Abstract: Network equipment is configured for use in one of multiple different core network domains of a wireless communication system. The network equipment is configured to receive a message that has been, or is to be, transmitted between the different core network domains. The network equipment is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy. The protection policy includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment is also configured to forward the message, with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: A wireless device requests a network slice from a network by, first, identifying at least one network slice to be requested. Based on a mapping method that is specific to the wireless device, the wireless device forms a slice pseudonym for the or each network slice to be requested. The wireless device then transmits a request message to the network, wherein the request message comprises the or each slice pseudonym. The network node receives the request message sent by the wireless device, wherein the request message comprises at least one slice pseudonym. Based on a mapping method that is used by the wireless device and that is specific to the wireless device, the network node identifies at least one requested network slice from the or each received slice pseudonym. The network node then permits use of the requested network slice.

Abstract: Network equipment (300, 400) is configured for use in one of multiple different core network domains of a wireless communication system (10). The network equipment (300, 400) is configured to receive a message (60) that has been, or is to be, transmitted between the different core network domains. The network equipment (300, 400) is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy (80). The protection policy (80) includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment (300, 400) is also configured to forward the message (60), with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message (60).

Abstract: Methods and network equipment in a core network for intercepting protected communication between core network (CN) network functions (NFs). A method performed by network equipment in a core network may include establishing a first connection with a first NF for which the network equipment serves as a proxy and establishing, on behalf of the first NF, a second connection that is towards a second NF and that is secure. The method may also include selectively forwarding communication between the first and second NFs over the first and second connections, including transmitting and/or receiving the communication on behalf of the first NF over the second connection. The method may further include intercepting the communication that the network equipment selectively forwards between the first and second NFs.

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: A method performed by a UE. The method incudes generating a SUCI comprising: i) an encrypted part in which a Mobile Subscription Identification Number of a SUPI is encrypted and ii) a clear-text part comprising: a) a Mobile Country Code of the SUPI, b) a Mobile Network Code of the SUPI, c) a public key identifier for a public key of a home network of the user equipment, and d) an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the Mobile Subscription Identification Number in the SUCI. The method also includes transmitting the SUCI to an authentication server in the home network for forwarding of the SUCI to a de-concealing server capable of decrypting the Mobile Subscription Identification Number.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: A wireless device requests a network slice from a network by, first, identifying at least one network slice to be requested. Based on a mapping method that is specific to the wireless device, the wireless device forms a slice pseudonym for the or each network slice to be requested. The wireless device then transmits a request message to the network, wherein the request message comprises the or each slice pseudonym. The network node receives the request message sent by the wireless device, wherein the request message comprises at least one slice pseudonym. Based on a mapping method that is used by the wireless device and that is specific to the wireless device, the network node identifies at least one requested network slice from the or each received slice pseudonym. The network node then permits use of the requested network slice.

Abstract: A method performed by an authentication server for provisioning a user equipment (1), UE. The method comprises: obtaining a message authentication code, MAC, based on a provisioning key specific to the UE to the UE and a privacy key of a home network (3) of the UE, wherein the provisioning key is a shared secret between the authentication server (14) and the UE and the privacy key comprises a public key of the home network; and transmitting the privacy key and the MAC to the UE. Methods performed by a de-concealing server and the UE, respectively are also disclosed as well as authentication servers, de-concealing servers and UEs. A computer program and a memory circuitry (13) are also disclosed.

Abstract: A wireless device requests a network slice from a network by, first, identifying at least one network slice to be requested. Based on a mapping method that is specific to the wireless device, the wireless device forms a slice pseudonym for the or each network slice to be requested. The wireless device then transmits a request message to the network, wherein the request message comprises the or each slice pseudonym. The network node receives the request message sent by the wireless device, wherein the request message comprises at least one slice pseudonym. Based on a mapping method that is used by the wireless device and that is specific to the wireless device, the network node identifies at least one requested network slice from the or each received slice pseudonym. The network node then permits use of the requested network slice.

Abstract: The disclosure relates to methods of validating a SUCI implemented by a network node in a mobile network. The network node receives a message including the SUCI. Responsive to receipt of the message, the network node obtains a first set of encryption parameters used to generate the SUCI. The network node uses the first set of encryption parameters to de-conceal the SUCI to obtain subscription information associated with a subscription. Subsequently, the network node obtains a second set of encryption parameters associated with the subscription using the subscription information and validates the SUCI based on the second set of encryption parameters. As one example, the network node validates the SUCI by comparing the first set of encryption parameters to the second set of encryption parameters and determining if there is a match.

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: A method performed by an authentication server in a home network of a UE for obtaining a subscription permanent identifier, SUPI. The method comprises: receiving a SUCI which comprises an encrypted part in which at least a part of the SUPI is encrypted, and a clear-text part which comprises a home network identifier and an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the SUPI in the SUCI; determining a de-concealing server to use to decrypt the encrypted part of the SUCI; sending the SUCI to the de-concealing server; and receiving the SUPI in response. Methods performed by a UE and a de-concealing server are also disclosed. Furthermore, UEs, de-concealing servers, authentication servers, computer program and a memory circuitry are also disclosed.

Abstract: A method performed by an authentication server for provisioning a user equipment (1), UE. The method comprises: obtaining a message authentication code, MAC, based on a provisioning key specific to the UE to the UE and a privacy key of a home network (3) of the UE, wherein the provisioning key is a shared secret between the authentication server (14) and the UE and the privacy key comprises a public key of the home network; and transmitting the privacy key and the MAC to the UE. Methods performed by a de-concealing server and the UE, respectively are also disclosed as well as authentication servers, de-concealing servers and UEs. A computer program and a memory circuitry (13) are also disclosed.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: Methods and network equipment in a core network for intercepting protected communication between core network (CN) network functions (NFs). A method performed by network equipment in a core network may include establishing a first connection with a first NF for which the network equipment serves as a proxy and establishing, on behalf of the first NF, a second connection that is towards a second NF and that is secure. The method may also include selectively forwarding communication between the first and second NFs over the first and second connections, including transmitting and/or receiving the communication on behalf of the first NF over the second connection. The method may further include intercepting the communication that the network equipment selectively forwards between the first and second NFs.

Abstract: The disclosure provides techniques for negotiating security mechanisms between security gateways (102A, 102B). In these techniques, an initiating security gateway (102A) sends (302) a request message to a responding security gateway (102B) over a first connection established between the security gateways. The first connection provides integrity protection for 5 the messages. The request message includes one or more security mechanisms supported by the initiating security gateway. Upon receipt, the responding security gateway selects (406) one of the security mechanisms and transmits (408) a response message to the initiating security gateway indicating the selected security mechanism. Signaling messages are then communicated (310, 412) between the security gateways using the selected security 10 mechanism.