Patents by Inventor Andreas Kunz
Andreas Kunz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250254639
Abstract: Apparatuses, methods, and systems are disclosed for registering with a core network after NSWO authentication. One apparatus includes a processor coupled to a transceiver, the processor configured to cause the apparatus to connect to a WLAN AN using credentials associated with a network, including performing a first authentication procedure without registering the apparatus with the network. The processor determines to register with the network and the transceiver sends a first message including a first container derived based on information generated during the first authentication procedure, where the first message initiates registration with the network. The transceiver receives a second message including a second container derived based on information generated during the first authentication procedure. The processor registers with the network based on validating the second container.
Type: Application
Filed: May 20, 2022
Publication date: August 7, 2025
Inventors: Apostolis Salkintzis, Andreas Kunz, Sheeba Backia Mary Baskaran
-
Publication number: 20250240621
Abstract: Apparatuses, methods, and systems are disclosed for communicating and storing aerial system security information. One method includes transmitting a request message to an uncrewed aerial system network function, a network exposure function, or a combination thereof, the request message including: an aerial vehicle identifier; a general public subscription identifier; and security policy information. The method includes receiving a response message from the uncrewed aerial system network function, the network exposure function, or the combination thereof, the response message including: the aerial vehicle identifier; the general public subscription identifier; an aerial vehicle authentication result, authorization result, or a combination thereof; and aerial system security requirement information. The method includes storing the aerial system security requirement information together with the aerial vehicle identifier, the general public subscription identifier, and the aerial vehicle authentication result.
Type: Application
Filed: December 9, 2021
Publication date: July 24, 2025
Inventors: Sheeba Backia Mary Baskaran, Dimitrios Karampatsis, Roozbeh Atarius, Andreas Kunz
-
Publication number: 20250233728
Abstract: Various aspects of the present disclosure relate to using authenticated encryption with associated data (AEAD) algorithms for both non-access stratum (NAS) and access stratum (AS) security mode command procedures. For example, the technology enhances or updates the command procedures (e.g., AS, NS, radio resource control (RRC) reconfiguration) to enable communications between a network entity and a user equipment (UE) that identify selected AEAD algorithms and/or AEAD modes during AS and NAS security establishment.
Type: Application
Filed: April 1, 2025
Publication date: July 17, 2025
Inventors: Sheeba Backia Mary BASKARAN, Andreas Kunz
-
Publication number: 20250234252
Abstract: Various aspects of the present disclosure relate to using authenticated encryption with associated data (AEAD) algorithms for user equipment (UE) mobility scenarios and/or dual connectivity deployments. For example, the technology enhances or updates various mobility procedures (e.g., Xn or N2 handover) to enable communications between an NE and a UE that utilize AEAD algorithms and/or AEAD modes when establishing security contexts for or during the mobility procedures. Thus, a wireless communications system can utilize the benefits of AEAD without introducing issues when a UE moves between NEs (e.g., RAN nodes) that support different security contexts, among other benefits.
Type: Application
Filed: April 1, 2025
Publication date: July 17, 2025
Inventors: Sheeba Backia Mary BASKARAN, Andreas Kunz
-
Patent number: 12362940
Abstract: Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus includes a network interface that receives a first authentication message for reauthenticating a remote unit and a processor that verifies a first domain-name. The first domain-name identifies a key management domain name and an associated gateway function holding a reauthentication security context. Here, the first authentication message includes a NAI containing a first username and the first domain-name. The processor validates the first authentication message using at least the first username and generates a second authentication message in response to successfully validating the first authentication message. Via the network interface, the processor responds to the first authentication message by sending the second authentication message.
Type: Grant
Filed: June 5, 2020
Date of Patent: July 15, 2025
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Andreas Kunz, Apostolis Salkintzis, Sheeba Backia Mary Baskaran
-
Publication number: 20250227467
Abstract: Apparatuses, methods, and systems are disclosed for communicating and storing aerial system security information. One method includes transmitting a request message to an uncrewed aerial system network function, a network exposure function, or a combination thereof, the request message including: an aerial vehicle identifier; a general public subscription identifier; and session security information. The method includes receiving a response message from the uncrewed aerial system network function, the network exposure function, or the combination thereof, the response message including: the aerial vehicle identifier; the general public subscription identifier; an aerial vehicle authentication result; and aerial system session security requirement information. The method includes storing the aerial system session security requirement information together with the aerial vehicle identifier, the general public subscription identifier, and the aerial vehicle authentication result.
Type: Application
Filed: December 2, 2021
Publication date: July 10, 2025
Inventors: Sheeba Backia Mary Baskaran, Dimitrios Karampatsis, Roozbeh Atarius, Andreas Kunz
-
Patent number: 12356182
Abstract: Apparatuses, methods, and systems are disclosed for securing communications between user equipment devices. One apparatus includes a processor that derives, at a first user equipment (“UE”) device in communication with a mobile wireless communication network, a security key for securing communications between the first UE and a second UE via the mobile wireless communication network, the security key derived based on at least one parameter associated with the first UE and the second UE. The processor establishes a secure communication between the first UE and the second UE via a first network function of the mobile wireless communication network using the derived security key.
Type: Grant
Filed: August 6, 2021
Date of Patent: July 8, 2025
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Andreas Kunz, Sheeba Backia Mary Baskaran, Dimitrios Karampatsis
-
Patent number: 12356500
Abstract: Apparatuses, methods, and systems are disclosed for determining remote unit behavior parameters. One method includes receiving a message including parameters associated with an application in a remote unit. The method includes determining a first set of parameters including a first portion of the parameters, wherein each parameter of the first set of parameters corresponds to a remote unit behavior. The method includes determining a second set of parameters including a second portion of the parameters, wherein each parameter of the second set of parameters corresponds to a service behavior. The method includes associating the second set of parameters with a data network name, a single network slice selection assistance information, or a combination thereof.
Type: Grant
Filed: July 13, 2023
Date of Patent: July 8, 2025
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Genadi Velev, Dimitrios Karampatsis, Apostolis Salkintzis, Andreas Kunz
-
Publication number: 20250220565
Abstract: In response to a network function of a communication system, such as an Access and Mobility Function (AMF) of a wireless communication network, being determined to be an untrusted network function, the untrusted network function may be replaced without requiring participation of the untrusted network function. For example, to replace a first AMF determined to be an untrusted AMF, UE registered to the untrusted AMF may re-register with a second AMF as a result of operations performed by a Trust Surveillance Network Function, the second AMF, and a base station or Unified Data Management function, and without reliance on any operation of the untrusted AMF.
Type: Application
Filed: March 27, 2023
Publication date: July 3, 2025
Inventors: Andreas KUNZ, Sheeba Backia Mary BASKARAN
-
Publication number: 20250212282
Abstract: Various aspects of the present disclosure relate to a radio access network (RAN) node and/or associated network function to adapt the size of an ID filter mask based on limitations of an ambient Internet of Things (AIoT) radio interface at the time of a requested AIoT operation (e.g., an inventory procedure). For example, the RAN node may receive an ID filter mask within a request message, transmit assistance information back to a requesting function that includes an indication of an allowable size for the ID filter mask, and receive an updated, modified, or new ID filter mask having an allowable size for the AIoT radio interface.
Type: Application
Filed: March 7, 2025
Publication date: June 26, 2025
Inventors: Hyung-Nam CHOI, Genadi VELEV, Karthikeyan GANESAN, Andreas KUNZ
-
Publication number: 20250203402
Abstract: An apparatus comprising: a transceiver; and a processor coupled to the transceiver, the processor and the transceiver configured to cause the apparatus to: receive a monitoring configuration request from a trust surveillance network function, the monitoring configuration request comprising: an identifier for a Visited Public Land Mobile Network, VPLMN; information specifying a parameter set to be monitored; and an address of an application function, AF; select a user equipment, UE, apparatus registered in a VPLMN identified by the identifier; and send, to the selected UE apparatus, a monitoring configuration message, the monitoring configuration message comprising: the information specifying the parameter set to be monitored; and the address of the AF.
Type: Application
Filed: May 13, 2022
Publication date: June 19, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Andreas Kunz, Sheeba Backia Mary Baskaran, Dimitrios Karampatsis, Emmanouil Pateromichelakis
-
Publication number: 20250203340
Abstract: There is provided a network node in a first wireless communication network, the network node comprising a receiver, a processor and a transmitter. The receiver is arranged to receive an indication from a user equipment apparatus that the user equipment apparatus requires route selection policy rules, wherein the user equipment apparatus is a subscriber to the first wireless communication network. The processor is arranged to determine a list of network identities, each network identity identifying a wireless communication network that the network node is authorized to set route selection policy rules for the user equipment apparatus to apply when connected to the wireless communication network. The transmitter is arranged to send at least one route selection policy rule to the user equipment apparatus together with a policy delivery request, wherein the policy delivery request includes the list of network identities for which route selection policy rules provisioned from the network node must be applied.
Type: Application
Filed: May 4, 2022
Publication date: June 19, 2025
Inventors: Dimitrios KARAMPATSIS, Andreas KUNZ
-
Publication number: 20250193771
Abstract: Various aspects of the present disclosure relate to a UE that is connected to a visited network requests a network service from the visited network. The service request is rejected, and the UE and the visited network communicate rejection reports for the service rejection to the home network of the UE. Further, the home network considers received service rejection information from the UE and/or the visited network to provide configuration of preferred visited network and/or access technology combinations to the UE.
Type: Application
Filed: March 10, 2023
Publication date: June 12, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz
-
Publication number: 20250184729
Abstract: Various aspects of the present disclosure relate to an authentication server function (AUSF) that receives an authentication request from a security anchor function (SEAF), and transmits a data request for authentication data to unified data management (UDM). The AUSF can receive the authentication data from the UDM for primary authentication, and set an expiration time for security information associated with the primary authentication being successful. The AUSF can then transmit an authentication message of authentication information that includes the security information and the expiration time to an authentication and key management for applications (AKMA) anchor function (AAnF) that registers the expiration time. The AUSF can also initiate reauthentication based at least in part on expiry of the authentication information.
Type: Application
Filed: March 27, 2023
Publication date: June 5, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz
-
Publication number: 20250175881
Abstract: There is further provided a user equipment apparatus comprising a receiver, a transmitter and a processor. The receiver is arranged to receive from a first wireless communication network at least one route selection policy rule together with a policy delivery request, wherein the policy delivery request includes a list of network identities for which route selection policy rules provisioned from the first wireless communication network must be applied. The transmitter is arranged to transmit a registration request to a second wireless communication network, where a network identity of the second wireless communication network is not listed in the list of network identities for which route selection policy rules provisioned from the first wireless communication network must be applied. The processor is arranged to not apply route selection policy rules provisioned from the first wireless communication network.
Type: Application
Filed: May 4, 2022
Publication date: May 29, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Dimitrios Karampatsis, Andreas Kunz
-
Publication number: 20250175791
Abstract: Various aspects of the present disclosure relate to authenticating user equipment (UE) for applications. A first communication device (e.g., a network entity, a server device) authenticates a second communication device (e.g., a UE) for authentication and key management for applications (AKMA) with a challenge, such as an authentication vector (AV), computed based on the AKMA anchor key (KAKMA) corresponding to the second communication device. Comparison of the challenge result (RES) received from the second communication device and an expected challenge result (XRES) is performed by an AKMA anchor function (AAnF) or by an application function (AF), and the AKMA application key (KAF) for the AF is only provisioned after the comparison indicates a successful communication device authentication (e.g., the RES and the XRES are the same).
Type: Application
Filed: December 29, 2022
Publication date: May 29, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Andreas Kunz, Sheeba Backia Mary Baskaran
-
Publication number: 20250175797
Abstract: Various aspects of the present disclosure relate to methods, apparatuses, and systems that support service monitoring in wireless networks. For instance, when a service request from a UE to a visited serving network is rejected, rejection reports can be generated and validated using secure techniques, such as via a blockchain and/or a permissioned distributed ledger (PDL). The information can then be maintained and communicated in a trusted and secure manner, such as to a home serving network and/or service providers that provide network services.
Type: Application
Filed: February 16, 2023
Publication date: May 29, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz
-
Publication number: 20250167994
Abstract: The present disclosure relates to methods, apparatuses, and systems that support API access management in wireless systems. For instance, an API invoker (e.g., a user or UE) can be authenticated and authorized to access or register with a common API framework (CAPIF) function to enable real-time user consent driven API invocation authorization and secured user service data exposure by a network. Further, a comprehensive set of procedures are provided that ensure that networks are protected from unpermitted and/or potentially malicious access to APIs exposed by the network.
Type: Application
Filed: January 13, 2023
Publication date: May 22, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz
-
Publication number: 20250142339
Abstract: Apparatuses, methods, and systems are disclosed for performing a trust evaluation service at a network function (“NF”). One method includes receiving, at a first NF, a first request message from a second NF. The first request message includes a trust service subscription request message corresponding to a trust service subscription. The method includes performing inference data collection. The method includes performing a trust evaluation service corresponding to the trust service subscription to produce trust evaluation data. The trust evaluation service is performed based at least in part on the inference data collected. The method includes transmitting a first response message to the second NF. The first response message includes information corresponding to the trust evaluation data.
Type: Application
Filed: February 1, 2023
Publication date: May 1, 2025
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz
-
Publication number: 20250133399
Abstract: The present disclosure relates to methods, apparatuses, and systems that support API access management in wireless systems. For instance, an API invoker (e.g., a user or UE) can be authenticated and authorized to access or register with a common API framework (CAPIF) function to enable real-time user consent driven API invocation authorization and secured user service data exposure by a network. Further, a comprehensive set of procedures are provided that ensure that networks are protected from unpermitted and/or potentially malicious access to APIs exposed by the network.
Type: Application
Filed: January 13, 2023
Publication date: April 24, 2025
Applicant: Lenovo (Singapore) Pte. Limited
Inventors: Sheeba Backia Mary Baskaran, Andreas Kunz