Abstract: A remote communication device can receive a discovery key; receive a communication key and a key identifier, ID, for the communication key; and discover a relay communication device. Discovering the relay communication device can include receiving an encrypted discovery message from the relay communication device and decrypting the encrypted discovery message using the discovery key. The remote communication device can further transmit a direct communication request to the relay communication device responsive to receiving and decrypting the encrypted discovery message from the relay communication device. The direct communication request can include the key ID for the communication key. The remote communication device can further receive an encrypted direct communication response from the relay communication device. Receiving the encrypted direct communication response can include decrypting the encrypted direct communication response.

Abstract: According to certain embodiments, a method by a user equipment (UE) for securing network steering information includes transmitting a registration request to a Visited Public Land Mobile Network (VPLMN). Upon successful authentication b an authentication server function (AUSF), a home network root key is generated. A protected message comprising Network Steering information is received from a first network node. The protected message is protected using a configuration key (Kconf) and a first Message Authentication Code (MAC-1). The configuration key (Kconf) is determined from the home network root key, and the UE verifies the MAC-1. Based on the Kconf and the MAC-1, it is verified that the VPLMN did not alter Network Steering Information. An acknowledgement message, which is protected with a second Message Authentication Code (MAC-2), is transmitted to a Home Public Land Mobile Network (HPLMN).

Abstract: A method performed by a relay UE for determining whether the relay UE may provide a relay service to a remote UE. The method includes the relay UE receiving from the remote UE a first message comprising a first authorization token and a first digital signature for verifying the authenticity of the first authorization token, wherein the first digital signature was generated by a first network function using the first authorization token and a first key, and the first authorization token indicates whether or not the remote UE is authorized to utilize a relay service provided by the relay UE. The method further includes the relay UE verifying the authenticity of the first authorization token.

Abstract: A method of operating a user equipment, UE, (1000) in a wireless communication system is provided. The method includes obtaining (502) a discovery key for discovery of a UE-to-Network relay from a first application function. The method includes using (504) the discovery key for discovery of the UE-to-Network relay over a PC5 interface. A method of operating a user equipment-to- network, UE-to-NW, relay node in a wireless communication system is also provided. The method includes obtaining (702) a discovery key for discovery of a user equipment, UE, from a first application function. The method includes using (704) the discovery key for discovery of the UE over a PC5 interface.

Abstract: Some methods in a wireless communication network may include providing a first authentication key, and deriving a second authentication key based on the first authentication key, with the second authentication key being associated with the wireless terminal. Responsive to deriving the second authentication key, a key response message may be transmitted including the second authentication key and/or an EAP-Finish/Re-auth message. Some other methods in a wireless communication network may include receiving a key response message including a core network mobility management authentication key and an EAP-Finish/Re-auth message. Responsive to receiving the key response message, the network may initiate transmission of an EAP-Finish/Re-auth message and/or a freshness parameter used to derive the core network mobility management authentication key from the wireless communication network to the wireless terminal responsive to the key response message. Related wireless terminal methods are also discussed.

Abstract: A method of operating a user equipment, UE, includes establishing a radio resource control, RRC, connection with a base station, following establishment of the RRC connection, sending an indication of a security capability of the UE to the base station, receiving a non-access stratum, NAS, message, from the base station, wherein the NAS message identifies a selected security algorithm, and generating the access stratum security key to be used with the selected security algorithm.

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: A user equipment (“UE”) can handle registrations of the UE in different wireless communication networks. The UE can obtain information indicating whether a Universal Subscriber Identity Module (“USIM”) of the UE supports storing multiple different Non-Access Stratum (“NAS”) security contexts of the UE associated with the different wireless communication networks. The UE can further determine whether the USIM supports storing the multiple different NAS security contexts of the UE associated with the different wireless communication networks based on the obtained information.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: There is provided a method performed by a network unit, and a corresponding network unit as well as a corresponding wireless communication device, for supporting interworking and/or idle mode mobility between different wireless communication systems, including a higher generation wireless system and a lower generation wireless system, to enable secure communication with the wireless communication device. The method comprises selecting, in connection with a registration procedure and/or a security context activation procedure of the wireless communication device with the higher generation wireless system, at least one security algorithm of the lower generation wireless system, also referred to as lower generation security algorithm(s). The method also comprises sending a control message including information on the selected lower generation security algorithm(s) to the wireless communication device.

Abstract: Methods in a wireless communication network may include providing a first authentication key, and deriving a second authentication key based on the first authentication key, with the second authentication key being associated with the wireless terminal. Responsive to deriving the second authentication key, a key response message may be transmitted including the second authentication key and/or an EAP-Finish/Re-auth message. Some other methods in a wireless communication network may include receiving a key response message including a core network mobility management authentication key and an EAP-Finish/Re-auth message. Responsive to receiving the key response message, the network may initiate transmission of an EAP-Finish/Re-auth message and/or a freshness parameter used to derive the core network mobility management authentication key from the wireless communication network to the wireless terminal responsive to the key response message. Related wireless terminal methods are also discussed.

Abstract: A method performed by an access and mobility node for interworking handover from an evolved packet system, EPS, to a fifth generation system, 5GS, in a radio access network is provided. The method includes receiving a relocation request from a mobility management node. The relocation request comprises an indication comprising a least one of that a user equipment, UE, supports a UP integrity protection mode over the radio access network connected to a fifth generation core, 5GC, and that the UE supports a UP integrity protection mode over the radio access network connected to the EPS. The method further includes sending a handover request to a radio access node. The handover request comprises the indication. Methods performed by a session management node, a mobility management node, a radio access node, a target radio access node, and computer products and computer programs are also provided.

Abstract: A network node in a wireless communication system configures an operator policy to indicate whether to accept legacy user equipments, UEs, that do not support user plane integrity protection, UP IP, and it sets UP IP to be either “preferred” or “not required” of a UP security policy based on the operator policy indicating acceptance of legacy UEs and in response to a communication related to a legacy UE.

Abstract: A first communication node may provide first and second NAS connection identifications for respective first and second NAS connections between the first and a second communication node, with the first and second NAS connection identifications being different and the first and second NAS connections being different. A first NAS message may be communicated between the first and second communication nodes over the first NAS connection, including at performing integrity protection for the first NAS message using the first NAS connection identification and/or performing confidentiality protection for the first NAS message using the first NAS connection identification.

Abstract: The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: A method of operating a radio access network, RAN, node of a wireless communication system, includes preparing, at the RAN node, a handover request to handover a user equipment, UE, to a target node. The handover request includes a user plane integrity protection, UP IP, policy associated with the UE. The method further includes transmitting the handover request to the target node.

Abstract: A network node configured to perform a process that includes receiving a PDU Session Establishment Request message for establishing a PDU session, wherein the PDU Session Establishment Request message was transmitted by a UE and includes a PDU session ID. The process also includes communicating a Session Management (SM) Request comprising the PDU Session Establishment Request to an SMF. The process also includes receiving from the SMF a message that includes: i) the PDU Session ID identifying the PDU session, ii) a PDU Session Establishment Accept message, and iii) a user plane (UP) security policy for the PDU session, wherein the UP security policy for the PDU session indicates: i) whether UP confidentiality protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session, and/or ii) whether UP integrity protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session.

Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.

Abstract: A method for re-establishing a Radio Resource Control (RRC) connection between a UE and a target eNB. The method is performed by the UE. The method includes the UE receiving an RRC Connection Reestablishment message from the target eNB, the RRC Connection Reestablishment message including a DL authentication token which has been generated by an MME and has had a Non Access Stratum integrity key as input. The method also includes the UE authenticating the received DL authentication token.