Abstract: Network equipment in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, (34) for a subscriber. The SUCI (34) contains a concealed subscription permanent identifier, SUPI, (20) for the subscriber. The received at least a portion of the SUCI (34) indicates a sub-domain code, SDC. The SDC indicates a certain sub-domain, from among multiple sub-domains of a home network of the subscriber, to which the subscriber is assigned. The network equipment is also configured to determine, based on the SDC and from among multiple instances of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber.

Abstract: A method at a first communication node may provide communication with a second communication node in a wireless communication network. A radio bearer is provided for communication between the first and second communication nodes over a radio interface. A plurality of packets are communicated over the radio bearer between the first and second communication nodes using selective integrity protection so that at least a first packet of the plurality of packets is communicated over the radio bearer with integrity protection and so that at least a second packet of the plurality of packets is communicated over the radio bearer without integrity protection. Related mobile devices and base stations are also discussed.

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: There is provided a method for determining a security context for communication between a wireless device and a target network node at handover. The method comprises obtaining (S1) information representative of the type of Radio Access Technology, also referred to as RAT type, of the target network node, and deriving and/or determining (S2) the security context at least partly based on the information representative of the RAT type.

Abstract: A network node is configured for use in a wireless communication network. The network node is configured to acquire radio access capability information of a wireless device. The radio access capability information of the wireless device indicates radio access capabilities of the wireless device. The network node is configured to determine if the wireless communication network received the radio access capability information of the wireless device before access stratum security was activated for the wireless device. If the wireless communication network received the radio access capability information of the wireless device before access stratum security was activated for the wireless device according to that determination, the network node is configured to re-acquire the radio access capability information of the wireless device after access stratum security is activated for the wireless device.

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: A method in a first node of a wireless communications network comprises: inspecting a data packet or message to determine a characteristic of the data packet or message; and selectively activating integrity protection for onward transmission of the data packet or message to a second node of the wireless communications network based on the determined characteristic.

Abstract: A method performed by an authentication server in a home network of a UE for obtaining a subscription permanent identifier, SUPI. The method comprises: receiving a SUCI which comprises an encrypted part in which at least a part of the SUPI is encrypted, and a clear-text part which comprises a home network identifier and an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the SUPI in the SUCI; determining a de-concealing server to use to decrypt the encrypted part of the SUCI; sending the SUCI to the de-concealing server; and receiving the SUPI in response. Methods performed by a UE and a de-concealing server are also disclosed. Furthermore, UEs, de-concealing servers, authentication servers, computer program and a memory circuitry are also disclosed.

Abstract: A method (1400) is performed by a secondary base station (412, 520) in first connection with a wireless device (110) in a dual connectivity. The wireless device has a second connection with a master base station (412, 520). A first security algorithm is used for communication between the secondary base station and the wireless device in the first connection. The method comprises determining to use a second security algorithm for securing communication between the secondary base station and the wireless device. The method further comprises sending a message to the master base station, the message indicating the second security algorithm and causes the master base station to send a message to the wireless device. The message to the wireless device indicates the second security algorithm. The method further comprises using the second security algorithm to secure communication between the secondary base station and the wireless device.

Abstract: Network equipment (26) in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, (34) for a subscriber (13). The SUCI (34) contains a concealed subscription permanent identifier, SUPI, (20) for the subscriber (13). The received at least a portion of the SUCI (34) indicates a sub-domain code, SDC, (32). The SDC (32) indicates a certain sub-domain, from among multiple sub-domains (30-1, 30-2, . . . 30-N) of a home network of the subscriber (13), to which the subscriber (13) is assigned. The network equipment (26) is also configured to determine, based on the SDC (32) and from among multiple instances (24-1, 24-2, . . . 24-M) of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber (13).

Abstract: A communication device, network node and methods therein in for handling network slices in a wireless communication network are disclosed. The communication device encrypts Network Slice Selection Assistance information, NSSAI, using public key cryptography and includes the encrypted NSSAI in a Non Access Stratum, NAS, registration request. Then the communication device sends a Radio Resource Control, RRC, request to the network node including the NAS registration request. The network node receives the RRC connection request from the communication device and selects a network function based on information in the RRC connection request. The network node forwards the NAS registration request to the network function and forwards to the communication device a NAS registration response received from the network function after the network function decrypting the NSSAI using a PLMN private key.

Abstract: A wireless device (16) configured to receive from a network node (20) a page (18) that includes a paging identifier (18A) 4 for the wireless device (16). The paging identifier (18A) may identify as a target of the page (18) a wireless device (16) associated with a particular subscriber. In fact, in some embodiments, the paging identifier (18A) is based on an encrypted subscription identifier for the wireless device (16) or is a pseudonym subscription identifier for the wireless device (16). In any event, the wireless device (16) is also configured to transmit to the network node (20) a response (22) to the page (18) that indicates the wireless device (16) was paged but that includes an identifier for the wireless device (16) that is different than the paging identifier (18A) included in the page (18).

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: A method performed by an authentication server for provisioning a user equipment (1), UE. The method comprises: obtaining a message authentication code, MAC, based on a provisioning key specific to the UE to the UE and a privacy key of a home network (3) of the UE, wherein the provisioning key is a shared secret between the authentication server (14) and the UE and the privacy key comprises a public key of the home network; and transmitting the privacy key and the MAC to the UE. Methods performed by a de-concealing server and the UE, respectively are also disclosed as well as authentication servers, de-concealing servers and UEs. A computer program and a memory circuitry (13) are also disclosed.

Abstract: A network node is configured for use in a wireless communication network. The network node is configured to acquire radio access capability information of a wireless device. The radio access capability information of the wireless device indicates radio access capabilities of the wireless device. The network node is configured to determine if the wireless communication network received the radio access capability information of the wireless device before access stratum security was activated for the wireless device. If the wireless communication network received the radio access capability information of the wireless device before access stratum security was activated for the wireless device according to that determination, the network node is configured to re-acquire the radio access capability information of the wireless device after access stratum security is activated for the wireless device.

Abstract: According to certain embodiments, a method for use in a wireless device comprises receiving a release message from a network node operating in a network. The release message comprises a first release token and an instruction to release a radio resource control (RRC) connection. The method comprises determining whether the first release token passes verification and determining an action to perform based on whether the first release token passes verification. In response to a determination that the first release token passes verification, the action comprises releasing the RRC connection.

Abstract: Core network equipment is configured for use in a core network of a wireless communication system. The core network equipment is configured to switch switching to using a new non-access stratum, NAS, security context between a user equipment and the core network equipment. The core network equipment is also configured to, during or in association with a handover procedure for handover of the user equipment, signal from the core network equipment that the new NAS security context between the user equipment and the core network equipment is to be used as a basis for an access stratum (AS) security context between the user equipment and radio access network equipment.

Abstract: A method is performed by a wireless device (16). The method comprises determining whether a core network functionality (12) of a wireless communication system (10) refreshes a temporary identifier (18) associated with the wireless device (16) in accordance with a defined procedure. The method also comprises, responsive to determining that the core network functionality (12) does not refresh the temporary identifier (18) in accordance with the defined procedure, performing one or more actions. The action(s) may for instance include recording at the wireless device (16) that the core network functionality (12) does not refresh a temporary identifier (18) in accordance with the defined procedure and/or reporting the core network functionality (12) as not refreshing the temporary identifier (18) in accordance with the defined procedure.

Abstract: A method of operating a Master gNodeB (MgNB) in a radio access network RAN is disclosed. An indication of a user plane security policy is received from a core network node, wherein the user plane security policy requires user plane integrity protection for a protocol data unit PDU session. Responsive to the user plane security policy requiring user plane integrity protection for the PDU session and responsive to determining that a secondary base station supporting the user plane security policy requiring user plane integrity protection is unavailable, a data radio bearer DRB of the PDU session is established directly between the MgNB and a user equipment UE. Related MgNBs are also discussed.

Abstract: A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.