Patents by Inventor Bernard Smeets

Bernard Smeets has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240386081
    Abstract: There is provided mechanisms for authenticating a user for a service. A method is performed by an authentication system. The method comprises obtaining source feature data of the user to be authenticated and user attributes. The source feature data represents a by the user performed time dependent movement. The user attributes represent information of the user as extractable from sensor data. The source feature data and the user attributes is extracted from sensor data of the user as collected by at least one sensor device. The method comprises authenticating the user as a function of the source feature data and the user attributes. The user is successfully authenticated when the source feature data fulfils an evaluation criterion with respect to target feature data. The target feature data represents a, for the user and the service, expected time dependent movement. The service is associated with an authentication purpose.
    Type: Application
    Filed: July 8, 2021
    Publication date: November 21, 2024
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tommy ARNGREN, Peter ÖKVIST, Bernard SMEETS
  • Patent number: 12120522
    Abstract: There is provided mechanisms for provisioning of an application level identity from an ID backend server to a communication device. The provisioning of the application level identity is protected using TLS-, DTLS-, or OSCORE-based secure communication. The communication device comprises an identity module configured for interaction according to GSMA RSP based remote subscription profile download. The methods are performed by the communication device and the ID backend server.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: October 15, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Per Ståhl, Bernard Smeets
  • Publication number: 20240314538
    Abstract: There is provided mechanisms for downloading an operational subscription profile to a communication device. A method is performed by the communication device. The communication device has an EID and is provided with a provisioning subscription profile. The method comprises obtaining a temporary PSI for the provisioning subscription profile, wherein the temporary PSI is based on the EID. The method comprises providing, whilst using the provisioning subscription profile, the temporary PSI to a first MNO as part of performing network attachment with the first MNO. The first MNO is selected based on the temporary PSI. The method comprises obtaining, whilst using the provisioning subscription profile and as part of performing network access authentication for the network attachment, an operational PSI from an eSIM server via the first MNO.
    Type: Application
    Filed: February 5, 2021
    Publication date: September 19, 2024
    Inventors: Per Ståhl, Bernard Smeets
  • Patent number: 12069045
    Abstract: Embodiments described herein relate to methods and apparatuses for enabling remote management of a profile in an identity module in an NB-IoT device. A proxy server is configured with access to a database of one or more external identifiers associated with one or more respective NB-IoT devices, wherein the one or more external identifiers are used to address the respective one or more NB-IoT devices via an exposure function in a core network. A method in the proxy server comprises receiving a request to deliver a triggering message to the NB-IoT device, wherein the request comprises a device identifier; determining an external identifier based on the received device identifier; and delivering the triggering message to the NB-IoT device using the external identifier.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: August 20, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Per Ståhl, Qiang Li, Bernard Smeets
  • Publication number: 20240275775
    Abstract: A method, system and nodes are disclosed. According to one or more embodiments, a management node (16) is provided. The management node (16) includes processing circuitry (36) configured to receive an origin certificate for a first service type where the received origin certificate includes a public key and a private key, receive a certificate request for a first instance of the first service type, generate a first proxy certificate based at least on the received origin certificate, and transmit the first proxy certificate and the public key of the received origin certificate to a first virtual network function component where the public key of the received origin certificate is for inclusion to a listing of trusted certificates at the first virtual network function component.
    Type: Application
    Filed: June 9, 2021
    Publication date: August 15, 2024
    Inventors: Makan POURZANDI, Bernard SMEETS, Harri HAKALA, Tommy ARNGREN, Yosr JARRAYA
  • Patent number: 12041458
    Abstract: There is provided mechanisms for profile handling of a batch of identity modules. Each identity module in the batch of identity modules has credentials for secure installation of profiles. A method is performed by an LPA of a proxy device. The LPA comprises credentials for profile download. The credentials comprise a certificate. The credentials enable the LPA to act as a virtual identity module. Another method is performed by a subscription management entity. Yet another method is performed by an identity module in the batch of identity modules.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: July 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Per Ståhl, Bernard Smeets
  • Publication number: 20240232332
    Abstract: A method for enabling attestation of a platform comprising a Trusted Execution Environment, TEE, and a Trusted Platform Module, TPM is disclosed. The method is performed by the TEE and comprises: receiving, from an Application of the platform, a request for generation of an attestation quote, the request comprising a nonce, information on which PCR(s) to be used and information about Attestation Keys; establishing a connection to the TPM and obtaining from it at least one PCR value; generating an attestation quote based on the received nonce and the at least one PCR value; signing the attestation, and rendering the attestation quote available for the Application.
    Type: Application
    Filed: March 31, 2021
    Publication date: July 11, 2024
    Inventors: Ilhan Gurel, Bernard Smeets
  • Patent number: 11972032
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: April 30, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Håkan Englund, Bernard Smeets
  • Publication number: 20240134966
    Abstract: A method for enabling attestation of a platform comprising a Trusted Execution Environment, TEE, and a Trusted Platform Module, TPM is disclosed. The method is performed by the TEE and comprises: receiving, from an Application of the platform, a request for generation of an attestation quote, the request comprising a nonce, information on which PCR(s) to be used and information about Attestation Keys; establishing a connection to the TPM and obtaining from it at least one PCR value; generating an attestation quote based on the received nonce and the at least one PCR value; signing the attestation, and rendering the attestation quote available for the Application.
    Type: Application
    Filed: March 30, 2021
    Publication date: April 25, 2024
    Inventors: Ilhan Gurel, Bernard Smeets
  • Patent number: 11956634
    Abstract: The application discloses methods and corresponding systems and network devices and/or nodes for enabling user equipment belonging to a home network to access data communication services in a visited network of a wireless communication system. By way of example, there is provided a method that comprises the step of obtaining at least one cryptographic token originating from a network node of the home network of the user equipment and cryptographically signed by a private key associated with the home network, wherein the at least one cryptographic token represents means for accessing data communication services via user data transport functions of the visited network.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: April 9, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Tommy Arngren, Bernard Smeets, Tomas Thyni, Daniel Bergström
  • Publication number: 20240054193
    Abstract: It is provided a method for authenticating a user (5). The method is performed in an authenticator (1) and comprises the steps of: obtaining (40) context data reflecting a current context of the user (5); determining (42) a user challenge set for the user (5) to perform based on the context data, the user challenge set comprising at least one user challenge, wherein each user challenge indicates an action for the user (5) to perform in relation to at least one object (10a-I); transmitting (44) the user challenge set to a user device (2), for presenting the user challenge set to the user (5); obtaining (46) media data; determining (47) a behaviour of the user (5) captured in the media data; and authenticating (48) the user (5), when the media data indicates an expected behaviour of the user (5) in response to the user challenge set.
    Type: Application
    Filed: December 18, 2020
    Publication date: February 15, 2024
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tommy ARNGREN, Bernard SMEETS, Peter ÖKVIST
  • Publication number: 20230353345
    Abstract: There are provided methods and corresponding systems for supporting protected collection of measurement data, representative of usage of network capabilities within a communication network, related to at least two logical and/or physical entities or nodes, also referred to as managed entities, managed by a management system associated with the communication network. By way of example, there is provided a method comprising the step of combining measurement data related to a set of at least two of the managed entities according to a controllable and/or detectable pattern. The controllable pattern is defining at least the order of managed entities in which the combining of measurement data is to be performed. The method also comprises enabling the combined measurement data to be collected for validation of existence of the controllable pattern in the combined measurement data.
    Type: Application
    Filed: December 5, 2019
    Publication date: November 2, 2023
    Inventors: Patricia TOGÅRD, Tommy ARNGREN, Daniel BERGSTRÖM, Bernard SMEETS
  • Patent number: 11797712
    Abstract: It is provided a method for enabling a user device to verify data integrity. The method is performed in a network node and includes: obtaining measurement data indicating resource usage by the user device; obtaining a session identifier; generating a measurement indicator using a one-way function, based on the measurement data; generating an asymmetric cryptographic signature of the session identifier and the measurement indicator, the asymmetric cryptographic signature being based on a private key of a cryptographic key pair of the network node; and storing, in a distributed ledger database, a set of data comprising the asymmetric cryptographic signature, the session identifier and the measurement indicator.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: October 24, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tomas Thyni, Bernard Smeets, Tommy Arngren, Daniel Bergström
  • Patent number: 11792025
    Abstract: A method of verifying that a first device and a second device are physically interconnected is disclosed. The method is performed by a verifier and includes sending a challenge R1 to the first device, for use as basis for input to a first physical unclonable function, PUF, part of the first device, receiving a response, RES1, from the second device, the response RES1 being based on an output of a second PUF part of the second device, and verifying that the first device and the second device are interconnected for the case that the received response, RES1, and an expected response fulfills a matching criterion. A method in a first device and a method in a second device and corresponding devices, computer programs and computer program products are also disclosed.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: October 17, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Karl Norrman, Elena Dubrova, Bernard Smeets
  • Publication number: 20230316170
    Abstract: It is provided a method for enabling distributing of user data among users of respective user device, the users being participants of a meeting. The method is performed by an authenticator device and the method includes the steps of: receiving a signal based on a user action of a first user to enable data distribution; receiving a first set of attributes, including at least one attribute based on real-world data captured by a first user device of the first user; receiving a second set of attributes, including at least one attribute based on real-world data captured by a second user device of a second user, wherein the second set of attributes are of the same type as the first set of attributes; and enabling access to the user data for the user device of the second user when the first set of attributes match the second set of attributes.
    Type: Application
    Filed: August 26, 2020
    Publication date: October 5, 2023
    Inventors: Tommy ARNGREN, Bernard SMEETS, Peter ÖKVIST
  • Patent number: 11770373
    Abstract: There is provided mechanisms for obtaining a VC certificate from a server. A method is performed by network equipment. The method comprises performing, by an enclave of the network equipment, measurements on at least one property of the network equipment. The method comprises providing, by the enclave, a request for the VC certificate from the server upon having attested the measurements. The method comprises receiving, from the server, the VC certificate in response to the request and storing the VC certificate in the network equipment.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: September 26, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Bernard Smeets, Lina Palsson
  • Publication number: 20230254676
    Abstract: There is provided mechanisms for profile handling of a communication device. A method is performed by a subscription server. The method comprises obtaining device type information of the communication device from a proxy server. The method comprises determining a profile handling action for the communication device according to at least one localization rule. According to which of the localization rule the profile handling action is determined depends on a mapping between the device type information and the localization rule. The method comprises notifying the proxy server of the profile handling action.
    Type: Application
    Filed: July 1, 2020
    Publication date: August 10, 2023
    Inventors: Per Ståhl, Qiang LI, Juha Sääskilahti, John Fornehed, Bernard Smeets
  • Publication number: 20230239687
    Abstract: According to some embodiments, a security management entity is provided. The security management entity includes processing circuitry configured to: generate a key having a plurality of key parts, anonymize at least a first data instance at least in part by using the key with threshold cryptography, transmit a respective key part to each one of the plurality of trusted entities, store at least one key part where the stored at least one key part is different from the transmitted respective key parts, receive a message from a first trusted entity of the plurality of trusted entities for investigating the anonymized first data instance where the message includes one of the transmitted respective key parts, and deanonymize the first data instance using the stored at least one key part and the one of the transmitted respective key parts associated with the first trusted entity.
    Type: Application
    Filed: June 25, 2020
    Publication date: July 27, 2023
    Inventors: Bernard SMEETS, Harri HAKALA, Tommy ARNGREN, Yosr JARRAYA, Makan POURZANDI
  • Patent number: 11704442
    Abstract: There is provided mechanisms for handling instances of a trusted execution environment on an execution platform. The trusted execution environment is associated with a secure cryptoprocessor. The secure cryptoprocessor holds a register. The trusted execution environment is configured to read from and write to the register at a given index i. A method is performed by the trusted execution environment. The method comprises checking, upon start of a new instance of the trusted execution environment, status of the register at the given index i, and wherein, when the register at the given index i has its status set to “undefined”, an internal status value is set to a first value, and else, when a value is read from the register at the given index i, the internal status value is set to a second value based on the read value. The method comprises writing the internal status value to the register at the given index i. The method comprises running the new instance.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: July 18, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Bernard Smeets, Lina Pålsson
  • Patent number: 11687673
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: June 27, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets