Patents by Inventor Vesa Lehtovirta

Vesa Lehtovirta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11968529
    Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: April 23, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Patrik Salmela, Per Ståhl, Kristian Slavov, Vesa Lehtovirta
  • Patent number: 11963000
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: February 10, 2023
    Date of Patent: April 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Publication number: 20240107317
    Abstract: A communication device (2) obtains a subscription identifier (50) that identifies a subscription to a first communication network (10). The subscription identifier (50) includes a first network identifier (52) that identifies the first communication network (10) and includes a second network identifier (54) that identifies a second communication network serving the first communication network (10). In some embodiments, the subscription identifier (50) conceals the first network identifier (52). Alternatively or additionally, the subscription identifier (50) is an International Mobile Subscriber Identity, IMSI, or is a Network Access Identifier, NAI, that includes the first network identifier (52) in a username part of the NAI. Regardless, the communication device (2) transmits the subscription identifier (50).
    Type: Application
    Filed: December 28, 2020
    Publication date: March 28, 2024
    Inventors: Patrik Salmela, Vesa Lehtovirta
  • Publication number: 20240107297
    Abstract: A communication device (2) generates a cryptographic key (20K) as a function of information (20B) bound to an intermediate communication network (20) via which the communication device (2) authenticates a subscription to a subscribed communication network (10). Here, the communication device (2) is served by a serving communication network (30) that differs from the intermediate communication network (20). The communication device (2) protects communication for the communication device (2) based on the generated cryptographic key (20K).
    Type: Application
    Filed: December 28, 2020
    Publication date: March 28, 2024
    Inventors: Vesa Lehtovirta, Patrik Salmela
  • Publication number: 20240107288
    Abstract: A first network node (20N) in a first communication network (20) transmits information to a second network node (10N) in a second communication network (10). The information indicates a third communication network (30) is in a control signaling path (15) between a communication device (2) and the second communication network (10). In some embodiments, the first network node (20N) and/or the second network node (10N) may apply one or more policies based on the information, e.g., whether to authenticate a subscription of the communication device (2) to the second communication network (10).
    Type: Application
    Filed: December 28, 2020
    Publication date: March 28, 2024
    Inventors: Patrik Salmela, Vesa Lehtovirta
  • Patent number: 11924634
    Abstract: Methods of operating a user equipment (UE) in a mobile communication network are disclosed. An authentication process start message may be transmitted from the UE to the mobile communication network, wherein the authentication process start message includes an identifier for the UE. After transmitting the authentication process start message from the UE, a request commit message may be received from the mobile communication network. Responsive to receiving the request commit message, a response commit message may be transmitted to the mobile communication network. After transmitting the response commit message, an authentication challenge message may be received corresponding to the authentication process start message. Related methods of operating network nodes are also discussed.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: March 5, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Jari Arkko, Vesa Lehtovirta
  • Publication number: 20240073686
    Abstract: A method may be provided at a wireless terminal to support communications with a network node of a wireless communication network. An IKE SA may be initiated to establish a NAS connection between the wireless terminal and the network node through a non-3GPP access network and a non-3GPP interworking function network node. After initiating the IKE SA, an IKE authorization request may be transmitted through the non-3GPP access network to the N3IWF network node, with the IKE authorization request including an identifier of the wireless terminal. An access network key may be derived for the NAS connection through the non-3GPP access network at the wireless terminal, with the access network key being derived based on a NAS count for the wireless terminal and an anchor key. An IKE authorization response corresponding to the IKE authorization request may be received.
    Type: Application
    Filed: November 7, 2023
    Publication date: February 29, 2024
    Inventors: Noamen Ben Henda, Vesa Lehtovirta, Mikael Wass, Monica Wifvesson
  • Publication number: 20240073691
    Abstract: A method for a user equipment (UE) to obtain security credentials for accessing a non-public network (NPN) is provided. The method comprises sending, to an onboarding network (ON), a registration request that includes an identifier of the UE, and obtaining an indication of a credential provisioning protocol (CPP) used by a provisioning server (PS) for provisioning security credentials to access the NPN. The method further comprises obtaining, from the PS via the ON using the indicated CPP, security credentials for the UE to access the NPN.
    Type: Application
    Filed: February 7, 2022
    Publication date: February 29, 2024
    Inventors: Vesa Lehtovirta, Christine Jost, Helena Vahidi Mazinani
  • Patent number: 11917073
    Abstract: A message authentication code, for a message transmitted and received over a communications network, is formed by applying inputs to an integrity algorithm acting on the message. The inputs comprise: an integrity key; a value indicating a transfer direction; and a frame-dependent integrity input, wherein the frame-dependent integrity input is a frame-dependent modulo count value that also depends on a random value and on a frame-specific sequence number.
    Type: Grant
    Filed: March 29, 2022
    Date of Patent: February 27, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Noamen Ben Henda, Qian Chen, Vesa Lehtovirta, Mats Näslund, Karl Norrman, Gang Ren, Mikael Wass, Monica Wifvesson
  • Patent number: 11916925
    Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.
    Type: Grant
    Filed: January 23, 2023
    Date of Patent: February 27, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Magnus Stattin, Vesa Lehtovirta, Prajwol Kumar Nakarmi, Dung Pham Van
  • Publication number: 20240064510
    Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session based on the response.
    Type: Application
    Filed: December 15, 2021
    Publication date: February 22, 2024
    Inventors: Ferhat Karakoc, Christine Jost, Cheng Wang, Vesa Lehtovirta, Vlasios Tsiatsis
  • Publication number: 20240031799
    Abstract: Communication equipment (4, 6) generates an inner subscription concealed identifier (10C). Generating the inner subscription concealed identifier (10C) includes concealing at least a part of a subscription identifier (10S) using cryptographic key material (10K) associated with a first communication network (10), e.g., a non-public network. The subscription identifier (10S) identifies a subscription to the first communication network (10). The communication equipment (4, 6) generates an outer subscription concealed identifier (20C). Generating the outer subscription concealed identifier (20C) includes concealing the inner subscription concealed identifier (10C) using cryptographic key material (20K) associated with a second communication network (20), e.g., a public network. The communication equipment (4, 6) transmits the outer subscription concealed identifier (20C).
    Type: Application
    Filed: December 28, 2020
    Publication date: January 25, 2024
    Inventors: Patrik Salmela, Vesa Lehtovirta
  • Publication number: 20230422104
    Abstract: A method performed by a target network node for interworking handover from an evolved packet system, EPS, to a fifth generation system, 5GS, in a mobile network is provided. The method includes receiving, from a source network node, a determined user plane, UP, encryption policy. The method further includes providing the determined UP encryption policy to a target radio access network node. Corresponding embodiments for methods performed by a source network node and a first target network node are also provided.
    Type: Application
    Filed: November 15, 2021
    Publication date: December 28, 2023
    Inventors: Monica Wifvesson, Vlasios Tsiatsis, Vesa Lehtovirta, Mikael Wass
  • Publication number: 20230422035
    Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.
    Type: Application
    Filed: September 13, 2023
    Publication date: December 28, 2023
    Inventors: Noamen Ben Henda, Helena Vahidi Mazinani, Vesa Lehtovirta
  • Patent number: 11849316
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Patent number: 11849319
    Abstract: A method may be provided at a wireless terminal to support communications with a network node of a wireless communication network. An IKE SA may be initiated to establish a NAS connection between the wireless terminal and the network node through a non-3GPP access network and a non-3GPP interworking function network node. After initiating the IKE SA, an IKE authorization request may be transmitted through the non-3GPP access network to the N3IWF network node, with the IKE authorization request including an identifier of the wireless terminal. An access network key may be derived for the NAS connection through the non-3GPP access network at the wireless terminal, with the access network key being derived based on a NAS count for the wireless terminal and an anchor key. An IKE authorization response corresponding to the IKE authorization request may be received.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: December 19, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Vesa Lehtovirta, Mikael Wass, Monica Wifvesson
  • Publication number: 20230403554
    Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
    Type: Application
    Filed: August 29, 2023
    Publication date: December 14, 2023
    Inventors: Noamen Ben Henda, David Castellanos Zamora, Monica Wifvesson, Vesa Lehtovirta
  • Publication number: 20230397000
    Abstract: A remote communication device can receive a discovery key; receive a communication key and a key identifier, ID, for the communication key; and discover a relay communication device. Discovering the relay communication device can include receiving an encrypted discovery message from the relay communication device and decrypting the encrypted discovery message using the discovery key. The remote communication device can further transmit a direct communication request to the relay communication device responsive to receiving and decrypting the encrypted discovery message from the relay communication device. The direct communication request can include the key ID for the communication key. The remote communication device can further receive an encrypted direct communication response from the relay communication device. Receiving the encrypted direct communication response can include decrypting the encrypted direct communication response.
    Type: Application
    Filed: October 26, 2021
    Publication date: December 7, 2023
    Inventors: Monica Wifvesson, Zhang Fu, Vesa Lehtovirta
  • Patent number: 11805410
    Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: October 31, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Helena Vahidi Mazinani, Vesa Lehtovirta
  • Patent number: 11799916
    Abstract: A method of operating a user equipment, UE, includes establishing a radio resource control, RRC, connection with a base station, following establishment of the RRC connection, sending an indication of a security capability of the UE to the base station, receiving a non-access stratum, NAS, message, from the base station, wherein the NAS message identifies a selected security algorithm, and generating the access stratum security key to be used with the selected security algorithm.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: October 24, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Lehtovirta, Christine Jost, Monica Wifvesson