Abstract: Some aspects described herein relate to provisioning aerial vehicles with identifiers, certificates, or other credentials for communicating based on a mobile network. The UAV can transmit a request to register with the mobile network, where the request includes at least a hardware identifier of the UAV. The UAV may receive, from a component of the mobile network, a response to the request, where the response includes a unique UAV identifier, a UAV certificate, and a network certificate generated by at least one of the component of the mobile network or a unmanned aircraft system service supplier (USS).

Abstract: One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PKMID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

Abstract: The present disclosure provides techniques that may be applied, for example, for providing network policy information in a secure manner. In some cases, a UE may receive a first message for establishing a secure connection with a network, wherein the first message comprises network policy information, generate a first key based in part on the network policy information, and use the first key to verify the network policy information.

Abstract: Methods, systems, and devices are provided for supporting user plane integrity protection (UP IP) for communications with a radio access network (RAN). Various embodiments may include indicating whether or not a wireless device supports UP IP over Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access (eUTRA) by including UP IP support indications in user equipment (UE) security capability information elements (IEs).

Abstract: Aspects directed towards steering of roaming (SoR) are disclosed. In one example, a communication from a public land mobile network (PLMN) is received by a user equipment (UE) in which the communication indicates an acceptance of a UE registration with the PLMN. This example further includes performing a determination of whether an SoR indicator associated with a home PLMN (HPLMN) is embedded within the communication. The UE then manages PLMN selection according to the determination. In another example, a UE is configured to operate according to an SoR configuration in which the UE is configured to ascertain whether an SoR indicator is embedded within a communication from a PLMN. An SoR indicator associated with an HPLMN is then generated and subsequently transmitted from the HPLMN to the UE via the PLMN.

Abstract: Techniques and apparatus for protecting sequence numbers used in authentication procedures are described. One technique includes receiving, from a network, an authentication request comprising at least a random challenge. After receipt of the authentication request, a synchronization parameter is generated based at least in part on a key shared by the network and the UE, the random challenge, and a first message authentication code (MAC). The synchronization parameter and the first MAC are transmitted to the network in response to the authentication request.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may transmit, to a relay UE, a first message comprising a first freshness parameter, an identity of the UE, and authentication information, where the authentication information is used by a network node to authenticate the UE with security context information of the UE. The UE may derive a relay key for security establishment between the UE and the relay UE based on the first freshness parameter, a set of key generation parameters, and a shared key with the network node. The UE may derive a relay session key for security establishment between the UE and the relay UE based on the relay key, a first nonce of the UE, and a second nonce of the relay UE. Numerous other aspects are described.

Abstract: In an aspect, the present disclosure includes a method, apparatus, and computer readable medium for wireless communications for configuring of a NAS COUNT value of a mapped EPS security context associated with an intersystem change of a UE from a 5G system to an EPS. The aspect includes generating, by a UE, a mapped EPS security context associated with an intersystem change of the UE from a 5G system to an EPS, wherein the mapped EPS security context comprises security parameters created based a 5G security context used for the 5G system, the security parameters enabling security-related communications between the UE and a network entity; determining an UL NAS COUNT value and the DL NAS COUNT value for the mapped EPS security context; and transmitting, by the UE, a NAS message to the network entity, the NAS message including the UL NAS COUNT value of the mapped EPS security context.

Abstract: A user device having a security context with a first network based on a first key may establish a security context with a second network. In a method, the user device may generate a key identifier based on the first key and a network identifier of the second network. The user device may forward the key identifier to the second network for forwarding to the first network by the second network to enable the first network to identify the first key at the first network. The user device may receive a key count from the second network. The key count may be associated with a second key forwarded to the second network from the first network. The user device may generate the second key based on the first key and the received key count thereby establishing a security context between the second network and the user device.

Abstract: The present disclosure provides techniques that may be applied, for example, in a multi-slice network for maintaining privacy when attempting to access the network. An exemplary method generally includes transmitting a registration request message to a serving network to register with the serving network; receiving a first confirmation message indicating a secure connection with the serving network has been established; transmitting, after receiving the first confirmation message, a secure message to the serving network comprising an indication of at least one configured network slice that the UE wants to communicate over, wherein the at least one configured network slice is associated with a privacy flag that is set; and receiving a second confirmation message from the serving network indicating that the UE is permitted to communicate over the at least one configured network slice.

Abstract: Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

Abstract: One feature pertains to a method that includes establishing a radio communication connection with a first radio access node (RAN) that uses control plane signaling connections to carry user plane data. The method also includes determining that the wireless communication device is experiencing radio link failure (RLF) with the first RAN and that the radio communication connection should be reestablished with a second RAN. A reestablishment request message is transmitted to the second RAN that includes parameters that enable a core network node communicatively coupled to the second RAN to authenticate the wireless communication device and allow or reject reestablishment of the radio communication connection. The parameters include at least a message authentication code (MAC) based in part on one or more bits of a non-access stratum (NAS) COUNT value maintained at the wireless communication device.

Abstract: Certain aspects provide a method for wireless communication. The method generally includes deriving a network specific identifier (NSI) in a network access identifier (NAI) format, the NSI including a network identifier (NID) stored at the UE, generating a subscription concealed identifier (SUCI) based on the NSI for authentication of the UE with a non-public network (NPN), and sending the SUCI to a network entity for the authentication of the UE with the NPN.

Abstract: The present disclosure provides techniques that may be applied, for example, for providing network policy information in a secure manner. In some cases, a UE may receive a first message for establishing a secure connection with a network, wherein the first message comprises network policy information, generate a first key based in part on the network policy information, and use the first key to verify the network policy information.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may register to a cellular network associated with a multicast/broadcast multimedia service (MBMS). The UE may transmit, to the cellular network, a request to join the MBMS. The UE may receive, from the cellular network and based at least in part on being registered with the cellular network, a response that indicates an MBMS service key (MSK) and MSK identifier pair. Numerous other aspects are described.

Abstract: Methods, systems, and devices for wireless communications are described. A first parent node of a wireless backhaul network may receive, from a donor node of the wireless backhaul network, a token for a child node of the wireless backhaul network, the token being unique to a first wireless link between the first parent node and the child node. The first parent node may determine that a triggering event has occurred for a second wireless link between the first parent node and a second parent node. The first parent node may transmit, in response to determining that the triggering event has occurred, the token to the child node over the first wireless link to indicate for the child node to select a third parent node of the wireless backhaul network.

Abstract: In an aspect, a network supporting a number of client devices includes a network device that generates a context for a client device. The client device context may include network state information for the client device that enables the network to communicate with the client device. The client device may obtain, from a network device that serves a first service area of the network, information that includes a first client device context. The client device may enter a second service area of the network served by a second network device. Instead of performing a service area update procedure with the network, the client device may transmit a packet in the different service area with the information that includes the client device context. The client device may receive a service relocation message including information associated with the different network device in response to the transmission.

Abstract: In an aspect, the present disclosure includes a method, apparatus, and computer readable medium for wireless communications for configuring of a NAS COUNT value of a mapped EPS security context associated with an intersystem change of a UE from a 5G system to an EPS. The aspect includes generating, by a UE, a mapped EPS security context associated with an intersystem change of the UE from a 5G system to an EPS, wherein the mapped EPS security context comprises security parameters created based a 5G security context used for the 5G system, the security parameters enabling security-related communications between the UE and a network entity; determining an UL NAS COUNT value and the DL NAS COUNT value for the mapped EPS security context; and transmitting, by the UE, a NAS message to the network entity, the NAS message including the UL NAS COUNT value of the mapped EPS security context.

Abstract: This disclosure provides methods, devices and systems for using a pseudonym service set identifier (pSSID) for access point (AP) and station (STA) privacy. For example, a pSSID is included by a STA or AP in place of a persistent SSID for over the air communications used for various functions (such as for the STA to determine the SSID of the AP before connecting to the AP). The pSSID is generated using a hash function that is defined at both the AP and the STA. An input to the hash function includes the SSID. Other inputs may include a temporary media access control (MAC) address of the device generating the pSSID, a time value associated with a time when the pSSID is generated, or a location value associated with a position measurement of the device generating the pSSID.