Patents by Inventor Monica Wifvesson

Monica Wifvesson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11974122
    Abstract: Network equipment (16A) is configured for use in a wireless communication network. The network equipment (16A) is configured to detect one or more conditions under which non-access stratum (NAS) keys (26A) that protect NAS communication between the network equipment (16A) and a wireless device (12) are to be refreshed. Responsive to detecting the one or more conditions, the network equipment (16A) is configured to derive, from a base key (24A) on which the NAS keys (26A) were derived, a new base key (24B) on which fresh NAS keys (26B) are to be derived. The network equipment (16A) is also configured to activate the new base key (24B).
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: April 30, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Monica Wifvesson
  • Publication number: 20240129731
    Abstract: A core network node (16) is configured for use in a wireless communication network (10). The core network node (16) receives a registration request (14) that requests registration of a wireless device (12) with the wireless communication network (10). The core network node (16) protects a security context (20) shared between the wireless device (12) and the core network node (16), e.g., including encrypting the security context (20). The core network node (16) transmits, to a radio network node (23) in the wireless communication network (10), signaling (24) that includes the registration request (14) and the protected security context (20P). In some embodiments, the signaling (24) indicates the registration request (14) and the protected security context (20P) are to be re-routed to a target core network node (18) in the wireless communication network (10).
    Type: Application
    Filed: February 22, 2022
    Publication date: April 18, 2024
    Inventors: Vlasios Tsiatsis, Monica Wifvesson
  • Patent number: 11963000
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: February 10, 2023
    Date of Patent: April 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Publication number: 20240080650
    Abstract: A method of operating a wireless device is provided. The method comprises transmitting (1002), to a network function within a home network of the wireless device, a key request to obtain a discovery key for network relay discovery within a visited network in which the wireless device is roaming, receiving (1004), from the network function within the home network of the wireless device, a key response including the discovery key for network relay discovery within the visited network, and securing (1006) communications with a network relay in the visited network using the discovery key.
    Type: Application
    Filed: December 16, 2021
    Publication date: March 7, 2024
    Inventors: Monica Wifvesson, Zhang Fu
  • Publication number: 20240080340
    Abstract: The present disclosure provides a security mechanism to mitigate the risk of trackability of a D2D device engaged in groupcast communication. The security mechanism relies on the introduction of new parameters provisioned to the UE to facilitate the privacy protection of destination L2 identifiers used during group communication. The new parameters allow the UE to change the destination L2 Identifier so that an eavesdropper on the PC5 interface can no longer link several broadcast messages originating from the source UE and pertaining to a specific group.
    Type: Application
    Filed: October 5, 2020
    Publication date: March 7, 2024
    Inventors: Noamen Ben Henda, Markus Hanhisalo, Monica Wifvesson, Yazid Lyazidi, Shabnam Sultana
  • Patent number: 11924630
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: March 5, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Publication number: 20240073686
    Abstract: A method may be provided at a wireless terminal to support communications with a network node of a wireless communication network. An IKE SA may be initiated to establish a NAS connection between the wireless terminal and the network node through a non-3GPP access network and a non-3GPP interworking function network node. After initiating the IKE SA, an IKE authorization request may be transmitted through the non-3GPP access network to the N3IWF network node, with the IKE authorization request including an identifier of the wireless terminal. An access network key may be derived for the NAS connection through the non-3GPP access network at the wireless terminal, with the access network key being derived based on a NAS count for the wireless terminal and an anchor key. An IKE authorization response corresponding to the IKE authorization request may be received.
    Type: Application
    Filed: November 7, 2023
    Publication date: February 29, 2024
    Inventors: Noamen BEN HENDA, Vesa LEHTOVIRTA, Mikael WASS, Monica WIFVESSON
  • Publication number: 20240073683
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Application
    Filed: November 3, 2023
    Publication date: February 29, 2024
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Patent number: 11917073
    Abstract: A message authentication code, for a message transmitted and received over a communications network, is formed by applying inputs to an integrity algorithm acting on the message. The inputs comprise: an integrity key; a value indicating a transfer direction; and a frame-dependent integrity input, wherein the frame-dependent integrity input is a frame-dependent modulo count value that also depends on a random value and on a frame-specific sequence number.
    Type: Grant
    Filed: March 29, 2022
    Date of Patent: February 27, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Noamen Ben Henda, Qian Chen, Vesa Lehtovirta, Mats Näslund, Karl Norrman, Gang Ren, Mikael Wass, Monica Wifvesson
  • Patent number: 11917412
    Abstract: A UE having a security context with an Initial AMF is able to accept an unprotected AUTHRQ, under certain circumstances, for a limited time. In one embodiment, a UE considers the security context to be temporary, which invokes rules or exceptions different than a permanent security context, such as the acceptance of an unprotected AUTHRQ from a Target AMF. The network may indicate to the UE the temporary status, or the UE may assume it. Alternatively, the UE may enable exceptions to the defined rules associated with the security context. In one embodiment, the UE receives a plurality of partial registration acceptance messages, each indicating a specific task or aspect of the overall registration has been completed. The UE may mark its security context temporary, or enable exceptions to the rules associated with it, until a partial registration acceptance message indicates AMF re-allocation is complete or is not required.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: February 27, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vlasios Tsiatsis, Qian Chen, Noamen Ben Henda, Ivo Sedlacek, Monica Wifvesson
  • Publication number: 20240064509
    Abstract: A method performed by a wireless device is provided. The method comprises identifying that an Access and Mobility Management Function (AMF) relocation procedure with re-route via a Radio Access Network (RAN) node is being performed for the wireless device and generating a key associated with a primary authentication of the wireless device. The method further comprises using the key for performing a Non Access Stratum Security Mode Control (NAS SMC) procedure with a first network node operating as a target AMF, and wherein the use of the key by the wireless node is restricted such that the wireless device is restricted from using the key for at least one procedure other than the NAS SMC procedure with the first network node operating as the target AMF.
    Type: Application
    Filed: December 20, 2021
    Publication date: February 22, 2024
    Inventors: Prajwol Kumar Nakarmi, Vlasios Tsiatsis, Monica Wifvesson
  • Publication number: 20240031814
    Abstract: There is provided a method performed by a network unit, and a corresponding network unit as well as a corresponding wireless communication device, for supporting interworking and/or idle mode mobility between different wireless communication systems, including a higher generation wireless system and a lower generation wireless system, to enable secure communication with the wireless communication device. The method comprises selecting, in connection with a registration procedure and/or a security context activation procedure of the wireless communication device with the higher generation wireless system, at least one security algorithm of the lower generation wireless system, also referred to as lower generation security algorithm(s). The method also comprises sending a control message including information on the selected lower generation security algorithm(s) to the wireless communication device.
    Type: Application
    Filed: October 3, 2023
    Publication date: January 25, 2024
    Inventors: Noamen BEN HENDA, Monica WIFVESSON
  • Publication number: 20240015607
    Abstract: A method of operating a radio access network, RAN, node of a wireless communication system, includes preparing, at the RAN node, a handover request to hand over a user equipment, UE, to a target node. The handover request includes a user plane integrity protection, UP IP, policy associated with the UE. The method further includes transmitting the handover request to the target node.
    Type: Application
    Filed: October 27, 2021
    Publication date: January 11, 2024
    Inventors: Monica WIFVESSON, Magnus STATTIN, Lian ARAUJO
  • Publication number: 20230422104
    Abstract: A method performed by a target network node for interworking handover from an evolved packet system, EPS, to a fifth generation system, 5GS, in a mobile network is provided. The method includes receiving, from a source network node, a determined user plane, UP, encryption policy. The method further includes providing the determined UP encryption policy to a target radio access network node. Corresponding embodiments for methods performed by a source network node and a first target network node are also provided.
    Type: Application
    Filed: November 15, 2021
    Publication date: December 28, 2023
    Inventors: Monica WIFVESSON, Vlasios TSIATSIS, Vesa LEHTOVIRTA, Mikael WASS
  • Patent number: 11849319
    Abstract: A method may be provided at a wireless terminal to support communications with a network node of a wireless communication network. An IKE SA may be initiated to establish a NAS connection between the wireless terminal and the network node through a non-3GPP access network and a non-3GPP interworking function network node. After initiating the IKE SA, an IKE authorization request may be transmitted through the non-3GPP access network to the N3IWF network node, with the IKE authorization request including an identifier of the wireless terminal. An access network key may be derived for the NAS connection through the non-3GPP access network at the wireless terminal, with the access network key being derived based on a NAS count for the wireless terminal and an anchor key. An IKE authorization response corresponding to the IKE authorization request may be received.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: December 19, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Vesa Lehtovirta, Mikael Wass, Monica Wifvesson
  • Patent number: 11849389
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Grant
    Filed: February 14, 2023
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Patent number: 11849316
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Publication number: 20230403554
    Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
    Type: Application
    Filed: August 29, 2023
    Publication date: December 14, 2023
    Inventors: Noamen Ben Henda, David Castellanos ZAMORA, Monica Wifvesson, Vesa Lehtovirta
  • Publication number: 20230397007
    Abstract: A communication device establishes a secure connection in a wireless communication network. The communication device communicates a request to use a communication service provided by the wireless communication network, the request including an indication that the communication device can support the requested communication service and an Authentication and Key Management for Applications (AKMA) service provided by the wireless communication network. Responsive to communicating the request, the communication device receives a communication comprising information that indicates whether the requested communication service and the AKMA service can be provided to the communication device to establish the secure connection in the wireless communication network.
    Type: Application
    Filed: August 18, 2021
    Publication date: December 7, 2023
    Inventors: Monica Wifvesson, Vlasios Tsiatsis, John Mattsson
  • Publication number: 20230397000
    Abstract: A remote communication device can receive a discovery key; receive a communication key and a key identifier, ID, for the communication key; and discover a relay communication device. Discovering the relay communication device can include receiving an encrypted discovery message from the relay communication device and decrypting the encrypted discovery message using the discovery key. The remote communication device can further transmit a direct communication request to the relay communication device responsive to receiving and decrypting the encrypted discovery message from the relay communication device. The direct communication request can include the key ID for the communication key. The remote communication device can further receive an encrypted direct communication response from the relay communication device. Receiving the encrypted direct communication response can include decrypting the encrypted direct communication response.
    Type: Application
    Filed: October 26, 2021
    Publication date: December 7, 2023
    Inventors: Monica WIFVESSON, Zhang FU, Vesa LEHTOVIRTA