Abstract: A method (30) of ending a subscription performed in a network entity (20) is disclosed. The method (30) comprises receiving (33), from a device (10) comprising an Embedded Universal Integrated Circuit Card, eUICC, (14), a signed confirmation of a profile having been deleted in the device (10), the profile being associated with a subscription for the device (10); sending (34), to a Subscription Manager Data Preparation entity (19), a command for deletion of the profile; and deleting (35) the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity (19). Method (60) in a device (10), method (90) in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: There is provided mechanisms for remote provision of a subscriber entity. The method is performed by the subscriber entity. A method comprises providing a request for download of a profile for remote provisioning of the subscriber entity to a subscription management entity. The method comprises verifying, using a profile handling unit of the subscriber entity, that the subscription management entity possesses a valid certificate for downloading the profile. The method comprises allowing download of the profile for remote provisioning of the subscriber entity only when the subscription management entity possesses the valid certificate.

Abstract: There is provided mechanisms for providing a subscriber entity with a time-bounded network subscription. The method is performed by a mobile network operator entity of the subscriber entity. The method comprises receiving a request for a time-bounded network subscription for the subscriber entity. The time-bounded network subscription is to be limited to a specified time period. The method comprises providing, to a subscription management entity, subscription information of the time-bounded network subscription. The subscription information comprises a parameter indicating that the time-bounded network subscription is to be limited to the specified time period.

Abstract: There is provided mechanisms for remote provision of a secondary subscriber entity. A method is performed by a primary subscriber entity. The method comprises providing a selected subscription type for the secondary subscriber entity to a subscription portal of the primary subscriber entity during an authenticated session between the primary subscriber entity and the subscription portal. The method comprises receiving an activation code for a new network subscription of the selected subscription type from the subscription portal. The method comprises providing the activation code to the secondary subscriber entity to remotely provision the secondary subscriber entity.

Abstract: A method is provided for registration of a device as a Network Application Function, NAF, in a Generic Bootstrapping Architecture, GBA. The device performs a GBA bootstrap operation with a Bootstrapping Server Function, BSF, and sends to a NAF registration function a request to register as a NAF. The device receives NAF registration information from the NAF registration function, and performs a NAF registration with the BSF. The NAF registration function receives from the device a request to register as a NAF, confirms that that the device is authorised to act as a NAF, and transmits the NAF registration information to the device.

Abstract: The invention relates to a method at a network node in a communications network configured to receive messages from at least one MTC device manager intended for an MTC device, as well as the network node. The invention further relates to a network node and a method at the network node to receive messages from at least one MTC device intended for a one or more MTC device managers. In a first aspect of the present invention, a method is provided at a network node in a communications network configured to receive messages from at least one MTC device manager intended for an MTC device. The method comprises merging the received messages into at least one MTC device message, and sending the at least one MTC device message to the MTC device.

Abstract: There is provided mechanisms for handling network subscriptions of a subscriber entity having a network subscription locked to a source subscription management entity. A method is performed by a profile handling entity. The method comprises obtaining a request message for download of a new network subscription handled by a target subscription management entity, the request message comprising identity information of the target subscription management entity. The method comprises transmitting, when there is a mismatch between the identity information and reference identity information, a release request message of the network subscription to the source subscription management entity via the target subscription management entity. The method comprises receiving, from the source subscription management entity via the target subscription management entity, a release response message of the network subscription.

Abstract: A method enabling migration of a subscription from a source device to a destination device is disclosed. The method may be performed in a migration entity and comprises: receiving, from the source device, a confirmation of a first profile associated with the subscription having been deleted in the source device, securing a second profile associated with the subscription to be provisioned onto the eUICC of the destination device, wherein at least one piece of subscription information is the same for the first and second profiles, and providing an activation code for use in migration of the subscription to the destination device. A method in a source device, migration entity, source device, computer programs and computer program products are also provided.

Abstract: The disclosure relates to a method for access control of a data flow in a software defined networking system. The method includes receiving a first packet associated with a first data flow between a client node and a server node, verifying authentication of the first packet, repeating the receiving and verifying for a number of subsequent packets of the first data flow, wherein the number of subsequent packets is set based on type of protocol used for the first data flow and/or a policy set in the controller device, and sending, to an intermediate node along a path of the first data flow, a respective verification message for each successfully verified authentication of the first packet and any subsequent packets, allowing the first packet and any subsequent packets of the first data flow for forwarding.

Abstract: A method (200) of establishing a secure connection (213) between a master device (101) and a slave device (102), sharing at least a first communication channel, is provided. The method comprises transmitting (201) an identifier IDM of the master device over the first communication channel, generating (202) a proof-of-possession Xs of a key Ks, using Ks, IDM, and a first identifier I DSi of the slave device, generating (202) a key MKS using IDM, I DSi, and Ks, storing (204) MKS, and transmitting (203) I DSi and Xs to the master device. The method further comprises transmitting (205) IDSi, Xs, and IDM, to a bootstrapping server, acquiring (206) Ks using IDSi, and generating (207) a proof-of-possession XB of Ks using Ks, IDM, and IDsi. The method further comprises, if XB and Xs are identical (208), generating (210) a key MKB using IDM, I DSi, and Ks, and transmitting (211) MKB to the master device where it is stored (212).

Abstract: It is disclosed a method and a capillary gateway, CGW, (50, 60, 204, 304) capable to determine whether to allow a first machine-to-machine, M2M, device network access. The CGW is adapted to intercept (310) an authentication request message sent from a M2M device, and intercept (318) an authentication response message sent from a M2M management service. If the CGW determines that the authentication is successful based on the authentication response message and that there is a valid subscription for the M2M device and the authentication response message is received from a trusted management service, the CGW may allow (414) the first M2M device network access. Embodiments of the present disclosure have the advantage that disclosure can provide low-powered devices Internet reachability based on user subscriptions in non-traditional scenarios such as where devices are deployed straight out-of-the-box, i.e., without any customization.

Abstract: It is provided a method performed in a gateway and comprises the steps of: receiving a first client request from the client device, the first client request comprising a first fully qualified domain name, FQDN; transmitting a gateway request to the application server; receiving an application server response from the application server, the application server response indicating a need to provide authentication; generating a second FQDN, based on the first FQDN and an identifier of the client device; generating a client specific shared key based on the second FQDN and a shared key; generating a redirect message comprising the second FQDN, an authentication request, a context identifier and the client specific shared key; transmitting the redirect message to the client device; receiving a second client request from the client device; and generating an authentication response in case the second client request fails to comprise an authentication response.

Abstract: Embodiments are directed to using an authentication server (140) to program and reprogram network elements, such as a network node (150), in accordance with software-defined networking techniques in order to establish a traffic flow rule for a communication device (110) or user of the communication device (110). After successfully authenticating a communication device (110) or user, the authentication server (140) and/or network node (150) may use an identifier received at the authentication server (140) in connection with the authentication procedure in order to obtain a traffic flow rule for the communication device (110). The traffic flow rule may be established at the network node (140) or forwarded to a second network node configured to receive network packets from the communication device (110). The first identifier may be any one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the communication device (110).

Abstract: A method, performed by an EAP authenticator in a communication network, is disclosed. An identification of at least one EAP method supported by an EAP authentication server providing an EAP authentication service to the EAP authenticator is obtained, wherein the identification is obtained from a network entity of the communication network or from inspection of traffic through the EAP authenticator. The identification of at least one EAP method is provided to a device operable to request communication network access from the EAP authenticator. Also disclosed is a method, performed in an EAP authentication server in a communication network. A request for identification of EAP methods supported by the EAP authentication server is received, and a response to the request is sent identifying at least one EAP method supported by the EAP authentication server. An EAP authenticator. EAP authentication server and computer program are also disclosed.

Abstract: It is presented a method for facilitating secure communication between a client device and an application server.

Abstract: According to a first aspect, it is presented a method, executed in a gateway, the gateway being arranged to facilitate communication between a client device and an application server. The method comprises the steps of: receiving a client request from the client device, the client request comprising at least a portion being bound for the application server; sending an application server request to the application server; receiving an application server response from the application server, the application server response indicating a need to provide authentication; establishing at least one authentication credential using an authentication server for a connection between the client device and the application server; and sending a client response to the client device, the client response being based on the application server response and comprising the at least one authentication credential. An associated gateway, client device, vehicle, computer program and computer program product are also presented.

Abstract: The disclosure relates to a method for access control of a data flow in a software defined networking system. The method includes is performed in a controller device and comprises: receiving a first packet associated with a first data flow between a client node and a server node, verifying, based on flow attributes authentication of the first packet, repeating the receiving and verifying for a number of subsequent packets of the first data flow, wherein the number of subsequent packets is set based on type of protocol used for the first data flow and/or a policy set in the controller device, and sending, to an intermediate node along a path of the first data flow, a respective verification message for each successfully verified authentication of the first packet and any subsequent packets, allowing the first packet and any subsequent packets of the first data flow for forwarding.

Abstract: A method (100) for establishing a new identity for a constrained device is disclosed, wherein the device has an existing identity and is associated with an asymmetric key pair comprising a device public key and a device private key. The method comprises applying a hash function to the existing identity (106) and setting the resulting value as the new identity for the constrained device (108), wherein the existing identity comprises at least a first generation hash value of a hash chain formed by applying the hash function to the device public key. Also disclosed is a method (200) for managing an identity of a constrained device, the device being associated with an asymmetric key pair comprising a device public key and a device private key.

Abstract: A method in a network node of a communication network configured to manage command messages from at least one Machine Type Communication, MTC, device manager intended for an MTC device, comprises receiving command messages from the at least one MTC device manager, step (201). One or more command messages are merged into an MTC device message that comprises at least one command message, step (203). Originator information is associated with each command message in the MTC device message, step (205). The MTC device message is sent to an MTC device. The network node may further perform the steps of receiving an MTC device message from an MTC device, the MTC device message comprising at least one response message, step (301).

Abstract: A system is described for a license provider to distribute licenses for software applications. A license server (102) is operated by the license provider to distribute licenses to user devices (110). At least one local interface device such as an NFC pad (104) is provided at a known geographical location, configured to communicate with the license server, and further configured to communicate with a user device (110) when located less than a predetermined maximum distance from the local interface device. The local interface device is configured to be authenticated to the license server and provides a mechanism for a user device (110) communicating with the local interface device (104) to use the authentication of the local interface device to obtain a license from the license server (102).