Abstract: This invention introduces methods and mechanisms of partial integrity protection in mobile systems. A user equipment (UE), comprising: a memory configured to store instructions; and a processor configured to execute the instructions to: receive, from a network device, user plane data having integrity protection; send an error indication indicating an integrity protection error relating to the user plane data; and receive retransmitted user plane data from the network device with a reduced data rate, based on the error indication.

Abstract: A UE (10) provides information on potential S?eNB(s). The information is forwarded from an MeNB (20_1) to an M?eNB (20_2) such that the M?eNB (20_2) can determine, before the handover happens, whether the M?eNB (20_2) will configure a new SeNB (S?eNB) and which S?eNB the M?eNB (20_2) will configure. In one of options, the MeNB (20_1) derives a key S?-KeNB for communication protection between the UE (10) and the S?eNB (30_1), and send the S?-KeNB to the M?eNB (20_2). In another option, the M?eNB (20_2) derives the S?-KeNB from a key KeNB* received from the MeNB (20_1). The M?eNB (20_2) sends the S?-KeNB to the S?eNB (30_1). Moreover, there are also provided several variations to perform SeNB Release, SeNB Addition, Bearer Modification and the like, in which the order and/or timing thereof can be different during the handover procedure.

Abstract: The present disclosure relates to secure provisioning of UE mobility restriction by extending neighbour relation tables to include mobility restrictions in addition to neighbour cell information and sending neighbour cell restriction information (per UE) to the UE, gNB, UE and gNB. The present invention also provides a method and apparatus and a system for mapping mobility restrictions with TA list and sending the TA list along with the Handover Restriction List during handover.

Abstract: An SeNB informs an MeNB that it can configure bearers for the given UE. At this time, the MeNB manages the DRB status, and then sends a key S-KeNB to the SeNB. The MeNB also sends a KSI for the S-KeNB to both of the UE and the SeNB. After this procedure, the MeNB informs an EPC (MME and S-GW) about the new bearer configured at the SeNB, such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME or S-GW) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB is a valid eNB to which the traffic can be offload.

Abstract: The present disclosure aims to provide a communication system capable of achieving advanced security in a 5G communication system. The communication system according to the present disclosure includes: a communication terminal (10); an Access and Mobility Management (AMF) entity (20) configured to execute Mobility Management (MM) processing regarding the communication terminal (10); and a Session Management Function (SMF) entity (30) configured to execute Session Management (SM) processing regarding the communication terminal (10), in which the communication terminal (10) sends an MM message used in the MM processing, a first security key having been applied to the MM message, between the communication terminal and the AMF entity (20), and sends an SM message used in the SM processing, a second security key having been applied to the SM message, between the communication terminal and the SMF entity (30) via the AMF entity (20).

Abstract: Accordingly, embodiments herein disclose a method and base station for preventing a User Equipment (UE) from attaching to a false base station. The method includes: generating, by a source base station, a UE specific Anonymity Challenge Parameter to the UE based on sensitive information from the UE, cell information, source base station information and initial Anonymity Challenge Parameter assigned to the particular base station; and sending, by the source base station, a measurement command message including the UE specific Anonymity Challenge Parameter to the UE. Further, the method includes receiving, by the source base station, an Anonymity Challenge Parameter acknowledgement as a response from the UE; and negotiating, by the source base station, the UE specific Anonymity Challenge Parameter with the UE to prevent the UE from attaching to the false base station.

Abstract: In order for supporting separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.

Abstract: A VNF package signing system, comprises an orchestration unit sending an acknowledge of receiving a VNF package including the VNF image, in response to the receiving the VNF package from a sender, a storage unit storing the VNF package and generating a certificate for the VNF package using a private key for at least generating a certificate for signing the VNF package and a HISEE (Hardware Isolated Secured Execution Environment) unit providing the private key in response to the request from the storage unit. The orchestration unit sends the acknowledge of receiving a VNF package when the storage unit successes generating the certificate of the VNF package.

Abstract: An object is to provide a core network device being able to efficiently perform secondary authentication to be performed for each network slice.

Abstract: An object is to provide a communication terminal capable of using a newly-generated network slice or service. A communication terminal (10) according to the present disclosure includes a communication unit (11) configured to receive a parameter related to SM-NSSAI (Session Management-Network Slice Selection Assistance Information) from a core network when subscriber information of the communication terminal itself managed in the core network or a location of the communication terminal itself is changed, and a control unit (12) configured to update NSSAI by using the parameter related to the SM-NSSAI, the NSSAI being managed to select a network slice.

Abstract: An SeNB (30) informs an MeNB (20) that it can configure bearers for the given UE (10). At this time, the MeNB (20) manages the DRB status, and then sends a key S-KeNB to the SeNB (30). The MeNB (20) also sends a KSI for the S-KeNB to both of the UE (10) and the SeNB (30). After this procedure, the MeNB (20) informs an EPC (MME (40) and S-GW (50)) about the new bearer configured at the SeNB (30), such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME (40) or S-GW (50)) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB (30) is a valid eNB to which the traffic can be offload.

Abstract: An object is to provide a transmission apparatus which can suppress an increase in processing load in a communication apparatus such as a sender and a receiver due to an increase in the number of messages to be transmitted. A transmission apparatus (10) according to the present disclosure includes a generation unit (11) for generating authentication information used for confirming integrity of a plurality of data pieces using the plurality of data pieces and an integrity protection key transmitted at different timings, and a communication unit (12) for transmitting the plurality of data pieces and the authentication information to a reception apparatus (20) for confirming the integrity of the plurality of data pieces.

Abstract: A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device which sends a request of a communication and a receiving device which receives the request from the requesting device, the method including deriving session keys Kpc and Kpi from an unique key Kp at the requesting and receiving devices, using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices, starting the direct communication with the requesting and receiving devices. The key Kpc is confidentiality key and the key Kpi is integrity protection key.

Abstract: In order for supporting separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.

Abstract: A network node (21), which is placed within a core network, stores a list of network elements (24) capable of forwarding a trigger message to a MTC device (10). The network node (21) receives the trigger message from a transmission source (30, 40) placed outside the core network, and then selects, based on the list, one of the network elements to forward the trigger message to the MTC device (10). The MTC device (10) validates the received trigger message, and then transmits, when the trigger message is not validated, to the network node (21) a reject message indicating that the trigger message is not accepted by the MTC device (10). Upon receiving the reject message, the network node (21) forwards the trigger message through a different one of the network elements, or forwards the reject message to transmission source (30, 40) to send the trigger message through user plane.

Abstract: A method for providing a key derivation function (KDF) negotiation in a 5G network is provided. The method which includes: selecting a specific KDF at a UE and at the network for at least one security related key derivation; and transmitting, said selected KDF to the UE and to other network functions to indicate said selected KDF for generating specific security key at a receiver side.

Abstract: An apparatus is provided. The apparatus includes a memory storing one or more instructions and a processor. The processor execute the one or more instructions to: receive update information from an external apparatus, the update information corresponding to a network communication; obtain a Subscription Concealed Identifier (SUCI) based on the update information; and transmit the SUCI to the external apparatus.

Abstract: This disclosure is related to the security procedures for UE (300) in 5GLAN Group Communication. Security procedure involved in this disclosure is based on Authentication and authorization of UE (300) by Group Management Function (GMF) (500) in 5GLAN communication, attachment and detachment of UE (300) in 5GLAN Group due to state transition and the access restrictions imposed on UE (300) during state transition.

Abstract: This invention introduces methods and mechanisms of partial integrity protection in mobile systems. A device comprising: a memory configured to store instructions; and a processor configured to execute the instructions to: generate a representation value based on protocol data unit (PDU) header data and payload data of a PDU; generate a message authentication code based on the representation value; and include the message authentication code in the PDU.

Abstract: There is provided a new IWF SMC procedure for establishing security association between an MTC UE (10) and an MTC-IWF (20). The MTC-IWF (20) sends to the UE (10) at least an algorithm identifier which instructs the UE (10) to select one of algorithms for deriving a root key (K_iwf). The UE (10) derives the root key (K_iwf) in accordance with the selected algorithm, and derives at least a subkey for checking the integrity of messages transferred between the UE (10) and the MTC-IWF (20) by using the derived root key (K_iwf). The UE (10) protects uplink messages transmitted to the MTC-IWF (20) with the derived subkey. The MTC-IWF (20) protects downlink messages transmitted to the UE (10) with the same subkey derived at a core network.