Abstract: A method for providing a key derivation function (KDF) negotiation in a 5G network is provided. The method which includes: selecting a specific KDF at a UE and at the network for at least one security related key derivation; and transmitting, said selected KDF to the UE and to other network functions to indicate said selected KDF for generating specific security key at a receiver side.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: A communication terminal capable of preventing a reduction in security level that is caused at the time of establishing multiple connections via 3GPP Access and Non-3GPP Access. A communication terminal according to the present disclosure includes: a communication unit configured to communicate with gateway devices disposed in a preceding stage of a core network device via an Untrusted Non-3GPP Access; and a key derivation unit configured to derive a second security key used for security processing of a message transmitted using a defined protocol with the gateway device, from a first security key used for security processing of a message transmitted using a defined protocol with the core network device.

Abstract: This invention introduces methods and mechanisms of partial integrity protection in mobile systems. A user equipment (UE), comprising: a memory configured to store instructions; and a processor configured to execute the instructions to: receive, from a network device, user plane data having integrity protection; send an error indication indicating an integrity protection error relating to the user plane data; and receive retransmitted user plane data from the network device with a reduced data rate, based on the error indication.

Abstract: The present disclosure provides a User Equipment (UE) comprising a transceiver circuit; and a controller configured to control the transceiver circuit to send, to an Access and mobility Management Function (AMF) of a communication node, an identifier, wherein upon successful authentication of a network access function of the UE in the communication node, the controller is configured to maintain a secure connection with the communication node.

Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.

Abstract: An object is to provide a transmission apparatus which can suppress an increase in processing load in a communication apparatus such as a sender and a receiver due to an increase in the number of messages to be transmitted. A transmission apparatus (10) according to the present disclosure includes a generation unit (11) for generating authentication information used for confirming integrity of a plurality of data pieces using the plurality of data pieces and an integrity protection key transmitted at different timings, and a communication unit (12) for transmitting the plurality of data pieces and the authentication information to a reception apparatus (20) for confirming the integrity of the plurality of data pieces.

Abstract: A communication terminal (10) includes control means for generating a subscription concealed identifier (SUCI) including a subscription permanent identifier (SUPI) concealed using a predetermined protection scheme, and a protection scheme identifier identifying the protection scheme, and transmission means for sending the SUCI to a first network apparatus during a registration procedure, the SUCI being sent for a second network apparatus to de-conceal the SUPI from the SUCI based on the protection scheme used to generate the SUCI.

Abstract: A network node (21), which is placed within a core network, stores a list of network elements (24) capable of forwarding a trigger message to a MTC device (10). The network node (21) receives the trigger message from a transmission source (30, 40) placed outside the core network, and then selects, based on the list, one of the network elements to forward the trigger message to the MTC device (10). The MTC device (10) validates the received trigger message, and then transmits, when the trigger message is not validated, to the network node (21) a reject message indicating that the trigger message is not accepted by the MTC device (10). Upon receiving the reject message, the network node (21) forwards the trigger message through a different one of the network elements, or forwards the reject message to transmission source (30, 40) to send the trigger message through user plane.

Abstract: In order for efficiently managing communications between a UE (10) and multiple SCSs (20_1-20_n), the UE (10) includes, in one message, multiple pieces of data to be transmitted to the SCSs (20_1-20_n), and sends the message to an MTC-IWF (30). The MTC-IWF (30) receives the message from the UE (10), and distributes the date to the SCSs (20_1-20_n). Each of the SCSs sends (20_1-20_n), to the MTC-IWF (30), data to be transmitted to the UE (10) and an indicator that indicates for the SCSs (20_1-20 n) the time tolerance until the data is transmitted to the UE (10). The MTC-IWF (30) receives the data and the indicators from the SCSs (20_1-20_n), and determines when to forward the data to the UE (10) based on the indicators.

Abstract: There is provided a network system including one or more first MMEs (30), and a second MME (40) separated from the first MMEs (30). In one of operation cases, the first MME (30) pushes, to the second MME (40), security context for a UE (10) that attaches to the first MME (30). The second MME (40) stores the security context. The first MME (30) further pushes the latest security context to the second MME (40), during a switch-off procedure for the first MME (30). The second MME (40) updates the stored security context with the latest security context. The first MME (30) pulls the security context from the second MME (40), when the UE (10) re-attaches to the first MME (30) or is handovered from different one of the first MMEs (30).

Abstract: A method for integrity protection scheme by a mobile communication device or a core network entity according to a first exemplary aspect of the present disclosure includes configuring settings and parameters for integrity protection for user data with another party; receiving user plane data from the other party, calculating Message Authentication Code for Integrity (MAC-I) for a part of the data and checking integrity of the part of the data.

Abstract: A UE (10) provides information on potential S?eNB(s). The information is forwarded from an MeNB (20_1) to an M?eNB (20_2) such that the M?eNB (20_2) can determine, before the handover happens, whether the M?eNB (20_2) will configure a new SeNB (S?eNB) and which S?eNB the M?eNB (20_2) will configure. In one of options, the MeNB (20_1) derives a key S?-KeNB for communication protection between the UE (10) and the S?eNB (30_1), and send the S?-KeNB to the M?eNB (20_2). In another option, the M?eNB (20_2) derives the S?-KeNB from a key KeNB* received from the MeNB (20_1). The M?eNB (20_2) sends the S?-KeNB to the S?eNB (30_1). Moreover, there are also provided several variations to perform SeNB Release, SeNB Addition, Bearer Modification and the like, in which the order and/or timing thereof can be different during the handover procedure.

Abstract: There is provided a network system including one or more first MMEs (30), and a second MME (40) separated from the first MMEs (30). In one of operation cases, the first MME (30) pushes, to the second MME (40), security context for a UE (10) that attaches to the first MME (30). The second MME (40) stores the security context. The first MME (30) further pushes the latest security context to the second MME (40), during a switch-off procedure for the first MME (30). The second MME (40) updates the stored security context with the latest security context. The first MME (30) pulls the security context from the second MME (40), when the UE (10) re-attaches to the first MME (30) or is handovered from different one of the first MMEs (30).

Abstract: In order for supporting separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.

Abstract: A method for integrity protection scheme by a mobile communication device or a core network entity according to a first exemplary aspect of the present disclosure includes configuring settings and parameters for integrity protection for user data with another party; receiving user plane data from the other party, calculating Message Authentication Code for Integrity (MAC-I) for a part of the data and checking integrity of the part of the data.

Abstract: A UE (10) provides information on potential S?eNB(s). The information is forwarded from an MeNB (20_1) to an M?eNB (20_2) such that the M?eNB (20_2) can determine, before the handover happens, whether the M?eNB (20_2) will configure a new SeNB (S?eNB) and which S?eNB the M?eNB (20_2) will configure. In one of options, the MeNB (20_1) derives a key S?-KeNB for communication protection between the UE (10) and the S?eNB (30_1), and send the S?-KeNB to the M?eNB (20_2). In another option, the M?eNB (20_2) derives the S?-KeNB from a key KeNB* received from the MeNB (20_1). The M?eNB (20_2) sends the S?-KeNB to the S?eNB (30_1). Moreover, there are also provided several variations to perform SeNB Release, SeNB Addition, Bearer Modification and the like, in which the order and/or timing thereof can be different during the handover procedure.

Abstract: A network node (21), which is placed within a core network, receives a message from a transmission source (30) placed outside the core network. The message includes an indicator indicating whether or not the message is addressed to a group of one or more MTC devices attached to the core network. The network node (21) determines to authorize the transmission source (30), when the indicator indicates that the message is addressed to the group. Further, the message includes an ID for identifying whether or not the message is addressed to the group. The MTC device determines to discard the message, when the ID does not coincide with an ID allocated for the MTC device itself. Furthermore, the MTC device communicates with the transmission source (30) by use of a pair of group keys shared therewith.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: A communication terminal (10) includes control means for generating a subscription concealed identifier (SUCI) including a subscription permanent identifier (SUPI) concealed using a predetermined protection scheme, and a protection scheme identifier identifying the protection scheme, and transmission means for sending the SUCI to a first network apparatus during a registration procedure, the SUCI being sent for a second network apparatus to de-conceal the SUPI from the SUCI based on the protection scheme used to generate the SUCI.