Abstract: Embodiments of the present disclosure relate to path switch between relays and security procedures. A terminal device obtains a selection policy for selecting a RSC from a plurality of RSCs, an RSC of the plurality of RSCs being associated with an indicator for indicating whether the RSC supports a CP security procedure or an UP security procedure. Based on determining that path switching from a source relay terminal device with a source RSC is triggered, the terminal device selects a target RSC based on the selection policy, a source indicator being associated with the source RSC, and a plurality of indicators being associated with the plurality of RSCs. The terminal device selects, for the path switching, a target relay terminal device based on the target RSC. As such, the service continuity after path switching between relays can be improved and delay or disruptions to the service can be avoided.

Abstract: Embodiments of the present disclosure relate to security communication in ProSe U2N relay. According to one aspect of the present disclosure, remote UE and relay UE receive a configuration comprising at least a set of indicators of a CP based security procedure or a UP based security procedure for a set of relay services. Based on an indicator for a relay service in the set of indicators, the remote UE and relay UE performs one of the CP based security procedure or the UP based security procedure for a communication between the remote UE and the relay UE for the relay service. In this way, remote UE and remote UE may correctly trigger a security procedure for U2N relay communication.

Abstract: Security mechanisms (300) between user equipment and a network. In an embodiment, a network (101) is operatively coupled to user equipment (106). A network element (212/1600), when operating as a sender (810) of a sent message (1720) to the user equipment, comprises a means (1504/1606) for identifying a combined integrity and encryption algorithm (1000), a means (1504/1606) for deriving a combined integrity and encryption key (1010) for the combined integrity and encryption algorithm, and a means (1504/1606) for applying the combined integrity and encryption algorithm to the sent message using the combined integrity and encryption key as an input parameter (1002), to provide security protection to the sent message.

Abstract: Methods, apparatus and systems for provision of keys in a communication network are disclosed.

Abstract: Methods, apparatus and systems for provision of keys in a communication network are disclosed.

Abstract: Negotiating security mechanisms (300) between user equipment and a network. In an embodiment, an access and mobility management function (212) is operatively coupled to user equipment (106). The access and mobility management function comprises a means (1504) for identifying security capabilities of the user equipment in supporting one or more non-access stratum combined integrity and encryption algorithms (1050), a means (1504) for selecting a non-access stratum combined integrity and encryption algorithm from the one or more non-access stratum combined integrity and encryption algorithms to protect non-access stratum signaling, and a means (1502) for sending a non-access stratum security mode command message (2312) to the user equipment indicating the non-access stratum combined integrity and encryption algorithm.

Abstract: Techniques are disclosed for user equipment authentication in a shared access network environment. In one example, a method comprises establishing, via a first access management entity in a first communication network that has a radio access network associated therewith, a secure connection with a second access management entity in a second communication network to which user equipment subscribes, and facilitating, via the first access management entity, authentication of the user equipment in conjunction with the second access management entity over the secure connection to enable the user equipment to utilize the radio access network of the first communication network to access the second communication network.

Abstract: Following radio link failure (RLF) of a radio link between a cellular internet-of-things (CIoT) user equipment (UE) and a source access node (nodeB) during a data transfer operation over a control plane between a mobility management entity (MME) of a narrow-band IoT (NB-IoT), a radio link is recovered by transmitting an RLF message from the CIoT UE to the MME of the NB-IoT network via a target nodeB, the target nodeB being different from the source nodeB. The RLF message is protected using a key associated with a non-access stratum (NAS) security context previously established between the CIoT UE and the MME of the NB-IoT network. The MME of the NB-IoT network can retrieve data that failed to be delivered to the CIoT UE due to the RLF during the data transfer operation over the control plane and provide said data to the UE via target nodeB.

Abstract: Embodiments of the present disclosure relate to security communication in ProSe U2N relay. According to one aspect of the present disclosure, remote UE and relay UE receive a configuration comprising at least a set of indicators of a CP based security procedure or a UP based security procedure for a set of relay services. Based on an indicator for a relay service in the set of indicators, the remote UE and relay UE performs one of the CP based security procedure or the UP based security procedure for a communication between the remote UE and the relay UE for the relay service. In this way, remote UE and remote UE may correctly trigger a security procedure for U2N relay communication.

Abstract: Techniques are disclosed for verifying user equipment compliance. For example, a method comprises computing, via user equipment, a secure identifier for the user equipment comprising an equipment identifier of the user equipment, and sending the secure identifier comprising the equipment identifier in a request message from the user equipment to a communication network to which the user equipment is attempting to connect. The communication network performs compliance verification for the user equipment based at least in part on the equipment identifier securely received from the user equipment.

Abstract: In response to a radio link failure between given user equipment and a source access node of a communication system during a data transfer operation over a control plane, a method is provided for recovering the radio link for the given user equipment through a target access node of the communication system. The radio link recovery is enabled via a mobility management node of the communication system using a non-access stratum security context previously established between the given user equipment and the mobility management node.

Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: Techniques for security management with compromised-equipment detection in a communication system are disclosed. For example, a method comprises causing intentional introduction of one or more errors in at least one communication protocol layer of a communication network, wherein the communication network has a plurality of user equipment connected thereto via at least one access point. The method further comprises causing verification of one or more received error indicators against one or more expected error indicators to decide whether any of: (i) the plurality of user equipment; (ii) the at least one access point; or (iii) one or more network entities, may be compromised. In other examples, verifications may be correlated with other logs including, for example, security event logs.

Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: Systems, methods, apparatuses, and computer program products for a method of mobility between distributed units with a local control plane are provided. For example, a method can include detecting, at a target distributed unit, a handover based on an indication from a source distributed unit after a handover command has been sent to a user equipment to hand over from the source distributed unit to the target distributed unit. The method can also include sending, from the target distributed unit to a central unit user plane, a data transmission resume notification, to trigger to the central unit user plane to resume downlink data transmission toward the target distributed unit. The downlink data transmission was previously suspended by instructions from a source distributed unit to the central unit user plane when the handover was initiated from the source distributed unit to the target distributed unit.

Abstract: Techniques for providing privacy features in communication systems are provided. For example, a message may be provided from user equipment to an element or function in a communication network that comprises one or more privacy indicators, where privacy features for processing the message are determined based on the privacy indicators. The message may comprise an attach request comprising a subscription identifier for a subscriber associated with the user equipment, with the privacy indicators comprising a flag indicating whether the subscription identifier in the attach request is privacy-protected. As another example, the element of function in the communication network may determine privacy features supported by the communication network and generate and send a message to user equipment comprising one or more privacy indicators selected based on the determined privacy features.

Abstract: Various example embodiments relate to authentication in case of roaming. An apparatus may be configured to receive, by an application function of a first visitor public land mobile area network (PLMN) or a second visitor PLMN of a device, a registered serving network identifier of the device indicative of the first visitor PLMN; and transmit, based on the registered serving network identifier, an encryption key to an application security function of the first visitor PLMN for encryption of an application session of the device.

Abstract: Systems, methods, and software of performing primary re-authentication of User Equipment (UE) (106). In one embodiment, a Unified Data Management (UDM) (218) triggers primary re-authentication of a UE in response to a trigger condition, and sends a re-authentication notification message toward an Access and Mobility Management Function (AMF) (212) to perform primary re-authentication of the UE.

Abstract: Systems, methods, and software of performing an Authentication and Key Management for Applications (AKMA) authentication service. An AKMA authentication proxy resides between User Equipment (UE) and a plurality of Application Functions (AFs). The AKMA authentication proxy receive an application session establishment request message from the UE requesting an application session with a first application function, sends a key request message toward an AKMA anchor function (AAnF) requesting AKMA application keys for a plurality of application functions, receives a key response message sent from the AAnF that includes the AKMA application keys, identifies a first AKMA application key for the first application function from the AKMA application keys derived by the AAnF, and forwards the application session establishment request message to the first application function with the first AKMA application key.

Abstract: Techniques for providing privacy features in communication systems are provided. For example, a message may be provided from user equipment to an element or function in a communication network that comprises one or more privacy indicators, where privacy features for processing the message are determined based on the privacy indicators. The message may comprise an attach request comprising a subscription identifier for a subscriber associated with the user equipment, with the privacy indicators comprising a flag indicating whether the subscription identifier in the attach request is privacy-protected. As another example, the element of function in the communication network may determine privacy features supported by the communication network and generate and send a message to user equipment comprising one or more privacy indicators selected based on the determined privacy features.