Abstract: A remote communication device performs an authentication procedure with a home communication network, via a relay communication device, to authenticate the remote communication device to the home communication network for a proximity-based service, ProSe. Performing the authentication procedure comprises deriving one or more keys included in an authentication vector. The remote communication device generates an anchor key for the ProSe directly from the one or more keys included in the authentication vector. The remote communication device protects ProSe direct communication between the remote communication device and the relay communication device using security key material derived from the anchor key.

Abstract: A method of operating a core network node in a communication system includes receiving, at a first network function, a registration message from a radio access network node to register a user equipment, UE, and, responsive to the registration message, transmitting a request for information on whether network slices associated with the UE are subject to Network Slice-Specific Authentication and Authorization, NSSAA. Responsive to the request, the method receives a response message including Single-Network Slice Selection Assistance Information, S-NSSAI, information associated with the UE, the S-NSSAI information including NSSAA status information relating to the S-NSSAI information, and determines whether to initiate an NSSAA procedure with the UE based on the S-NSSAI information. Related network nodes are disclosed.

Abstract: Apparatuses and methods for short message service (SMS) delivery are disclosed. In one embodiment, a method implemented in a unified data management, UDM, node includes setting a short message service, SMS, function, SMSF, registration notification flag to detect an SMSF registration event associated with a user equipment, UE. In another embodiment, a method implemented in a home subscriber server, HSS, node includes sending a request to subscribe to a notification at a unified data management, UDM, node about a short message service, SMS, function, SMSF, registration event associated with a user equipment, UE.

Abstract: A method performed by a UE. The method incudes generating a SUCI comprising: i) an encrypted part in which a Mobile Subscription Identification Number of a SUPI is encrypted and ii) a clear-text part comprising: a) a Mobile Country Code of the SUPI, b) a Mobile Network Code of the SUPI, c) a public key identifier for a public key of a home network of the user equipment, and d) an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the Mobile Subscription Identification Number in the SUCI. The method also includes transmitting the SUCI to an authentication server in the home network for forwarding of the SUCI to a de-concealing server capable of decrypting the Mobile Subscription Identification Number.

Abstract: Systems and methods related to a bootstrapping service for a network function (NF) in a core network of a cellular communications system are disclosed. In one embodiment, a method performed by a first NF in a core network of a cellular communications system comprises receiving, from a second NF, a request for services exposed by the first NF. The method further comprises, responsive to receiving the request, sending, to the second NF, information about one or more services exposed by the first NF. In one embodiment, the information about one or more services exposed by the first NF includes Application Programming Interface (API) versions of the one or more services. In this manner, flexibility is provided in the network since there is no need for static configuration of service parameters.

Abstract: A method performed by a mobile terminal for verifying at least one privacy profile setting for positioning of the mobile terminal to a location network node in a communications network is provided. The method includes receiving a request from the location network node for the mobile terminal to provide a position of the mobile terminal. The method further includes checking the at least one privacy profile setting of the mobile terminal for permission to provide position information of the mobile terminal. The method further includes determining whether to send the positioning information of the mobile terminal to the location network node based on the checking the at least one privacy profile setting. Methods performed by a network node are also provided.

Abstract: Exemplary embodiments include a method for provisioning subscription data, for a plurality of subscribers, to one or more network functions, NFs, in a communication network. Such embodiments include storing group data, related to the plurality of subscribers, in association with at least a first group identifier, GID, but not in association with individual subscription data for the respective subscribers. Such embodiments also include sending, to the one or more NFs, the group data and the first GID. Such embodiments also include sending, to a particular one of the NFs, the first GID and individual subscription data for a particular one of the subscribers. Embodiments also include complementary methods performed by network functions that receive subscription data in this manner, as well as various network functions and/or nodes, in a communication network, that are configured to perform various disclosed methods.

Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA. AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID. KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.

Abstract: There is provided a method for handling a first response to a first service request. The method is performed by a first service communication proxy (SCR) node that is configured to operate as an SCR between a first network function (NF) node of a service consumer and one or more groups of second NF nodes of one or more service producers. In response to receiving the first response to the first service request, transmission of a second response to the first service request is initiated (102) towards the first NF node. The first service request is a request for a first service, requested by the first NF node, to be provided. The first response is received from a second NF node that is selected to provide the first service and the second response comprises information indicative of which group of the one or more groups comprises the second NF node.

Abstract: There is provided mechanisms for attachment of a wireless device to an MNO. A method is performed by the wireless device. The method comprises providing an authorization token to an AMF node of the MNO in conjunction with authenticating with the AMF node. The method comprises completing attachment to the MNO upon successful validation of the authorization token by the AMF node.

Abstract: Embodiments described herein relate to methods and apparatuses for registering one or more services that a producer network function is capable of providing at a network repository function and allowing for the access of those services by consumer network functions. A method in a producer network function comprises transmitting a registration request to the NRF, wherein the registration request comprises registration information comprising: an indication of the one or more services; and an indication of resources and operations associated with each resource of the one or more services that are allowed per network function consumer type.

Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.

Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.

Abstract: A method for an access and mobility management function (AMF) of a communication network is provided. The method comprises determining that a stored status for a user equipment (UE) of network-slice-specific authentication and authorization (NSSAA) with respect to a first network slice of the communication network indicates that a new NSSAA should be executed, wherein the first network slice is associated with a first identifier; and in response to a subsequent UE request to register with the communication network, sending the UE a registration accept that includes an indication that another NSSAA procedure with respect to the first network slice should be executed.

Abstract: A method performed by a first node implementing a first NF in a visited network (VPLMN) for communicating with a third node implementing a second NF in a home network (HPLMN) is provided. Embodiments include: determining that the third node should be communicated with; sending, towards a second node implementing a Security Edge Protection Proxy (SEPP) in the visited network, a request for a telescopic FQDN for the third node in the home network to be used by the first node in the visited network to communicate with the third node in the home network, which request comprises a FQDN of the third node in the home network; receiving, from the second node, a telescopic FQDN for the third node wherein the FQDN for the third node in the home network is flattened to a single label to be used by the first node to communicate with the third node.

Abstract: A network node in a home network, HN, of a wireless device assigns a different priority to each of one or more parameter sets in a priority list. Each parameter set comprises one or more parameters used for calculating the subscription identifier. The network node provides the wireless device with the priority list to facilitate the calculation of the subscription identifier by the wireless device. The wireless device obtains the priority list, and calculates the subscription identifier using a null parameter set or one of the one or more parameter sets in the priority list selected responsive to the defined priorities. The wireless device then informs the HN of the subscription of the wireless device by sending the calculated subscription identifier to the network node.

Abstract: The present disclosure provides methods for event subscription management in a network comprising a set of NF nodes, and corresponding NF nodes. The method implemented at a first NF node includes receiving a subscription request of an event for a user equipment, UE, from a third NF node; transmitting, to a second NF node that serves the UE, a subscription report request for the event for the UE; receiving, from a fourth NF node that currently serves the UE, a UE registration request for the UE, including an indication indicating whether the UE is in a restricted service area; and determining whether to transmit a notification for the event to the third NF node based on the UE registration request. The present disclosure further discloses a corresponding method implemented at the second NF node. The present disclosure further provides corresponding computer readable medium.

Abstract: Network equipment in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, for a subscriber. The SUCI contains a concealed subscription permanent identifier, SUPI, for the subscriber. The received at least a portion of the SUCI indicates a sub-domain code, SDC. The SDC indicates a certain sub-domain, from among multiple sub-domains of a home network of the subscriber, to which the subscriber is assigned. The network equipment is also configured to determine, based on the SDC and from among multiple instances of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber.

Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and when the response comprises an 5 authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.

Abstract: The present disclosure provides methods, entities, and computer readable media for non-3GPP access authentication. The method (1600) at a protocol translation entity includes: receiving (S1601), from a Non-3GPP access point, an authentication request message of a first protocol type for a UE that includes an identity of the UE; translating (S1603) the authentication request message of the first protocol type to a corresponding authentication request message of a second protocol type; and transmitting (S1605), to an entity for authentication, the corresponding authentication request message of a second protocol type that includes the identity of the UE.