Abstract: A method performed by a network node (106) of a serving public land mobile network, PLMN, (112) associated with a user equipment, UE, (102) comprising: obtaining a secret identifier (110) that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation (108) related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.

Abstract: Methods and network nodes of a wireless communications network are disclosed. The network nodes are operable to initiate a plurality of authentication mechanisms. Responsive to receipt of a request for authentication transmitted by a terminal device of the wireless communications network, the network nodes are configured to select an authentication mechanism from the plurality of authentication mechanisms; and are further configured to initiate the selected authentication mechanism to authenticate the terminal device with the wireless communications network.

Abstract: A user equipment is configured to receive an extensible authentication protocol (EAP) request from a session management function (SMF) that serves as an EAP authenticator for secondary authentication of the user equipment. The secondary authentication is authentication of the user equipment in addition to primary authentication of the user equipment. The user equipment is also configured to, responsive to the EAP request, transmit an EAP response to the SMF.

Abstract: A network node of a mobile communications network may need to generate at least one new Input Offset Value, IOV value, for use in protecting communications between the network node and a mobile station. The network node then associates a fresh counter value with the or each new IOV value; calculates a Message Authentication Code based on at least the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and a constant indicating that the Message Authentication Code is calculated to protect the new IOV value; and transmits the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and the calculated Message Authentication Code to the mobile station.

Abstract: A terminal device obtains location information relating to its location, wherein the location information comprises first location information and second location information, wherein the first location information relates to a location of the terminal device within a region, and wherein the second location information identifies the region in which the terminal device is located. The terminal device forms content for a proximity service discovery message, wherein the content for the discovery message includes the first location information; calculates a message integrity code based on the content for the discovery message and the second location information; and transmits the proximity service discovery message, comprising the content for the discovery message and the computed message integrity code.

Abstract: An authentication node (22) in a wireless communication system (10) authenticates a message received by a recipient radio node (16A) (e.g., a user equipment). The authentication node (22) in this regard determines a radio resource that carries the message received by the recipient radio node (16A). The authentication node (22) performs authentication of the message, by checking whether the message is bound to the determined radio resource. The authentication node (22) may, for example, compute an expected authentication or integrity code based on information identifying the determined radio resource and check whether the expected authentication or integrity code matches an authentication or integrity code associated with the message.

Abstract: A method of operation of a terminal device in a cellular communications network is disclosed. The method comprises sending a GMM Attach Request message to the network, the GMM Attach Request message identifying security capabilities of the terminal device. The terminal device receiving from the network an echo message in the GMM layer including information identifying the security capabilities of the terminal device, wherein the echo message is received with integrity protection.

Abstract: A method performed by an authentication server in a home network of a UE for obtaining a subscription permanent identifier, SUPI. The method comprises: receiving a SUCI which comprises an encrypted part in which at least a part of the SUPI is encrypted, and a clear-text part which comprises a home network identifier and an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the SUPI in the SUCI; determining a de-concealing server to use to decrypt the encrypted part of the SUCI; sending the SUCI to the de-concealing server; and receiving the SUPI in response. Methods performed by a UE and a de-concealing server are also disclosed. Furthermore, UEs, de-concealing servers, authentication servers, computer program and a memory circuitry are also disclosed.

Abstract: A terminal device, for example a 3GPP Proximity Services (ProSe)-enabled user equipment, obtains grid location information relating to a cell of a predetermined grid in which the terminal device is located. The terminal device then calculates a message integrity code based on the grid location information and transmits a proximity service discovery message. The discovery message includes the calculated message integrity code and does not include the grid location information. A second terminal device, for example a 3GPP Proximity Services (ProSe)-enabled user equipment, receives a proximity service discovery message containing a message integrity code.

Abstract: An electronic communication device of a telecommunications system receives a message containing an integrity mode bit and an integrity protection bit from another electronic communication device, and determines whether the integrity protection bit indicates that a Frame Check Sequence, FCS, field of the message has been replaced by a Medium Access Control, MAC, field. Responsive to determining that the integrity protection bit indicates that the FCS field has been replaced by the MAC field, the device determines whether the MAC field is valid. Responsive to determining that the MAC field is not valid and the integrity mode bit having a first defined value, the message is discarded. Responsive to determining that the MAC field is not valid and the integrity mode bit having a second defined value, content of the message is provided to a higher network protocol layer for processing.

Abstract: A basestation in a cellular communications network is operable to send a message to a Mobility Management Entity, relating to a suspension or resumption of a connection of a UE, wherein the message contains key renewal information. The Mobility Management Entity receives the message, and determines whether a key renewal condition is met. If the key renewal condition is met, the MME forwards a new NH, NCC pair to the base station. If a message received from the MME includes a NH, NCC pair, the basestation derives keying information using the NH, NCC pair for future use in deriving keys.

Abstract: A method and arrangements for enabling authentication of a communication device is suggested, where a network node, capable of operating as an authentication server does not have to store all state related information relevant for a roundtrip of an authentication session. Instead of storing all this information, at least a part of it is provided to the authenticator or the communication unit, for later retrieval in a subsequent response. Based on the state related information provided in the response, the network node is capable of reproducing a state associated with a respective roundtrip. By repeating the mentioned process for a required number of roundtrips, an authentication session can be executed, where less state related information need to be stored at the mentioned network node.

Abstract: A terminal device, for example a 3GPP Proximity Services (ProSe)-enabled user equipment, obtains imprecise location information relating to a location of the terminal device, and transmits a proximity service discovery message, wherein the discovery message includes the imprecise location information. A second terminal device, again for example a 3GPP Proximity Services (ProSe)-enabled user equipment, receives a proximity service discovery message containing location information. The second terminal device obtains location information relating to its location, and calculates a distance from the location indicated by the location information in the received discovery message to its location. The second terminal device acts on the received discovery message only if the calculated distance is less than a predetermined distance.

Abstract: This relates to wireless communications, and in particular to the generation of keying material for security purposes. In particular, A method of performing authentication for a user terminal. The method comprises performing an Authentication and Key Agreement procedure for authenticating the user terminal in a cellular access network, wherein a core network of the cellular network comprises a Home Subscriber Server; determining in a Bootstrapping Server Function that the user terminal requires keying material for use outside the cellular access network. The method also comprises transferring authentication information directly from the Home Subscriber Server to the Bootstrapping Server Function; and generating session keys in the Bootstrapping Server Function using said authentication information, wherein said session keys are also generated in the user terminal.

Abstract: Integrity protection is activated for user plane data transferred between a network node and a terminal device of the cellular communications network. The activation can be initiated by the terminal device sending a request message to a second network node. Thus, a UE, such as a Cellular IoT UE, and a network node such as a SGSN are able to use LLC layer integrity protection for both control plane and user plane data.

Abstract: A method and arrangements for enabling authentication of a communication device is suggested, where a network node, capable of operating as an authentication server does not have to store all state related information relevant for a roundtrip of an authentication session. Instead of storing all this information, at least a part of it is provided to the authenticator or the communication unit, for later retrieval in a subsequent response. Based on the state related information provided in the response, the network node is capable of reproducing a state associated with a respective roundtrip. By repeating the mentioned process for a required number of roundtrips, an authentication session can be executed, where less state related information need to be stored at the mentioned network node.

Abstract: A user equipment (18) is configured to receive an extensible authentication protocol, EAP, request (28) from a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18). The secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18). The user equipment (18) is also configured to, responsive to the EAP request (28), transmit an EAP response (30) to the SMF (14).

Abstract: A method, performed by a User Equipment device, UE, for obtaining a key for direct communication with a device over an air interface, wherein the UE has previously acquired a transaction identifier received from a Bootstrapping Server Function, BSF, in a Generic Bootstrapping Architecture, GBA, procedure, is provided. The method comprises storing the transaction identifier, sending the transaction identifier to the device and requesting key generation for direct communication with the device. If the transaction identifier is invalid, the method further comprises receiving from the device a device identifier and key generation information, deriving a session shared key from at least the key generation information, and deriving a direct communication key from at least the session shared key and the device identifier.

Abstract: A method, performed by a User Equipment device (UE), for obtaining a key for direct communication with a device over an air interface, wherein the UE has previously acquired a transaction identifier received from a Bootstrapping Server Function (BSF), in a Generic Bootstrapping Architecture (GBA), procedure, is provided. The method comprises storing the transaction identifier, sending the transaction identifier to the device and requesting key generation for direct communication with the device. If the transaction identifier is invalid, the method further comprises receiving from the device a device identifier and key generation information, deriving a session shared key from at least the key generation information, and deriving a direct communication key from at least the session shared key and the device identifier.

Abstract: A device receives a privacy template from a network node. The device forms a temporary privacy mask using a time-varying value and the privacy template; and encrypts a code value using the temporary privacy mask. The device transmits the encrypted code value. A receiving device receives an encrypted code value, and forms a temporary privacy mask using a time-varying value and a privacy template that it has also received from a network node. The receiving device is then able to decrypt the code value using the temporary privacy mask. The code may identify an individual or a group, and may be protected using a privacy template that is specific to the individual or to the group.