TW202249508A - Security handling of 5gs to epc reselection - Google Patents


Info

Publication number
TW202249508A
Authority
TW
Taiwan
Prior art keywords
security context
tau request
mapped
network entity
context
Prior art date
Application number
TW111117824A
Other languages
Chinese (zh)
Inventor
多明尼克法蘭柯伊斯 布萊山尼利
歐薩瑪 羅特法拉
柯格爾 提納
阿布希雪克 巴特納卡
維塔立 德拉布金
雷納吉納維夫 千波寧瑞
Original Assignee
美商高通公司
Priority claimed from US17/662,978 external-priority patent/US20220369176A1/en
Application filed by 美商高通公司
Publication of TW202249508A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/04 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration, using triggered events
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/10 Integrity
    • H04W12/60 Context-dependent security
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/18 Selecting a network or a communication service
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Alarm Systems (AREA)

Abstract

Aspects that facilitate security handling of 5GS to EPC reselection are disclosed herein. An example method at a UE includes transmitting a first TAU request, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity. The example method also includes transmitting a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count. The example method also includes communicating based on a mapped security context that is based on the first security context and at least one of the first uplink count or the second uplink count.

Description

Security handling of 5G system to evolved packet system reselection

This patent application claims priority to U.S. Provisional Application No. 63/187,784, filed May 12, 2021, and entitled "SECURITY HANDLING OF 5GS TO EPC RESELECTION", and to U.S. Non-Provisional Patent Application No. 17/662,978, filed May 11, 2022, and entitled "SECURITY HANDLING OF 5GS TO EPC RESELECTION", the entire contents of which are expressly incorporated herein by reference.

Generally, the present disclosure relates to communication systems, and more specifically to security features and security mechanisms employed in communication systems.

Wireless communication systems are widely deployed to provide various telecommunication services such as telephony, video, data, messaging, and broadcasts. Typical wireless communication systems may employ multiple-access technologies capable of supporting communication with multiple users by sharing the available system resources. Examples of such multiple-access technologies include code division multiple access (CDMA) systems, time division multiple access (TDMA) systems, frequency division multiple access (FDMA) systems, orthogonal frequency division multiple access (OFDMA) systems, single-carrier frequency division multiple access (SC-FDMA) systems, and time division synchronous code division multiple access (TD-SCDMA) systems.

These multiple-access technologies have been adopted in various telecommunication standards to provide a common protocol that enables different wireless devices to communicate on a municipal, national, regional, and even global level. An example telecommunication standard is 5G New Radio (NR). 5G NR is part of a continuous mobile broadband evolution promulgated by the Third Generation Partnership Project (3GPP) to meet new requirements associated with latency, reliability, security, scalability (e.g., with the Internet of Things (IoT)), and other requirements. 5G NR includes services associated with enhanced mobile broadband (eMBB), massive machine type communications (mMTC), and ultra-reliable low-latency communications (URLLC). Some aspects of 5G NR may be based on the 4G Long Term Evolution (LTE) standard. There exists a need for further improvements in 5G NR technology. These improvements may also be applicable to other multiple-access technologies and to the telecommunication standards that employ these technologies.

The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended neither to identify key or critical elements of all aspects nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later.

In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication are provided. An apparatus may include a user equipment (UE). The example apparatus may transmit a first tracking area update (TAU) request to a first network entity, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity. The example apparatus may also transmit a second TAU request to the first network entity, the second TAU request including the first set of information and being integrity protected using a second uplink count. The example apparatus may also derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count. Additionally, the example apparatus may communicate with the first network entity based on the mapped security context.

In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication are provided. An apparatus may include a UE. The example apparatus may transmit a first TAU request to a first network entity while performing a change from a first cell associated with a first RAT to a connection to a second cell associated with a second RAT different from the first RAT, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context. The example apparatus may also derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context. Additionally, the example apparatus may transmit a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count. The example apparatus may also derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context. The example apparatus may also receive a downlink transmission from the first network entity. Additionally, the example apparatus may perform an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key. When the integrity check of the downlink transmission using a derived integrity key succeeds, the example apparatus may also set a master security key of the UE, the master security key being set based on whichever of the first mapped security context or the second mapped security context was used to derive that integrity key.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication are provided. An apparatus may include a first network entity, such as a mobility management entity (MME). The example apparatus may receive a first TAU request generated by a UE, the first TAU request being encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity. The example apparatus may also output a first context request for a second network entity based on the first TAU request, the second network entity being associated with the first RAT. Additionally, the example apparatus may receive a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count. The example apparatus may also receive a second TAU request, the second TAU request being encoded using the first security context, being integrity protected using a second uplink count different from the first uplink count, and including the first set of information. The example apparatus may also output a second context request for the second network entity based on the second TAU request. The example apparatus may also receive a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count. Furthermore, the example apparatus may transmit a downlink message based on the second mapped security context.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication are provided. An apparatus may include a second network entity, such as an access and mobility management function (AMF). The example apparatus may receive a first context request including at least a first TAU request generated by a UE, the first TAU request being integrity protected using a first uplink count and encoded using a first security context associated with a first RAT, the first RAT being different from a second RAT associated with a first network entity. When a first integrity check of the first TAU request succeeds, the example apparatus may also derive a first mapped security context. The example apparatus outputs the first mapped security context for the first network entity. Additionally, the example apparatus may receive a second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count. When a second integrity check of the second TAU request succeeds, the example apparatus may also derive a second mapped security context. Additionally, the example apparatus may output the second mapped security context for the first network entity.

In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication at a first network entity, such as an MME, are provided. An example apparatus may receive a first TAU request from a UE, the first TAU request being encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity. The example apparatus may also transmit a first context request to a second network entity based on the first TAU request, the second network entity being associated with the first RAT. Additionally, the example apparatus may receive a first mapped security context from the second network entity based on the first context request, the first mapped security context being derived from the first security context and the first uplink count. Additionally, the example apparatus may receive a second TAU request from the UE, the second TAU request being encoded using the first security context, being integrity protected using a second uplink count different from the first uplink count, and including the first set of information. The example apparatus may also transmit a second context request to the second network entity based on the second TAU request. The example apparatus may also receive a second mapped security context from the second network entity based on the second context request, the second mapped security context being derived from the first security context and the second uplink count. Additionally, the example apparatus may transmit a downlink message to the UE based on the second mapped security context.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication at a second network entity, such as an AMF, are provided. An example apparatus may receive a first context request from a first network entity, the first context request including at least a first TAU request generated by a UE, the first TAU request being integrity protected using a first uplink count and encoded using a first security context associated with a first RAT, the first RAT being different from a second RAT associated with the first network entity. When an integrity check of the first TAU request succeeds, the example apparatus may also derive a first mapped security context. Additionally, the example apparatus may transmit the first mapped security context to the first network entity. The example apparatus may also receive a second context request from the first network entity, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count. Additionally, when an integrity check of the second TAU request succeeds, the example apparatus may derive a second mapped security context. The example apparatus may also transmit the second mapped security context to the first network entity.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication at a UE are provided. An example apparatus may transmit a first TAU request to a first network entity, the first TAU request being encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity. The example apparatus may also derive a first mapped security context based on the first security context and the first uplink count. Additionally, the example apparatus may transmit a second TAU request to the first network entity, the second TAU request being encoded using the first security context, being integrity protected using a second uplink count different from the first uplink count, and including the first set of information. The example apparatus may also derive a second mapped security context based on the first security context and the second uplink count. Additionally, the example apparatus may communicate with the first network entity based on the second mapped security context.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication at a UE are provided. An example apparatus may transmit a first TAU request to a first network entity while performing a change from a first cell associated with a first RAT to a connection to a second cell associated with a second RAT different from the first RAT, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to the second RAT associated with the first network entity. The example apparatus may also transmit a repetition of the first TAU request to the first network entity, the repetition of the first TAU request including the first set of information and being integrity protected using the first uplink count. Additionally, the example apparatus may derive a mapped security context based on the first security context and the first uplink count. The example apparatus may also communicate with the first network entity based on the mapped security context.

In another aspect of the disclosure, a method, a computer-readable medium, and an apparatus for wireless communication at a UE are provided. An example apparatus may transmit a first TAU request to a first network entity while performing a change from a first cell associated with a first RAT to a connection to a second cell associated with a second RAT different from the first RAT, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context. The example apparatus may also derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context. Additionally, the example apparatus may transmit a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count. The example apparatus may also derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context. Additionally, the example apparatus may receive a downlink transmission from the first network entity. The example apparatus may also perform an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key. Additionally, when the integrity check of the downlink transmission using a derived integrity key succeeds, the example apparatus may set a master security key of the UE, the master security key being set based on the corresponding integrity key.

To the accomplishment of the foregoing and related ends, the one or more aspects include the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative features of the one or more aspects. These features are indicative, however, of but a few of the various ways in which the principles of the various aspects may be employed.

Any number of wireless networks may be deployed in a given geographic area. Each wireless network may support a particular radio access technology (RAT) and may operate on one or more frequencies. In some examples, a UE may connect to a first cell associated with a first RAT, such as 5G. The first cell may be unable to provide support to the UE. For example, in some deployment scenarios, 5G coverage may not be ubiquitous. In other examples, the first RAT may be unable to provide a service, for example voice handover, in which a voice handover service is initiated via the first RAT. To provide support to the UE, the UE and the first RAT may support reselection from the first RAT to a second RAT, where the second RAT may provide support to the UE with respect to the service. For example, to support voice handover, the UE and the first cell may support a fallback procedure in which the UE falls back to a second cell associated with the second RAT.

When the UE falls back from the first cell to the second cell, the UE may perform a reselection procedure. For example, the UE may perform a 5G to Evolved Packet Core (EPC) reselection procedure. When performing the reselection procedure, the UE may initiate a TAU procedure to register itself within the tracking area of the second cell and the associated second RAT.

To provide security for communication across a wireless communication system, messages exchanged between devices of the wireless communication system may be integrity protected. Integrity protection may be based on a security context that includes one or more security keys. In some examples, a security context may include one or more security parameters for authentication, integrity protection, and ciphering, and may be identifiable via a key set identifier (KSI). In some examples, each RAT may be associated with a respective security context. To facilitate reselection from the first cell to the second cell, the network entities of the respective RATs may facilitate mapping a first security context associated with one RAT to a second security context associated with another RAT. For example, a network entity associated with 5G may facilitate mapping a 5G security context to an EPC security context. In some examples, mapping the 5G security context to the EPC security context may include using the 5G security context to derive the EPC security context. The EPC security context may enable the UE to communicate with the second cell, which is associated with the EPC network, after switching from the first cell to the second cell.

In some scenarios, a radio link failure (RLF) may occur after the UE has established a connection with the second cell and transmitted the TAU request message. In such examples, the UE may retransmit the TAU request message. However, the mapping of the first security context to the second security context may then lead to an inconsistency, which may cause the communication to fail.

Examples disclosed herein provide techniques for removing the inconsistency in the handling of a repetition of the TAU request message described above. In a first aspect, the disclosed techniques may remove the inconsistency by modifying how the network handles a repetition of the TAU request message. In a second aspect, the disclosed techniques may remove the inconsistency by modifying how the UE integrity protects the TAU request message. In a third aspect, the disclosed techniques may remove the inconsistency by modifying how the UE performs integrity verification of messages.
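The following added example (my own model, not code from the patent or from the applicant) puts the mapped-context derivation described two paragraphs above and the three aspects just listed side by side: a 5G security context and an uplink count go into a key derivation, the TAU request is retransmitted after an RLF with a different count, and each aspect is shown removing the resulting mismatch between the UE and the network. The HMAC-based KDF, the 32-bit tag, the counts, and the message bodies are constructed stand-ins and are not the 3GPP definitions.

```python
import hashlib
import hmac

# Constructed 5G (first-RAT) security context shared by the UE and the AMF,
# and the "first set of information" carried in every TAU request.
FIRST_CTX_KEY = hashlib.sha256(b"constructed 5G security context").digest()
TAU_BODY = b"TAU-REQUEST|mapped-GUTI|KSI=3"
FIRST_COUNT = 7   # uplink count of the original TAU request (constructed)


def derive_mapped_context(first_ctx_key: bytes, uplink_count: int) -> bytes:
    """Mapped (EPC) security context derived from the 5G context and the uplink
    count that protected the TAU request. Stand-in HMAC KDF, not the 3GPP one."""
    label = b"mapped-ctx|" + uplink_count.to_bytes(4, "big")
    return hmac.new(first_ctx_key, label, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """32-bit integrity tag, a stand-in for the NAS MAC."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def ue_protect_tau(uplink_count: int) -> dict:
    """UE side: TAU request encoded with the 5G context and integrity
    protected with the given uplink count."""
    count_bytes = uplink_count.to_bytes(4, "big")
    return {"body": TAU_BODY, "count": uplink_count,
            "mac": mac(FIRST_CTX_KEY, TAU_BODY + count_bytes)}


def amf_handle_context_request(tau: dict):
    """AMF side: verify the TAU with the 5G context first; only a TAU that
    passes the integrity check yields a mapped context (None otherwise)."""
    expected = mac(FIRST_CTX_KEY, tau["body"] + tau["count"].to_bytes(4, "big"))
    if not hmac.compare_digest(expected, tau["mac"]):
        return None
    return derive_mapped_context(FIRST_CTX_KEY, tau["count"])


def run_reselection(repeat_count: int, mme_requeries_on_repeat: bool,
                    ue_tries_both_keys: bool):
    """One 5GS-to-EPC reselection in which the TAU request is retransmitted
    after an RLF. Returns (downlink_integrity_ok, count the UE settled on).

    repeat_count            uplink count the UE uses for the repetition
                            (aspect 2 keeps it equal to FIRST_COUNT)
    mme_requeries_on_repeat aspect 1: the MME sends a second context request
    ue_tries_both_keys      aspect 3: the UE checks the downlink with both keys
    """
    tau1 = ue_protect_tau(FIRST_COUNT)
    mme_ctx = amf_handle_context_request(tau1)       # first context request
    # RLF after the first TAU: the UE repeats the request.
    tau2 = ue_protect_tau(repeat_count)
    if mme_requeries_on_repeat:
        mme_ctx = amf_handle_context_request(tau2)   # second context request
    if mme_ctx is None:
        return False, None                           # AMF rejected the TAU
    downlink = b"TAU-ACCEPT"
    dl_mac = mac(mme_ctx, downlink)
    # Without aspect 3 the UE keys only on the count it used last.
    candidates = [FIRST_COUNT, repeat_count] if ue_tries_both_keys else [repeat_count]
    for count in candidates:
        ue_key = derive_mapped_context(FIRST_CTX_KEY, count)
        if hmac.compare_digest(mac(ue_key, downlink), dl_mac):
            return True, count   # UE sets its master key from this mapped context
    return False, None


if __name__ == "__main__":
    print("baseline", run_reselection(FIRST_COUNT + 1, False, False))  # (False, None)
    print("aspect 1", run_reselection(FIRST_COUNT + 1, True, False))   # (True, 8)
    print("aspect 2", run_reselection(FIRST_COUNT, False, False))      # (True, 7)
    print("aspect 3", run_reselection(FIRST_COUNT + 1, False, True))   # (True, 7)
```

The baseline run reproduces the failure the text describes: the MME keeps the context mapped from the first count while the UE has moved to the second, so the downlink integrity check fails; each aspect makes the two sides agree on one count again.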

Aspects provided herein may enable devices of a wireless communication system to facilitate security handling of 5GS to EPC reselection in the event of an RLF and a retransmission of the Evolved Packet System (EPS) TAU request, thereby facilitating improved mobility support.

The detailed description set forth below in connection with the appended drawings describes various configurations and is not intended to represent the only configurations in which the concepts described herein may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of the various concepts. However, these concepts may be practiced without these specific details. In some instances, well-known structures and components are shown in block diagram form in order to avoid obscuring such concepts.

Several aspects of telecommunication systems are presented with reference to various apparatus and methods. These apparatus and methods are described in the following detailed description and illustrated in the accompanying drawings by various blocks, components, circuits, processes, algorithms, etc. (collectively referred to as "elements"). These elements may be implemented using electronic hardware, computer software, or any combination thereof. Whether such elements are implemented as hardware or software depends upon the particular application and the design constraints imposed on the overall system.

By way of example, an element, or any portion of an element, or any combination of elements may be implemented as a "processing system" that includes one or more processors. Examples of processors include microprocessors, microcontrollers, graphics processing units (GPUs), central processing units (CPUs), application processors, digital signal processors (DSPs), reduced instruction set computing (RISC) processors, systems on a chip (SoC), baseband processors, field programmable gate arrays (FPGAs), programmable logic devices (PLDs), state machines, gated logic, discrete hardware circuits, and other suitable hardware configured to perform the various functions described throughout this disclosure. One or more processors in the processing system may execute software. Software, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise, shall be construed broadly to mean instructions, instruction sets, code, code segments, program code, programs, subprograms, software components, applications, software applications, software packages, routines, subroutines, objects, executables, threads of execution, procedures, functions, or any combination thereof.

Accordingly, in one or more example aspects, implementations, and/or use cases, the functions described may be implemented in hardware, software, or any combination thereof. If implemented in software, the functions may be stored on or encoded as one or more instructions or code on a computer-readable medium. Computer-readable media includes computer storage media. Storage media may be any available media that can be accessed by a computer. By way of example, such computer-readable media can comprise random-access memory (RAM), read-only memory (ROM), electrically erasable programmable ROM (EEPROM), optical disk storage, magnetic disk storage, other magnetic storage devices, combinations of the aforementioned types of computer-readable media, or any other medium that can be used to store computer-executable code in the form of instructions or data structures that can be accessed by a computer.

While aspects, implementations, and/or use cases are described in this application by way of illustration of some examples, additional or different aspects, implementations, and/or use cases may arise in many different arrangements and scenarios. The aspects, implementations, and/or use cases described herein may be implemented across many differing platform types, devices, systems, shapes, sizes, and packaging arrangements. For example, implementations and/or uses may arise via integrated chip implementations and other non-module-component-based devices (e.g., end-user devices, vehicles, communication devices, computing devices, industrial equipment, retail/purchasing devices, medical devices, artificial intelligence (AI)-enabled devices, etc.). While some examples may or may not be specifically directed to use cases or applications, the described examples may have a wide assortment of applicability. Aspects, implementations, and/or use cases may range from chip-level or modular components to non-modular, non-chip-level implementations, and further to aggregated, distributed, or original equipment manufacturer (OEM) devices or systems incorporating one or more of the techniques herein. In some practical settings, devices incorporating the described aspects and features may also include additional components and features for the implementation and practice of the claimed and described aspects. For example, the transmission and reception of wireless signals necessarily includes a number of components for analog and digital purposes (e.g., hardware components including antennas, RF chains, power amplifiers, modulators, buffers, processors, interleavers, adders/summers, etc.). The techniques described herein may be practiced in a variety of devices, chip-level components, systems, distributed arrangements, aggregated or disaggregated components, end-user devices, etc., of varying sizes, shapes, and constitution.

The deployment of communication systems, such as 5G NR systems, may be arranged in multiple manners with various components or constituent parts. In a 5G NR system or network, a network node, a network entity, a mobility element of a network, a radio access network (RAN) node, a core network node, a network element, or network equipment, such as a base station (BS) or one or more units (or one or more components) performing base station functionality, may be implemented in an aggregated or disaggregated architecture. For example, a BS (such as a Node B (NB), an evolved NB (eNB), an NR BS, a 5G NB, an access point (AP), a transmit receive point (TRP), or a cell, etc.) may be implemented as an aggregated base station (also known as a standalone BS or a monolithic BS) or as a disaggregated base station.

An aggregated base station may be configured to utilize a radio protocol stack that is physically or logically integrated within a single RAN node. A disaggregated base station may be configured to utilize a protocol stack that is physically or logically distributed among two or more units (such as one or more central or centralized units (CUs), one or more distributed units (DUs), or one or more radio units (RUs)). In some aspects, a CU may be implemented within a RAN node, and one or more DUs may be co-located with the CU or, alternatively, may be geographically or virtually distributed throughout one or more other RAN nodes. The DUs may be implemented to communicate with one or more RUs. Each of the CU, DU, and RU may be implemented as a virtual unit, i.e., a virtual central unit (VCU), a virtual distributed unit (VDU), or a virtual radio unit (VRU).

Base station operation or network design may consider the aggregation characteristics of base station functionality. For example, disaggregated base stations may be utilized in an integrated access backhaul (IAB) network, an open radio access network (O-RAN, such as the network configuration sponsored by the O-RAN Alliance), or a virtualized radio access network (vRAN, also known as a cloud radio access network (C-RAN)). Disaggregation may include distributing functionality across two or more units at various physical locations, as well as distributing the functionality of at least one unit virtually, which can enable flexibility in network design. The various units of the disaggregated base station, or of the disaggregated RAN architecture, may be configured for wired or wireless communication with at least one other unit.

FIG. 1 is a diagram 100 illustrating an example of a wireless communications system and an access network. The illustrated wireless communications system includes a disaggregated base station architecture. The disaggregated base station architecture may include one or more CUs (e.g., CU 110) that can communicate directly with a core network 120 via a backhaul link, or indirectly with the core network 120 through one or more disaggregated base station units (such as a near-real-time (near-RT) RAN intelligent controller (RIC) (e.g., near-RT RIC 125) via an E2 link, or a non-real-time (non-RT) RIC 115 associated with a service management and orchestration (SMO) framework (e.g., SMO framework 105), or both). The CU 110 may communicate with one or more DUs (e.g., DU 130) via respective midhaul links, such as an F1 interface. The DU 130 may communicate with one or more RUs (e.g., RU 140) via respective fronthaul links. The RU 140 may communicate with respective UEs (e.g., UE 104) via one or more radio frequency (RF) access links. In some implementations, the UE 104 may be simultaneously served by multiple RUs.

Each of the units, i.e., the CUs (e.g., CU 110), the DUs (e.g., DU 130), the RUs (e.g., RU 140), as well as the near-RT RICs (e.g., near-RT RIC 125) and the non-RT RICs (e.g., non-RT RIC 115), may include one or more interfaces, or be coupled to one or more interfaces, configured to receive or transmit signals, data, or information (collectively, signals) via a wired or wireless transmission medium. Each of the units, or an associated processor or controller providing instructions to the communication interfaces of the units, may be configured to communicate with one or more of the other units via the transmission medium. For example, the units may include a wired interface configured to receive signals over a wired transmission medium or to transmit signals to one or more of the other units. Additionally, the units may include a wireless interface, which may include a receiver, a transmitter, or a transceiver (such as an RF transceiver), configured to receive signals over a wireless transmission medium, to transmit signals to one or more of the other units, or both.

In some aspects, the CU 110 may host one or more higher layer control functions. Such control functions may include radio resource control (RRC), packet data convergence protocol (PDCP), service data adaptation protocol (SDAP), or the like. Each control function may be implemented with an interface configured to communicate signals with other control functions hosted by the CU 110. The CU 110 may be configured to handle user plane functionality (i.e., central unit-user plane (CU-UP)), control plane functionality (i.e., central unit-control plane (CU-CP)), or a combination thereof. In some implementations, the CU 110 may be logically split into one or more CU-UP units and one or more CU-CP units. The CU-UP unit may communicate bidirectionally with the CU-CP unit via an interface (such as an E1 interface when implemented in an O-RAN configuration). The CU 110 may be implemented to communicate with the DU 130, as necessary, for network control and signaling.

The DU 130 may correspond to a logical unit that includes one or more base station functions to control the operation of one or more RUs. In some aspects, the DU 130 may host one or more of a radio link control (RLC) layer, a medium access control (MAC) layer, and one or more high physical (PHY) layers (such as modules for forward error correction (FEC) encoding and decoding, scrambling, modulation, demodulation, or the like), depending at least in part on a functional split, such as one defined by 3GPP. In some aspects, the DU 130 may further host one or more low PHY layers. Each layer (or module) may be implemented with an interface configured to communicate signals with other layers (and modules) hosted by the DU 130, or with the control functions hosted by the CU 110.

Lower-layer functionality may be implemented by one or more RUs. In some deployments, an RU 140 controlled by a DU 130 may correspond to a logical node that hosts RF processing functions, low-PHY layer functions (such as performing a fast Fourier transform (FFT), an inverse FFT (iFFT), digital beamforming, physical random access channel (PRACH) extraction and filtering, or the like), or both, based at least in part on a functional split, such as a lower layer functional split. In such an architecture, the RU 140 may be implemented to handle over-the-air (OTA) communication with one or more UEs (e.g., UE 104). In some implementations, the real-time and non-real-time aspects of control and user plane communication with the RU 140 may be controlled by the corresponding DU. In some scenarios, this configuration may enable the DU and the CU 110 to be implemented in a cloud-based RAN architecture, such as a vRAN architecture.

The SMO framework 105 may be configured to support RAN deployment and provisioning of non-virtualized and virtualized network elements. For non-virtualized network elements, the SMO framework 105 may be configured to support the deployment of dedicated physical resources for RAN coverage requirements, which may be managed via an operations and maintenance interface (such as an O1 interface). For virtualized network elements, the SMO framework 105 may be configured to interact with a cloud computing platform (such as an open cloud (O-Cloud) 190) to perform network element life cycle management (e.g., to instantiate virtualized network elements) via a cloud computing platform interface (such as an O2 interface). Such virtualized network elements may include, but are not limited to, CUs, DUs, RUs, and near-RT RICs. In some implementations, the SMO framework 105 may communicate with a hardware aspect of a 4G RAN, such as an open eNB (O-eNB) 111, via an O1 interface. Additionally, in some implementations, the SMO framework 105 may communicate directly with one or more RUs via an O1 interface. The SMO framework 105 may also include a non-RT RIC 115 configured to support the functionality of the SMO framework 105.

The non-RT RIC 115 may be configured to include a logical function that enables non-real-time control and optimization of RAN elements and resources, artificial intelligence (AI)/machine learning (ML) (AI/ML) workflows (including model training and updates), or policy-based guidance of applications/features in the near-RT RIC 125. The non-RT RIC 115 may be coupled to or communicate with the near-RT RIC 125 (e.g., via an A1 interface). The near-RT RIC 125 may be configured to include a logical function that enables near-real-time control and optimization of RAN elements and resources via data collection and actions over an interface (e.g., an E2 interface) connecting one or more CUs, one or more DUs, or both, as well as an O-eNB, with the near-RT RIC 125.

In some implementations, to generate AI/ML models to be deployed in the near-RT RIC 125, the non-RT RIC 115 may receive parameters or external enrichment information from external servers. Such information may be utilized by the near-RT RIC 125 and may be received at the SMO framework 105 or the non-RT RIC 115 from non-network data sources or from network functions. In some examples, the non-RT RIC 115 or the near-RT RIC 125 may be configured to tune RAN behavior or performance. For example, the non-RT RIC 115 may monitor long-term trends and patterns in performance and employ AI/ML models to perform corrective actions through the SMO framework 105 (e.g., reconfiguration via O1) or via the creation of RAN management policies (such as A1 policies).

At least one of the CU 110, the DU 130, and the RU 140 may be referred to as a base station 102. Accordingly, a base station 102 may include one or more of the CU 110, the DU 130, and the RU 140 (each component is indicated with dashed lines to signify that it may or may not be included in the base station 102). The base station 102 provides an access point to the core network 120 for the UE 104. The base stations 102 may include macrocells (high power cellular base stations) and/or small cells (low power cellular base stations). The small cells include femtocells, picocells, and microcells. A network that includes both small cells and macrocells may be known as a heterogeneous network. A heterogeneous network may also include Home Evolved Node Bs (eNBs) (HeNBs), which may provide service to a restricted group known as a closed subscriber group (CSG). The communication link between an RU (e.g., RU 140) and a UE (e.g., UE 104) may include uplink (UL) (also referred to as reverse link) transmissions from the UE 104 to the RU 140 and/or downlink (DL) (also referred to as forward link) transmissions from the RU 140 to the UE 104. The communication links may use multiple-input multiple-output (MIMO) antenna technology, including spatial multiplexing, beamforming, and/or transmit diversity. The communication links may be through one or more carriers. The base station 102 / UE 104 may use spectrum of up to Y MHz (e.g., 5, 10, 15, 20, 100, 400, etc. MHz) bandwidth per carrier allocated in a carrier aggregation of up to a total of Yx MHz (x component carriers) used for transmission in each direction. The carriers may or may not be adjacent to each other. The allocation of carriers may be asymmetric with respect to DL and UL (e.g., more or fewer carriers may be allocated for DL than for UL). The component carriers may include a primary component carrier and one or more secondary component carriers. A primary component carrier may be referred to as a primary cell (PCell), and a secondary component carrier may be referred to as a secondary cell (SCell).

Certain UEs may communicate with each other using a device-to-device (D2D) communication link (e.g., D2D communication link 158). The D2D communication link 158 may use the DL/UL wireless wide area network (WWAN) spectrum. The D2D communication link 158 may use one or more sidelink channels, such as a physical sidelink broadcast channel (PSBCH), a physical sidelink discovery channel (PSDCH), a physical sidelink shared channel (PSSCH), and a physical sidelink control channel (PSCCH). D2D communication may be through a variety of wireless D2D communication systems, such as, for example, Bluetooth, Wi-Fi based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard, LTE, or NR.

The wireless communications system may further include a Wi-Fi AP 150 in communication with the UE 104 (also referred to as a Wi-Fi station (STA)) via a communication link 154 in, for example, the 5 GHz unlicensed frequency spectrum or the like. When communicating in an unlicensed frequency spectrum, the UE 104 / Wi-Fi AP 150 may perform a clear channel assessment (CCA) prior to communicating in order to determine whether the channel is available.

The electromagnetic spectrum is often subdivided, based on frequency/wavelength, into various classes, bands, channels, etc. In 5G NR, two initial operating bands have been identified as frequency range designations FR1 (410 MHz – 7.125 GHz) and FR2 (24.25 GHz – 52.6 GHz). Although a portion of FR1 is greater than 6 GHz, FR1 is often referred to (interchangeably) as the "sub-6 GHz" band in various documents and articles. A similar nomenclature issue sometimes arises with regard to FR2, which is often referred to (interchangeably) as the "millimeter wave" band in documents and articles, even though it differs from the extremely high frequency (EHF) band (30 GHz – 300 GHz), which is the band identified by the International Telecommunication Union (ITU) as the "millimeter wave" band.

The frequencies between FR1 and FR2 are often referred to as mid-band frequencies. Recent 5G NR studies have identified an operating band for these mid-band frequencies as frequency range designation FR3 (7.125 GHz – 24.25 GHz). Frequency bands falling within FR3 may inherit FR1 characteristics and/or FR2 characteristics, and thus may effectively extend the features of FR1 and/or FR2 into mid-band frequencies. In addition, higher frequency bands are currently being explored to extend 5G NR operation beyond 52.6 GHz. For example, three higher operating bands have been identified as frequency range designations FR2-2 (52.6 GHz – 71 GHz), FR4 (71 GHz – 114.25 GHz), and FR5 (114.25 GHz – 300 GHz). Each of these higher frequency bands falls within the EHF band.

With the above aspects in mind, unless specifically stated otherwise, the term "sub-6 GHz" or the like, if used herein, may broadly represent frequencies that may be less than 6 GHz, may be within FR1, or may include mid-band frequencies. Further, unless specifically stated otherwise, the term "millimeter wave" or the like, if used herein, may broadly represent frequencies that may include mid-band frequencies, may be within FR2, FR4, FR2-2, and/or FR5, or may be within the EHF band.

The base station 102 and the UE 104 may each include a plurality of antennas (such as antenna elements, antenna panels, and/or antenna arrays) to facilitate beamforming. The base station 102 may transmit a beamformed signal 182 to the UE 104 in one or more transmit directions. The UE 104 may receive the beamformed signal from the base station 102 in one or more receive directions. The UE 104 may also transmit a beamformed signal 184 to the base station 102 in one or more transmit directions. The base station 102 may receive the beamformed signal from the UE 104 in one or more receive directions. The base station 102 / UE 104 may perform beam training to determine the best receive and transmit directions for each of the base station 102 / UE 104. The transmit and receive directions for the base station 102 may or may not be the same. The transmit and receive directions for the UE 104 may or may not be the same.

The base station 102 may include and/or be referred to as a gNB, a Node B, an eNB, an access point, a base transceiver station, a radio base station, a radio transceiver, a transceiver function, a basic service set (BSS), an extended service set (ESS), a transmit receive point (TRP), a network node, a network entity, network equipment, or some other suitable terminology. The base station 102 may be implemented as an integrated access and backhaul (IAB) node, a relay node, a sidelink node, an aggregated (monolithic) base station with a baseband unit (BBU) (including a CU and a DU) and an RU, or as a disaggregated base station including one or more of a CU, a DU, and/or an RU. The set of base stations, which may include disaggregated base stations and/or aggregated base stations, may be referred to as a next generation (NG) RAN (NG-RAN).

The core network 120 may include an Access and Mobility Management Function (AMF) (e.g., AMF 161), a Session Management Function (SMF) (e.g., SMF 162), a User Plane Function (UPF) (e.g., UPF 163), a Unified Data Management (UDM) (e.g., UDM 164), one or more location servers 168, and other functional entities. The AMF 161 is the control node that processes the signaling between the UE 104 and the core network 120. The AMF 161 supports registration management, connection management, mobility management, and other functions. The SMF 162 supports session management and other functions. The UPF 163 supports packet routing, packet forwarding, and other functions. The UDM 164 supports the generation of authentication and key agreement (AKA) credentials, user identification handling, access authorization, and subscription management. The one or more location servers 168 are illustrated as including a Gateway Mobile Location Center (GMLC) (e.g., GMLC 165) and a Location Management Function (LMF) (e.g., LMF 166). Generally, however, the one or more location servers 168 may include one or more location/positioning servers, which may include one or more of the GMLC 165, the LMF 166, a position determination entity (PDE), a serving mobile location center (SMLC), a mobile positioning center (MPC), or the like. The GMLC 165 and the LMF 166 support UE location services. The GMLC 165 provides an interface for clients/applications (e.g., emergency services) to access UE positioning information. The LMF 166 receives measurements and assistance information from the NG-RAN and the UE 104 via the AMF 161 to compute the position of the UE 104. The NG-RAN may utilize one or more positioning methods to determine the position of the UE 104. Positioning the UE 104 may involve signal measurements, a position estimate, and an optional velocity computation based on the measurements. The signal measurements may be made by the UE 104 and/or the serving base station (e.g., base station 102). The signals measured may be based on one or more of: a satellite positioning system (SPS) 170 (e.g., one or more of a Global Navigation Satellite System (GNSS), the Global Positioning System (GPS), a non-terrestrial network (NTN), or another satellite position/location system), LTE signals, wireless local area network (WLAN) signals, Bluetooth signals, a terrestrial beacon system (TBS), sensor-based information (e.g., barometric pressure sensor, motion sensor), NR enhanced cell ID (NR E-CID) methods, NR signals (e.g., multi-round trip time (Multi-RTT), DL angle-of-departure (DL-AoD), DL time difference of arrival (DL-TDOA), UL time difference of arrival (UL-TDOA), and UL angle-of-arrival (UL-AoA) positioning), and/or other systems/signals/sensors.

Examples of UEs include a cellular phone, a smart phone, a session initiation protocol (SIP) phone, a laptop, a personal digital assistant (PDA), a satellite radio, a global positioning system, a multimedia device, a video device, a digital audio player (e.g., an MP3 player), a camera, a game console, a tablet, a smart device, a wearable device, a vehicle, an electric meter, a gas pump, a large or small kitchen appliance, a healthcare device, an implant, a sensor/actuator, a display, or any other similarly functioning device. Some of the UEs may be referred to as IoT devices (e.g., a parking meter, a gas pump, an oven, a vehicle, a heart monitor, etc.). The UE 104 may also be referred to as a station, a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a user agent, a mobile client, a client, or some other suitable terminology. In some scenarios, the term UE may also apply to one or more companion devices, such as in a device cluster arrangement. One or more of these devices may access the network collectively and/or individually.

Referring again to FIG. 1, in certain aspects, a device in communication with a base station, such as the UE 104, may be configured to manage one or more aspects of wireless communication. For example, the UE 104 may include a UE security handling component 198 configured to facilitate security handling of 5GS to EPC reselection in the case of RLF and retransmission of an EPS TAU request. In certain aspects, the UE security handling component 198 may be configured to send a first TAU request to a first network entity, the first TAU request being encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity. The uplink count may indicate the number of uplink messages transmitted. The example UE security handling component 198 may also be configured to send a second TAU request to the first network entity, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count. In addition, the example UE security handling component 198 may be configured to derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count. The example UE security handling component 198 may also be configured to communicate with the first network entity based on the mapped security context.

In another aspect, the UE security handling component 198 may be configured to send a first TAU request to a first network entity when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different from the first RAT, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context. The example UE security handling component 198 may also be configured to derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context. An integrity key may be a key used to perform an integrity check on a communication. In addition, the example UE security handling component 198 may be configured to send a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count. The example UE security handling component 198 may also be configured to derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context. In addition, the example UE security handling component 198 may be configured to receive a downlink transmission from the first network entity. The example UE security handling component 198 may also be configured to perform an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key. The integrity check may be performed using an integrity key and confirms the integrity of the downlink transmission. In addition, the example UE security handling component 198 may be configured to set a master security key of the UE when the integrity check of the downlink transmission using the derived integrity key succeeds, the master security key being set based on whichever of the first mapped security context or the second mapped security context was used to derive the derived integrity key. The master security key may be a key used to derive other security keys.

In certain aspects, the UE security handling component 198 may be configured to send a first TAU request to a first network entity. The first TAU request may be encoded using a first security context associated with a first RAT. The first TAU request may be integrity protected using a first uplink count based on the first security context, and the first TAU request may include a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity. The example UE security handling component 198 may also be configured to derive a first mapped security context based on the first security context and the first uplink count. The example UE security handling component 198 may also be configured to send a second TAU request to the first network entity. The second TAU request may be encoded using the first security context, the second TAU request may be integrity protected using a second uplink count different from the first uplink count, and the second TAU request may include the first set of information. The example UE security handling component 198 may also be configured to derive a second mapped security context based on the first security context and the second uplink count. The example UE security handling component 198 may also be configured to communicate with the first network entity based on the second mapped security context.

In another aspect, the UE security handling component 198 may be configured to send a first TAU request to a first network entity when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different from the first RAT. The first network entity may be associated with the second RAT. The first TAU request may be encoded using a first security context associated with the first RAT, the first TAU request may be integrity protected using a first uplink count based on the first security context, and the first TAU request may include a first set of information, the first set of information including an identifier mapped to the second RAT associated with the first network entity.

The example UE security handling component 198 may also be configured to send a repetition of the first TAU request to the first network entity. The repetition of the first TAU request may include the first set of information, and the repetition of the first TAU request may be integrity protected using the first uplink count. The example UE security handling component 198 may also be configured to derive a mapped security context based on the first security context and the first uplink count. In addition, the example UE security handling component 198 may be configured to communicate with the first network entity based on the mapped security context.

In another aspect, the UE security handling component 198 may be configured to send a first TAU request to a first network entity when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different from the first RAT. The first network entity may be associated with the second RAT. The first TAU request may be encoded using a first security context associated with the first RAT, and the first TAU request may be integrity protected using a first uplink count based on the first security context. The example UE security handling component 198 may also be configured to derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context. The example UE security handling component 198 may also be configured to send a repetition of the first TAU request to the first network entity. The repetition of the first TAU request may be integrity protected using a second uplink count different from the first uplink count. In addition, the example UE security handling component 198 may also be configured to derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context. The example UE security handling component 198 may also be configured to receive a downlink transmission from the first network entity. The example UE security handling component 198 may also be configured to perform an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key. The example UE security handling component 198 may also be configured to set a master security key of the UE when the integrity check performed on the downlink transmission using the derived integrity key succeeds. The master security key is set based on the corresponding integrity key.

In another configuration, a network entity may be configured to manage one or more aspects of wireless communication by facilitating security handling of 5GS to EPC reselection in the case of RLF and retransmission of an EPS TAU request, so as to facilitate improved mobility support. For example, the network entity may include a network security handling component 199. Aspects of the network security handling component 199 may be implemented by an MME, an AMF (e.g., the AMF 161), and/or a base station (e.g., the base station 102).

The network security handling component 199 may be configured to receive a first TAU request generated by a UE, the first TAU request being encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with a first network entity. In addition, the network security handling component 199 may be configured to output, based on the first TAU request, a first context request for a second network entity, the second network entity being associated with the first RAT. The network security handling component 199 may also be configured to receive a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count. In addition, the network security handling component 199 may be configured to receive a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information. The network security handling component 199 may also be configured to output a second context request for the second network entity based on the second TAU request. In addition, the network security handling component 199 may be configured to receive a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count. The network security handling component 199 may also be configured to send a downlink message based on the second mapped security context.

In another aspect, the network security handling component 199 may be configured to receive a first context request, the first context request including at least a first TAU request generated by a UE, the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first RAT, and the first RAT being different from a second RAT associated with a first network entity. In addition, the network security handling component 199 may be configured to derive a first mapped security context when a first integrity check on the first TAU request succeeds. The network security handling component 199 may also be configured to output the first mapped security context for the first network entity. In addition, the network security handling component 199 may be configured to receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count. The network security handling component 199 may also be configured to derive a second mapped security context when a second integrity check on the second TAU request succeeds. In addition, the network security handling component 199 may be configured to output the second mapped security context for the first network entity.

In certain aspects, the network security handling component 199 may be configured to receive a first TAU request from a UE. The first TAU request may be encoded using a first security context associated with a first RAT, the first TAU request may be integrity protected using a first uplink count based on the first security context, and the first TAU request includes a first set of information, the first set of information including an identifier mapped to a second RAT associated with a first network entity. The example network security handling component 199 may also be configured to send a first context request to a second network entity based on the first TAU request. The second network entity may be associated with the first RAT. The example network security handling component 199 may also be configured to receive a first mapped security context from the second network entity based on the first context request. The first mapped security context may be derived from the first security context and the first uplink count. In addition, the example network security handling component 199 may be configured to receive a second TAU request from the UE. The second TAU request may be encoded using the first security context, the second TAU request may be integrity protected using a second uplink count different from the first uplink count, and the second TAU request includes the first set of information. The example network security handling component 199 may also be configured to send a second context request to the second network entity based on the second TAU request. In addition, the example network security handling component 199 may be configured to receive a second mapped security context from the second network entity based on the second context request. The second mapped security context may be derived from the first security context and the second uplink count. The example network security handling component 199 may also be configured to send a downlink message to the UE based on the second mapped security context.

In another aspect, the network security handling component 199 may be configured to receive a first context request from a first network entity, the first context request including at least a first TAU request generated by a UE. The first TAU request may be integrity protected using a first uplink count, the first TAU request may be encoded using a first security context associated with a first RAT, and the first RAT may be different from a second RAT associated with the first network entity. The example network security handling component 199 may also be configured to derive a first mapped security context when an integrity check on the first TAU request succeeds. The example network security handling component 199 may also be configured to send the first mapped security context to the first network entity. In addition, the example network security handling component 199 may be configured to receive a second context request from the first network entity. The second context request may include at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count. The example network security handling component 199 may also be configured to derive a second mapped security context when an integrity check on the second TAU request succeeds. The example network security handling component 199 may also be configured to send the second mapped security context to the first network entity.
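The UE-side aspects above (deriving a candidate mapped security context for each uplink count used on a TAU request and checking the downlink against each candidate) and the network-side aspects (the first network entity forwarding each TAU request to the second network entity, which verifies its integrity and derives the mapped context from that request's uplink count) can be exercised together in one small simulation. The following Python block is an added example written for this page; it is not code from the patent or from Qualcomm. The HMAC-SHA256 derivation, the four-byte MAC, the class names UE, AMF and MME, the counter-based replay check, and the sample key and identifier values are all assumptions of the example, not the 3GPP KDFs or procedures.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def kdf(key: bytes, label: bytes, count: int) -> bytes:
    """Generic HMAC-SHA256 derivation; an assumed stand-in for the 3GPP KDF."""
    return hmac.new(key, label + count.to_bytes(4, "big"), hashlib.sha256).digest()


def mapped_context(k_5g: bytes, ul_count: int) -> bytes:
    """Mapped security context = f(first security context, uplink count)."""
    return kdf(k_5g, b"mapped-context", ul_count)


def integrity_key(context: bytes) -> bytes:
    """Integrity key derived from a (5G or mapped) security context."""
    return kdf(context, b"nas-integrity", 0)


def nas_mac(k_int: bytes, count: int, payload: bytes) -> bytes:
    """Truncated MAC over (count || payload), binding the message to its counter."""
    return hmac.new(k_int, count.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class TAURequest:
    info: bytes       # first set of information (includes the mapped identifier)
    ul_count: int     # uplink count used for integrity protection
    mac: bytes


@dataclass(frozen=True)
class Downlink:
    payload: bytes
    dl_count: int
    mac: bytes


class UE:
    def __init__(self, k_5g: bytes, keep_all_candidates: bool = True):
        self.k_5g = k_5g
        self.k_int_5g = integrity_key(k_5g)
        self.ul_count = 0
        self.keep_all = keep_all_candidates
        self.candidates: Dict[int, bytes] = {}   # ul_count -> candidate mapped context
        self.k_master: Optional[bytes] = None    # set only after a downlink verifies

    def send_tau(self, info: bytes) -> TAURequest:
        count = self.ul_count
        self.ul_count += 1                       # every (re)transmission bumps the count
        if self.keep_all or not self.candidates:
            self.candidates[count] = mapped_context(self.k_5g, count)
        return TAURequest(info, count, nas_mac(self.k_int_5g, count, info))

    def receive_downlink(self, dl: Downlink) -> bool:
        # Try the integrity key of each candidate; commit to the one that verifies.
        for ctx in self.candidates.values():
            expected = nas_mac(integrity_key(ctx), dl.dl_count, dl.payload)
            if hmac.compare_digest(expected, dl.mac):
                self.k_master = ctx
                self.candidates = {}
                return True
        return False


class AMF:
    """Second network entity: holds the 5G context and answers context requests."""
    def __init__(self, k_5g: bytes):
        self.k_5g = k_5g
        self.k_int_5g = integrity_key(k_5g)
        self.last_count = -1                     # assumed replay check on the uplink count

    def context_request(self, tau: TAURequest) -> Optional[bytes]:
        expected = nas_mac(self.k_int_5g, tau.ul_count, tau.info)
        if tau.ul_count <= self.last_count or not hmac.compare_digest(expected, tau.mac):
            return None                          # integrity check failed: no context released
        self.last_count = tau.ul_count
        return mapped_context(self.k_5g, tau.ul_count)


class MME:
    """First network entity: forwards each TAU to the AMF and keeps the latest context."""
    def __init__(self, amf: AMF):
        self.amf = amf
        self.ctx: Optional[bytes] = None

    def receive_tau(self, tau: TAURequest) -> bool:
        ctx = self.amf.context_request(tau)
        if ctx is None:
            return False
        self.ctx = ctx
        return True

    def send_downlink(self, payload: bytes) -> Downlink:
        assert self.ctx is not None
        return Downlink(payload, 0, nas_mac(integrity_key(self.ctx), 0, payload))


def simulate(retransmit: bool, ue_keeps_all: bool) -> bool:
    """True when the UE verifies the downlink and ends up on the MME's context."""
    k_5g = hashlib.sha256(b"constructed 5G master key").digest()   # constructed sample key
    ue, amf = UE(k_5g, ue_keeps_all), AMF(k_5g)
    mme = MME(amf)
    info = b"mapped-identifier:constructed"
    tau = ue.send_tau(info)
    if retransmit:
        tau = ue.send_tau(info)   # RLF: first request is lost, UE repeats it with count+1
    mme.receive_tau(tau)
    dl = mme.send_downlink(b"TAU ACCEPT")
    return ue.receive_downlink(dl) and ue.k_master == mme.ctx
```

`simulate(retransmit=True, ue_keeps_all=True)` returns True because the UE kept a candidate for both uplink counts and committed to the one the network actually used; `simulate(retransmit=True, ue_keeps_all=False)` returns False, which is the failure mode the aspects above address: a UE that derives the mapped context only from the first uplink count cannot verify a downlink protected with a context the network derived from the retransmission's count, and the AMF refuses to release a context for a request whose integrity check fails or whose count has already been seen.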

The aspects provided herein may enable devices of a wireless communication system to facilitate security handling of 5GS to EPC reselection in the case of RLF and retransmission of an EPS TAU request, so as to facilitate improved mobility support.

Although the following description provides examples for 5G NR (specifically, for 5G to EPC reselection), the concepts described herein may be applicable to other similar areas, such as LTE, LTE-A, CDMA, GSM, and/or other wireless technologies in which a UE may perform a reselection from a cell associated with a first RAT to a second cell associated with a second RAT.

FIG. 2A is a diagram 200 illustrating an example of a first subframe within a 5G NR frame structure. FIG. 2B is a diagram 230 illustrating an example of DL channels within a 5G NR subframe. FIG. 2C is a diagram 250 illustrating an example of a second subframe within a 5G NR frame structure. FIG. 2D is a diagram 280 illustrating an example of UL channels within a 5G NR subframe. The 5G NR frame structure may be frequency division duplexed (FDD), in which, for a particular set of subcarriers (carrier system bandwidth), subframes within the set of subcarriers are dedicated to either DL or UL, or may be time division duplexed (TDD), in which, for a particular set of subcarriers (carrier system bandwidth), subframes within the set of subcarriers are dedicated to both DL and UL. In the examples provided by FIGs. 2A and 2C, the 5G NR frame structure is assumed to be TDD, with subframe 4 being configured with slot format 28 (with mostly DL), where D is DL, U is UL, and F is flexible for use between DL/UL, and subframe 3 being configured with slot format 1 (with all UL). While subframes 3 and 4 are shown with slot formats 1 and 28, respectively, any particular subframe may be configured with any of the various available slot formats 0-61. Slot formats 0 and 1 are all DL and all UL, respectively. Other slot formats 2-61 include a mix of DL, UL, and flexible symbols. UEs are configured with the slot format (dynamically through DL control information (DCI), or semi-statically/statically through radio resource control (RRC) signaling) through a received slot format indicator (SFI). Note that the description below applies also to a 5G NR frame structure that is TDD.

FIGs. 2A-2D illustrate a frame structure, and the aspects of the present disclosure may be applicable to other wireless communication technologies, which may have a different frame structure and/or different channels. A frame (10 ms) may be divided into 10 equally sized subframes (1 ms). Each subframe may include one or more time slots. Subframes may also include mini-slots, which may include 7, 4, or 2 symbols. Each slot may include 14 or 12 symbols, depending on whether the cyclic prefix (CP) is normal or extended. For normal CP, each slot may include 14 symbols, and for extended CP, each slot may include 12 symbols. The symbols on DL may be CP orthogonal frequency division multiplexing (OFDM) (CP-OFDM) symbols. The symbols on UL may be CP-OFDM symbols (for high throughput scenarios) or discrete Fourier transform (DFT) spread OFDM (DFT-s-OFDM) symbols (also referred to as single carrier frequency division multiple access (SC-FDMA) symbols) (for power limited scenarios; limited to a single stream transmission). The number of slots within a subframe may be based on the CP and the numerology. The numerology defines the subcarrier spacing (SCS) and, effectively, the symbol length/duration, which may be equal to 1/SCS.

µ   SCS (kHz)   Cyclic prefix
0   15          normal
1   30          normal
2   60          normal, extended
3   120         normal
4   240         normal

Table 1

For normal CP (14 symbols/slot), different numerologies µ 0 to 4 allow for 1, 2, 4, 8, and 16 slots, respectively, per subframe. For extended CP, the numerology 2 allows for 4 slots per subframe. Accordingly, for normal CP and numerology µ, there are 14 symbols/slot and 2^µ slots/subframe. As shown in Table 1, the subcarrier spacing may be equal to 2^µ · 15 kHz, where µ is the numerology 0 to 4. As such, the numerology µ=0 has a subcarrier spacing of 15 kHz and the numerology µ=4 has a subcarrier spacing of 240 kHz. The symbol length/duration is inversely related to the subcarrier spacing. FIGs. 2A-2D provide an example of normal CP with 14 symbols per slot and numerology µ=2 with 4 slots per subframe. The slot duration is 0.25 ms, the subcarrier spacing is 60 kHz, and the symbol duration is approximately 16.67 µs. Within a set of frames, there may be one or more different bandwidth parts (BWPs) (see FIG. 2B) that are frequency division multiplexed. Each BWP may have a particular numerology and CP (normal or extended).

A resource grid may be used to represent the frame structure. Each time slot includes a resource block (RB) (also referred to as a physical RB (PRB)), and a PRB includes 12 consecutive subcarriers. The resource grid is divided into multiple resource elements (REs). The number of bits carried by each RE depends on the modulation scheme.

As illustrated in FIG. 2A, some of the REs carry reference (pilot) signals (RS) for the UE. The RS may include demodulation RS (DM-RS) for channel estimation at the UE (indicated as R_x for one particular configuration, but other DM-RS configurations are possible) and channel state information reference signals (CSI-RS). The RS may also include beam measurement RS (BRS), beam refinement RS (BRRS), and phase tracking RS (PT-RS).

FIG. 2B illustrates an example of various DL channels within a subframe of a frame. The physical downlink control channel (PDCCH) carries DCI within one or more control channel elements (CCEs) (e.g., 1, 2, 4, 8, or 16 CCEs), each CCE including six RE groups (REGs), each REG including four consecutive REs in an OFDM symbol. A PDCCH within one BWP may be referred to as a control resource set (CORESET). A UE is configured to monitor PDCCH candidates in a PDCCH search space (e.g., common search space, UE-specific search space) during PDCCH monitoring occasions on the CORESET, where the PDCCH candidates have different DCI formats and different aggregation levels. Additional BWPs may be located at greater and/or lower frequencies across the channel bandwidth. A primary synchronization signal (PSS) may be within symbol 2 of particular subframes of a frame. The PSS is used by the UE 104 to determine subframe/symbol timing and a physical layer identity. A secondary synchronization signal (SSS) may be within symbol 4 of particular subframes of a frame. The SSS is used by the UE to determine a physical layer cell identity group number and radio frame timing. Based on the physical layer identity and the physical layer cell identity group number, the UE can determine a physical cell identifier (PCI). Based on the PCI, the UE can determine the locations of the DM-RS. The physical broadcast channel (PBCH), which carries a master information block (MIB), may be logically grouped with the PSS and SSS to form a synchronization signal (SS)/PBCH block (also referred to as an SS block (SSB)). The MIB provides the number of RBs in the system bandwidth and the system frame number (SFN). The physical downlink shared channel (PDSCH) carries user data, broadcast system information not transmitted through the PBCH (such as system information blocks (SIBs)), and paging messages.

As illustrated in FIG. 2C, some of the REs carry DM-RS (indicated as R for one particular configuration, but other DM-RS configurations are possible) for channel estimation at the base station. The UE may transmit DM-RS for the physical uplink control channel (PUCCH) and DM-RS for the physical uplink shared channel (PUSCH). The PUSCH DM-RS may be transmitted in the first one or two symbols of the PUSCH. The PUCCH DM-RS may be transmitted in different configurations depending on whether short or long PUCCHs are transmitted and depending on the particular PUCCH format used. The UE may transmit sounding reference signals (SRS). The SRS may be transmitted in the last symbol of a subframe. The SRS may have a comb structure, and the UE may transmit SRS on one of the combs. The SRS may be used by a base station for channel quality estimation to enable frequency-dependent scheduling on the UL.

FIG. 2D illustrates an example of various UL channels within a subframe of a frame. The PUCCH may be located as indicated in one configuration. The PUCCH carries uplink control information (UCI), such as scheduling requests, a channel quality indicator (CQI), a precoding matrix indicator (PMI), a rank indicator (RI), and hybrid automatic repeat request (HARQ) acknowledgment (ACK) (HARQ-ACK) feedback (i.e., one or more HARQ ACK bits indicating one or more ACK and/or negative ACK (NACK)). The PUSCH carries data, and may additionally be used to carry a buffer status report (BSR), a power headroom report (PHR), and/or UCI.

FIG. 3 is a block diagram illustrating an example of a first wireless device configured to exchange wireless communications with a second wireless device. In the example shown in FIG. 3, the first wireless device may include a base station 310, the second wireless device may include a UE 350, and the base station 310 may communicate with the UE 350 in an access network. As shown in FIG. 3, the base station 310 includes a transmit processor (TX processor 316), a transmitter 318Tx, a receiver 318Rx, an antenna 320, a receive processor (RX processor 370), a channel estimator 374, a controller/processor 375, and a memory 376. The example UE 350 includes an antenna 352, a transmitter 354Tx, a receiver 354Rx, an RX processor 356, a channel estimator 358, a controller/processor 359, a memory 360, and a TX processor 368. In other examples, the base station 310 and/or the UE 350 may include additional or alternative components.

In the DL, Internet Protocol (IP) packets may be provided to the controller/processor 375. The controller/processor 375 implements layer 3 and layer 2 functionality. Layer 3 includes the radio resource control (RRC) layer, and layer 2 includes the service data adaptation protocol (SDAP) layer, the packet data convergence protocol (PDCP) layer, the radio link control (RLC) layer, and the medium access control (MAC) layer. The controller/processor 375 provides RRC layer functionality associated with the broadcast of system information (e.g., MIB, SIB), RRC connection control (e.g., RRC connection paging, RRC connection establishment, RRC connection modification, and RRC connection release), inter-radio access technology (RAT) mobility, and measurement configuration for UE measurement reporting; PDCP layer functionality associated with header compression/decompression, security (ciphering, deciphering, integrity protection, integrity verification), and handover support functions; RLC layer functionality associated with the transfer of upper layer packet data units (PDUs), error correction through ARQ, concatenation, segmentation, and reassembly of RLC service data units (SDUs), re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with the mapping between logical channels and transport channels, multiplexing of MAC SDUs onto transport blocks (TBs), demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction through HARQ, priority handling, and logical channel prioritization.

The TX processor 316 and the RX processor 370 implement layer 1 functionality associated with various signal processing functions. Layer 1, which includes the physical (PHY) layer, may include error detection on the transport channels, forward error correction (FEC) coding/decoding of the transport channels, interleaving, rate matching, mapping onto physical channels, modulation/demodulation of physical channels, and MIMO antenna processing. The TX processor 316 handles the mapping to signal constellations based on various modulation schemes (e.g., binary phase-shift keying (BPSK), quadrature phase-shift keying (QPSK), M-ary phase-shift keying (M-PSK), M-ary quadrature amplitude modulation (M-QAM)). The coded and modulated symbols may then be split into parallel streams. Each stream may then be mapped to OFDM subcarriers, multiplexed with a reference signal (e.g., a pilot) in the time and/or frequency domain, and then combined together using an inverse fast Fourier transform (IFFT) to produce a physical channel carrying a time-domain OFDM symbol stream. The OFDM stream is spatially precoded to produce multiple spatial streams. Channel estimates from the channel estimator 374 may be used to determine the coding and modulation scheme, as well as for spatial processing. The channel estimate may be derived from a reference signal and/or channel condition feedback transmitted by the UE 350. Each spatial stream may then be provided to a different antenna of the antennas 320 via a separate transmitter (e.g., the transmitter 318Tx). Each transmitter 318Tx may modulate an RF carrier with a respective spatial stream for transmission.

At the UE 350, each receiver 354Rx receives a signal through its respective antenna of the antennas 352. Each receiver 354Rx recovers information modulated onto an RF carrier and provides the information to the RX processor 356. The TX processor 368 and the RX processor 356 implement layer 1 functionality associated with various signal processing functions. The RX processor 356 may perform spatial processing on the information to recover any spatial streams destined for the UE 350. If multiple spatial streams are destined for the UE 350, two or more of the multiple spatial streams may be combined by the RX processor 356 into a single OFDM symbol stream. The RX processor 356 then converts the OFDM symbol stream from the time domain to the frequency domain using a fast Fourier transform (FFT). The frequency-domain signal comprises a separate OFDM symbol stream for each subcarrier of the OFDM signal. The symbols on each subcarrier, and the reference signal, are recovered and demodulated by determining the most likely signal constellation points transmitted by the base station 310. These soft decisions may be based on channel estimates computed by the channel estimator 358. The soft decisions are then decoded and deinterleaved to recover the data and control signals that were originally transmitted by the base station 310 on the physical channel. The data and control signals are then provided to the controller/processor 359, which implements layer 3 and layer 2 functionality.

The controller/processor 359 can be associated with a memory 360 that stores program codes and data. The memory 360 may be referred to as a computer-readable medium. In the UL, the controller/processor 359 provides demultiplexing between transport and logical channels, packet reassembly, deciphering, header decompression, and control signal processing to recover IP packets. The controller/processor 359 is also responsible for error detection using an ACK and/or NACK protocol to support HARQ operations.

Similar to the functionality described in connection with the DL transmission by the base station 310, the controller/processor 359 provides RRC layer functionality associated with system information (e.g., MIB, SIB) acquisition, RRC connections, and measurement reporting; PDCP layer functionality associated with header compression/decompression and security (ciphering, deciphering, integrity protection, integrity verification); RLC layer functionality associated with the transfer of upper layer PDUs, error correction through ARQ, concatenation, segmentation, and reassembly of RLC SDUs, re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with the mapping between logical channels and transport channels, multiplexing of MAC SDUs onto TBs, demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction through HARQ, priority handling, and logical channel prioritization.

Channel estimates derived by the channel estimator 358 from a reference signal or feedback transmitted by the base station 310 may be used by the TX processor 368 to select the appropriate coding and modulation schemes, and to facilitate spatial processing. The spatial streams generated by the TX processor 368 may be provided to different antennas of the antennas 352 via separate transmitters (e.g., the transmitter 354Tx). Each transmitter 354Tx may modulate an RF carrier with a respective spatial stream for transmission.

The UL transmission is processed at the base station 310 in a manner similar to that described in connection with the receiver function at the UE 350. Each receiver 318Rx receives a signal through its respective antenna of the antennas 320. Each receiver 318Rx recovers information modulated onto an RF carrier and provides the information to the RX processor 370.

The controller/processor 375 can be associated with a memory 376 that stores program codes and data. The memory 376 may be referred to as a computer-readable medium. In the UL, the controller/processor 375 provides demultiplexing between transport and logical channels, packet reassembly, deciphering, header decompression, and control signal processing to recover IP packets. The controller/processor 375 is also responsible for error detection using an ACK and/or NACK protocol to support HARQ operations.

At least one of the TX processor 368, the RX processor 356, and the controller/processor 359 may be configured to perform aspects in connection with the UE security handling component 198 of FIG. 1.

At least one of the TX processor 316, the RX processor 370, and the controller/processor 375 may be configured to perform aspects in connection with the network security handling component 199 of FIG. 1.

FIG. 4 is a diagram illustrating an example of a wireless communications system and an access network 400 including a first network node 402a, a second network node 402b, a UE 404, an evolved packet core (e.g., EPC 410), and a core network 430 (e.g., a 5G core (5GC)), as presented herein. Aspects of the first network node 402a and/or the second network node 402b (collectively referred to herein as "network nodes 402a/402b") may be implemented by the base station 102 of FIG. 1 and/or by components of the base station 102 (such as the CU 110, the DU 130, and/or the RU 140). Aspects of the UE 404 may be implemented by the UE 104 of FIG. 1.

In the example of FIG. 4, the first network node 402a may be configured for 4G LTE (collectively referred to as the Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (E-UTRAN)) and may interface with the EPC 410 through a first backhaul link 452 (e.g., an S1 interface). The second network node 402b may be configured for 5G NR (collectively referred to as the Next Generation RAN (NG-RAN)) and may interface with the core network 430 through a second backhaul link 454. Among other functions, the network nodes 402a/402b may perform one or more of the following: transfer of user data, radio channel ciphering and deciphering, integrity protection, header compression, mobility control functions (e.g., handover, dual connectivity), inter-cell interference coordination, connection setup and release, load balancing, distribution of non-access stratum (NAS) messages, NAS node selection, synchronization, radio access network (RAN) sharing, multimedia broadcast multicast service (MBMS), subscriber and equipment trace, RAN information management (RIM), paging, positioning, and delivery of warning messages. The network nodes 402a/402b may communicate with each other directly or indirectly (e.g., through the EPC 410 or the core network 430) over a third backhaul link 456 (e.g., an X2 interface). The first backhaul link 452, the second backhaul link 454, and the third backhaul link 456 may be wired or wireless.

The network nodes 402a/402b may communicate wirelessly with the UE 404. Each of the network nodes 402a/402b may provide communication coverage for a respective geographic coverage area 406. There may be overlapping geographic coverage areas. In the example of FIG. 4, the communication links 408 between the network nodes 402a/402b and the UE 404 may include uplink (UL) (also referred to as reverse link) transmissions from the UE 404 to the respective network node and/or downlink (DL) (also referred to as forward link) transmissions from the respective network node to the UE 404. The communication links 408 may use MIMO antenna technology, including spatial multiplexing, beamforming, and/or transmit diversity. The communication links may be over one or more carriers.

The EPC 410 may include a mobility management entity (e.g., MME 412), other MMEs 414, a serving gateway 416, a multimedia broadcast multicast service (MBMS) gateway (e.g., MBMS GW 418), a broadcast multicast service center (e.g., BM-SC 420), and a packet data network (PDN) gateway (e.g., PDN gateway 422). The MME 412 may be in communication with a home subscriber server (e.g., HSS 424). The MME 412 is the control node that processes the signaling between the UE 404 and the EPC 410. Generally, the MME 412 provides bearer and connection management. All user Internet Protocol (IP) packets are transferred through the serving gateway 416, which itself is connected to the PDN gateway 422. The PDN gateway 422 provides UE IP address allocation as well as other functions. The PDN gateway 422 and the BM-SC 420 are connected to the IP services 426. The IP services 426 may include the Internet, an intranet, an IP multimedia subsystem (IMS), a PS streaming service, and/or other IP services. The BM-SC 420 may provide functions for MBMS user service provisioning and delivery. The BM-SC 420 may serve as an entry point for content provider MBMS transmission, may be used to authorize and initiate MBMS bearer services within a public land mobile network (PLMN), and may be used to schedule MBMS transmissions. The MBMS GW 418 may be used to distribute MBMS traffic to the network nodes 402a/402b belonging to a multicast broadcast single frequency network (MBSFN) area broadcasting a particular service, and may be responsible for session management (start/stop) and for collecting eMBMS-related charging information.

The core network 430 may include an access and mobility management function (e.g., AMF 432), other AMFs 434, a session management function (e.g., SMF 436), and a user plane function (e.g., UPF 438). The AMF 432 may be in communication with a unified data management (e.g., UDM 440). The AMF 432 is the control node that processes the signaling between the UE 404 and the core network 430. Generally, the AMF 432 provides QoS flow and session management. All user IP packets are transferred through the UPF 438. The UPF 195 provides UE IP address allocation as well as other functions. The UPF 438 is connected to the IP services 442. The IP services 442 may include the Internet, an intranet, an IP multimedia subsystem (IMS), a packet switched (PS) streaming (PSS) service, and/or other IP services.

In the example of FIG. 4, the MME 412 and/or the AMF 432 may be configured to manage one or more aspects of wireless communication by facilitating security handling of 5GS to EPC reselection in the case of an RLF and retransmission of an EPS TAU request, so as to facilitate improved mobility support. For example, the MME 412 and/or the AMF 432 may be configured to facilitate a handover from a 5G network associated with the second network node 402b to an EPS network associated with the first network node 402a. The MME 412 and/or the AMF 432 may include a network security handling component 497. Aspects of the network security handling component 497 may be similar to the network security handling component 199 of FIG. 1 and/or FIG. 3.

The non-access stratum (NAS) forms the highest stratum of the control plane between the UE and the MME at the radio interface. The protocols that are part of the NAS provide support for the mobility of the UE. NAS security is an additional function of the NAS that provides services to the NAS protocols. For example, NAS security may provide integrity protection and ciphering of NAS signaling messages.

The security parameters used for authentication, integrity protection, and ciphering may be referred to as a security context and are identified by a key set identifier (KSI). Information representing the security context may be stored at the UE and at the network serving the UE (e.g., the serving network). With respect to the transfer of NAS signaling messages, the security context may be referred to as a "NAS security context" and includes a key, the key set identifier associated with the key, the UE security capabilities (e.g., the set of identifiers corresponding to the ciphering and integrity algorithms implemented by the UE), an uplink NAS count, and a downlink NAS count. When a security context is activated, the uplink NAS count and the downlink NAS count may each be set to zero, and each may be incremented sequentially as the corresponding NAS messages are transferred. Accordingly, the uplink NAS count value may indicate the number of uplink NAS messages transferred, and the downlink NAS count value may indicate the number of downlink NAS messages transferred, in association with the active security context.

When the UE is connected to a 5G network, the 5G security context may include a 5G NAS master security key (K_AMF), which is identified by the key set identifier in 5G (ngKSI). The 5G NAS master security key may also be referred to as the "5G NAS key" or the "5G master security key". When the UE is connected to an EPS network, the EPS security context may include an EPS NAS master security key (K_ASME), which is identified by the key set identifier in EPS (eKSI). The EPS NAS master security key may also be referred to herein as the "EPS NAS key" or the "EPS master security key".

FIG. 5 illustrates examples of different security contexts, as presented herein. For example, FIG. 5 includes a first security context 500, a second security context 520 associated with a 5G network, and a third security context 540 associated with an EPS network. A security context includes data that may be used to integrity protect NAS signaling, for example, when transmitting NAS messages and/or when receiving NAS messages. The security context data may be associated with integrity protecting the NAS signaling associated with a respective RAN. For example, the second security context 520 may include 5G security context data for transmitting 5G NAS messages and/or verifying 5G NAS messages. The third security context 540 may include EPS security context data for transmitting EPS NAS messages and/or verifying EPS NAS messages.

In the example of FIG. 5, the first security context 500 includes a master security key 502 and a KSI 504 associated with the master security key 502. For example, the KSI 504 may indicate the master security key 502. The first security context 500 also includes UE security capabilities 506, which may include a set of identifiers corresponding to the ciphering and integrity algorithms implemented by the UE. For example, the UE security capabilities 506 may include integrity and ciphering keys and the associated identifiers of the selected integrity and ciphering algorithms. The first security context 500 also includes a NAS count pair comprising an uplink NAS count 508 and a downlink NAS count 510. The uplink NAS count 508 indicates the number of uplink NAS messages transferred, and the downlink NAS count 510 indicates the number of downlink NAS messages transferred, in association with the active security context. When the security context is activated, the uplink NAS count 508 and the downlink NAS count 510 may be set to a starting value (e.g., may be set to zero). After the NAS count values are set to the starting value, each NAS count value may be incremented as the corresponding NAS messages are transferred.

As described above, the second security context 520 includes 5G security context data to facilitate integrity protection of 5G NAS messages. For example, the second security context 520 includes a 5G key 522 (K_AMF), a 5G KSI 524 (ngKSI), 5G UE security capabilities 526, a 5G uplink NAS count 528, and a 5G downlink NAS count 530. The 5G security context data of the second security context 520 may be similar to the security context data of the first security context 500, but may be configured for a 5G network.

The third security context 540 includes EPS security context data to facilitate integrity protection of EPS NAS messages. For example, the third security context 540 includes an EPS key 542 (K_ASME), an EPS KSI 544 (eKSI), EPS UE security capabilities 546, an EPS uplink NAS count 548, and an EPS downlink NAS count 550. The EPS security context data of the third security context 540 may be similar to the security context data of the first security context 500, but may be configured for an EPS network.

A security context may be associated with a state, such as a "current" state or a "non-current" state. A current security context is the activated security context. A non-current security context is a security context that is not current (e.g., a security context that has not been activated). A security context may be associated with a type, such as a "native" type or a "mapped" type. A native security context includes a "full native" security context or a "partial native" security context. A security context may have one type and one state at a given time. However, the type of a particular security context may change over time. For example, a partial native security context may be converted into a full native security context.

A native security context is a security context with a key (e.g., the EPS key K_ASME or the 5G key K_AMF) that was established by a primary authentication procedure and is identified by a native key set identifier (e.g., a native eKSI or a native ngKSI). For example, a primary authentication procedure may enable mutual authentication between the UE and the network and provide keying material that may be used between the UE and the network in subsequent security procedures. When the UE registers with the network, the UE and the network may perform the primary authentication procedure, and when the primary authentication procedure succeeds, a native security context may be generated. The UE may store a copy of the native security context, and the network may store a copy of the native security context associated with the UE at a network entity (e.g., at the MME and/or the AMF).

The native security context may include a native KSI that identifies the native key. The native KSI may be derived during the primary authentication procedure and may make it possible for the UE and the network to identify the native security context without invoking the authentication procedure. Accordingly, the native KSI may allow the native security context to be reused during subsequent connection setups between the UE and the network without executing the authentication procedure.

A native security context may be a partial native security context or a full native security context. A partial native security context is a security context that includes a key (e.g., the 5G key 522 or the EPS key 542) and the associated key set identifier (e.g., the 5G KSI 524 or the EPS KSI 544), the UE security capabilities, and a NAS count pair (e.g., an uplink NAS count value and a downlink NAS count value). A partial native security context may be established by primary authentication and is in the "non-current" state. A full native security context is a security context that includes the security context data of a partial native security context and additionally includes the NAS integrity and ciphering keys and the associated key set identifiers of the selected NAS integrity and ciphering algorithms. A full native security context may be in the "current" state or the "non-current" state.

A mapped security context is a security context whose key is derived from a key associated with a different RAN. For example, a mapped 5G security context includes a mapped 5G key (K_AMF) derived from an EPS key (e.g., the EPS key 542). A mapped EPS security context includes a mapped EPS key (K_ASME) derived from a 5G key (e.g., the 5G key 522).

A mapped security context may include a mapped KSI of a first network that is associated with a mapped key derived from a native key of a second network. For example, a mapped 5G security context includes a mapped 5G KSI associated with a mapped 5G key derived from the EPS key of the EPS network. The mapped KSI may be generated at the UE and at the network when the mapped key is derived. Accordingly, the mapped KSI may indicate the use of the mapped key.

In some aspects, a security context mismatch may occur between the UE and a first network, for example, during a reselection from a second network to the first network (e.g., a 5GS to EPS reselection). Because 5G coverage may not be ubiquitous in a deployment scenario, the number of 5G to EPS reselection procedures performed in a deployment may be high. Additionally, a 5G network may initially not support IP multimedia subsystem (IMS) voice calls. In such scenarios, for example, a UE camped on a cell associated with the 5G network may be redirected to a cell associated with an EPS network to attempt to establish a voice call.
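The following Python model is an added illustration (not code from the patent or from 3GPP) of the NAS security context elements described above, of deriving a mapped EPS security context from a current 5G security context, and of how a security context mismatch surfaces as a failed integrity check at the network. The key derivation and the NAS integrity tag are stand-in HMAC-SHA-256 constructions: the 3GPP-specified derivation of the mapped K_ASME (TS 33.501) takes the same inputs, K_AMF and the uplink NAS count, but uses a different encoding, and all key and payload values below are constructed.

```python
"""Toy model of NAS security contexts and 5GS-to-EPS mapped-context
derivation. Added illustration; not code from the patent.

Labelled assumptions: the mapped K_ASME is derived by a stand-in
HMAC-SHA-256 construction over K_AMF and the uplink NAS count (the
3GPP KDF has the same inputs but a different encoding), and the NAS
integrity tag is a stand-in HMAC truncated to 32 bits.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class NasSecurityContext:
    """The elements listed for the first security context 500 of FIG. 5."""
    rat: str                          # "5G" or "EPS"
    key: bytes                        # K_AMF (5G) or K_ASME (EPS)
    ksi: int                          # ngKSI or eKSI identifying the key
    ue_security_capabilities: tuple   # identifiers of supported algorithms
    ul_nas_count: int = 0
    dl_nas_count: int = 0
    ctx_type: str = "native"          # "native" or "mapped"
    state: str = "non-current"        # "current" or "non-current"

    def next_uplink_count(self):
        """Count to use for the next UL NAS message; advances the counter."""
        count = self.ul_nas_count
        self.ul_nas_count += 1
        return count


def nas_mac(ctx, count, message):
    """Stand-in NAS integrity tag over NAS COUNT || message (constructed)."""
    data = count.to_bytes(4, "big") + message
    return hmac.new(ctx.key, data, hashlib.sha256).digest()[:4]


def derive_mapped_eps_context(ctx5g, ul_nas_count):
    """Mapped EPS context whose K_ASME is derived from the 5G K_AMF.

    Both the UE and the network run this; they agree only if they feed in
    the same K_AMF and the same uplink NAS count (stand-in KDF, see above).
    """
    if ctx5g.rat != "5G":
        raise ValueError("a mapped EPS context is derived from a 5G context")
    label = b"mapped-eps-key|" + ul_nas_count.to_bytes(4, "big")
    k_asme = hmac.new(ctx5g.key, label, hashlib.sha256).digest()
    return NasSecurityContext(
        rat="EPS", key=k_asme, ksi=ctx5g.ksi,
        ue_security_capabilities=ctx5g.ue_security_capabilities,
        ul_nas_count=0, dl_nas_count=0,   # counts start at zero on activation
        ctx_type="mapped", state="current")


def network_verify_tau(net_ctx5g, ul_nas_count, tau_payload, mac):
    """MME-side check: derive the mapped context from the uplink NAS count
    the network believes was used, then verify the tag.
    Returns (accepted, mapped_ctx)."""
    net_mapped = derive_mapped_eps_context(net_ctx5g, ul_nas_count)
    expected = nas_mac(net_mapped, 0, tau_payload)
    return hmac.compare_digest(expected, mac), net_mapped


def reselection_demo():
    """UE and network hold the same current 5G context. The UE sends a TAU
    request protected with a mapped EPS context, then retransmits it with a
    fresh uplink NAS count while the network keeps the earlier count.
    Returns (first_accepted, retransmission_accepted, keys_differ)."""
    caps = ("NEA2", "NIA2")                      # constructed capability list
    k_amf = hashlib.sha256(b"constructed K_AMF for illustration").digest()
    ue5g = NasSecurityContext("5G", k_amf, 3, caps, 7, 4, state="current")
    net5g = NasSecurityContext("5G", k_amf, 3, caps, 7, 4, state="current")
    tau = b"TAU REQUEST (constructed payload)"

    # First TAU request: both sides use uplink NAS count 7 -> keys match.
    count1 = ue5g.next_uplink_count()
    ue_mapped1 = derive_mapped_eps_context(ue5g, count1)
    ok1, _ = network_verify_tau(net5g, count1, tau, nas_mac(ue_mapped1, 0, tau))

    # Retransmission: the UE advances to count 8 and derives a new mapped key,
    # but the network still verifies with count 7 -> security context mismatch,
    # which the integrity check detects rather than silently accepting.
    count2 = ue5g.next_uplink_count()
    ue_mapped2 = derive_mapped_eps_context(ue5g, count2)
    ok2, _ = network_verify_tau(net5g, count1, tau, nas_mac(ue_mapped2, 0, tau))
    return ok1, ok2, ue_mapped1.key != ue_mapped2.key


if __name__ == "__main__":
    print(reselection_demo())   # (True, False, True)
```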

FIG. 6 illustrates an example communication flow 600 between a network node 602, a UE 604, an MME 606, and an AMF 608, as presented herein. In the illustrated example, the communication flow 600 facilitates performing idle mode mobility from 5GS to EPS. For example, the UE 604 may be connected to and/or camped on a first cell associated with a first RAT (e.g., a 5G network) and may be redirected to a second cell associated with a second RAT (e.g., an EPS network or an LTE network). In the example of FIG. 6, the MME 606 may be associated with an EPS network 607, and the AMF 608 may be associated with a 5G network 609. The example communication flow 600 may be associated with performing a tracking area update (TAU) request procedure, or an initial connection procedure with the second cell, after being redirected to the second cell (e.g., the EPS network 607).

Aspects of network node 602 may be implemented by base station 102 of FIG. 1 and/or by components of base station 102 (such as a CU, a DU and/or an RU). Aspects of UE 604 may be implemented by UE 104 of FIG. 1. Aspects of MME 606 may be implemented by MME 412 of FIG. 4. Aspects of AMF 608 may be implemented by AMF 161 of FIG. 1, AMF 432 of FIG. 4 and/or other AMFs 434. In the example of FIG. 6, UE 604 communicates with MME 606 via network node 602. For example, UE 604 may send an uplink message that is received by network node 602, which then forwards the uplink message to MME 606. In the downlink direction, MME 606 may send messages that are received by network node 602 and subsequently forwarded by network node 602 to UE 604.

In the example of FIG. 6, UE 604 is performing a reselection from 5G network 609 to EPS network 607. Accordingly, UE 604 is configured with a 5G security context 690, such as second security context 520 of FIG. 5, i.e., the current (or active) 5G security context. UE 604 may derive a mapped EPS security context based on the 5G security context data of the current 5G security context to facilitate communication with MME 606 and EPS network 607.

As shown in FIG. 6, UE 604 sends a first TAU request message 610, which is received by MME 606. UE 604 may send first TAU request message 610 to update the registration of the actual tracking area of UE 604 in EPS network 607. UE 604 may send first TAU request message 610 via an EPS NAS message. Accordingly, first TAU request message 610 may include parameters associated with EPS network 607.

For example, first TAU request message 610 includes a mapped EPS globally unique temporary UE identity (e.g., mapped EPS GUTI 612) of UE 604 and the EPS security capabilities, such as EPS UE security capabilities 546 of FIG. 5. Mapped EPS GUTI 612 may be derived from the 5G GUTI. When registering with 5G network 609, UE 604 may be configured with a 5G GUTI. The 5G GUTI may point to the AMF in which the 5G key associated with UE 604 is stored. Therefore, mapped EPS GUTI 612 may contain information identifying the AMF that holds the latest security context of UE 604 in 5G network 609, together with an identifier of the UE within that AMF. For example, mapped EPS GUTI 612 may contain an address associated with AMF 608 and a temporary mobile subscriber identity (e.g., TMSI 613) associated with UE 604.

UE 604 may integrity protect first TAU request message 610 using the 5G security context 690 identified by the 5G GUTI that was used to derive mapped EPS GUTI 612. For example, UE 604 may compute a NAS message authentication code (e.g., NAS-MAC 614) for first TAU request message 610. UE 604 may compute NAS-MAC 614 in the same way as a NAS-MAC for a 5G NAS message is computed. The uplink NAS count used for integrity protection of first TAU request message 610 may be the same value as the 5G uplink NAS count (e.g., the same value as 5G uplink NAS count 528 of FIG. 5). Thus, the uplink NAS count value increases across the two communication systems. First TAU request message 610 may include an eKSI parameter 616, and UE 604 may include the 5G KSI (ngKSI) corresponding to 5G security context 690 in eKSI parameter 616.

In the example of FIG. 6, after sending first TAU request message 610, UE 604 may, at 618, increment the 5G uplink NAS count of 5G security context 690 by one.

At 620, MME 606 may obtain the AMF address of the AMF that stores the 5G security context associated with UE 604. For example, MME 606 may use mapped EPS GUTI 612 of first TAU request message 610 to obtain the AMF address of AMF 608.

As shown in FIG. 6, MME 606 may send a context request message 622, which is received by AMF 608. Context request message 622 may include all or part of the information in first TAU request message 610. For example, context request message 622 may include NAS-MAC 614 and eKSI parameter 616. Context request message 622 may also include mapped EPS GUTI 612.

At 630, AMF 608 may identify a 5G NAS security context 692 associated with UE 604, e.g., based on context request message 622. AMF 608 may use the 5G KSI included in eKSI parameter 616 of context request message 622 to identify 5G NAS security context 692 associated with UE 604.

At 632, AMF 608 may verify first TAU request message 610 using 5G NAS security context 692. AMF 608 may verify first TAU request message 610 as if it were a 5G NAS message. If AMF 608 successfully verifies first TAU request message 610, AMF 608 may, at 634, generate a mapped EPS security context 636. For example, AMF 608 may use 5G NAS security context 692 to derive mapped EPS security context 636. AMF 608 may derive mapped EPS security context 636, e.g., by deriving a mapped EPS key (K_ASME') from the 5G key (K_AMF) using the 5G uplink NAS count derived from first TAU request message 610. For example, UE 604 may have used that 5G uplink NAS count to integrity protect first TAU request message 610. Because AMF 608 identifies 5G NAS security context 692 of UE 604 and verifies first TAU request message 610, AMF 608 may be able to determine the 5G uplink NAS count.

AMF 608 may determine the mapped EPS KSI (eKSI) for the mapped EPS key (K_ASME') based on the value obtained from the 5G KSI (ngKSI) in context request message 622. The EPS uplink and downlink NAS count values in mapped EPS security context 636 may be set to the uplink and downlink NAS count values, respectively, of 5G NAS security context 692. AMF 608 may set the EPS NAS algorithms to the EPS NAS algorithms previously indicated to UE 604 (e.g., during a connection establishment procedure or a connection re-establishment procedure).

As shown in FIG. 6, AMF 608 may output a context response message 638, which is received by MME 606. Context response message 638 may include mapped EPS security context 636. In some examples, AMF 608 may discard (or erase) the 5G NAS security context 692 used to derive mapped EPS security context 636 after sending context response message 638. In some examples, AMF 608 may start a timer after sending context response message 638 and discard 5G NAS security context 692 after the timer expires.

In the illustrated example of FIG. 6, UE 604 may, at 640, generate a UE-mapped EPS security context 642. For example, UE 604 may derive UE-mapped EPS security context 642 in a manner similar to how AMF 608 derives mapped EPS security context 636. UE 604 may set the EPS NAS algorithms to the EPS NAS algorithms previously received from AMF 608 (e.g., during a connection establishment procedure or a connection re-establishment procedure). UE 604 may activate UE-mapped EPS security context 642 for processing EPS NAS messages received from MME 606.

At 650, MME 606 may compare the UE security algorithms with security algorithm information 694. MME 606 may be configured with security algorithm information 694 via network management. Security algorithm information 694 may include a list of algorithms that are allowed to be used. The algorithms in security algorithm information 694 may be ordered by priority. MME 606 may compare the EPS NAS algorithms included in mapped EPS security context 636 of context response message 638 with security algorithm information 694. At 650, MME 606 may compare the security algorithms to decide whether to select another EPS NAS algorithm. If MME 606 decides to perform an algorithm change, MME 606 may select, from security algorithm information 694, the EPS NAS algorithm that has the highest priority and is usable by UE 604. For example, MME 606 may use the UE security capabilities of the UE (such as EPS UE security capabilities 546 of FIG. 5) to decide which EPS NAS algorithm to select from security algorithm information 694.
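The comparison at 650 can be written down as a short policy check. The following is an added example, not code from the patent application: a Python function that picks, for integrity and ciphering separately, the highest-priority algorithm in the MME's ordered allow-list (standing in for security algorithm information 694) that also appears in the UE's EPS security capabilities, and reports whether the result differs from the algorithms carried in the mapped EPS security context, i.e. whether a NAS SMC procedure has to follow. The MME's priority order and the UE capability sets are constructed values; the algorithm identifiers are the standard EPS NAS algorithm names.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed MME configuration standing in for security algorithm information 694: the allowed
# EPS NAS algorithms, highest priority first. The ordering is an assumption for this example.
MME_ALLOWED_INTEGRITY: List[str] = ["128-EIA2", "128-EIA1", "128-EIA3"]
MME_ALLOWED_CIPHERING: List[str] = ["128-EEA2", "128-EEA1", "128-EEA3", "EEA0"]


def select_algorithm(allowed: List[str], ue_supported: Set[str]) -> Optional[str]:
    """First entry of the MME's ordered allow-list that the UE's EPS security capabilities include."""
    for algorithm in allowed:
        if algorithm in ue_supported:
            return algorithm
    return None


def decide_algorithm_change(ue_capabilities: Set[str],
                            mapped_context_algorithms: Tuple[str, str]) -> Dict[str, object]:
    """Step 650: compare the EPS NAS algorithms carried in the mapped EPS security context
    (integrity, ciphering) with the MME policy and report whether a NAS SMC procedure (660)
    is needed to move the UE to different algorithms."""
    integrity = select_algorithm(MME_ALLOWED_INTEGRITY, ue_capabilities)
    ciphering = select_algorithm(MME_ALLOWED_CIPHERING, ue_capabilities)
    if integrity is None or ciphering is None:
        raise ValueError("no EPS NAS algorithm is common to the MME policy and the UE capabilities")
    return {
        "integrity": integrity,
        "ciphering": ciphering,
        "smc_needed": (integrity, ciphering) != mapped_context_algorithms,
    }
```

When the mapped context already carries the MME's preferred pair, `smc_needed` is False and the MME can proceed straight to the TAU accept; otherwise the SMC procedure derives new NAS keys for the selected pair.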

If MME 606 decides to select another EPS NAS algorithm, UE 604 and MME 606 may perform a NAS security mode command (SMC) procedure (e.g., NAS SMC procedure 660) to derive new NAS keys using the selected EPS NAS algorithm. If, at 650, MME 606 decides not to perform an algorithm change, or after MME 606 and UE 604 have performed NAS SMC procedure 660, MME 606 may output a TAU accept message 662, which is received by UE 604. MME 606 may output (e.g., send or transmit) TAU accept message 662 via an EPS NAS message.

At 664, UE 604 may perform integrity verification of TAU accept message 662. For example, UE 604 may use the mapped EPS key (K_ASME') of UE-mapped EPS security context 642 to perform the integrity verification of TAU accept message 662. If the integrity verification succeeds, UE 604 may send a TAU complete message 666, which is received by MME 606. If the integrity verification fails, UE 604 may discard TAU complete message 666.

As described above, UE 604 may initiate the procedure of FIG. 6 based on a reselection from a first cell associated with 5G network 609 to a second cell associated with EPS network 607. However, situations may arise in which the security contexts at UE 604 and at MME 606 do not match.

For example, after establishing a connection with the second cell associated with EPS network 607 and sending first TAU request message 610, UE 604 may experience a radio link failure (RLF). In such examples, UE 604 may retransmit first TAU request message 610, e.g., after establishing a new RRC connection with another cell associated with EPS network 607 or after re-establishing the RRC connection with the second cell. For example, UE 604 may send a second TAU request message 670, which is received by MME 606. Second TAU request message 670 may include the same information as the first TAU request (e.g., first TAU request message 610).

However, when sending second TAU request message 670, UE 604 may use the updated 5G NAS uplink count value to integrity protect second TAU request message 670. For example, the 5G NAS uplink count value used to integrity protect first TAU request message 610 may be five, and the 5G NAS uplink count value used to integrity protect second TAU request message 670 may be six.

In some examples, when MME 606 receives second TAU request message 670, MME 606 may be configured to compare, at 672, the contents of first TAU request message 610 and second TAU request message 670. In some examples, when the contents (e.g., the information elements) of first TAU request message 610 and second TAU request message 670 are identical, MME 606 may discard second TAU request message 670 and continue the TAU request procedure of FIG. 6 based on first TAU request message 610. In such examples, MME 606 may refrain from sending another context request message to AMF 608 based on second TAU request message 670.

It can be appreciated that, in an inter-MME scenario, refraining from sending another context request message may be sufficient, because no security context mapping may take place. Likewise, when performing a reselection from UMTS to EPS, refraining from sending another context request message is sufficient, because freshness based on NONCE_UE can be used for the context mapping. As used herein, "NONCE_UE" refers to a 32-bit pseudo-random number generated by the UE to provide freshness for the UMTS-to-EPS security mapping. NONCE_UE may be used as an input, together with an existing security key such as a 3G security key, to compute the mapped EPS key (K_ASME').

However, as described in the example of FIG. 6, when performing a 5G-to-EPS reselection (e.g., a reselection from 5G network 609 to EPS network 607), AMF 608 may use the 5G NAS uplink count associated with the TAU request message to generate mapped EPS security context 636 (e.g., at 634). For example, AMF 608 may use the value five of the 5G NAS uplink count associated with first TAU request message 610 to generate mapped EPS security context 636, which AMF 608 provides to MME 606 via context response message 638. Mapped EPS security context 636 may include an MME EPS key (K_ASME'_MME) based on the 5G NAS uplink count. Therefore, MME 606 may be configured with an MME EPS key (K_ASME'_MME) based on the 5G NAS uplink count value of five.

Similarly, UE 604 may use the same 5G NAS uplink count associated with the TAU request message to generate UE-mapped EPS security context 642 (e.g., at 640). For example, with respect to first TAU request message 610, UE 604 may, at 640, generate a UE-mapped EPS security context 642 that includes a first UE EPS key (K_ASME'_UE).

However, after sending second TAU request message 670, UE 604 may, at 680, generate a new UE-mapped EPS security context 682. New UE-mapped EPS security context 682 may be based at least in part on the 5G NAS uplink count value associated with second TAU request message 670. For example, new UE-mapped EPS security context 682 may be based on the 5G NAS uplink count value of six associated with second TAU request message 670. In such examples, new UE-mapped EPS security context 682 may include a second UE EPS key (K_ASME'_UE2). It can be appreciated that, because mapped EPS security context 636 and new UE-mapped EPS security context 682 may each have been derived, at AMF 608 and at UE 604 respectively, using different 5G NAS uplink count values, the MME EPS key (K_ASME'_MME) at MME 606 and the second UE EPS key (K_ASME'_UE2) may also differ. Therefore, because the mapped EPS keys K_ASME'_MME and K_ASME'_UE2 differ, UE 604 may discard the EPS NAS messages received from MME 606. That is, because UE 604 and MME 606 are using mismatched mapped EPS security contexts and mapped EPS keys, UE 604 may discard or reject EPS NAS messages from MME 606 (e.g., TAU accept message 662 and/or messages associated with NAS SMC procedure 660) owing to the inconsistent integrity computations. Such scenarios may result in service interruptions and/or dropped calls.

Examples disclosed herein provide techniques for removing the inconsistency in the handling of repetitions of TAU request messages described above. In a first aspect, the disclosed techniques may remove the inconsistency by modifying how MME 606 handles repetitions of TAU request messages. In a second aspect, the disclosed techniques may remove the inconsistency by modifying how UE 604 performs integrity protection of TAU request messages. In a third aspect, the disclosed techniques may remove the inconsistency by modifying how UE 604 performs integrity verification of messages.

As described above, when MME 606 receives second TAU request message 670 and the contents (e.g., the information elements) of first TAU request message 610 and second TAU request message 670 are identical, MME 606 may discard second TAU request message 670 and refrain from sending another context request message to AMF 608. In a first example aspect, the disclosed techniques may remove the inconsistency described above by modifying how the MME handles repetitions of TAU request messages.

For example, MME 606 may be configured to decide whether to send a context request message to AMF 608 based on whether MME 606 is able to obtain an AMF address from the TAU request. That is, rather than refraining from sending a second context request message because first TAU request message 610 and second TAU request message 670 include the same contents (e.g., the same information elements), as described at 672, MME 606 may decide whether to send a second context request message 674 based on whether MME 606 is able to obtain the AMF address. Therefore, if second TAU request message 670 includes a mapped EPS GUTI (such as mapped EPS GUTI 612) that carries an AMF address, MME 606 may decide to send a second context request message 674 to AMF 608 requesting a new mapped EPS security context.

In such examples, AMF 608 may generate mapped EPS security context 636 based on the 5G NAS uplink count (e.g., the value six) associated with the second TAU request message 670 included in second context request message 674. Therefore, mapped EPS security context 636 and new UE-mapped EPS security context 682 may be derived based on the same 5G NAS uplink count (e.g., the value six), which may result in the corresponding mapped EPS keys K_ASME'_MME and K_ASME'_UE2 also being identical. In some examples, at 684, UE 604 may update the security context of UE 604 from UE-mapped EPS security context 642 to new UE-mapped EPS security context 682 based on the derivation of new UE-mapped EPS security context 682 (e.g., at 680).

In some examples, when MME 606 receives a mapped EPS security context from AMF 608, MME 606 may be configured to update its mapped security context. For example, in some scenarios MME 606 may have generated EPS NAS messages for transmission to UE 604 and may receive a new mapped EPS security context while the transmission of one or more of the generated EPS NAS messages is pending. In such examples, MME 606 may be configured to discard pending EPS NAS messages that were integrity protected using the older mapped EPS security context.

It can be appreciated that, as long as MME 606 is able to obtain an address to which second context request message 674 can be sent, MME 606 may send a context request message requesting a mapped EPS security context. Thus, in some examples, the address included in the mapped EPS GUTI may correspond to an AMF (e.g., AMF 608). In other examples, the address included in the mapped EPS GUTI of first TAU request message 610 and second TAU request message 670 may map to an MME.

In some examples, MME 606 may receive second TAU request message 670, with the same information elements, before sending TAU accept message 662 to UE 604. In some such examples, MME 606 may forward second TAU request message 670 to AMF 608 (e.g., via second context request message 674), as described above. In other examples, MME 606 may perform authentication and activate a new native EPS security context for protecting subsequent NAS messages to UE 604. For example, MME 606 may decide to perform NAS SMC procedure 660 with UE 604 so that MME 606 and UE 604 use the same EPS key (K_ASME) to perform integrity verification of EPS NAS messages.

In some examples, MME 606 may receive second TAU request message 670, with the same information elements, after sending TAU accept message 662 to UE 604. In some such examples, MME 606 may decide to perform authentication and activate a new native EPS security context for protecting subsequent NAS messages to UE 604. For example, MME 606 may decide to perform NAS SMC procedure 660 with UE 604 so that MME 606 and UE 604 use the same EPS key (K_ASME) to perform integrity verification of EPS NAS messages.

In some examples, MME 606 may receive second TAU request message 670, with the same information elements, after sending TAU accept message 662 and before receiving TAU complete message 666 from UE 604. For all cases other than an inter-system change from N1 mode to S1 mode in idle mode with UE 604 operating in single-registration mode, MME 606 may resend TAU accept message 662. In some such examples, if TAU complete message 666 is expected, MME 606 may restart a timer (e.g., the T3450 timer). For the case of an inter-system change from N1 mode to S1 mode in idle mode with UE 604 operating in single-registration mode, MME 606 may initiate an authentication procedure with UE 604, followed by a security mode control procedure (e.g., NAS SMC procedure 660), to attempt to take a new partial native EPS security context into use. If the new partial native EPS security context is successfully taken into use, MME 606 may set the new partial native EPS security context as the full native EPS security context. MME 606 may also resend TAU accept message 662 and use the (new) full native EPS security context to integrity protect the resent TAU accept message 662. In some examples, MME 606 may also restart the T3450 timer. In such examples, the retransmission counter associated with the T3450 timer may not be incremented.

In some examples, MME 606 may receive first TAU request message 610 and second TAU request message 670 while not yet having sent TAU accept message 662 or a TAU reject message. If one or more information elements differ between first TAU request message 610 and second TAU request message 670, the TAU procedure initiated based on first TAU request message 610 may be aborted, and a new TAU procedure initiated based on second TAU request message 670 may proceed (e.g., may continue).

If the information elements in first TAU request message 610 and second TAU request message 670 are identical (e.g., there is no difference), then, for all cases other than an inter-system change from N1 mode to S1 mode in idle mode with UE 604 operating in single-registration mode, MME 606 may continue the previously initiated TAU procedure (e.g., based on first TAU request message 610) and discard second TAU request message 670. That is, MME 606 may refrain from sending, based on second TAU request message 670, a second context request message 674 requesting a new mapped EPS security context to AMF 608.

For the case of an inter-system change from N1 mode to S1 mode in idle mode with UE 604 operating in single-registration mode, MME 606 may forward the new TAU request message to AMF 608 (e.g., via another context request message) to perform an integrity check and obtain the latest mapped EPS security context, and may continue the previous TAU procedure. For example, MME 606 may forward second TAU request message 670 to AMF 608 (e.g., via second context request message 674). As one example, the integrity check may be based on the integrity key, the uplink count, the transmission direction (e.g., a 1-bit indicator indicating the downlink direction for a downlink transmission) and the payload of the downlink transmission. AMF 608 may verify second TAU request message 670 (e.g., at 632). AMF 608 may then generate a new mapped EPS security context based on second TAU request message 670. For example, the new mapped EPS security context may be based at least in part on the 5G NAS uplink count (e.g., the value six) associated with second TAU request message 670. Therefore, the mapped EPS security context 636 provided to MME 606, which includes the new MME EPS key (e.g., K_ASME'_MME), may be identical to new UE-mapped EPS security context 682, which includes the new UE EPS key (K_ASME'_UE2). Therefore, when MME 606 uses the new MME EPS key (e.g., K_ASME'_MME) to integrity protect subsequent NAS messages (e.g., TAU accept message 662), UE 604 may, at 664, successfully perform integrity verification of the subsequently received NAS messages (e.g., TAU accept message 662). In some examples, at 684, UE 604 may update the security context of UE 604 from mapped EPS security context 642 to new UE-mapped EPS security context 682 based on the derivation of new UE-mapped EPS security context 682 (e.g., at 680).

In some examples, instead of forwarding the second TAU request message 670, which contains the same information elements as the first TAU request message 610, to the AMF 608, the MME 606 may decide to initiate an authentication procedure followed by a security mode control procedure in order to use a new partial native EPS security context. If the new partial native EPS security context is used successfully (e.g., the NAS SMC procedure 660 succeeds), the MME 606 may set the new partial native EPS security context as a full native EPS security context, and the full native EPS security context may be used to protect any future NAS messages sent to the UE 604, such as the TAU accept message 662.

As described above, when the UE 604 sends the first TAU request message 610 and the second TAU request message 670, the UE 604 uses the respective 5G NAS uplink count to integrity-protect the respective TAU request message. In a second example aspect, the disclosed techniques may remove the inconsistency by modifying how the UE 604 performs integrity protection of TAU request messages. For example, the UE 604 may be configured to use the same 5G NAS uplink count value when sending two consecutive TAU request messages, such as the first TAU request message 610 and a repetition of the first TAU request message (e.g., the second TAU request message 670). For example, at 618, the UE 604 may skip incrementing the 5G uplink NAS count of the 5G security context 690 by one.

By sending the first TAU request message 610 and the second TAU request message 670 without incrementing the 5G NAS uplink count, the same 5G NAS uplink count value may be used to integrity-protect both the first TAU request message 610 and the second TAU request message 670. Accordingly, the mapped EPS security context 636 generated by the AMF 608 (e.g., at 634) and the new UE mapped EPS security context 682 generated by the UE 604 (e.g., at 680) may be identical. Consequently, the integrity verification performed on a subsequent NAS message received at the UE 604 (e.g., at 664) may succeed, and communication between the UE 604 and the cell associated with the EPS network 607 may continue successfully. In some examples, at 684, the UE 604 may update the security context of the UE 604 from the UE mapped EPS security context 642 to the new UE mapped EPS security context 682 based on the derivation of the new UE mapped EPS security context 682 (e.g., at 680).

That is, because the 5G NAS uplink count values of the first TAU request message 610 and the second TAU request message 670 are the same, the respective TAU request messages contain the same content (e.g., the same information elements) and each is integrity-protected using the same 5G NAS uplink count value. In some examples, if the MME 606 receives both the first TAU request message 610 and the second TAU request message 670, the MME 606 may discard the second TAU request message 670 and continue the TAU procedure based on the first TAU request message 610. In other examples, where the MME 606 does not receive the first TAU request message 610 (e.g., if a radio link failure occurs and the network node 602 misses one or more RLC packets carrying the RRC connection setup complete information) but does receive the second TAU request message 670, the MME 606 may use the second TAU request message 670 to perform the TAU procedure of FIG. 6 (e.g., to request the mapped EPS security context from the AMF 608). In either scenario, the mapped EPS keys (K ASME'_MME, K ASME'_UE2) are identical, and therefore communication between the UE 604 and the cell associated with the EPS network 607 may continue successfully.

In a third example aspect, the disclosed techniques may remove the inconsistency in the handling of repeated TAU request messages by modifying how the UE 604 performs integrity verification of EPS NAS messages. For example, the UE 604 may attempt to perform integrity verification (e.g., at 664) based on different EPS keys.

For example, the UE 604 may derive the first EPS key (K ASME'1) of the UE mapped EPS security context 642 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the first TAU request message 610 (e.g., the value five). The UE 604 may then derive a first NAS integrity key (NAS_IK1) from the first EPS key (K ASME'1).

The UE 604 may also derive the second EPS key (K ASME'2) of the new UE mapped EPS security context 682 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the second TAU request message 670 (e.g., the value six). The UE 604 may then derive a second NAS integrity key (NAS_IK2) from the second EPS key (K ASME'2).

When the UE 604 receives an integrity-protected EPS NAS message (e.g., the TAU accept message 662) from the MME 606, the UE 604 may attempt to perform integrity verification (e.g., at 664) using the NAS integrity keys (e.g., NAS_IK1 and NAS_IK2). If one of the NAS integrity keys passes integrity verification, the UE 604 selects that NAS integrity key and continues communicating with the cell associated with the EPS network 607 based on it. For example, if integrity verification using the first NAS integrity key (NAS_IK1) succeeds, the UE 604 may set the first EPS key (K ASME'1) as the EPS key (K ASME). The UE 604 may also erase the second EPS key (K ASME'2) and any other keys derived from the second EPS key (K ASME'2). Similarly, if integrity verification using the second NAS integrity key (NAS_IK2) succeeds, the UE 604 may set the second EPS key (K ASME'2) as the EPS key (K ASME). The UE 604 may also erase the first EPS key (K ASME'1) and any other keys derived from the first EPS key (K ASME'1). If integrity verification fails with both NAS integrity keys (NAS_IK1, NAS_IK2) (i.e., neither NAS integrity key verifies the message), the UE 604 may discard the EPS NAS message.

It will be understood that although the description above gives an example with two TAU request messages, other examples may include any suitable number of TAU request messages. For example, there may be z possible NAS uplink count values (e.g., x, x+1, x+2, ... z). If integrity verification succeeds using the NAS integrity key (NAS_IK_y) derived from the EPS key (K ASME'y) that was itself derived using 5G NAS uplink count y, where y is one of the z possible NAS uplink count values (e.g., x, x+1, x+2, ... z), then the UE 604 may set that EPS key (K ASME'y) as the EPS key (K ASME) and erase all other EPS keys (K ASME') and the keys derived from them.
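As an added illustration of the second and third example aspects above (not code from the patent, and not the 3GPP key-derivation functions), the following Python models both sides of the exchange: the network maps K ASME' from the uplink NAS count of the TAU request it verified, while the UE either reuses the count for the retransmission (second aspect) or derives NAS_IK_y for every candidate count, tries each against the received NAS-MAC, keeps the key that verifies and erases the rest (third aspect). The KDF, its labels and the truncated NAS-MAC are simplified stand-ins chosen for this example; the count values five and six are the page's own.

```python
import hashlib
import hmac
from typing import Optional

DOWNLINK = 1  # 1-bit direction indicator, one of the integrity-check inputs named on the page


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over a label and length-prefixed
    parameters. The normative 3GPP KDF uses specific FC values and encodings."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_k_asme_prime(k_amf: bytes, ul_nas_count: int) -> bytes:
    """Mapped EPS key K_ASME' from the 5G key K_AMF and a 5G NAS uplink count."""
    return kdf(k_amf, b"K_ASME'", ul_nas_count.to_bytes(4, "big"))


def derive_nas_ik(k_asme: bytes) -> bytes:
    """EPS NAS integrity key derived from a (mapped) K_ASME."""
    return kdf(k_asme, b"NAS_IK")


def nas_mac(nas_ik: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """Truncated 32-bit NAS-MAC over count, direction bit and payload."""
    return kdf(nas_ik, b"NAS-MAC", count.to_bytes(4, "big"),
               bytes([direction]), payload)[:4]


def mme_protect(k_amf: bytes, ul_count_verified: int, dl_count: int,
                payload: bytes) -> tuple[bytes, bytes]:
    """Network side: the AMF maps K_ASME'_MME from the uplink count of the TAU
    request it verified and hands the context to the MME, which integrity-
    protects the TAU Accept with the NAS_IK derived from that mapped key."""
    k_asme_mme = derive_k_asme_prime(k_amf, ul_count_verified)
    mac = nas_mac(derive_nas_ik(k_asme_mme), dl_count, DOWNLINK, payload)
    return payload, mac


def ue_verify(k_amf: bytes, candidate_counts: list[int], dl_count: int,
              payload: bytes, mac: bytes) -> Optional[tuple[int, bytes, list[int]]]:
    """UE side (third aspect): derive K_ASME'_y and NAS_IK_y for each candidate
    uplink count y, try each against the received NAS-MAC, and on success
    select that K_ASME'_y as K_ASME and erase the others.
    Returns (selected count, K_ASME, erased counts), or None when no candidate
    verifies, in which case the UE discards the message."""
    mapped = {y: derive_k_asme_prime(k_amf, y) for y in candidate_counts}
    for y, k_asme_y in mapped.items():
        expected = nas_mac(derive_nas_ik(k_asme_y), dl_count, DOWNLINK, payload)
        if hmac.compare_digest(expected, mac):
            erased = [c for c in mapped if c != y]  # keys the UE wipes
            return y, k_asme_y, erased
    return None


def demo() -> dict:
    """Walk through the page's scenario with constructed inputs."""
    k_amf = hashlib.sha256(b"constructed K_AMF for the example").digest()
    tau_accept = b"TAU ACCEPT (constructed payload)"
    # The UE sent the TAU request with count five, hit an RLF and resent it
    # with count six; only the retransmission reached the AMF, which mapped
    # the EPS context from count six.
    _, mac = mme_protect(k_amf, 6, 0, tau_accept)
    results = {}
    # A UE that kept only the context mapped from count five fails at 664.
    results["single_candidate"] = ue_verify(k_amf, [5], 0, tau_accept, mac)
    # Third aspect: the UE tries NAS_IK1 (count five) and NAS_IK2 (count six).
    results["two_candidates"] = ue_verify(k_amf, [5, 6], 0, tau_accept, mac)
    # Second aspect: the UE reuses count five for the retransmission, so the
    # network maps from five as well and a single candidate suffices.
    _, mac_same = mme_protect(k_amf, 5, 0, tau_accept)
    results["count_reused"] = ue_verify(k_amf, [5], 0, tau_accept, mac_same)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "discard" if outcome is None else
              f"selected count {outcome[0]}, erased {outcome[2]}")
```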

FIG. 7 is a flowchart 700 of a method of wireless communication. The method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404 and/or the apparatus 1104 of FIG. 11). In examples involving RLF and retransmission of TAU request messages, the method may facilitate improved communication performance by improving the security handling of first-cell to second-cell reselection.

At 702, the UE sends a first TAU request to a first network entity, as described in connection with the first TAU request message 610 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT (such as the 5G security context 690 of FIG. 6). The first TAU request may be integrity-protected based on the first security context using a first uplink count (such as the 5G uplink NAS count 528 of FIG. 5). The first TAU request may include a first set of information, which includes an identifier mapped to a second RAT associated with the first network entity, such as the mapped EPS GUTI 612 of FIG. 6. The sending of the first TAU request at 702 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

In some examples, the UE may send the first TAU request when performing a change from a first cell associated with the first RAT to connecting to a second cell associated with a second RAT. For example, the UE may send the first TAU request when performing 5GS to EPS reselection. The second RAT may differ from the first RAT, and the first network entity may be associated with the second RAT, as described in connection with the MME 606, the EPS network 607 and the 5G network 609 of FIG. 6.

At 704, the UE sends a second TAU request to the first network entity, as described in connection with the second TAU request message 670 of FIG. 6. The second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS-MAC 614 and the eKSI parameter 616 of FIG. 6. The second TAU request may be integrity-protected using a second uplink count. The sending of the second TAU request at 704 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 706, the UE derives a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count, as described in connection with the UE mapped EPS security context 642 and/or the new UE mapped EPS security context 682 of FIG. 6. The derivation of the mapped security context at 706 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 708, the UE communicates with the first network entity based on the mapped security context, as described in connection with the TAU complete message 666 of FIG. 6. Communicating based on the mapped security context at 714 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

FIG. 8 is a flowchart 800 of a method of wireless communication. The method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404 and/or the apparatus 1104 of FIG. 11). In examples involving RLF and retransmission of TAU request messages, the method may facilitate improved communication performance by improving the security handling of first-cell to second-cell reselection.

At 802, the UE sends a first TAU request to a first network entity, as described in connection with the first TAU request message 610 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT (such as the 5G security context 690 of FIG. 6). The first TAU request may be integrity-protected based on the first security context using a first uplink count (such as the 5G uplink NAS count 528 of FIG. 5). The first TAU request may include a first set of information, which includes an identifier mapped to a second RAT associated with the first network entity, such as the mapped EPS GUTI 612 of FIG. 6. The sending of the first TAU request at 802 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

In some examples, the UE may send the first TAU request when performing a change from a first cell associated with the first RAT to connecting to a second cell associated with a second RAT. For example, the UE may send the first TAU request when performing 5GS to EPS reselection. The second RAT may differ from the first RAT, and the first network entity may be associated with the second RAT, as described in connection with the MME 606, the EPS network 607 and the 5G network 609 of FIG. 6.

At 804, the UE sends a second TAU request to the first network entity, as described in connection with the second TAU request message 670 of FIG. 6. The second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS-MAC 614 and the eKSI parameter 616 of FIG. 6. The second TAU request may be integrity-protected using a second uplink count. The sending of the second TAU request at 804 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 806, the UE derives a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count, as described in connection with the UE mapped EPS security context 642 and/or the new UE mapped EPS security context 682 of FIG. 6. The derivation of the mapped security context at 806 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 814, the UE communicates with the first network entity based on the mapped security context, as described in connection with the TAU complete message 666 of FIG. 6. Communicating based on the mapped security context at 814 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

In some examples, the second TAU request at 804 may be a repetition of the first TAU request, and the second uplink count may have the same value as the first uplink count, as described in connection with the second aspect of FIG. 6, in which the UE 604 removes the inconsistency in the handling of repeated TAU requests by modifying how the UE 604 performs integrity protection of TAU request messages. In some examples, the UE may send the second TAU request based on the occurrence of a radio link failure. In some examples, the mapped security context may be associated with the second RAT. For example, the mapped security context may correspond to the UE mapped EPS security context 642 or the new UE mapped EPS security context 682 of FIG. 6.

In some examples, the second TAU request may be a repetition of the first TAU request, the second uplink count at 804 may differ from the first uplink count, and the mapped security context may be a first mapped security context, as described in connection with the UE mapped EPS security context 642 of FIG. 6.

In some such examples, at 808, the UE may derive a second mapped security context based on the first security context and the first uplink count, as described in connection with the new UE mapped EPS security context 682 of FIG. 6. The UE may encode the second TAU request using the first security context, and the second TAU request may be integrity-protected using the second uplink count. For example, the first TAU request may be integrity-protected using an uplink NAS count value of five, and the second TAU request may be integrity-protected using an uplink NAS count value of six. The derivation of the second mapped security context at 808 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 810, the UE may update the security context of the UE from the second mapped security context to the first mapped security context based on deriving the first mapped security context, as described in connection with 684 of FIG. 6. The updating of the security context of the UE at 810 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 812, after updating the security context of the UE, the UE may discard pending transmissions that were integrity-protected using the second mapped security context. The discarding of the pending transmissions at 812 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

FIG. 9 is a flowchart 900 of a method of wireless communication. The method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404 and/or the apparatus 1104 of FIG. 11). In examples involving RLF and retransmission of TAU request messages, the method may facilitate improved communication performance by improving the security handling of first-cell to second-cell reselection.

At 902, when performing a change from a first cell associated with a first RAT to connecting to a second cell associated with a second RAT different from the first RAT, the UE sends a first TAU request to a first network entity, as described in connection with the first TAU request message 610 of FIG. 6. The first network entity may be associated with the second RAT, as described in connection with the MME 606 and the EPS network 607 of FIG. 7. The first TAU request may be encoded using a first security context associated with the first RAT (such as the security context 690 of FIG. 6). The first TAU request may be integrity-protected based on the first security context using a first uplink count. The sending of the first TAU request at 902 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 904, the UE derives a first integrity key based on the first security context, the first uplink count and a first mapped security context, as described in connection with the first NAS integrity key (NAS_IK1). For example, the UE may derive the first EPS key (K ASME'1) of the UE mapped EPS security context 642 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the first TAU request message 610 (e.g., the value five). The UE may then derive the first NAS integrity key (NAS_IK1) from the first EPS key (K ASME'1). The derivation of the first integrity key at 904 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 906, the UE sends a repetition of the first TAU request to the first network entity, as described in connection with the second TAU request message 670 of FIG. 6. The repetition of the first TAU request may be integrity-protected using a second uplink count different from the first uplink count. For example, the first TAU request may be integrity-protected using an uplink NAS count value of five, and the second TAU request may be integrity-protected using an uplink NAS count value of six. The sending of the repetition of the first TAU request at 906 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 908, the UE derives a second integrity key based on the first security context, the second uplink count and a second mapped security context, as described in connection with the second NAS integrity key (NAS_IK2) derived from the second EPS key (K ASME'2). For example, the UE may derive the second EPS key (K ASME'2) of the new UE mapped EPS security context 682 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the second TAU request message 670 (e.g., six). The UE may then derive the second NAS integrity key (NAS_IK2) from the second EPS key (K ASME'2). The derivation of the second integrity key at 908 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 910, the UE receives a downlink transmission from the first network entity, as described in connection with the TAU accept message 662 of FIG. 6. The reception of the downlink transmission at 910 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 912, the UE performs an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key, as described in connection with 664 of FIG. 6. The integrity check at 912 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 914, when the integrity check of the downlink transmission using a derived integrity key succeeds, the UE sets the master security key of the UE. The master security key may be set based on the integrity key with which the integrity check succeeded. The setting of the master security key at 914 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

FIG. 10 is a flowchart 1000 of a method of wireless communication. The method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404 and/or the apparatus 1104 of FIG. 11). In examples involving RLF and retransmission of TAU request messages, the method may facilitate improved communication performance by improving the security handling of first-cell to second-cell reselection.

At 1002, when performing a change from a first cell associated with a first RAT to connecting to a second cell associated with a second RAT different from the first RAT, the UE sends a first TAU request to a first network entity, as described in connection with the first TAU request message 610 of FIG. 6. The first network entity may be associated with the second RAT, as described in connection with the MME 606 and the EPS network 607 of FIG. 7. The first TAU request may be encoded using a first security context associated with the first RAT (such as the security context 690 of FIG. 6). The first TAU request may be integrity-protected based on the first security context using a first uplink count. The sending of the first TAU request at 1002 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

In some examples, at 1004, the UE may derive a first mapped security context based on the first security context and the first uplink count, as described in connection with the UE mapped EPS security context 642 of FIG. 6. The derivation of the first mapped security context at 1004 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1006, the UE derives a first integrity key based on the first security context, the first uplink count and the first mapped security context, as described in connection with the first NAS integrity key (NAS_IK1). For example, the UE may derive the first EPS key (K ASME'1) of the UE mapped EPS security context 642 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the first TAU request message 610 (e.g., the value five). The UE may then derive the first NAS integrity key (NAS_IK1) from the first EPS key (K ASME'1). The derivation of the first integrity key at 1006 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1008, the UE sends a repetition of the first TAU request to the first network entity, as described in connection with the second TAU request message 670 of FIG. 6. The repetition of the first TAU request may be integrity-protected using a second uplink count different from the first uplink count. For example, the first TAU request may be integrity-protected using an uplink NAS count value of five, and the second TAU request may be integrity-protected using an uplink NAS count value of six. The sending of the repetition of the first TAU request at 1008 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1010, the UE derives a second integrity key based on the first security context, the second uplink count and a second mapped security context, as described in connection with the second NAS integrity key (NAS_IK2) derived from the second EPS key (K ASME'2). For example, the UE may derive the second EPS key (K ASME'2) of the new UE mapped EPS security context 682 based on the 5G key (K AMF) and the 5G NAS uplink count associated with the second TAU request message 670 (e.g., six). The UE may then derive the second NAS integrity key (NAS_IK2) from the second EPS key (K ASME'2). The derivation of the second integrity key at 1010 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1012, the UE receives a downlink transmission from the first network entity, as described in connection with the TAU accept message 662 of FIG. 6. The reception of the downlink transmission at 1012 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1014, the UE performs an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key, as described in connection with 664 of FIG. 6. The integrity check at 1014 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

At 1016, when the integrity check of the downlink transmission using a derived integrity key succeeds, the UE sets the master security key of the UE. The master security key may be set based on the integrity key with which the integrity check succeeded. The setting of the master security key at 1016 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.

In some examples, after setting the master security key, the UE may discard the information associated with the other derived integrity keys. For example, at 1016 the UE may set the master security key to the first mapped security context. In such examples, when the integrity check of the downlink transmission using the first integrity key succeeds, the UE may, at 1018, erase the second mapped security context and any keys derived using the second mapped security context. The erasing of the second mapped security context at 1018 may be performed by the UE security processing component 198 of the apparatus 1104 of FIG. 11.

In other examples, at 1016 the UE may set the master security key to the second mapped security context. In such examples, when the integrity check of the downlink transmission using the second integrity key succeeds, the UE may, at 1020, erase the first mapped security context and any keys derived using the first mapped security context. The erasing of the first mapped security context at 1020 may be performed by the UE security processing component 198 of the apparatus 1104 of FIG. 11.

FIG. 11 is a diagram 1100 illustrating an example of a hardware implementation for an apparatus 1104. The apparatus 1104 may be a UE, a component of a UE, or may implement UE functionality. In some aspects, the apparatus 2304 may include a cellular baseband processor 1124 (also referred to as a modem) coupled to one or more transceivers (e.g., a cellular RF transceiver 1122). The cellular baseband processor 1124 may include on-chip memory 1124'. In some aspects, the apparatus 1104 may also include one or more subscriber identity module (SIM) cards 1120 and an application processor 1106 coupled to a secure digital (SD) card 1108 and a screen 1110. The application processor 1106 may include on-chip memory 1106'. In some aspects, the apparatus 1104 may also include a Bluetooth module 1112, a WLAN module 1114, an SPS module 1116 (e.g., a GNSS module), one or more sensor modules 1118 (e.g., a barometric pressure sensor/altimeter; motion sensors such as an inertial management unit (IMU), gyroscope, and/or accelerometer; light detection and ranging (LIDAR), radio-assisted detection and ranging (radar), sound navigation and ranging (SONAR), a magnetometer, audio, and/or other technologies used for positioning), an additional memory module 1126, a power supply 1130, and/or a camera 1132. The Bluetooth module 1112, the WLAN module 1114, and the SPS module 1116 may include an on-chip transceiver (TRX) (or, in some cases, only a receiver (RX)). The Bluetooth module 1112, the WLAN module 1114, and the SPS module 1116 may include their own dedicated antennas and/or use one or more antennas 1180 for communication. The cellular baseband processor 1124 communicates, via a transceiver (e.g., the cellular RF transceiver 1122) and one or more antennas 1180, with the UE 104 and/or with an RU associated with the network entity 1102. The cellular baseband processor 1124 and the application processor 1106 may each include a computer-readable medium/memory, such as the on-chip memory 1124' and the on-chip memory 1106', respectively. The additional memory module 1126 may also be considered a computer-readable medium/memory. Each computer-readable medium/memory (e.g., the on-chip memory 1124', the on-chip memory 1106', and/or the additional memory module 1126) may be non-transitory. The cellular baseband processor 1124 and the application processor 1106 are each responsible for general processing, including the execution of software stored on the computer-readable medium/memory. The software, when executed by the cellular baseband processor 1124/application processor 1106, causes the cellular baseband processor 1124/application processor 1106 to perform the various functions described above. The computer-readable medium/memory may also be used for storing data that is manipulated by the cellular baseband processor 1124/application processor 1106 when executing software. The cellular baseband processor 1124/application processor 1106 may be a component of the UE 350 and may include the memory 360 and/or at least one of the TX processor 368, the RX processor 356, or the controller/processor 3511. In one configuration, the apparatus 1104 may be a processor chip (modem and/or application) and include only the cellular baseband processor 1124 and/or the application processor 1106, and in another configuration the apparatus 1104 may be the entire UE (e.g., see 350 of FIG. 3) and include the additional modules of the apparatus 1104.

As described above, the UE security processing component 198 is configured to: send a first tracking area update (TAU) request to a first network entity, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity; send a second TAU request to the first network entity, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicate with the first network entity based on the mapped security context.

In another aspect, the UE security processing component 198 may be configured to: when performing a change from a first cell associated with a first radio access technology (RAT) to connecting to a second cell associated with a second RAT different from the first RAT, send a first tracking area update (TAU) request to a first network entity, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context; send a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count; derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context; receive a downlink transmission from the first network entity; perform an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key; and when the integrity check of the downlink transmission using a derived integrity key succeeds, set a master security key of the UE, the master security key being set based on the first mapped security context or the second mapped security context that was used to derive the derived integrity key.

The UE security processing component 198 may be within the cellular baseband processor 1124, within the application processor 1106, or within both the cellular baseband processor 1124 and the application processor 1106. The UE security processing component may be one or more hardware components specifically configured to carry out the stated processes/algorithms, implemented by one or more processors configured to perform the stated processes/algorithms, stored within a computer-readable medium for implementation by one or more processors, or some combination thereof.

As shown, the apparatus 1104 may include a variety of components configured for various functions. For example, the UE security processing component may include one or more hardware components that perform each block of the algorithms in the flowcharts of FIG. 7, FIG. 8, FIG. 9, and/or FIG. 10.

In one configuration, the apparatus 1104 (specifically, the cellular baseband processor 1124 and/or the application processor 1106) includes means for: sending a first tracking area update (TAU) request to a first network entity, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity; sending a second TAU request to the first network entity, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; deriving a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicating with the first network entity based on the mapped security context.

In another configuration, the example apparatus 1104 also includes means for sending the first TAU request when performing a change from a first cell associated with the first RAT to connecting to a second cell associated with the second RAT, the second RAT being different from the first RAT, and the first network entity being associated with the second RAT.

In another configuration, the second TAU request includes a repetition of the first TAU request, and the second uplink count has the same value as the first uplink count.

In another configuration, the example apparatus 1104 also includes means for sending the second TAU request based on the occurrence of a radio link failure.

In another configuration, the mapped security context is associated with the second RAT.

In another configuration, the second uplink count is different from the first uplink count, the mapped security context is a first mapped security context, and the example apparatus 1104 also includes means for deriving a second mapped security context based on the first security context and the first uplink count, the second TAU request being encoded using the first security context and integrity protected using the second uplink count, and the first mapped security context being derived based on the first security context and the second uplink count.

In another configuration, the example apparatus 1104 also includes means for: updating the security context of the UE from the second mapped security context to the first mapped security context based on deriving the first mapped security context; and, after updating the security context of the UE, discarding pending transmissions that are integrity protected using the second mapped security context.

In another configuration, the second TAU request includes a repetition of the first TAU request.

In one configuration, the apparatus 1104 (specifically, the cellular baseband processor 1124 and/or the application processor 1106) includes means for: when performing a change from a first cell associated with a first radio access technology (RAT) to connecting to a second cell associated with a second RAT different from the first RAT, sending a first tracking area update (TAU) request to a first network entity, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; deriving a first integrity key based on the first security context, the first uplink count, and a first mapped security context; sending a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count; deriving a second integrity key based on the first security context, the second uplink count, and a second mapped security context; receiving a downlink transmission from the first network entity; performing an integrity check on the downlink transmission using at least one of the first integrity key or the second integrity key; and when the integrity check of the downlink transmission using a derived integrity key succeeds, setting a master security key of the UE, the master security key being set based on the first mapped security context or the second mapped security context that was used to derive the derived integrity key.

In another configuration, the example apparatus 1104 also includes means for erasing the second mapped security context and any keys derived using the second mapped security context when the integrity check of the downlink transmission using the first integrity key succeeds, where the master security key includes the first mapped security context.

In another configuration, the example apparatus 1104 also includes means for erasing the first mapped security context and any keys derived using the first mapped security context when the integrity check of the downlink transmission using the second integrity key succeeds, where the master security key includes the second mapped security context.

In another configuration, the example apparatus 1104 also includes means for deriving the first mapped security context based on the first security context and the first uplink count.

The means may be the UE security processing component 198 of the apparatus 1104 configured to perform the functions recited by the means. As described above, the apparatus 1104 may include the TX processor 368, the RX processor 356, and the controller/processor 359. Thus, in one configuration, the means may be the TX processor 368, the RX processor 356, and/or the controller/processor 359 configured to perform the functions recited by the means.

FIG. 12 is a flowchart 1200 of a method of wireless communication. The method may be performed by a first network entity (e.g., the base station 102 or a component of the base station 102, the MME 412, the AMF 432, the network entity 1602 of FIG. 16, and/or the network entity 1760 of FIG. 17). In examples that include an RLF and a retransmission of the TAU request message, the method may help improve communication performance by improving the security handling of first-cell-to-second-cell reselection.

The first network entity may communicate with a UE and a second network entity. In some examples, the first network entity may include an MME, such as the MME 606 of FIG. 6, and the second network entity may include an AMF, such as the AMF 608 of FIG. 6.

At 1202, the first network entity obtains a first TAU request generated by the UE, as described in connection with the first TAU request message 610 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT (such as the 5G security context 690 of FIG. 6). The first TAU request may be integrity protected, based on the first security context, using a first uplink count (such as the 5G NAS uplink count associated with the first TAU request message 610). The first TAU request may include a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity, as described in connection with the mapped EPS GUTI 612 of FIG. 6. The obtaining of the first TAU request at 1202 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1204, the first network entity outputs a first context request for the second network entity based on the first TAU request, as described in connection with the context request message 622 and the AMF 608 of FIG. 6. The second network entity may be associated with the first RAT; for example, the AMF 608 is associated with the 5G network 609. In some examples, the first context request may include the identifier mapped to the second RAT, such as the mapped EPS GUTI 612 of the first TAU request message 610 of FIG. 6. In some examples, the first TAU request may be integrity protected using the first uplink count. The outputting of the first context request at 1204 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1206, the first network entity obtains a first mapped security context based on the first context request, as described in connection with the mapped EPS security context 636 of FIG. 6. The first mapped security context may be derived from the first security context and the first uplink count. The obtaining of the first mapped security context at 1206 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1208, the first network entity obtains a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6. The second TAU request may be encoded using the first security context. The second TAU request may be integrity protected using a second uplink count different from the first uplink count. For example, the first TAU request may be integrity protected using an uplink NAS count value of five, and the second TAU request may be integrity protected using an uplink NAS count value of six. The second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS MAC 614, and the eKSI parameter 616 of FIG. 6. In some examples, the second TAU request may include a repetition of the first TAU request. The obtaining of the second TAU request at 1208 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1210, the first network entity outputs a second context request for the second network entity based on the second TAU request, as described in connection with the second context request message 674 of FIG. 6. The outputting of the second context request at 1210 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1212, the first network entity obtains a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count. The obtaining of the second mapped security context may be similar in its aspects to the obtaining of the first mapped security context, as described in connection with the mapped EPS security context 636 of FIG. 6. The obtaining of the second mapped security context at 1212 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1214, the first network entity outputs a downlink message based on the second mapped security context, as described in connection with the TAU accept message 662 of FIG. 6. The outputting of the downlink message at 1214 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

FIG. 13 is a flowchart 1300 of a method of wireless communication. The method may be performed by a first network entity (e.g., the base station 102 or a component of the base station 102, the MME 412, the AMF 432, the network entity 1602 of FIG. 16, and/or the network entity 1760 of FIG. 17). In examples that include an RLF and a retransmission of the TAU request message, the method may help improve communication performance by improving the security handling of first-cell-to-second-cell reselection.

The first network entity may communicate with a UE and a second network entity. In some examples, the first network entity may include an MME, such as the MME 606 of FIG. 6, and the second network entity may include an AMF, such as the AMF 608 of FIG. 6.

At 1302, the first network entity obtains a first TAU request generated by the UE, as described in connection with the first TAU request message 610 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT (such as the 5G security context 690 of FIG. 6). The first TAU request may be integrity protected, based on the first security context, using a first uplink count (such as the 5G NAS uplink count associated with the first TAU request message 610). The first TAU request may include a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity, as described in connection with the mapped EPS GUTI 612 of FIG. 6. The obtaining of the first TAU request at 1302 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, at 1304, the first network entity may derive an address of the second network entity based on the identifier mapped to the second RAT, as described in connection with 620 of FIG. 6. The derivation of the address of the second network entity at 1304 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1306, the first network entity outputs a first context request for the second network entity based on the first TAU request, as described in connection with the context request message 622 and the AMF 608 of FIG. 6. The second network entity may be associated with the first RAT; for example, the AMF 608 is associated with the 5G network 609. In some examples, the first context request may include the identifier mapped to the second RAT, such as the mapped EPS GUTI 612 of the first TAU request message 610 of FIG. 6. In some examples, the first TAU request may be integrity protected using the first uplink count. The outputting of the first context request at 1306 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1308, the first network entity obtains a first mapped security context based on the first context request, as described in connection with the mapped EPS security context 636 of FIG. 6. The first mapped security context may be derived from the first security context and the first uplink count. The obtaining of the first mapped security context at 1308 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1310, the first network entity obtains a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6. The second TAU request may be encoded using the first security context. The second TAU request may be integrity protected using a second uplink count different from the first uplink count. For example, the first TAU request may be integrity protected using an uplink NAS count value of five, and the second TAU request may be integrity protected using an uplink NAS count value of six. The second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS MAC 614, and the eKSI parameter 616 of FIG. 6. In some examples, the second TAU request may include a repetition of the first TAU request. The obtaining of the second TAU request at 1310 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1312, the first network entity outputs a second context request for the second network entity based on the second TAU request, as described in connection with the second context request message 674 of FIG. 6. The outputting of the second context request at 1312 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1314, the first network entity obtains a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count. Aspects of obtaining the second mapped security context may be similar to obtaining the first mapped security context, as described in connection with the mapped EPS security context 636 of FIG. 6. The obtaining of the second mapped security context at 1314 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1316, the first network entity outputs a downlink message based on the second mapped security context, as described in connection with the TAU accept message 662 of FIG. 6. The output of the downlink message at 1316 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, at 1318, the first network entity may update its security context from the first mapped security context to the second mapped security context based on obtaining the second mapped security context. The updating of the security context of the first network entity at 1318 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

Additionally, at 1320, after updating its security context, the first network entity may discard pending downlink transmissions that were integrity protected using the first mapped security context. The discarding of the pending downlink transmissions at 1320 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, the first network entity may obtain, at 1310, a second TAU request message with the same information elements after outputting the downlink message at 1316 and before obtaining an uplink message in response to the downlink message. For example, the first network entity may obtain the second TAU request message after outputting the TAU accept message 662 and before obtaining the TAU complete message 666.

In some examples in which the first network entity obtains the first TAU request at 1302 based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the downlink message includes a TAU accept message, the first network entity may resend the downlink message. In some examples, the first network entity may restart the T3450 timer while a TAU complete message from the UE (such as the TAU complete message 666 of FIG. 6) is expected. The first network entity may also skip incrementing the retransmission counter associated with the T3450 timer.

In some examples in which the first network entity obtains the first TAU request at 1302 based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the downlink message includes a TAU accept message, the first network entity may initiate an authentication procedure with the UE. The first network entity may also perform a security mode control procedure to convert the new partial native EPS security context into the current full native EPS security context. For example, the first network entity may perform the NAS SMC procedure 660 with the UE to convert the partial native EPS security context into a full native EPS security context, so as to enable the exchange of EPS NAS messages with the UE.

In some examples in which the security mode control procedure succeeds, the first network entity may output a repetition of the downlink message, the repetition being integrity protected using the current full native EPS security context. The first network entity may also restart the T3450 timer while a TAU complete message from the UE (such as the TAU complete message 666 of FIG. 6) is expected. The first network entity may also skip incrementing the retransmission counter associated with the T3450 timer.

In some examples in which the first network entity obtains the first TAU request at 1302 based on a non-inter-system change from N1 mode to S1 mode and the UE is configured to operate in single-registration mode, the first network entity may skip initiating a TAU procedure based on the second TAU request. The first network entity may also integrity protect the downlink message based on the first mapped security context.

In some examples in which the first network entity obtains the first TAU request at 1302 based on an inter-system change from N1 mode to S1 mode and the UE is configured to operate in single-registration mode, the first network entity may decide to initiate a second TAU procedure. For example, at 1312, the first network entity may output a second context request to the second network entity. The first network entity may also integrity protect the downlink message based on the second mapped security context.

In some examples, the first network entity may have received a TAU request message and may not yet have sent a TAU accept message or a TAU reject message. If one or more information elements in the TAU request messages differ, the TAU procedure initiated based on the first TAU request message may be aborted, and the TAU procedure initiated based on the second TAU request message proceeds (e.g., may continue).

If the information elements in the TAU request messages are the same (e.g., there is no difference), then for every case other than an inter-system change from N1 mode to S1 mode in idle mode with the UE operating in single-registration mode, the first network entity may continue the previously initiated TAU procedure (e.g., the one based on the first TAU request message) and discard the second TAU request message. That is, the first network entity may refrain from sending, based on the second TAU request message, a second context request message to the second network entity requesting a new mapped EPS security context.

For the case of an inter-system change from N1 mode to S1 mode in idle mode with the UE operating in single-registration mode, the first network entity may forward the new TAU request message to the second network entity (e.g., via another context request message) so that an integrity check is performed and the latest mapped EPS security context is obtained, and may then continue the previous TAU procedure. For example, the first network entity may forward the second TAU request message to the second network entity (e.g., via the second context request message). The second network entity may verify the second TAU request message. The second network entity may then generate a new mapped EPS security context based on the second TAU request message. For example, the new mapped EPS security context may be based at least in part on the 5G NAS uplink count value (e.g., six) associated with the second TAU request message. As a result, the mapped EPS security context provided to the first network entity, which includes the new MME EPS key (e.g., K ASME'_MME), is the same as the new UE mapped EPS security context, which includes the new UE EPS key (K ASME'_UE2). Consequently, when the first network entity uses the new MME EPS key (e.g., K ASME'_MME) to integrity protect a subsequent NAS message (e.g., a TAU accept message), the UE can successfully verify the integrity of the subsequently received NAS message (e.g., the TAU accept message). In some examples, the UE may update its security context from the mapped EPS security context 642 to the new UE mapped EPS security context based on the derivation of the new mapped EPS security context.

FIG. 14 is a flowchart 1400 of a method of wireless communication. The method may be performed by a second network entity (e.g., the base station 102 or a component of the base station 102, the MME 412, the AMF 432, the network entity 1602 of FIG. 16 and/or the network entity 1760 of FIG. 17). In examples that involve an RLF and retransmission of a TAU request message, the method may improve communication performance through improved security handling of reselection from a first cell to a second cell.

The second network entity may communicate with the first network entity. In some examples, the first network entity may include an MME, such as the MME 606 of FIG. 6, and the second network entity may include an AMF, such as the AMF 608 of FIG. 6.

At 1402, the second network entity obtains a first context request that includes at least a first TAU request generated by a UE, as described in connection with the context request message 622 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6. The first TAU request may be integrity protected, based on the first security context, using a first uplink count (such as the 5G NAS uplink count associated with the first TAU request message 610). The first RAT may differ from a second RAT associated with the first network entity. For example, the first RAT may correspond to the 5G network 609, and the second RAT associated with the first network entity may correspond to the EPS network 607 associated with the MME 606 of FIG. 6. The obtaining of the first context request at 1402 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1404, when a first integrity check of the first TAU request succeeds, the second network entity derives a first mapped security context, as described in connection with 632, 634 and the mapped EPS security context 636 of FIG. 6. The derivation of the first mapped security context at 1404 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1406, the second network entity outputs the first mapped security context for the first network entity, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6. The output of the first mapped security context at 1406 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1408, the second network entity obtains a second context request that includes at least a second TAU request generated by the UE, as described in connection with the second context request message 674 of FIG. 6, which includes the TAU request. The second TAU request may be integrity protected using a second uplink count that differs from the first uplink count. For example, the first TAU request may be integrity protected using an uplink NAS count value of five, and the second TAU request may be integrity protected using an uplink NAS count value of six. The obtaining of the second context request at 1408 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1410, when a second integrity check of the second TAU request succeeds, the second network entity derives a second mapped security context. Aspects of deriving the second mapped security context may be similar to deriving the first mapped security context, as described in connection with 632, 634 and the mapped EPS security context 636 of FIG. 6. The derivation of the second mapped security context at 1410 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1412, the second network entity outputs the second mapped security context for the first network entity. Aspects of outputting the second mapped security context may be similar to outputting the first mapped security context, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6. The output of the second mapped security context at 1412 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

FIG. 15 is a flowchart 1500 of a method of wireless communication. The method may be performed by a second network entity (e.g., the base station 102 or a component of the base station 102, the MME 412, the AMF 432, the network entity 1602 of FIG. 16 and/or the network entity 1760 of FIG. 17). In examples that involve an RLF and retransmission of a TAU request message, the method may improve communication performance through improved security handling of reselection from a first cell to a second cell.

The second network entity may communicate with the first network entity. In some examples, the first network entity may include an MME, such as the MME 606 of FIG. 6, and the second network entity may include an AMF, such as the AMF 608 of FIG. 6.

At 1502, the second network entity obtains a first context request that includes at least a first TAU request generated by a UE, as described in connection with the context request message 622 of FIG. 6. The first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6. The first TAU request may be integrity protected, based on the first security context, using a first uplink count (such as the 5G NAS uplink count associated with the first TAU request message 610). The first RAT may differ from a second RAT associated with the first network entity. For example, the first RAT may correspond to the 5G network 609, and the second RAT associated with the first network entity may correspond to the EPS network 607 associated with the MME 606 of FIG. 6. The obtaining of the first context request at 1502 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, the first context request may also include an identifier mapped to the second RAT, such as the example mapped EPS GUTI 612 of FIG. 6.

At 1504, when a first integrity check of the first TAU request succeeds, the second network entity derives a first mapped security context, as described in connection with 632, 634 and the mapped EPS security context 636 of FIG. 6. The derivation of the first mapped security context at 1504 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, the second network entity may perform the first integrity check of the first TAU request based on the first security context, as described in connection with 632 and the 5G NAS security context 692 of FIG. 6.

At 1506, the second network entity outputs the first mapped security context for the first network entity, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6. The output of the first mapped security context at 1506 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, at 1508, the second network entity may start a timer after sending the first mapped security context. The starting of the timer at 1508 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, at 1510, the second network entity may erase the first mapped security context after the timer expires. The erasing of the first mapped security context at 1510 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1512, the second network entity obtains a second context request that includes at least a second TAU request generated by the UE, as described in connection with the second context request message 674 of FIG. 6, which includes the TAU request. The second TAU request may be integrity protected using a second uplink count that differs from the first uplink count. For example, the first TAU request may be integrity protected using an uplink NAS count value of five, and the second TAU request may be integrity protected using an uplink NAS count value of six. The obtaining of the second context request at 1512 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

In some examples, the second TAU request may be a repetition of the first TAU request.

At 1514, when a second integrity check of the second TAU request succeeds, the second network entity derives a second mapped security context. Aspects of deriving the second mapped security context may be similar to deriving the first mapped security context, as described in connection with 632, 634 and the mapped EPS security context 636 of FIG. 6. The derivation of the second mapped security context at 1514 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.

At 1516, the second network entity outputs the second mapped security context for the first network entity. Aspects of outputting the second mapped security context may be similar to outputting the first mapped security context, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6. The output of the second mapped security context at 1516 may be performed by the network security processing component 199 of the network entity 1602 of FIG. 16 and/or the network security processing component 497 of the network entity 1760 of FIG. 17.
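The following Python model is an added example, not code from the patent or from 3GPP, that plays out the MME-side procedure of FIG. 13 (forwarding a repeated TAU request, updating to the second mapped context and discarding downlink messages protected with the first one) together with the AMF-side procedure of FIG. 14 and FIG. 15 (integrity check, then derivation of a mapped context from the uplink NAS count). The KDF, the NAS-MAC, the key values and the message contents are constructed stand-ins; the `forward_repeated_tau` switch contrasts the described behaviour with an MME that silently keeps the first mapped context.

```python
"""Simplified model of 5GS -> EPS idle-mode reselection with a retransmitted
TAU request (constructed example; the KDF and NAS-MAC are not the 3GPP ones)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA-256 over a label and length-prefixed parameters."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def nas_mac(k_int: bytes, count: int, payload: bytes) -> bytes:
    """32-bit NAS-MAC over (NAS count, payload), constructed simplification."""
    return kdf(k_int, b"NAS-MAC", count.to_bytes(4, "big"), payload)[:4]


@dataclass(frozen=True)
class MappedEpsContext:
    """Mapped EPS context: K_ASME' bound to the 5G uplink NAS count of the TAU
    request that produced it (cf. 636 / 642 in FIG. 6)."""
    k_asme_prime: bytes
    uplink_count: int

    @property
    def k_nas_int(self) -> bytes:
        return kdf(self.k_asme_prime, b"EPS-NAS-int")


def derive_mapped_context(k_amf: bytes, uplink_count: int) -> MappedEpsContext:
    return MappedEpsContext(kdf(k_amf, b"K_ASME'", uplink_count.to_bytes(4, "big")), uplink_count)


@dataclass(frozen=True)
class TauRequest:
    ies: bytes          # mapped EPS GUTI, eKSI, ... (constructed bytes)
    uplink_count: int   # 5G NAS uplink count used for integrity protection
    mac: bytes          # NAS-MAC computed with the 5G security context


class UE:
    def __init__(self, k_amf: bytes):
        self.k_amf, self.k_5g_int = k_amf, kdf(k_amf, b"5G-NAS-int")
        self.uplink_count = 5
        self.mapped: Optional[MappedEpsContext] = None

    def build_tau_request(self, ies: bytes) -> TauRequest:
        """Every (re)transmission consumes a fresh uplink count, and the UE moves
        to the mapped context derived from that count."""
        req = TauRequest(ies, self.uplink_count, nas_mac(self.k_5g_int, self.uplink_count, ies))
        self.mapped = derive_mapped_context(self.k_amf, self.uplink_count)
        self.uplink_count += 1
        return req

    def verify_tau_accept(self, payload: bytes, dl_count: int, mac: bytes) -> bool:
        return hmac.compare_digest(nas_mac(self.mapped.k_nas_int, dl_count, payload), mac)


class AMF:
    """Second network entity: integrity check (632), then mapped context (636)."""
    def __init__(self, k_amf: bytes):
        self.k_amf, self.k_5g_int = k_amf, kdf(k_amf, b"5G-NAS-int")

    def handle_context_request(self, req: TauRequest) -> Optional[MappedEpsContext]:
        if not hmac.compare_digest(nas_mac(self.k_5g_int, req.uplink_count, req.ies), req.mac):
            return None  # integrity check failed: no mapped context is derived
        return derive_mapped_context(self.k_amf, req.uplink_count)


class MME:
    """First network entity (FIG. 13); pending_dl holds queued TAU Accept messages."""
    def __init__(self, amf: AMF, forward_repeated_tau: bool):
        self.amf, self.forward_repeated_tau = amf, forward_repeated_tau
        self.mapped: Optional[MappedEpsContext] = None
        self.pending_dl: List[Tuple[bytes, int, bytes]] = []
        self.dl_count, self.last_ies = 0, None

    def handle_tau_request(self, req: TauRequest) -> None:
        repeated = req.ies == self.last_ies
        self.last_ies = req.ies
        if repeated and not self.forward_repeated_tau:
            return  # naive MME: keeps the first mapped context, drops the repetition
        ctx = self.amf.handle_context_request(req)   # 1312 context request / response
        if ctx is None:
            return
        if self.mapped is not None and ctx != self.mapped:
            self.pending_dl.clear()   # 1320: drop DL messages protected with the stale context
        self.mapped = ctx             # 1318: adopt the (second) mapped context
        mac = nas_mac(self.mapped.k_nas_int, self.dl_count, b"TAU ACCEPT")
        self.pending_dl.append((b"TAU ACCEPT", self.dl_count, mac))
        self.dl_count += 1


def run_reselection(forward_repeated_tau: bool) -> bool:
    """Constructed scenario: TAU request with count 5 is answered, the TAU Accept
    is lost (RLF), the UE retransmits the same IEs with count 6.  Returns whether
    the UE verifies the TAU Accept the MME finally delivers."""
    k_amf = hashlib.sha256(b"constructed K_AMF").digest()
    ue, amf = UE(k_amf), AMF(k_amf)
    mme = MME(amf, forward_repeated_tau)
    ies = b"mapped-GUTI|eKSI"
    mme.handle_tau_request(ue.build_tau_request(ies))   # uplink NAS count 5
    mme.handle_tau_request(ue.build_tau_request(ies))   # retransmission, count 6
    payload, count, mac = mme.pending_dl[-1]
    return ue.verify_tau_accept(payload, count, mac)
```

With `forward_repeated_tau=False` the TAU Accept is still protected with the context derived from count 5 while the UE has moved to the count-6 context, so the UE's integrity check fails; forwarding the repetition makes both sides converge on the same K_ASME'.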

FIG. 16 is a diagram 1600 illustrating an example of a hardware implementation for a network entity 1602. The network entity 1602 may be a BS, a component of a BS, or may implement BS functionality. The network entity 1602 may include at least one of a CU 1610, a DU 1630 or an RU 1640. For example, depending on the layer functions handled by the network security processing component 199, the network entity 1602 may include the CU 1610; both the CU 1610 and the DU 1630; each of the CU 1610, the DU 1630 and the RU 1640; the DU 1630; the DU 1630 and the RU 1640; or the RU 1640. The CU 1610 may include a CU processor 1612. The CU processor 1612 may include on-chip memory 1612'. In some aspects, the CU 1610 may also include an additional memory module 1614 and a communication interface 1618. The CU 1610 communicates with the DU 1630 via a midhaul link, such as an F1 interface. The DU 1630 may include a DU processor 1632. The DU processor 1632 may include on-chip memory 1632'. In some aspects, the DU 1630 may also include an additional memory module 1634 and a communication interface 1638. The DU 1630 communicates with the RU 1640 via a fronthaul link. The RU 1640 may include an RU processor 1642. The RU processor 1642 may include on-chip memory 1642'. In some aspects, the RU 1640 may also include an additional memory module 1644, one or more transceivers 1646, antennas 1680 and a communication interface 1648. The RU 1640 communicates with the UE 104. The on-chip memory (e.g., the on-chip memory 1612', the on-chip memory 1632' and/or the on-chip memory 1642') and/or the additional memory modules (e.g., the additional memory module 1614, the additional memory module 1634 and/or the additional memory module 1644) may each be considered a computer-readable medium/memory. Each computer-readable medium/memory may be non-transitory. Each of the CU processor 1612, the DU processor 1632 and the RU processor 1642 is responsible for general processing, including the execution of software stored on the computer-readable medium/memory. The software, when executed by the corresponding processor, causes the processor to perform the various functions described above. The computer-readable medium/memory may also be used for storing data that is manipulated by the processor when executing software.

As described above, the network security processing component 199 is configured to: receive a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with a first network entity; output a first context request for a second network entity based on the first TAU request, the second network entity being associated with the first RAT; receive a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; receive a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count that differs from the first uplink count, and the second TAU request including the first set of information; output a second context request for the second network entity based on the second TAU request; receive a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and send a downlink message based on the second mapped security context.

In another aspect, the network security processing component 199 may be configured to: receive a first context request that includes at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), and the first RAT differing from a second RAT associated with a first network entity; derive a first mapped security context when a first integrity check of the first TAU request succeeds; output the first mapped security context for the first network entity; receive a second context request that includes at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count that differs from the first uplink count; derive a second mapped security context when a second integrity check of the second TAU request succeeds; and output the second mapped security context for the first network entity.

The network security processing component 199 may reside within one or more processors of one or more of the CU 1610, the DU 1630 and the RU 1640. The network security processing component 199 may be one or more hardware components specifically configured to carry out the stated processes/algorithms, may be implemented by one or more processors configured to perform the stated processes/algorithms, may be stored within a computer-readable medium for implementation by one or more processors, or may be some combination thereof.

In one configuration, the network entity 1602 may be a first network entity, and includes means for: obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity being associated with the first RAT; obtaining a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information; outputting, based on the second TAU request, a second context request for the second network entity; obtaining a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and outputting a downlink message based on the second mapped security context.

In another configuration, the first context request includes the identifier mapped to the second RAT, and the first TAU request is integrity protected using the first uplink count.

In another configuration, the example network entity 1602 also includes means for deriving an address of the second network entity based on the identifier mapped to the second RAT.

In another configuration, the example network entity 1602 also includes means for: updating the security context of the first network entity from the first mapped security context to the second mapped security context based on obtaining the second mapped security context; and, after updating the security context of the first network entity, discarding pending downlink transmissions that were integrity protected using the first mapped security context.

In another configuration, the second TAU request includes a repetition of the first TAU request.

In another configuration, the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, the downlink message includes a TAU accept message, and the example network entity 1602 also includes means for resending the downlink message.

In another configuration, the example network entity 1602 also includes means for: restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping the increment of a retransmission counter associated with the T3450 timer.

In another configuration, the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, the downlink message includes a TAU accept message, and the example network entity 1602 also includes means for: initiating an authentication procedure; and performing a security mode control procedure to switch to a new partial native Evolved Packet System (EPS) security context.

In another configuration, the example network entity 1602 also includes means for: outputting a repetition of the downlink message when the security mode control procedure succeeds, the repetition of the downlink message being integrity protected using the current full native EPS security context; restarting the T3450 timer when a TAU complete message is expected from the UE; and skipping the increment of the retransmission counter associated with the T3450 timer.

In another configuration, the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the example network entity 1602 also includes means for: skipping initiation of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.

In another configuration, the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the example network entity 1602 also includes means for: deciding to initiate a second TAU procedure, including outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.

In another configuration, the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

In one configuration, the network entity 1602 may be a second network entity, and includes means for: obtaining a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first RAT being different from a second RAT associated with a first network entity; deriving a first mapped security context when a first integrity check of the first TAU request succeeds; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count; deriving a second mapped security context when a second integrity check of the second TAU request succeeds; and outputting the second mapped security context for the first network entity.

In another configuration, the first context request also includes the identifier mapped to the second RAT.

In another configuration, the second TAU request includes a repetition of the first TAU request.

In another configuration, the example network entity 1602 also includes means for: starting a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.

In another configuration, the example network entity 1602 also includes means for performing the first integrity check on the first TAU request based on the first security context.

In another configuration, the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

The means may be the network security processing component 199 of the network entity 1602 configured to perform the functions recited by the means. As described above, the network entity 1602 may include the TX processor 316, the RX processor 370, and the controller/processor 375. Accordingly, in one configuration, the means may be the TX processor 316, the RX processor 370, and/or the controller/processor 375 configured to perform the functions recited by the means.

FIG. 17 is a diagram 1700 illustrating an example of a hardware implementation for a network entity 1760. In one example, the network entity 1760 may be located within the core network 120. The network entity 1760 may include a network processor 1712. The network processor 1712 may include on-chip memory 1712'. In some aspects, the network entity 1760 may also include an additional memory module 1714. The network entity 1760 communicates with the CU 1702 via a network interface 1780, either directly (e.g., over a backhaul link) or indirectly (e.g., via a RIC). The on-chip memory 1712' and the additional memory module 1714 may each be considered a computer-readable medium/memory. Each computer-readable medium/memory may be non-transitory. The network processor 1712 is responsible for general processing, including the execution of software stored on the computer-readable medium/memory. The software, when executed by the corresponding processor, causes the processor to perform the various functions described above. The computer-readable medium/memory may also be used for storing data that is manipulated by the processor when executing the software.

As described above, the network security processing component 497 is configured to: receive a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with a first network entity; output, based on the first TAU request, a first context request for a second network entity, the second network entity being associated with the first RAT; receive a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; receive a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information; output, based on the second TAU request, a second context request for the second network entity; receive a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and send a downlink message based on the second mapped security context.

In another aspect, the network security processing component 497 may be configured to: receive a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first RAT being different from a second RAT associated with a first network entity; derive a first mapped security context when a first integrity check of the first TAU request succeeds; output the first mapped security context for the first network entity; receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count; derive a second mapped security context when a second integrity check of the second TAU request succeeds; and output the second mapped security context for the first network entity.

The network security processing component 497 may be within the network processor 1712. The network security processing component 497 may be one or more hardware components specifically configured to carry out the described processes/algorithms, implemented by one or more processors configured to perform the described processes/algorithms, stored within a computer-readable medium for implementation by one or more processors, or some combination thereof. The network entity 1760 may include a variety of components configured for various functions.

In one configuration, the network entity 1760 may be a first network entity, and includes means for: obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity being associated with the first RAT; obtaining a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information; outputting, based on the second TAU request, a second context request for the second network entity; obtaining a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and outputting a downlink message based on the second mapped security context.

In another configuration, the first context request includes the identifier mapped to the second RAT, and the first TAU request is integrity protected using the first uplink count.

In another configuration, the example network entity 1760 also includes means for deriving an address of the second network entity based on the identifier mapped to the second RAT.

In another configuration, the example network entity 1760 also includes means for: updating the security context of the first network entity from the first mapped security context to the second mapped security context based on obtaining the second mapped security context; and, after updating the security context of the first network entity, discarding pending downlink transmissions that were integrity protected using the first mapped security context.

In another configuration, the second TAU request includes a repetition of the first TAU request.

In another configuration, the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, the downlink message includes a TAU accept message, and the example network entity 1760 also includes means for resending the downlink message.

In another configuration, the example network entity 1760 also includes means for: restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping the increment of a retransmission counter associated with the T3450 timer.

In another configuration, the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, the downlink message includes a TAU accept message, and the example network entity 1760 also includes means for: initiating an authentication procedure; and performing a security mode control procedure to switch to a new partial native Evolved Packet System (EPS) security context.

In another configuration, the example network entity 1760 also includes means for: outputting a repetition of the downlink message when the security mode control procedure succeeds, the repetition of the downlink message being integrity protected using the current full native EPS security context; restarting the T3450 timer when a TAU complete message is expected from the UE; and skipping the increment of the retransmission counter associated with the T3450 timer.

In another configuration, the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the example network entity 1760 also includes means for: skipping initiation of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.

In another configuration, the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the example network entity 1760 also includes means for: deciding to initiate a second TAU procedure, including outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.

In another configuration, the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

In one configuration, the network entity 1760 may be a second network entity, and includes means for: obtaining a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first RAT being different from a second RAT associated with a first network entity; deriving a first mapped security context when a first integrity check of the first TAU request succeeds; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count; deriving a second mapped security context when a second integrity check of the second TAU request succeeds; and outputting the second mapped security context for the first network entity.

In another configuration, the first context request also includes the identifier mapped to the second RAT.

In another configuration, the second TAU request includes a repetition of the first TAU request.

In another configuration, the example network entity 1760 also includes means for: starting a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.

In another configuration, the example network entity 1760 also includes means for performing the first integrity check on the first TAU request based on the first security context.

In another configuration, the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

The means may be the network security processing component 497 of the network entity 1760 configured to perform the functions recited by the means. As described above, the network entity 1760 may include the network processor 1712. Accordingly, in one configuration, the means may be the network processor 1712 configured to perform the functions recited by the means.
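The MME and AMF configurations above, together with the UE-side aspects that follow, describe one exchange: a repeated TAU request carrying a new uplink count yields a new mapped security context, and the MME must switch to it and drop downlink messages protected with the old one. The Python model below is an added example, not code from the patent or from any 3GPP implementation; it assumes HMAC-SHA256 stand-ins for the 3GPP key derivation and NAS integrity algorithms, simplified (count, payload, tag) messages and a constructed native key, and it leaves out the AMF's erase timer and the T3450 handling.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumptions: HMAC-SHA256 stands in for the 3GPP KDF and NAS integrity algorithm.

def kdf(native_key: bytes, uplink_count: int) -> bytes:
    """Mapped EPS key bound to the native 5G key AND the uplink count that
    protected the TAU request (the page: derived from first context + count)."""
    return hmac.new(native_key, b"mapped-eps" + uplink_count.to_bytes(4, "big"),
                    hashlib.sha256).digest()

def nas_mac(key: bytes, count: int, payload: bytes) -> bytes:
    """Stand-in NAS integrity tag over (count, payload), truncated to 32 bits."""
    return hmac.new(key, count.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:4]

@dataclass
class TauRequest:
    mapped_id: str        # identifier mapped to the EPS RAT (the "first set of information")
    uplink_count: int
    payload: bytes
    tag: bytes

@dataclass
class Amf:
    """Second network entity: holds the UE's native 5G (N1 mode) security context."""
    native_key: bytes
    issued: List[bytes] = field(default_factory=list)   # mapped contexts handed out

    def context_request(self, req: TauRequest) -> Optional[bytes]:
        # Integrity check with the native context; a failed check yields no context.
        expected = nas_mac(self.native_key, req.uplink_count, req.payload)
        if not hmac.compare_digest(expected, req.tag):
            return None
        mapped = kdf(self.native_key, req.uplink_count)
        self.issued.append(mapped)
        return mapped

@dataclass
class Mme:
    """First network entity (S1 mode): obtains mapped contexts from the AMF."""
    amf: Amf
    context: Optional[bytes] = None
    pending_dl: List[Tuple[bytes, int, bytes]] = field(default_factory=list)
    dropped: int = 0

    def handle_tau(self, req: TauRequest) -> Optional[Tuple[int, bytes, bytes]]:
        """Return the (count, message, tag) of a TAU Accept, or None on failure."""
        mapped = self.amf.context_request(req)
        if mapped is None:
            return None
        if self.context is not None and mapped != self.context:
            # Repeated TAU with a different uplink count: move to the new mapped
            # context and discard downlink messages protected with the old one.
            self.dropped += sum(1 for m in self.pending_dl if m[0] == self.context)
            self.pending_dl = [m for m in self.pending_dl if m[0] != self.context]
        self.context = mapped
        accept, dl_count = b"TAU-ACCEPT " + req.mapped_id.encode(), 0
        self.pending_dl.append((mapped, dl_count, accept))
        return dl_count, accept, nas_mac(mapped, dl_count, accept)

@dataclass
class Ue:
    native_key: bytes
    uplink_count: int = 0
    mapped: Optional[bytes] = None

    def tau_request(self, mapped_id: str) -> TauRequest:
        """Protect a TAU request with the native 5G context and the current uplink
        count, and derive the matching mapped context locally."""
        payload = b"TAU " + mapped_id.encode()
        req = TauRequest(mapped_id, self.uplink_count, payload,
                         nas_mac(self.native_key, self.uplink_count, payload))
        self.mapped = kdf(self.native_key, self.uplink_count)
        self.uplink_count += 1          # a retransmission uses a fresh count
        return req

    def verify_downlink(self, count: int, msg: bytes, tag: bytes) -> bool:
        """Check a downlink message against the UE's current mapped context."""
        return self.mapped is not None and hmac.compare_digest(
            nas_mac(self.mapped, count, msg), tag)

def run_scenario() -> dict:
    """First TAU request, then a repetition with a new uplink count (e.g. after a
    radio link failure); the MME re-derives and drops the stale TAU Accept."""
    native_key = bytes(range(32))            # constructed native 5G key
    ue, mme = Ue(native_key), Mme(Amf(native_key))
    first = mme.handle_tau(ue.tau_request("mapped-guti-1"))    # never delivered
    second = mme.handle_tau(ue.tau_request("mapped-guti-1"))
    return {
        "first_accept_verifies": ue.verify_downlink(*first),   # stale context
        "second_accept_verifies": ue.verify_downlink(*second),
        "dropped_downlinks": mme.dropped,
        "contexts_issued": len(mme.amf.issued),
    }
```

Had the MME kept the first mapped context, the UE, which re-derived from the second count, would reject the TAU Accept; that is the inconsistency the configurations above remove.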

The examples disclosed herein provide techniques for removing inconsistencies in the handling of repetitions of a TAU request message, as described above. For example, the disclosed techniques may remove the inconsistencies by modifying how the network handles repetitions of a TAU request message. Additionally or alternatively, the disclosed techniques may remove the inconsistencies by modifying how the UE integrity protects a TAU request message. Additionally, the disclosed techniques may remove the inconsistencies by modifying how the UE performs integrity verification of messages.

It is understood that the specific order or hierarchy of blocks in the processes/flowcharts disclosed is an illustration of example approaches. Based upon design preferences, it is understood that the specific order or hierarchy of blocks in the processes/flowcharts may be rearranged. Further, some blocks may be combined or omitted. The accompanying method claims present elements of the various blocks in an example order, and are not limited to the specific order or hierarchy presented.

The previous description is provided to enable any person having ordinary knowledge in the art to which the invention pertains to practice the various aspects described herein. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects. Thus, the claims are not limited to the aspects described herein, but are to be accorded the full scope consistent with the language of the claims, and reference to an element in the singular does not mean "one and only one" unless specifically so stated, but rather "one or more." Terms such as "if," "when," and "while" do not imply an immediate temporal relationship or reaction. That is, these phrases (e.g., "when") do not imply an immediate action in response to or during the occurrence of an action, but simply that the action will occur if a condition is met, without requiring a specific or immediate time constraint for the action to occur. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any aspect described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other aspects. Unless specifically stated otherwise, the term "some" refers to one or more. Combinations such as "at least one of A, B, or C," "one or more of A, B, or C," "at least one of A, B, and C," "one or more of A, B, and C," and "A, B, C, or any combination thereof" include any combination of A, B, and/or C, and may include multiples of A, multiples of B, or multiples of C. Specifically, combinations such as "at least one of A, B, or C," "one or more of A, B, or C," "at least one of A, B, and C," "one or more of A, B, and C," and "A, B, C, or any combination thereof" may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, where any such combination may contain one or more members of A, B, or C. A set should be interpreted as a set of elements where the number of elements is one or more. Accordingly, for a set of X, X would include one or more elements. If a first apparatus receives data from or transmits data to a second apparatus, the data may be received/transmitted directly between the first apparatus and the second apparatus, or indirectly between the first apparatus and the second apparatus through a set of apparatuses. All structural and functional equivalents to the elements of the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art to which the invention pertains are expressly incorporated herein by reference and are encompassed by the claims. Moreover, nothing disclosed herein is dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. The words "module," "mechanism," "element," "device," and the like may not be a substitute for the word "means." As such, no claim element is to be construed as means plus function unless the element is expressly recited using the phrase "means for."

As used herein, the phrase "based on" shall not be construed as a reference to a closed set of information, one or more conditions, one or more factors, or the like. In other words, the phrase "based on A" (where "A" may be information, a condition, a factor, or the like) shall be construed as "based at least on A" unless specifically stated otherwise.

The following aspects are illustrative only and may be combined with other aspects or teachings described herein, without limitation.

Aspect 1 is a method of wireless communication at a UE, including: transmitting a first tracking area update (TAU) request to a first network entity, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information, the first set of information including an identifier mapped to a second RAT associated with the first network entity; transmitting a second TAU request to the first network entity, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; deriving a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicating with the first network entity based on the mapped security context.

態樣2是根據態樣1之方法,亦包括:當執行從與該第一RAT相關聯的第一細胞到連接到與該第二RAT相關聯的第二細胞的改變時發送該第一TAU請求,該第二RAT不同於該第一RAT,該第一網路實體與該第二RAT相關聯。Aspect 2 is the method according to aspect 1, further comprising: sending the first TAU when performing a change from a first cell associated with the first RAT to a connection to a second cell associated with the second RAT request, the second RAT is different from the first RAT, and the first network entity is associated with the second RAT.

態樣3是根據態樣1和2中任一項所述的方法,亦包括:該第二TAU請求包括該第一TAU請求的重複,並且該第二上行鏈路計數是與該第一上行鏈路計數相同的值。Aspect 3 is the method according to any one of aspects 1 and 2, further comprising: the second TAU request includes a repetition of the first TAU request, and the second uplink count is the same as the first uplink count The same value as the link count.

態樣4是根據態樣1到3中任一項所述的方法,亦包括:基於無線電鏈路失敗的發生來發送該第二TAU請求。Aspect 4 is the method according to any one of aspects 1 to 3, further comprising: sending the second TAU request based on occurrence of a radio link failure.

態樣5是根據態樣1和2中任一項所述的方法,亦包括:該映射安全上下文與該第二RAT相關聯。Aspect 5 is the method according to any one of Aspects 1 and 2, and also includes: the mapped security context is associated with the second RAT.

態樣6是根據態樣1和2中任一項所述的方法,亦包括:該第二上行鏈路計數不同於該第一上行鏈路計數,並且該映射安全上下文是第一映射安全上下文,該方法亦包括:基於該第一安全上下文和該第一上行鏈路計數來推導第二映射安全上下文,該第二TAU請求是使用該第一安全上下文進行編碼的並且使用該第二上行鏈路計數進行完整性保護的,該第一映射安全上下文是基於該第一安全上下文和該第二上行鏈路計數來推導的。Aspect 6 is the method according to any one of aspects 1 and 2, further comprising: the second uplink count is different from the first uplink count, and the mapped security context is the first mapped security context , the method also includes: deriving a second mapped security context based on the first security context and the first uplink count, the second TAU request is encoded using the first security context and using the second uplink count Integrity protection is performed on the uplink count, and the first mapped security context is derived based on the first security context and the second uplink count.

態樣7是根據態樣1和6中任一項所述的方法,亦包括:基於推導該第一映射安全上下文來將該UE的安全上下文從該第二映射安全上下文更新為該第一映射安全上下文;及在更新該UE的安全上下文之後,丟棄使用該第二映射安全上下文進行完整性保護的掛起傳輸。Aspect 7 is the method according to any one of aspects 1 and 6, further comprising: updating the UE's security context from the second mapped security context to the first mapped security context based on deriving the first mapped security context a security context; and discarding pending transmissions integrity-protected using the second mapped security context after updating the UE's security context.

態樣8是根據態樣1、6和7中任一項所述的方法,亦包括:該第二TAU請求包括該第一TAU請求的重複。Aspect 8 is the method according to any one of aspects 1, 6 and 7, further comprising: the second TAU request includes a repetition of the first TAU request.

態樣9是一種用於UE處的無線通訊的裝置,包括:至少一個處理器,其耦合到記憶體並且被配置為實現態樣1到8中任一項。Aspect 9 is an apparatus for wireless communication at a UE, comprising: at least one processor coupled to a memory and configured to implement any one of aspects 1 to 8.

在態樣10中,根據態樣9之裝置亦包括:耦合到該至少一個處理器的至少一個天線。In aspect 10, the apparatus according to aspect 9 also includes: at least one antenna coupled to the at least one processor.

在態樣11中,根據態樣9或10之裝置亦包括:耦合到該至少一個處理器的收發機。In aspect 11, the apparatus according to aspect 9 or 10 also includes: a transceiver coupled to the at least one processor.

態樣12是一種用於無線通訊的裝置,包括用於實現態樣1到8中任一項的單元。Aspect 12 is a device for wireless communication, including a unit for realizing any one of aspects 1 to 8.

在態樣13中,根據態樣12之裝置亦包括:至少一個天線,其耦合到用於執行根據態樣1到8中任一項所述的方法的單元。In aspect 13, the apparatus according to aspect 12 also includes at least one antenna coupled to the means for performing the method according to any one of aspects 1-8.

在態樣14中,根據態樣12或13之裝置亦包括:收發機,其耦合到用於執行根據態樣1到8中任一項所述的方法的單元。In aspect 14, the apparatus according to aspect 12 or 13 also includes a transceiver coupled to the means for performing the method according to any one of aspects 1-8.

態樣15是一種儲存電腦可執行代碼的非暫時性電腦可讀取儲存媒體,其中該代碼在被執行時使得處理器實現態樣1到8中任一項。Aspect 15 is a non-transitory computer-readable storage medium storing computer-executable code, wherein the code, when executed, causes a processor to implement any one of aspects 1-8.

Aspect 16 is a method of wireless communication at a UE, including: when performing a change from a first cell associated with a first radio access technology (RAT) to a connection to a second cell associated with a second RAT different from the first RAT, sending a first tracking area update (TAU) request to a first network entity, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; deriving a first integrity key based on the first security context, the first uplink count and a first mapped security context; sending a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count; deriving a second integrity key based on the first security context, the second uplink count and a second mapped security context; receiving a downlink transmission from the first network entity; performing an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key; and, when the integrity check of the downlink transmission using a derived integrity key succeeds, setting a master security key of the UE, the master security key being set based on whichever of the first mapped security context or the second mapped security context was used to derive that derived integrity key.

Aspect 17 is the method of aspect 16, further including: when the integrity check of the downlink transmission using the first integrity key succeeds, erasing the second mapped security context and any key derived using the second mapped security context, where the master security key includes the first mapped security context.

Aspect 18 is the method of aspect 16, further including: when the integrity check of the downlink transmission using the second integrity key succeeds, erasing the first mapped security context and any key derived using the first mapped security context, where the master security key includes the second mapped security context.

Aspect 19 is the method of any of aspects 16 to 18, further including: deriving the first mapped security context based on the first security context and the first uplink count.

Aspect 20 is an apparatus for wireless communication at a UE, including: at least one processor coupled to a memory and configured to implement any of aspects 16 to 19.

In aspect 21, the apparatus of aspect 20 further includes: at least one antenna coupled to the at least one processor.

In aspect 22, the apparatus of aspect 20 or 21 further includes: a transceiver coupled to the at least one processor.

Aspect 23 is an apparatus for wireless communication, including means for implementing any of aspects 16 to 19.

In aspect 24, the apparatus of aspect 23 further includes: at least one antenna coupled to the means for performing the method of any of aspects 16 to 19.

In aspect 25, the apparatus of aspect 23 or 24 further includes: a transceiver coupled to the means for performing the method of any of aspects 16 to 19.

Aspect 26 is a non-transitory computer-readable storage medium storing computer-executable code, where the code, when executed, causes a processor to implement any of aspects 16 to 19.

Aspect 27 is a method of wireless communication at a first network entity, including: obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity being associated with the first RAT; obtaining a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information; outputting, based on the second TAU request, a second context request for the second network entity; obtaining a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and outputting a downlink message based on the second mapped security context.

Aspect 28 is the method of aspect 27, further including: the first context request includes the identifier mapped to the second RAT, and the first TAU request is integrity protected using the first uplink count.

Aspect 29 is the method of any of aspects 27 and 28, further including: deriving an address of the second network entity based on the identifier mapped to the second RAT.

Aspect 30 is the method of any of aspects 27 to 29, further including: updating the security context of the first network entity from the first mapped security context to the second mapped security context based on obtaining the second mapped security context; and, after updating the security context of the first network entity, discarding pending downlink transmissions that are integrity protected using the first mapped security context.

Aspect 31 is the method of any of aspects 27 to 30, further including: the second TAU request includes a repetition of the first TAU request.

Aspect 32 is the method of any of aspects 27 to 31, further including: the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the downlink message includes a TAU accept message, and the method further includes: resending the downlink message.

Aspect 33 is the method of any of aspects 27 to 32, further including: restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping the incrementing of a retransmission counter associated with the T3450 timer.

Aspect 34 is the method of any of aspects 27 to 31, further including: the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the downlink message includes a TAU accept message, and the method further includes: initiating an authentication procedure; and performing a security mode control procedure to convert a new partial native Evolved Packet System (EPS) security context into a current full native EPS security context.

Aspect 35 is the method of any of aspects 27 and 34, further including: when the security mode control procedure succeeds, outputting a repetition of the downlink message, the repetition of the downlink message being integrity protected using the current full native EPS security context; restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping the incrementing of a retransmission counter associated with the T3450 timer.

Aspect 36 is the method of any of aspects 27 to 31, further including: the first TAU request is obtained based on a non-inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the method further includes: skipping the initiation of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.

Aspect 37 is the method of any of aspects 27 to 31, further including: the first TAU request is obtained based on an inter-system change from N1 mode to S1 mode, the UE is configured to operate in single-registration mode, and the method further includes: deciding to initiate a second TAU procedure, including: outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.

Aspect 38 is the method of any of aspects 27 to 37, further including: the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

Aspect 39 is an apparatus for wireless communication at a UE, including: at least one processor coupled to a memory and configured to implement any of aspects 27 to 38.

In aspect 40, the apparatus of aspect 39 further includes: at least one antenna coupled to the at least one processor.

In aspect 41, the apparatus of aspect 39 or 40 further includes: a transceiver coupled to the at least one processor.

Aspect 42 is an apparatus for wireless communication, including means for implementing any of aspects 27 to 38.

In aspect 43, the apparatus of aspect 42 further includes: at least one antenna coupled to the means for performing the method of any of aspects 27 to 38.

In aspect 44, the apparatus of aspect 42 or 43 further includes: a transceiver coupled to the means for performing the method of any of aspects 27 to 38.

Aspect 45 is a non-transitory computer-readable storage medium storing computer-executable code, where the code, when executed, causes a processor to implement any of aspects 27 to 38.

Aspect 46 is a method of wireless communication at a second network entity, including: obtaining a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first RAT being different from a second RAT associated with a first network entity; when a first integrity check of the first TAU request succeeds, deriving a first mapped security context; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count; when a second integrity check of the second TAU request succeeds, deriving a second mapped security context; and outputting the second mapped security context for the first network entity.

Aspect 47 is the method of aspect 46, further including: the first context request further includes an identifier mapped to the second RAT.

Aspect 48 is the method of any of aspects 46 and 47, further including: the second TAU request includes a repetition of the first TAU request.

Aspect 49 is the method of any of aspects 46 to 48, further including: starting a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.

Aspect 50 is the method of any of aspects 46 to 49, further including: performing the first integrity check on the first TAU request based on the first security context.

Aspect 51 is the method of any of aspects 46 to 50, further including: the first network entity includes a mobility management entity (MME), and the second network entity includes an access and mobility management function (AMF).

Aspect 52 is an apparatus for wireless communication at a UE, including: at least one processor coupled to a memory and configured to implement any of aspects 46 to 51.

In aspect 53, the apparatus of aspect 52 further includes: at least one antenna coupled to the at least one processor.

In aspect 54, the apparatus of aspect 52 or 53 further includes: a transceiver coupled to the at least one processor.

Aspect 55 is an apparatus for wireless communication, including means for implementing any of aspects 46 to 51.

In aspect 56, the apparatus of aspect 55 further includes: at least one antenna coupled to the means for performing the method of any of aspects 46 to 51.

In aspect 57, the apparatus of aspect 55 or 56 further includes: a transceiver coupled to the means for performing the method of any of aspects 46 to 51.

Aspect 58 is a non-transitory computer-readable storage medium storing computer-executable code, where the code, when executed, causes a processor to implement any of aspects 46 to 51.
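As an added illustration (not code from the patent or its assignee), the following Python sketch plays the UE, the MME as first network entity and the AMF as second network entity of aspects 1 to 8, 16 to 19, 27 to 38 and 46 to 51 through a TAU request that is retransmitted with a second uplink count after a radio link failure: the AMF derives one mapped context per integrity-checked TAU, the MME adopts the newer one and discards downlink messages pending under the older one, and the UE keeps both candidate contexts until a downlink message verifies under one of them. The KDF (HMAC-SHA256 standing in for the 3GPP derivation), the message layouts, the key and the mapped GUTI are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stand-in KDF (assumption): HMAC-SHA256 over a label and a 32-bit count. Only the
# structure "mapped context = f(first security context, uplink count)" is from the page.
def kdf(key: bytes, label: bytes, count: int) -> bytes:
    return hmac.new(key, label + count.to_bytes(4, "big"), hashlib.sha256).digest()

def derive_mapped_context(k_first: bytes, ul_count: int) -> bytes:
    # Mapped (EPS) context from the first (5G) context and the UL count used on that TAU.
    return kdf(k_first, b"mapped-ctx", ul_count)

def nas_mac(key: bytes, count: int, payload: bytes) -> bytes:
    return kdf(key, b"mac|" + payload, count)[:4]  # 32-bit tag, like NAS-MAC

@dataclass
class TauRequest:
    ul_count: int      # first or second uplink count (aspect 1)
    mapped_guti: str   # identifier mapped to the second RAT (aspect 1)
    payload: bytes
    mac: bytes

@dataclass
class DownlinkMsg:
    dl_count: int
    payload: bytes
    mac: bytes

class UE:
    def __init__(self, k_first: bytes, mapped_guti: str):
        self.k_first, self.mapped_guti, self.ul_count = k_first, mapped_guti, 0
        self.candidates: Dict[int, bytes] = {}   # UL count -> mapped context (aspects 16, 19)
        self.master_ctx: Optional[bytes] = None  # committed context (aspect 16)

    def build_tau(self, payload: bytes) -> TauRequest:
        # Every (re)transmission is protected under the FIRST context with a fresh UL count,
        # and the UE keeps the mapped context each count would yield (aspects 1, 6).
        count, self.ul_count = self.ul_count, self.ul_count + 1
        self.candidates[count] = derive_mapped_context(self.k_first, count)
        return TauRequest(count, self.mapped_guti, payload, nas_mac(self.k_first, count, payload))

    def receive_downlink(self, msg: DownlinkMsg) -> Optional[int]:
        # Check the DL message under each candidate's integrity key, commit to the one that
        # verifies and erase the rest (aspects 16-18). Returns the committed UL count.
        for count, ctx in list(self.candidates.items()):
            if hmac.compare_digest(nas_mac(kdf(ctx, b"nas-int", 0), msg.dl_count, msg.payload), msg.mac):
                self.master_ctx, self.candidates = ctx, {}
                return count
        return None

class AMF:  # second network entity (aspects 46-51)
    def __init__(self, k_first: bytes, mapped_guti: str):
        self.contexts = {mapped_guti: k_first}

    def handle_context_request(self, tau: TauRequest) -> Optional[bytes]:
        k_first = self.contexts.get(tau.mapped_guti)
        # Integrity check of the TAU under the first context (aspect 50); the mapped
        # context is derived only when that check succeeds (aspect 46).
        if k_first is None or not hmac.compare_digest(
                nas_mac(k_first, tau.ul_count, tau.payload), tau.mac):
            return None
        return derive_mapped_context(k_first, tau.ul_count)

class MME:  # first network entity (aspects 27-38)
    def __init__(self, amf: AMF):
        self.amf, self.mapped_ctx, self.dl_count = amf, None, 0
        self.pending_dl: List[DownlinkMsg] = []

    def handle_tau(self, tau: TauRequest) -> bool:
        ctx = self.amf.handle_context_request(tau)  # context request towards the AMF (aspect 27)
        if ctx is None:
            return False
        if self.mapped_ctx is not None and ctx != self.mapped_ctx:
            # A second TAU with a different UL count yields a new mapped context: adopt it and
            # drop pending DL protected under the old one (aspect 30). Counts restart (simplified).
            self.pending_dl.clear()
            self.dl_count = 0
        self.mapped_ctx = ctx
        return True

    def queue_downlink(self, payload: bytes) -> DownlinkMsg:
        mac = nas_mac(kdf(self.mapped_ctx, b"nas-int", 0), self.dl_count, payload)
        msg = DownlinkMsg(self.dl_count, payload, mac)
        self.dl_count += 1
        self.pending_dl.append(msg)
        return msg

def run_reselection_with_retransmission() -> dict:
    # Scenario: TAU, radio link failure before the accept reaches the UE, retransmitted TAU (aspect 4).
    k_amf, guti = b"\x11" * 32, "mapped-eps-guti-1"   # constructed sample values
    ue, mme = UE(k_amf, guti), MME(AMF(k_amf, guti))
    assert mme.handle_tau(ue.build_tau(b"TAU"))         # first TAU, UL count 0
    stale = mme.queue_downlink(b"TAU ACCEPT")           # protected under the count-0 context
    assert mme.handle_tau(ue.build_tau(b"TAU"))         # second TAU, UL count 1
    mme.queue_downlink(b"TAU ACCEPT")                   # protected under the count-1 context
    delivered, mme.pending_dl = mme.pending_dl, []      # only the count-1 accept survives aspect 30
    committed = [ue.receive_downlink(m) for m in delivered]
    return {"delivered": len(delivered), "committed": committed,
            "stale_accepted": ue.receive_downlink(stale), "candidates_left": len(ue.candidates)}
```

The returned dictionary shows the UE committing to the context derived from uplink count 1, the count-0 accept never being delivered, and a late copy of it being rejected because the count-0 candidate was erased on commit.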

100: diagram; 102: base station; 104: UE; 105: SMO framework; 110: central or centralized unit (CU); 111: open eNB (O-eNB); 115: non-RT RIC; 120: core network; 125: near-RT RIC; 130: distributed unit (DU); 140: radio unit (RU); 150: Wi-Fi AP; 154: communication link; 158: D2D communication link; 161: access and mobility management function (AMF); 162: session management function (SMF); 163: user plane function (UPF); 164: unified data management (UDM); 165: gateway mobile location center (GMLC); 166: location management function (LMF); 168: location server; 182: beamformed signal; 184: beamformed signal; 190: open cloud; 198: UE security handling component; 199: network security handling component; 200: diagram; 230: diagram; 250: diagram; 280: diagram; 310: base station; 316: TX processor; 318Rx: receiver; 318Tx: transmitter; 320: antenna; 350: UE; 352: antenna; 354Rx: receiver; 354Tx: transmitter; 356: RX processor; 358: channel estimator; 359: controller/processor; 360: memory; 368: TX processor; 370: RX processor; 374: channel estimator; 375: controller/processor; 376: memory; 400: wireless communication system and access network; 402a: first network node; 402b: second network node; 404: UE; 406: geographic coverage area; 408: communication link; 410: evolved packet core; 412: mobility management entity (MME); 414: MME; 416: serving gateway; 418: multimedia broadcast multicast service (MBMS) gateway; 420: broadcast multicast service center (BM-SC); 422: packet data network (PDN) gateway; 424: home subscriber server; 426: IP services; 430: core network; 432: access and mobility management function (AMF); 434: AMF; 436: session management function (SMF); 438: user plane function (UPF); 440: unified data management (UDM); 442: IP services; 452: first backhaul link; 454: second backhaul link; 456: third backhaul link; 497: network security handling component; 500: first security context; 502: master security key; 504: KSI; 506: UE security capabilities; 508: uplink NAS count; 510: downlink NAS count; 520: second security context; 522: 5G key; 524: 5G KSI; 526: 5G UE security capabilities; 528: 5G uplink NAS count; 530: 5G downlink NAS count; 540: third security context; 542: EPS key; 544: EPS KSI; 546: EPS UE security capabilities; 548: EPS uplink NAS count; 550: EPS downlink NAS count; 600: example communication flow; 602: network node; 604: UE; 606: MME; 607: EPS network; 608: AMF; 609: 5G network; 610: first TAU request message; 612: mapped EPS GUTI; 613: temporary mobile subscriber identity (TMSI); 614: NAS-MAC; 616: eKSI parameter; 618, 620: procedure; 622: context request message; 630, 632, 634: procedure; 636: mapped EPS security context; 638: context response message; 640: procedure; 642: UE mapped EPS security context; 650: procedure; 660: NAS SMC procedure; 662: TAU accept message; 664: procedure; 666: TAU complete message; 670: second TAU request message; 672, 674, 680, 682, 684, 690, 692, 694: procedure; 700: flowchart; 702, 704, 706, 708: block; 800: flowchart; 802, 804, 806, 808, 810, 812, 814: block; 900: flowchart; 902, 904, 906, 908, 910, 912, 914: block; 1000: flowchart; 1002, 1004, 1006, 1008, 1010, 1012, 1014, 1016, 1018, 1020: block; 1100: diagram; 1102: network entity; 1104: apparatus; 1106: application processor; 1106': on-chip memory; 1108: secure digital (SD) card; 1110: screen; 1112: Bluetooth module; 1114: WLAN module; 1116: SPS module; 1118: sensor module; 1120: subscriber identity module (SIM) card; 1122: cellular RF transceiver; 1124: cellular baseband processor; 1124': on-chip memory; 1126: memory module; 1130: power supply; 1132: camera; 1180: antenna; 1200: flowchart; 1202, 1204, 1206, 1208, 1210, 1212, 1214: block; 1300: flowchart; 1302, 1304, 1306, 1308, 1310, 1312, 1314, 1316, 1318, 1320: block; 1400: flowchart; 1402, 1404, 1406, 1408, 1410, 1412: block; 1500: flowchart; 1502, 1504, 1506, 1508, 1510, 1512, 1514, 1516: block; 1600: diagram; 1602: network entity; 1610: CU; 1612: CU processor; 1612': on-chip memory; 1614: additional memory module; 1618: communication interface; 1630: DU; 1632: DU processor; 1632': on-chip memory; 1634: memory module; 1638: communication interface; 1640: RU; 1642: RU processor; 1642': on-chip memory; 1644: memory module; 1646: transceiver; 1648: communication interface; 1680: antenna; 1700: diagram; 1702: central or centralized unit (CU); 1712: network processor; 1712': on-chip memory; 1714: memory module; 1760: network entity; 1780: network interface; A1: interface; E2: interface; F1: interface; O1: interface; O2: interface

FIG. 1 is a diagram illustrating an example of a wireless communication system and an access network.

FIG. 2A is a diagram illustrating an example of a first frame, in accordance with various aspects of the present disclosure.

FIG. 2B is a diagram illustrating an example of DL channels within a subframe, in accordance with various aspects of the present disclosure.

FIG. 2C is a diagram illustrating an example of a second frame, in accordance with various aspects of the present disclosure.

FIG. 2D is a diagram illustrating an example of UL channels within a subframe, in accordance with various aspects of the present disclosure.

FIG. 3 is a diagram illustrating an example of a base station and user equipment (UE) in an access network.

FIG. 4 is a diagram illustrating an example of a wireless communication system and an access network that include a first network node, a second network node, a UE, an evolved packet core (EPC) and a core network (e.g., a 5G core (5GC)), in accordance with the teachings disclosed herein.

FIG. 5 illustrates examples of different security contexts, in accordance with the teachings disclosed herein.

FIG. 6 is an example communication flow illustrating idle mode mobility from a first RAT to a second RAT, in accordance with the teachings disclosed herein.

FIG. 7 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.

FIG. 8 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.

FIG. 9 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.

FIG. 10 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.

FIG. 11 is a diagram illustrating an example of a hardware implementation for an example apparatus, in accordance with the teachings disclosed herein.

FIG. 12 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.

FIG. 13 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.

FIG. 14 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.

FIG. 15 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.

FIG. 16 is a diagram illustrating an example of a hardware implementation for an example network entity.

FIG. 17 is a diagram illustrating an example of a hardware implementation for an example network entity.

Domestic deposit information (depositary institution, date, number): none. Foreign deposit information (depositary country, institution, date, number): none.

600: example communication flow

602: network node

604: UE

606: MME

607: EPS network

608: AMF

609: 5G network

610: first TAU request message

612: mapped EPS GUTI

613: temporary mobile subscriber identity (TMSI)

614: NAS-MAC

616: eKSI parameter

618: procedure

620: procedure

622: context request message

630: procedure

632: procedure

634: procedure

636: mapped EPS security context

638: context response message

640: procedure

642: UE mapped EPS security context

650: procedure

660: NAS SMC procedure

662: TAU accept message

664: procedure

666: TAU complete message

670: second TAU request message

672: procedure

674: procedure

680: procedure

682: procedure

684: procedure

690: procedure

692: procedure

694: procedure

Claims (30)

1. An apparatus for wireless communication at a user equipment (UE), comprising: a memory; and at least one processor coupled to the memory and configured to: send a first tracking area update (TAU) request to a first network entity, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity; send a second TAU request to the first network entity, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicate with the first network entity based on the mapped security context.

2. The apparatus of claim 1, further comprising: at least one antenna coupled to the at least one processor, wherein the at least one processor coupled to the memory is configured to send the first TAU request when performing a change from a first cell associated with the first RAT to connecting to a second cell associated with the second RAT, the second RAT being different from the first RAT, and the first network entity being associated with the second RAT.

3. The apparatus of claim 2, wherein the second TAU request comprises a repetition of the first TAU request, and the second uplink count has the same value as the first uplink count.

4. The apparatus of claim 3, wherein the at least one processor coupled to the memory is configured to send the second TAU request based on an occurrence of a radio link failure.

5. The apparatus of claim 2, wherein the mapped security context is associated with the second RAT.

6. The apparatus of claim 1, wherein the second uplink count is different from the first uplink count, and the mapped security context is a first mapped security context, the at least one processor coupled to the memory being further configured to: derive a second mapped security context based on the first security context and the first uplink count, the second TAU request being encoded using the first security context and integrity protected using the second uplink count, and the first mapped security context being derived based on the first security context and the second uplink count.

7. The apparatus of claim 6, wherein the at least one processor coupled to the memory is further configured to: update a security context of the UE from the second mapped security context to the first mapped security context based on deriving the first mapped security context; and after updating the security context of the UE, discard pending transmissions that were integrity protected using the second mapped security context.

8. The apparatus of claim 6, wherein the second TAU request comprises a repetition of the first TAU request.

9. An apparatus for wireless communication at a user equipment (UE), comprising: a memory; and at least one processor coupled to the memory and configured to: when performing a change from a first cell associated with a first radio access technology (RAT) to connecting to a second cell associated with a second RAT different from the first RAT, send a first tracking area update (TAU) request to a first network entity, the first network entity being associated with the second RAT, the first TAU request being encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; derive a first integrity key based on the first security context, the first uplink count and a first mapped security context; send a repetition of the first TAU request to the first network entity, the repetition of the first TAU request being integrity protected using a second uplink count different from the first uplink count; derive a second integrity key based on the first security context, the second uplink count and a second mapped security context; receive a downlink transmission from the first network entity; perform an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key; and when the integrity check of the downlink transmission using a derived integrity key succeeds, set a master security key of the UE, the master security key being set based on whichever of the first mapped security context or the second mapped security context was used to derive that derived integrity key.

10. The apparatus of claim 9, further comprising: at least one antenna coupled to the at least one processor, wherein the at least one processor coupled to the memory is further configured to: when the integrity check of the downlink transmission using the first integrity key succeeds, erase the second mapped security context and any keys derived using the second mapped security context, wherein the master security key comprises the first mapped security context.

11. The apparatus of claim 9, wherein the at least one processor coupled to the memory is further configured to: when the integrity check of the downlink transmission using the second integrity key succeeds, erase the first mapped security context and any keys derived using the first mapped security context, wherein the master security key comprises the second mapped security context.

12. The apparatus of claim 9, wherein the at least one processor coupled to the memory is further configured to: derive the first mapped security context based on the first security context and the first uplink count.

13. An apparatus for wireless communication at a first network entity, comprising: a memory; and at least one processor coupled to the memory and configured to: obtain a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information that includes an identifier mapped to a second RAT associated with the first network entity; output a first context request for a second network entity based on the first TAU request, the second network entity being associated with the first RAT; obtain a first mapped security context based on the first context request, the first mapped security context being derived from the first security context and the first uplink count; obtain a second TAU request, the second TAU request being encoded using the first security context, the second TAU request being integrity protected using a second uplink count different from the first uplink count, and the second TAU request including the first set of information; output a second context request for the second network entity based on the second TAU request; obtain a second mapped security context based on the second context request, the second mapped security context being derived from the first security context and the second uplink count; and output a downlink message based on the second mapped security context.

14. The apparatus of claim 13, wherein the first context request includes the identifier mapped to the second RAT, and the first TAU request is integrity protected using the first uplink count.

15. The apparatus of claim 13, further comprising: at least one antenna coupled to the at least one processor, the at least one processor coupled to the memory being further configured to: derive an address of the second network entity based on the identifier mapped to the second RAT.

16. The apparatus of claim 13, wherein the at least one processor coupled to the memory is further configured to: update a security context of the first network entity from the first mapped security context to the second mapped security context based on obtaining the second mapped security context; and after updating the security context of the first network entity, discard pending downlink transmissions that were integrity protected using the first mapped security context.

17. The apparatus of claim 13, wherein the second TAU request comprises a repetition of the first TAU request.

18. The apparatus of claim 13, wherein the first TAU request is obtained based on a non-inter-system change from an N1 mode to an S1 mode, the UE is configured to operate in a single-registration mode, and the downlink message comprises a TAU accept message, and wherein the at least one processor coupled to the memory is further configured to: resend the downlink message.

19. The apparatus of claim 18, wherein the at least one processor coupled to the memory is further configured to: restart a T3450 timer while awaiting a TAU complete message from the UE; and skip incrementing a retransmission counter associated with the T3450 timer.

20. The apparatus of claim 13, wherein the first TAU request is obtained based on an inter-system change from an N1 mode to an S1 mode, the UE is configured to operate in a single-registration mode, and the downlink message comprises a TAU accept message, and wherein the at least one processor coupled to the memory is further configured to: initiate an authentication procedure; and perform a security mode control procedure to convert a new partial native evolved packet system (EPS) security context into a current full native EPS security context.

21. The apparatus of claim 20, wherein the at least one processor coupled to the memory is further configured to: when the security mode control procedure succeeds, output a repetition of the downlink message, the repetition of the downlink message being integrity protected using the current full native EPS security context; restart a T3450 timer while awaiting a TAU complete message from the UE; and skip incrementing a retransmission counter associated with the T3450 timer.

22. The apparatus of claim 13, wherein the first TAU request is obtained based on a non-inter-system change from an N1 mode to an S1 mode, the UE is configured to operate in a single-registration mode, and wherein the at least one processor coupled to the memory is further configured to: skip initiating a TAU procedure based on the second TAU request; and integrity protect the downlink message based on the first mapped security context.

23. The apparatus of claim 13, wherein the first TAU request is obtained based on an inter-system change from an N1 mode to an S1 mode, the UE is configured to operate in a single-registration mode, and wherein the at least one processor coupled to the memory is further configured to: decide to initiate a second TAU procedure, including: outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.

24. The apparatus of claim 13, wherein the first network entity comprises a mobility management entity (MME), and the second network entity comprises an access and mobility management function (AMF).

25. An apparatus for wireless communication at a second network entity, comprising: a memory; and at least one processor coupled to the memory and configured to: obtain a first context request that includes at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request being encoded using a first security context associated with a first radio access technology (RAT), the first RAT being different from a second RAT associated with a first network entity; when a first integrity check of the first TAU request succeeds, derive a first mapped security context; output the first mapped security context for the first network entity; obtain a second context request that includes at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different from the first uplink count; when a second integrity check of the second TAU request succeeds, derive a second mapped security context; and output the second mapped security context for the first network entity.

26. The apparatus of claim 25, wherein the first context request further includes an identifier mapped to the second RAT.

27. The apparatus of claim 25, wherein the second TAU request comprises a repetition of the first TAU request.

28. The apparatus of claim 25, further comprising: at least one antenna coupled to the at least one processor, wherein the at least one processor coupled to the memory is further configured to: start a timer after outputting the first mapped security context; and erase the first mapped security context after the timer expires.

29. The apparatus of claim 25, wherein the at least one processor is configured to perform the first integrity check on the first TAU request based on the first security context.

30. The apparatus of claim 25, wherein the first network entity comprises a mobility management entity (MME), and the second network entity comprises an access and mobility management function (AMF).
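The exchange the claims describe, as an added Python model that is not part of the patent and not a 3GPP implementation: the UE integrity protects a TAU REQUEST under its 5G NAS context with an uplink NAS COUNT; the AMF verifies it and, only on success, derives a mapped EPS context from K_AMF and that count; the MME takes whichever mapped context arrived last and discards downlink traffic it had queued under the earlier one; and the UE, which may have sent the request twice under different counts after a radio link failure, keeps one candidate mapped context per count, verifies the TAU ACCEPT against each, commits to the one that matches and erases the loser. The class and function names, the FC labels, the truncated HMAC standing in for the 128-EIA2 NAS-MAC, and the key material are all constructed assumptions; only the shape of the key derivation (HMAC-SHA-256 over FC and length-prefixed parameters) follows the 3GPP KDF.

```python
"""Modelled idle-mode 5GS -> EPS reselection with a repeated TAU REQUEST (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FC_MAPPED_KASME = b"\x76"   # assumption: KDF label for the mapped K_ASME' derivation
FC_NAS_INT = b"\x15"        # assumption: KDF label for the NAS integrity key
UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4                 # NAS-MAC is 32 bits
ProtectedPdu = Tuple[bytes, int, bytes]  # (message, NAS COUNT, NAS-MAC)


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (the TS 33.220 KDF shape)."""
    s = fc + b"".join(p + struct.pack(">H", len(p)) for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


@dataclass(frozen=True)
class MappedEpsContext:
    uplink_nas_count: int   # the uplink count that protected the TAU REQUEST
    k_asme: bytes
    k_nas_int: bytes


def derive_mapped_context(k_amf: bytes, uplink_nas_count: int) -> MappedEpsContext:
    """K_ASME' = KDF(K_AMF, uplink NAS COUNT); a different count yields a different context."""
    k_asme = kdf(k_amf, FC_MAPPED_KASME, struct.pack(">I", uplink_nas_count))
    k_nas_int = kdf(k_asme, FC_NAS_INT, b"\x02", b"\x02")[:16]  # 128-bit NAS integrity key
    return MappedEpsContext(uplink_nas_count, k_asme, k_nas_int)


def nas_mac(k_nas_int: bytes, count: int, direction: int, msg: bytes) -> bytes:
    """Truncated MAC over COUNT || DIRECTION || message (constructed stand-in for 128-EIA2)."""
    data = struct.pack(">IB", count, direction) + msg
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:MAC_LEN]


class Amf:
    """Old-RAT side: checks the TAU REQUEST under the 5G context before releasing a mapped context."""
    def __init__(self, k_amf: bytes, k_nas_int_5g: bytes):
        self.k_amf, self.k_nas_int_5g = k_amf, k_nas_int_5g

    def handle_context_request(self, pdu: ProtectedPdu) -> Optional[MappedEpsContext]:
        msg, count, mac = pdu
        if not hmac.compare_digest(nas_mac(self.k_nas_int_5g, count, UPLINK, msg), mac):
            return None  # integrity check failed: no key material leaves the AMF
        return derive_mapped_context(self.k_amf, count)


class Mme:
    """New-RAT side: holds one mapped context; a newer one replaces the older."""
    def __init__(self, amf: Amf):
        self.amf, self.dl_count, self.dropped = amf, 0, 0
        self.current: Optional[MappedEpsContext] = None
        self.pending: List[ProtectedPdu] = []

    def handle_tau_request(self, pdu: ProtectedPdu) -> bool:
        ctx = self.amf.handle_context_request(pdu)
        if ctx is None:
            return False
        if self.current is not None and ctx != self.current:
            self.dropped += len(self.pending)  # queued downlink under the old context is discarded
            self.pending.clear()
        self.current = ctx
        return True

    def protect_downlink(self, msg: bytes) -> ProtectedPdu:
        pdu = (msg, self.dl_count, nas_mac(self.current.k_nas_int, self.dl_count, DOWNLINK, msg))
        self.dl_count += 1
        self.pending.append(pdu)
        return pdu


class Ue:
    """Keeps one candidate mapped context per uplink count used; commits on the first matching MAC."""
    def __init__(self, k_amf: bytes, k_nas_int_5g: bytes, ul_count: int):
        self.k_amf, self.k_nas_int_5g, self.ul_count = k_amf, k_nas_int_5g, ul_count
        self.candidates: List[MappedEpsContext] = []
        self.committed: Optional[MappedEpsContext] = None
        self.last_dl_count = -1

    def build_tau_request(self, msg: bytes) -> ProtectedPdu:
        count = self.ul_count
        self.ul_count += 1
        self.candidates.append(derive_mapped_context(self.k_amf, count))
        return msg, count, nas_mac(self.k_nas_int_5g, count, UPLINK, msg)

    def verify_downlink(self, pdu: ProtectedPdu) -> Optional[int]:
        """Returns the uplink count of the mapped context that verified the PDU, else None."""
        msg, count, mac = pdu
        if count <= self.last_dl_count:
            return None  # NAS COUNT replay
        for ctx in ([self.committed] if self.committed else self.candidates):
            if hmac.compare_digest(nas_mac(ctx.k_nas_int, count, DOWNLINK, msg), mac):
                self.committed, self.candidates, self.last_dl_count = ctx, [], count  # erase the losers
                return ctx.uplink_nas_count
        return None


def run_reselection_scenario(repeat_with_same_count: bool) -> dict:
    """TAU REQUEST, radio link failure, TAU REQUEST again (same or new count), then TAU ACCEPT."""
    k_amf = hashlib.sha256(b"constructed K_AMF").digest()              # constructed key material
    k_nas_int_5g = hashlib.sha256(b"constructed 5G K_NASint").digest()[:16]
    amf, ue = Amf(k_amf, k_nas_int_5g), Ue(k_amf, k_nas_int_5g, ul_count=7)
    mme = Mme(amf)
    tau = b"TAU REQUEST (mapped EPS GUTI, eKSI)"                          # constructed payload
    first = ue.build_tau_request(tau)
    mme.handle_tau_request(first)
    stale_accept = mme.protect_downlink(b"TAU ACCEPT")                    # lost to the radio link failure
    second = first if repeat_with_same_count else ue.build_tau_request(tau)
    mme.handle_tau_request(second)
    candidates_before = len(ue.candidates)
    matched = ue.verify_downlink(mme.protect_downlink(b"TAU ACCEPT"))
    return {
        "candidates_before_accept": candidates_before,
        "matched_uplink_count": matched,
        "mme_uplink_count": mme.current.uplink_nas_count,
        "dropped_downlink": mme.dropped,
        "stale_accept_verified": ue.verify_downlink(stale_accept),
    }
```

With a fresh uplink count on the repeat, the UE ends the procedure holding two candidate contexts until the TAU ACCEPT arrives, the MME drops the accept it had queued under the first context, and the UE commits to the second; with a byte-identical retransmission, both sides derive the same context from the same count and nothing is dropped. In both cases the first, undelivered accept is rejected if it turns up later.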
TW111117824A 2021-05-12 2022-05-12 Security handling of 5gs to epc reselection TW202249508A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202163187784P 2021-05-12 2021-05-12
US63/187,784 2021-05-12
US17/662,978 2022-05-11
US17/662,978 US20220369176A1 (en) 2021-05-12 2022-05-11 Security handling of 5gs to epc reselection

Publications (1)

Publication Number Publication Date
TW202249508A true TW202249508A (en) 2022-12-16

Family

ID=82163404

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111117824A TW202249508A (en) 2021-05-12 2022-05-12 Security handling of 5gs to epc reselection

Country Status (5)

Country Link
EP (1) EP4338451A1 (en)
JP (1) JP2024519200A (en)
KR (1) KR20240007908A (en)
TW (1) TW202249508A (en)
WO (1) WO2022241144A1 (en)

Also Published As

Publication number Publication date
EP4338451A1 (en) 2024-03-20
JP2024519200A (en) 2024-05-09
WO2022241144A1 (en) 2022-11-17
KR20240007908A (en) 2024-01-17

Similar Documents

Publication Publication Date Title
CN115968567A (en) Delay bounds for scheduling priority and packet dropping in integrated access and backhaul networks
TW202310664A (en) Ims voice support in network using eps fallback and having 4g coverage holes
TW202249508A (en) Security handling of 5gs to epc reselection
US20220369176A1 (en) Security handling of 5gs to epc reselection
US20240147325A1 (en) Pdu set information forwarding during mobility events
US11757694B1 (en) Hybrid reference signal design and transmission of PHY signals
WO2024007186A1 (en) Techniques to facilitate avoiding rrc re-establishment
US20230403610A1 (en) Multiplexing of multiple handover commands
US20240179554A1 (en) Nw assistance for measurement and mobility enhancement
US20240049251A1 (en) Dynamic pdcch skipping for extended reality
US20240154931A1 (en) Domain name system query handling for an edge application service
US20240163718A1 (en) Radio access network enhancements for multiple description coding
WO2024021046A1 (en) Method and apparatus of mobile-terminated small data transmission (mt-sdt)
US20240155456A1 (en) Determination of l2 reset in lower layer mobility
US20230076119A1 (en) Multiple tb configuration in multi-pdsch grant
US20230396357A1 (en) Indication of network condition at a remote ue
WO2022261813A1 (en) Enhancement of user equipment location for non-3gpp access
US20240114421A1 (en) Multiple secondary cell group configuration
US20240121043A1 (en) Srs td-occ configurations
US20240048968A1 (en) Index modulation for phy signature selection
US20230319929A1 (en) Rrc reestablishment between tn and ntn
US20230269830A1 (en) Method to reduce emergency call set-up
CN117322025A (en) Security handling for 5GS to EPC reselection
TW202410661A (en) Index modulation for phy signature selection
TW202249522A (en) Srs resource set and beam order association for multi-beam pusch