Abstract: A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device which sends a request of a communication and a receiving device which receives the request from the requesting device, the method including deriving session keys Kpc and Kpi from an unique key Kp at the requesting and receiving devices, using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices, starting the direct communication with the requesting and receiving devices. The key Kpc is confidentiality key and the key Kpi is integrity protection key.

Abstract: In order for supporting separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.

Abstract: The present disclosure relates to secure provisioning of UE mobility restriction by extending neighbour relation tables to include mobility restrictions in addition to neighbour cell information and sending neighbour cell restriction information (per UE) to the UE, gNB, UE and gNB. The present invention also provides a method and apparatus and a system for mapping mobility restrictions with TA list and sending the TA list along with the Handover Restriction List during handover.

Abstract: A VNF package signing system, comprises an orchestration unit sending an acknowledge of receiving a VNF package including the VNF image, in response to the receiving the VNF package from a sender, a storage unit storing the VNF package and generating a certificate for the VNF package using a private key for at least generating a certificate for signing the VNF package and a HISEE (Hardware Isolated Secured Execution Environment) unit providing the private key in response to the request from the storage unit. The orchestration unit sends the acknowledge of receiving a VNF package when the storage unit successes generating the certificate of the VNF package.

Abstract: A method of forming a secure group in ProSe communication includes requesting a service request to a ProSe server from a requesting device (21), the service request indicating a request to communicate with a receiving device (22) from the requesting device (21), performing verification on the requesting and receiving devices (21) and (22) by the ProSe server 24, sending a ProSe Service Result to the requesting and receiving devices (21) and (22) to inform to be allowed a group member, and starting a group security establishment of the group including the requesting and receiving devices (21) and (22)

Abstract: Upon receiving a triggering message from a MTC server (20), a network (10) verifies if the MTC server (20) is authorized to trigger a target MTC device (30) and also if the MTC device (30) is authorized to respond the triggering message, by comparing an MTC device ID and MTC server ID (and optionally information on subscription) which are include in the triggering message with authorized ones. Upon succeeding in the verification, the network (10) checks a trigger type included in the triggering message to verify if the triggering message is authorized to be sent to the MTC device (30). Upon succeeding in the check, the network (10) forwards the triggering message to the MTC device (30). The network (10) also validates a response from the MTC device (30), by checking whether the MTC device (30) is allowed to communicate with the addressed MTC server (20).

Abstract: A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device (31) which sends a request of a communication and a receiving device (32) which receives the request from the requesting device (31) and (32), the method including deriving session keys Kpc and Kpi from an unique key Kp at the requesting and receiving devices (31) and (32), using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices (31) and (32), starting the direct communication with the requesting and receiving devices (31) and (32). The key Kpc is confidentiality key and the key Kpi is integrity protection key.

Abstract: In order for supporting separate ciphering at an MeNB (20) and an SeNB (30), the MeNB (20) derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB (20) and a UE (10). The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE (10) and the SeNB (30). The MeNB (20) sends the second key (KUPenc-S) to the SeNB (30). The UE (10) negotiates with the MeNB (20), and derives the second key (KUPenc-S) based on a result of the negotiation.

Abstract: Upon transmitting privacy information to an MTC server (20) via a network (30, 40), an MTC device (10) includes in a message a field to indicate whether the message contains the privacy information, such that the network (30, 40) can perform authorization for the MTC device (10) and server (20). When the MTC device (10) needs to keep connection with the network (30, 40), the MTC device (10) switches off the functionality of provisioning the privacy information, such that the MTC device (10) still can communicate with the network (30, 40). Upon the transmission of privacy information in an emergency case, the MTC device (10) further includes in the message a content to indicate that the MTC device (10) is an emergency device, such that the network (30, 40) verifies whether the MTC device (10) can be used or activated in the emergency case. Optionally, a USIM for emergency-use is deployed in the MTC device (10).

Abstract: A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device (31) which sends a request of a communication and a receiving device (32) which receives the request from the requesting device (31) and (32), the method including deriving session keys Kpc and Kpi from an unique key Kp at the requesting and receiving devices (31) and (32), using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices (31) and (32), starting the direct communication with the requesting and receiving devices (31) and (32). The key Kpc is confidentiality key and the key Kpi is integrity protection key.

Abstract: A communication system includes a plurality of communication terminals that form a communication group and a node device that carries out an authentication process on each of the communication terminals. The node device derives first keys unique to the respective communication terminals by using information shared between the node device and each communication terminal through the authentication process, derives a second key common to the communication group, calculates an exclusive OR between each first key and the second key, and transmits respective XOR values obtained through the calculation to the respective communication terminals. Each communication terminal reproduces the second key by calculating an exclusive OR of between the first key unique to the own communication terminal derived by using the information and the XOR value received from the node device. Thus, the keys used in group communication are managed more securely.

Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.

Abstract: In order for charging SDT and MTC device trigger over control plane, there is provided a network node (40) that relays messages over a control plane (T5 and Tsp) between an MTC device (10) and an SCS (50). The network node (40) counts the number of messages successfully relayed, and generates a CDR in accordance with the counted number. The messages are SDT messages delivered from the MTC device (10) to the SCS (50), SDT messages delivered from the SCS (50) to the MTC device (10), or MTC device trigger messages delivered from the SCS (50) to the MTC device (10). The network node (40) transfers the CDR to an OCF (31) or a CDF (32).

Abstract: Embodiments of this disclosure enable the I-CSCF and S-CSCF to detect inbound roaming UEs to network supporting Service Domain Centralization in IMS, so that the S-CSCF is able to select the appropriate database entity and can understand the CS authentication vector.

Abstract: This invention provides a network node for IP Multimedia Subsystem (IMS) Centralized Services (ICS), comprising: a memory storing instructions; and at least one processor configured to process the instructions to: receive an Update Location Request with an IMSI (International Mobility Subscriber Identity) and an MSRN (Mobile Station Routing Number) from a MSC (Mobile Switching Centre) Server, retrieve a subscription profile and service settings from a HSS (Home Subscriber Server), map the subscription profile with service settings into a CS (Circuit-Switched) profile with CS settings, and send an Insert Subscriber Data message including the mapped CS profile and CS settings, to the MSC Server.

Abstract: In order for more effectively supporting a Dedicated Core Network, there is provided a network system including a first node (30) that establishes secure connection with a UE (10) initially attempting to attach to a network, through a radio base station (20), and a second node (40) to which the UE (10) is redirected from the first node (30) through the radio base station (20). Upon the redirection, the first node (30) sends information on the first node (30) itself to the second node (40) through the radio base station (20). The second node (40) uses the information to retrieve security context necessary for establishing the connection with the UE (10) from the first node (30).

Abstract: A network node (21), which is placed within a core network, receives a message from a transmission source (30) placed outside the core network. The message includes an indicator indicating whether or not the message is addressed to a group of one or more MTC devices attached to the core network. The network node (21) determines to authorize the transmission source (30), when the indicator indicates that the message is addressed to the group. Further, the message includes an ID for identifying whether or not the message is addressed to the group. The MTC device determines to discard the message, when the ID does not coincide with an ID allocated for the MTC device itself. Furthermore, the MTC device communicates with the transmission source (30) by use of a pair of group keys shared therewith.

Abstract: An object is to provide a communication terminal capable of using a newly-generated network slice or service. A communication terminal (10) according to the present disclosure includes a communication unit (11) configured to receive a parameter related to SM-NSSAI (Session Management-Network Slice Selection Assistance Information) from a core network When subscriber information of the communication terminal itself managed in the core network or a location of the communication terminal itself is changed, and a control unit (12) configured to update NSSAI by using the parameter related to the SM-NSSAI, the NSSAI being managed to select a network slice.

Abstract: The present disclosure aims to provide a communication system capable of achieving advanced security in a 5G communication system. The communication system according to the present disclosure includes: a communication terminal (10); an Access and Mobility Management (AMF) entity (20) configured to execute Mobility Management (MM) processing regarding the communication terminal (10); and a Session Management Function (SMF) entity (30) configured to execute Session Management (SM) processing regarding the communication terminal (10), in which the communication terminal (10) sends an MM message used in the MM processing, a first security key having been applied to the MM message, between the communication terminal and the AMF entity (20), and sends an SM message used in the SM processing, a second security key having been applied to the SM message, between the communication terminal and the SMF entity (30) via the AMF entity (20).

Abstract: An SeNB informs an MeNB that it can configure bearers for the given UE. At this time, the MeNB manages the DRB status, and then sends a key S-KeNB to the SeNB. The MeNB also sends a KSI for the S-KeNB to both of the UE and the SeNB. After this procedure, the MeNB informs an EPC (MME and S-GW) about the new bearer configured at the SeNB, such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME or S-GW) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB is a valid eNB to which the traffic can be offload.