Abstract: Apparatuses, methods, and systems are disclosed for performing a trust evaluation service at a network function (“NF”). One method includes receiving, at a first NF, a first request message from a second NF. The first request message includes a trust service subscription request message corresponding to a trust service subscription. The method includes performing inference data collection. The method includes performing a trust evaluation service corresponding to the trust service subscription to produce trust evaluation data. The trust evaluation service is performed based at least in part on the inference data collected. The method includes transmitting a first response message to the second NF. The first response message includes information corresponding to the trust evaluation data.

Abstract: The present disclosure provides a User Equipment (UE) comprising a transceiver circuit; and a controller configured to control the transceiver circuit to send, to an Access and mobility Management Function (AMF) of a communication node, an identifier, wherein upon successful authentication of a network access function of the UE in the communication node, the controller is configured to maintain a secure connection with the communication node.

Abstract: The present disclosure relates to methods, apparatuses, and systems that support API access management in wireless systems. For instance, an API invoker (e.g., a user or UE) can be authenticated and authorized to access or register with a common API framework (CAPIF) function to enable real-time user consent driven API invocation authorization and secured user service data exposure by a network. Further, a comprehensive set of procedures are provided that ensure that networks are protected from unpermitted and/or potentially malicious access to APIs exposed by the network.

Abstract: Various aspects of the present disclosure relate to a resource owner (e.g., a user or UE) that is authenticated and authorized to access or register with a common application programming interface (API) framework (CAPIF) function. Security credentials (e.g., a CAPIF key KCAPIF) are generated and a temporary user identity is used to preserve confidentiality of identity of the resource owner. The KCAPIF is subsequently used to provide a secure session when registering with the CAPIF function. Furthermore, the KCAPIF is used to provide a secure session when providing consent data from the resource owner to the CAPIF.

Abstract: Apparatuses, methods, and systems are disclosed for deriving a key based on an edge enabler client identifier. One method includes receiving, at a network function, a request message from an edge server function. The request message includes: an edge server identifier; and an edge enabler client identifier (EEC-ID), wherein the EEC-ID includes: an unencrypted EEC-ID; or an encrypted EEC-ID. The encrypted EEC-ID is encrypted with an authentication and key management (AKMA) key (KAKMA). The method includes deriving a unique key (KAFEEC) based on the edge server identifier and the EEC-ID. The method includes transmitting a response message to the edge server function. The response message includes: the KAFEEC; and an unencrypted EEC-ID.

Abstract: Various aspects of the present disclosure relate to user equipment (UE) parameter update (UPU) header protection. An apparatus, such as a network equipment (NE) implements unified data management (UDM). The UDM transmits a request to an authentication server function (AUSF) to apply UPU header protection, and transmits a UPU transparent container and/or UPU header information to a UE. The UPU transparent container and/or the UPU header information includes an indication that a UPU header is protected. The UE receives a non-access stratum (NAS) message that includes an indication of the UPU header protection, computes a UPU message authentication code (MAC) using a UPU header as at least one input for UPU protection, and transmits an acknowledgement that indicates a UPU header verification is successful.

Abstract: Various aspects of the present disclosure relate to a user equipment (UE) that transmits information, such as to a common application programming interface framework (CAPIF) function or to a core network function (CNF), to trigger a user consent provisioning procedure. The UE also transmits a data exposure notification comprising at least user consent data, and the UE receives a data exposure response acknowledgement (ACK) that indicates the user consent data is stored for reference of the user consent.

Abstract: Various aspects of the present disclosure relate to performing confidentiality and/or privacy protection for communications between devices, such as ambient energy-powered devices. In some cases, the IoT devices and/or IoT servers can perform key generation using secret parameters that are only known to the devices/servers as input into a hash function. For example, the IoT server and IoT device can utilize a device identifier as a secret parameter, which is input, along with a nonce, into hash operations or functions to generate security keys (e.g., a key K). In some cases, key generation can include time information or other similar information to ensure freshness of the security K during generation.

Abstract: Apparatuses, methods, and systems are disclosed for communicating identity messages between network devices. One method includes receiving, at a first network device, network repository function (“NRF”) level information from a second network device. The method includes transmitting an identity request message to a third network device. The identity request message includes target access and mobility management function (“AMF”) information, selection information, a subscription permanent identifier (“SUPI”), and/or an AMF reallocation indication. The method includes receiving an identity response message from the third network device. The identity response message includes a global unique temporary identifier (“GUTI”) and/or the SUPI. The method includes transmitting a registration accept message to a user equipment (“UE”). The registration accept message includes the GUTI and/or a reroute indication. The method includes receiving a registration complete message from the UE.

Abstract: The present disclosure is related to sending of a one time identifier of a UE during the NAS procedure. Specifically, the present disclosure relates to determining whether to use same one time identifier or different one time identifier during registration retry procedure.

Abstract: Apparatuses, methods, and systems are disclosed for coordinating dual registration. One method includes transmitting, to an edge interworking service, a first request message including: an application profile; primary security information; secondary security information; and a requested dual registration area. The method includes receiving, from the edge interworking service, a first response message including: a coordinated expiration time; a dual registration identifier; and a combined allowed dual registration area.

Abstract: Apparatuses, methods, and systems are disclosed for provisioning a Secured Packet. One method includes sending, to a Secured Packet Application Function, a request for a credential related to a device and a service descriptor and receiving, from the Secured Packet Application Function, a secured packet and credential information, the credential information including: a subscriber identity corresponding to the device, a lifetime for the Secured Packet, a network service identifier, a device storage requirement indication, or a combination thereof. The method includes storing the secured packet and the credential information and provisioning the secured packet to the device via an update procedure, where the secured packet including the valid credential.

Abstract: Apparatuses, methods, and systems are disclosed for performing a user equipment (“UE”) parameters update (“UPU”) capability check. One method includes determining, at a first network function, to invoke a UE UPU capability check as part of a UPU procedure in response to UE capabilities not being available to provide a data set type. The method includes transmitting a first message to a second network function, wherein the first message includes: UPU priority information, UPU capability check required information, required UPU data type support information, or a combination thereof. The method includes receiving a second message from the second network function. The second message includes an authentication server function (“AUSF”) UPU medium access control (“MAC”) integrity (“I”) (“UPU-MAC-IAUSF”) and a UE UPU expected MAC (“XMAC”) I (“UPU-XMAC-IUE”).

Abstract: Apparatuses, methods, and systems are disclosed for determining release information based on registration information. One method includes receiving, at a first network function, a registration request message from a UE. The registration request message includes: an identity; at least one information element; and at least one UE capability. The method includes determining release information of the UE by analyzing the identity, the at least one information element, and the at least one UE capability. The method includes transmitting to a second network function: the identity; and the release information of the UE.

Abstract: Apparatuses, methods, and systems are disclosed for enabling roaming with authentication and key management for applications. An apparatus includes a processor that determines a serving network of a user equipment (“UE”) device, the serving network comprising a visited public land mobile network (“VPLMN”) that is different from a home PLMN (“HPLMN”) associated with the UE. The processor selects a network function within the serving network for provisioning an authentication and key management for applications (“AKMA”) security context for an application function (“AF”) based on a name for the serving network. The apparatus includes a transceiver that sends the security context to the network function.

Abstract: The present disclosure is related to sending of a one time identifier of a UE during the NAS procedure. Specifically, the present disclosure relates to determining whether to use same one time identifier or different one time identifier during registration retry procedure.

Abstract: The present disclosure relates to method of enabling key re-usage for an electronic device. The method comprising: receiving a request message from the electronic device, wherein the request message comprises a first information being indicative of a preference for one of a first key associated with a first network node in a first network or a second key associated with a second network node in a second network; processing the request message to determine the preference indicated in the first information; and transmitting a response message to the electronic device for reusing the first key or second key, the electronic device is configured to derive a third key based on the first key or the second key as indicated in the determined preference, and the second network is able to access to the first key and the second key whereas the first network cannot access the second key.

Abstract: Apparatuses, methods, and systems are disclosed for application registration with a network. One method includes transmitting an application registration request to a network device. The application registration request includes a client identifier, an authentication code, a routing identifier, or a combination thereof. The method includes receiving a response from the network device. The response corresponds to the application registration request.

Abstract: Apparatuses, methods, and systems are disclosed for establishing a trust relationship between an application entity and a wireless communication network. One apparatus (600) includes a processor (605) and a transceiver (625). The transceiver (625) sends, from an application entity, a request to a first network function to authenticate the application entity to a second network function that does not have a trust relationship with the application entity and receives a result of the authentication from at least one of the first and second network functions. The processor (605) establishes a trust relationship between the application entity and the second network function such that the application entity can communicate with the second network function in response to the application entity being authenticated.

Abstract: Various aspects of the present disclosure relate to protecting broadcast ranging and positioning messages over sidelink interface. An initiator user equipment (UE) can initiate a ranging or positioning procedure with secondary UEs that are in close proximity with the initiator. The initiator UE sends a sidelink (SL) broadcast message with a requested positioning or ranging action, along with a temporary group identifier. The secondary UEs perform the requested positioning or ranging action and return their results to the initiator UE. The results are protected (e.g., encrypted) using one or more keys associated with the temporary group identifier. These one or more keys may be a group broadcast key known by all of the secondary UEs, or individual broadcast keys for the individual secondary UEs.