Abstract: Techniques for authentication and key management for applications (AKMA) in a communication network are disclosed. For example, a method comprises receiving an indication from an application function that a first expiry time of a first application function key, generated using a first random value and configured to enable user equipment to participate in a session with the application function, has expired. The method generates a second application function key for the application function, using a second random value, with a second expiry time.

Abstract: A user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for a given authentication scenario.

Abstract: Techniques for securing an identifier of user equipment for a request external to a communication network are disclosed. For example, a method comprises receiving, at a network entity, a request for identification information for user equipment from an entity external to a communication network to which the network entity belongs. The network entity generates a secure identifier for the user equipment, wherein the secure identifier comprises an encrypted form of a public subscription identifier associated with the user equipment. The network entity sends the secure identifier to the external entity. The network entity receives the secure identifier in a subsequent request from the external entity. The network entity utilizes the received secure identifier to confirm the received secure identifier corresponds to the user equipment.

Abstract: A method for managing memory for applications in a computing system includes receiving a selection of a preferred application. During user-controlled operation over the application, the transitions of selected application between foreground and background are monitored. A retention of the application in memory is triggered upon a transition of the application to background during the user operation. Retention of the application includes compressing memory portions of the application. Accordingly, the application is retained within the memory based on said compressed memory portions. A requirement to restore the retained application is sensed based on either a user selection or an automatically generated prediction and the application is restored from the retained state back to the foreground.

Abstract: The proposed systems and methods provide a fixed set of intelligent, general APIs to manage access to enterprise data stored in a cloud-based data lake. These systems and methods allow a fixed set of APIs to respond to all queries regarding the stored enterprise data by using a cached reference table that locates the container and document in which the requested data is held. The proposed systems and methods provide a framework for a minimal API service code with the capacity for responding to dynamic queries while maintaining stringent privacy control protections.

Abstract: At given user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the given user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the given user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for the given authentication scenario.

Abstract: Systems, methods, apparatuses, and computer program products directed to next generation (e.g., 5G systems) key set identifier(s) are provided. One method includes requesting, by a network node, authentication of a user equipment with an authentication server, receiving a master key and authentication parameters/vectors from the authentication server when authorization is successful, and verifying validity of the authentication request. When the verification is successful, the method may further include instantiating a security context for the user equipment and assigning a security context identifier for next generation system security context to the user equipment, and then sending a security mode command message to instruct the user equipment to instantiate security context using the security context identifier.

Abstract: Systems, methods, apparatuses, and computer program products for creation of a PCS connection between the remote user equipment (UE) and the relay UE. The remote UE may provide its identifier (e.g., a subscription concealed identifier (SUCI)) to the relay UE and the relay UE may forward this identifier to the network so that the network can authenticate the remote UE. The network may check the authorization of using the relay UE and/or for relaying the remote UE (e.g., both the remote UE and the relay UE may be checked for a configuration that permits the relaying). For the authentication and authorization, the access and mobility management function (AMF) associated with the relay UE may forward the messages between the remote UE and the authentication server function (AUSF) of the remote UE. In this way, certain embodiments described herein may address certain security issues related to relaying a remote UE.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, and wherein one of the first and second security edge protection proxy elements is a sending security edge protection proxy element and the other of the first and second security edge protection proxy elements is a receiving security edge protection proxy element, the receiving security edge protection proxy element receives a message from the sending security edge protection proxy element. The receiving security edge protection proxy element detects one or more error conditions associated with the received message. The receiving security edge protection proxy element determines one or more error handling actions to be taken in response to the one or more detected error conditions.

Abstract: Techniques for preventing rogue network functions in a communication network are provided. For example, a method comprises obtaining information identifying one or more network entities suspected of malicious activity operating within the communication network, causing a re-authorization of the one or more network entities suspected of malicious activity, and in response to a re-authorization failure of at least one of the one or more network entities suspected of malicious activity, causing one or more remedial actions to occur within the communication network to prevent the at least one network entity that failed re-authorization from accessing other network entities in the communication network.

Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.

Abstract: Techniques for detecting and isolating rogue network entities in a communication network are provided. For example, a method comprises receiving from at least one network entity in a communication network a message identifying one or more network entities suspected of malicious activity operating within the communication network, and initiating one or more remedial actions within the communication network to prevent the one or more network entities suspected of malicious activity operating within the communication network from accessing other network entities in the communication network.

Abstract: Example embodiments of the present disclosure relate to partial integrity protection in telecommunication systems. According to embodiments of the present disclosure, there is provided a solution for implementing partial integrity protection. The terminal device receives configuration of the partial integrity protection and applies the integrity protection on a portion of data packets which are communicated between communication devices. In this way, the communication devices can always provide integrity protection for services, regardless of their bit rate. Thus, security of communication can be improved. It also allows to provide integrity protection with limited impacts to power consumption and overheating.

Abstract: Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.

Abstract: An apparatus and a method for reallocation of global unique temporary identifier (GUTI) in 5G networks are disclosed. The method includes receiving, at a user equipment, a first message from a network, the first message including a first global unique temporary identifier and additional information, at least the first global unique temporary identifier being as-signed to the user equipment; receiving a first data transmission including the first global unique temporary identifier from the network; in response to receiving the first data transmission, deriving, at the user equipment, a second global unique temporary identifier based on the first global unique temporary identifier and the additional information; and receiving a second data transmission including the second global unique temporary identifier from the network.

Abstract: Techniques for providing a secure clock source in a communication network are disclosed. For example, a method comprises participating in a bi-directional authentication with a network entity in a communication network, sending a clock service request message to the network entity, receiving a clock service accept message in response to the clock service request message when the apparatus is eligible to use a clock service, and receiving one or more secure clock signals from the network entity. Another method comprises participating in a bi-directional authentication with a requesting device in a communication network, receiving a clock service request message from the requesting device, verifying the eligibility of the requesting device to request a clock service, and sending one or more secure clock signals to the requesting device in response to successfully verifying the requesting device.

Abstract: A fiber distribution hub includes an enclosure defining an interior region and a frame body having a longitudinal axis. The frame body is rotatably mounted within the interior region of the enclosure such that the frame body can rotate about the longitudinal axis relative to the enclosure between a first terminal angular position and a second terminal angular position. The frame body is rotatably mounted within the interior region of the enclosure also such that the entire frame body remains within the interior region as the frame body rotates between the first terminal angular position and the second terminal angular position. The fiber distribution hub also includes a splitter coupled to the frame body and having a splitter input and a splitter output.

Abstract: A method, apparatus and computer program product may be provided for signaling-based remote provisioning and updating of protection policy information in a SEPP of a visited network. A method may include obtaining, at a home network node (hSEPP), protection policy information from a local repository in a home network or via configuration. The hSEPP is a network node at a boundary of the home netowork, and the home network is a public land mobile network (hPLMN). The method includes distributing, via a signaling interface, the protection policy information to a visited network node (vSEPP) within a visited network (vPLMN). The vSEPP is a network node at a boundary of a second network. The protection policy information includes information regarding protection of signaling messages addressed for network functions (NFs) hosted in the hPLMN and is configured for enabling the vSEPP to selectively protect outgoing messages to hSEPP in the home network.

Abstract: Systems, methods, apparatuses, and computer program products for dynamically updating routing identifiers (IDs) are provided. One method may include deciding, at a network node, to update a routing identifier for at least one user equipment. The method may then include obtaining or generating a new routing identifier to be assigned to the at least one user equipment along with authentication vectors, and transmitting the new routing identifier to an authentication entity.

Abstract: Techniques for securing mobile-terminated messages are disclosed. In one example, a method comprises receiving, at user equipment, a concealed message from a communication network with which the user equipment is in an idle state. The method de-conceals the concealed message, at the user equipment, to obtain at least one indicator value using at least a security value previously agreed upon with the communication network. The method generates a decision, at the user equipment, with respect to the idle state based on the obtained at least one indicator value. In one example, the at least one indicator value comprises a paging cause value.