Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: A method may include receiving, at a network device, a registration request that comprises a subscription concealed identifier (SUCI) associated with a particular user equipment (UE) device. The network device determines whether the SUCI indicates a request for null-scheme network access; and retrieves a scheme authorization parameter for the UE device when it is determined that the SUCI indicates a request for null-scheme network access. The scheme authorization parameter indicates whether the UE device is authorized for null-scheme access to a service provider network. The network device determines whether the UE device is authorized for null-scheme network access based on the retrieved scheme authorization parameter and performs processing associated with null-scheme network access when it is determined that the particular UE device is authorized for null-scheme network access.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: Systems and methods described herein enforce access controls for network slices via proxy in a secure enclave of a user equipment (UE) device. A UE device executes, in a rich execution environment (REE), a function or application designated for using one or more secure network slices of a telecommunications network. The UE device executes, in a trusted execution environment (TEE), a slice admission control proxy (SACP) to perform admission control for the one or more secure network slices, and forces network traffic for the function or application through the SACP.

Abstract: A network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: A device may receive, from a network device, a user equipment (UE) parameter update request notification indicating an update to a UE parameter of a universal subscriber identity module (USIM), and may generate an encrypted UE parameter update request. The device may cause the encrypted UE parameter update request to be provided to the USIM to cause the USIM to update the UE parameter and to generate an encrypted UE parameter update response. The device may receive, from the network device, the encrypted UE parameter update response, and may verify an authenticity of content of the encrypted UE parameter update response based on whether the encrypted UE parameter update response is signed by the USIM. The device may provide, to the network device, a result indicating whether the UE parameter is updated and whether the authenticity of the content of the encrypted UE parameter update response is verified.

Abstract: Systems and methods described herein enforce access controls for network slices via proxy in a secure enclave of a user equipment (UE) device. A UE device executes, in a rich execution environment (REE), a function or application designated for using one or more secure network slices of a telecommunications network. The UE device executes, in a trusted execution environment (TEE), a slice admission control proxy (SACP) to perform admission control for the one or more secure network slices, and forces network traffic for the function or application through the SACP.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: A telecommunications network includes a serving network and a home network. In some examples the serving network receives, from the home network, identity data associated with a network terminal. The serving network determines a tied key using a tying key derivation function (TKDF) based on the identity data, then prepares an authentication request based on the tied key and sends the request to the terminal. In some examples, the home network receives the identity data from the access network and determines a tied key using a TKDF. The home network then determines a confirmation message based on the first tied key. In some examples, the serving network receives the identity data from the home network, and receives a network-slice selector associated with the network terminal. The serving network determines a tied key using a TKDF based on the identity data and the network-slice selector.

Abstract: A network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.

Abstract: A device may receive, from a network device, a user equipment (UE) parameter update request notification indicating an update to a UE parameter of a universal subscriber identity module (USIM), and may generate an encrypted UE parameter update request. The device may cause the encrypted UE parameter update request to be provided to the USIM to cause the USIM to update the UE parameter and to generate an encrypted UE parameter update response. The device may receive, from the network device, the encrypted UE parameter update response, and may verify an authenticity of content of the encrypted UE parameter update response based on whether the encrypted UE parameter update response is signed by the USIM. The device may provide, to the network device, a result indicating whether the UE parameter is updated and whether the authenticity of the content of the encrypted UE parameter update response is verified.

Abstract: A method may include receiving, at a network device, a registration request that comprises a subscription concealed identifier (SUCI) associated with a particular user equipment (UE) device. The network device determines whether the SUCI indicates a request for null-scheme network access; and retrieves a scheme authorization parameter for the UE device when it is determined that the SUCI indicates a request for null-scheme network access. The scheme authorization parameter indicates whether the UE device is authorized for null-scheme access to a service provider network. The network device determines whether the UE device is authorized for null-scheme network access based on the retrieved scheme authorization parameter and performs processing associated with null-scheme network access when it is determined that the particular UE device is authorized for null-scheme network access.

Abstract: A device may receive, from a network device, a user equipment (UE) parameter update request notification indicating an update to a UE parameter of a universal subscriber identity module (USIM), and may generate an encrypted UE parameter update request. The device may cause the encrypted UE parameter update request to be provided to the USIM to cause the USIM to update the UE parameter and to generate an encrypted UE parameter update response. The device may receive, from the network device, the encrypted UE parameter update response, and may verify an authenticity of content of the encrypted UE parameter update response based on whether the encrypted UE parameter update response is signed by the USIM. The device may provide, to the network device, a result indicating whether the UE parameter is updated and whether the authenticity of the content of the encrypted UE parameter update response is verified.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: Systems and methods for provisioning user privacy parameters necessary for network security in 5G telecommunication networks are provided, such as the subscriber permanent identifier (SUPI), the routing indicator, the protection scheme identifier, or the home network key. In order to protect the user privacy parameters, the techniques disclosed herein use private and public key encryption, as well as integrity protection offered by 5G telecommunications protocols. Such techniques use registration response messages, update location requests, or update notification request messages to provide end-to-end or end-to-middle security in the provisioning process. Unlike existing over-the-air (OTA) techniques, the techniques described herein provision user privacy parameters or other similar data in a secure and verifiable manner.

Abstract: The systems, devices, and methods discussed herein are directed to a portable communication device, or a user equipment (UE), for obtaining cellular network services with an unassociated cellular network with assistance from a wireless local area network (WLAN). The UE registers with the WLAN, discovers the unassociated cellular network, sends request to a WLAN service provider of the WLAN to obtain cellular network services with the unassociated cellular network, and obtains cellular network services with the unassociated cellular network.

Abstract: A network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.

Abstract: A method performed by an AP may comprise initializing a CCC and increasing the CCC upon a change of at least one of a plurality of parameters of the AP. The plurality of parameters may include at least a high throughput (HT) Operation element, one or more Enhanced Distributed Channel Access (EDCA) parameters, or one or more operational mode parameters. The method may further comprise transmitting a frame, to at least one STA, wherein the frame includes an indication of the CCC, and the frame indicates that the at least one STA return from a power saving mode.