Patents by Inventor Christine Jost

Christine Jost has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240137765
    Abstract: Embodiments include methods performed by a client in an edge data network. Such methods include obtaining an initial access token before accessing the edge data network. The initial access token is based on an identifier of the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS) and authenticating the server based on a server certificate received from the server via the first connection. Such methods include providing the initial access token to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods performed by a server in an edge data network, as well as apparatus (e.g., user equipment and servers) configured to perform such methods.
    Type: Application
    Filed: February 16, 2022
    Publication date: April 25, 2024
    Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
  • Patent number: 11963000
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: February 10, 2023
    Date of Patent: April 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Publication number: 20240121601
    Abstract: A method for operating a User Equipment (UE) is disclosed, wherein the UE is served by a source first network function in a first network and requires to register with a target second network function in a second network. The method comprises generating a registration request with integrity protection for at least a part of the registration request, and sending an integrity protected part of the registration request to the source first network function via the target second network function.
    Type: Application
    Filed: December 18, 2023
    Publication date: April 11, 2024
    Inventors: Christine Jost, Vesa Torvinen, Peter Hedman, Qian Chen, Lars-Bertil Olsson, Noamen Ben Henda
  • Patent number: 11924630
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: March 5, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Publication number: 20240073683
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Application
    Filed: November 3, 2023
    Publication date: February 29, 2024
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Publication number: 20240073691
    Abstract: A method for a user equipment (UE) to obtain security credentials for accessing a non-public network (NPN) is provided. The method comprises sending, to an onboarding network (ON), a registration request that includes an identifier of the UE, and obtaining an indication of a credential provisioning protocol (CPP) used by a provisioning server (PS) for provisioning security credentials to access the NPN. The method further comprises obtaining, from the PS via the ON using the indicated CPP, security credentials for the UE to access the NPN.
    Type: Application
    Filed: February 7, 2022
    Publication date: February 29, 2024
    Inventors: Vesa Lehtovirta, Christine Jost, Helena Vahidi Mazinani
  • Publication number: 20240064510
    Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session based on the response.
    Type: Application
    Filed: December 15, 2021
    Publication date: February 22, 2024
    Inventors: Ferhat Karakoc, Christine Jost, Cheng Wang, Vesa Lehtovirta, Vlasios Tsiatsis
  • Patent number: 11870765
    Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: January 9, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Prajwol Kumar Nakarmi, Noamen Ben Henda, Christine Jost, Vesa Torvinen
  • Publication number: 20230412589
    Abstract: A method comprises receiving an access token request from a first network entity for granting access to a network function, NF, service producer. The method further comprises determining whether an access token can be granted for the first network entity. Responsive to determining that the access token can be granted, the method further comprises generating the access token that includes an identifier of a NF consumer associated with the first network entity and an identifier of each network entity in a communication path between the first network entity and the NF service producer and transmitting the access token towards the first network entity.
    Type: Application
    Filed: March 16, 2021
    Publication date: December 21, 2023
    Inventors: Christine Jost, Ferhat Karakoc
  • Patent number: 11849316
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Patent number: 11849315
    Abstract: A method for operating a User Equipment (UE) is disclosed, wherein the UE is served by a source first network function in a first network and requires to register with a target second network function in a second network. The method comprises generating a registration request with integrity protection for at least a part of the registration request, and sending an integrity protected part of the registration request to the source first network function via the target second network function.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Noamen Ben Henda, Qian Chen, Peter Hedman, Lars-Bertil Olsson, Vesa Torvinen
  • Patent number: 11849389
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Grant
    Filed: February 14, 2023
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Publication number: 20230396994
    Abstract: Network equipment is configured for use in one of multiple different core network domains of a wireless communication system. The network equipment is configured to receive a message that has been, or is to be, transmitted between the different core network domains. The network equipment is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy. The protection policy includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment is also configured to forward the message, with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message.
    Type: Application
    Filed: August 15, 2023
    Publication date: December 7, 2023
    Inventors: Pasi SAARINEN, Jesús Ángel DE-GREGORIO-RODRIGUEZ, Christine JOST, Pablo MARTINEZ DE LA CRUZ
  • Publication number: 20230396655
    Abstract: There is provided a method for handling a service request. The method is performed by a first network node. The first network node is a first network function (NF) node of a service consumer or a first service communication proxy (SCP) node that is configured to operate as an SCP between the first NF node and one or more second NF nodes of a service producer. Transmission of a first request is initiated and/or a response to the first request is received (102). The first request is for a second NF node of the one or more second NF nodes to provide a first service requested by the first NF node. The first request has a first security feature only if such a first security feature is required. The response to the first request has a second security feature only if such a second security feature is required.
    Type: Application
    Filed: February 15, 2021
    Publication date: December 7, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Maria Cruz Bartolome RODRIGO, Christine JOST
  • Patent number: 11799916
    Abstract: A method of operating a user equipment, UE, includes establishing a radio resource control, RRC, connection with a base station, following establishment of the RRC connection, sending an indication of a security capability of the UE to the base station, receiving a non-access stratum, NAS, message, from the base station, wherein the NAS message identifies a selected security algorithm, and generating the access stratum security key to be used with the selected security algorithm.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: October 24, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Lehtovirta, Christine Jost, Monica Wifvesson
  • Publication number: 20230319571
    Abstract: Network equipment implements a network function in a wireless communication network. The network equipment obtains integrity verification information that is a function of only a portion of a message. The message is either a request for a service to be consumed by the network function or a response to a request for a service provided by the network function. The network equipment digitally signs an assertion that includes the integrity verification information, and then sends the message and the digitally signed assertion to a service communication proxy. Other network equipment that receives the message and the digitally signed assertion may check an integrity of the portion of the message, based on integrity verification information that the other network equipment obtains and on the integrity verification information included in the digitally signed assertion.
    Type: Application
    Filed: August 17, 2021
    Publication date: October 5, 2023
    Inventors: Christine Jost, Ferhat Karakoc, Magnus Hallenstål, Maria Cruz Bartolome Rodrigo
  • Publication number: 20230275883
    Abstract: Enabling the exchange of connection parameters where a user equipment (UE) lacks a secret shared with the network (e.g. a server), such as key materials, and lacks a valid certificate. In some embodiments, the connection parameters may be exchanged via EAP messages. In certain aspects, and particularly with respect to emergency attach, a simplified protocol is used with limited overhead because the UE does not attempt to authenticate the network, and the network does not attempt to authenticate the UE.
    Type: Application
    Filed: January 5, 2023
    Publication date: August 31, 2023
    Inventors: Christine JOST, Vesa LEHTOVIRTA, Ivo SEDLACEK, Vesa TORVINEN
  • Patent number: 11743718
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.
    Type: Grant
    Filed: July 22, 2022
    Date of Patent: August 29, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Patent number: 11729609
    Abstract: Network equipment (300, 400) is configured for use in one of multiple different core network domains of a wireless communication system (10). The network equipment (300, 400) is configured to receive a message (60) that has been, or is to be, transmitted between the different core network domains. The network equipment (300, 400) is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy (80). The protection policy (80) includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment (300, 400) is also configured to forward the message (60), with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message (60).
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: August 15, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Pasi Saarinen, Jesus-Angel De-Gregorio-Rodriguez, Christine Jost, Pablo Martinez De La Cruz
  • Publication number: 20230208823
    Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.
    Type: Application
    Filed: December 22, 2022
    Publication date: June 29, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Prajwol Kumar NAKARMI, Noamen BEN HENDA, Christine JOST, Vesa TORVINEN