Abstract: A user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for a given authentication scenario.

Abstract: Techniques for enhancing subscription authorization in a communications network are provided. For example, a method in a source network function service producer or an apparatus for a source network function service provider is disclosed. The method comprises: receiving a subscription request including access authorization information from a network function service consumer for a subscription to receive a notification upon occurrence of a specific event; verifying that the network function service consumer is authorized to create the subscription to the source network function service producer; storing subscription context and access authorization information granted for the subscription if the subscription request is authorized.

Abstract: According to an example aspect of the present invention, there is provided method, comprising: generating a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generating a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generating authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for determining a data privacy filter of a user equipment, wherein the data privacy filter is configured to be used in a visited network by the user equipment to determine whether a request, from a network function in the visited network, to collect data from the user equipment is acceptable and whether the user equipment should transmit said data to the network function and means for transmitting, to the user equipment located in the visited network, the data privacy filter of the user equipment.

Abstract: Embodiments of the present disclosure relate to usage of access token in service based architecture. According to one aspect of the present disclosure, a first network device transmits an access token request to a second network device, and receives, from the second network device, an access token associated with a first count value, the first count value indicating the number of times the access token is allowed to be used. The first network device transmits, to a third network device, a service request with the access token; and receives, from the third network device, a service response determined based on the first count value and the access token. In this way, usage of an access token may be restricted and chance of misuse of the access token may be reduced.

Abstract: It is provided a method comprising at least one of a) and b): a) monitoring whether a service request to produce a producer service is received and producing the producer service if the service request is received, wherein the producer service is a service produced by the access network; and b) consuming a producer service from a core network or an access network, wherein the producer service is consumed by an access network.

Abstract: At given user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the given user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the given user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for the given authentication scenario.

Abstract: Systems, methods, apparatuses, and computer program products directed to next generation (e.g., 5G systems) key set identifier(s) are provided. One method includes requesting, by a network node, authentication of a user equipment with an authentication server, receiving a master key and authentication parameters/vectors from the authentication server when authorization is successful, and verifying validity of the authentication request. When the verification is successful, the method may further include instantiating a security context for the user equipment and assigning a security context identifier for next generation system security context to the user equipment, and then sending a security mode command message to instruct the user equipment to instantiate security context using the security context identifier.

Abstract: A method of performing a data retrieval service for a first analytics function of a first communication network comprises collecting (S201), for at least one user equipment, data from the first communication network, obtaining (S203), from the collected data, processed information which is to be passed to an entity of a second communication network, and storing (S205) the processed information, wherein the processed information complies with one or more protection policies with respect to the second communication network.

Abstract: Techniques for providing privacy features in communication systems are provided. For example, a message may be provided from user equipment to an element or function in a communication network that comprises one or more privacy indicators, where privacy features for processing the message are determined based on the privacy indicators. The message may comprise an attach request comprising a subscription identifier for a subscriber associated with the user equipment, with the privacy indicators comprising a flag indicating whether the subscription identifier in the attach request is privacy-protected. As another example, the element of function in the communication network may determine privacy features supported by the communication network and generate and send a message to user equipment comprising one or more privacy indicators selected based on the determined privacy features.

Abstract: Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for inter-network communication. A first edge protection proxy in a first network receives a request for an access token from a network repository function in the first network. The access token is to be used by a first network function in the first network to request a service from a second network function in a second network. The first edge protection proxy validates the request based on configurations allowed to access services provided by networks different from the first network. If the validation of the request is successful, the first edge protection proxy transmits the request to a second edge protection proxy in the second network. The transmitted request comprises verified information concerning the first network function.

Abstract: Example embodiments of the present disclosure relate to dynamic authorization. According to embodiments of the present disclosure, a solution for dynamic access control to data is proposed. On receiving data registration from a data source, a first device checks the data types to be produced by the data source and adds policies for the data or updates existing policies for the data according to its property. It also serves as access control decision point to determine consumers' access rights based on centrally managed policies. Authorization for data access is granted/denied according to local attributes/policies. In this way, it achieves a dynamic, context-aware and risk-intelligent access control to different kind of data from various data sources (i.e., service producers).

Abstract: Techniques for providing privacy features in communication systems are provided. For example, a message may be provided from user equipment to an element or function in a communication network that comprises one or more privacy indicators, where privacy features for processing the message are determined based on the privacy indicators. The message may comprise an attach request comprising a subscription identifier for a subscriber associated with the user equipment, with the privacy indicators comprising a flag indicating whether the subscription identifier in the attach request is privacy-protected. As another example, the element of function in the communication network may determine privacy features supported by the communication network and generate and send a message to user equipment comprising one or more privacy indicators selected based on the determined privacy features.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, and wherein one of the first and second security edge protection proxy elements is a sending security edge protection proxy element and the other of the first and second security edge protection proxy elements is a receiving security edge protection proxy element, the receiving security edge protection proxy element receives a message from the sending security edge protection proxy element. The receiving security edge protection proxy element detects one or more error conditions associated with the received message. The receiving security edge protection proxy element determines one or more error handling actions to be taken in response to the one or more detected error conditions.

Abstract: There is disclosed a network apparatus that is caused to receive analytics data from a first network apparatus, determine that said analytics data is usable by a second network apparatus, and send said analytics data to the second network apparatus in dependence on said determining.

Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.

Abstract: Example embodiments of the present disclosure relate to devices, methods and computer readable storage media for service provisioning to facilitate analysis of a service from a network function (NF). In example embodiments, one or more logs are received from at least one of a first NF, a network repository function (NRF) and a service communication proxy (SCP). The one or more logs are associated with a service from a second NF. Further, analysis of provision of the service from the second NF is facilitated based on the one or more logs.

Abstract: Techniques are disclosed for security management for authentication failure notification in a communication system. For example, a method comprises receiving, at user equipment from a network entity in a communication system, a message comprising an indication of at least one specific cause for a failure in an authentication procedure between the communication system and the user equipment, wherein the at least one specific cause comprises an occurrence of an authentication credential expiration. The user equipment may apply a policy and/or take one or more actions in response to receipt of the message.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, transmitting to a Network Function, NF, service producer, by a Service Communication Proxy, SCP, a service request on behalf of an NF service consumer, wherein the service request comprises an access token, receiving, by the SCP, a service response from the NF service producer and upon receiving the service response, transmitting to the NF service consumer, by the SCP, information related to the access token.

Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.