Patents by Inventor Bernard Smeets

Bernard Smeets has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11972032
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: April 30, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Håkan Englund, Bernard Smeets
  • Publication number: 20240134966
    Abstract: A method for enabling attestation of a platform comprising a Trusted Execution Environment, TEE, and a Trusted Platform Module, TPM is disclosed. The method is performed by the TEE and comprises: receiving, from an Application of the platform, a request for generation of an attestation quote, the request comprising a nonce, information on which PCR(s) to be used and information about Attestation Keys; establishing a connection to the TPM and obtaining from it at least one PCR value; generating an attestation quote based on the received nonce and the at least one PCR value; signing the attestation, and rendering the attestation quote available for the Application.
    Type: Application
    Filed: March 30, 2021
    Publication date: April 25, 2024
    Inventors: Ilhan Gurel, Bernard Smeets
  • Patent number: 11956634
    Abstract: The application discloses methods and corresponding systems and network devices and/or nodes for enabling user equipment belonging to a home network to access data communication services in a visited network of a wireless communication system. By way of example, there is provided a method that comprises the step of obtaining at least one cryptographic token originating from a network node of the home network of the user equipment and cryptographically signed by a private key associated with the home network, wherein the at least one cryptographic token represents means for accessing data communication services via user data transport functions of the visited network.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: April 9, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Tommy Arngren, Bernard Smeets, Tomas Thyni, Daniel Bergström
  • Publication number: 20240054193
    Abstract: It is provided a method for authenticating a user (5). The method is performed in an authenticator (1) and comprises the steps of: obtaining (40) context data reflecting a current context of the user (5); determining (42) a user challenge set for the user (5) to perform based on the context data, the user challenge set comprising at least one user challenge, wherein each user challenge indicates an action for the user (5) to perform in relation to at least one object (10a-I); transmitting (44) the user challenge set to a user device (2), for presenting the user challenge set to the user (5); obtaining (46) media data; determining (47) a behaviour of the user (5) captured in the media data; and authenticating (48) the user (5), when the media data indicates an expected behaviour of the user (5) in response to the user challenge set.
    Type: Application
    Filed: December 18, 2020
    Publication date: February 15, 2024
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tommy ARNGREN, Bernard SMEETS, Peter ÖKVIST
  • Publication number: 20230353345
    Abstract: There are provided methods and corresponding systems for supporting protected collection of measurement data, representative of usage of network capabilities within a communication network, related to at least two logical and/or physical entities or nodes, also referred to as managed entities, managed by a management system associated with the communication network. By way of example, there is provided a method comprising the step of combining measurement data related to a set of at least two of the managed entities according to a controllable and/or detectable pattern. The controllable pattern is defining at least the order of managed entities in which the combining of measurement data is to be performed. The method also comprises enabling the combined measurement data to be collected for validation of existence of the controllable pattern in the combined measurement data.
    Type: Application
    Filed: December 5, 2019
    Publication date: November 2, 2023
    Inventors: Patricia TOGÅRD, Tommy ARNGREN, Daniel BERGSTRÖM, Bernard SMEETS
  • Patent number: 11797712
    Abstract: It is provided a method for enabling a user device to verify data integrity. The method is performed in a network node and includes: obtaining measurement data indicating resource usage by the user device; obtaining a session identifier; generating a measurement indicator using a one-way function, based on the measurement data; generating an asymmetric cryptographic signature of the session identifier and the measurement indicator, the asymmetric cryptographic signature being based on a private key of a cryptographic key pair of the network node; and storing, in a distributed ledger database, a set of data comprising the asymmetric cryptographic signature, the session identifier and the measurement indicator.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: October 24, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tomas Thyni, Bernard Smeets, Tommy Arngren, Daniel Bergström
  • Patent number: 11792025
    Abstract: A method of verifying that a first device and a second device are physically interconnected is disclosed. The method is performed by a verifier and includes sending a challenge R1 to the first device, for use as basis for input to a first physical unclonable function, PUF, part of the first device, receiving a response, RES1, from the second device, the response RES1 being based on an output of a second PUF part of the second device, and verifying that the first device and the second device are interconnected for the case that the received response, RES1, and an expected response fulfills a matching criterion. A method in a first device and a method in a second device and corresponding devices, computer programs and computer program products are also disclosed.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: October 17, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Karl Norrman, Elena Dubrova, Bernard Smeets
  • Publication number: 20230316170
    Abstract: It is provided a method for enabling distributing of user data among users of respective user device, the users being participants of a meeting. The method is performed by an authenticator device and the method includes the steps of: receiving a signal based on a user action of a first user to enable data distribution; receiving a first set of attributes, including at least one attribute based on real-world data captured by a first user device of the first user; receiving a second set of attributes, including at least one attribute based on real-world data captured by a second user device of a second user, wherein the second set of attributes are of the same type as the first set of attributes; and enabling access to the user data for the user device of the second user when the first set of attributes match the second set of attributes.
    Type: Application
    Filed: August 26, 2020
    Publication date: October 5, 2023
    Inventors: Tommy ARNGREN, Bernard SMEETS, Peter ÖKVIST
  • Patent number: 11770373
    Abstract: There is provided mechanisms for obtaining a VC certificate from a server. A method is performed by network equipment. The method comprises performing, by an enclave of the network equipment, measurements on at least one property of the network equipment. The method comprises providing, by the enclave, a request for the VC certificate from the server upon having attested the measurements. The method comprises receiving, from the server, the VC certificate in response to the request and storing the VC certificate in the network equipment.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: September 26, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Bernard Smeets, Lina Palsson
  • Publication number: 20230254676
    Abstract: There is provided mechanisms for profile handling of a communication device. A method is performed by a subscription server. The method comprises obtaining device type information of the communication device from a proxy server. The method comprises determining a profile handling action for the communication device according to at least one localization rule. According to which of the localization rule the profile handling action is determined depends on a mapping between the device type information and the localization rule. The method comprises notifying the proxy server of the profile handling action.
    Type: Application
    Filed: July 1, 2020
    Publication date: August 10, 2023
    Inventors: Per Ståhl, Qiang LI, Juha Sääskilahti, John Fornehed, Bernard Smeets
  • Publication number: 20230239687
    Abstract: According to some embodiments, a security management entity is provided. The security management entity includes processing circuitry configured to: generate a key having a plurality of key parts, anonymize at least a first data instance at least in part by using the key with threshold cryptography, transmit a respective key part to each one of the plurality of trusted entities, store at least one key part where the stored at least one key part is different from the transmitted respective key parts, receive a message from a first trusted entity of the plurality of trusted entities for investigating the anonymized first data instance where the message includes one of the transmitted respective key parts, and deanonymize the first data instance using the stored at least one key part and the one of the transmitted respective key parts associated with the first trusted entity.
    Type: Application
    Filed: June 25, 2020
    Publication date: July 27, 2023
    Inventors: Bernard SMEETS, Harri HAKALA, Tommy ARNGREN, Yosr JARRAYA, Makan POURZANDI
  • Patent number: 11704442
    Abstract: There is provided mechanisms for handling instances of a trusted execution environment on an execution platform. The trusted execution environment is associated with a secure cryptoprocessor. The secure cryptoprocessor holds a register. The trusted execution environment is configured to read from and write to the register at a given index i. A method is performed by the trusted execution environment. The method comprises checking, upon start of a new instance of the trusted execution environment, status of the register at the given index i, and wherein, when the register at the given index i has its status set to “undefined”, an internal status value is set to a first value, and else, when a value is read from the register at the given index i, the internal status value is set to a second value based on the read value. The method comprises writing the internal status value to the register at the given index i. The method comprises running the new instance.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: July 18, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Bernard Smeets, Lina Pålsson
  • Patent number: 11687673
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: June 27, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20230198996
    Abstract: Disclosed is a method performed by a communication device (140) for handling access to a service of an authorization-requiring network (150), the communication device (140) being connected to a communication network (100). The method comprises initiating access to the service of the authorization-requiring network (150), and after the initiating of the access, obtaining information on a security level of a context of the communication device (140).
    Type: Application
    Filed: May 19, 2020
    Publication date: June 22, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tommy ARNGREN, Bernard SMEETS
  • Patent number: 11646890
    Abstract: A method is disclosed of a secure component (SC) of a local attestation server (LAS) for populating an enclave associated with the LAS. The SC comprises stored encrypted population information previously received in a data packet and encrypted by an encryption key matching a private decryption key of a trusted platform module (TPM) associated with the LAS. The method comprises receiving a public part of a temporary asymmetric key from the enclave, establishing a secure session between the SC and the TPM, sending (to the TPM by using the secure session) the encrypted population information and the public part of the temporary asymmetric key, receiving (from the TPM by using the secure session) the population information decrypted by the private decryption key and re-encrypted by the public part of the temporary asymmetric key, and transmitting the re-encrypted population information to the enclave. An additional method is also disclosed for enabling the population of the enclave.
    Type: Grant
    Filed: May 16, 2018
    Date of Patent: May 9, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Lina Pålsson, Bernard Smeets
  • Publication number: 20230022539
    Abstract: A security management system including a first TEE and a common TEE is provided. The first TEE is a secured environment for data associated with a first entity. The common TEE is a secured environment for data associated with any one of a plurality of entities. First anonymization parameters are shared between the first TEE and the common TEE. The first anonymization parameters are based at least in part on at least one privacy requirement of the first entity and at least one utility requirement of the security management system. The security management system includes processing circuitry configured to: anonymize first data associated with the first entity based at least in part on the first anonymization parameters, analyze at least the anonymized first data for performing data investigation, and generate analysis results based at least in part on the analysis of at least the anonymized first data.
    Type: Application
    Filed: January 14, 2020
    Publication date: January 26, 2023
    Inventors: Yosr JARRAYA, Makan POURZANDI, Harri HAKALA, Bernard SMEETS, Tommy ARNGREN
  • Publication number: 20230007491
    Abstract: A system is disclosed for managing a communication network subscription identifier associated with a device. The system comprises a Core Network node configured to provide a subscription identifier for the device to a Device Management node with management responsibility for the device. The system further comprises a Verification node configured to receive from the Device Management node the subscription identifier and a characteristic of the device, and to bind the subscription identifier to the characteristic such that the subscription identifier is uniquely associated with the characteristic. The system further comprises a Network Access node configured to obtain the subscription identifier from the device. The Verification node, Network Access node and Core Network node are configured to cooperate to verify that the device from which the Network Access node obtained the subscription identifier is in possession of the characteristic that is bound to the subscription identifier.
    Type: Application
    Filed: November 28, 2019
    Publication date: January 5, 2023
    Inventors: Bernard Smeets, Per Ståhl, Qiang Li
  • Patent number: 11483699
    Abstract: There is provided mechanisms for initial network access of a subscriber entity to a radio access network. A method is performed by the subscriber entity. The method comprises transmitting an attach message towards a network node. The attach message indicates a request for network access of the subscriber entity to a radio access network of the network node. The method comprises receiving an identification request originating from the network node. The identification request requests identification of the subscriber entity. The method comprises transmitting a response message towards the network node. The response message comprises an Access Identifier of the subscriber entity. The Access Identifier indicates that the subscriber entity is subscription-less. The method comprises receiving a grant from the network node. The grant allows the subscriber entity limited network access.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: October 25, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Kazi Wali Ullah, Abu Shohei Ahmed, Patrik Salmela, Bernard Smeets
  • Publication number: 20220329586
    Abstract: Embodiments described herein relate to methods and apparatuses for enabling remote management of a profile in an identity module in an NB-IoT device. A proxy server is configured with access to a database of one or more external identifiers associated with one or more respective NB-IoT devices, wherein the one or more external identifiers are used to address the respective one or more NB-IoT devices via an exposure function in a core network. A method in the proxy server comprises receiving a request to deliver a triggering message to the NB-IoT device, wherein the request comprises a device identifier; determining an external identifier based on the received device identifier; and delivering the triggering message to the NB-IoT device using the external identifier.
    Type: Application
    Filed: September 30, 2019
    Publication date: October 13, 2022
    Inventors: Per Ståhl, Qiang Li, Bernard Smeets
  • Publication number: 20220295288
    Abstract: There is provided mechanisms for profile handling of a batch of identity modules. Each identity module in the batch of identity modules has credentials for secure installation of profiles. A method is performed by an LPA of a proxy device. The LPA comprises credentials for profile download. The credentials comprise a certificate. The credentials enable the LPA to act as a virtual identity module. Another method is performed by a subscription management entity. Yet another method is performed by an identity module in the batch of identity modules.
    Type: Application
    Filed: September 10, 2019
    Publication date: September 15, 2022
    Inventors: Per Ståhl, Bernard Smeets