Patents by Inventor Christine Jost

Christine Jost has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12167232
    Abstract: Network equipment is configured for use in one of multiple different core network domains of a wireless communication system. The network equipment is configured to receive a message that has been, or is to be, transmitted between the different core network domains. The network equipment is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy. The protection policy includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment is also configured to forward the message, with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message.
    Type: Grant
    Filed: August 15, 2023
    Date of Patent: December 10, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Pasi Saarinen, Jesús Ángel De-Gregorio-Rodriguez, Christine Jost, Pablo Martinez De La Cruz
  • Patent number: 12160413
    Abstract: Enabling the exchange of connection parameters where a user equipment (UE) lacks a secret shared with the network (e.g. a server), such as key materials, and lacks a valid certificate. In some embodiments, the connection parameters may be exchanged via EAP messages. In certain aspects, and particularly with respect to emergency attach, a simplified protocol is used with limited overhead because the UE does not attempt to authenticate the network, and the network does not attempt to authenticate the UE.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: December 3, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Vesa Lehtovirta, Ivo Sedlacek, Vesa Torvinen
  • Patent number: 12149927
    Abstract: A method performed by a mobile terminal for verifying at least one privacy profile setting for positioning of the mobile terminal to a location network node in a communications network is provided. The method includes receiving a request from the location network node for the mobile terminal to provide a position of the mobile terminal. The method further includes checking the at least one privacy profile setting of the mobile terminal for permission to provide position information of the mobile terminal. The method further includes determining whether to send the positioning information of the mobile terminal to the location network node based on the checking the at least one privacy profile setting. Methods performed by a network node are also provided.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: November 19, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Prajwol Kumar Nakarmi, Åke Busin, David Castellanos Zamora, Christine Jost
  • Publication number: 20240380744
    Abstract: Embodiments include methods for a data consumer network function (NF) of a communication network. These methods include sending, to a network repository function (NRF) of the communication network, a request for an access token for the following: a service provided by a data collection coordination function (DCCF) of the communication network, and data to be collected via the DCCF service. These methods include receiving from the NRF at least one access token for the DCCF service and for the data to be collected via the DCCF service and, using the at least one access token, collecting the data from a data producer NF of the communication network via the DCCF service. Other embodiments include complementary methods for DCCFs and NRFs, as well as data consumer NFs, DCCFs, and NRFs configured to perform such methods.
    Type: Application
    Filed: May 2, 2022
    Publication date: November 14, 2024
    Inventors: Pinar Comak, Ferhat Karakoc, Christine Jost, Zhang Fu, Ulf Mattsson
  • Publication number: 20240356742
    Abstract: Systems and methods are disclosed herein that relate to verifying that a particular Application Function (AF) is authorized to use a particular AF ID in association with an Authentication and Key Management for Applications (AKMA) related procedure in a core network of a cellular communications system. In one embodiment, a method performed by an AKMA Anchor Function (AAnF) in a core network of the cellular communications system for generating a shared secret key for AKMA comprises receiving, directly or indirectly from an AF, a request for a shared secret key for AKMA, the request comprising an AF ID. The method further comprises determining whether the AF is authorized to use the AF ID and performing one or more actions based on a result of determining whether the AF (404) is authorized to use the AF ID.
    Type: Application
    Filed: July 15, 2022
    Publication date: October 24, 2024
    Inventors: Vlasios Tsiatsis, Cheng Wang, Christine Jost, Songmao Li, Helena Vahidi Mazinani
  • Patent number: 12075253
    Abstract: There are provided mechanisms for attachment of a wireless device to an MNO. A method is performed by the wireless device. The method comprises providing an authorization token to an AMF node of the MNO in conjunction with authenticating with the AMF node. The method comprises completing attachment to the MNO upon successful validation of the authorization token by the AMF node.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: August 27, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Maria Esther Bas Sanchez, David Castellanos Zamora, Peter Hedman, Christine Jost, Monica Wifvesson
  • Publication number: 20240276211
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Application
    Filed: April 16, 2024
    Publication date: August 15, 2024
    Inventors: Monica Wifvesson, Noamen Ben Henda, Vesa Lehtovirta, Christine Jost
  • Publication number: 20240276217
    Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.
    Type: Application
    Filed: April 8, 2022
    Publication date: August 15, 2024
    Inventors: Cheng Wang, Ferhat Karakoc, Christine Jost, Vlasios Tsiatsis, David Castellanos Zamora, Wenliang Xu
  • Publication number: 20240244435
    Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.
    Type: Application
    Filed: April 14, 2022
    Publication date: July 18, 2024
    Inventors: Christine Jost, Noamen Ben Henda, David Castellanos Zamora, Peter Hedman, Ivo Sedlacek, Vlasios Tsiatsis, Monica Wifvesson
  • Publication number: 20240244434
    Abstract: A data collection coordination function, DCCF, network node receives (1a) a request for data from a data consumer, determines (2) a data source for the requested data, verifies (3a, 3b) with a network node that the data consumer and the DCCF are authorized by the data source, receives (3b) a message container for the data consumer from the network node, the message container for the data consumer including a data encryption key KE and a data integrity key Ki, and receives (3b) a message container for the data source from the network node, the message container for the data source including the data encryption key KE and the data integrity key Ki. The DCCF network node transmits (4a) the message container for the data consumer to the data consumer and transmits (5) the message container for the data source to the data source.
    Type: Application
    Filed: March 15, 2022
    Publication date: July 18, 2024
    Inventors: Pinar Comak, Christine Jost, Ferhat Karakoc, Stefan Håkansson, Ulf Mattsson, Zhang Fu
  • Publication number: 20240236676
    Abstract: Embodiments include methods performed by a client in an edge data network. Such methods include obtaining an initial access token before accessing the edge data network. The initial access token is based on an identifier of the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS) and authenticating the server based on a server certificate received from the server via the first connection. Such methods include providing the initial access token to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods performed by a server in an edge data network, as well as apparatus (e.g., user equipment and servers) configured to perform such methods.
    Type: Application
    Filed: February 16, 2022
    Publication date: July 11, 2024
    Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
  • Publication number: 20240187980
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Application
    Filed: December 19, 2023
    Publication date: June 6, 2024
    Inventors: Christine Jost, Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Patent number: 11997479
    Abstract: A method for key derivation for non-3GPP access. The method includes determining a particular non-3GPP access type, wherein the particular non-3GPP access type is one of N different particular non-3GPP access types (N>1), and each one of the N particular non-3GPP access types is associated with a unique access type distinguisher value. The method also includes generating (s604) a first access network key using a key derivation function and the unique access type distinguisher value with which the determined particular non-3GPP access type is associated, thereby generating a first access network key for the particular non-3GPP access type.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: May 28, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Vesa Lehtovirta, Christine Jost, Helena Vahidi Mazinani
  • Publication number: 20240163672
    Abstract: The invention relates to a method for a data consumer network function, NF, of a communication network to collect data from a data producer NF, the method comprising: sending (810), to a network repository function, NRF, in the communication network, a request for an access token for a service provided by a data collection coordination function, DCCF, in the communication network; receiving (820), from the NRF, at least one access token for the service provided by the DCCF; and using (830) the at least one access token, collecting data from the data producer NF in the communication network via the DCCF service.
    Type: Application
    Filed: December 21, 2021
    Publication date: May 16, 2024
    Inventors: Pinar Comak, Christine Jost, Ferhat Karakoc, Ulf Mattsson, Zhang Fu
  • Publication number: 20240137765
    Abstract: Embodiments include methods performed by a client in an edge data network. Such methods include obtaining an initial access token before accessing the edge data network. The initial access token is based on an identifier of the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS) and authenticating the server based on a server certificate received from the server via the first connection. Such methods include providing the initial access token to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods performed by a server in an edge data network, as well as apparatus (e.g., user equipment and servers) configured to perform such methods.
    Type: Application
    Filed: February 16, 2022
    Publication date: April 25, 2024
    Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
  • Patent number: 11963000
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: February 10, 2023
    Date of Patent: April 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Publication number: 20240121601
    Abstract: A method for operating a User Equipment (UE) is disclosed, wherein the UE is served by a source first network function in a first network and requires to register with a target second network function in a second network. The method comprises generating a registration request with integrity protection for at least a part of the registration request, and sending an integrity protected part of the registration request to the source first network function via the target second network function.
    Type: Application
    Filed: December 18, 2023
    Publication date: April 11, 2024
    Inventors: Christine Jost, Vesa Torvinen, Peter Hedman, Qian Chen, Lars-Bertil Olsson, Noamen Ben Henda
  • Patent number: 11924630
    Abstract: The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: March 5, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Publication number: 20240073683
    Abstract: The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Application
    Filed: November 3, 2023
    Publication date: February 29, 2024
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Publication number: 20240073691
    Abstract: A method for a user equipment (UE) to obtain security credentials for accessing a non-public network (NPN) is provided. The method comprises sending, to an onboarding network (ON), a registration request that includes an identifier of the UE, and obtaining an indication of a credential provisioning protocol (CPP) used by a provisioning server (PS) for provisioning security credentials to access the NPN. The method further comprises obtaining, from the PS via the ON using the indicated CPP, security credentials for the UE to access the NPN.
    Type: Application
    Filed: February 7, 2022
    Publication date: February 29, 2024
    Inventors: Vesa Lehtovirta, Christine Jost, Helena Vahidi Mazinani