Abstract: Security management techniques for roaming service authorization for communication systems are provided. In one or more methods, a first element or function in a visiting network of a communication system receives a first service discovery request from a second element or function in the visiting network for services provided by at least a third element or function in a home network of the communication system, sends a second service discovery request to a fourth element or function in the home network of the communication system responsive to authenticating the second element or function, receives from the fourth element or function a first service discovery response comprising an access token for the second element or function, and provides to the second element or function a second service discovery response comprising the access token, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: Privacy management techniques for communication systems are provided. In one or more methods, one or more cryptographic key pairs are provisioned in a home network of a communication system for utilization by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication system. The cryptographic key pairs are managed utilizing an element or function in the home network of the communication system. In one or more other methods, one or more public keys associated with one or more cryptographic key pairs are stored in user equipment, the cryptographic key pairs being provisioned by a home network of a communication system for use by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication network. An element or function of the home network of the communication system is interfaced for management of the public keys stored in the user equipment.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises configuring at least a given one of the first and second security edge protection proxy elements to determine whether to apply at least one security operation at the transport level for incoming packets based at least in part on source and destination networks for the incoming packets.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: In accordance with the occurrence of a mobility event whereby user equipment moves from accessing a source network to accessing a target network in a communication system environment, the user equipment sends a control plane message to the target network comprising an integrity verification parameter associated with the source network and an integrity verification parameter associated with the target network. By providing integrity verification parameters for both the source network and the target network in an initial message sent by the user equipment to the mobility management element of the target network, the mobility management element of the target network can verify the user equipment on its own or seek the assistance of the source network.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: Security management techniques for service authorization for communication systems are provided. In one or more methods, a first element or function in a home network of a communication system registers a second element or function in the home network as a service consumer of one or more services provided by at least a third element or function in the home network, receives a request from the second element or function, and provides an access token to the second element or function responsive to authenticating the second element or function, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises provisioning at least a given one of the first and second security edge protection proxy elements with configuration information that enables the given security edge protection proxy element to identify at least one security operation to be applied to at least one information element in a received message before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises configuring at least a given one of the first and second security edge protection proxy elements to determine whether to apply at least one security operation at the transport level for incoming packets based at least in part on source and destination networks for the incoming packets.

Abstract: Security management techniques for roaming service authorization for communication systems are provided. In one or more methods, a first element or function in a visiting network of a communication system receives a first service discovery request from a second element or function in the visiting network for services provided by at least a third element or function in a home network of the communication system, sends a second service discovery request to a fourth element or function in the home network of the communication system responsive to authenticating the second element or function, receives from the fourth element or function a first service discovery response comprising an access token for the second element or function, and provides to the second element or function a second service discovery response comprising the access token, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.

Abstract: In accordance with the occurrence of a mobility event whereby user equipment moves from accessing a source network to accessing a target network in a communication system environment, the user equipment sends a control plane message to the target network comprising an integrity verification parameter associated with the source network and an integrity verification parameter associated with the target network. By providing integrity verification parameters for both the source network and the target network in an initial message sent by the user equipment to the mobility management element of the target network, the mobility management element of the target network can verify the user equipment on its own or seek the assistance of the source network.

Abstract: A short message service (SMS) message is encrypted using an encryption key stored at a user equipment and an access and mobility management function (AMF) and the encrypted SMS message is added to a payload of a non-access stratum (NAS) message that includes an NAS header. Integrity protection is applied to the NAS message using an integrity key stored at the user equipment and the AMF and the integrity-protected NAS message is transmitted. The NAS message is received via an NAS link between the user equipment and the AMF. An integrity check is performed on the NAS message using the integrity key. An encrypted short message service (SMS) message is extracted from a payload of the NAS message in response to the integrity check being successful and the encrypted SMS message is decrypted using the encryption key.

Abstract: Privacy management techniques for communication systems are provided. In one or more methods, one or more cryptographic key pairs are provisioned in a home network of a communication system for utilization by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication system. The cryptographic key pairs are managed utilizing an element or function in the home network of the communication system. In one or more other methods, one or more public keys associated with one or more cryptographic key pairs are stored in user equipment, the cryptographic key pairs being provisioned by a home network of a communication system for use by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication network. An element or function of the home network of the communication system is interfaced for management of the public keys stored in the user equipment.