Patents by Inventor Abhijeet Ashok Kolekar
Abhijeet Ashok Kolekar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250234199
Abstract: An apparatus and system for onboarding based on UE default manufacturer credentials are described. A UE sends default manufacturer credentials and an indication to proceed with restricted onboarding to an onboarding non-public network (O-SNPN). An Onboarding Server validates the authenticity of the UE based on the manufacturer credentials and sends a certificate. The UE is provisioned with a set of roots of trust certificate information to use to authenticate the certificate using one way authentication. After authentication, the UE receives network credentials and performs mutual authentication to register with a NPN while being authenticated by a home network. The UE identity is indicated as anonymous in response to an indication by the O-SNPN for subscriber identifier privacy.
Type: Application
Filed: April 3, 2025
Publication date: July 17, 2025
Inventors: Abhijeet Ashok Kolekar, Alexandre Saso Stojanovski, Meghashree Dattatri Kedalagudde
-
Publication number: 20250220088
Abstract: An apparatus and system of providing a service registry function (SRF) and service discovery in a 6G system are described. Registration procedures are provided for a service instance on a user equipment (UE) or in the 6G system to register to the SRF with or without a service mesh. The SRF provides a list of service instances based on criteria in service discovery inquiries from the UE or network function (NF) and notifies a subscribed party about a status change of a particular service instance. The service discovery enables the UE to discover a computing service instance in the 6G system by control plane service discovery to find a service orchestration and chaining function (SOCF) and user plane service discovery to find the computing service instance.
Type: Application
Filed: April 27, 2023
Publication date: July 3, 2025
Inventors: Zongrui Ding, Qian Li, Xiaopeng Tong, Alexandre Saso Stojanovski, Thomas Luetzenkirchen, Sudeep K. Palat, Abhijeet Ashok Kolekar, Sangeetha L. Bangolae, Youn Hyoung Heo
-
Publication number: 20250184725
Abstract: Systems and methods are disclosed for enhancing cryptographic security in 5G networks by addressing key management, algorithm selection, and security context consistency. One method ensures uniform cryptographic key lengths during Access and Mobility Function (AMF) changes, maintaining consistent Non-Access Stratum (NAS) security contexts across transitions. Another method focuses on dual connectivity scenarios, ensuring uniform cryptographic key lengths across Master Node and Secondary Node communications by defining a unified cryptographic profile and enhancing capability signaling. Additionally, an entropy-based approach to cryptographic algorithm selection is introduced, incorporating entropy assessment into the capability signaling process. This ensures that selected cryptographic algorithms for Access Stratum (AS) and NAS layers align with the actual entropy of long-term keys, providing true security levels.
Type: Application
Filed: February 5, 2025
Publication date: June 5, 2025
Inventor: Abhijeet Ashok Kolekar
-
Patent number: 12284518
Abstract: An apparatus and system for onboarding based on UE default manufacturer credentials are described. A UE sends default manufacturer credentials and an indication to proceed with restricted onboarding to an onboarding non-public network (O-SNPN). An Onboarding Server validates the authenticity of the UE based on the manufacturer credentials and sends a certificate. The UE is provisioned with a set of roots of trust certificate information to use to authenticate the certificate using one way authentication. After authentication, the UE receives network credentials and performs mutual authentication to register with a NPN while being authenticated by a home network. The UE identity is indicated as anonymous in response to an indication by the O-SNPN for subscriber identifier privacy.
Type: Grant
Filed: January 7, 2022
Date of Patent: April 22, 2025
Assignee: Intel Corporation
Inventors: Abhijeet Ashok Kolekar, Alexandre Saso Stojanovski, Meghashree Dattatri Kedalagudde
-
Publication number: 20240422159
Abstract: An example method includes, based on a request from the third-party entity to join the edge network, initiating a Zero-Knowledge Proof (ZKP) protocol by generating a common reference string (CRS) to establish public parameters within the edge network; transmitting the CRS to the third-party entity and an authorization server; obtaining an authorization of the third-party entity from the authorization server, the authorization server authenticating the third-party entity based on a ZKP proof constructed by the third-party entity using the CRS and a private credential of the third-party entity; authorizing the third-party entity to join the edge network based on the authorization; and deploying a smart contract on a distributed ledger, wherein the smart contract specifies conditions under which the third-party entity is granted access to the edge network, and wherein the distributed ledger records transactions related to access permissions of the third-party entity.
Type: Application
Filed: August 30, 2024
Publication date: December 19, 2024
Inventors: Abhijeet Ashok Kolekar, Yi Zhang, Srikathyayani Srikanteswara, Dario Sabella
-
Publication number: 20240305982
Abstract: An apparatus and system are described for secure authentication and identification in trusted non-3GPP access networks. A temporary identifier is generated by a trusted non-3GPP gateway function (TNGF) and sent to a user equipment (UE) over an encrypted channel. The temporary identifier is unique and not associated with personally identifiable information of a user of the UE. The UE uses the temporary identifier to establish a secure connection with the TNGF.
Type: Application
Filed: May 2, 2024
Publication date: September 12, 2024
Inventor: Abhijeet Ashok Kolekar
-
Publication number: 20240214282
Abstract: An apparatus and system for traffic Steering for Service Function Chaining (SFC) are described. Different protocol stacks may be used to enable SFC for the user plane. The protocol stacks include: separate SFC service layer and transport protocols in which transport uses identifiers of different enhanced user plane functions (eUPFs) and communication (Comm) Service Functions (SFs), transport protocols that are integrated with SFC-related information in which a General Packet Radio Service Tunneling Protocol-user (GTP-U) header or a Segment Routing Header (SRH) has type-length-value (TLV) fields contains the SFC-related information, or an SFC inherent Segment Routing (SR) protocol stack in which first SFC-related information is carried as a locator: function field in Segment Routing Header (SRH) and second SFC-related information is contained in a type-length-value (TLV) field of the SRH, the first SFC-related information comprising a Comm SF and identification of SFs reachable from the Comm SF.
Type: Application
Filed: September 1, 2022
Publication date: June 27, 2024
Inventors: Zongrui Ding, Qian Li, Sangeetha L. Bangolae, Youn Hyoung Heo, Abhijeet Ashok Kolekar, Ching-YU Liao, Thomas Luetzenkirchen, Sudeep K. Palat, Alexandre Saso Stojanovski, Xiaopeng Tong
-
Patent number: 11963036
Abstract: An apparatus and system to enable dynamic offloading and execution of compute tasks are described. In split CU-DU RAN architectures, the CU-CP is connected with multiple compute control functions (CF) and service functions (SF) that have different computing hardware/software capabilities. Different architectures depend on whether the SF is collocated with the CU-UP, the CU-UP and SF only serve compute messages, a compute message is supplied directly to the CU-UP or also traverses the CU-CP. In response to reception from a UE of a compute message containing data for computation being sent to the CU-CP through the DU, the CU-CP sends the data to the SF with identifiers and sends the result to the UE.
Type: Grant
Filed: August 18, 2021
Date of Patent: April 16, 2024
Assignee: Intel Corporation
Inventors: Sangeetha L. Bangolae, Zongrui Ding, Youn Hyoung Heo, Puneet Jain, Abhijeet Ashok Kolekar, Qian Li, Ching-Yu Liao, Thomas Luetzenkirchen, Sudeep K. Palat, Alexandre Saso Stojanovski
-
Publication number: 20240121745
Abstract: An apparatus, method, and system are described for data transfer between a user equipment (UE) and Data Storage Function (DSF) in a 6G system. The data transfer occurs via a control and/or user plane using a data ID and data filter defined using data ID, metadata, data source, and labeling. User plane data transfer is based on a protocol data unit (PDU) or a standalone data session. The DSF provides data services by service application programming interfaces (APIs). A Service Infrastructure Control Function (SICF) configures routing policies to an evolved Service Communication Proxy User Plane (eSCP-U) to route data inquiries to the correct DSF using a service mesh.
Type: Application
Filed: December 13, 2023
Publication date: April 11, 2024
Inventors: Zongrui Ding, Qian Li, Alexandre Saso Stojanovski, Thomas Luetzenkirchen, Abhijeet Ashok Kolekar, Sudeep K. Palat, Youn Hyoung Heo, Sangeetha L. Bangolae, Xiaopeng Tong
-
Patent number: 11877149
Abstract: Systems and methods of protecting an initial NAS message are described. Depending on whether a security context for a serving PLMN is stored, the UE uses either a public key from the serving PLMN or a key from the security context to encrypt parts of the initial NAS message. An initial NAS message containing the encrypted parts is then sent to an AMF of the serving PLMN. The serving PLMN public key is transmitted via a SIB. Prior to transmission of the initial NAS message or in parallel with it, an RRC message is sent to the base station. The RRC message contains the UE identifier and/or a NSSAI encrypted using the serving PLMN public key.
Type: Grant
Filed: September 13, 2019
Date of Patent: January 16, 2024
Assignee: Apple Inc.
Inventors: Alexandre Saso Stojanovski, Robert Zaus, Farid Adrangi, Raimund Wloka, Abhijeet Ashok Kolekar, Ahmed Soliman
-
Patent number: 11863975
Abstract: Systems and methods of protecting an initial NAS message are described. The NAS message is encrypted using the home PLMN public key during initial registration with the network using a registration request message. An AMF of the serving PLMN sends a serving PLMN public key which is then used to encrypt information including an S-NSSAI of later initial NAS messages after initial registration is completed. The S-NSSAI may not be sent in the later initial NAS message if the S-NSSAI is provided at an access stratum level. The RRC message may contain an indication that the S-NSSAI is encrypted using the serving PLMN public key.
Type: Grant
Filed: October 30, 2019
Date of Patent: January 2, 2024
Assignee: Apple Inc.
Inventors: Alexandre Saso Stojanovski, Robert Zaus, Farid Adrangi, Raimund Wloka, Abhijeet Ashok Kolekar, Ahmed Soliman, Sudeep K. Palat
-
Publication number: 20230413041
Abstract: Systems and methods of protecting an initial NAS message are described. Depending on whether a security context for a serving PLMN is stored, the UE uses either a public key from the serving PLMN or a key from the security context to encrypt parts of the initial NAS message. An initial NAS message containing the encrypted parts is then sent to an AMF of the serving PLMN. The serving PLMN public key is transmitted via a SIB. Prior to transmission of the initial NAS message or in parallel with it, an RRC message is sent to the base station. The RRC message contains the UE identifier and/or a NSSAI encrypted using the serving PLMN public key.
Type: Application
Filed: August 29, 2023
Publication date: December 21, 2023
Inventors: Alexandre Saso STOJANOVSKI, Robert ZAUS, Farid ADRANGI, Raimund WLOKA, Abhijeet Ashok KOLEKAR, Ahmed SOLIMAN
-
Patent number: 11678191
Abstract: Packet protection is described. Data of a group of packets is concatenated with a security key and a sequence number of the packet. A hash mark of the concatenated data is calculated and sent with data or control information in a packet. If each packet has reserved bits, at least some of the packets each has data, at least a portion of the hash mark, and a header having: a first bit that indicates if the hash mark is present, and a second bit that indicates if the packet is used to determine the hash mark. Otherwise, a separate control packet is sent that contains the hash mark, a first sequence number of the group of packets, and a PDU type indicating that the control packet is an integrity protection packet for the group of PDCP packets.
Type: Grant
Filed: November 27, 2019
Date of Patent: June 13, 2023
Assignee: Apple Inc.
Inventors: Bharat Shrestha, Jaemin Han, Abhijeet Ashok Kolekar
-
Publication number: 20220330022
Abstract: An apparatus and system for onboarding based on UE default manufacturer credentials are described. A UE sends default manufacturer credentials and an indication to proceed with restricted onboarding to an onboarding non-public network (O-SNPN). An Onboarding Server validates the authenticity of the UE based on the manufacturer credentials and sends a certificate. The UE is provisioned with a set of roots of trust certificate information to use to authenticate the certificate using one way authentication. After authentication, the UE receives network credentials and performs mutual authentication to register with a NPN while being authenticated by a home network. The UE identity is indicated as anonymous in response to an indication by the O-SNPN for subscriber identifier privacy.
Type: Application
Filed: January 7, 2022
Publication date: October 13, 2022
Inventors: Abhijeet Ashok Kolekar, Alexandre Saso Stojanovski, Meghashree Dattatri Kedalagudde
-
Publication number: 20220078599
Abstract: Systems and methods of providing steering of roaming (SOR) information in a 5G VPLMN are described. A UE receives a REGISTRATION ACCEPT message from an AMF of the VPLMN during initial or mobility registration of the UE in the VPLMN and DL NAS TRANSPORT message thereafter. The message has a Payload container information element (IE) set to secured packet. The SOR information indicates a list of preferred PLMN/access technology combinations, which is uploaded to a memory after a successful security check to verify that the list of preferred PLMN/access technology combinations is provided by the UDM of the HPLMN and is not tampered with by the VPLMN. When the message also contains a request for acknowledgment of successful security check of the list of preferred PLMN/access technology combinations, the UE transmits to the AMF the acknowledgment in a REGISTRATION COMPLETE or a DL NAS TRANSPORT message.
Type: Application
Filed: November 19, 2021
Publication date: March 10, 2022
Inventors: Vivek G. Gupta, Abhijeet Ashok Kolekar, Farid Adrangi
-
Publication number: 20220070664
Abstract: Systems and methods of protecting an initial NAS message are described. Depending on whether a security context for a serving PLMN is stored, the UE uses either a public key from the serving PLMN or a key from the security context to encrypt parts of the initial NAS message. An initial NAS message containing the encrypted parts is then sent to an AMF of the serving PLMN. The serving PLMN public key is transmitted via a SIB. Prior to transmission of the initial NAS message or in parallel with it, an RRC message is sent to the base station. The RRC message contains the UE identifier and/or a NSSAI encrypted using the serving PLMN public key.
Type: Application
Filed: September 13, 2019
Publication date: March 3, 2022
Inventors: Alexandre Saso STOJANOVSKI, Robert ZAUS, Farid ADRANGI, Raimund WLOKA, Abhijeet Ashok KOLEKAR, Ahmed SOLIMAN
-
Publication number: 20220053332
Abstract: Systems and methods of providing secondary authentication credentials for an external network are described. The credentials are provided from the UE to the GGSN via the SGSN during establishment of a PDN connection for the UE in a NAS message. The SGSN receives an Activate PDP Context Request from the UE and sends to the GGSN a Create PDP Context Request. The Requests include a PCO IE with the credentials. The GGSN determines a RADIUS and/or DHCP server to be used for IP address allocation, a protocol to be used with the server, and security features to use to dialogue with the server. The GGSN obtains the IP address from the server and provides the IP address to the UE via the SGSN via Create PDP Context Response.
Type: Application
Filed: November 27, 2019
Publication date: February 17, 2022
Inventors: Muthaiah VENKATACHALAM, Abhijeet Ashok KOLEKAR, Sharada RAGHURAM, Roy UBRY
-
Publication number: 20220046421
Abstract: Packet protection is described. Data of a group of packets is concatenated with a security key and a sequence number of the packet. A hash mark of the concatenated data is calculated and sent with data or control information in a packet. If each packet has reserved bits, at least some of the packets each has data, at least a portion of the hash mark, and a header having: a first bit that indicates if the hash mark is present, and a second bit that indicates if the packet is used to determine the hash mark. Otherwise, a separate control packet is sent that contains the hash mark, a first sequence number of the group of packets, and a PDU type indicating that the control packet is an integrity protection packet for the group of PDCP packets.
Type: Application
Filed: November 27, 2019
Publication date: February 10, 2022
Inventors: Bharat SHRESTHA, Jaemin HAN, Abhijeet Ashok Kolekar
-
Publication number: 20220038948
Abstract: An apparatus and system to enable dynamic offloading and execution of compute tasks are described. In split CU-DU RAN architectures, the CU-CP is connected with multiple compute control functions (CF) and service functions (SF) that have different computing hardware/software capabilities. Different architectures depend on whether the SF is collocated with the CU-UP, the CU-UP and SF only serve compute messages, a compute message is supplied directly to the CU-UP or also traverses the CU-CP. In response to reception from a UE of a compute message containing data for computation being sent to the CU-CP through the DU, the CU-CP sends the data to the SF with identifiers and sends the result to the UE.
Type: Application
Filed: August 18, 2021
Publication date: February 3, 2022
Inventors: Sangeetha L. Bangolae, Zongrui Ding, Youn Hyoung Heo, Puneet Jain, Abhijeet Ashok Kolekar, Qian Li, Ching-Yu Liao, Thomas Luetzenkirchen, Sudeep K. Palat, Alexandre Saso Stojanovski
-
Publication number: 20220007182
Abstract: Systems and methods of protecting an initial NAS message are described. The NAS message is encrypted using the home PLMN public key during initial registration with the network using a registration request message. An AMF of the serving PLMN sends a serving PLMN public key which is then used to encrypt information including an S-NSSAI of later initial NAS messages after initial registration is completed. The S-NSSAI may not be sent in the later initial NAS message if the S-NSSAI is provided at an access stratum level. The RRC message may contain an indication that the S-NSSAI is encrypted using the serving PLMN public key.
Type: Application
Filed: October 30, 2019
Publication date: January 6, 2022
Inventors: Alexandre Saso STOJANOVSKI, Robert ZAUS, Farid ADRANGI, Raimund WLOKA, Abhijeet Ashok KOLEKAR, Ahmed SOLIMAN, Sudeep K. PALAT