Patents by Inventor Anja Jerichow

Anja Jerichow has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220248225
    Abstract: Improved techniques for secure access control in communication systems are provided. In one example, in accordance with an authorization server function, a method comprises receiving a request from a service consumer in a communication system for access to a service type and one or more resources associated with the service type. The method determines whether the service consumer is authorized to access the service type and the one or more resources associated with the service type. The method generates an access token that identifies one or more service producers for the service type and the one or more resources associated with the service type that the service consumer is authorized to access, and sends the access token to the service consumer. The service consumer can then use the access token to access the one or more services and one or more resources. In addition to such resource level access authorization, target network function group access authorization can be performed.
    Type: Application
    Filed: June 9, 2020
    Publication date: August 4, 2022
    Inventors: Nagendra BYKAMPADI, Laurent THIEBAUT, Anja JERICHOW, Suresh NAIR
  • Publication number: 20220248229
    Abstract: There is provided an apparatus configured to protect security of communication in roaming scenarios between a first network and a second network, the apparatus being a first apparatus residing in the first network and comprising means for in response to a selection of transport layer security as a security capability mechanism, transmitting, to a second apparatus residing in the second network and configured to protect security of communication in roaming scenarios between the first network and the second network, a request to terminate connections over a forwarding interface between the first apparatus and the second apparatus.
    Type: Application
    Filed: January 27, 2022
    Publication date: August 4, 2022
    Inventors: Rekha BHARATHI SOMASHEKAR, Sreejesh SREEKUMAR, Diwakar JOIS, Minisha DAS, Bruno LANDAIS, Anja JERICHOW
  • Publication number: 20220240089
    Abstract: Improved techniques for secure access control in communication systems are provided. Secure access control in one or more examples includes authorization of network function sets. For example, in accordance with an authorization server function, a method includes receiving a request from a service consumer in a communication system for access to a service type, wherein the request comprises information including a service producer set identifier. The method determines whether the service consumer is authorized to access the service type. The method identifies service producer instances that belong to the requested service producer set identifier. The method generates an access token that comprises identifiers for identified ones of the service producer instances that belong to the requested service producer set identifier, and sends the access token to the service consumer.
    Type: Application
    Filed: June 4, 2020
    Publication date: July 28, 2022
    Inventors: Nagendra BYKAMPADI, Suresh NAIR, Anja JERICHOW
  • Publication number: 20220217127
    Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to receive a service request for a service provided by the apparatus, determine whether to provide the service based at least partly on an authentication based on a first identifier, comprised in an access token in the service request, and on a second identifier, comprised in a credential data element in the service request, wherein the authentication is successful when the first identifier and the second identifier identify a same network function instance or same network function instance set, and provide the service responsive to a result of the determination indicating the service is to be provided.
    Type: Application
    Filed: January 4, 2022
    Publication date: July 7, 2022
    Inventors: Saurabh KHARE, Chaitanya AGGARWAL, Anja JERICHOW
  • Publication number: 20220217530
    Abstract: Improved security management techniques between user equipment and a communication system are provided. For example, techniques are provided for preventing malicious attacks via a user equipment deregistration process. In one example, a method comprises sending a deregistration request message from the given user equipment to a communication system to which the given user equipment is registered, wherein the deregistration request message is security-protected and comprises a temporary identifier assigned to the given user equipment. By not sending the deregistration request message with a subscription concealed identifier, the given user equipment prevents a malicious actor from succeeding with a deregistration attack replaying the subscription concealed identifier.
    Type: Application
    Filed: April 30, 2020
    Publication date: July 7, 2022
    Inventors: Suresh NAIR, Nagendra BYKAMPADI, Anja JERICHOW
  • Publication number: 20220217161
    Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to establish a user equipment context for a user equipment registered with the apparatus, the user equipment context being associated with an identity of the user equipment, determine that a plurality of network messages comprising the identity of the user equipment as sender fail a network message integrity process, and trigger, responsive to the determination, at least one of: 1) sending a paging message to the user equipment, and 2) initiating an authentication process with a sender of the network messages, and deletion of the user equipment context as a response to successful completion of the authentication process.
    Type: Application
    Filed: April 7, 2020
    Publication date: July 7, 2022
    Inventors: Suresh NAIR, Anja JERICHOW, Nagendra S BYKAMPADI
  • Publication number: 20220217539
    Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving, by a network function configured to provide centralized user consent authorization in a cellular communication system, a user consent authorization request from a logical network entity, wherein the user consent authorization request comprises an identity of at least one user equipment whose user consent is requested by the logical network entity, the logical network entity being a network function service consumer or an application function, means for retrieving user consent information concerning the at least one user equipment whose user consent is requested by the logical network entity, wherein said user consent information indicates individually whether the logical network entity is authorized to access data related to each of the at least one user equipment, means for determining, based on said user consent information, whether the logical network entity is authorized to access data r
    Type: Application
    Filed: January 4, 2022
    Publication date: July 7, 2022
    Inventors: Saurabh KHARE, Chaitanya AGGARWAL, Anja JERICHOW, Gerald KUNZMANN
  • Publication number: 20220191028
    Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to: receive, from a service communication proxy, a request for an access token which authorizes access to a service at a network function provider, transmit an authorization token to the service communication proxy, the authorization token being specific to the request, and provide the access token to the service communication proxy responsive to determining that a cryptographic signature of a network function consumer on a signed version of the authorization token, received in the apparatus from the service communication proxy, is correct. The apparatus may work in a network serving user equipments, for example.
    Type: Application
    Filed: December 14, 2021
    Publication date: June 16, 2022
    Inventors: Chaitanya AGGARWAL, Anja JERICHOW, Saurabh KHARE
  • Publication number: 20220191008
    Abstract: In accordance with a network exposure function of a communication network, a method comprises generating at least one application layer cryptographic key based on a request specific to given user equipment received from an application function, and sharing the application layer cryptographic key with the application function. The application layer cryptographic key is configured to enable the application function and the given user equipment to establish a secure communication session.
    Type: Application
    Filed: March 4, 2020
    Publication date: June 16, 2022
    Inventors: Suresh NAIR, Anja JERICHOW, Nagendra S. BYKAMPADI
  • Publication number: 20220182821
    Abstract: According to an example aspect of the present invention, there is provided a method, comprising: generating a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generating a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generating authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.
    Type: Application
    Filed: April 17, 2019
    Publication date: June 9, 2022
    Inventors: Bo Holm BJERRUM, Anja JERICHOW
  • Publication number: 20220158847
    Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to determine whether a cryptographic signature of a token received in the apparatus from a network function consumer is valid, obtain a cryptographic signature of the apparatus of the token responsive to the cryptographic signature of the token being valid, and provide the token to a peer entity of the apparatus, wherein the cryptographic signature of the apparatus is either included into the token or provided in a header external to the token, wherein the peer entity is comprised in a second network, different from a first network where the apparatus is comprised in. The request may serve a user equipment, directly or indirectly.
    Type: Application
    Filed: November 10, 2021
    Publication date: May 19, 2022
    Inventors: Chaitanya AGGARWAL, Saurabh KHARE, Anja JERICHOW, Jani EKMAN
  • Publication number: 20220132369
    Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to initiate a handshake process configured to establish a control plane connection prior to establishing an associated data plane connection from the apparatus to a gateway node in a second network, the apparatus being in a first network distinct from the second network, indicate during the establishing of the control plane connection that compression of payload communicated over the data plane connection is requested, and wherein the data plane connection to the gateway node traverses at least one intermediate internet protocol exchange.
    Type: Application
    Filed: October 14, 2021
    Publication date: April 28, 2022
    Inventors: Ashish MAHESHWARI, Sreejesh SREEKUMAR, Diwakar JOIS, Bruno LANDAIS, Anja JERICHOW, Chaitanya AGGARWAL, Seerangaraj JAKKAMALINGU
  • Publication number: 20220116400
    Abstract: According to an example aspect of the present invention, there is provided a method comprising, receiving, by an intermediary network function, a subscription request from a network function consumer requesting data of a network function producer, wherein the subscription request comprises a client credential assertion of the network function consumer and an access token, authorizing and authenticating, by the intermediary network function, the network function consumer upon successful validation of the access token and the client credential assertion validation and transmitting, by the intermediary network function, an access token request to an authorization server to get another access token, wherein said another access token is to be used to validate the network function consumer to access services of the network function producer, and the access token request comprises the client credential assertion of the network function consumer requesting data of the network function producer.
    Type: Application
    Filed: October 6, 2021
    Publication date: April 14, 2022
    Inventors: Saurabh KHARE, Colin KAHN, Georgios GKELLAS, Yannick LAIR, Anja JERICHOW, Chaitanya AGGARWAL
  • Publication number: 20220110082
    Abstract: There is provided an apparatus configured to receive, from a first network entity associated with a first domain in a communication network, a request to communicate; determine a second network entity to which to send the request; determine that the second network entity is associated with a second domain in the communication network; and enforce at least one access policy for routing the request to the network entity, wherein the apparatus is a first service communication proxy trusted in both the first and second domains.
    Type: Application
    Filed: September 28, 2021
    Publication date: April 7, 2022
    Inventors: Thomas BELLING, Bruno LANDAIS, Saurabh KHARE, Anja JERICHOW
  • Publication number: 20220104162
    Abstract: According to an example aspect of the present invention, there is provided a method comprising receiving, by a network repository function, a registration request from an application function, wherein the registration request comprises at least one parameter that needs to be used for generating an access token for the application function, the at least one parameter being associated with the application function, registering the application function by the network repository function and transmitting, by the network repository function, a response to the registration request, wherein the response comprises the at least one parameter associated with the application function.
    Type: Application
    Filed: September 28, 2021
    Publication date: March 31, 2022
    Inventors: Chaitanya AGGARWAL, Anja JERICHOW, Georgios GKELLAS, Saurabh KHARE, Bruno LANDAIS
  • Publication number: 20220086734
    Abstract: According to an example aspect of the present invention, there is provided a method comprising, transmitting to a Network Function, NF, service producer, by a Service Communication Proxy, SCP, a service request on behalf of an NF service consumer, wherein the service request comprises an access token, receiving, by the SCP, a service response from the NF service producer and upon receiving the service response, transmitting to the NF service consumer, by the SCP, information related to the access token.
    Type: Application
    Filed: August 24, 2021
    Publication date: March 17, 2022
    Inventors: Chaitanya AGGARWAL, Saurabh KHARE, Anja JERICHOW, Bruno LANDAIS
  • Publication number: 20220053393
    Abstract: If a first condition for a handover of an analytics calculation for a user equipment by an analytics function is met, the analytics function requests, of at least one other analytics function of the communication network, preparation of the handover of the analytics calculation. If a second condition for the handover of the analytics calculation is met, the analytics function confirms the handover to one of the at least one other analytics function, the analytics calculation for the user equipment at the analytics function being deemed complete.
    Type: Application
    Filed: August 11, 2021
    Publication date: February 17, 2022
    Applicant: NOKIA TECHNOLOGIES OY
    Inventors: Saurabh KHARE, Yannick LAIR, Shubhranshu SINGH, Laurent THIEBAUT, Cinzia SARTORI, Anja JERICHOW
  • Publication number: 20220045991
    Abstract: There are provided measures for optimization of network function profile administration and registration. Such measures exemplarily comprise, at a network repository function entity, receiving, from a control entity, network entity profile template information, storing said network entity profile template information, wherein said network entity profile template information comprises a network entity profile template including an identifier of said network entity profile template and a profile content of said network entity profile template, said profile content including at least one profile attribute, receiving, from a network entity, a network entity registration request comprising said identifier of said network entity profile template, and generating a network entity profile for said network entity based on said at least one profile attribute.
    Type: Application
    Filed: August 5, 2021
    Publication date: February 10, 2022
    Inventors: Saurabh KHARE, Bruno LANDAIS, Thomas BELLING, Anja JERICHOW
  • Publication number: 20220046426
    Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect to the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.
    Type: Application
    Filed: January 27, 2021
    Publication date: February 10, 2022
    Inventors: Peter Schneider, Ranganathan Mavureddi Dhanasekaran, Anja Jerichow
  • Publication number: 20220038896
    Abstract: Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.
    Type: Application
    Filed: July 30, 2020
    Publication date: February 3, 2022
    Inventors: Suresh Nair, Ranganathan Mavureddi Dhanasekaran, Anja Jerichow