Abstract: Network equipment in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, for a subscriber. The SUCI contains a concealed subscription permanent identifier, SUPI, for the subscriber. The received at least a portion of the SUCI indicates a sub-domain code, SDC. The SDC indicates a certain sub-domain, from among multiple sub-domains of a home network of the subscriber, to which the subscriber is assigned. The network equipment is also configured to determine, based on the SDC and from among multiple instances of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber.

Abstract: A method performed by a mobile terminal is provided for supporting positioning of the mobile terminal. The method includes receiving a defined filter pattern from a network node in a communications network or another node of the communications network, discovering identities of a plurality of reference devices based on signals received from the plurality of reference devices, filtering the identities of the plurality of reference devices to obtain a subset of identities of the plurality of reference devices that each satisfy the defined filter pattern, and reporting information on the subset of the identities of the plurality of reference devices to the network node.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.

Abstract: A method performed by a wireless device is provided. The method comprises identifying that an Access and Mobility Management Function (AMF) relocation procedure with re-route via a Radio Access Network (RAN) node is being performed for the wireless device and generating a key associated with a primary authentication of the wireless device. The method further comprises using the key for performing a Non Access Stratum Security Mode Control (NAS SMC) procedure with a first network node operating as a target AMF, and wherein the use of the key by the wireless node is restricted such that the wireless device is restricted from using the key for at least one procedure other than the NAS SMS procedure with the first network node operating as the target AMF.

Abstract: A network node (500, 600) in a home network, HN, of a wireless device (10, 300, 400) assigns a different priority to each of one or more parameter sets in a priority list. Each parameter set comprises one or more parameters used for calculating the subscription identifier. The network node (500, 600) provides the wireless device (10, 300, 400) with the priority list to facilitate the calculation of the subscription identifier by the wireless device (10, 300, 400). The wireless device (10, 300, 400) obtains the priority list, and calculates the subscription identifier using a null parameter set or one of the one or more parameter sets in the priority list selected responsive to the defined priorities. The wireless device (10, 300, 400) then informs the HN of the subscription of the wireless device (10, 300, 400) by sending the calculated subscription identifier to the network node (500, 600).

Abstract: Network equipment (10) is configured for use in a wireless communication network (12). The network equipment (10) is configured to receive, over an interface (22) with radio equipment (14), a request (24) for information (26) based on which is determinable an unobfuscated identifier (20) associated with a target (16) being tracked by the radio equipment (14). The unobfuscated identifier (20) may be obfuscated by an obfuscating identifier (18) associated with the target (16). The network equipment (10) is also configured to send, from the network equipment (10) to the radio equipment (14), a response (28) that includes the requested information (26).

Abstract: The present disclosure relates to a method performed by a UE (103) in a communications system (100). The UE (103) provides information indicating its SI protection capability to a node (101, 105). The SI protection capability is associated with the UE's (103) capability and need to verify SI signatures. The UE (103) obtains SI protection information from the node (101, 105), and uses the SI protection information.

Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.

Abstract: A method performed by a Distributed Unit, DU, node for handling a message in a communication between a User Equipment, UE, the DU node and a Central Unit, CU, node. The DU node obtains a secondary security key from a network node. The secondary security key is associated with the DU node. The DU node receives the message from the UE or the CU node. The message is security protected with one or both of a first security key, and the secondary security key. The message or a part of the message, is not possible to use by the DU node when security protected with the first security key. The DU node determines that at least a part of the message is security protected with the secondary security key. The DU node uses the at least the part of the message security protected with the secondary security key.

Abstract: Fuzz testing equipment fuzz tests a system under test, SUT, configured for use in a wireless communication network. The fuzz test equipment obtains a message specification that governs a certain type of message whose handling by the SUT is to be tested. The fuzz testing equipment mutates the message specification, and performs, or assists with, testing of the SUT using a message that is fuzzed based on the mutated message specification.

Abstract: A network node (20) is configured for use in a wireless communication network (10). The network node (20) configures multiple central unit user planes, CU-UPs, (14-1UP) of a disaggregated radio network node (14) to handle different respective data radio bearers (16-1 . . . 16-N) of a wireless device (12) in multi-connectivity operation, with security processing of user plane traffic by different CU-UPs (14-1UP) being based on different respective security keys (18). In some embodiments, the network node (20) configures different distributed units, DUs, of the disaggregated radio network node (14) to serve different respective ones of the data radio bearers (16-1 . . . 16-N).

Abstract: Network equipment in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, (34) for a subscriber. The SUCI (34) contains a concealed subscription permanent identifier, SUPI, (20) for the subscriber. The received at least a portion of the SUCI (34) indicates a sub-domain code, SDC. The SDC indicates a certain sub-domain, from among multiple sub-domains of a home network of the subscriber, to which the subscriber is assigned. The network equipment is also configured to determine, based on the SDC and from among multiple instances of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber.

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: A user equipment (“UE”) can handle registrations of the UE in different wireless communication networks. The UE can obtain information indicating whether a Universal Subscriber Identity Module (“USIM”) of the UE supports storing multiple different Non-Access Stratum (“NAS”) security contexts of the UE associated with the different wireless communication networks. The UE can further determine whether the USIM supports storing the multiple different NAS security contexts of the UE associated with the different wireless communication networks based on the obtained information.

Abstract: A method of operating a network device in a serving network for providing regulation compliant privacy in a communications network is provided. Operations of such methods include obtaining a concealed subscription identifier from a user equipment, UE, that is associated with a home network, HN, obtaining a permanent subscription identifier that is associated with the concealed subscription identifier from the HN, determining whether the concealed subscription identifier from the UE corresponds to the permanent subscription identifier from the HN, and responsive to determining that the concealed subscription identifier from the UE corresponds to the permanent subscription identifier from the HN, performing further operations to provide service to the UE.

Abstract: In order to ensure that a Subscription Concealed Identifier, SUCI, is calculated in the Universal Subscriber Identity Module, USIM, part of a User Equipment, UE, when intended, when a SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, a network node sets proprietary information, which is not known to a Mobile Equipment, ME, part of the UE, as required for calculation of the SUCI. The USIM facilitates calculation of the SUCI in the ME part of the UE only when the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the ME. When the SUCI-Calculation-Indicator is set to a value indicating that the SUCI should be calculated in the USIM, the ME part deletes any locally stored information required for calculation of the SUCI.

Abstract: Detection equipment (46) detects a false cell (18) in a wireless communication network (10). The detection equipment (46) obtains a test dataset (40) that comprises one or more test datapoints (42), with each test datapoint indicating a combination (44) of values detected for a cell characteristic. The detection equipment (46) tests for the presence of a false cell (18) that is using the same cell identity as a genuine cell, based on an extent to which the test dataset (40) differs from a training dataset (26) according to a model (30) trained using the training dataset (26).

Abstract: A wireless device requests a network slice from a network by, first, identifying at least one network slice to be requested. Based on a mapping method that is specific to the wireless device, the wireless device forms a slice pseudonym for the or each network slice to be requested. The wireless device then transmits a request message to the network, wherein the request message comprises the or each slice pseudonym. The network node receives the request message sent by the wireless device, wherein the request message comprises at least one slice pseudonym. Based on a mapping method that is used by the wireless device and that is specific to the wireless device, the network node identifies at least one requested network slice from the or each received slice pseudonym. The network node then permits use of the requested network slice.

Abstract: A method and apparatus for a first IAB node for securely communicating with at least one second IAB node is provided. A secure connection with a node of a network is established. A message is received, from the node, indicating a secure messaging protocol to use to communicate with the at least one second IAB node, the message including one of at least one nonce or a key. A control message to be sent to the at least one second IAB node is transformed into a secure control message using the secure messaging protocol. The secure control message is transmitted to the at least one second IAB node.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.