Abstract: Apparatuses, methods, and systems are disclosed for authentication for a network service. One method includes receiving, at a first network device from a second network device, a network function service request to execute a service on a third network device. The request includes first credentials for authentication with a first network device and second credentials for authentication with the third network device. The method includes determining whether the first credentials provided are valid and execute the service request by determining the third network device to execute the service requested from the second network device. The method includes transmitting, to a fourth network device, a request for authentication with the third network device. The request includes an identifier of the third network device and second credentials of the second network device.

Abstract: Various aspects of the present disclosure relate to secure data collection via a messaging framework. An apparatus includes at least one memory and at least one processor that is configured to receive a subscription request from a data consumer function, the subscription request comprising a data tag associated with a data producer function, generate a security key for the data tag, generate a binding for the data tag between the security key, the data consumer function, and the data producer function, and transmit, for use in data transmissions between the data producer function and the data consumer function a service request message to the data producer function, the service request message comprising the data tag and the security key, and a data exposure response message to the data consumer function, the data exposure response message comprising the data tag and the security key.

Abstract: Various aspects of the present disclosure relate to key identification for mobile edge computing functions. An apparatus includes at least one memory and at least one processor that is configured to generate a unique key set identifier (“KSI”) associated with a multi-access edge computing (“MEC”) service, derive a key for a network function based on a corresponding root key and the generated KSI, the KSI provided as input to a key derivation function (“KDF”), and transmit an application registration request message to the network function for establishing a secure connection to the network function using the key, the application registration request message comprising the KSI.

Abstract: Apparatuses, methods, and systems are disclosed for rerouting message transmissions. One method includes receiving, at a first network device, a registration request message. The method includes delaying, by the first network device, primary authentication, security setup, or a combination thereof based at least partly on a subscription permanent identifier (SUFI) from a second network device and subscription information. The method includes determining, at the first network device, whether to transmit a reroute non-access stratum (NAS) message.

Abstract: A method for providing a key derivation function (KDF) negotiation in a 5G network is provided. The method which includes: selecting a specific KDF at a UE and at the network for at least one security related key derivation; and transmitting, said selected KDF to the UE and to other network functions to indicate said selected KDF for generating specific security key at a receiver side.

Abstract: Apparatuses, methods, and systems are disclosed for provisioning server selection in a cellular network. One method includes communicating, at a network device, with a remote unit via a first network function. The method includes receiving an authentication request from the first network function. The method includes selecting a provisioning server based on a remote unit identity of an onboarding profile, based on a pre-configuration, or a combination thereof. The method includes transmitting a response message to the first network function. The response message includes a provisioning server address.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: Apparatuses, methods, and systems are disclosed for network security based on routing information. One method includes receiving at a first network device, a security request message from an initial access and mobility management function (AMF), an initial security anchor function (SEAF)), or a combination thereof. The security request message includes information indicating a serving network name (SNN), whether routing information is required, a subscription permanent identifier (SUFI), or some combination thereof. The method includes determining, at the first network device, routing information based on the security request message. The method includes transmitting, from the first network device, a security response message to the initial AMF, the initial SEAF, or the combination thereof. The security response message includes the routing information.

Abstract: Apparatuses, methods, and systems are disclosed for handling security aspects for UAS in a 3GPP network. One apparatus contains a transceiver that receives a revocation indication message from a mobile communication network and a processor that deletes UAS-related authorization and security information corresponding to a UAV ID. The transceiver further transmits a revocation acknowledgement message to the mobile communication network.

Abstract: Apparatuses, methods, and systems are disclosed for managing the end-to-end (“e2e”) data protection. One apparatus includes a transceiver that receives, from an application server, a management requirement for managing e2e data protection for at least one service. The apparatus includes a processor that obtains at least one digital identifier (“DIG-ID”) of at least one client device for the at least one service in response to receiving the management requirement and verifies the at least one DIG-ID with a distributed transaction verification network. The transceiver further sends a request to a mobile communication network, the request providing the at least one verified DIG-ID, and sends a trigger event to the at least one client device for connecting to the mobile communication network using the at least one verified DIG-ID.

Abstract: A communication terminal capable of preventing a reduction in security level that is caused at the time of establishing multiple connections via 3GPP Access and Non-3GPP Access. A communication terminal according to the present disclosure includes: a communication unit configured to communicate with gateway devices disposed in a preceding stage of a core network device via an Untrusted Non-3GPP Access; and a key derivation unit configured to derive a second security key used for security processing of a message transmitted using a defined protocol with the gateway device, from a first security key used for security processing of a message transmitted using a defined protocol with the core network device.

Abstract: The present disclosure provides a User Equipment (UE) comprising a transceiver circuit; and a controller configured to control the transceiver circuit to send, to an Access and mobility Management Function (AMF) of a communication node, an identifier, wherein upon successful authentication of a network access function of the UE in the communication node, the controller is configured to maintain a secure connection with the communication node.

Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.

Abstract: Apparatuses, methods, and systems are disclosed for Digital Identifier-based authentication for network access. One apparatus includes a memory coupled to a processor, the memory storing instructions executable by the processor to control the apparatus to receive a first authentication request message containing UE identifier that is based on a Digital Identifier (“DIG-ID”) comprising a verifiably secure identity. The instructions are executable by the processor to control the apparatus to receive subscription information from a service provider identified using the DIG-ID, and to store the subscription information and UE security context containing at least one security key derived using the DIG-ID. The instructions are executable by the processor to control the apparatus to transmit the at least one security key.

Abstract: A communication terminal (10) includes control means for generating a subscription concealed identifier (SUCI) including a subscription permanent identifier (SUPI) concealed using a predetermined protection scheme, and a protection scheme identifier identifying the protection scheme, and transmission means for sending the SUCI to a first network apparatus during a registration procedure, the SUCI being sent for a second network apparatus to de-conceal the SUPI from the SUCI based on the protection scheme used to generate the SUCI.

Abstract: Apparatuses, methods, and systems are disclosed for Digital Identifier-based subscription onboarding. One apparatus includes a memory coupled to a processor, the memory storing instructions executable by the processor to control the apparatus to acquire a Digital Identifier (“DIG-ID”) comprising a verifiably secure identity, and to generate a digital signature of the DIG-ID and a timestamp using a private key. The instructions are executable by the processor to control the apparatus to send a first request to a mobile communication network and to receive a response containing an onboarding authentication success indication and a verified DIG-ID, the first request including the DIG-ID, the timestamp and the digital signature. The instructions are executable by the processor to establish a provisioning connection to the mobile communication network and to receive a subscription credential and/or a user subscription profile via the provisioning connection.

Abstract: Apparatuses, methods, and systems are disclosed for correlating a user equipment and an access and mobility management function. One method (900) includes determining (902), at a first network device, a correlation between a user equipment identifier for a user equipment and an access and mobility management function identifier for an access and mobility management function. The method (900) includes storing (904), by the first network device, correlation information indicating the correlation between the user equipment identifier and the access and mobility management function identifier. The method (900) includes receiving (906), at the first network device, a request from a second network device, wherein the request comprises the user equipment identifier. The method (900) includes determining (908), by the first network device, the access and mobility management function identifier using the user equipment identifier in the request.

Abstract: A method for integrity protection scheme by a mobile communication device or a core network entity according to a first exemplary aspect of the present disclosure includes configuring settings and parameters for integrity protection for user data with another party; receiving user plane data from the other party, calculating Message Authentication Code for Integrity (MAC-I) for a part of the data and checking integrity of the part of the data.

Abstract: Apparatuses, methods, and systems are disclosed for dynamic user equipment identifier assignment. One apparatus includes a transceiver that receives, at a user equipment (“UE”) device, an initial identifier for the UE device from a mobile wireless communication network and a processor that generates a plurality of identifiers for the UE device based on the initial identifier where each of the plurality of identifiers is generated based on a previous identifier to form a chain of identifiers, assigns an identifier that was generated last in the chain of identifiers to the UE device, and periodically assigns a different identifier to the UE device from the chain of identifiers, the different identifier comprising an identifier in the chain of identifiers that is used to generate the identifier that is currently assigned to the UE.

Abstract: Apparatuses, methods, and systems are disclosed for a factor for multiple device registrations. One method includes receiving, at a network device from a first device, a first session initiation protocol message including an identity for establishing a data session. The method includes determining a factor based on a first registration performed by a second device and a second registration performed by a third device. The method includes transmitting a second session initiation protocol message including the identity and the factor to the second device. The method includes establishing the data session between the first device and the second device. The identity is: registered for the first registration; registered for the second registration; not registered for the first registration; not registered for the second registration; or some combination thereof.