Abstract: Apparatus, methods, and computer program products for disaggregated UE are provided. An example method includes establishing, with a second UE, a connection session based on a configuration profile, the configuration profile including a mapping of an upper-layer protocol to a lower-layer protocol, one or more security policies, and a routing for one or more services associated with the second UE to a protocol stack. The example method further includes managing a connection between the second UE and a third device via the connection session.

Abstract: A user equipment (UE) may update multicast-broadcast key for securing a data session for a multicast or broadcast service. The UE may receive a multicast-broadcast key for the for a multicast or broadcast service carried by a radio bearer (RB) associated with the data session. The UE may receive packets for the multicast or broadcast service. The UE may decode the packets using the multicast-broadcast key, or a key derived from the multicast-broadcast key. The UE may receive an updated multicast-broadcast key for the multicast or broadcast service. The UE may decode the packets for the multicast or broadcast service received on the RB using the updated multicast-broadcast key, or a key derived from the updated multicast-broadcast key.

Abstract: A remote UE or a relay UE may identify a configuration for a relocation of one or more session termination points associated with one or more radio access packet data sessions from the relay UE to the remote UE or from the remote UE to the relay UE. The remote UE or the relay UE may execute the relocation of the one or more session termination points associated with the one or more radio access packet data sessions from the relay UE to the remote UE or from the remote UE to the relay UE based on the configuration. The session termination point relocation may be controlled by the remote UE, the relay UE, or a network entity. The remote UE may transmit or receive data with a network via the relay UE based on the relocation of the one or more session termination points.

Abstract: In embodiment methods for supporting pre-shared key (PSK) renegotiation, a user equipment (UE) may generate a request message including a first bootstrapping transaction identifier (B-TID), a first PSK namespace identifying a first bootstrapping procedure supported by the UE, and a first correlated PSK namespace indicating PSK renegotiation is supported by the UE for the first bootstrapping procedure, and send the request message to a network device. The network device may determine an indication of a PSK renegotiation for the first correlated PSK namespace in response to determining PSK renegotiation is required for the UE, generate a response message including the indication of the PSK renegotiation for the first correlated PSK namespace, and send the response message to the UE. In response, the UE may perform a bootstrapping procedure to obtain a second B-TID and second (i.e., new) session key (Ks).

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may register to a cellular network associated with a multicast/broadcast multimedia service (MBMS). The UE may transmit, to the cellular network, a request to join the MBMS. The UE may receive, from the cellular network and based at least in part on being registered with the cellular network, a response that indicates an MBMS service key (MSK) and MSK identifier pair. Numerous other aspects are described.

Abstract: Aspects of the disclosure relate to configuration of the Access Stratum (AS) security in communication networks. The AS security may be defined by security configuration information selected for a protocol data unit (PDU) session established for a user equipment (UE). The security configuration information may be selected by a network node within a core network based on one or more of the PDU session, device type of the UE, or Quality of Service (QoS) flow within the PDU session. The security configuration information may be provided to a radio access network (RAN) serving the UE for selection of an AS security configuration that is specific to the PDU session.

Abstract: In an aspect, the present disclosure includes a method, apparatus, and computer readable medium for wireless communications for configuring of a NAS COUNT value of a mapped EPS security context associated with an intersystem change of a UE from a 5G system to an EPS. The aspect includes generating, by a UE, a mapped EPS security context associated with an intersystem change of the UE from a 5G system to an EPS, wherein the mapped EPS security context comprises security parameters created based a 5G security context used for the 5G system, the security parameters enabling security-related communications between the UE and a network entity; determining an UL NAS COUNT value and the DL NAS COUNT value for the mapped EPS security context; and transmitting, by the UE, a NAS message to the network entity, the NAS message including the UL NAS COUNT value of the mapped EPS security context.

Abstract: This disclosure provides methods, devices and systems for using a pseudonym service set identifier (pSSID) for access point (AP) and station (STA) privacy. For example, a pSSID is included by a STA or AP in place of a persistent SSID for over the air communications used for various functions (such as for the STA to determine the SSID of the AP before connecting to the AP). The pSSID is generated using a hash function that is defined at both the AP and the STA. An input to the hash function includes the SSID. Other inputs may include a temporary media access control (MAC) address of the device generating the pSSID, a time value associated with a time when the pSSID is generated, or a location value associated with a position measurement of the device generating the pSSID.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: This disclosure provides methods, devices and systems for using a variable authentication identifier (AID) for access point (AP) privacy. For example, instead of a persistent SSID, an AID is used by a station (STA) to authenticate the AP before connecting to the AP. The AP is associated with a service set, and the STA has stored a secret token associated with the service set. Before connecting to the AP, a broadcasted probe request from the STA includes no identifying information other than the token. The AP generates the AID from the token and provides the AID in a probe response. The STA is able to identify the AP as being associated with a service set and connect to the AP using the token and AID without the token and the AID being used by another device not associated with the service set to identify the AP.

Abstract: In embodiments of systems and methods for synchronous content presentation, a user equipment (UE) may generate a freshness parameter, generate a unique session key based on a first session key and the freshness parameter, and send the freshness parameter to a Network Application Function (NAF) of a network device in a configuration that will enable the NAF to generate the unique session key. The network device may receive the freshness parameter, receive from a Key Server Function (KSF) the first session key, and generate based on the freshness parameter and the first session key the unique session key. The UE and the network device may then conduct secure communications using the unique session key without exchanging the unique session key between the two devices.

Abstract: Methods, systems, and devices for wireless communications are described. A first node of a wireless communications network may determine a service type of the first node. The first node may transmit, to a second node during a random access procedure, an indication of the service type of the first node. The first node may then establish a connection with a unit of the second node that is for serving nodes of the wireless network associated with the service type. The connection may be established based on transmitting the indication of the service type.

Abstract: Methods, systems, and devices for communications are described. A device or a group of devices may generate data. The group of devices may receive a group profile from a node that identifies the devices to be included, and the group profile may include a function to be evaluated at each of the devices. The node may also provision evaluation parameters which may allow the device to provide authenticated aggregate data to a requesting third party, without sharing the data between the devices, thus concurrently maintaining individual data privacy and data provenance.

Abstract: A user equipment (UE) may receive a quality of service (QoS) flow for a multicast or broadcast service that is secured with a multicast-broadcast key. The UE may transmit a data session establishment request to a service management function (SMF) for the multicast or broadcast service. The UE may receive at least one multicast-broadcast key for the PDU session. The UE may determine a radio bearer (RB) configuration for the multicast or broadcast service. The UE may receive one or more QoS flow packets for the multicast or broadcast service over the RB. The UE may decode the one or more QoS flow packets using the at least one multicast-broadcast key, or a key derived from the at least one multicast-broadcast key. Decoding may include decrypting, verifying the integrity, or a combination thereof.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may determine, based at least in part on a key derivation function and a set of physical layer parameters, a secret key for encrypting a unicast physical channel at a physical layer, wherein the secret key is a UE-specific secret key. The UE may transmit, to a base station, an encrypted transmission over the unicast physical channel based at least in part on the secret key. Numerous other aspects are described.

Abstract: Embodiments may include a user equipment (UE) configured to obtain a Mobile Subscriber Identification Number (MSIN) from an International Mobile Subscriber Identity (IMSI) of the UE, encrypt the MSIN to generate a Subscription Concealed Identifier (SUCI) in a Network Access Identifier (NAI) format, and send the SUCI to the non-3GPP access network for authentication of the UE, and a network element of a home 3GPP network configured to receive, by a 5G Non-seamless WLAN Offload (NSWO) Function, an authentication request including the SUCI from the non-3GPP access network, determine, by the 5G NSWO Function, based on the SUCI, that the UE should be authenticated by an authentication function of the home 3GPP network, and provide the authentication request including the SUCI to the authentication function of the home 3GPP network for processing based on the determination that the UE should be authenticated by the authentication function.

Abstract: Techniques are described for wireless communication. A method for wireless communication at a user equipment (UE) includes performing an extensible authentication protocol (EAP) procedure with an authentication server via an authenticator. The EAP procedure is based at least in part on a set of authentication credentials exchanged between the UE and the authentication server. The method also includes deriving, as part of performing the EAP procedure, a master session key (MSK) and an extended master session key (EMSK) that are based at least in part on the authentication credentials and a first set of parameters; determining a network type associated with the authenticator; and performing, based at least in part on the determined network type, at least one authentication procedure with the authenticator. The at least one authentication procedure is based on an association of the MSK or the EMSK with the determined network type.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at a gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: A user device having a security context with a first network based on a first key may establish a security context with a second network. In a method, the user device may generate a key identifier based on the first key and a network identifier of the second network. The user device may forward the key identifier to the second network for forwarding to the first network by the second network to enable the first network to identify the first key at the first network. The user device may receive a key count from the second network. The key count may be associated with a second key forwarded to the second network from the first network. The user device may generate the second key based on the first key and the received key count thereby establishing a security context between the second network and the user device.

Abstract: Methods, systems, and devices for communications are described. A device or a group of devices may generate data. The group of devices may receive a group profile from a node that identifies the devices to be included, and the group profile may include a function to be evaluated at each of the devices. The node may also provision evaluation parameters which may allow the device to provide authenticated aggregate data to a requesting third party, without sharing the data between the devices, thus concurrently maintaining individual data privacy and data provenance.