Abstract: A core network node (16) is configured for use in a wireless communication network (10). The core network node (16 receives a registration request (14) that requests registration of a wireless device (12) with the wireless communication network (10). The core network node (16) protects a security context (20) shared between the wireless device (12) and the core network node (16, e.g., including encrypting the security context (20). The core network node (16) transmits, to a radio network node (23) in the wireless communication network (10), signaling (24) that includes the registration request (14) and the protected security context (20P). In some embodiments, the signaling (24) indicates the registration request (14) and the protected security context (20P) are to be re-routed to a target core network node (18) in the wireless communication network (10).

Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and when the response comprises an 5 authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.

Abstract: A UE having a security context with an Initial AMF is able to accept an unprotected AUTHRQ, under certain circumstances, for a limited time. In one embodiment, a UE considers the security context to be temporary, which invokes rules or exceptions different than a permanent security context, such as the acceptance of an unprotected AUTHRQ from a Target AMF. The network may indicate to the UE the temporary status, or the UE may assume it. Alternatively, the UE may enable exceptions to the defined rules associated with the security context. In one embodiment, the UE receives a plurality of partial registration acceptance messages, each indicating a specific task or aspect of the overall registration has been completed. The UE may mark its security context temporary, or enable exceptions to the rules 10 associated with it, until a partial registration acceptance messages indicates AMF re-allocation is complete or is not required.

Abstract: A method performed by a wireless device is provided. The method comprises identifying that an Access and Mobility Management Function (AMF) relocation procedure with re-route via a Radio Access Network (RAN) node is being performed for the wireless device and generating a key associated with a primary authentication of the wireless device. The method further comprises using the key for performing a Non Access Stratum Security Mode Control (NAS SMC) procedure with a first network node operating as a target AMF, and wherein the use of the key by the wireless node is restricted such that the wireless device is restricted from using the key for at least one procedure other than the NAS SMS procedure with the first network node operating as the target AMF.

Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between 5 the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session 0 based on the response.

Abstract: A method performed by a target network node for interworking handover from an evolved packet system, EPS, to a fifth generation system, 5GS, in a mobile network is provided. The method includes receiving, from a source network node, a determined user plane, UP, encryption policy. The method further includes providing the determined UP encryption policy to a target radio access network node. Corresponding embodiments for methods performed by a source network node and a first target network node are also provided.

Abstract: A communication device establishes a secure connection in a wireless communication network. The communication device communicates a request to use a communication service provided by the wireless communication network, the request including an indication that the communication device can support the requested communication service and an Authentication and Key Management for Applications (AKMA) service provided by the wireless communication network. Responsive to communicating the request, the communication device receives a communication comprising information that indicates whether the requested communication service and the AKMA service can be provided to the communication device to establish the secure connection in the wireless communication network.

Abstract: A method in a first node of a communications network for training a machine learning model comprises receiving a first message comprising instructions for training the machine learning model using a distributed learning process. The method then comprises responsive to receiving the first message, acting as an aggregator in the distributed learning process for a subset of other nodes selected by the first node from a plurality of nodes that have an established radio channel allocation with the first node, by causing the subset of other nodes to perform training on local copies of the machine learning model and aggregating the results of the training by the subset of other nodes.

Abstract: According to some embodiments, a method performed by a network node capable of operating as an authentication server function (AUSF) comprises generating an anchor key (KAKMA) and a KAKMA key identifier (KAKMA ID) associated with a wireless device and transmitting, to at least one authentication and key management for applications (AKMA) anchor function (AAnF) instance, key material associated with the wireless device.

Abstract: Methods, a wireless device (110), a radio network node (120) and a core network node (130) for reservation of bandwidth are disclosed. The wireless device (110) sends (A010), to the core network node (130), an inquiry for reservation of bandwidth. The inquiry comprises information about a route to be travelled by the wireless device (110), a start time, and an indication about the bandwidth to be reserved. The core network node (130) sends (A040), to the radio network node (120), a command for reservation of the bandwidth to be reserved for the wireless device (110). The command comprises the indication, information relating to one or more cells of the radio network node (120), in which one or more cells bandwidth is to be reserved according to the indication, a parameter indicating a period of time during which the wireless device (110) is expected to make use of at least some of the bandwidth to be reserved, and an identity of the wireless device (110).

Abstract: A method performed by a first network node includes transmitting a first subscription request message indicating a request to subscribe to receive notification of changes in an authentication status of a wireless device. A first notification message is received. The first notification message includes an indication of a change in the authentication status of the wireless device.

Abstract: Initiating primary reauthentication of a communication device by a home network (UDM or AUSF) is provided. A trigger to initiate a primary reauthentication request of a communication device is detected. An authentication status of the subscription permanent identifier (SUPI) of the communication device is checked. Responsive to the authentication status of the SUPI being obsolete or null, a reauthentication message is transmitted towards an access and mobility management function (AMF) node. A reauthentication confirmation message is received. A determination is made as to whether to continue, abort, or postpone any steering of roaming (SoR) updates, any user equipment parameter updates (UPU updates) or any authentication and key agreement for applications (AKMA) procedures based on the reauthentication confirmation message.

Abstract: A method and a traffic control entity (100) for controlling a group of vehicles (104) capable of autonomous driving without requiring a driver, to allow an emergency vehicle (102) to pass the group of vehicles (104) which are travelling concurrently in multiple lanes on a road. When detecting that the emergency vehicle (102) is approaching the group of vehicles (104) e.g. from behind, the vehicles in the group (104) are identified based on information (108) about current position and movement of the vehicles (104). The traffic control entity (100) then issues a command (106) instructing the identified vehicles to adjust their lateral positions relative the lanes to create a passage along the group of vehicles (104). Thereby, the emergency vehicle (102) is able to move through the passage without having to slow down significantly.

Abstract: A user equipment (“UE”) in a wireless communication network can receive a plurality of signals from a plurality of nodes. The UE can further determine a plurality of radio signal strength measurements. Each radio signal strength measurement can be associated with a signal of the plurality of signals received from the plurality of nodes. The UE can further determine whether there is an indication that a first node of the plurality of nodes may be an imposter node based on the plurality of radio signal strength measurements.

Abstract: Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.

Abstract: In a wireless communication network implementing network slicing (NS), an Initial Access and Mobility Management Function (AMF) for a user equipment (UE) in one NS is able to re-allocate a UE to a Target AMF in a different NS, despite not being able to directly communicate with the Target AMF due to NS security restrictions. In a first embodiment, the Initial AMF transfers the UE context—including its security context—to a Default AMF. The Default AMF has the capability to communicate with network functions in different NSes. The Default AMF transfers the UE context to the Target AMF. In a second embodiment, a security key Kamf? is horizontally derived in a manner that avoids NS security conflicts. The derived key is transferred to the UE and Target AMF, which establish a security context. In a third embodiment, the Initial AMF allocates a Token, and transfers it, along with the UE security context (directly or via RAN) to the Default AMF. The Default AMF then transfers the security context to the Target AMF.

Abstract: The AMF re-allocation procedure for an Initiating AMF that has reroute capability via an Access Network (AN) is optimized in scenarios where a wireless device, such as a User Equipment (UE), already shares a 5G security context with-in a Last Serving AMF that is different from the Initiating AMF, and where the Initiating AMF and the Last Serving AMF can communicate with each other via an interface.

Abstract: A UE having a security context with an Initial AMF is able to accept an unprotected AUTHRQ, under certain circumstances, for a limited time. In one embodiment, a UE considers the security context to be temporary, which invokes rules or exceptions different than a permanent security context, such as the acceptance of an unprotected AUTHRQ from a Target AMF. The network may indicate to the UE the temporary status, or the UE may assume it. Alternatively, the UE may enable exceptions to the defined rules associated with the security context. In one embodiment, the UE receives a plurality of partial registration acceptance messages, each indicating a specific task or aspect of the overall registration has been completed. The UE may mark its security context temporary, or enable exceptions to the rules 10 associated with it, until a partial registration acceptance messages indicates AMF re-allocation is complete or is not required.

Abstract: The embodiments herein relate to a method performed by a UE (103) for handling SI. The UE obtains one or multiple public keys for SI signature verification. Each of the one or multiple public keys is associated with a validity area of an access network where the public key is valid. The UE obtains a SI together with a SI signature from a network node (101) covering a cell. The SI comprises area identification information. The UE determines (103), based on the area identification information comprised in the SI, the validity area that the cell belongs to and the corresponding public key. The UE (103) verifies the SI signature using the determined corresponding public key.

Abstract: Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.