Abstract: Apparatuses, methods, and systems are disclosed for dynamic user equipment identifier assignment. One apparatus includes a transceiver that receives, at a user equipment (“UE”) device, an initial identifier for the UE device from a mobile wireless communication network and a processor that generates a plurality of identifiers for the UE device based on the initial identifier where each of the plurality of identifiers is generated based on a previous identifier to form a chain of identifiers, assigns an identifier that was generated last in the chain of identifiers to the UE device, and periodically assigns a different identifier to the UE device from the chain of identifiers, the different identifier comprising an identifier in the chain of identifiers that is used to generate the identifier that is currently assigned to the UE.

Abstract: Apparatuses, methods, and systems are disclosed for a factor for multiple device registrations. One method includes receiving, at a network device from a first device, a first session initiation protocol message including an identity for establishing a data session. The method includes determining a factor based on a first registration performed by a second device and a second registration performed by a third device. The method includes transmitting a second session initiation protocol message including the identity and the factor to the second device. The method includes establishing the data session between the first device and the second device. The identity is: registered for the first registration; registered for the second registration; not registered for the first registration; not registered for the second registration; or some combination thereof.

Abstract: Apparatuses, methods, and systems are disclosed for securing communications between user equipment devices. One apparatus includes a processor that derives, at a first user equipment (“UE”) device in communication with a mobile wireless communication network, a security key for securing communications between the first UE and a second UE via the mobile wireless communication network, the security key derived based on at least one parameter associated with the first UE and the second UE. The processor establishes a secure communication between the first UE and the second UE via a first network function of the mobile wireless communication network using the derived security key.

Abstract: Apparatuses, methods, and systems are disclosed for UAS authentication and security establishment. One apparatus includes a transceiver that sends, from a first network function of a mobile wireless communication network, an authentication request message from a user equipment (“UE”) to a UAS Service Supplier (“USS”)/UAS Traffic Management (“UTM”), the UE comprising at least one of an unmanned aerial vehicle (“UAV”) and a UAV controller (“UAV-C”). The transceiver receives, at the first network function from the USS/UTM, an authentication response message comprising a UAS identifier and a UAS security context.

Abstract: Apparatuses, methods, and systems are disclosed for authorizing and configuring pairing of unmanned aerial system. An apparatus includes a transceiver that receives, at a first network function of a mobile wireless communication network, a first authorization of unmanned aerial vehicle (“UAV”) operations and a second authorization for associating a UAV-controller with the UAV, the first and second authorizations associated with a first identifier. An apparatus includes a processor that creates a 5G local area network (“LAN”) group within the mobile wireless communication for facilitating communications between the UAV and the UAV-controller and associating a second identifier with the 5G LAN group, configures the 5G LAN group based on at least at least one parameter associated with the UAV and updates a third network function with information for the 5G LAN group for establishing a protocol data unit (“PDU”) session between the UAV and the UAV controller.

Abstract: Apparatuses, methods, and systems are disclosed for determining and enforcing service specific network slice security. One apparatus in a mobile communication network includes processor that performs primary authentication with a mobile communication network and a transceiver that receives a SMC message comprising SSI. The processor applies slice security for control plane and user plane traffic related to a network slice according to a Security Requirement Type indicated in the SSI.

Abstract: Apparatuses, methods, and systems are disclosed for security context control for AMF reallocation based on a slice capability indication. One apparatus includes a network interface-(840) that receives a first authentication request message from a SEAF having a co-located AMF, the first authentication request message comprising an AMF Slice Capabilities IE. Via the network interface-(840) the processor sends a data request message to a UDM and receives a data response message. Here, the data request message contains the received AMF Slice Capabilities IE and the data response message contains a Slice Compatibility Indicator. The processor determines not to send a SEAF key to the SEAF when the Slice Compatibility Indicator indicates AMF slice incompatibility. The network interface sends, to the SEAF, an authentication response message containing an Authentication Result, a User Subscription Identifier, and the Slice Compatibility indicator.

Abstract: Apparatuses, methods, and systems are disclosed for network function reallocation with security context. One apparatus includes a processor and a transceiver. The processor is configured to detect, at a first network function of a mobile wireless communication network, that the first network function cannot serve a requested network slice from a user equipment (“UE”) device. The transceiver is configured to send, from the first network function via a second network function, a reroute message to a third network function of the mobile wireless communication network. The reroute message includes an initial non-access stratum (“NAS”) message retrieved during NAS security mode command (“SMC”) procedure with the UE device and a security configuration. The third network function uses the initial NAS message and the security configuration to determine a security context for the UE device and serve the requested network slice from the UE device.

Abstract: Apparatuses, methods, and systems are disclosed for selecting an authentication type in a 5G network. One apparatus includes a processor and a network interface-640 that receives a first message requesting to register a remote unit to the mobile communication network, where the remote unit is connected to a non-3GPP access network and the remote unit does not support the NAS protocol. The processor determines an authentication request type for the remote unit, where the authentication request type is not based on the NAS protocol. The processor creates a NAS registration message on behalf of the remote unit and sends a second message to an access management function in the mobile communication network, where the second message contains the NAS registration message and the determined authentication request type.

Abstract: Apparatuses, methods, and systems are disclosed for security context handling during AMF reallocation. One apparatus in a mobile communication network includes a network interface and a processor that derives a Reroute Security Context and derives a first authentication parameter for authenticating a Target AMF. The network interface receives a Key Request message from a SEAF co-located with the Target AMF following an AMF reallocation during a UE Registration procedure. The processor verifies the Key Request message by determining whether the second authentication parameter matches the first authentication parameter derived for authenticating the Target AMF. The processor derives a new security context for the Target AMF/SEAF in response to successfully verifying the Key Request message. The network interface sends a Key Response message to the Target AMF/SEAF.

Abstract: Apparatuses, methods, and systems are disclosed for supporting authentication with a mobile core network using a concealed identity. One apparatus includes a processor that sends a first authentication message that includes a concealed identifier to a network function to authenticate with a mobile communication network via a non-3GPP access network. The processor receives a second authentication message from the network function in response to the first authentication message. The second authentication message comprises an authentication response based on the concealed identifier. The processor completes authentication with the mobile communication network in response to the authentication response comprising a challenge packet. The processor receives configuration information for accessing the mobile communication network in response to successful authentication with the mobile communication network.

Abstract: A method for integrity protection scheme by a mobile communication device or a core network entity according to a first exemplary aspect of the present disclosure includes configuring settings and parameters for integrity protection for user data with another party; receiving user plane data from the other party, calculating Message Authentication Code for Integrity (MAC-I) for a part of the data and checking integrity of the part of the data.

Abstract: Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus apparatus includes a processor and a transceiver that sends a first authentication message to a network function in a mobile communication network and receives a second authentication message from the network function in response to the first authentication message. Here, the first authentication message contains an indicator that the apparatus supports EAP Reauthentication Protocol and the second authentication message contains a key management domain name indicating a group of network functions that can share reauthentication security context. The processor derives reauthentication security context in response to successful authentication with the mobile communication network and locally stores the received key management domain name and the derived reauthentication security context for subsequent reauthentication with the mobile communication network.

Abstract: Apparatuses, methods, and systems are disclosed for accessing an NPN using external credentials. One apparatus in a mobile communication network includes a processor and a transceiver that receives a registration request for a UE. Here, the UE does not have a subscription with the mobile communication network. The processor identifies a service provider of the UE and controls the transceiver to send an authentication message to an AAA server of the identified service provider. The processor receives an authentication response containing a master session key from the AAA server in response to successful authentication of the UE and derives a set of security keys (e.g., KAUSF, KSEAF) using the master session key.

Abstract: Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus includes a network interface that receives a first authentication message for reauthenticating a remote unit and a processor that verifies a first domain-name. The first domain-name identifies a key management domain name and an associated gateway function holding a reauthentication security context. Here, the first authentication message includes a NAI containing a first username and the first domain-name. The processor validates the first authentication message using at least the first username and generates a second authentication message in response to successfully validating the first authentication message. Via the network interface, the processor responds to the first authentication message by sending the second authentication message.

Abstract: Apparatuses, methods, and systems are disclosed for using a pseudonym for access authentication over non-3GPP access. One apparatus includes a processor and a transceiver that communicates with a mobile communication network using a 3GPP access network and a non-3GPP access network. The processor sends a registration message to a first network function in the mobile communication network via the 3GPP access network, the first authentication message comprising a first indicator and a SUCI for the apparatus, wherein the first indicator comprises an indication that the apparatus has the capability for access authentication for non-3GPP access in an EPS. The processor receives a first identity pseudonym for the apparatus in response to the registration message comprising the first indicator and performs access authentication via a non-3GPP access network using the first identify pseudonym.

Abstract: Apparatuses, methods, and systems are disclosed for deriving a key based on an edge enabler client identifier. One method includes receiving, at a network function, a request message from an edge server function. The request message includes: an edge server identifier; and an edge enabler client identifier (EEC-ID), wherein the EEC-ID includes: an unencrypted EEC-ID; or an encrypted EEC-ID. The encrypted EEC-ID is encrypted with an authentication and key management (AKMA) key (KAKMA). The method includes deriving a unique key (KAFEEC) based on the edge server identifier and the EEC-ID. The method includes transmitting a response message to the edge server function. The response message includes: the KAFEEC; and an unencrypted EEC-ID.

Abstract: Apparatuses, methods, and systems are disclosed for setting up multiple user plane (“UP”) security contexts. One apparatus includes a transceiver and a processor that derives distinct UP integrity and ciphering keys for a selected central unit user plane (“CU-UP”) node in the RAN, said derivation using a key derivation function. The processor assigns a UP Security Indicator to uniquely identify the derived distinct UP integrity and ciphering keys and the transceiver sends a setup request to the selected CU-UP node, said setup request containing the UP Security Indicator and the distinct UP integrity and ciphering keys. The transceiver receives a setup response from the selected CU-UP node and the processor activates distinct UP security at a UE.

Abstract: Embodiments of the present application are directed to a method and apparatus for providing onboarding and provisioning services. A method according to an embodiment of the present application may include: receiving a registration request for a user equipment (UE), wherein the register request indicates an identity of the UE, an onboarding and provisioning flag, and an onboarding and provisioning function (OPF) identity; selecting an OPF entity at least based on the OPF identity in the case of an onboarding request being supported for the UE; and transmitting the onboarding request at least indicating the identity of the UE to the selected OPF entity.

Abstract: Apparatuses, methods, and systems are disclosed for enabling roaming with authentication and key management for applications. An apparatus includes a processor that determines a serving network of a user equipment (“UE”) device, the serving network comprising a visited public land mobile network (“VPLMN”) that is different from a home PLMN (“HPLMN”) associated with the UE. The processor selects a network function within the serving network for provisioning an authentication and key management for applications (“AKMA”) security context for an application function (“AF”) based on a name for the serving network. The apparatus includes a transceiver that sends the security context to the network function.