Patents by Inventor Noamen Ben Henda

Noamen Ben Henda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230422035
    Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.
    Type: Application
    Filed: September 13, 2023
    Publication date: December 28, 2023
    Inventors: Noamen BEN HENDA, Helena VAHIDI MAZINANI, Vesa LEHTOVIRTA
  • Patent number: 11849315
    Abstract: A method for operating a User Equipment (UE) is disclosed, wherein the UE is served by a source first network function in a first network and requires to register with a target second network function in a second network. The method comprises generating a registration request with integrity protection for at least a part of the registration request, and sending an integrity protected part of the registration request to the source first network function via the target second network function.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Noamen Ben Henda, Qian Chen, Peter Hedman, Lars-Bertil Olsson, Vesa Torvinen
  • Patent number: 11849325
    Abstract: Methods and network equipment for implementing a security mechanism for interworking with an independent security anchor function (SEAF) in 5G networks. A method performed by the standalone SEAF comprises receiving a first request for a key to secure communication between the UE and a first access and mobility function (AMF) with which a user equipment (UE) requests registration, wherein the request includes a first indication that indicates whether the UE supports a standalone SEAF or not; receiving, from a second AMF with which the UE requests registration for performing inter-AMF mobility to the second AMF, a second request for a key to secure communication between the UE and the second AMF, wherein the request includes a second indication that indicates whether the UE supports a standalone SEAF or not; and determining whether or not a bidding down attack has occurred depending at least in part on whether the first indication matches the second indication.
    Type: Grant
    Filed: January 3, 2019
    Date of Patent: December 19, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Noamen Ben Henda
  • Patent number: 11849319
    Abstract: A method may be provided at a wireless terminal to support communications with a network node of a wireless communication network. An IKE SA may be initiated to establish a NAS connection between the wireless terminal and the network node through a non-3GPP access network and a non-3GPP interworking function network node. After initiating the IKE SA, an IKE authorization request may be transmitted through the non-3GPP access network to the N3IWF network node, with the IKE authorization request including an identifier of the wireless terminal. An access network key may be derived for the NAS connection through the non-3GPP access network at the wireless terminal, with the access network key being derived based on a NAS count for the wireless terminal and an anchor key. An IKE authorization response corresponding to the IKE authorization request may be received.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: December 19, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Vesa Lehtovirta, Mikael Wass, Monica Wifvesson
  • Patent number: 11849316
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda, Christine Jost, Vesa Lehtovirta
  • Patent number: 11849389
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Grant
    Filed: February 14, 2023
    Date of Patent: December 19, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christine Jost, Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Publication number: 20230403554
    Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
    Type: Application
    Filed: August 29, 2023
    Publication date: December 14, 2023
    Inventors: Noamen Ben Henda, David Castellanos ZAMORA, Monica Wifvesson, Vesa Lehtovirta
  • Patent number: 11805410
    Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: October 31, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Helena Vahidi Mazinani, Vesa Lehtovirta
  • Publication number: 20230328111
    Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.
    Type: Application
    Filed: May 30, 2023
    Publication date: October 12, 2023
    Inventors: Monica Wifvesson, Prajwol Kumar Nakarmi, Noamen Ben Henda, Håkan Palm
  • Patent number: 11778475
    Abstract: There is provided a method performed by a network unit, and a corresponding network unit as well as a corresponding wireless communication device, for supporting interworking and/or idle mode mobility between different wireless communication systems, including a higher generation wireless system and a lower generation wireless system, to enable secure communication with the wireless communication device. The method comprises selecting, in connection with a registration procedure and/or a security context activation procedure of the wireless communication device with the higher generation wireless system, at least one security algorithm of the lower generation wireless system, also referred to as lower generation security algorithm(s). The method also comprises sending a control message including information on the selected lower generation security algorithm(s) to the wireless communication device.
    Type: Grant
    Filed: August 16, 2022
    Date of Patent: October 3, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, Monica Wifvesson
  • Publication number: 20230292125
    Abstract: A method by a first core network (CN) node of a core network of a wireless communication system for authenticating a user equipment (UE) to the CN. The method includes receiving, from a second CN node, a first authentication request to authenticate the UE to the CN, and determining that the UE should be authenticated by an external authentication entity that is external to the wireless communication system. The first CN node transmits a second authentication request toward the external authentication entity, and receives a first authentication response verifying authenticity of the UE. The method further includes obtaining a key for securing communications with the UE based on the authentication response, and transmitting a second authentication response to the second CN node identifying the UE and including the key for securing communications with the UE.
    Type: Application
    Filed: August 10, 2021
    Publication date: September 14, 2023
    Inventors: Noamen BEN HENDA, Vesa LEHTOVIRTA, Henrik NORMANN, David CASTELLANOS ZAMORA
  • Publication number: 20230284017
    Abstract: A first communication node may provide first and second NAS connection identifications for respective first and second NAS connections between the first and a second communication node, with the first and second NAS connection identifications being different and the first and second NAS connections being different. A first NAS message may be communicated between the first and second communication nodes over the first NAS connection, including at performing integrity protection for the first NAS message using the first NAS connection identification and/or performing confidentiality protection for the first NAS message using the first NAS connection identification.
    Type: Application
    Filed: April 4, 2023
    Publication date: September 7, 2023
    Inventors: Noamen BEN HENDA, Monica WIFVESSON
  • Patent number: 11743718
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.
    Type: Grant
    Filed: July 22, 2022
    Date of Patent: August 29, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Patent number: 11743722
    Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: August 29, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Noamen Ben Henda, David Castellanos Zamora, Monica Wifvesson, Vesa Lehtovirta
  • Publication number: 20230224700
    Abstract: A network node configured to perform a process that includes receiving a PDU Session Establishment Request message for establishing a PDU session, wherein the PDU Session Establishment Request message was transmitted by a UE and includes a PDU session ID. The process also includes communicating a Session Management (SM) Request comprising the PDU Session Establishment Request to an SMF. The process also includes receiving from the SMF a message that includes: i) the PDU Session ID identifying the PDU session, ii) a PDU Session Establishment Accept message, and iii) a user plane (UP) security policy for the PDU session, wherein the UP security policy for the PDU session indicates: i) whether UP confidentiality protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session, and/or ii) whether UP integrity protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session.
    Type: Application
    Filed: March 17, 2023
    Publication date: July 13, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa TORVINEN, Noamen BEN HENDA, Monica WIFVESSON
  • Publication number: 20230208823
    Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.
    Type: Application
    Filed: December 22, 2022
    Publication date: June 29, 2023
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Prajwol Kumar NAKARMI, Noamen BEN HENDA, Christine JOST, Vesa TORVINEN
  • Patent number: 11690001
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 27, 2023
    Assignee: TELEFON AKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Christine Jost, Noamen Ben Henda, Vesa Torvinen, Monica Wifvesson
  • Publication number: 20230199495
    Abstract: A method performed by a user equipment, UE, for enabling user plane integrity protection of data in a packet data convergence protocol, PDCP, in a radio access network is provided. The method includes sending a session establishment request towards a session management node that includes an indication of a user plane integrity protection mode supported by the UE. The method further includes receiving an activation message from a receiving radio access node that includes an indication to the UE to activate the user plane integrity protection mode for a data radio bearer established with the receiving radio access node. Methods performed by a session management node, a target access and mobility node, and a radio access node are also provided.
    Type: Application
    Filed: February 14, 2023
    Publication date: June 22, 2023
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Publication number: 20230188979
    Abstract: A key management is provided that enables security activation before handing over a user equipment from a source 5G wireless communication system, i.e., a Next Generation System (NGS), to a target 4G wireless communication system, i.e., an Evolved Packet System (EPS)/Long Term Evolution (LTE). The key management achieves backward security, i.e., prevents the target 4G wireless communication system from getting knowledge of 5G security information used in the source 5G wireless communication system.
    Type: Application
    Filed: February 10, 2023
    Publication date: June 15, 2023
    Inventors: Monica WIFVESSON, Noamen BEN HENDA, Christine JOST, Vesa LEHTOVIRTA
  • Publication number: 20230189134
    Abstract: There is provided a solution for managing security contexts at idle mode mobility of a wireless communication device between different wireless communication systems including a first wireless communication system and a second wireless communication system. The first wireless communication system is a 5G/NGS system and the second wireless communication system is a 4G/EPS system. The solution is based on obtaining (S1) a 5G/NGS security context, and mapping (S2) the 5G/NGS security context to a 4G/EPS security context.
    Type: Application
    Filed: February 14, 2023
    Publication date: June 15, 2023
    Inventors: Christine JOST, Noamen BEN HENDA, Vesa TORVINEN, Monica WIFVESSON