Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: Techniques for authentication and key management for applications (AKMA) in a communication network are disclosed. For example, a method comprises receiving an indication from an application function that a first expiry time of a first application function key, generated using a first random value and configured to enable user equipment to participate in a session with the application function, has expired. The method generates a second application function key for the application function, using a second random value, with a second expiry time.

Abstract: An apparatus for a network node acting as a gateway entity of a second communication network providing access to a first communication network being different to the second communication network, the apparatus comprising at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to receive a registration request of a user equipment for a registration to the first communication network via the second communication network, wherein the registration request comprises an anonymized subscriber identification element, to obtain a temporary identification for the user equipment, and to forward the temporary identification for the user equipment to the user equipment.

Abstract: A method, apparatus, and computer program for receiving an application session establishment request comprising an authentication and key management for applications, AKMA, Key Identifier, A-KID; producing an application key request (Naanf_AKMA_ApplicationKey_Get_request) comprising information elements AKMA Key Identifier A-KID; an application function identifier, AF_ID; and an application encryption key indication (Nnef_AKMA_AF_Encryption_Key_Indication); and sending the produced application key request (Naanf_AKMA_ApplicationKey_Get_request) to a home AKMA anchor function, hAAnF, or to a network exposure function, NEF, for enabling lawful interception in the VPLMN.

Abstract: Disclosed is a method comprising receiving a first transmission from a first terminal device, wherein the first transmission indicates one or more resources to be used at least for a second transmission, monitoring one or more physical feedback channel resources associated with the indicated one or more resources, detecting one or more feedback signals from the monitored one or more physical feedback channel resources, and extending a wake-up time based at least partly on the detected one or more feedback signals.

Abstract: There is provided receiving, by a wireless device connected to a wireless network over a wireless connection, one or more segments of at least one system information block message; determining, by the wireless device, at least one hash value based on at least one segment of the received one or more segments; transmitting, by the wireless device to the wireless network, a system information request comprising information identifying the at least one segment and the determined at least one hash value.

Abstract: There is provided an apparatus, method and computer program for causing a first apparatus to: obtain an identifier of a cryptographic key according to a first security communication protocol; signal, to a second apparatus, a first authentication request according to a second security communication protocol, the first authentication request comprising the identifier of the cryptographic key and a first verifying information according to a second security communication protocol, wherein the first verifying information comprises a first value calculated using the cryptographic key; receive, from the second apparatus, an authentication response according to the second security communication protocol, the authentication response comprising a second verifying information according to the second security communication protocol, wherein the second verifying information comprises a second value; and verify the second apparatus for the second security communication protocol using the second value and the cryptographic

Abstract: A method is disclosed comprising: establishing an encrypted session with an application function based on a certificate; receiving a request for an application key from the application function using the encrypted session, wherein the request comprises a key identifier relating to a user device and an application function identifier; determining at least one response to the request for the application key from a set of possible responses, the set comprising at least a rejection and a message comprising the application key and a user device identifier; and transmitting the at least one response to the request for the application key to the application function. Furthermore, related methods, apparatuses, computer programs and systems are disclosed.

Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: Method comprising: monitoring whether a network receives an authorization request for establishing a session of an AF with a UE, wherein the authorization request comprises a permanent identifier of the AF, a received temporary identifier of the AF, and a temporary identifier of a UE; if the authorization request is received: forming a key identifier based on the temporary identifier of the UE; retrieving, based on the key identifier, a stored key and a first permanent identifier of the UE; calculating a calculated temporary identifier of the AF based on the permanent identifier of the AF and the stored key; checking whether the calculated temporary identifier of the AF is identical with the received temporary identifier of the AF; inhibiting authorizing the AF for the establishing the session with the UE if the calculated temporary identifier of the AF is not identical with the received temporary identifier of the AF.

Abstract: Techniques for security management with compromised-equipment detection in a communication system are disclosed. For example, a method comprises causing intentional introduction of one or more errors in at least one communication protocol layer of a communication network, wherein the communication network has a plurality of user equipment connected thereto via at least one access point. The method further comprises causing verification of one or more received error indicators against one or more expected error indicators to decide whether any of: (i) the plurality of user equipment; (ii) the at least one access point; or (iii) one or more network entities, may be compromised. In other examples, verifications may be correlated with other logs including, for example, security event logs.

Abstract: There are provided measures for improved robustness of artificial intelligence or machine learning capabilities against compromised input. Such measures exemplarily comprise receiving, from a first machine learning model training data collection entity, first machine learning model training input data, analyzing said first machine learning model training input data for malicious input detection, deducing, based on a result of said analyzing, whether said first machine learning model training data collection entity is suspected to be compromised, and transmitting, if said first machine learning model training data collection entity is suspected to be compromised, information to a core network entity indicative of that said first machine learning model training data collection entity is suspected to be compromised.

Abstract: Various example embodiments relate to authentication in case of roaming. An apparatus may be configured to receive, by an application function of a first visitor public land mobile area network (PLMN) or a second visitor PLMN of a device, a registered serving network identifier of the device indicative of the first visitor PLMN; and transmit, based on the registered serving network identifier, an encryption key to an application security function of the first visitor PLMN for encryption of an application session of the device.

Abstract: According to an example aspect of the present invention, there is provided an apparatus, such as a user equipment, configured to transmit to a cellular core network a request to open a protocol session to an external network which is external to the cellular core network, the request being configured to cause the cellular core network to transmit to the external network, or to receive from the external network, a code associated with a subscription of the apparatus, forward at least one authentication request originating in the external network to a node connected with the apparatus, via a local connection, and forward at least one authentication response from the node to the external network via the cellular core network, and relay packets comprised in the protocol session between the node and the external network without participating in the protocol session as an endpoint.

Abstract: Example embodiments of the present disclosure relate to switching over without disconnection of access network. In an example method, a core network device receives a sensing request from a terminal device. The first apparatus receives an internal indication of the switchover from a second apparatus of the terminal device separable from the first apparatus; switches from a first context associated with the first traffic to a second context associated with the second traffic; and sends a response to the second apparatus of the terminal device to indicate that the switching is completed. In this way, the first apparatus of the terminal device can switch from the first context to the second context, without disconnection with the access network, and without interrupt of the service.

Abstract: According to an example aspect of the present invention, there is provided a method comprising: generating a certificate comprising an identifier of a base station, a public key of the base station, and a public key of a terminal; signing the certificate by a signature based on a private key belonging to the public key of the base station; sending the signed certificate to the terminal using an established security association; monitoring whether the base station receives a request for local authentication of the terminal, wherein the request comprises an encrypted certificate unit and a base station identifier; checking whether the base station identifier is the identifier of the base station and, if it is, decrypting the encrypted certificate unit using the private key; and using the public key of the terminal for a communication with the terminal if the certificate unit comprises the signed certificate.

Abstract: Systems, methods, and software of performing primary re-authentication of User Equipment (UE) (106). In one embodiment, a Unified Data Management (UDM) (218) triggers primary re-authentication of a UE in response to a trigger condition, and sends a re-authentication notification message toward an Access and Mobility Management Function (AMF) (212) to perform primary re-authentication of the UE.

Abstract: Systems, methods, and software of performing an Authentication and Key Management for Applications (AKMA) authentication service. An AKMA authentication proxy resides between User Equipment (UE) and a plurality of Application Functions (AFs). The AKMA authentication proxy receive an application session establishment request message from the UE requesting an application session with a first application function, sends a key request message toward an AKMA anchor function (AAnF) requesting AKMA application keys for a plurality of application functions, receives a key response message sent from the AAnF that includes the AKMA application keys, identifies a first AKMA application key for the first application function from the AKMA application keys derived by the AAnF, and forwards the application session establishment request message to the first application function with the first AKMA application key.

Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.

Abstract: There is provided an apparatus for a communication network comprising means for generating a subscription concealed identifier, SUCI, comprising a protection scheme identifier and a home network public key identifier. At least one of: a part of the protection scheme identifier and a part of the home network public key identifier comprises a version number of the at least one of: the protection scheme identifier and the home network public key identifier, correspondingly.