Abstract: In some implementations, a policy control function (PCF) device may receive a PCF device key uniquely associated with a user equipment (UE). The PCF device may generate an integrity key and an encryption key based on the PCF device key and an identifier of the PCF device. The PCF device may generate, based on the integrity key, integrity data associated with policy information related to the UE. The PCF device may encrypt, based on the encryption key, the policy information to generate encrypted policy information. The PCF device may send, for the UE, a UE policy message indicating the integrity data, the encrypted policy information, and the identifier of the PCF device.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: A device described herein may establish a communication session with a first Security Edge Protection Proxy (“SEPP”) of a first network, and further with a second SEPP of a second network. The device may be or may implement an intermediary gateway between the SEPPs. The communication session may be associated with an N32-F interface that includes the SEPPs, the intermediary gateway, and one or more other intermediary gateways. The device may receive traffic from the first SEPP, and may determine that the traffic satisfies one or more error conditions. The device may identify an error reporting policy associated with the identified error condition, and may output, to the first SEPP and/or to the second SEPP (e.g., in accordance with the error reporting policy), an indication that the traffic satisfies the one or more error conditions.

Abstract: A device may include a processor. The processor may be configured to: receive, from a User Equipment device (UE) over a wireless connection, a request to enroll an application installed on the UE to receive a service from a network slice; select a network slice to provide the service to the application on the UE; bind the application on the UE to the selected network slice; and send an enrollment reply to the UE. The processor may perform a dynamic, short-term application enrollment or a long-term application enrollment, to enable the application to access the service.

Abstract: A method, a network device, and a non-transitory computer-readable storage medium are described in relation to an application authorization service. The application authorization service may be performed at an end device and invoked responsive to the launching of an application. The application authorization service may include validating an application certificate associated with the application, validating an attestation value, and validating a token provided by the application. The application may provide a request that includes an application identifier and a token. The application may be granted access to a network or denied access depending on the outcome of the validation procedures. The granted access may include assignment of a network slice. The application certificate, a secured token, and a secured attestation value may be stored in a secure environment at the end device and used for validation procedures.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: A system described herein may maintain a set of policies associated with accessing a radio access network (“RAN”), may receive a request for a particular network function (“NF”) to access the RAN, and may determine, based on the set of policies and information included in the request, whether to grant the request to access the RAN. The system may establish, when determining that the request should be granted, connectivity between the particular NF and the RAN, where establishing the connectivity includes assigning a particular address to the particular NF, routing traffic, addressed to the particular address, to the particular NF, routing traffic, received from the particular NF, to the RAN. The system may forgo establishing connectivity between the particular NF and the RAN when determining that the request should not be granted. The RAN may include an Open RAN (“O-RAN”).

Abstract: In some implementations, a policy control function (PCF) device may receive a PCF device key uniquely associated with a user equipment (UE). The PCF device may generate an integrity key and an encryption key based on the PCF device key and an identifier of the PCF device. The PCF device may generate, based on the integrity key, integrity data associated with policy information related to the UE. The PCF device may encrypt, based on the encryption key, the policy information to generate encrypted policy information. The PCF device may send, for the UE, a UE policy message indicating the integrity data, the encrypted policy information, and the identifier of the PCF device.

Abstract: In some implementations, an key management server function (KMSF) may generate a security policy, wherein the security policy is an application function (AF)-specific security policy or a network function (NF)-specific security policy. The KMSF may transmit, to one of an AF or an NF, the security policy, wherein the AF-specific security policy is associated with a derivation of an AF-specific session key, or the NF-specific security policy is associated with a derivation of an NF-specific session key.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: A method may include receiving, at a network device, a registration request that comprises a subscription concealed identifier (SUCI) associated with a particular user equipment (UE) device. The network device determines whether the SUCI indicates a request for null-scheme network access; and retrieves a scheme authorization parameter for the UE device when it is determined that the SUCI indicates a request for null-scheme network access. The scheme authorization parameter indicates whether the UE device is authorized for null-scheme access to a service provider network. The network device determines whether the UE device is authorized for null-scheme network access based on the retrieved scheme authorization parameter and performs processing associated with null-scheme network access when it is determined that the particular UE device is authorized for null-scheme network access.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: Systems and methods described herein enforce access controls for network slices via proxy in a secure enclave of a user equipment (UE) device. A UE device executes, in a rich execution environment (REE), a function or application designated for using one or more secure network slices of a telecommunications network. The UE device executes, in a trusted execution environment (TEE), a slice admission control proxy (SACP) to perform admission control for the one or more secure network slices, and forces network traffic for the function or application through the SACP.

Abstract: A network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: Systems and methods enable the provisioning of security as a service for network slices. A network device stores definitions of multiple security assurance levels for network slices based on security parameters of assets used in the network slices. The network device stores multiple network slice templates, wherein the multiple network slice templates have different security assurance levels, of the multiple security assurance levels, for a Network Service Descriptor (NSD). The network device receives a request for a network slice with a requested security assurance level, of the multiple security assurance levels, for the NSD, and deploys the network slice using one of the network slice templates that has a security assurance level that corresponds to the requested security assurance level. The network device monitors the security parameters of the assets of the network slice for changes to the security assurance level of the deployed network slice.

Abstract: A device may receive, from a network device, a user equipment (UE) parameter update request notification indicating an update to a UE parameter of a universal subscriber identity module (USIM), and may generate an encrypted UE parameter update request. The device may cause the encrypted UE parameter update request to be provided to the USIM to cause the USIM to update the UE parameter and to generate an encrypted UE parameter update response. The device may receive, from the network device, the encrypted UE parameter update response, and may verify an authenticity of content of the encrypted UE parameter update response based on whether the encrypted UE parameter update response is signed by the USIM. The device may provide, to the network device, a result indicating whether the UE parameter is updated and whether the authenticity of the content of the encrypted UE parameter update response is verified.

Abstract: Systems and methods described herein enforce access controls for network slices via proxy in a secure enclave of a user equipment (UE) device. A UE device executes, in a rich execution environment (REE), a function or application designated for using one or more secure network slices of a telecommunications network. The UE device executes, in a trusted execution environment (TEE), a slice admission control proxy (SACP) to perform admission control for the one or more secure network slices, and forces network traffic for the function or application through the SACP.

Abstract: A method performed by a STA may comprise receiving a frame, from a first AP including an indication of a configuration change counter (CCC) associated with a second AP. The CCC may be an unsigned integer that increments when an update to one or more AP parameters of the second AP has occurred. The method may further comprise establishing a first wireless link with the first AP and establishing a master key via at least the first wireless link.

Abstract: A telecommunications network includes a serving network and a home network. In some examples the serving network receives, from the home network, identity data associated with a network terminal. The serving network determines a tied key using a tying key derivation function (TKDF) based on the identity data, then prepares an authentication request based on the tied key and sends the request to the terminal. In some examples, the home network receives the identity data from the access network and determines a tied key using a TKDF. The home network then determines a confirmation message based on the first tied key. In some examples, the serving network receives the identity data from the home network, and receives a network-slice selector associated with the network terminal. The serving network determines a tied key using a TKDF based on the identity data and the network-slice selector.