Abstract: A method for handling digital certificates in a communication network is described. The communication network comprises a first certificate authority (110-116) having issued at least one digital certificate. The method comprises determining (216) whether a revocation condition for revoking the at least one digital certificate is fulfilled. The at least one digital certificate has been issued by the first certificate authority, wherein the at least one digital certificate is valid and is not revoked. The method further comprises, based on a result of the step of determining (216), revoking (404), by the first certificate authority (110-116), the at least one digital certificate, and based on the result of the step of determining (216), issuing, by a second certificate authority (110-116), at least one further digital certificate for the revoked at least one digital certificate. An associated system, methods in involved network entities, the involved network entities, and computer programs are also described.

Abstract: A method for amending, by a rule engine, a network element in a telecommunications network containing network elements each described by at least one parameter. An authorization database contains information for who and what extent configuring operators have access to the network elements, and a rule repository containing parameter dependent rules describing which activity is carried out for the network elements, and parameter dependent security information describing whether and how configuring operators are supervised by a security administrator when amending and how the authorization database is amended for a network element. A request for amending the network element in the network is identified and its parameter is determined. A rule is determined in the rule repository for which the parameter corresponds to the parameter of the amended network element and the security information for the determined rule is determined. The authorization database is updated using the security information.

Abstract: System, methods, nodes, and computer program for handling performance monitoring data in a communication network are described. The communication network (100) comprises a plurality of network nodes (102). The performance monitoring data are generated by a network node (102). The performance monitoring data are a stream of data characterizing the performance of the network node (102). The method comprises determining, by the network node (102), whether an encryption condition for encrypting the performance monitoring data is fulfilled. The method further comprises based on the result of determining, encrypting, by the network node (102), the performance monitoring data. The method further comprises subsequent to the encrypting, sending, by the network node (102), the encrypted performance monitoring data to a performance monitoring data collector (112).

Abstract: This disclosure provides a method, a Back-end-server (102, 400, 506) and a system (500) for protection of location information of a UE. The Back-end-server can receive (104, 202, 302) a request message from an operator interface (504) requesting location information of the UE. Based on probability criteria or blocking factors, it is determined (110, 208, 306-310) whether location information may be transferred to the operator interface. One advantage is that a quantitative security for the privacy of subscribers is provided, with which the privacy of the subscribers is not disclosed.

Abstract: System, methods, nodes, and computer program for handling performance monitoring data in a communication network are described. The communication network (100) comprises a plurality of network nodes (102). The performance monitoring data are generated by a network node (102). The performance monitoring data are a stream of data characterizing the performance of the network node (102). The method comprises determining, by the network node (102), whether an encryption condition for encrypting the performance monitoring data is fulfilled. The method further comprises based on the result of determining, encrypting, by the network node (102), the performance monitoring data. The method further comprises subsequent to the encrypting, sending, by the network node (102), the encrypted performance monitoring data to a performance monitoring data collector (112).

Abstract: The invention relates to a communication device (1) comprising a processor configured to create a client handshake message in order to negotiate security settings for a network connection between the device and a network node (2) of the telecommunication network using a transport layer security protocol. The client handshake message comprises a first encryption algorithm indicator indicative of a first encryption algorithm proposed by the communication device for communication from the communication device (1) to the network node (2), and a second encryption algorithm indicator indicative of a second encryption algorithm proposed by the communication device for communication from the network node to the communication device (1). Only one of the first and second encryption algorithm indicator indicates that communication is non-encrypted while the other of the first and second encryption algorithm indicator is indicating that communication is encrypted. This enables e.g.

Abstract: A method for handling digital certificates in a communication network is described. The communication network comprises a first certificate authority (110-116) having issued at least one digital certificate. The method comprises determining (216) whether a revocation condition for revoking the at least one digital certificate is fulfilled. The at least one digital certificate has been issued by the first certificate authority, wherein the at least one digital certificate is valid and is not revoked. The method further comprises, based on a result of the step of determining (216), revoking (404), by the first certificate authority (110-116), the at least one digital certificate, and based on the result of the step of determining (216), issuing, by a second certificate authority (110-116), at least one further digital certificate for the revoked at least one digital certificate. An associated system, methods in involved network entities, the involved network entities, and computer programs are also described.

Abstract: The invention relates to a communication device (1) comprising a processor configured to create a client handshake message in order to negotiate security settings for a network connection between the device and a network node (2) of the telecommunication network using a transport layer security protocol. The client handshake message comprises a first encryption algorithm indicator indicative of a first encryption algorithm proposed by the communication device for communication from the communication device (1) to the network node (2), and a second encryption algorithm indicator indicative of a second encryption algorithm proposed by the communication device for communication from the network node to the communication device (1). Only one of the first and second encryption algorithm indicator indicates that communication is non-encrypted while the other of the first and second encryption algorithm indicator is indicating that communication is encrypted. This enables e.g.

Abstract: A method for amending, by a rule engine, a network element in a telecommunications network containing network elements each described by at least one parameter. An authorization database contains information for who and what extent configuring operators have access to the network elements, and a rule repository containing parameter dependent rules describing which activity is carried out for the network elements, and parameter dependent security information describing whether and how configuring operators are supervised by a security administrator when amending and how the authorization database is amended for a network element. A request for amending the network element in the network is identified and its parameter is determined. A rule is determined in the rule repository for which the parameter corresponds to the parameter of the amended network element and the security information for the determined rule is determined. The authorization database is updated using the security information.

Abstract: This disclosure provides a method, a Back-end-server (102, 400, 506) and a system (500) for protection of location information of a UE. The Back-end-server can receive (104, 202, 302) a request message from an operator interface (504) requesting location information of the UE. Based on probability criteria or blocking factors, it is determined (110, 208, 306-310) whether location information may be transferred to the operator interface. One advantage is that a quantitative security for the privacy of subscribers is provided, with which the privacy of the subscribers is not disclosed.

Abstract: There is provided a method of operating a telecommunications network management system. The management system comprises an authorisation service defining authorisations of client applications that each user of the management system is permitted to execute. The telecommunications network comprises managed resources in the form of network elements, which are targets of the management system to which the authorised client applications relate. The method comprises: making a change involving a change to one or more authorisations; generating an unsolicited notification of the authorisation change; and propagating the unsolicited notification to the authorised client applications in real time.