Abstract: Apparatuses, methods, and systems are disclosed for indicating the IMS capability for EPS fallback. One apparatus in a mobile communication network includes a processor and a transceiver that transmits to an IMS network entity a first SIP message comprising a request for establishing a data session, where the first SIP message contains a first contact header field. The transceiver receives a second SIP message from the IMS network entity for establishing the data session, where the second SIP message contains an indicator. The processor determines an IMS network capability from a combination of the first contact header field and the indicator.

Abstract: Various aspects of the present disclosure relate to protecting broadcast ranging and positioning messages over sidelink interface. An initiator user equipment (UE) can initiate a ranging or positioning procedure with secondary UEs that are in close proximity with the initiator. The initiator UE sends a sidelink (SL) broadcast message with a requested positioning or ranging action, along with a temporary group identifier. The secondary UEs perform the requested positioning or ranging action and return their results to the initiator UE. The results are protected (e.g., encrypted) using one or more keys associated with the temporary group identifier. These one or more keys may be a group broadcast key known by all of the secondary UEs, or individual broadcast keys for the individual secondary UEs.

Abstract: An object is to provide a key generation method capable of maintaining a high security level in each of sliced networks when network slicing is applied to a core network. A key generation method according to this disclosure specifies network slice identification information indicating a network slice system that provides a service to be used by a communication terminal (50) among a plurality of network slice systems included in a core network (10) and, using the network slice identification information, generates a service key to be used for security processing in the network slice system indicated by the network slice identification information.

Abstract: Apparatuses, methods, and systems are disclosed for physical layer secret key generation. One method includes generating a security key using channel information of a wireless channel and computing a first authentication code over a first Training Sequence using the security key. The method includes sending the first Training Sequence including the first authentication code to a second endpoint and receiving a response message from the second endpoint, the response message including a second authentication code. The method includes validating the second authentication code and indicating successful key establishment in response to successful validation of the second authentication code.

Abstract: Apparatuses, methods, and systems are disclosed for allowing connectivity between a UAV and a UAV-C. One method includes receiving, at a network function, a first request from a first USS. The first request indicates to replace a first UAV-C of a first UAV, and the first request includes an IP address of the first UAV, a requested QOS, flow descriptors identifying traffic, UAV to UAV-C pairing information, or some combination thereof. The method includes transmitting a second request to a policy control function. The second request includes a request to trigger policies to allow connectivity between the first UAV and a second UAV-C based on the UAV to UAV-C pairing information.

Abstract: Apparatuses, methods, and systems are disclosed for security mode integrity verification. One method includes receiving an authentication request message corresponding to a user equipment. The method includes, in response to receiving the authentication request message, determining whether the user equipment has moved from a first public land mobile network to a second public land mobile network within a predetermined period of time. The method includes, in response to the user equipment having moved from the first public land mobile network to the second public land mobile network within the predetermined period of time, determining a likelihood factor that indicates a likelihood that the user equipment moved from the first public land mobile network to the second public land mobile network. The method includes, in response to the likelihood factor being less than a predetermined threshold, transmitting an authentication response message indicating a failed authentication.

Abstract: Apparatuses, methods, and systems are disclosed for network slice authentication. One method includes receiving a registration request message associated with a UE and determining an authentication requirement for a network slice based at least in part on the received registration request. The method includes transmitting an authentication request to a network entity based at least in part on the determined authentication requirement for the network slice and receiving an authentication response from the network entity based at least in part on the transmitted authentication request. The method includes determining, based at least in part on the received authentication response, whether to include the network slice within a set of allowed NSSAI and transmitting a registration accept message comprising the allowed NSSAI.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: Apparatuses, methods, and systems are disclosed for registration authentication based on a capability. One method (700) includes receiving (702), at a second network device from a first network device, an indication for a capability for a registration. The method (700) includes transmitting (704), to a third network device, a first request for a type of authentication procedure for the registration. The method (700) includes transmitting (706), to a remote unit, a second request. The second request corresponds to the type of authentication procedure for the registration. The method (700) includes receiving (708), from the remote unit, a response to the second request. The response corresponds to a stored credential in the remote unit.

Abstract: Apparatuses, methods, and systems are disclosed for authentication for a network service. One method includes receiving, at a first network device from a second network device, a network function service request to execute a service on a third network device. The request includes first credentials for authentication with a first network device and second credentials for authentication with the third network device. The method includes determining whether the first credentials provided are valid and execute the service request by determining the third network device to execute the service requested from the second network device. The method includes transmitting, to a fourth network device, a request for authentication with the third network device. The request includes an identifier of the third network device and second credentials of the second network device.

Abstract: Various aspects of the present disclosure relate to key identification for mobile edge computing functions. An apparatus includes at least one memory and at least one processor that is configured to generate a unique key set identifier (“KSI”) associated with a multi-access edge computing (“MEC”) service, derive a key for a network function based on a corresponding root key and the generated KSI, the KSI provided as input to a key derivation function (“KDF”), and transmit an application registration request message to the network function for establishing a secure connection to the network function using the key, the application registration request message comprising the KSI.

Abstract: Various aspects of the present disclosure relate to secure data collection via a messaging framework. An apparatus includes at least one memory and at least one processor that is configured to receive a subscription request from a data consumer function, the subscription request comprising a data tag associated with a data producer function, generate a security key for the data tag, generate a binding for the data tag between the security key, the data consumer function, and the data producer function, and transmit, for use in data transmissions between the data producer function and the data consumer function a service request message to the data producer function, the service request message comprising the data tag and the security key, and a data exposure response message to the data consumer function, the data exposure response message comprising the data tag and the security key.

Abstract: Apparatuses, methods, and systems are disclosed for rerouting message transmissions. One method includes receiving, at a first network device, a registration request message. The method includes delaying, by the first network device, primary authentication, security setup, or a combination thereof based at least partly on a subscription permanent identifier (SUFI) from a second network device and subscription information. The method includes determining, at the first network device, whether to transmit a reroute non-access stratum (NAS) message.

Abstract: Apparatuses, methods, and systems are disclosed for provisioning server selection in a cellular network. One method includes communicating, at a network device, with a remote unit via a first network function. The method includes receiving an authentication request from the first network function. The method includes selecting a provisioning server based on a remote unit identity of an onboarding profile, based on a pre-configuration, or a combination thereof. The method includes transmitting a response message to the first network function. The response message includes a provisioning server address.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: Apparatuses, methods, and systems are disclosed for network security based on routing information. One method includes receiving at a first network device, a security request message from an initial access and mobility management function (AMF), an initial security anchor function (SEAF)), or a combination thereof. The security request message includes information indicating a serving network name (SNN), whether routing information is required, a subscription permanent identifier (SUFI), or some combination thereof. The method includes determining, at the first network device, routing information based on the security request message. The method includes transmitting, from the first network device, a security response message to the initial AMF, the initial SEAF, or the combination thereof. The security response message includes the routing information.

Abstract: Apparatuses, methods, and systems are disclosed for handling security aspects for UAS in a 3GPP network. One apparatus contains a transceiver that receives a revocation indication message from a mobile communication network and a processor that deletes UAS-related authorization and security information corresponding to a UAV ID. The transceiver further transmits a revocation acknowledgement message to the mobile communication network.

Abstract: Apparatuses, methods, and systems are disclosed for determining a time to perform an update. One method (900) includes transmitting (902) first information indicating an initial value. The method (900) includes transmitting (904) second information indicating an update interval corresponding to the initial value. The method (900) includes updating (906) an identifier at a time determined based on the initial value and the update interval.

Abstract: This disclosure provides a User Equipment (UE), including: a transmitter configured to transmit at least one Protocol Data Unit (PDU) session identifier (ID), each of which indicates a PDU session that the UE needs to use in a Non Access Stratum (NAS) Service Request message to a Mobility Management Function (MMF) via an access network (AN) node when the UE has user data to send.

Abstract: A session initiation protocol register request message for RLOS can be received at a P-CSCF. The session initiation protocol register request message can include an IP multimedia public user identification for a UE. The session initiation protocol register request message can be forwarded to a Serving Call Session Control Function (S-CSCF). A UE identifier in a 200 OK response can be received in response to forwarding the session initiation protocol register request message at the P-CSCF from the S-CSCF. Signaling can be ciphered using a security key for the UE in response to receiving the 200 OK response.