Patents by Inventor Vlasios Tsiatsis

Vlasios Tsiatsis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12634688
    Abstract: Initiating primary reauthentication of a communication device by a home network (UDM or AUSF) is provided. A trigger to initiate a primary reauthentication request of a communication device is detected. An authentication status of the subscription permanent identifier (SUPI) of the communication device is checked. Responsive to the authentication status of the SUPI being obsolete or null, a reauthentication message is transmitted towards an access and mobility management function (AMF) node. A reauthentication confirmation message is received. A determination is made as to whether to continue, abort, or postpone any steering of roaming (SoR) updates, any user equipment parameter updates (UPU updates) or any authentication and key agreement for applications (AKMA) procedures based on the reauthentication confirmation message.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: May 19, 2026
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: David Castellanos Zamora, Helena Vahidi Mazinani, Vlasios Tsiatsis, Jesus Angel De Gregorio Rodriguez
  • Patent number: 12568367
    Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and when the response comprises an authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.
    Type: Grant
    Filed: November 11, 2021
    Date of Patent: March 3, 2026
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Cheng Wang, David Castellanos Zamora, Vlasios Tsiatsis
  • Publication number: 20260012786
    Abstract: A method performed by a Unified Data Management (UDM) comprises determining that a user equipment (UE) has been registered in the UDM by an Access and Mobility Management Function (AMF), in response to the determination, sending a request message to the AMF to initiate a primary authentication procedure for the UE, wherein the request message includes a subscription permanent identifier (SUPI) associated with the UE, and receiving a response message from the AMF based on the request message, wherein the response message indicates an authentication status of the UE.
    Type: Application
    Filed: October 3, 2023
    Publication date: January 8, 2026
    Inventors: David Castellanos Zamora, Vlasios Tsiatsis, Cheng Wang, Jesús Ángel De Gregorio Rodriguez, Vesa Lehtovirta
  • Publication number: 20250392907
    Abstract: A network node (26, 400) is configured for use in a wireless communication network (10). The network node (26, 400) receives a request to establish a session (14-1) for a device (12-1) in a group (18), e.g., a 5G Local Area Network group (18). The network node (26, 400) determines a user plane security policy (24-1) for the session (14-1), based on a user plane security policy (28) for the group (18). The user plane security policy (28) for the group (18) may specify a policy for securing a user plane path of a session for any device in the group (18). The network node (26, 400) may then transmit, to an access node of the wireless communication network (10), control signaling indicating the determined user plane security policy (24-1).
    Type: Application
    Filed: May 13, 2025
    Publication date: December 25, 2025
    Inventors: Vlasios Tsiatsis, Noamen Ben Henda, Monica Wifvesson
  • Patent number: 12470919
    Abstract: Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.
    Type: Grant
    Filed: July 26, 2022
    Date of Patent: November 11, 2025
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vlasios Tsiatsis, Cheng Wang, David Castellanos ZAMORA
  • Patent number: 12348967
    Abstract: A user equipment (“UE”) in a wireless communication network can receive a plurality of signals from a plurality of nodes. The UE can further determine a plurality of radio signal strength measurements. Each radio signal strength measurement can be associated with a signal of the plurality of signals received from the plurality of nodes. The UE can further determine whether there is an indication that a first node of the plurality of nodes may be an imposter node based on the plurality of radio signal strength measurements.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: July 1, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vlasios Tsiatsis, Prajwol Kumar Nakarmi
  • Patent number: 12328571
    Abstract: A network node (26, 400) is configured for use in a wireless communication network (10). The network node (26, 400) receives a request to establish a session (14-1) for a device (12-1) in a group (18), e.g., a 5G Local Area Network group (18). The network node (26, 400) determines a user plane security policy (24-1) for the session (14-1), based on a user plane security policy (28) for the group (18). The user plane security policy (28) for the group (18) may specify a policy for securing a user plane path of a session for any device in the group (18). The network node (26, 400) may then transmit, to an access node of the wireless communication network (10), control signaling indicating the determined user plane security policy (24-1).
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: June 10, 2025
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vlasios Tsiatsis, Noamen Ben Henda, Monica Wifvesson
  • Publication number: 20250150823
    Abstract: Embodiments include methods performed by a user equipment (UE) configured with a client for an edge data network. Such methods include sending, to a server in the edge data network, a first message that includes one of the following contents: at least one pre-shared key (PSK) identity hint that is supported by the UE and the UE's home public land mobile network (HPLMN), and one or more security key identifiers corresponding to respective one or more of a plurality of authentication procedures supported by at least the HPLMN; an indication of the UE's HPLMN; all valid PSK identity hints, and the one or more security key identifiers; or all valid PSK identity hints, and the indication of the HPLMN. Such methods also include receiving from the server a second message that includes one of the following contents: all valid PSK identity hints; or a PSK identity hint that is supported by at least the UE's HPLMN.
    Type: Application
    Filed: February 3, 2023
    Publication date: May 8, 2025
    Inventors: David Castellanos Zamora, Vlasios Tsiatsis, Cheng Wang, Monica Wifvesson, Ferhat Karakoc
  • Publication number: 20250133397
    Abstract: Systems and methods for Generic Bootstrapping Authentication (GBA) are disclosed herein. A method performed by a User Equipment (UE) for GBA may include: communicating, at a GBA application, with a network node to run a GBA procedure during which the GBA application obtains a key, Ks, and a Bootstrapping Transaction Identifier (B-TID); providing to the GBA application, at an application, an application key request, the request including a Network Application Function (NAF) identifier; at the GBA application: verifying that the application is entitled to use a NAF corresponding to the NAF identifier; and responsive to successful verification: deriving the application key for the application based on the key, Ks, the NAF identifier, and an additional parameter generated by the GBA application or an application identifier; and sending a response to the application; and receiving, at the application, the response from the GBA application.
    Type: Application
    Filed: September 19, 2022
    Publication date: April 24, 2025
    Inventors: Cheng Wang, David CASTELLANOS ZAMORA, Ferhat Karakoc, Vlasios Tsiatsis
  • Publication number: 20250047659
    Abstract: Embodiments of the present disclosure include methods for a client in an edge data network. Such methods include obtaining an initial access credential before accessing the edge data network. The initial access credential includes or is based on one or more of the following: an indication that the client is a legitimate client, and a client type associated with the client. Such methods include establishing a first connection with a server of the edge data network based on transport layer security (TLS); authenticating the server via the first connection based on a server certificate; and providing the initial access credential to the server, via the first connection, for authentication of the client. Other embodiments include complementary methods for a server and for a credential provider, as well as UEs, network nodes, and/or computing systems configured to perform such methods.
    Type: Application
    Filed: October 28, 2022
    Publication date: February 6, 2025
    Inventors: Christine Jost, Cheng Wang, Ferhat Karakoc, Vlasios Tsiatsis, Wenliang Xu
  • Patent number: 12185176
    Abstract: In a wireless communication network implementing network slicing (NS), an Initial Access and Mobility Management Function (AMF) for a user equipment (UE) in one NS is able to re-allocate a UE to a Target AMF in a different NS, despite not being able to directly communicate with the Target AMF due to NS security restrictions. In a first embodiment, the Initial AMF transfers the UE context—including its security context—to a Default AMF. The Default AMF has the capability to communicate with network functions in different NSes. The Default AMF transfers the UE context to the Target AMF. In a second embodiment, a security key Kamf' is horizontally derived in a manner that avoids NS security conflicts. The derived key is transferred to the UE and Target AMF, which establish a security context. In a third embodiment, the Initial AMF allocates a Token, and transfers it, along with the UE security context (directly or via RAN) to the Default AMF. The Default AMF then transfers the security context to the Target AMF.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: December 31, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Monica Wifvesson, Vlasios Tsiatsis, Peter Hedman
  • Publication number: 20240357355
    Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA, AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID, KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.
    Type: Application
    Filed: August 9, 2022
    Publication date: October 24, 2024
    Inventors: Ferhat Karakoc, Cheng Wang, David CASTELLANOS ZAMORA, Vlasios Tsiatsis
  • Publication number: 20240356742
    Abstract: Systems and methods are disclosed herein that relate to verifying that a particular Application Function (AF) is authorized to use a particular AF ID in association with an Authentication and Key Management for Applications (AKMA) related procedure in a core network of a cellular communications system. In one embodiment, a method performed by an AKMA Anchor Function (AAnF) in a core network of the cellular communications system for generating a shared secret key for AKMA comprises receiving, directly or indirectly from an AF, a request for a shared secret key for AKMA, the request comprising an AF ID. The method further comprises determining whether the AF is authorized to use the AF ID and performing one or more actions based on a result of determining whether the AF (404) is authorized to use the AF ID.
    Type: Application
    Filed: July 15, 2022
    Publication date: October 24, 2024
    Inventors: Vlasios Tsiatsis, Cheng Wang, Christine Jost, Songmao Li, Helena Vahidi Mazinani
  • Patent number: 12069471
    Abstract: The AMF re-allocation procedure for an Initiating AMF that has reroute capability via an Access Network (AN) is optimized in scenarios where a wireless device, such as a User Equipment (UE), already shares a 5G security context with a Last Serving AMF that is different from the Initiating AMF, and where the Initiating AMF and the Last Serving AMF can communicate with each other via an interface.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: August 20, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Peter Hedman, Vlasios Tsiatsis, Monica Wifvesson, Qian Chen, Noamen Ben Henda, Ivo Sedlacek
  • Publication number: 20240276217
    Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.
    Type: Application
    Filed: April 8, 2022
    Publication date: August 15, 2024
    Inventors: Cheng Wang, Ferhat Karakoc, Christine Jost, Vlasios Tsiatsis, David CASTELLANOS ZAMORA, Wenliang Xu
  • Publication number: 20240244435
    Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.
    Type: Application
    Filed: April 14, 2022
    Publication date: July 18, 2024
    Inventors: Christine Jost, Noamen Ben Henda, David Castellanos Zamora, Peter Hedman, Ivo Sedlacek, Vlasios Tsiatsis, Monica Wifvesson
  • Publication number: 20240129731
    Abstract: A core network node (16) is configured for use in a wireless communication network (10). The core network node (16) receives a registration request (14) that requests registration of a wireless device (12) with the wireless communication network (10). The core network node (16) protects a security context (20) shared between the wireless device (12) and the core network node (16), e.g., including encrypting the security context (20). The core network node (16) transmits, to a radio network node (23) in the wireless communication network (10), signaling (24) that includes the registration request (14) and the protected security context (20P). In some embodiments, the signaling (24) indicates the registration request (14) and the protected security context (20P) are to be re-routed to a target core network node (18) in the wireless communication network (10).
    Type: Application
    Filed: February 22, 2022
    Publication date: April 18, 2024
    Inventors: Vlasios Tsiatsis, Monica Wifvesson
  • Publication number: 20240080664
    Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and when the response comprises an authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.
    Type: Application
    Filed: November 11, 2021
    Publication date: March 7, 2024
    Inventors: Cheng Wang, David CASTELLANOS ZAMORA, Vlasios Tsiatsis
  • Patent number: 11917412
    Abstract: A UE having a security context with an Initial AMF is able to accept an unprotected AUTHRQ, under certain circumstances, for a limited time. In one embodiment, a UE considers the security context to be temporary, which invokes rules or exceptions different than a permanent security context, such as the acceptance of an unprotected AUTHRQ from a Target AMF. The network may indicate to the UE the temporary status, or the UE may assume it. Alternatively, the UE may enable exceptions to the defined rules associated with the security context. In one embodiment, the UE receives a plurality of partial registration acceptance messages, each indicating a specific task or aspect of the overall registration has been completed. The UE may mark its security context temporary, or enable exceptions to the rules associated with it, until a partial registration acceptance message indicates AMF re-allocation is complete or is not required.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: February 27, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vlasios Tsiatsis, Qian Chen, Noamen Ben Henda, Ivo Sedlacek, Monica Wifvesson
  • Publication number: 20240064510
    Abstract: A method performed by an application function (AF) associated with a communication network is provided. The method comprises sending, to a network function (NF) of the communication network, a key request for a security key (KAF) associated with an application session between the AF and a user equipment (UE), wherein the key request includes one of the following: a request for a first identifier of the UE, or a second identifier of the UE. The method further comprises receiving, from the NF, a response that includes the security key (KAF) and one of the following: the first identifier, or a response code associated with the second identifier or the first identifier. The method further comprises authenticating the UE for the application session based on the response.
    Type: Application
    Filed: December 15, 2021
    Publication date: February 22, 2024
    Inventors: Ferhat Karakoc, Christine Jost, Cheng Wang, Vesa Lehtovirta, Vlasios Tsiatsis