Abstract: In an aspect, a network may support a number of client devices. In such a network, a client device transmits a request to communicate with a network, establishes a security context, and receives one or more encrypted client device contexts from the network. An encrypted client device context enables reconstruction of a context at the network for communication with the client device, where the context includes network state information associated with the client device. The client device transmits a message (e.g., including an uplink data packet) to the network that includes at least one encrypted client device context. Since the network device can reconstruct the context for the client device based on an encrypted client device context, the network device can reduce an amount of the context maintained at the network device in order to support a greater number of client devices.

Abstract: Methods, systems, and devices for wireless communications are described that enable establishment of secure communications and security keys for a remote user equipment (UE) and a relay UE to perform relayed sidelink communications in which the remote UE communicates with a network via the relay UE. To establish secure communications for the direct communications between the relay UE and the remote UE, one or more security keys may be established encryption and decryption of communications. To establish the security keys, the relay UE may forward a request for direct communications to a key management function (e.g., a ProSe key management function (PKMF)) in a control plane of a core network (e.g., in a control plane message to the PKMF via an access and mobility function (AMF)). The PKMF may derive relay keys and return information related to the relay keys to the relay UE the remote UE.

Abstract: A device obtains proof of its authority to use a first set of selectively activated features (first proof). An authorization server signs the first proof with its private key. The device sends a request to use a network service to a network node. The device sends the first proof to the network node. The network node validates the first proof using a public key of the authorization server. The network node grants the request to use the network service. The device sends a request for proof of authority for the network node to provide the network service (second proof). The device obtains the second proof, signed by another authorization server, and validates the second proof before using the network service. The first proof and the second proof each include a list of selectively activated features, where the selectively activated features are needed to use or provide the network service.

Abstract: Various aspects pertain to ways to securing a peer-to-peer communication link that serves to relay transmissions to/from a managed mobile network node. A first user equipment may identify a second user equipment that can communicate via a peer-to-peer wireless interface and serve as a relay between the first user equipment and a managed mobile network node. A relay session key material may be obtained from the managed mobile network node. A peer-to-peer communication link between the first user equipment and the second user equipment may be established or modified by, for example, securing the peer-to-peer communication link based on the relay session key material. A protocol data unit session may be established, over the peer-to-peer communication link, between the first user equipment and the managed mobile network node for secured transmissions there between.

Abstract: Certain aspects of the present disclosure relate to methods and apparatus for signaling to and/or from a UE in an inactive state.

Abstract: Certain aspects of the present disclosure provide techniques for controlling access and use of network resources and services by user equipment based on user equipment capabilities. In one aspect, a method for wireless communication by a network entity, includes: receiving, from a user equipment, a request to connect to a network, the request comprising a user equipment identifier and a reduced capability indication; determining a validity of the reduced capability indication based on at least one of: subscription data associated with the user equipment; or one or more capabilities associated with the user equipment; and making a connection decision based on the validity of the reduced capability indication.

Abstract: Enabling Ethernet Header Compression (EHC) for use with data sent within a Non-Access Stratum (NAS) control plane of a wireless communication network. In one aspect, a wireless communication device sends a signal to a wireless communication network indicating the device supports EHC for data transfer over a control plane. The device obtains a response from the wireless communication network indicating the wireless communication network supports EHC for data transfer over the control plane. The device then sends an Ethernet packet compressed using EHC to the wireless communication network over the control plane. The wireless communication device may be configured to send a request to the wireless communication network to use EHC before sending the Ethernet packet compressed using EHC. The device then sends the compressed Ethernet packet only if the request is granted. In another aspects, complementary EHC features are provided within a network component of the wireless communication network.

Abstract: Aspects of the disclosure relate to mechanisms for securely communicating broadcast information related to cell access within a secure cell. The broadcast information may be encrypted using a cell-specific broadcast key that may be derived from a broadcast root key that is refreshed periodically. A wireless communication device may obtain the broadcast root key via a secure connection with a provisioning server or core network node within a core network maintaining the broadcast root key or a long term key from which the broadcast root key may be derived. The cell-specific broadcast key may be derived using a key derivation function of the broadcast root key and at least cell identifying information associated with the secure cell.

Abstract: Certain aspects of the present disclosure provide techniques and apparatus for anchor non-relocation security handling in 5G.

Abstract: A device obtains proof of its authority to use a first set of selectively activated features (first proof). An authorization server signs the first proof with its private key. The device sends a request to use a network service to a network node. The device sends the first proof to the network node. The network node validates the first proof using a public key of the authorization server. The network node grants the request to use the network service. The device sends a request for proof of authority for the network node to provide the network service (second proof). The device obtains the second proof, signed by another authorization server, and validates the second proof before using the network service. The first proof and the second proof each include a list of selectively activated features, where the selectively activated features are needed to use or provide the network service.

Abstract: Methods, systems, and devices for wireless communication are described that support security key derivation for handover. A network entity (e.g., an access and mobility function (AMF)) may establish an access stratum (AS) key to ensure secure communications between a user equipment (UE) and a base station. If the UE relocates to a new network entity (e.g., target network entity), the initial network entity (e.g., source network entity) may perform a handover procedure to the target network entity. In some aspects, the network entities may derive a unified AS key for the handover procedure. Additionally, the network entities may utilize one or more intermediate keys (e.g., refreshed intermediate keys) derived from, in part, respective freshness parameters for the handover procedure. The target network entity may then utilize the derived intermediate keys to derive the AS key for the handover procedure and establish communications with the UE.

Abstract: Methods, systems, and devices for wireless communications are described. In some systems, devices may use information protection to detect fake base stations. A base station verified by a network may transmit first information to a user equipment (UE) in an unprotected message. If a fake base station intercepts and modifies the message before relaying the message to the UE, the UE may receive different information than the transmitted first information. The UE may then transmit an indication of the received information to the verified base station in a protected message. In some cases, based on the indication, the verified base station may re-transmit the first information to the UE in a message protected against modification by the fake base station. If the UE determines that the initially received information is different from the information received in the protected retransmission, the UE identifies message modification by the fake base station.

Abstract: Some aspects described herein relate to provisioning aerial vehicles with identifiers, certificates, or other credentials for communicating based on a mobile network. The UAV can transmit a request to register with the mobile network, where the request includes at least a hardware identifier of the UAV. The UAV may receive, from a component of the mobile network, a response to the request, where the response includes a unique UAV identifier, a UAV certificate, and a network certificate generated by at least one of the component of the mobile network or a unmanned aircraft system service supplier (USS).

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may communicate with a base station in a wireless communications system. The base station may transmit signaling to the UE over a broadcast channel. The base station may transmit control signaling to the UE that indicates a broadcast root key. The UE may identify the broadcast root key for a wireless network corresponding to the base station. The base station may transmit an encrypted broadcast transmission. The UE may receive the encrypted broadcast transmission from the base station, and the UE may decrypt the encrypted broadcast transmission to obtain broadcast information based on a cell-specific key derived from the broadcast root key.

Abstract: A core network receives data from at least one of an AF, a DN, or a UE. A UPF having small data capability processes the data for transport with a low overhead and without initiating a bearer set up protocol. The data may be transported between the UE and the UPF as an RRC payload over a NAS protocol. The data may be received from an AF or DN external to the core network and may be processed to transport the data to the UE based as an RRC payload. The data may be received as uplink data from a UE, e.g., in an RRC payload. The UPF may process the RRC payload to obtain the data and may transport the data to the AF or DN. The UPF may perform IP header compression, data encryption, and/or buffering of data for a UE in an idle mode.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may monitor a reception occasion for a short message that includes a system information change notification or a public warning system notification. The UE may initiate a mitigation action related to a radio link with a network based at least in part on non-reception by the UE of the short message in the reception occasion, failure of the short message to pass an integrity check, and/or the like. Numerous other aspects are provided.

Abstract: Certain aspects of the present disclosure provide techniques for estimating performance of a radio link in a wireless communication systems using historical information. Disclosed methods generally includes determining receipt of historical information from a network, and estimating the performance of a radio link based on at least one selected from the group consisting of determining historical information was not received, and comparing received historical information to information available at the UE.

Abstract: Systems and techniques enable an improved network selection procedure. Providers maintain preferred networks lists provisioned to UEs. The preferred networks lists include WLAN RATs, and for each entry coverage area and type of supported services. UEs include multiple credentials for connectivity via providers and potentially multiple transceivers supporting multiple active services. A UE triggers a network selection procedure whenever a new service is initiated. A credential is selected. The UE builds a list of network/RAT combinations from preferred networks lists and filters this list, removing entries that do not support the new service. The UE takes the context of the UE into consideration, further filtering the list. The remaining entries are scanned and a network/RAT combination selected. The UE determines whether registering with the selected network/RAT combination causes an interruption to an ongoing service. If not, the UE registers on the selection.

Abstract: Methods, systems, and devices for wireless communication are described. A managing device may create a group security configuration for each device of a group of devices managed by the managing device. The group security configuration may include a group security parameter associated with the group of devices and a device-specific security parameter associated with each device in the group of devices. The managing device may provide the group security configuration to one or more devices of the group of devices. The one or more devices may use the group security configuration to directly establish a secure connection for communications between the one or more devices, which may include an establishment of the secure connection without further communications with the managing device during the establishment.

Abstract: Methods, systems, and devices for wireless communications are described. Private keys may be maintained upstream in a network at a more secure location. For example, when a signature is needed, a base station may transmit a signing request to a signing function within the core network and may transmit system information (SI) to be protected. The signing function may use a private key to generate a signature for the SI and returns the signature to the base station. The base station may transmit the SI and the signature to user equipment (UEs) within a coverage area of the base station. The UEs may obtain a public key corresponding to the private key and may use the public key to verify that the signature for the SI is valid and from the base station. The public key, and hence the signature, may correspond to a particular tracking area.