Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.

Abstract: In response to a radio link failure between given user equipment and a source access node of a communication system during a data transfer operation over a control plane, a method is provided for recovering the radio link for the given user equipment through a target access node of the communication system. The radio link recovery is enabled via a mobility management node of the communication system using a non-access stratum security context previously established between the given user equipment and the mobility management node.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises provisioning at least a given one of the first and second security edge protection proxy elements with configuration information that enables the given security edge protection proxy element to identify at least one security operation to be applied to at least one information element in a received message before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: A measurement report is sent from user equipment in a communication system to a serving base station in a serving cell of the communication system, wherein the measurement report comprises one or more signal measurements obtained by the user equipment for one or more other base stations in the communication system. A base station removal list is received at the user equipment from the serving base station which lists any base stations from the measurement report that failed a set-up procedure and are thus potentially false base stations. Any base stations in the base station removal list are removed from consideration by the user equipment as a target base station for a handover procedure.

Abstract: A reconfiguration message is received at user equipment in a communication system from a disaggregated base station with which the user equipment has a current security context established. The reconfiguration message comprises an instruction to compute a new security context based on a security domain counter value, wherein the security domain counter value represents a given security domain from a plurality of security domains supported by the disaggregated base station. The new security context is computed at the user equipment for the given security domain based on the security domain counter value. A set of security keys are derived from the new security context at the user equipment.

Abstract: A measurement report is sent from user equipment in a communication system to a serving base station in a serving cell of the communication system, wherein the measurement report comprises one or more signal measurements obtained by the user equipment for one or more other base stations in the communication system. A base station removal list is received at the user equipment from the serving base station which lists any base stations from the measurement report that failed a set-up procedure and are thus potentially false base stations. Any base stations in the base station removal list are removed from consideration by the user equipment as a target base station for a handover procedure.

Abstract: Security management techniques for roaming service authorization for communication systems are provided. In one or more methods, a first element or function in a visiting network of a communication system receives a first service discovery request from a second element or function in the visiting network for services provided by at least a third element or function in a home network of the communication system, sends a second service discovery request to a fourth element or function in the home network of the communication system responsive to authenticating the second element or function, receives from the fourth element or function a first service discovery response comprising an access token for the second element or function, and provides to the second element or function a second service discovery response comprising the access token, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: Privacy management techniques for communication systems are provided. In one or more methods, one or more cryptographic key pairs are provisioned in a home network of a communication system for utilization by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication system. The cryptographic key pairs are managed utilizing an element or function in the home network of the communication system. In one or more other methods, one or more public keys associated with one or more cryptographic key pairs are stored in user equipment, the cryptographic key pairs being provisioned by a home network of a communication system for use by subscribers of the home network to conceal subscriber identifiers provided to access points in the communication network. An element or function of the home network of the communication system is interfaced for management of the public keys stored in the user equipment.

Abstract: Key identification techniques for determination of appropriate keys for processing messages in communication systems are provided. In one or more methods, an indicator is assigned to each key pair provisioned in a communication system. The indicator is then sent to one or more network elements or functions in the communication system with a message encrypted with a first part of the key pair corresponding to the indicator. A network element or function receiving the encrypted message determines, based on the indicator, a corresponding second part of the key pair to use to process the encrypted message.

Abstract: One or more application programs are invoked at user equipment. At least one of the one or more application programs is configured with application layer security between the user equipment and a data network. A data session request is sent from the user equipment to a communication network. The communication network is configured to connect the user equipment to the data network in association with the at least one application program. The data session request comprises an indication that application layer security between the user equipment and the data network is active for the at least one application program. In one example, in response to the request, the user equipment receives a configuration message indicating that no communication network level security applies for data associated with the at least one application program.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises configuring at least a given one of the first and second security edge protection proxy elements to determine whether to apply at least one security operation at the transport level for incoming packets based at least in part on source and destination networks for the incoming packets.

Abstract: There is provided monitoring at least one bearer comprising a first and second radio accesses according to different radio technologies between user equipment and a communications network. One or more properties of the monitored bearer are determined and an update of a security key utilized for securing communications over at least one of the radio accesses is triggered in response to determining that the determined properties meet at least one triggering condition capable of indicating a need for the update.

Abstract: In accordance with the occurrence of a mobility event whereby user equipment moves from accessing a source network to accessing a target network in a communication system environment, the user equipment sends a control plane message to the target network comprising an integrity verification parameter associated with the source network and an integrity verification parameter associated with the target network. By providing integrity verification parameters for both the source network and the target network in an initial message sent by the user equipment to the mobility management element of the target network, the mobility management element of the target network can verify the user equipment on its own or seek the assistance of the source network.

Abstract: Embodiments provide a mobile communications device that includes a processor configured to communicate with a transceiver and a memory. The transceiver is configured to exchange control signals with a network node. The memory contains instructions that when executed by the processor configure the processor to operate the transceiver to exchange the control signals. The instructions further configure the processor to pass a first proper subset of the control signals to a remote device without operating according to the control signals, and to operate according to control signals in a second proper subset of the control signals. The processor is thereby configured to operate on behalf of a remote communication device to support communication between the remote communication device and the network node.

Abstract: Embodiments provide a mobile communications device that includes a processor configured to communicate with a transceiver and a memory. The transceiver is configured to exchange control signals with a network node. The memory contains instructions that when executed by the processor configure the processor to operate the transceiver to exchange the control signals. The instructions further configure the processor to pass a first proper subset of the control signals to a remote device without operating according to the control signals, and to operate according to control signals in a second proper subset of the control signals. The processor is thereby configured to operate on behalf of a remote communication device to support communication between the remote communication device and the network node.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: Security management techniques for service authorization for communication systems are provided. In one or more methods, a first element or function in a home network of a communication system registers a second element or function in the home network as a service consumer of one or more services provided by at least a third element or function in the home network, receives a request from the second element or function, and provides an access token to the second element or function responsive to authenticating the second element or function, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: Security management techniques for roaming service authorization for communication systems are provided. In one or more methods, a first element or function in a visiting network of a communication system receives a first service discovery request from a second element or function in the visiting network for services provided by at least a third element or function in a home network of the communication system, sends a second service discovery request to a fourth element or function in the home network of the communication system responsive to authenticating the second element or function, receives from the fourth element or function a first service discovery response comprising an access token for the second element or function, and provides to the second element or function a second service discovery response comprising the access token, the access token being used by the second element or function to access the one or more services provided by the third element or function.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.

Abstract: A first security context is established between a given user computing device and a first network computing device to enable a secure data connection between the given user computing device and the first network computing device. A second security context is established between the given user computing device and a second network computing device to enable a secure data connection between the given user computing device and the second network computing device simultaneous with the secure data connection between the given user computing device and the first network computing device. Establishment of the second security context includes the first network computing device sending the given user computing device a simultaneous secure data connection parameter useable by the given user computing device to establish the second security context with the second network computing device.