Abstract: Methods of operating a user equipment (UE) in a mobile communication network are disclosed. An authentication process start message may be transmitted from the UE to the mobile communication network, wherein the authentication process start message includes an identifier for the UE. After transmitting the authentication process start message from the UE, a request commit message may be received from the mobile communication network. Responsive to receiving the request commit message, a response commit message may be transmitted to the mobile communication network. After transmitting the response commit message, an authentication challenge message may be received corresponding to the authentication process start message. Related methods of operating network nodes are also discussed.

Abstract: Embodiments include methods performed by a computing device to obtain trusted computing services (TCS) from service providers (SPs). Such methods include querying one or more remote service databases for one or more TCS required by a user of the computing device or by an application executing on the computing device. The query for each required TCS includes identification of software required to provide the required TCS, and one or more indicia of trust for any computing platform that provides the required TCS. Such methods include receiving, from the remote service databases, information related to one or more available TCS and corresponding SPs of the available TCS and, based on the received information, selecting one of the available TCS and establishing a connection with the SP corresponding to the selected TCS. Embodiments include complementary methods performed by SPs and remote service databases, as well as apparatus configured to perform such methods.

Abstract: A method performed by an orchestrator. The method comprises receiving signaling that requests the orchestrator to orchestrate a service and that indicates a trusted computing policy with which a resource must prove compliance in order for the service to be orchestrated with that resource. The method further comprises sending a response that indicates whether or not the orchestrator has orchestrated the service according to the received signaling.

Abstract: A method for a serving network to selectively employ perfect forward security (PFS) based on an indication from a home network is described. The method includes receiving, by the serving network, a PFS indicator from the home network; determining, by the serving network, whether the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with a piece of user equipment; and performing, by the serving network, a PFS procedure with the piece of user equipment in response to determining that the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with the piece of user equipment.

Abstract: A communication device of a communication network receives, via a network, a challenge, generates a first Diffie Hellman, DH, parameter, a first verification code for the first DH parameter, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first DH parameter is authentic, and if the first DH parameter is authentic, generates and sends a second DH parameter to the network device for session key generation based on the first DH parameter and the second DH parameter.

Abstract: A computing device is disclosed. The computing device comprises processing circuitry that is configured to expose (110) a resource that is hosted at the computing device, wherein the resource comprises a digital interface for a physical entity to which the resource corresponds, and expose (120) information about a relation between a state of the resource and a state of the physical entity to which the resource corresponds. Also disclosed is a network node, the network node comprising processing circuitry that is configured to discover a resource that is hosted at the computing device, and to discover information about a relation between a state of the resource and a state of the physical entity to which the resource corresponds. The processing circuitry is further configured to prepare an action relating to the physical entity corresponding to the resource on the basis of a current state of the resource and the information, and to initiate execution of the prepared action.

Abstract: Methods may be provided to transmit encrypted data from a communication device to a remote storage system. A data value and information related to the data value may be provided, where the information related to the data value includes an identifier associated with the communication device and a time-value associated with the data value. A combination of the time-value and the identifier may be encrypted using a public key to provide a first encrypted value. The data value may be encrypted using the public key to provide a second encrypted value, and a hidden datum package may be generated including the time-value, the first encrypted value, and the second encrypted value. The hidden datum package including the time-value, the first encrypted value, and the second encrypted value may be transmitted to the remote storage system.

Abstract: A method in a user equipment for attaching the user equipment to a mobile communications network comprises receiving a list of network slice identities, wherein a network slice identity identifies a portion of the mobile communications network that serves as a logical network to a set of user equipment (step 201). A network slice is selected based on one or more criteria (step 203). A network slice attachment request is sent to a network node (step 205), for requesting attachment of the user equipment to the selected network slice of the mobile communications network.

Abstract: Methods of operating a user equipment (UE) in a mobile communication network are disclosed. An authentication process start message may be transmitted from the UE to the mobile communication network, wherein the authentication process start message includes an identifier for the UE. After transmitting the authentication process start message from the UE, a request commit message may be received from the mobile communication network. Responsive to receiving the request commit message, a response commit message may be transmitted to the mobile communication network. After transmitting the response commit message, an authentication challenge message may be received corresponding to the authentication process start message. Related methods of operating network nodes are also discussed.

Abstract: Systems and methods for increasing the value of trash. By increasing the value of trash, persons have an incentive to collect litter and deposit the collected litter at an appropriate trash collection site (e.g., garbage can, reverse vending machine, recycling center, etc.). In one aspect, a financial instrument (e.g., a Bitcoin, Bitcoin-like value, account identifier, or any other financial instrument) or a pointer to a financial instrument is attached to the object itself or placed inside of the object in a way that is not easily extracted before appropriate time.

Abstract: Disclosed is a method in an operator authentication server for authentication of a communication device associated with a communication device manager. The communication device manager being associated with a plurality of communication devices, wherein the operator authentication server has transmitted group subscriber identity module (SIM) information to the communication device manager, wherein the group SIM information is associated with an international mobile subscriber identity (IMSI) number and a shared secret K. The method comprises receiving from the communication device a request for authentication comprising a sub identifier associated with the communication device; determining whether the sub identifier is known.

Abstract: A method (300) for registering with a serving network (104). The method is performed by a UE (102). The method includes the UE transmitting (s302) to the serving network (104) a message (212) indicating a UE capability that is relevant for a home network (106), wherein the 5 serving network (104) is configured to send to the home network (106) a message (216) indicating the UE capability.

Abstract: Methods for provisioning a service in a first network and providing the service by an entity in a second network are disclosed. The methods comprising maintaining in a software repository in the first network, one or more software images (I1, I2, . . . Ii) of corresponding one or more services and where each service is identified by a service identifier (Si) and storing configuration information related to the one or more services in a database repository of the first network. The method of providing the service in the second network further comprises receiving and storing one or more software images (I1, I2, . . . ) for one or more services of the first network and where each service is identified by a service identifier (Si) and upon detecting a trigger indicating a request for a service of the one or more services, instantiating the software image of the service in the serving network.

Abstract: Using an authentication server to program network elements, such as a network node, in accordance with software-defined networking techniques in order to establish a traffic flow rule for a communication device or user of the communication device. After successfully authenticating a communication device or user, the authentication server and/or network node may use an identifier received at the authentication server in connection with the authentication procedure in order to obtain a traffic flow rule for the communication device. The traffic flow rule may be established at the network node or forwarded to a second network node configured to receive network packets from the communication device. The first identifier may be any one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the communication device.

Abstract: Methods and systems for optimizing Network Function (NF) service authorization are presented. According to one aspect, a method implemented in an NF consumer comprises: sending, to an authorization server, an authorization request for a procedure that involves a plurality of NF services; and receiving, from the authorization server, an authorization response for the procedure, the authorization response including information authorizing access to the plurality of NF services. In some embodiments, the NF consumer may comprise an Access and Mobility Management Function (AMF). In some embodiments, the authorization server may comprise a Network Repository Function (NRF). In some embodiments, the authorization response may include one or more access tokens.

Abstract: Systems and methods that are particularly well-suited for service-based core network endpoint authentication are disclosed. In some embodiments, a method of operation of a network node implementing a second network function in a core network of a cellular communications system comprises receiving, at a main service of the second network function, a request from a first network function for a desired service via Hypertext Transfer Protocol/Representational State Transfer (HTTP/REST) signaling. The request comprises information that identifies one or more delegate endpoints of the first network function that expose one or more delegate services, respectively, of the first network function for providing the desired service using one or more different communication styles. The method further comprises initiating the desired service using a selected delegate endpoint from the one or more delegate endpoints identified by the information comprised in the request.

Abstract: A critical application system includes a wireless device, an application and a network device. The network device is configured to: receive a command from the at least one wireless device through a first application protocol interface; monitor the connection to the at least one wireless device; determine whether a change in connectivity through the connection occurs, and if so, send information regarding the change in connectivity to the application device through a second application protocol interface. The application device controller is configured to: receive information regarding a change in connectivity to at least one of the at least one wireless device through the second application protocol interface, and determine an action to take; and send a command to at least one of the at least one wireless device through a third application protocol interface, where the controller is configured to: receive the command and execute the associated action.

Abstract: A communication device for communication with a network device during EAP-AKA?. The communication device is operative to receive a first Perfect Forward Secrecy, PFS, parameter value and at least one attribute value indicating a choice of a Diffie-Hellman group from the network device. The communication device is also operative to receive a cipher key, CK, and an integrity key, IK. Generate a modified cipher key, CK?, and a modified integrity key, IK? based on CK, IK and an access network identity. Operations include calculating a second PFS parameter value. Send the second PFS parameter value to the network device. Calculate a third PFS parameter value. Derive, using a Pseudo-random function, a key based on the third PFS parameter value, CK?, IK? and an identity associated with the communication device. A network device, methods, further communication devices, a server, computer programs and a computer program product are also disclosed.

Abstract: A method of re-establishing a connection between a LWM2M client and an LWM2M server following a reconnection of the LWM2M client to the LWM2M server includes determining, at the LWM2M client, a state of the LWM2M client device prior to reconnection of the LWM2M client, transmitting, to the LWM2M server, an indication of the state of the LWM2M client prior to reconnection of the LWM2M client, and receiving a response from the LWM2M server indicating whether the indicated state of the LWM2M client is an expected state or an unexpected state of the LWM2M client.

Abstract: Methods for provisioning a service in a first network and providing the service by an entity in a second network are disclosed. The methods comprising maintaining in a software repository in the first network, one or more software images (I1, I2, . . . I1) of corresponding one or more services and where each service is identified by a service identifier (Si) and storing configuration information related to the one or more services in a database repository of the first network. The method of providing the service in the second network further comprises receiving and storing one or more software images (I1, I2, . . . ) for one or more services of the first network and where each service is identified by a service identifier (Si) and upon detecting a trigger indicating a request for a service of the one or more services, instantiating the software image of the service in the serving network.