Abstract: A method for supporting authentication of a User Equipment, UE, in an Internet Protocol, IP, Multimedia Subsystem, IMS, telecommunication network, by interfacing a Service Based Architecture, SBA, telecommunication network, the method including receiving, by a Unified Data Management, UDM, in the SBA telecommunication network, from a Session Management Function, SMF, in the SBA telecommunication network, binding information, wherein the binding information is used to identify the UE in the IMS telecommunication network; receiving, by the UDM in the SBA telecommunication network, from a Home Subscriber Server, in the IMS telecommunication network, a request for providing the binding information, and providing, by the UDM in the SBA telecommunication network, to the HSS in the IMS telecommunication network the binding information, thereby supporting authentication of the UE. Complementary methods and corresponding nodes are also presented herein.

Abstract: A method performed by an a first Internet Protocol, IP, Multimedia Subsystem, IMS, node for selecting a second IMS node from one or more second IMS in a communications network is provided. The first IMS node and the one or more second IMS nodes are operating in an IMS network. Upon receiving, from a User Equipment, UE, a registration request message requesting the UE to be registered to the IMS network, the first IMS node obtains (201), from a subscriber data node, subscriber data related to the UE. The subscriber data comprises one or more capabilities associated to a second IMS node to be used in the registration procedure. The first IMS node sends (202), to a network node, a request to identify one or more second IMS nodes for the registration procedure, based on the one or more capabilities in the obtained subscriber data. The request comprises the one or more capabilities. The first IMS node receives (203) a response to the request from the network node.

Abstract: A wireless communication device (12) generates key material (22) during an authentication and key agreement procedure (18) with a home network (10) of the wireless communication device (12). The wireless communication device (12) transmits, as part of a home network parameter update procedure (14) to update the home network (10) with one or more parameters (12P), a message (20) that includes the one or more parameters (12P) and that protects the one or more parameters (12P) using the generated key material (22). In some embodiments, the home network parameter update procedure (14) is independent from, and/or is performable separately from, a user equipment, UE, parameter update, UPU, procedure for updating the wireless communication device (12) with a set of parameters (12P) stored at the home network (10).

Abstract: A security relay node receives (710) a discovery request from a service consumer. The discovery request requests discovery of a network function to provide a service. The security relay node directs (720) the discovery request to a selected one of a plurality of remote security relay nodes of a target network and forwards (730), to the service consumer, a discovery response identifying the network function to provide the service.

Abstract: Embodiments include methods for a network exposure function (NEF) of a communication network. Such methods include sending, to a unified data management function (UDM) of the communication network, a first request to remove or delete authorization for provisioning service-specific parameters to one or more user equipment (UEs). Such methods also include receiving, from the UDM, a first response indicating that the authorization for provisioning the service-specific parameters has been removed or deleted as requested.

Abstract: Exemplary embodiments include a method for provisioning subscription data, for a plurality of subscribers, to one or more network functions (NFs) in a communication network. Such embodiments include storing group data, related to the plurality of subscribers, in association with at least a first group identifier (GID), but not in association with individual subscription data for the respective subscribers. Such embodiments also include sending, to the one or more NFs, the group data and the first GID. Such embodiments also include sending, to a particular one of the NFs, the first GID and individual subscription data for a particular one of the subscribers. Embodiments also include complementary methods performed by network functions that receive subscription data in this manner, as well as various network functions and/or nodes, in a communication network, that are configured to perform various disclosed methods.

Abstract: A first network node operating in a telecommunications network can receive an authentication request associated with a communication device requesting registration with the telecommunications network. The authentication request can include first subscriber information. The first network node can determine that the first subscriber information includes an anonymous identifier. Responsive to determining that the first subscriber information includes the anonymous identifier, the network node can determine an authentication procedure to be performed. The network node can receive information associated with the communication device as part of the authentication procedure. The network node can generate second subscriber information based on the information associated with the communication device.

Abstract: A remote communication device performs an authentication procedure with a home communication network, via a relay communication device, to authenticate the remote communication device to the home communication network for a proximity-based service, ProSe. Performing the authentication procedure comprises deriving one or more keys included in an authentication vector. The remote communication device generates an anchor key for the ProSe directly from the one or more keys included in the authentication vector. The remote communication device protects ProSe direct communication between the remote communication device and the relay communication device using security key material derived from the anchor key.

Abstract: A method of operating a core network node in a communication system includes receiving, at a first network function, a registration message from a radio access network node to register a user equipment, UE, and, responsive to the registration message, transmitting a request for information on whether network slices associated with the UE are subject to Network Slice-Specific Authentication and Authorization, NSSAA. Responsive to the request, the method receives a response message including Single-Network Slice Selection Assistance Information, S-NSSAI, information associated with the UE, the S-NSSAI information including NSSAA status information relating to the S-NSSAI information, and determines whether to initiate an NSSAA procedure with the UE based on the S-NSSAI information. Related network nodes are disclosed.

Abstract: Apparatuses and methods for short message service (SMS) delivery are disclosed. In one embodiment, a method implemented in a unified data management, UDM, node includes setting a short message service, SMS, function, SMSF, registration notification flag to detect an SMSF registration event associated with a user equipment, UE. In another embodiment, a method implemented in a home subscriber server, HSS, node includes sending a request to subscribe to a notification at a unified data management, UDM, node about a short message service, SMS, function, SMSF, registration event associated with a user equipment, UE.

Abstract: A method performed by a UE. The method incudes generating a SUCI comprising: i) an encrypted part in which a Mobile Subscription Identification Number of a SUPI is encrypted and ii) a clear-text part comprising: a) a Mobile Country Code of the SUPI, b) a Mobile Network Code of the SUPI, c) a public key identifier for a public key of a home network of the user equipment, and d) an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the Mobile Subscription Identification Number in the SUCI. The method also includes transmitting the SUCI to an authentication server in the home network for forwarding of the SUCI to a de-concealing server capable of decrypting the Mobile Subscription Identification Number.

Abstract: Systems and methods related to a bootstrapping service for a network function (NF) in a core network of a cellular communications system are disclosed. In one embodiment, a method performed by a first NF in a core network of a cellular communications system comprises receiving, from a second NF, a request for services exposed by the first NF. The method further comprises, responsive to receiving the request, sending, to the second NF, information about one or more services exposed by the first NF. In one embodiment, the information about one or more services exposed by the first NF includes Application Programming Interface (API) versions of the one or more services. In this manner, flexibility is provided in the network since there is no need for static configuration of service parameters.

Abstract: A method performed by a mobile terminal for verifying at least one privacy profile setting for positioning of the mobile terminal to a location network node in a communications network is provided. The method includes receiving a request from the location network node for the mobile terminal to provide a position of the mobile terminal. The method further includes checking the at least one privacy profile setting of the mobile terminal for permission to provide position information of the mobile terminal. The method further includes determining whether to send the positioning information of the mobile terminal to the location network node based on the checking the at least one privacy profile setting. Methods performed by a network node are also provided.

Abstract: Exemplary embodiments include a method for provisioning subscription data, for a plurality of subscribers, to one or more network functions, NFs, in a communication network. Such embodiments include storing group data, related to the plurality of subscribers, in association with at least a first group identifier, GID, but not in association with individual subscription data for the respective subscribers. Such embodiments also include sending, to the one or more NFs, the group data and the first GID. Such embodiments also include sending, to a particular one of the NFs, the first GID and individual subscription data for a particular one of the subscribers. Embodiments also include complementary methods performed by network functions that receive subscription data in this manner, as well as various network functions and/or nodes, in a communication network, that are configured to perform various disclosed methods.

Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA. AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID. KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.

Abstract: There is provided a method for handling a first response to a first service request. The method is performed by a first service communication proxy (SCR) node that is configured to operate as an SCR between a first network function (NF) node of a service consumer and one or more groups of second NF nodes of one or more service producers. In response to receiving the first response to the first service request, transmission of a second response to the first service request is initiated (102) towards the first NF node. The first service request is a request for a first service, requested by the first NF node, to be provided. The first response is received from a second NF node that is selected to provide the first service and the second response comprises information indicative of which group of the one or more groups comprises the second NF node.

Abstract: There is provided mechanisms for attachment of a wireless device to an MNO. A method is performed by the wireless device. The method comprises providing an authorization token to an AMF node of the MNO in conjunction with authenticating with the AMF node. The method comprises completing attachment to the MNO upon successful validation of the authorization token by the AMF node.

Abstract: Embodiments described herein relate to methods and apparatuses for registering one or more services that a producer network function is capable of providing at a network repository function and allowing for the access of those services by consumer network functions. A method in a producer network function comprises transmitting a registration request to the NRF, wherein the registration request comprises registration information comprising: an indication of the one or more services; and an indication of resources and operations associated with each resource of the one or more services that are allowed per network function consumer type.

Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.

Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.