Abstract: A method of operating a radio access network, RAN, node of a wireless communication system, includes preparing, at the RAN node, a handover request to handover a user equipment, UE, to a target node. The handover request includes a user plane integrity protection, UP IP, policy associated with the UE. The method further includes transmitting the handover request to the target node.

Abstract: A network node configured to perform a process that includes receiving a PDU Session Establishment Request message for establishing a PDU session, wherein the PDU Session Establishment Request message was transmitted by a UE and includes a PDU session ID. The process also includes communicating a Session Management (SM) Request comprising the PDU Session Establishment Request to an SMF. The process also includes receiving from the SMF a message that includes: i) the PDU Session ID identifying the PDU session, ii) a PDU Session Establishment Accept message, and iii) a user plane (UP) security policy for the PDU session, wherein the UP security policy for the PDU session indicates: i) whether UP confidentiality protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session, and/or ii) whether UP integrity protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session.

Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.

Abstract: A method for re-establishing a Radio Resource Control (RRC) connection between a UE and a target eNB. The method is performed by the UE. The method includes the UE receiving an RRC Connection Reestablishment message from the target eNB, the RRC Connection Reestablishment message including a DL authentication token which has been generated by an MME and has had a Non Access Stratum integrity key as input. The method also includes the UE authenticating the received DL authentication token.

Abstract: A method performed by a user equipment, UE, for enabling user plane integrity protection of data in a packet data convergence protocol, PDCP, in a radio access network is provided. The method includes sending a session establishment request towards a session management node that includes an indication of a user plane integrity protection mode supported by the UE. The method further includes receiving an activation message from a receiving radio access node that includes an indication to the UE to activate the user plane integrity protection mode for a data radio bearer established with the receiving radio access node. Methods performed by a session management node, a target access and mobility node, and a radio access node are also provided.

Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., a Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.

Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: Methods for operating a UE, a network node, a Session Management Function (SMF) and a Unified Data Management (UDM) are disclosed. The methods include transmitting, by a UE, a Protocol Data Unit (PDU) Session Establishment Request message toward an SMF in the communication network (902A), and receiving at the UE a policy decision on security protection of User Plane (UP) data terminating in a RAN for the PDU Session (904A). The policy decision received at the UE may be in accordance with a UP security policy provided by the SMF to the RAN during PDU Session Establishment. Also disclosed are a UE, network node, SMF and UDM.

Abstract: A first communication node may provide first and second NAS connection identifications for respective first and second NAS connections between the first and a second communication node, with the first and second NAS connection identifications being different and the first and second NAS connections being different. A first NAS message may be communicated between the first and second communication nodes over the first NAS connection, including at performing integrity protection for the first NAS message using the first NAS connection identification and/or performing confidentiality protection for the first NAS message using the first NAS connection identification.

Abstract: A method at a UE may include providing a first NAS connection with a network node through a first access node, wherein a first NAS CID is associated with the first NAS connection. While providing the first NAS connection, a second NAS CID may be allocated for a second NAS connection with the network node through a second access node. A registration request message may be transmitted to the network node to request the second NAS connection, wherein transmitting the registration request message includes performing integrity protection for the registration request message using the second NAS CID. A security mode command message may be received from the network node, wherein the security mode command message corresponds to the registration request message. Responsive to receiving the security mode command message, a security mode complete message may be transmitted to the network node through the second access node.

Abstract: A serving network establishes a connection with a UE via an N3AN using a trusted registration procedure to establish a secure access link between the UE and the serving network via the N3AN. The serving network sends a trust indication message via the N3AN to the UE using the secure access link to identify the N3AN as trusted or untrusted. When the received trust indication message indicates the N3AN is untrusted, the serving network executes an untrusted registration procedure with the UE using the secure access link to establish the connection between the UE and the serving network. When the received trust indication message indicates the N3AN is trusted, the serving network continues execution of the initial registration with the UE using the trusted registration procedure to establish the connection between the UE and the serving network. The UE and serving network exchange messages via the established connection.

Abstract: A method of operating an Access and Mobility Management Function (AMF) of a communications system that includes an access node (AN) configured to communicate through a wireless air interface with user equipments (UEs) and that has a Session Management Function (SMF), is provided. The method includes receiving an indication of a Max Data Radio Bearer Integrity Protection, DRB-IP, rate indicating a maximum computational capacity of the UE to process DRBs that have integrity protection during Packet Data Unit (PDU) sessions. A PDU session establishment request NAS message is received from the UE for establishing a PDU session. A PDU session create message is communicated toward the SMF. A SMF message is received that contains an indication of an allocated DRB-IP rate for DRBs that are to be integrity protected for a PDU session being established.

Abstract: A network node of a mobile communications network may need to generate at least one new Input Offset Value, IOV value, for use in protecting communications between the network node and a mobile station. The network node then associates a fresh counter value with the or each new IOV value; calculates a Message Authentication Code based on at least the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and a constant indicating that the Message Authentication Code is calculated to protect the new IOV value; and transmits the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and the calculated Message Authentication Code to the mobile station.

Abstract: A method (200) for operating a User Equipment (UE) is disclosed, the UE configured to connect to a communication network. The method comprises: indicating to the communication network an Integrity Protection for User Plane (IPUP) mode supported by the UE when requesting registration with the communication network (202). The IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE (202a), non-use of Integrity Protection for User Plane data exchanged with the UE (202b), or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data (202c). Also disclosed are an apparatus for operating a UE, methods and apparatus for operating a radio access node and a core node of a communication network, and a computer program operable to carry out methods for operating a UE, a radio access node and/or a core node of a communication network.

Abstract: There is provided mechanisms for configuring use of keys for security protecting packets communicated between a wireless device and a network node. A method is performed by the wireless device. The method comprises exchanging key use information with the network node in conjunction with performing a key change procedure with the network node during which a first key is replaced with a second key. The key use information indicates which of the packets are security protected using which of the first key and the second key.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: A method of operating a Master gNodeB (MgNB) in a radio access network RAN is disclosed. An indication of a user plane security policy is received from a core network node, wherein the user plane security policy requires user plane integrity protection for a protocol data unit PDU session. Responsive to the user plane security policy requiring user plane integrity protection for the PDU session and responsive to determining that a secondary base station supporting the user plane security policy requiring user plane integrity protection is unavailable, a data radio bearer DRB of the PDU session is established directly between the MgNB and a user equipment UE. Related MgNBs are also discussed.

Abstract: There is provided a method performed by a network unit, and a corresponding network unit as well as a corresponding wireless communication device, for supporting interworking and/or idle mode mobility between different wireless communication systems, including a higher generation wireless system and a lower generation wireless system, to enable secure communication with the wireless communication device. The method comprises selecting, in connection with a registration procedure and/or a security context activation procedure of the wireless communication device with the higher generation wireless system, at least one security algorithm of the lower generation wireless system, also referred to as lower generation security algorithm(s). The method also comprises sending a control message including information on the selected lower generation security algorithm(s) to the wireless communication device.

Abstract: The present disclosure provides a security mechanism to mitigate the risk of trackability of a UE engaged in groupcast communication. The security mechanism makes use of cryptographic functions and thus provides a cryptographic-grade protection for groupcast communications. The security mechanism can be implemented without any additional signaling for even additional parameters in existing signaling message.