Abstract: There is provided an apparatus, method and computer program for causing a first apparatus to: obtain an identifier of a cryptographic key according to a first security communication protocol; signal, to a second apparatus, a first authentication request according to a second security communication protocol, the first authentication request comprising the identifier of the cryptographic key and a first verifying information according to a second security communication protocol, wherein the first verifying information comprises a first value calculated using the cryptographic key; receive, from the second apparatus, an authentication response according to the second security communication protocol, the authentication response comprising a second verifying information according to the second security communication protocol, wherein the second verifying information comprises a second value; and verify the second apparatus for the second security communication protocol using the second value and the cryptographic

Abstract: Method comprising: monitoring whether a network receives an authorization request for establishing a session of an AF with a UE, wherein the authorization request comprises a permanent identifier of the AF, a received temporary identifier of the AF, and a temporary identifier of a UE; if the authorization request is received: forming a key identifier based on the temporary identifier of the UE; retrieving, based on the key identifier, a stored key and a first permanent identifier of the UE; calculating a calculated temporary identifier of the AF based on the permanent identifier of the AF and the stored key; checking whether the calculated temporary identifier of the AF is identical with the received temporary identifier of the AF; inhibiting authorizing the AF for the establishing the session with the UE if the calculated temporary identifier of the AF is not identical with the received temporary identifier of the AF.

Abstract: A method is disclosed comprising: establishing an encrypted session with an application function based on a certificate; receiving a request for an application key from the application function using the encrypted session, wherein the request comprises a key identifier relating to a user device and an application function identifier; determining at least one response to the request for the application key from a set of possible responses, the set comprising at least a rejection and a message comprising the application key and a user device identifier; and transmitting the at least one response to the request for the application key to the application function. Furthermore, related methods, apparatuses, computer programs and systems are disclosed.

Abstract: According to an example aspect of the present invention, there is provided an apparatus, such as a user equipment, configured to transmit to a cellular core network a request to open a protocol session to an external network which is external to the cellular core network, the request being configured to cause the cellular core network to transmit to the external network, or to receive from the external network, a code associated with a subscription of the apparatus, forward at least one authentication request originating in the external network to a node connected with the apparatus, via a local connection, and forward at least one authentication response from the node to the external network via the cellular core network, and relay packets comprised in the protocol session between the node and the external network without participating in the protocol session as an endpoint.

Abstract: Techniques for facilitating onboarding to a non-public network is provided. Provisioning parameters may be provided to User Equipment (UE) from a Default Credential Server (DCS) via a secure communication tunnel. Additionally or alternatively, provisioning parameter container(s) including readable provisioning parameters for an Onboarding Network (ONN), and secure provisioning parameters for the UE, may be transmitted to the UE via the ONN. The disclosed methods and apparatuses enable the UE to onboard to a non-public network using the provisioning parameters, and to verify the integrity of the provisioning parameters and ensure the provisioning parameters are not modified by an unauthorized device.

Abstract: Techniques are disclosed for security management during an onboarding process for user equipment. For example, from a perspective of an onboarding network, a method comprises authenticating, via the onboarding network, user equipment based on an onboarding record previously configured for the user equipment or a set of user equipment and maintained by the onboarding network. Upon successful authentication, a communication session is established from the onboarding network to a provisioning server for remote provisioning of the user equipment. Advantageously, the onboarding process is performed without a default credential server.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to transmit, by a user equipment, a concealed identifier of the user equipment to an onboarding network, wherein the concealed identifier of the user equipment indicates that the user equipment is requesting unauthenticated access to the onboarding network and execute, by the user equipment, a key generating authentication protocol to access the onboarding network without performing authentication of the user equipment.

Abstract: According to an example aspect of the present invention, there is provided a method, comprising: receiving private mobile network credentials for accessing a private mobile network by a mobile device configured for machine to machine communications, receiving machine to machine service credentials for accessing a machine to machine service by a machine to machine service application of the mobile device, provisioning the private mobile network credentials to a first private mobile network n response to verifying a request for activating or registering the mobile device to the first private mobile network, and provisioning the machine to machine service credentials to a first machine to machine service entity in response to verifying a request for activating or registering the mobile device to the first machine to machine service.