Abstract: According to an example aspect of the present invention, there is provided a method comprising: generating a certificate comprising an identifier of a base station, a public key of the base station, and a public key of a terminal; signing the certificate by a signature based on a private key belonging to the public key of the base station; sending the signed certificate to the terminal using an established security association; monitoring whether the base station receives a request for local authentication of the terminal, wherein the request comprises an encrypted certificate unit and a base station identifier; checking whether the base station identifier is the identifier of the base station and, if it is, decrypting the encrypted certificate unit using the private key; and using the public key of the terminal for a communication with the terminal if the certificate unit comprises the signed certificate.

Abstract: Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.

Abstract: Systems, methods, and software of performing a UE challenge. In one embodiment, User Equipment (UE) initiates a UE challenge procedure to a home network before engaging in a primary authentication procedure by generating a UE challenge by encrypting a random nonce with a home network public key, and transmitting a first message containing the UE challenge toward the home network. The UE receives a second message containing a challenge response to the UE challenge, processes the challenge response to determine whether the home network decrypted the random nonce in response to the UE challenge, and verifies an identity of the home network when the home network decrypted the random nonce in response to the UE challenge.

Abstract: In response to a UE in a wireless network leaving a multicast group to which the user equipment belonged or switching between multiple access nodes belonging to the multicast group, sending by an access node a rekeying token for UE(s) in the multicast group to use to access data for the multicast group. The access node generates key(s) based at least on the rekeying token. The access node multicasts traffic to the UE(s) in the multicast group using the key(s). In response to an other UE in a wireless network leaving a multicast group to which a UE belongs or switching by the UE between multiple access nodes belonging to the multicast group, receiving, at the UE from an access node, a rekeying token to use. The UE generates key(s) based at least on the rekeying token and receives multicast traffic using the key(s).

Abstract: Techniques for securing mobile-terminated messages are disclosed. In one example, a method comprises receiving, at user equipment, a concealed message from a communication network with which the user equipment is in an idle state. The method de-conceals the concealed message, at the user equipment, to obtain at least one indicator value using at least a security value previously agreed upon with the communication network. The method generates a decision, at the user equipment, with respect to the idle state based on the obtained at least one indicator value. In one example, the at least one indicator value comprises a paging cause value.

Abstract: Methods, computer program products, and apparatuses are provided for enabling a user equipment (UE) to connect to the wireless access network that support non-seamless wireless local area network (WLAN) offload (NSWO), such as using the UE's fifth generation (5G) credentials. An apparatus may include a processor and a memory storing computer program code configured to cause the apparatus to request, by the UE, a wireless connection to a network entity; receive, by the UE, from the network entity, an identity request; and in response to the identity request, cause transmission, by the UE, an identity response including a UE identifier to the network entity such that the UE is configured to establish a security context with the network entity upon successful authentication using the UE identifier.

Abstract: Apparatus and method for counter measures for attacking messages are provided. Solution comprises communicating (500) with another apparatus utilising sidelink transmissions, monitoring (502) for an attacking sidelink message based on the content or timing of received messages and entering (504) a defensive mode to mitigate the attack when one or more received messages has been detected as attacking sidelink messages.

Abstract: Apparatus and method for communication are provided. One or more link identifiers used by a first terminal device are obtained. Information on communication of another terminal device with the first terminal device based on the obtained one or more link identifiers is obtained. Based on the obtained information, it is determined, that the first terminal device is active for communication and transmission to the first terminal device performed based on the determination.

Abstract: A user equipment includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the user equipment to obtain a message, the message including information identifying a plurality of discontinuous reception configurations, and use one of the plurality of discontinuous reception configurations based on at least one of a location of the user equipment and a current time.

Abstract: Techniques for securing mobile-terminated messages are disclosed. In one example, a method comprises receiving, at user equipment, a concealed message from a communication network with which the user equipment is in an idle state. The method de-conceals the concealed message, at the user equipment, to obtain at least one indicator value using at least a security value previously agreed upon with the communication network. The method generates a decision, at the user equipment, with respect to the idle state based on the obtained at least one indicator value. In one example, the at least one indicator value comprises a paging cause value.

Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.

Abstract: Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.