Patents by Inventor Ferhat Karakoc
Ferhat Karakoc has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250254157
Abstract: Communication equipment (16) is configured to invoke an application programming interface (API) (14) to access a service. The communication equipment (16) transmits, from the communication equipment (16) to API exposing equipment (12) configured to expose the API (14), a request (18) to invoke the API (14). The communication equipment (16) also transmits, from the communication equipment (16) to the API exposing equipment (12), an access token (20) that indicates whether a resource owner (24) consents (26) to the communication equipment (16) accessing a protected resource (22) of the API (14). The API exposing equipment (12) may verify the request (18) based on the access token (20), e.g., by verifying the request (18) against one or more claims in the access token (20). The API exposing equipment (12) may then accept or reject the request (18) depending on that verification.
Type: Application
Filed: May 5, 2023
Publication date: August 7, 2025
Inventors: Ferhat Karakoc, Wenliang Xu
-
Publication number: 20250227099
Abstract: Embodiments of the present disclosure include methods for a client in an edge data network. Such methods include obtaining an initial access credential for a server in the edge data network, before accessing the server; providing the initial access credential to the server for authentication of the client; and obtaining an updated access credential for the server based on expiration of one of the following: the initial access credential, or a further access credential provided by the server; and providing the updated access credential to the server for authentication of the client. Other embodiments include complementary methods for a server and for a credential provider, as well as UEs, network nodes, and/or computing systems configured to perform such methods.
Type: Application
Filed: October 18, 2022
Publication date: July 10, 2025
Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
-
Patent number: 12342168
Abstract: The invention relates to a method for a data consumer network function, NF, of a communication network to collect data from a data producer NF, the method comprising: - sending (810), to a network repository function, NRF, in the communication network, a request for an access token for a service provided by a data collection coordination function, DCCF, in the communication network; - receiving (820), from the NRF, at least one access token for the service provided by the DCCF; and - using (830) the at least one access token, collecting data from the data producer NF in the communication network via the DCCF service.
Type: Grant
Filed: December 21, 2021
Date of Patent: June 24, 2025
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Pinar Comak, Christine Jost, Ferhat Karakoc, Ulf Mattsson, Zhang Fu
-
Publication number: 20250193661
Abstract: Embodiments include methods for a client (e.g., EEC) of an edge data network. Such methods include, during or after authentication and/or authorization of the client by a first server (e.g., ECS) of the edge data network, receiving from the first server an identifier (UE ID) of a user equipment that hosts the client. Such methods include sending the UE ID to a second server (e.g., EES) of the edge data network, during authentication and/or authorization of the client by the second server. Other embodiments include complementary methods for the first and second servers, as well as clients (or UEs hosting same) and servers configured to perform such methods.
Type: Application
Filed: May 12, 2023
Publication date: June 12, 2025
Inventors: Ferhat Karakoc, Wenliang Xu
-
Publication number: 20250150823
Abstract: Embodiments include methods performed by a user equipment (UE) configured with a client for an edge data network. Such methods include sending, to a server in the edge data network, a first message that includes one of the following contents: at least one pre-shared key (PSK) identity hint that is supported by the UE and the UE's home public land mobile network (HPLMN), and one or more security key identifiers corresponding to respective one or more of a plurality of authentication procedures supported by at least the HPLMN; an indication of the UE's HPLMN; all valid PSK identity hints, and the one or more security key identifiers; or all valid PSK identity hints, and the indication of the HPLMN. Such methods also include receiving from the server a second message that includes one of the following contents: all valid PSK identity hints; or a PSK identity hint that is supported by at least the UE's HPLMN.
Type: Application
Filed: February 3, 2023
Publication date: May 8, 2025
Inventors: David Castellanos Zamora, Vlasios Tsiatsis, Cheng Wang, Monica Wifvesson, Ferhat Karakoc
-
Publication number: 20250150462
Abstract: According to a first aspect there is a method performed by a detector node in a communications network, wherein the detector node is for monitoring messages sent between a first client node, a second client node and a Federated Learning, FL, server, as part of a FL process wherein, as part of the FL process, the first client node sends a local model update to the second client node for forwarding to the FL server. The method comprising: receiving first information relating to the local model update sent from the first client node to the second client node; receiving second information relating to the local model update as received or forwarded by the second client node; and comparing the first information to the second information to determine whether the second client node correctly received or forwarded the first information relating to the local model.
Type: Application
Filed: December 23, 2022
Publication date: May 8, 2025
Inventors: Ferhat Karakoc, Elif Ustundag Soykan, Leyli Karacay, Pinar Comak De Cnudde, Ramin Fuladi, Utku Gülen
-
Publication number: 20250133397
Abstract: Systems and methods for Generic Bootstrapping Authentication (GBA) are disclosed herein. A method performed by a User Equipment (UE) for GBA may include: communicating, at a GBA application, with a network node to run a GBA procedure during which the GBA application obtains a key, Ks, and a Bootstrapping Transaction Identifier (B-TID); providing to the GBA application, at an application, an application key request, the request including a Network Application Function (NAF) identifier; at the GBA application: verifying that the application is entitled to use a NAF corresponding to the NAF identifier; and responsive to successful verification: deriving the application key for the application based on the key, Ks, the NAF identifier, and an additional parameter generated by the GBA application or an application identifier; and sending a response to the application; and receiving, at the application, the response from the GBA application.
Type: Application
Filed: September 19, 2022
Publication date: April 24, 2025
Inventors: Cheng Wang, David CASTELLANOS ZAMORA, Ferhat Karakoc, Vlasios Tsiatsis
-
Publication number: 20250119296
Abstract: Embodiments described herein provide methods and apparatuses for performing federated learning, FL.
Type: Application
Filed: July 11, 2022
Publication date: April 10, 2025
Inventors: Elif Ustundag Soykan, Ferhat Karakoc, Leyli Karacay, Pinar Comak, Ramin Fuladi, Utku Gülen
-
Publication number: 20250047659
Abstract: Embodiments of the present disclosure include methods for a client in an edge data network. Such methods include obtaining an initial access credential before accessing the edge data network. The initial access credential includes or is based on one or more of the following: an indication that the client is a legitimate client, and a client type associated with the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS); authenticating the server via the first connection based on a server certificate; and providing the initial access credential to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods for a server and for a credential provider, as well as UEs, network nodes, and/or computing systems configured to perform such methods.
Type: Application
Filed: October 28, 2022
Publication date: February 6, 2025
Inventors: Christine Jost, Cheng Wang, Ferhat Karakoc, Vlasios Tsiatsis, Wenliang Xu
-
Publication number: 20240380744
Abstract: Embodiments include methods for a data consumer network function (NF) of a communication network. These methods include sending, to a network repository function (NRF) of the communication network, a request for an access token for the following: a service provided by a data collection coordination function (DCCF) of the communication network, and data to be collected via the DCCF service. These methods include receiving from the NRF at least one access token for the DCCF service and for the data to be collected via the DCCF service and, using the at least one access token, collecting the data from a data producer NF of the communication network via the DCCF service. Other embodiments include complementary methods for DCCFs and NRFs, as well as data consumer NFs, DCCFs, and NRFs configured to perform such methods.
Type: Application
Filed: May 2, 2022
Publication date: November 14, 2024
Inventors: Pinar Comak, Ferhat Karakoc, Christine Jost, Zhang Fu, Ulf Mattsson
-
Publication number: 20240357355
Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA, AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID, KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.
Type: Application
Filed: August 9, 2022
Publication date: October 24, 2024
Inventors: Ferhat Karakoc, Cheng Wang, David CASTELLANOS ZAMORA, Vlasios Tsiatsis
-
Publication number: 20240292225
Abstract: A method performed by a first network function is provided. The method comprises receiving a request for Non-Access Stratum (NAS) traffic information. The request was transmitted by a second network function. The method further comprises after receiving the request, sending towards the second network function a report comprising: i) a NAS message type identifier identifying a type of NAS message and information indicating a number of received NAS messages of the identified type and/or ii) user equipment (UE) type information indicating a type of UE and information indicating a number of NAS messages transmitted by UEs of the indicated type.
Type: Application
Filed: September 8, 2022
Publication date: August 29, 2024
Applicant: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Zhang FU, Pinar COMAK, Ferhat KARAKOC
-
Publication number: 20240284181
Abstract: The invention relates to a method for operating a mobile entity in a cellular network, the method comprising: - receiving an identity request from a requesting entity, the identity request requesting a permanent, non-temporary identity of the mobile entity, by which the mobile entity is uniquely identified in the cellular network, - transmitting, in response to the identity request, a response to the requesting entity, the response including the permanent, non-temporary identity of the mobile entity, - transmitting, in response to the identity request, a verification request requesting a verification of the identity request to a verification entity of the cellular network.
Type: Application
Filed: November 23, 2021
Publication date: August 22, 2024
Inventors: Ferhat Karakoc, Ayse Bilge Ince, Elif Ustundag Soykan, Emrah Tomur, Leyli Karacay
-
Publication number: 20240276217
Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.
Type: Application
Filed: April 8, 2022
Publication date: August 15, 2024
Inventors: Cheng Wang, Ferhat Karakoc, Christine Jost, Vlasios Tsiatsis, David CASTELLANOS ZAMORA, Wenliang Xu
-
Publication number: 20240244434
Abstract: A data collection coordination function, DCCF, network node receives (1a) a request for data from a data consumer, determines (2) a data source for the requested data, verifies (3a, 3b) with a network node that the data consumer and the DCCF are authorized by the data source, receives (3b) a message container for the data consumer from the network node, the message container for the data consumer including a data encryption key KE and a data integrity key Ki, and receives (3b) a message container for the data source from the network node, the message container for the data source including the data encryption key KE and the data integrity key Ki. The DCCF network node transmits (4a) the message container for the data consumer to the data consumer and transmits (5) the message container for the data source to the data source.
Type: Application
Filed: March 15, 2022
Publication date: July 18, 2024
Inventors: Pinar Comak, Christine Jost, Ferhat Karakoc, Stefan Håkansson, Ulf Mattsson, Zhang Fu
-
Publication number: 20240236676
Abstract: Embodiments include methods performed by a client in an edge data network. Such methods include obtaining an initial access token before accessing the edge data network. The initial access token is based on an identifier of the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS) and authenticating the server based on a server certificate received from the server via the first connection. Such methods include providing the initial access token to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods performed by a server in an edge data network, as well as apparatus (e.g., user equipment and servers) configured to perform such methods.
Type: Application
Filed: February 16, 2022
Publication date: July 11, 2024
Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
-
Publication number: 20240163672
Abstract: The invention relates to a method for a data consumer network function, NF, of a communication network to collect data from a data producer NF, the method comprising: - sending (810), to a network repository function, NRF, in the communication network, a request for an access token for a service provided by a data collection coordination function, DCCF, in the communication network; - receiving (820), from the NRF, at least one access token for the service provided by the DCCF; and - using (830) the at least one access token, collecting data from the data producer NF in the communication network via the DCCF service.
Type: Application
Filed: December 21, 2021
Publication date: May 16, 2024
Inventors: Pinar Comak, Christine Jost, Ferhat Karakoc, Ulf Mattsson, Zhang Fu
-
Publication number: 20240137765
Abstract: Embodiments include methods performed by a client in an edge data network. Such methods include obtaining an initial access token before accessing the edge data network. The initial access token is based on an identifier of the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS) and authenticating the server based on a server certificate received from the server via the first connection. Such methods include providing the initial access token to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods performed by a server in an edge data network, as well as apparatus (e.g., user equipment and servers) configured to perform such methods.
Type: Application
Filed: February 16, 2022
Publication date: April 25, 2024
Inventors: Christine Jost, Ferhat Karakoc, Stefan Håkansson
-
Publication number: 20240064510
Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session based on the response.
Type: Application
Filed: December 15, 2021
Publication date: February 22, 2024
Inventors: Ferhat Karakoc, Christine Jost, Cheng Wang, Vesa Lehtovirta, Vlasios Tsiatsis
-
Publication number: 20230412589
Abstract: A method comprises receiving an access token request from a first network entity for granting access to a network function, NF, service producer. The method further comprises determining whether an access token can be granted for the first network entity. Responsive to determining that the access token can be granted, the method further comprises generating the access token that includes an identifier of a NF consumer associated with the first network entity and an identifier of each network entity in a communication path between the first network entity and the NF service producer and transmitting the access token towards the first network entity.
Type: Application
Filed: March 16, 2021
Publication date: December 21, 2023
Inventors: Christine Jost, Ferhat Karakoc