Abstract: A network may authenticate a user equipment (UE) to access an edge data network. The network generates a first credential based on a second credential, the second credential generated for a procedure between the UE and a cellular network corresponding to the network component, receives an identifier associated with the first credential from a further network component in response to the UE transmitting an application registration request to a server associated with an edge data network and retrieves the first credential based on the identifier. The network also receives a multi-access edge computing (MEC) authorization parameter, verifies the MEC authorization parameter and transmits an authentication verification response to a second network component.

Abstract: A digital letter of approval (DLOA) is used by a subscription manager (SM) server to determine whether a device is compliant with requirements for an application to be provisioned. If the device is compliant, the application is provisioned to the device or to an embedded universal integrated circuit card (eUICC) included in the device. To increase the security of the device DLOA, the device DLOA is linked to the eUICC, in some embodiments. The linkage may be based on one or more platform label fields in the device DLOA. A database is consulted, in some embodiments, to confirm a relationship between the device and the eUICC identified in the device DLOA. In some embodiments, the eUICC signs the device DLOA and the device DLOA with eUICC signature is sent to the SM server. In some embodiments, the device provides a device signature on the DLOA independent of the eUICC.

Abstract: Embodiments described herein relate to eligibility checking for transfer of one or more electronic subscriber identity modules (eSIMs) between two mobile wireless devices. Eligibility to transfer an eSIM to an eUICC of a target device can depend on whether the eUICC of the target device satisfies certain security requirements for the eSIMs to be transferred. The mobile wireless devices can obtain a transfer eligibility result based on communication with one or more network-based servers that can determine compatibility for eSIM transfer.

Abstract: This Application sets forth techniques for managing communication with wireless devices that have been flagged due to certain activity. In particular, the techniques effectively eliminate unnecessary interactions and enable enhanced user feedback when wireless devices that have been flagged are attempting to interact with mobile network operators (MNOs). The techniques can be implemented by a variety of entities to achieve different and efficient results under various scenarios. Such entities can include, for example, i) equipment identity registries that track unique identifiers of wireless devices that have been flagged due to certain activity, ii) MNO servers, such as SM-DP+ servers, and iii) wireless devices.

Abstract: The present application relates to devices and components including apparatus, systems, and methods for secured user equipment communications over a user equipment relay. In some embodiments, symmetric or asymmetric encryption may be used for the secured user equipment communications.

Abstract: Apparatuses, systems, and methods for a wireless device to perform substantially concurrent communications with a next generation network node and a legacy network node. The wireless device may be configured to stablish a first wireless link with a first cell according to a RAT, where the first cell operates in a first system bandwidth and establish a second wireless link with a second cell according to a RAT, where the second cell operates in a second system bandwidth. Further, the wireless device may be configured to perform uplink activity for both the first RAT and the second RAT by TDM uplink data for the first RAT and uplink data for the second RAT if uplink activity is scheduled according to both the first RAT and the second RAT.

Abstract: This disclosure relates to techniques, base stations, and user equipment devices (UEs) for performing base station authentication through access stratum signaling transmissions. The UE may operate in idle mode and may receive an authentication message from a base station through the wireless interface while operating in idle mode. The UE may determine whether a signature comprised within the authentication message is valid, and the UE may continue a connection procedure with the base station based on a determination that the signature is valid. If it is determined that the signature is invalid, the UE may designate the base station as a barred base station and may perform cell re-selection. The authentication message may be one of a radio resource control (RRC) connection setup message, a special RRC message, a media access control (MAC) message, or a random access channel (RACH) message comprising a random access response (RAR) message.

Abstract: Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key KFB or trusted asymmetric fallback public key PKFB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCIFB for communication of messages with the unauthenticated network entity.

Abstract: Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PKID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PKPKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SKID obtained from the PKG server, which generates the identity-based private key SKID using (i) the ID value of the network entity and (ii) a private key SKPKG that is known only by the PKG server and corresponds to the public key PKPKG.

Abstract: TDD configuration may be dynamically and/or semi-statically signaled to user equipment devices by a base station. Semi-static TDD configuration may include: an initial portion for downlink transmission; a flexible portion; and a terminal portion for uplink transmission. TDD structure of the flexible portion may be determined later by transmission of dynamic physical layer configuration information such as downlink control information (DCI) and/or slot format indicator (SFI). (The SFI may be included in a group common PDCCH of a slot.) The downlink portion and/or the uplink portion may include subsets whose nominal transmit direction is subject to override by transmission of dynamic physical layer configuration information.

Abstract: The described embodiments set forth techniques for securely transferring a cellular wireless service subscription associated with an electronic subscriber identity module (eSIM) profile from a source wireless device to a target wireless device via communication with servers of a mobile network operator (MNO). An MNO provisioning server encrypts an activation code, used for transfer of the cellular wireless service subscription, with a session key generated based on a one-time-use eUICC public key and a one-time-use server private key. The encrypted activation code is protected from malicious third parties, as only the eUICC of the source wireless device can perform the decryption required by generating an identical session key to recover the activation code. The eUICC of the source wireless device deletes the eSIM profile from the eUICC before providing the activation code to the target wireless device to protect against eSIM profile cloning.

Abstract: A downlink control information (DCI), such as a blanking DCI (bDCI) message may be transmitted by a base station (e.g., eNB) and received by a mobile device (e.g., UE). The bDCI may indicate that the eNB will not transmit a subsequent DCI to the UE for a duration of time. The UE may be in continuous reception mode or connected discontinuous reception (C-DRX) mode. The UE may therefore determine to enter a sleep state or take other action. The bDCI may specify an explicit blanking duration, or an index indicating a blanking duration from a lookup table, and/or the blanking duration (and/or a blanking duration offset value) may be determined in advance, e.g., semi-statically. When the UE is in C-DRX mode, the UE may be configured such that either the sleep/wake period of the C-DRX mode or the blanking period of the bDCI may take precedence over the other.

Abstract: Apparatuses, systems, and methods for a wireless device to perform substantially concurrent communications with a next generation network node and a legacy network node. The wireless device may be configured to stablish a first wireless link with a first cell according to a RAT, where the first cell operates in a first system bandwidth and establish a second wireless link with a second cell according to a RAT, where the second cell operates in a second system bandwidth. Further, the wireless device may be configured to perform uplink activity for both the first RAT and the second RAT by TDM uplink data for the first RAT and uplink data for the second RAT if uplink activity is scheduled according to both the first RAT and the second RAT.

Abstract: Embodiments are presented herein of apparatuses, systems, and methods for utilizing a flexible slot indicator in wireless communication. A base station (BS) may establish communication with a first user equipment device (UE). The BS may determine a transmission direction for each of a plurality of symbols included in one or more slots. The BS may transmit a slot format indicator (SFI) to the UE. The SFI may indicate the transmission direction for each of the plurality of symbols included in one or more slots. The BS and the UE may perform communication during the one or more slots according to the determined transmission direction.

Abstract: Systems, apparatuses, methods, and program products to provision a user plane (UP) security policy at a granularity level that is per data radio bearer (DRB) within a protocol data unit (PDU) session or per quality of service (QoS) flow within one or more DRB of the PDU session.

Abstract: A downlink control information (DCI), such as a blanking DCI (bDCI) message may be transmitted by a base station (e.g., eNB) and received by a mobile device (e.g., UE). The bDCI may indicate that the eNB will not transmit a subsequent DCI to the UE for a duration of time. The UE may be in continuous reception mode or connected discontinuous reception (C-DRX) mode. The UE may therefore determine to enter a sleep state or take other action. The bDCI may specify an explicit blanking duration, or an index indicating a blanking duration from a lookup table, and/or the blanking duration (and/or a blanking duration offset value) may be determined in advance, e.g., semi-statically. When the UE is in C-DRX mode, the UE may be configured such that either the sleep/wake period of the C-DRX mode or the blanking period of the bDCI may take precedence over the other.

Abstract: Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (Ks) is re-wrapped with a new header that includes a version of Ks encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.

Abstract: Embodiments described herein relate to eligibility checking for transfer of one or more electronic subscriber identity modules (eSIMs) between two mobile wireless devices. Eligibility to transfer an eSIM to an eUICC of a target device can depend on whether the eUICC of the target device satisfies certain security requirements for the eSIMs to be transferred. The mobile wireless devices can obtain a transfer eligibility result based on communication with one or more network-based servers that can determine compatibility for eSIM transfer.

Abstract: Systems and methods for facilitating transfer of an eSIM subscription from a source device to a target device. In one embodiment, a source device includes a transceiver and a processor system. The processor system includes an eUICC configured to store an eSIM associated with an eSIM subscription. The processor system is configured to transmit, via the transceiver and to an eSIM subscription manager server, a request for an eSIM subscription transfer activation code; receive, via the transceiver and at least partly in response to the request, a server nonce; generate a signed payload using the server nonce and source device information; transmit, via the transceiver and to the eSIM subscription manager server, the signed payload; receive, via the transceiver and in response to transmitting the signed payload, the eSIM subscription transfer activation code; and provide the eSIM subscription transfer activation code to the target device or a user thereof.

Abstract: Techniques are disclosed relating to authenticating a user with a mobile device. In some embodiments, a computing device stores a first signed attestation indicating an ability of the computing device to securely perform a user authentication. The computing device receives a request to store credential information of an identification document issued by an issuing authority to a user for establishing an identity of the user. In response to the request, the computing device sends, to the issuing authority, a request to store the credential information, the sent request including the first signed attestation to indicate an ability to perform a user authentication prior to permitting access to the credential information. In response to an approval of the sent request based on the first signed attestation, the computing device stores the credential information in a secure element of the computing device.