Abstract: Certain aspects of the present disclosure provide techniques for detecting false base stations and transmissions therefrom.

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may communicate with a base station in a wireless communications system. The base station may transmit signaling to the UE over a broadcast channel. The base station may transmit control signaling to the UE that indicates a broadcast root key. The UE may identify the broadcast root key for a wireless network corresponding to the base station. The base station may transmit an encrypted broadcast transmission. The UE may receive the encrypted broadcast transmission from the base station, and the UE may decrypt the encrypted broadcast transmission to obtain broadcast information based on a cell-specific key derived from the broadcast root key.

Abstract: Wireless communications systems and methods related to globally unique temporary identity (GUTI) reallocation for cellular-Internet of thing (CIoT) are provided. A user equipment (UE) receives, from a network, a paging associated with a mobile-terminated early data transmission (MT-EDT). The UE transmits, by the UE to the network, a data request in response to the paging. The UE receives, from the network in response to the data request, a message including a global unique temporary identifier (GUTI) and at least one of data associated with the paging or a connection release indication.

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may participate in a registration procedure with an access and mobility management function (AMF). The UE may transmit to the AMF, as part of the registration procedure, an indication of one or more single network slice selection assistance information (S-NSSAI) or a network slice selection assistance information (NSSAI). Following, the UE may receive a control message from the AMF, wherein the control message includes one or more encrypted S-NSSAI values or an encrypted NSSAI value based on the indication. The UE may then transmit the encrypted S-NSSAI or the encrypted NSSAI to a base station as part of a message.

Abstract: The present disclosure provides techniques that may be applied, for example, in a multi-slice network for maintaining privacy when attempting to access the network. An exemplary method generally includes transmitting a registration request message to a serving network to register with the serving network; receiving a first confirmation message indicating a secure connection with the serving network has been established; transmitting, after receiving the first confirmation message, a secure message to the serving network comprising an indication of at least one configured network slice that the UE wants to communicate over, wherein the at least one configured network slice is associated with a privacy flag that is set; and receiving a second confirmation message from the serving network indicating that the UE is permitted to communicate over the at least one configured network slice.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at a gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

Abstract: Aspects of the present disclosure provide for a security model for enabling multiple connectivity and service contexts while sharing a single connectivity context to establish a network connection. A context (e.g., connectivity context, service context, security context) is a set of information describing the connectivity, service, or security established between two or more entities. The connectivity context and service context may be established at different network nodes or entities. In one aspect of the disclosure, a connectivity context includes an Evolved Packet System (EPS) Mobility Management (EMM) context or both an EMM context and an EPS Session Management (ESM) context.

Abstract: Methods, systems, and devices for wireless communications are described. A first node of a wireless communications network may determine a service type of the first node. The first node may transmit, to a second node during a random access procedure, an indication of the service type of the first node. The first node may then establish a connection with a unit of the second node that is for serving nodes of the wireless network associated with the service type. The connection may be established based on transmitting the indication of the service type.

Abstract: Aspects relate to user equipment (UE) to user equipment (UE-to-UE) relaying in a communication system. At least two remote UEs and a UE-to-UE relay receive provisioned security information from the wireless communication network, where the security information includes discovery parameters and relay security information. The security information provisioned by the wireless communication network is used to establish a connection between the two UEs and the UE-to-UE relay device including discovery of the UE-to-UE relay by the remote UEs. Furthermore, the provisioned security information is used to establish a secure connection between the two remote UEs via the UE-to-UE relay device.

Abstract: A gateway device detects a trigger associated with a device and, in response, identifies an application service associated with the device, obtains a traffic network policy associated with the application service, and obtains a network access token based on the traffic network policy. The network access token facilitates validating and/or mapping a downlink data packet obtained at the gateway device in user-plane traffic that is destined for the device. The network access token is sent to an entity in control-plane signaling. Subsequently, the gateway device obtains a downlink data packet including the network access token. The gateway device verifies the network access token and/or maps the downlink data packet to the device using data obtained from the network access token. The network access token may be removed from the downlink data packet before the downlink data packet is sent to the device according to the mapping.

Abstract: Methods, systems, and devices for wireless communication are described. Generally, the described techniques provide for efficiently protecting communications between a base station and a UE with limited signaling and processing overhead. As described herein, a base station may generate a system information security container (SISC) including integrity information of one or more system information blocks (SIBs), and the base station may transmit (e.g., broadcast) the SISC with a signature to one or more UEs (e.g., to protect the integrity information of the SIBs in the SISC). Once a UE receives the SISC, the UE may verify the signature of the SISC, identify the system information included in the SISC (e.g., the system information included in the integrity information of the SIBs), and apply the system information for communications with the base station.

Abstract: Apparatus, methods, and computer-readable media for facilitating self-managed trust in Internet-of-Things networks are disclosed herein. An example method of trust management at a network manager includes enrolling a network endpoint with a network managed by the network manager. The example method also includes receiving trusted reference information for the network endpoint based on enrolling the network endpoint. Additionally, the example method includes performing verification of the network endpoint based on at least one of the trusted reference information or an attestation received from the network endpoint. Further, the example method includes enforcing policies to the network endpoint based on a result of the verification. Such trust management may improve privacy and security at the network, as well as reduce latency in responding to trust incidents.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at a gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: The present disclosure provides techniques that may be applied, for example, in a multi-slice network for maintaining privacy when attempting to access the network. An exemplary method generally includes transmitting a registration request message to a serving network to register with the serving network; receiving a first confirmation message indicating a secure connection with the serving network has been established; transmitting, after receiving the first confirmation message, a secure message to the serving network comprising an indication of at least one configured network slice that the UE wants to communicate over, wherein the at least one configured network slice is associated with a privacy flag that is set; and receiving a second confirmation message from the serving network indicating that the UE is permitted to communicate over the at least one configured network slice.

Abstract: Aspects described herein relate to initiating, by a source base station, handover of a user equipment (UE) from the source base station to a target base station, where the source base station supports user plane (UP) integrity protection (IP) for the UE, determining, based on initiating the handover, whether the target base station supports the UP IP, and determining, based on determining whether the target base station supports the UP IP, whether to continue the handover of the UE from the source base station to the target base station.

Abstract: Aspects of the present disclosure provide for a security model for enabling multiple connectivity and service contexts while sharing a single connectivity context to establish a network connection. A context (e.g., connectivity context, service context, security context) is a set of information describing the connectivity, service, or security established between two or more entities. The connectivity context and service context may be established at different network nodes or entities. In one aspect of the disclosure, a connectivity context includes an Evolved Packet System (EPS) Mobility Management (EMM) context or both an EMM context and an EPS Session Management (ESM) context.

Abstract: Various embodiments include methods, components and wireless devices configured to provide physical layer security in a communication system. In various embodiments, a wireless device processor may receive a first signature from a base station. The wireless device processor may determine a second signature based on the first signature. The wireless device processor may receive from the base station a communication that has been modified using a second signature determined by the base station. The wireless device processor may perform a matching operation to determine whether its second signature matches the second signature used to modify the base station communication. The wireless device processor may enable communications with the base station in response to determining that the second signature determined by its processor matches the second signature used to modify the communication.

Abstract: A device that identifies entry into a new service area, transmits a service area update request to a network device associated with a network, receives a control plane message from the network indicating control plane device relocation or a key refresh due to a service area change in response to transmitting the service area update request, and derives a first key based in part on data included in the control plane message and a second key shared between the device and a key management device. Another device that receives a handover command from a network device associated with a network, the handover command indicating a new service area, derives a first key based on data included in the handover command and on a second key shared between the device and a key management device, and sends a handover confirmation message that is secured based on the first key.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a relay user equipment may establish a sidelink unicast link with a remote UE via a sidelink signaling interface; receive, from a network entity, configuration information comprising at least one of: remote UE link identifier information associated with the sidelink unicast link for a relay service, an RLC channel mapping between the one or more RLC channels of the sidelink unicast link and the link with the network entity, or data routing information associated with the relay service; configure the one or more RLC channels for the sidelink unicast link and the link with the network entity based at least in part on the configuration information; and relay communications between the remote UE and the network entity based at least in part on the configuration information. Numerous other aspects are provided.