Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: There is provided mechanisms for handling download of a subscription profile from a pool of subscription profiles. The subscription profiles of the pool of subscription profiles are served by an MNO entity. A method is performed by a subscription management entity. The subscription management entity manages the pool of subscription profiles. The pool of subscription profiles has its own pool identifier. The method comprises obtaining a request from a communication device for download of one of the subscription profiles from the pool of subscription profiles. The method comprises enabling download to the communication device of one of the subscription profiles from the pool of subscription profiles. The method comprises filling up the pool of subscription profiles so that total number of subscription profiles in the pool of subscription profiles remains unchanged.

Abstract: There is provided mechanisms for subscription profile download. A method is performed by a communication device. The communication device is configured with a first authorization secret. The method comprises receiving, as part of performing a subscription profile download procedure, second authorization information from a subscription management entity. The second authorization information is generated using a second authorization secret. The method comprises downloading the subscription profile only if the second authorization information, according to a matching criterion, matches the first authorization secret.

Abstract: There is provided mechanisms for initial network authentication between a communications device and a network. A method is performed by the communications device. The communications device comprises an identity module supporting remote subscription profile download. The identity module comprises credentials for remote subscription profile download. The method comprises performing a first message exchange with an authentication server. The first message exchange comprises an identity module challenge obtained from the identity module being transmitted to the authentication server from the communications device. The method comprises receiving a second message from the authentication server. The second message comprises an ephemeral public key of the authentication server, an authentication server challenge and an authentication server signature.

Abstract: There is provided mechanisms for handling credentials of an IoT SAFE applet. A method is performed by a communication device. The communication device stores the IoT SAFE applet in a first security domain of a subscription module in the communication device. The first security domain is free from any subscription profile and is different from any security domain of the subscription module for storing subscription profiles. The IoT SAFE applet is independent from any MNO. The communication device is without credentials for the IoT SAFE applet for establishing secure communication for the communication device with a network node. The method comprises obtaining credentials for the IoT SAFE applet from the network node. The method comprises storing the credentials in the first security domain of the subscription module. The credentials are, after successful storage, accessible only from within the first security domain.

Abstract: There is provided mechanisms for profile handling of a communication device. A method is performed by a subscription server. The method comprises obtaining device type information of the communication device from a proxy server. The method comprises determining a profile handling action for the communication device according to at least one localization rule. According to which of the localization rule the profile handling action is determined depends on a mapping between the device type information and the localization rule. The method comprises notifying the proxy server of the profile handling action.

Abstract: There is presented mechanisms for profile handling of a communications device (300). A method is performed by a local profile assistant (200a) of a proxy device (200). The method comprises obtaining an indication of handling a profile of the communications device (300). The method comprises establishing a first secure communications link with a local profile assistant of the communications device. The method comprises establishing a second secure communications link with a subscription management entity (430) of the communications device. The method comprises receiving information pertaining to handling of the profile by the local profile assistant of the communications device, the information being received from the subscription management entity over the second secure communications link. The method comprises providing the information to the local profile assistant of the communications device over the first secure communications link.

Abstract: A method (100) for performing an authentication procedure between a verifying device and a responding device is disclosed, the verifying and responding devices being provisioned with security credentials. The method, performed by the verifying device, comprises generating an authentication challenge (110), delivering the authentication challenge to the responding device (120), receiving an authentication response from the responding device (130), and verifying the authentication response (140). According to the method, at least one of the authentication challenge or authentication response is encoded as a sequence of qubits and delivered over a quantum communication channel between the verifying device and the responding device (120A, 120B, 130A, 130B). Also disclosed are methods for delivering and receiving a message over a quantum communication channel, and devices for performing authentication and message exchange methods.

Abstract: A system is disclosed for managing a communication network subscription identifier associated with a device. The system comprises a Core Network node configured to provide a subscription identifier for the device to a Device Management node with management responsibility for the device. The system further comprises a Verification node configured to receive from the Device Management node the subscription identifier and a characteristic of the device, and to bind the subscription identifier to the characteristic such that the subscription identifier is uniquely associated with the characteristic. The system further comprises a Network Access node configured to obtain the subscription identifier from the device. The Verification node, Network Access node and Core Network node are configured to cooperate to verify that the device from which the Network Access node obtained the subscription identifier is in possession of the characteristic that is bound to the subscription identifier.

Abstract: There is provided mechanisms for handling subscription profiles for a set of wireless devices. A method is performed by an MNO entity. The method includes obtaining a single request for handling subscription profiles for the set of wireless devices. The method includes performing, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.

Abstract: Embodiments described herein relate to methods and apparatuses for enabling remote management of a profile in an identity module in an NB-IoT device. A proxy server is configured with access to a database of one or more external identifiers associated with one or more respective NB-IoT devices, wherein the one or more external identifiers are used to address the respective one or more NB-IoT devices via an exposure function in a core network. A method in the proxy server comprises receiving a request to deliver a triggering message to the NB-IoT device, wherein the request comprises a device identifier; determining an external identifier based on the received device identifier; and delivering the triggering message to the NB-IoT device using the external identifier.

Abstract: There is provided mechanisms for profile handling of a batch of identity modules. Each identity module in the batch of identity modules has credentials for secure installation of profiles. A method is performed by an LPA of a proxy device. The LPA comprises credentials for profile download. The credentials comprise a certificate. The credentials enable the LPA to act as a virtual identity module. Another method is performed by a subscription management entity. Yet another method is performed by an identity module in the batch of identity modules.

Abstract: There is provided mechanisms for provisioning of an application level identity from an ID backend server to a communication device. The provisioning of the application level identity is protected using TLS-, DTLS-, or OSCORE-based secure communication. The communication device comprises an identity module configured for interaction according to GSMA RSP based remote subscription profile download. The methods are performed by the communication device and the ID backend server.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: There is provided mechanisms for enabling secure communication between a first communications device and a second communications device. A method is performed by the first communications device. The method comprises performing a network attachment procedure with an authentication server. The method comprises establishing, during the network attachment procedure, a shared secret between the first communications device and the authentication server. The shared secret is established by running an authentication and key agreement protocol as part of the network attachment procedure with a network access identity of the first communications device as input. The method comprises deriving an application level shared key for the first communications device from the shared secret. The shared key is to be used for secure communication between the first communications device and the second communications device.

Abstract: There is provided mechanisms for handling registration of data packet traffic for a wireless device in a communications network. A method is performed by a core network node. The method comprises registering an amount of data packet traffic in the communications network for the wireless device, wherein each data packet comprises an address of the wireless device, wherein the address is mapped to an identity of the wireless device, wherein the address comprises a first part defining an identity of a local network gateway of the wireless device and a second part defining the identity of the wireless device, and wherein selection of the second part is independent from the first part and the identity of the local network gateway. The method comprises mapping the amount of data packet traffic to the identity of the wireless device.

Abstract: This disclosure provides a method, performed in a wireless device, for obtaining initial access to a network in order to establish a connection to a server connected to the network. The wireless device stores a device public key and a device private key. The server stores the device public key. The method comprises transmitting an initial access request to a network node of the network and receiving an authentication request from the network node, the authentication request comprising a challenge. The method comprises generating a device authenticator based on the challenge and the device public key, and transmitting an authentication response to the network node. The authentication response comprises the device authenticator. The method comprises receiving an initial access response from the network node, the initial access response comprising an indicator of whether the initial access is granted or denied.

Abstract: There is provided mechanisms for handling subscription profiles for a set of wireless devices. A method is performed by an MNO entity. The method includes obtaining a single request for handling subscription profiles for the set of wireless devices. The method includes performing, with a profile provisioning server, a preparation procedure for the set of wireless devices wherein a common batch profile handling parameter for the set of wireless devices is created, and whereby the set of wireless devices are associated with at least one matching identifier for tracking actions relating to the handling of the subscription profiles at the MNO entity and the profile provisioning server.

Abstract: There is provided mechanisms for initial network authentication between a communications device and a network. A method is performed by the communications device. The communications device comprises an identity module supporting remote subscription profile download. The identity module comprises credentials for remote subscription profile download. The method comprises performing a first message exchange with an authentication server. The first message exchange comprises an identity module challenge obtained from the identity module being transmitted to the authentication server from the communications device. The method comprises receiving a second message from the authentication server. The second message comprises an ephemeral public key of the authentication server, an authentication server challenge and an authentication server signature.

Abstract: Methods for communication for a device and a transport node are disclosed, the transport node facilitating communication between the device and a server. The method (100) for the device comprises assembling a message for sending to the server via the transport node (120), the message comprising a message payload, an application layer header, and a signature, wherein at least one of the message payload or a part of the application layer header is encrypted. The method further comprises retrieving a compression context identifier corresponding to the application layer header (130), replacing the application layer header in the message with the retrieved compression context identifier (140) and forwarding the message to the transport node (150). The method (200) for the transport node comprises retrieving an application layer header corresponding to the compression context identifier (220), and replacing the compression context identifier in the message with the retrieved application layer header (230).