UE device, e.g., in order to make the action of tuning away (and tuning back) the radio more efficient and/or to decrease the network impact of such radio tune aways (e.g., to decrease wasted uplink scheduling and wasted downlink transmissions for the first SIM).

Abstract: A user equipment (UE) includes first and second subscriber identity modules (SIMs), possibly subscribed to different carriers. When the first SIM is in a connected state and the second SIM is in an idle state, the UE may need to periodically tune away a radio from a first frequency used for communication under the first SIM to a second frequency used for idle mode activity under the second SIM. The UE may provide to the network of the first SIM the second SIMs traffic activity pattern and/or serving frequency so that the network may provide coordinated configuration and/or scheduling for the UE device, e.g., in order to make the action of tuning away (and tuning back) the radio more efficient and/or to decrease the network impact of such radio tune aways (e.g., to decrease wasted uplink scheduling and wasted downlink transmissions for the first SIM).

Abstract: Apparatuses, systems, and methods for generating and utilizing improved initialization vectors (IVs) when performing encryption and authentication in wireless communications. In some scenarios, a wireless communication device may generate one or more pseudorandom multi-bit values, e.g., using a respective plurality of key derivation functions (KDFs). A first portion of each value may be used as a respective key for encryption or authentication of traffic on the user plane or the control plane. A second portion of each value may be used as a nonce value in a respective IV for use with a respective key for encryption or authentication of traffic on the user plane or the control plane. In some scenarios, the nonce values may instead be generated as part of an additional pseudorandom value (e.g., by executing an additional KDF), from which all of the IVs may be drawn.

Abstract: Techniques to protect subscriber identity in messages communicated between a user equipment (UE) and a cellular wireless network entity by using multiple ephemeral asymmetric keys are disclosed. The UE determines multiple ephemeral UE public and secret key pairs, while the cellular wireless network entity provides a network public key to the UE. The network public key may be updated over time. Multiple encryption keys based on the multiple ephemeral UE secret keys and the public network key are derived and used to encrypt a subscription permanent identifier (SUPI) to generate multiple subscription concealed identifiers (SUCIs). Each SUCI is used only once for messages communicated to a cellular wireless network and discarded after use. New SUCI are generated when the network public key is updated.

Abstract: Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PKID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PKPKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SKID obtained from the PKG server, which generates the identity-based private key SKID using (i) the ID value of the network entity and (ii) a private key SKPKG that is known only by the PKG server and corresponds to the public key PKPKG.

Abstract: The present application discloses a method for configuring and transmitting a key, which includes that: a) a serving cell (PCell) of UE determines a key (KeNB) used by a SCell and transmits the KeNB to the SCell; and b) the PCell transmits configuration information for configuring the SCell to the UE after receiving a response message from the SCell, and receives a response message from the UE. Or, the method includes that: a SCell of UE transmits a cell key request to an MME and receives key information from the MME; and the SCell transmits the key information received from the MME to the UE, and receives a response message from the UE. By the present application, data of the SCell is transmitted after being encrypted, so as to avoid a case that the data is decoded by other users, and further guarantee the security of the data.

Abstract: Described herein are apparatuses, systems and methods for enhancing short message service (“SMS”) over Internet protocol (“IP”). The methods including at, a user equipment (“UE”) connected to a network, receiving an indication from the network, wherein the indication identifies whether the network supports an SMS over IP session, when the indication identifies that the network supports the SMS over IP session, registering the UE for voice communication and the SMS over IP session with the network, and when the indication identifies that the network does not support the SMS over IP session, registering the UE for voice communication without the SMS over IP session with the network.

Abstract: Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PKID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PKPKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SKID obtained from the PKG server, which generates the identity-based private key SKID using (i) the ID value of the network entity and (ii) a private key SKPKG that is known only by the PKG server and corresponds to the public key PKPKG.

Abstract: A method for supporting indication of a failure event to a source access system is provided. The method includes notifying, by the source access system, information of a source cell to a target access system, routing, by the target access system, a message to the base station or the base station controller of the source access through a core network by use of the information of the source cell received from the source access system when the target access system needs to transmit a message to the source access system. By use of the method provided by the present disclosure, a problem of mobility robustness optimization (MRO) among different radio access technology (RAT) may be notified to the source access system, so as to avoid impact for a terminal, reduce operator configuration.

Abstract: A method for handover of User Entity (UE) by a source Base Station (BS) is provided. The method includes determining whether to handover the UE using an X2 interface, transmitting a handover request message to a target BS, the handover request message including Closed Subscriber Group (CSG) information of the target BS, and receiving a handover request acknowledgement message from the target BS, wherein the determining of whether to handover the UE using the X2 interface includes, if there is the X2 interface between the source BS and the target BS, and if the target BS does not support a CSG or the target BS supports a same CSG supported by the source BS, determining to perform the handover of the UE using the X2 interface, and obtaining the CSG information of the target BS through an X2 interface set up procedure.

Abstract: This disclosure relates to techniques, base stations, and user equipment devices (UEs) for performing base station authentication through access stratum signaling transmissions. The UE may operate in idle mode and may receive an authentication message from a base station through the wireless interface while operating in idle mode. The UE may determine whether a signature comprised within the authentication message is valid, and the UE may continue a connection procedure with the base station based on a determination that the signature is valid. If it is determined that the signature is invalid, the UE may designate the base station as a barred base station and may perform cell re-selection. The authentication message may be one of a radio resource control (RRC) connection setup message, a special RRC message, a media access control (MAC) message, or a random access channel (RACH) message comprising a random access response (RAR) message.

Abstract: A method enabling an relay node (RN) to support multiple wireless access techniques is provided, which includes: a mobility management element (MME) requests a DeNB to establish evolved radio access bearers (ERAB) of EUTRAN and indicates access network information that will be transmitted by each of the ERABs; the DeNB requests an RN to establish radio bearers (RB) and indicates the access network information that will be transmitted by each of the RBs. The above method makes fewer modifications to conventional networks and techniques, guarantees service quality provided for a UE accessing an LTE system, and enables an RN to support access of UEs using multiple access techniques.

Abstract: A method for supporting indication of a failure event to a source access system is provided. The method includes notifying, by the source access system, information of a source cell to a target access system, routing, by the target access system, a message to the base station or the base station controller of the source access through a core network by use of the information of the source cell received from the source access system when the target access system needs to transmit a message to the source access system. By use of the method provided by the present disclosure, a problem of mobility robustness optimization (MRO) among different radio access technology (RAT) may be notified to the source access system, so as to avoid impact for a terminal, reduce operator configuration.