Patents by Inventor Vlasios Tsiatsis
Vlasios Tsiatsis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12328571
  Abstract: A network node (26, 400) is configured for use in a wireless communication network (10). The network node (26, 400) receives a request to establish a session (14-1) for a device (12-1) in a group (18), e.g., a 5G Local Area Network group (18). The network node (26, 400) determines a user plane security policy (24-1) for the session (14-1), based on a user plane security policy (28) for the group (18). The user plane security policy (28) for the group (18) may specify a policy for securing a user plane path of a session for any device in the group (18). The network node (26, 400) may then transmit, to an access node of the wireless communication network (10), control signaling indicating the determined user plane security policy (24-1).
  Type: Grant
  Filed: January 21, 2020
  Date of Patent: June 10, 2025
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Vlasios Tsiatsis, Noamen Ben Henda, Monica Wifvesson
- Publication number: 20250150823
  Abstract: Embodiments include methods performed by a user equipment (UE) configured with a client for an edge data network. Such methods include sending, to a server in the edge data network, a first message that includes one of the following contents: at least one pre-shared key (PSK) identity hint that is supported by the UE and the UE's home public land mobile network (HPLMN), and one or more security key identifiers corresponding to respective one or more of a plurality of authentication procedures supported by at least the HPLMN; an indication of the UE's HPLMN; all valid PSK identity hints, and the one or more security key identifiers; or all valid PSK identity hints, and the indication of the HPLMN. Such methods also include receiving from the server a second message that includes one of the following contents: all valid PSK identity hints; or a PSK identity hint that is supported by at least the UE's HPLMN.
  Type: Application
  Filed: February 3, 2023
  Publication date: May 8, 2025
  Inventors: David Castellanos Zamora, Vlasios Tsiatsis, Cheng Wang, Monica Wifvesson, Ferhat Karakoc
- Publication number: 20250133397
  Abstract: Systems and methods for Generic Bootstrapping Authentication (GBA) are disclosed herein. A method performed by a User Equipment (UE) for GBA may include: communicating, at a GBA application, with a network node to run a GBA procedure during which the GBA application obtains a key, Ks, and a Bootstrapping Transaction Identifier (B-TID); providing to the GBA application, at an application, an application key request, the request including a Network Application Function (NAF) identifier; at the GBA application: verifying that the application is entitled to use a NAF corresponding to the NAF identifier; and responsive to successful verification: deriving the application key for the application based on the key, Ks, the NAF identifier, and an additional parameter generated by the GBA application or an application identifier; and sending a response to the application; and receiving, at the application, the response from the GBA application.
  Type: Application
  Filed: September 19, 2022
  Publication date: April 24, 2025
  Inventors: Cheng Wang, David Castellanos Zamora, Ferhat Karakoc, Vlasios Tsiatsis
- Publication number: 20250047659
  Abstract: Embodiments of the present disclosure include methods for a client in an edge data network. Such methods include obtaining an initial access credential before accessing the edge data network. The initial access credential includes or is based on one or more of the following: an indication that the client is a legitimate client, and a client type associated with the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS); authenticating the server via the first connection based on a server certificate; and providing the initial access credential to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods for a server and for a credential provider, as well as UEs, network nodes, and/or computing systems configured to perform such methods.
  Type: Application
  Filed: October 28, 2022
  Publication date: February 6, 2025
  Inventors: Christine Jost, Cheng Wang, Ferhat Karakoc, Vlasios Tsiatsis, Wenliang Xu
- Patent number: 12185176
  Abstract: In a wireless communication network implementing network slicing (NS), an Initial Access and Mobility Management Function (AMF) for a user equipment (UE) in one NS is able to re-allocate a UE to a Target AMF in a different NS, despite not being able to directly communicate with the Target AMF due to NS security restrictions. In a first embodiment, the Initial AMF transfers the UE context, including its security context, to a Default AMF. The Default AMF has the capability to communicate with network functions in different NSes. The Default AMF transfers the UE context to the Target AMF. In a second embodiment, a security key Kamf' is horizontally derived in a manner that avoids NS security conflicts. The derived key is transferred to the UE and Target AMF, which establish a security context. In a third embodiment, the Initial AMF allocates a Token, and transfers it, along with the UE security context (directly or via RAN), to the Default AMF. The Default AMF then transfers the security context to the Target AMF.
  Type: Grant
  Filed: August 14, 2020
  Date of Patent: December 31, 2024
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Monica Wifvesson, Vlasios Tsiatsis, Peter Hedman
- Publication number: 20240357355
  Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA, AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID, KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.
  Type: Application
  Filed: August 9, 2022
  Publication date: October 24, 2024
  Inventors: Ferhat Karakoc, Cheng Wang, David Castellanos Zamora, Vlasios Tsiatsis
- Publication number: 20240356742
  Abstract: Systems and methods are disclosed herein that relate to verifying that a particular Application Function (AF) is authorized to use a particular AF ID in association with an Authentication and Key Management for Applications (AKMA) related procedure in a core network of a cellular communications system. In one embodiment, a method performed by an AKMA Anchor Function (AAnF) in a core network of the cellular communications system for generating a shared secret key for AKMA comprises receiving, directly or indirectly from an AF, a request for a shared secret key for AKMA, the request comprising an AF ID. The method further comprises determining whether the AF is authorized to use the AF ID and performing one or more actions based on a result of determining whether the AF (404) is authorized to use the AF ID.
  Type: Application
  Filed: July 15, 2022
  Publication date: October 24, 2024
  Inventors: Vlasios Tsiatsis, Cheng Wang, Christine Jost, Songmao Li, Helena Vahidi Mazinani
- Patent number: 12069471
  Abstract: The AMF re-allocation procedure for an Initiating AMF that has reroute capability via an Access Network (AN) is optimized in scenarios where a wireless device, such as a User Equipment (UE), already shares a 5G security context with a Last Serving AMF that is different from the Initiating AMF, and where the Initiating AMF and the Last Serving AMF can communicate with each other via an interface.
  Type: Grant
  Filed: June 12, 2020
  Date of Patent: August 20, 2024
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Peter Hedman, Vlasios Tsiatsis, Monica Wifvesson, Qian Chen, Noamen Ben Henda, Ivo Sedlacek
- Publication number: 20240276217
  Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.
  Type: Application
  Filed: April 8, 2022
  Publication date: August 15, 2024
  Inventors: Cheng Wang, Ferhat Karakoc, Christine Jost, Vlasios Tsiatsis, David Castellanos Zamora, Wenliang Xu
- Publication number: 20240244435
  Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.
  Type: Application
  Filed: April 14, 2022
  Publication date: July 18, 2024
  Inventors: Christine Jost, Noamen Ben Henda, David Castellanos Zamora, Peter Hedman, Ivo Sedlacek, Vlasios Tsiatsis, Monica Wifvesson
- Publication number: 20240129731
  Abstract: A core network node (16) is configured for use in a wireless communication network (10). The core network node (16) receives a registration request (14) that requests registration of a wireless device (12) with the wireless communication network (10). The core network node (16) protects a security context (20) shared between the wireless device (12) and the core network node (16), e.g., including encrypting the security context (20). The core network node (16) transmits, to a radio network node (23) in the wireless communication network (10), signaling (24) that includes the registration request (14) and the protected security context (20P). In some embodiments, the signaling (24) indicates that the registration request (14) and the protected security context (20P) are to be re-routed to a target core network node (18) in the wireless communication network (10).
  Type: Application
  Filed: February 22, 2022
  Publication date: April 18, 2024
  Inventors: Vlasios Tsiatsis, Monica Wifvesson
- Publication number: 20240080664
  Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and, when the response comprises an authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.
  Type: Application
  Filed: November 11, 2021
  Publication date: March 7, 2024
  Inventors: Cheng Wang, David Castellanos Zamora, Vlasios Tsiatsis
- Patent number: 11917412
  Abstract: A UE having a security context with an Initial AMF is able to accept an unprotected AUTHRQ, under certain circumstances, for a limited time. In one embodiment, a UE considers the security context to be temporary, which invokes rules or exceptions different from those of a permanent security context, such as the acceptance of an unprotected AUTHRQ from a Target AMF. The network may indicate the temporary status to the UE, or the UE may assume it. Alternatively, the UE may enable exceptions to the defined rules associated with the security context. In one embodiment, the UE receives a plurality of partial registration acceptance messages, each indicating that a specific task or aspect of the overall registration has been completed. The UE may mark its security context temporary, or enable exceptions to the rules associated with it, until a partial registration acceptance message indicates that AMF re-allocation is complete or is not required.
  Type: Grant
  Filed: June 17, 2020
  Date of Patent: February 27, 2024
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Vlasios Tsiatsis, Qian Chen, Noamen Ben Henda, Ivo Sedlacek, Monica Wifvesson
- Publication number: 20240064510
  Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session based on the response.
  Type: Application
  Filed: December 15, 2021
  Publication date: February 22, 2024
  Inventors: Ferhat Karakoc, Christine Jost, Cheng Wang, Vesa Lehtovirta, Vlasios Tsiatsis
- Publication number: 20240064509
  Abstract: A method performed by a wireless device is provided. The method comprises identifying that an Access and Mobility Management Function (AMF) relocation procedure with re-route via a Radio Access Network (RAN) node is being performed for the wireless device, and generating a key associated with a primary authentication of the wireless device. The method further comprises using the key for performing a Non Access Stratum Security Mode Control (NAS SMC) procedure with a first network node operating as a target AMF, wherein the use of the key by the wireless device is restricted such that the wireless device is restricted from using the key for at least one procedure other than the NAS SMC procedure with the first network node operating as the target AMF.
  Type: Application
  Filed: December 20, 2021
  Publication date: February 22, 2024
  Inventors: Prajwol Kumar Nakarmi, Vlasios Tsiatsis, Monica Wifvesson
- Publication number: 20230397007
  Abstract: A communication device establishes a secure connection in a wireless communication network. The communication device communicates a request to use a communication service provided by the wireless communication network, the request including an indication that the communication device can support the requested communication service and an Authentication and Key Management for Applications (AKMA) service provided by the wireless communication network. Responsive to communicating the request, the communication device receives a communication comprising information that indicates whether the requested communication service and the AKMA service can be provided to the communication device to establish the secure connection in the wireless communication network.
  Type: Application
  Filed: August 18, 2021
  Publication date: December 7, 2023
  Inventors: Monica Wifvesson, Vlasios Tsiatsis, John Mattsson
- Publication number: 20230289615
  Abstract: A method in a first node of a communications network for training a machine learning model comprises receiving a first message comprising instructions for training the machine learning model using a distributed learning process. The method then comprises, responsive to receiving the first message, acting as an aggregator in the distributed learning process for a subset of other nodes selected by the first node from a plurality of nodes that have an established radio channel allocation with the first node, by causing the subset of other nodes to perform training on local copies of the machine learning model and aggregating the results of the training by the subset of other nodes.
  Type: Application
  Filed: June 26, 2020
  Publication date: September 14, 2023
  Inventors: Konstantinos Vandikas, Wenfeng Hu, Jalil Taghia, Vlasios Tsiatsis, Selim Ickin, Farnaz Moradi
- Publication number: 20230199486
  Abstract: According to some embodiments, a method performed by a network node capable of operating as an authentication server function (AUSF) comprises generating an anchor key (KAKMA) and a KAKMA key identifier (KAKMA ID) associated with a wireless device and transmitting, to at least one authentication and key management for applications (AKMA) anchor function (AAnF) instance, key material associated with the wireless device.
  Type: Application
  Filed: March 31, 2021
  Publication date: June 22, 2023
  Inventors: Cheng Wang, David Castellanos Zamora, Vlasios Tsiatsis, Helena Vahidi Mazinani
- Patent number: 11638180
  Abstract: Methods, a wireless device (110), a radio network node (120) and a core network node (130) for reservation of bandwidth are disclosed. The wireless device (110) sends (A010), to the core network node (130), an inquiry for reservation of bandwidth. The inquiry comprises information about a route to be travelled by the wireless device (110), a start time, and an indication about the bandwidth to be reserved. The core network node (130) sends (A040), to the radio network node (120), a command for reservation of the bandwidth to be reserved for the wireless device (110). The command comprises the indication, information relating to one or more cells of the radio network node (120) in which bandwidth is to be reserved according to the indication, a parameter indicating a period of time during which the wireless device (110) is expected to make use of at least some of the bandwidth to be reserved, and an identity of the wireless device (110).
  Type: Grant
  Filed: August 16, 2016
  Date of Patent: April 25, 2023
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Jing Fu, Rafia Inam, Vlasios Tsiatsis, Aneta Vulgarakis Feljan
- Publication number: 20230054571
  Abstract: A method performed by a first network node includes transmitting a first subscription request message indicating a request to subscribe to receive notification of changes in an authentication status of a wireless device. A first notification message is received. The first notification message includes an indication of a change in the authentication status of the wireless device.
  Type: Application
  Filed: February 10, 2021
  Publication date: February 23, 2023
  Inventors: Cheng Wang, David Castellanos Zamora, Vlasios Tsiatsis, Helena Vahidi Mazinani