Patents by Inventor Noamen Ben Henda

Noamen Ben Henda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12273711
    Abstract: A wireless device (12) performs authentication (14) with a home network (10H) of the wireless device (12). The wireless device (12) encrypts a network slice identifier (24) with cryptographic key material (22) that is available from the authentication (14) with the home network (10H) and that is shared between the wireless device (12) and the home network (10H). The wireless device (12) transmits a message (20) that includes the encrypted network slice identifier (26). In some embodiments, a network node in a serving network (10S) of the wireless device (12) receives the message (20) and decrypts, or requests decryption of, the encrypted network slice identifier (26) using cryptographic key material (22) that is available to the wireless device (12) from authentication (14) of the wireless device (12) with the home network (10H) and that is shared between the wireless device (12) and the home network (10H).
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: April 8, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Henrik Normann
  • Publication number: 20250071555
    Abstract: This application provides a communication method and an apparatus. In an implementation, the communication method is applied to a universal integrated circuit card, the universal integrated circuit card is configured with a subscription permanent identifier and a pseudo identifier corresponding to the subscription permanent identifier, and the method includes: The universal integrated circuit card generates a subscription concealed identifier based on the pseudo identifier, where a length of a username included in the pseudo identifier is different from a length of a username included in the subscription permanent identifier, and the length of the username included in the pseudo identifier is greater than a first threshold and less than a second threshold; and then the universal integrated circuit card sends the subscription concealed identifier to a mobile equipment.
    Type: Application
    Filed: November 5, 2024
    Publication date: February 27, 2025
    Inventors: Noamen Ben Henda, Li Hu, Rong Wu
  • Patent number: 12231875
    Abstract: A method performed by a core network node in a core network of a wireless communication system includes receiving a first request to establish a first protocol data unit, PDU, session between a user equipment, UE, and a user plane function in the core network, generating user plane, UP, security enforcement information, to be applied to the first PDU session, transmitting the UP security enforcement information to a radio access network, RAN, node for establishing the first PDU session, and storing the UP security enforcement information for use in establishing a subsequent PDU session for the UE.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: February 18, 2025
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Patent number: 12225377
    Abstract: A method performed by a network equipment of a communication network to dynamically provide trust information to a communication device registered or being registered to the communication network is provided. The method includes determining a trust information for each of one or more access networks. The trust information indicates whether each of the one or more access networks is trusted. The method further includes indicating to the communication device whether the one or more access networks is trusted for a current session or a later session. A method performed by a communication device registered or being registered with a communication network to dynamically receive trust information is also provided. The method includes receiving a message including a protected trust information list from a network equipment. The method further includes verifying the protection of the message. The method further includes storing the protected trust information list.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: February 11, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Lehtovirta, Prajwol Kumar Nakarmi, Helena Vahidi Mazinani, Noamen Ben Henda, Markus Hanhisalo
  • Patent number: 12200491
    Abstract: A method to operate a UE for handling security policy for user plane protection of communications in a communications system is provided. The method includes transmitting a packet data unit (PDU) session establishment request network access stratum (NAS) message toward an Access and Mobility Management Function (AMF) to establish a PDU session. The method further includes receiving an access network (AN) specific resource setup message indicating whether the UE is to activate integrity protection for data radio bearers (DRBs) serving the PDU session.
    Type: Grant
    Filed: May 4, 2019
    Date of Patent: January 14, 2025
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Peter Hedman, Paul Schliwa-Bertling, Monica Wifvesson
  • Patent number: 12200812
    Abstract: A method by a first security edge protection proxy (SEPP) for security edge protection of messages being communicated between first and second communications networks of a communications system. The method receives, from a first network function of the first communications network, a first message containing an address identifying a second network function which is located in the second communications network. The method receives, from a second SEPP operating to protect communications with the second communications network, a second message containing a fully qualified domain name, FQDN, reference for a combination of the second SEPP and the second network function. The method stores the FQDN reference for the combination of the second SEPP and second network function in a label-to-FQDN mapping data structure with a logical association to a substitute locally-unique label, and sends a third message containing the substitute locally-unique label to the first network function.
    Type: Grant
    Filed: December 15, 2023
    Date of Patent: January 14, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Juha Kujanen
  • Patent number: 12192835
    Abstract: A method performed by a wireless device (12). The method comprises performing, over a first cell (14) associated with a public network, a non-access stratum (NAS) procedure in which the wireless device (12) is authenticated as being authorized to access a non-public network. The method also comprises after performing the NAS procedure, receiving from the first cell (14) a mobility command that commands the wireless device (12) to perform a mobility procedure towards a second cell (16) associated with the non-public network.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: January 7, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Peter Hedman, Paul Schliwa-Bertling
  • Patent number: 12184703
    Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.
    Type: Grant
    Filed: May 30, 2023
    Date of Patent: December 31, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Monica Wifvesson, Prajwol Kumar Nakarmi, Noamen Ben Henda, Håkan Palm
  • Patent number: 12177662
    Abstract: A method performed by a UE. The method includes generating a SUCI comprising: i) an encrypted part in which a Mobile Subscription Identification Number of a SUPI is encrypted and ii) a clear-text part comprising: a) a Mobile Country Code of the SUPI, b) a Mobile Network Code of the SUPI, c) a public key identifier for a public key of a home network of the user equipment, and d) an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the Mobile Subscription Identification Number in the SUCI. The method also includes transmitting the SUCI to an authentication server in the home network for forwarding of the SUCI to a de-concealing server capable of decrypting the Mobile Subscription Identification Number.
    Type: Grant
    Filed: May 5, 2022
    Date of Patent: December 24, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Noamen Ben Henda, David Castellanos Zamora, Prajwol Kumar Nakarmi, Pasi Saarinen, Monica Wifvesson
  • Publication number: 20240388897
    Abstract: A method performed by a user equipment, UE, for enabling a user plane integrity protection mode in a radio access network packet data convergence protocol, PDCP, is provided. The method includes providing an indication of a user plane integrity protection, UP IP, mode supported by the UE. The method further includes receiving an activation message from a receiving node that includes an indication to the UE to activate the UP IP mode. The receiving node is a long term evolution eNodeB. Methods performed by a network node and a radio access node are also provided.
    Type: Application
    Filed: July 17, 2024
    Publication date: November 21, 2024
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Patent number: 12137340
    Abstract: In some embodiments, a method in a wireless device comprises registering first and second connections with an AMF. The first and second connections share a first security context and connect via first and second access networks, respectively. The method further comprises establishing a second security context with the AMF, setting a flag to a first value based on the second security context having been taken into use on the first connection, and setting the flag to a second value based on the second security context having been taken into use on the second connection. The second value indicates that the second security context has been taken into use on both the first and second connections. The method further comprises retaining the first security context when the flag is set to the first value, and disposing of the first security context after setting the flag to the second value.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: November 5, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Publication number: 20240284178
    Abstract: A method to operate a UE for handling security policy for user plane protection of communications in a communications system is provided. The method includes transmitting a packet data unit (PDU) session establishment request network access stratum (NAS) message toward an Access and Mobility Management Function (AMF) to establish a PDU session. The method further includes receiving an access network (AN) specific resource setup message indicating whether the UE is to activate integrity protection for data radio bearers (DRBs) serving the PDU session.
    Type: Application
    Filed: May 4, 2019
    Publication date: August 22, 2024
    Inventors: Noamen BEN HENDA, Peter HEDMAN, Paul SCHLIWA-BERTLING, Monica WIFVESSON
  • Patent number: 12069471
    Abstract: The AMF re-allocation procedure for an Initiating AMF that has reroute capability via an Access Network (AN) is optimized in scenarios where a wireless device, such as a User Equipment (UE), already shares a 5G security context within a Last Serving AMF that is different from the Initiating AMF, and where the Initiating AMF and the Last Serving AMF can communicate with each other via an interface.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: August 20, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Peter Hedman, Vlasios Tsiatsis, Monica Wifvesson, Qian Chen, Noamen Ben Henda, Ivo Sedlacek
  • Publication number: 20240276211
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Application
    Filed: April 16, 2024
    Publication date: August 15, 2024
    Inventors: Monica Wifvesson, Noamen Ben Henda, Vesa Lehtovirta, Christine Jost
  • Publication number: 20240276224
    Abstract: A method performed by a user equipment, UE, for enabling user plane integrity protection of data in a packet data convergence protocol, PDCP, in a radio access network is provided. The method includes sending a session establishment request towards a session management node that includes an indication of a user plane integrity protection mode supported by the UE. The method further includes receiving an activation message from a receiving radio access node that includes an indication to the UE to activate the user plane integrity protection mode for a data radio bearer established with the receiving radio access node. Methods performed by a session management node, a target access and mobility node, and a radio access node are also provided.
    Type: Application
    Filed: April 26, 2024
    Publication date: August 15, 2024
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Patent number: 12058515
    Abstract: A method performed by a user equipment, UE, for enabling a user plane integrity protection mode in a radio access network packet data convergence protocol, PDCP, is provided. The method includes providing an indication of a user plane integrity protection, UP IP, mode supported by the UE. The method further includes receiving an activation message from a receiving node that includes an indication to the UE to activate the UP IP mode. The receiving node is a long term evolution eNodeB. Methods performed by a network node and a radio access node are also provided.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: August 6, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Publication number: 20240259792
    Abstract: A UE configured to perform a process that includes transmitting, via a RAN node, a Protocol Data Unit (PDU) Session Establishment Request message toward a Session Management Function (SMF). The process also includes, after transmitting the PDU Session Establishment Request message, the UE receiving from the RAN node a Radio Resource Control (RRC) Connection Reconfiguration message comprising: i) a PDU session identifier (ID) identifying a PDU session, ii) a PDU Session Establishment Accept message generated by the SMF, and iii) indications for the activation of user plane (UP) integrity protection and ciphering for each data radio bearer (DRB) belonging to the PDU session according to a security policy received by the RAN node.
    Type: Application
    Filed: April 11, 2024
    Publication date: August 1, 2024
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa TORVINEN, Noamen BEN HENDA, Monica WIFVESSON
  • Publication number: 20240244435
    Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.
    Type: Application
    Filed: April 14, 2022
    Publication date: July 18, 2024
    Inventors: Christine Jost, Noamen Ben Henda, David Castellanos Zamora, Peter Hedman, Ivo Sedlacek, Vlasios Tsiatsis, Monica Wifvesson
  • Patent number: 12041441
    Abstract: Methods and apparatus for small data communications over a user plane in a wireless communication network. A method performed by a wireless device comprises receiving, from mobility management network equipment (e.g., implementing an AMF), control signaling indicating that the wireless device is to horizontally derive a base security key and/or that the wireless device is to derive a small data transfer, SDT, security key from the base security key. The base security key may be included in a non-access stratum, NAS, security context at the wireless device and at the mobility management network equipment. The method may further comprise, responsive to receiving the control signaling, deriving the SDT security key from the base security key and a freshness parameter.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: July 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Publication number: 20240214801
    Abstract: Network equipment (16A) is configured for use in a wireless communication network. The network equipment (16A) is configured to detect one or more conditions under which non-access stratum (NAS) keys (26A) that protect NAS communication between the network equipment (16A) and a wireless device (12) are to be refreshed. Responsive to detecting the one or more conditions, the network equipment (16A) is configured to derive, from a base key (24A) on which the NAS keys (26A) were derived, a new base key (24B) on which fresh NAS keys (26B) are to be derived. The network equipment (16A) is also configured to activate the new base key (24B).
    Type: Application
    Filed: March 11, 2024
    Publication date: June 27, 2024
    Inventors: Noamen Ben Henda, Monica Wifvesson