WO2023224915A1 - Security for distributed non-access stratum protocol in a mobile system - Google Patents


Info

Publication number
WO2023224915A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
nas
seaf
key
context data
Prior art date
Application number
PCT/US2023/022248
Other languages
English (en)
Inventor
Abhijeet Kolekar
Zongrui DING
Alexandre Saso STOJANOVSKI
Qian Li
Xiaopeng Tong
Thomas Luetzenkirchen
Sudeep Palat
Sangeetha L. Bangolae
Original Assignee
Intel Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic

Definitions

  • 5G networks are expected to handle vast amounts of sensitive user data, such as financial information, health data, and personal identifiers. Security measures are necessary to ensure that this data is protected from unauthorized access, theft, or manipulation. As 5G networks become more pervasive, they become an attractive target for cyberattacks. Security mechanisms such as encryption and authentication are necessary to prevent these attacks and ensure network availability. 5G networks also enable the collection and processing of massive amounts of user data. Security measures are necessary to protect user privacy and ensure that personal data is handled in compliance with relevant regulations and standards. 5G networks provide underlying technologies to support a wide range of critical infrastructure, including healthcare, transportation, and energy. Any security breach could potentially disrupt these services and cause significant harm to the public. Overall, security is essential for the successful deployment and adoption of 5G networks. Without adequate security measures, users may lose confidence in the technology, and the potential benefits of 5G may not be fully realized.
  • FIG. 1 illustrates a block diagram of a wireless system in accordance with one embodiment.
  • FIG. 2 illustrates a radio access network (RAN) in accordance with one embodiment.
  • FIG. 3 illustrates a core network (CN) in accordance with one embodiment.
  • FIG. 4 illustrates a logical diagram in accordance with one embodiment.
  • FIG. 5 illustrates an operating environment of a CN in accordance with one embodiment.
  • FIG. 6 illustrates a security architecture in accordance with one embodiment.
  • FIG. 7 illustrates an operating environment of a CN in accordance with one embodiment.
  • FIG. 8A illustrates a message flow in accordance with one embodiment.
  • FIG. 8B illustrates a message flow in accordance with one embodiment.
  • FIG. 9 illustrates user equipment (UE) in accordance with one embodiment.
  • FIG. 10 illustrates a logic flow in accordance with one embodiment.
  • FIG. 11 illustrates a logic flow in accordance with one embodiment.
  • FIG. 12 illustrates a logic flow in accordance with one embodiment.
  • FIG. 13 illustrates a security architecture in accordance with one embodiment.
  • FIG. 14 illustrates a message flow in accordance with one embodiment.
  • FIG. 15 illustrates a security architecture in accordance with one embodiment.
  • FIG. 16 illustrates a message flow in accordance with one embodiment.
  • FIG. 17 illustrates a protocol stack in accordance with one embodiment.
  • FIG. 18 illustrates a message flow in accordance with one embodiment.
  • FIG. 19 illustrates a logic flow 1900 in accordance with one embodiment.
  • FIG. 20 illustrates a wireless network in accordance with one embodiment.
  • FIG. 21 illustrates an apparatus in accordance with one embodiment.
  • FIG. 22 illustrates a computer readable medium in accordance with one embodiment.
  • The present disclosure generally relates to wireless technology, and more specifically to security techniques, procedures and a security architecture suitable for Fifth Generation (5G) System or Services (5GS) and 5G Core Network (5GC) network functions (NFs), as well as Sixth Generation (6G) System or Services (6GS) and 6G Core Network (6GC) NFs.
  • A 5GS may implement a service based architecture (SBA), where network functions (NFs) are implemented as modular services that can be combined and orchestrated dynamically to create end-to-end (E2E) network services.
  • Embodiments attempt to solve these and other challenges by enabling secure connections directly between a UE and a NF in the core network (CN) without traversing a single entity such as the Access and Mobility Management Function (AMF). This may be referred to herein as a “direct secure connection.”
  • A UE and a NF may establish a direct secure connection by leveraging trusted security information previously generated for the UE and the CN. Examples of trusted security information may include 5G security context data and non-access stratum (NAS) security anchor function (SEAF) (NAS-SEAF) security context data, among other types of security context data.
  • A UE and a NF may establish a direct secure connection by using a virtual security anchor proxy at both endpoints.
  • The virtual security anchor proxy may be similar to security edge protection proxy (SEPP) security components.
  • The embodiments allow a UE and a NF to establish a direct secure connection faster than conventional solutions implementing indirect secure connections. This allows the UE to access NF services delivered via the CN more quickly, while conserving compute, memory and communication resources in a wireless network. This may save time when a UE needs to connect quickly to a NF to support critical services, such as emergency services.
  • The security architecture as described herein may be related to one or more wireless standards.
  • Embodiments may be suitable for implementation as part of the Third Generation Partnership Project (3GPP) technical standard (TS) 33.501 titled “Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system,” Release 18, version 18.0.0 (2023-01-06), including any progeny, revisions and variants ("3GPP TS 33.501").
  • Embodiments may be suitable for other 3GPP and non-3GPP wireless standards. Embodiments are not limited to 3GPP TS 33.501.
  • 3GPP TS 33.501 is a technical specification that defines the security architecture and procedures for 5G networks. It provides guidelines for the implementation of security features that ensure confidentiality, integrity, and availability of communication between 5G network elements and devices. The specification outlines the security framework for 5G networks and provides a detailed description of the security mechanisms and protocols used in different 5G network functions. It also defines the key management procedures and cryptographic algorithms used to secure 5G communications. In addition, 3GPP TS 33.501 provides guidelines for the protection of user privacy and the handling of personal data in compliance with relevant regulations and standards. It also covers security procedures for network operators and service providers, including requirements for security audits and incident response. Overall, 3GPP TS 33.501 plays a critical role in ensuring the security of 5G networks and protecting against potential security threats such as data breaches, identity theft, and cyber-attacks.
  • Various embodiments are generally directed to security techniques suitable for implementation in one or more 3GPP standards, such as 3GPP TS 33.501, for example. Some embodiments are particularly directed to security techniques suitable for 5G or 6G network protocols, such as a non-access stratum (NAS) protocol layer, among other 5G and 6G protocols.
  • The security techniques may allow a UE and a NF to communicate messages, such as NAS messages, over a direct secure connection established by: (1) leveraging trusted security information previously generated for the UE and the CN; and/or (2) using a virtual security anchor proxy at both endpoints.
  • A UE may communicate with various network functions of a 5G core network (5GC) using the NAS protocol layer.
  • The NAS protocol layer refers to the part of the network architecture that is responsible for the signaling and control of the connection between the UE and the 5GC.
  • The NAS protocol layer is located above a radio access network (RAN) protocol layer and below a 5GC protocol layer.
  • The NAS protocol layer plays a critical role in ensuring the reliability, security, and mobility of a UE connection to the 5G network.
  • The NAS protocol layer in a 5G system includes several main protocols: (1) the Access and Mobility Management Function (AMF) protocol; (2) the network function (NF) protocol; and (3) the Authentication and Key Agreement (AKA) protocol.
  • The AMF protocol handles tasks such as user authentication, access control, mobility management, and security management. It is responsible for managing the UE connection to the network, ensuring that the UE communication is secure and uninterrupted.
  • The session management function (SMF) protocol manages the establishment, modification, and termination of user sessions, which include data communication sessions such as voice and multimedia services. It is also responsible for managing the Quality of Service (QoS) of the UE communication, ensuring that a user's experience is optimized and meets their expectations.
  • The AKA protocol is a security protocol used in 5GS to provide secure authentication and key management between the user equipment (UE) and the core network (CN).
  • A 5GS may have a centralized NAS architecture or a distributed NAS architecture.
  • In a centralized NAS architecture, a UE communicates NAS messages with various network functions of the 5GC through a single point of entry, such as an access and mobility function (AMF), for example.
  • In a distributed NAS architecture, a UE communicates NAS messages directly with various network functions of the 5GC, thereby obviating the need for a single point of entry such as the AMF.
  • A distributed NAS architecture may have enhanced security concerns relative to a centralized NAS architecture.
  • A centralized NAS architecture uses a master security association referred to as a security anchor function (SEAF), which is stored in a UE and the AMF.
  • A distributed NAS architecture does not route NAS messages through the AMF. Instead, a UE communicates directly with a network function of the 5GC.
  • The distributed NAS architecture may need to establish separate security associations for each connection to ensure secure NAS signaling.
  • Embodiments herein relate to techniques for managing direct secure connections between a UE and an individual NF of a 5GC.
  • A UE and a NF may establish a direct secure connection by leveraging trusted security information previously generated for the UE and the CN.
  • Trusted security information may include 5G security context data and non-access stratum (NAS) security anchor function (SEAF) (NAS-SEAF) security context data, among other types of security context data.
  • This embodiment assumes that, upon initial registration with the 5GS, the UE establishes a NAS master security association.
  • The NAS master security association information is stored in the UE, as well as in the SEAF of the 5GC.
  • An apparatus for user equipment (UE) of a wireless system may include a memory interface to send or receive, to or from a data storage device, fifth generation (5G) security context data for a 5G system (5GS), the 5G security context data to include non-access stratum (NAS) security anchor function (SEAF) (NAS-SEAF) security context data.
  • The apparatus may also include processing circuitry communicatively coupled to the memory interface, the processing circuitry to determine to establish a secure NAS signaling connection with a network function (NF) (NAS-NF) of a core network (CN) of the 5GS, such as a NAS session management (SM) (NAS-SM) session, for example.
  • The processing circuitry may generate a NAS-NF request message, encode (or encapsulate) the NAS-NF request message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the 5GS, and decode a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the 5GS, the NAS-NF security context data based on the NAS-SEAF security context data associated with the UE for the 5GS.
  • The UE may use the NAS-NF security context data to establish a security association directly between the UE and the NF of the CN, and vice-versa, without using the NAS-SEAF security context data and without going through other security NFs of the CN, such as the SEAF, the SMF, or an access and mobility function (AMF).
  • The NAS-NF security context data may establish security associations between the UE and the NF in less time relative to legacy security techniques.
  • The NAS-NF security context data may also reduce resource requirements for the UE and other devices within the 5GS, including the CN and the RAN, such as saving compute cycles, memory space, battery power, communications bandwidth, radio resources, and so forth. Other embodiments are described and claimed.
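As an added illustration (not code from the patent or from Intel), the following Python models the first embodiment above: the UE and the NF each derive a NAS-NF security context from the shared NAS-SEAF context, bound to the target NF's identity, and the NF then verifies the UE's NAS message directly, without the AMF or SEAF in the path. The KDF shape follows the HMAC-SHA-256 construction of 3GPP TS 33.220; the function codes, labels, nonce, key value, NF identifiers and message text are constructed placeholders, since the page does not specify them.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed placeholders: the patent text does not name the KDF inputs or
# function codes, so these values are illustrative only.
FC_NAS_NF_KEY = 0x7A   # hypothetical FC: derive K_NF from K_SEAF, bound to one NF
FC_NAS_NF_ALG = 0x7B   # hypothetical FC: derive integrity/ciphering keys from K_NF
MAC_LEN = 4            # 32-bit MAC-I, the size NAS integrity protection uses
UPLINK = b"\x00"       # direction indicator folded into the MAC input


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP TS 33.220-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nas_nf_context(k_seaf: bytes, nf_type: str, nf_id: str, nonce: bytes) -> dict:
    """Run identically by the UE and by the NF from the shared NAS-SEAF key.

    K_NF is bound to the NF type and instance id, so the context for one NF
    cannot verify traffic meant for another NF (key separation per connection).
    """
    k_nf = kdf(k_seaf, FC_NAS_NF_KEY, nf_type.encode(), nf_id.encode(), nonce)
    # Algorithm keys are the 128 least significant bits of the 256-bit output,
    # the truncation rule 3GPP applies to K_NASint / K_NASenc.
    k_int = kdf(k_nf, FC_NAS_NF_ALG, b"int")[16:]
    k_enc = kdf(k_nf, FC_NAS_NF_ALG, b"enc")[16:]
    return {"nf": (nf_type, nf_id), "k_int": k_int, "k_enc": k_enc,
            "ul_count": 0, "last_ul_count": -1}


def protect_nas_message(ctx: dict, body: bytes) -> bytes:
    """UE side: NAS COUNT || body || MAC-I (integrity only; ciphering omitted)."""
    count = ctx["ul_count"]
    ctx["ul_count"] = count + 1
    header = struct.pack(">I", count)
    mac = hmac.new(ctx["k_int"], header + UPLINK + body, hashlib.sha256).digest()[:MAC_LEN]
    return header + body + mac


def verify_nas_message(ctx: dict, pdu: bytes) -> Optional[bytes]:
    """NF side: check MAC-I under the direct NAS-NF context and reject replays.

    Returns the message body on success, None on any failure.
    """
    if len(pdu) < 4 + MAC_LEN:
        return None
    header, body, mac = pdu[:4], pdu[4:-MAC_LEN], pdu[-MAC_LEN:]
    expected = hmac.new(ctx["k_int"], header + UPLINK + body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    (count,) = struct.unpack(">I", header)
    if count <= ctx["last_ul_count"]:      # replayed or stale COUNT
        return None
    ctx["last_ul_count"] = count
    return body


def demo() -> dict:
    """Walk the flow once and report the properties a defender would check."""
    k_seaf = bytes(range(32))           # constructed placeholder, not a real key
    nonce = b"\x01\x02\x03\x04"         # constructed; carried in the second RRC message
    ue_ctx = derive_nas_nf_context(k_seaf, "SMF", "smf-1", nonce)
    smf_ctx = derive_nas_nf_context(k_seaf, "SMF", "smf-1", nonce)
    pcf_ctx = derive_nas_nf_context(k_seaf, "PCF", "pcf-1", nonce)
    pdu = protect_nas_message(ue_ctx, b"PDU SESSION ESTABLISHMENT REQUEST")
    tampered = pdu[:6] + bytes([pdu[6] ^ 0x01]) + pdu[7:]
    return {
        "same_keys": ue_ctx["k_int"] == smf_ctx["k_int"],
        "accepted": verify_nas_message(smf_ctx, pdu),
        "replay_rejected": verify_nas_message(smf_ctx, pdu) is None,
        "tamper_rejected": verify_nas_message(smf_ctx, tampered) is None,
        "other_nf_rejected": verify_nas_message(pcf_ctx, pdu) is None,
        "key_separation": ue_ctx["k_int"] != pcf_ctx["k_int"],
    }


if __name__ == "__main__":
    print(demo())
```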
  • A UE and a NF may establish a direct secure connection by using a virtual security anchor proxy at both endpoints.
  • This solution is similar to how security is implemented for cloud computing systems.
  • The 5G and 6G systems are envisioned to integrate communication, computing, and data into their scope.
  • In a security group (SG) architecture, a UE communicates with a NF via the NAS protocol through an AMF about policy, session management, mobility, etc.
  • Modern 5GS use a conventional model where a UE communicates with network functions in the CN through NAS for mobility, session management, policies, location-based services, and so forth.
  • The communications go through an AMF.
  • The AMF further directs messages in the NAS container to various network functions (e.g., SMF, SMSF, PCF, LMF, etc.) based on a 4-bit container type, which indicates the destination of the NAS message.
  • A 5GS may implement security techniques that model cloud computing security techniques.
  • Various embodiments are generally directed to security techniques to enable communication between a UE and an NF instance via a service based interface (SBI).
  • SBI refers to the interface between two network functions or services that allows them to communicate with each other and exchange information.
  • The UE may be a service consumer or a service provider for the NF, such as for computing services.
  • Some embodiments enable communication between a UE and an NF of the CN using a virtual security anchor proxy at one or both endpoints.
  • Embodiments introduce techniques to enable secure communications between a UE and the CN using a virtual security anchor proxy at both endpoints.
  • The embodiments attempt to fulfill a set of 5GS requirements that includes: (1) a central unit - control plane (CU-CP) acts as a relay only, with no visibility into messages such as NAS messages; (2) end-to-end (E2E) encryption between a UE and a NF, such as a one-to-one security anchor or a security anchor based on the existing NAS security association; (3) the use of hypertext transfer protocol (HTTP) or similar protocols as an air interface protocol; (4) a core network perimeter defense to block insecure and unnecessary services to the core network; and (5) network function virtualizations (NFVs) in the service based architecture (SBA) are fully controlled by a mobile network operator (MNO).
  • All nodes connected to a communications bus in the CN may not be under full operator control.
  • Different security domains may exist, and the bus may cross borders across communication service providers (CSPs) or cloud providers. This is because there is no inherent trust between different NFs.
  • The virtual security anchor proxy at both endpoints allows a UE and a NF to communicate using secure network protocols, such as transport layer security (TLS), tunneled transport layer security (TTLS), HTTP secure (HTTPS), and other secure network protocols.
  • An apparatus for user equipment (UE) of a wireless system includes a memory interface to send or receive, to or from a data storage device, security information for a fifth generation (5G) system (5GS).
  • The apparatus also includes processing circuitry communicatively coupled to the memory interface, the processing circuitry to determine to establish a direct secure connection between a UE and a network function (NF) of a core network (CN) of the 5GS, generate a distributed non-access stratum (NAS) message for the NF, encode (or encapsulate) the distributed NAS message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the 5GS, and decode a second RRC message received from the base station, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF in the CN of the 5GS.
  • A telescopic FQDN is a hierarchical FQDN.
  • The processing circuitry of the UE may use the telescopic FQDN for the NF in the CN to establish a direct secure connection with the NF.
  • The UE may be a service consumer and the NF a service producer, or vice-versa.
  • The apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF.
  • The apparatus may also include the processing circuitry to establish a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF, the direct secure connection to comprise a transport layer security (TLS) connection, a tunneled transport layer security (TTLS) connection, a secure socket layer (SSL) connection, or a hypertext transfer protocol secure (HTTPS) connection.
  • The apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF, where the direct secure connection is established using a virtual security anchor proxy at the UE and the NF.
  • The apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF, where the direct secure connection is established via a service based interface (SBI) between the UE and the NF.
  • A component can be a processor (e.g., a microprocessor, a controller, or other processing device), a process running on a processor, a controller, an object, an executable, a program, a storage device, a computer, a tablet PC and/or a user equipment (e.g., mobile phone, etc.) with a processing device.
  • An application running on a server and the server can also be a component.
  • One or more components can reside within a process, and a component can be localized on one computer and/or distributed between two or more computers.
  • A set of elements or a set of other components can be described herein, in which the term “set”
  • These components can execute from various computer readable storage media having various data structures stored thereon such as with a module, for example.
  • The components can communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network, such as the Internet, a local area network, a wide area network, or similar network with other systems via the signal).
  • A component can be an apparatus with specific functionality provided by mechanical parts operated by electric or electronic circuitry, in which the electric or electronic circuitry can be operated by a software application or a firmware application executed by one or more processors.
  • The one or more processors can be internal or external to the apparatus and can execute at least a part of the software or firmware application.
  • A component can be an apparatus that provides specific functionality through electronic components without mechanical parts; the electronic components can include one or more processors therein to execute software and/or firmware that confer(s), at least in part, the functionality of the electronic components.
  • Circuitry may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group), or associated memory (shared, dedicated, or group) operably coupled to the circuitry that execute one or more software or firmware programs, a combinational logic circuit, or other suitable hardware components that provide the described functionality.
  • The circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules.
  • Circuitry may include logic, at least partially operable in hardware.
  • FIG. 1 illustrates an example of a wireless communication system 100.
  • The example wireless communication system 100 is described in the context of the long-term evolution (LTE) and fifth generation (5G) new radio (NR) (5G NR) cellular network communication standards as defined by one or more 3GPP technical specifications (TSs) and/or technical reports (TRs).
  • The wireless communication system 100 includes UE 102a and UE 102b (collectively referred to as the "UEs 102").
  • The UEs 102 are illustrated as smartphones (e.g., handheld touchscreen mobile computing devices connectable to one or more cellular networks).
  • Any of the UEs 102 can include other mobile or non-mobile computing devices, such as consumer electronics devices, cellular phones, smartphones, feature phones, tablet computers, wearable computer devices, personal digital assistants (PDAs), pagers, wireless handsets, desktop computers, laptop computers, in-vehicle infotainment (IVI), in-car entertainment (ICE) devices, an Instrument Cluster (IC), head-up display (HUD) devices, onboard diagnostic (OBD) devices, dashtop mobile equipment (DME), mobile data terminals (MDTs), Electronic Engine Management System (EEMS), electronic/engine control units (ECUs), electron!
  • Any of the UEs 102 may be IoT UEs, which can include a network access layer designed for low-power IoT applications utilizing short-lived UE connections.
  • An IoT UE can utilize technologies such as M2M or MTC for exchanging data with an MTC server or device using, for example, a public land mobile network (PLMN), proximity services (ProSe), device-to-device (D2D) communication, sensor networks, IoT networks, or combinations of them, among others.
  • The M2M or MTC exchange of data may be a machine-initiated exchange of data.
  • An IoT network describes interconnecting IoT UEs, which can include uniquely identifiable embedded computing devices (within the Internet infrastructure), with short-lived connections.
  • The IoT UEs may execute background applications (e.g., keep-alive messages or status updates) to facilitate the connections of the IoT network.
  • The UEs 102 are configured to connect (e.g., communicatively couple) with a radio access network (RAN) 112.
  • The RAN 112 may be a next generation RAN (NG RAN), an evolved UMTS terrestrial radio access network (E-UTRAN), or a legacy RAN, such as a UMTS terrestrial radio access network (UTRAN) or a GSM EDGE radio access network (GERAN).
  • NG RAN may refer to a RAN 112 that operates in a 5G NR wireless communication system 100.
  • E-UTRAN may refer to a RAN 112 that operates in an LTE or 4G wireless communication system 100.
  • Connections 118 and 120 are illustrated as an air interface to enable communicative coupling, and can be consistent with cellular communications protocols, such as a global system for mobile communications (GSM) protocol, a code-division multiple access (CDMA) network protocol, a push-to-talk (PTT) protocol, a PTT over cellular (POC) protocol, a universal mobile telecommunications system (UMTS) protocol, a 3GPP LTE protocol, a 5G NR protocol, or combinations of them, among other communication protocols.
  • The UE 102b is shown to be configured to access an access point (AP) 104 (also referred to as "WLAN node 104," “WLAN 104,” “WLAN Termination 104,” “WT 104" or the like) using a connection 122.
  • The connection 122 can include a local wireless connection, such as a connection consistent with any IEEE 802.11 protocol, in which the AP 104 would include a wireless fidelity (Wi-Fi) router.
  • The AP 104 is shown to be connected to the Internet without connecting to the core network of the wireless system, as described in further detail below.
  • The RAN 112 can include one or more nodes such as RAN nodes 106a and 106b (collectively referred to as “RAN nodes 106" or “RAN node 106") that enable the connections 118 and 120.
  • The terms "access node,” “access point,” or the like may describe equipment that provides the radio baseband functions for data or voice connectivity, or both, between a network and one or more users.
  • These access nodes can be referred to as base stations (BS), gNodeBs, gNBs, eNodeBs, eNBs, NodeBs, RAN nodes, road side units (RSUs), transmission reception points (TRxPs or TRPs), and the like, and can include ground stations (e.g., terrestrial access points) or satellite stations providing coverage within a geographic area (e.g., a cell), among others.
  • The term "NG RAN node” may refer to a RAN node 106 that operates in a 5G NR wireless communication system 100 (for example, a gNB), and the term “E-UTRAN node” may refer to a RAN node 106 that operates in an LTE or 4G wireless communication system 100 (e.g., an eNB).
  • The RAN nodes 106 may be implemented as one or more of a dedicated physical device such as a macrocell base station, or a low power (LP) base station for providing femtocells, picocells or other like cells having smaller coverage areas, smaller user capacity, or higher bandwidth compared to macrocells.
  • Some or all of the RAN nodes 106 may be implemented as one or more software entities running on server computers as part of a virtual network, which may be referred to as a cloud RAN (CRAN) or a virtual baseband unit pool (vBBUP).
  • the CRAN or vBBUP may implement a RAN function split, such as a packet data convergence protocol (PDCP) split in which radio resource control (RRC) and PDCP layers are operated by the CRAN/vBBUP and other layer two (e.g., data link layer) protocol entities are operated by individual RAN nodes 106; a medium access control (MAC)/ physical layer (PHY) split in which RRC, PDCP, MAC, and radio link control (RLC) layers are operated by the CRAN/vBBUP and the PHY layer is operated by individual RAN nodes 106; or a "lower PHY" split in which RRC, PDCP, RLC, and MAC layers and upper portions of the PHY layer are operated by the CRAN/vBBUP and lower portions of the PHY layer are operated by individual RAN nodes 106.
  • PDCP packet data convergence protocol
  • RRC radio resource control
  • RLC radio link control
  • an individual RAN node 106 may represent individual gNB distributed units (DUs) that are connected to a gNB central unit (CU) using individual F1 interfaces (not shown in FIG. 1).
  • the gNB-DUs can include one or more remote radio heads or RFEMs, and the gNB-CU may be operated by a server that is located in the RAN 112 (not shown) or by a server pool in a similar manner as the CRAN/vBBUP.
  • one or more of the RAN nodes 106 may be next generation eNBs (ng-eNBs), including RAN nodes that provide E-UTRA user plane and control plane protocol terminations toward the UEs 102, and are connected to a 5G core network (e.g., CN 114) using a next generation interface.
  • ng-eNBs next generation eNBs
  • 5G core network e.g., CN 114
  • RSU road side unit (in a vehicle-to-everything context)
  • UE-type RSU a RSU implemented in or by a UE
  • eNB-type RSU a RSU implemented in or by an eNB
  • gNB-type RSU a RSU implemented in or by a gNB
  • an RSU is a computing device coupled with radio frequency circuitry located on a roadside that provides connectivity support to passing vehicle UEs 102 (vUEs 102).
  • the RSU may also include internal data storage circuitry to store intersection map geometry, traffic statistics, media, as well as applications or other software to sense and control ongoing vehicular and pedestrian traffic.
  • the RSU may operate on the 5.9 GHz Dedicated Short Range Communications (DSRC) band to provide the very low latency communications required for high speed events, such as crash avoidance, traffic warnings, and the like. Additionally, or alternatively, the RSU may operate on the cellular V2X band to provide the aforementioned low latency communications, as well as other cellular communications services.
  • DSRC Dedicated Short Range Communications
  • the RSU may operate as a Wi-Fi hotspot (2.4 GHz band) or provide connectivity to one or more cellular networks to provide uplink and downlink communications, or both.
  • the computing device(s) and some or all of the radio-frequency circuitry of the RSU may be packaged in a weatherproof enclosure suitable for outdoor installation, and can include a network interface controller to provide a wired connection (e.g., Ethernet) to a traffic signal controller or a backhaul network, or both.
  • Any of the RAN nodes 106 can terminate the air interface protocol and can be the first point of contact for the UEs 102.
  • any of the RAN nodes 106 can fulfill various logical functions for the RAN 112 including, but not limited to, radio network controller (RNC) functions such as radio bearer management, uplink and downlink dynamic radio resource management and data packet scheduling, and mobility management.
  • RNC radio network controller
  • the UEs 102 can be configured to communicate using orthogonal frequency division multiplexing (OFDM) communication signals with each other or with any of the RAN nodes 106 over a multicarrier communication channel in accordance with various communication techniques, such as, but not limited to, OFDMA communication techniques (e.g., for downlink communications) or SC-FDMA communication techniques (e.g., for uplink communications), although the scope of the techniques described here is not limited in this respect.
  • OFDM signals can comprise a plurality of orthogonal subcarriers.
  • the RAN nodes 106 can transmit to the UEs 102 over various channels.
  • Various examples of downlink communication channels include Physical Broadcast Channel (PBCH), Physical Downlink Control Channel (PDCCH), and Physical Downlink Shared Channel (PDSCH). Other types of downlink channels are possible.
  • the UEs 102 can transmit to the RAN nodes 106 over various channels.
  • Various examples of uplink communication channels include Physical Uplink Shared Channel (PUSCH), Physical Uplink Control Channel (PUCCH), and Physical Random Access Channel (PRACH). Other types of uplink channels are possible.
  • a downlink resource grid can be used for downlink transmissions from any of the RAN nodes 106 to the UEs 102, while uplink transmissions can utilize similar techniques.
  • the grid can be a time-frequency grid, called a resource grid or time-frequency resource grid, which is the physical resource in the downlink in each slot.
  • a time-frequency plane representation is a common practice for OFDM systems, which makes it intuitive for radio resource allocation.
  • Each column and each row of the resource grid corresponds to one OFDM symbol and one OFDM subcarrier, respectively.
  • the duration of the resource grid in the time domain corresponds to one slot in a radio frame.
  • the smallest time-frequency unit in a resource grid is denoted as a resource element.
  • Each resource grid comprises a number of resource blocks, which describe the mapping of certain physical channels to resource elements.
  • Each resource block comprises a collection of resource elements; in the frequency domain, this may represent the smallest quantity of resources that currently can be allocated.
  • the PDSCH carries user data and higher-layer signaling to the UEs 102.
  • the PDCCH carries information about the transport format and resource allocations related to the PDSCH channel, among other things. It may also inform the UEs 102 about the transport format, resource allocation, and hybrid automatic repeat request (HARQ) information related to the uplink shared channel.
  • HARQ hybrid automatic repeat request
  • Downlink scheduling e.g., assigning control and shared channel resource blocks to the UE 102b within a cell
  • the downlink resource assignment information may be sent on the PDCCH used for (e.g., assigned to) each of the UEs 102.
  • the PDCCH uses control channel elements (CCEs) to convey the control information.
  • CCEs control channel elements
  • the PDCCH complex-valued symbols may first be organized into quadruplets, which may then be permuted using a subblock interleaver for rate matching.
  • each PDCCH may be transmitted using one or more of these CCEs, in which each CCE may correspond to nine sets of four physical resource elements collectively referred to as resource element groups (REGs).
  • REGs resource element groups
  • QPSK Quadrature Phase Shift Keying
  • the PDCCH can be transmitted using one or more CCEs, depending on the size of the downlink control information (DCI) and the channel condition.
  • DCI downlink control information
  • there can be four or more different PDCCH formats defined with different numbers of CCEs (e.g., aggregation level L = 1, 2, 4, or 8).
  • Some implementations may use concepts for resource allocation for control channel information that are an extension of the above-described concepts.
  • some implementations may utilize an enhanced PDCCH (EPDCCH) that uses PDSCH resources for control information transmission.
  • the EPDCCH may be transmitted using one or more enhanced CCEs (ECCEs). Similar to above, each ECCE may correspond to nine sets of four physical resource elements collectively referred to as an enhanced REG (EREG). An ECCE may have other numbers of EREGs.
  • the RAN nodes 106 are configured to communicate with one another using an interface 132.
  • the interface 132 may be an X2 interface 132.
  • the X2 interface may be defined between two or more RAN nodes 106 (e.g., two or more eNBs and the like) that connect to the CN 114, or between two eNBs connecting to CN 114, or both.
  • the X2 interface can include an X2 user plane interface (X2-U) and an X2 control plane interface (X2-C).
  • the X2-U may provide flow control mechanisms for user data packets transferred over the X2 interface, and may be used to communicate information about the delivery of user data between eNBs.
  • the X2-U may provide specific sequence number information for user data transferred from a master eNB to a secondary eNB; information about successful in sequence delivery of PDCP protocol data units (PDUs) to a UE 102 from a secondary eNB for user data; information of PDCP PDUs that were not delivered to a UE 102; information about a current minimum desired buffer size at the secondary eNB for transmitting to the UE user data, among other information.
  • the X2-C may provide intra-LTE access mobility functionality, including context transfers from source to target eNBs or user plane transport control; load management functionality; intercell interference coordination functionality, among other functionality.
  • the interface 132 may be an Xn interface 132.
  • the Xn interface may be defined between two or more RAN nodes 106 (e.g., two or more gNBs and the like) that connect to the 5G CN 114, between a RAN node 106 (e.g., a gNB) connecting to the 5G CN 114 and an eNB, or between two eNBs connecting to the 5G CN 114, or combinations of them.
  • the Xn interface can include an Xn user plane (Xn-U) interface and an Xn control plane (Xn-C) interface
  • the Xn-U may provide non-guaranteed delivery of user plane PDUs and support/provide data forwarding and flow control functionality.
  • the Xn-C may provide management and error handling functionality, functionality to manage the Xn-C interface; mobility support for UE 102 in a connected mode (e.g., CM-CONNECTED) including functionality to manage the UE mobility for connected mode between one or more RAN nodes 106, among other functionality.
  • a connected mode e.g., CM-CONNECTED
  • the mobility support can include context transfer from an old (source) serving RAN node 106 to new (target) serving RAN node 106, and control of user plane tunnels between old (source) serving RAN node 106 to new (target) serving RAN node 106.
  • a protocol stack of the Xn-U can include a transport network layer built on Internet Protocol (IP) transport layer, and a GPRS tunneling protocol for user plane (GTP-U) layer on top of a user datagram protocol (UDP) or IP layer(s), or both, to carry user plane PDUs.
  • IP Internet Protocol
  • GTP-U GPRS tunneling protocol for user plane
  • UDP user datagram protocol
  • IP layer(s) IP layer(s)
  • the Xn-C protocol stack can include an application layer signaling protocol (referred to as Xn Application Protocol (Xn-AP or XnAP)) and a transport network layer (TNL) that is built on a stream control transmission protocol (SCTP).
  • the SCTP may be on top of an IP layer, and may provide the guaranteed delivery of application layer messages.
  • point-to-point transmission is used to deliver the signaling PDUs.
  • the Xn-U protocol stack or the Xn-C protocol stack, or both may be same or similar to the user plane and/or control plane protocol stack(s) shown and described herein.
  • the RAN 112 is shown to be communicatively coupled to a CN 114 (referred to as a "CN 114").
  • the CN 114 includes multiple network elements and/or network functions (NFs), such as network element 108a and network element 108b (collectively referred to as the "network elements 108"), which are configured to offer various data and telecommunications services to customers/subscribers (e.g., users of UEs 102) who are connected to the CN 114 using the RAN 112.
  • NFs network elements and/or network functions
  • the components of the CN 114 may be implemented in one physical node or separate physical nodes and can include components to read and execute instructions from a machine-readable or computer-readable medium (e.g., a non-transitory machine-readable storage medium).
  • network functions virtualization may be used to virtualize some or all of the network node functions described here using executable instructions stored in one or more computer- readable storage mediums, as described in further detail below.
  • a logical instantiation of the CN 114 may be referred to as a network slice, and a logical instantiation of a portion of the CN 114 may be referred to as a network sub-slice.
  • NFV architectures and infrastructures may be used to virtualize one or more network functions, alternatively performed by proprietary hardware, onto physical resources comprising a combination of industry-standard server hardware, storage hardware, or switches.
  • NFV systems can be used to execute virtual or reconfigurable implementations of one or more network components or functions, or both.
  • the CN 114 may be a 5G core network (referred to as "5GC CN 114" or "5G CN 114"), and the RAN 112 may be connected with the CN 114 using a next generation interface 124.
  • the next generation interface 124 may be split into two parts, a next generation user plane (NG-U) interface 128, which carries traffic data between the RAN nodes 106 and a user plane function (UPF), and the next generation control plane (NG-C) interface 126, which is a signaling interface between the RAN nodes 106 and access and mobility management functions (AMFs). Examples where the CN 114 is a 5G core network are discussed in more detail with regard to later figures.
  • the CN 114 may be an evolved packet core (EPC) (referred to as "EPC CN 114" or the like), and the RAN 112 may be connected with the CN 114 using an S1 interface 124.
  • the S1 interface 124 may be split into two parts, an S1 user plane (S1-U) interface 128, which carries traffic data between the RAN nodes 106 and the serving gateway (S-GW), and the S1-MME interface 126, which is a signaling interface between the RAN nodes 106 and mobility management entities (MMEs).
  • S1-U S1 user plane
  • S-GW serving gateway
  • MMEs mobility management entities
  • the CN 114 may include MME, SGW, SGSN, HSS, PGW, PCRF, and/or other NFs coupled with one another over various interfaces (or “reference points”) (not shown).
  • the CN 114 may be a 5GC including an AUSF, AMF, SMF, UPF, NSSF, NEF, NRF, PCF, UDM, AF, and/or other NFs coupled with one another over various service-based interfaces and/or reference points.
  • the 5GC may enable edge computing by selecting operator/3rd party services to be geographically close to a point that the UE 102 is attached to the network. This may reduce latency and load on the network.
  • the 5GC may select a UPF close to the UE 102 and execute traffic steering from the UPF to a data network (DN) 134 via an N6 interface. This may be based on the UE subscription data, UE location, and information provided by the AF, which allows the AF to influence UPF (re)selection and traffic routing.
  • DN data network
  • the DN 134 may represent various network operator services, Internet access, or third party services that may be provided by one or more servers including, for example, the application server 110.
  • the application server 110 may be an element offering applications that use IP bearer resources with the core network (e.g., UMTS packet services (PS) domain, LTE PS data services, among others).
  • the application server 110 can also be configured to support one or more communication services (e.g., VoIP sessions, PTT sessions, group communication sessions, social networking services, among others) for the UEs 102 using the CN 114.
  • the application server 110 can use an IP communications interface 130 to communicate with one or more network element 108a or network element 108b.
  • the DN 134 may be an operator-external public PDN, a private PDN, or an intra-operator packet data network, for example, for provision of IMS services.
  • the application server 110 can be coupled to an IMS via an S-CSCF or the I-CSCF.
  • the DN 134 may represent one or more local area DNs (LADNs), which are DNs (or DN names (DNNs)) that is/are accessible by a UE 102 in one or more specific areas. Outside of these specific areas, the UE 102 is not able to access the LADN/DN.
  • LADNs local area DNs
  • DNNs DN names
  • the DN 134 may be an Edge DN 134, which is a (local) Data Network that supports the architecture for enabling edge applications.
  • the application server 110 may represent the physical hardware systems/devices providing app server functionality and/or the application software resident in the cloud or at an edge compute node that performs server function(s).
  • the application server 110 provides an edge hosting environment that provides support required for Edge Application Server's execution.
  • the 5GS can use one or more edge compute nodes to provide an interface and offload processing of wireless communication traffic.
  • the edge compute nodes may be included in, or co-located with one or more RAN 112.
  • the edge compute nodes can provide a connection between the RAN 112 and UPF in the 5GC.
  • the edge compute nodes can use one or more NFV instances instantiated on virtualization infrastructure within the edge compute nodes to process wireless connections to and from the RAN 112 and a UPF.
  • FIG. 2 illustrates a wireless communication system 200.
  • the wireless communication system 200 is a sub-system of the wireless communication system 100 illustrated in FIG. 1.
  • the wireless communication system 200 depicts a UE 202 connected to a gNB 204 over a connection 212.
  • the UE 202 and connection 212 are similar to the UE 102 and the connections 118, 120 described with reference to FIG. 1.
  • the gNB 204 is similar to the RAN node 106, and represents an implementation of the RAN node 106 as a gNB with a dual-architecture.
  • the gNB 204 is divided into two physical entities referred to as a centralized or central unit (CU) and a distributed unit (DU).
  • the gNB 204 may comprise a gNB-CU 214 and one or more gNB-DU 210.
  • the gNB-CU 214 is further divided into a gNB-CU control plane (gNB-CU-CP) 206 and a gNB-CU user plane (gNB-CU-UP) 208.
  • the gNB-CU-CP 206 and the gNB-CU-UP 208 communicate over an E1 interface.
  • the gNB-CU-CP 206 communicates with one or more gNB-DU 210 over an F1-C interface.
  • the gNB-CU-UP 208 communicates with the one or more gNB-DU 210 over an F1-U interface.
  • the gNB-CU-CP 206 and the gNB-CU-UP 208 provide support for higher layers of a protocol stack such as Service Data Adaptation Protocol (SDAP), Packet Data Convergence Protocol (PDCP) and RRC.
  • the gNB-DU 210 provides support for lower layers of the protocol stack such as Radio Link Control (RLC), MAC layer, and PHY layer.
  • RLC Radio Link Control
  • the gNB 204 may have more than 100 gNB-DU 210 connected to a single gNB-CU 214.
  • Each gNB-DU 210 is able to support one or more cells, where one gNB 204 can potentially control hundreds of cells in a 5G NR system.
  • the UE 202 can enter different RRC states, such as an idle state and a connected state.
  • the UE 202 can also enter an inactive state where the UE 202 is registered with the network but not actively transmitting data.
  • a resume procedure can prepare the UE 202 for subsequent data transmission by causing the UE 202 to switch from an inactive state to a connected state.
  • the RRC states for a 5G NR enabled UE can include RRC_IDLE, RRC_INACTIVE, and RRC_CONNECTED states. When not transmitting data in an RRC_CONNECTED state, the UE 202 can switch to an RRC_INACTIVE state but remain registered with the network.
  • FIG. 3 illustrates a network architecture 300.
  • FIG. 3 illustrates block diagrams of NF components (NFs) and interfaces in connection with embodiments/aspects described herein.
  • a next generation (NG) radio access network (RAN) comprises a functional split feature that splits a gNodeB (gNB) (also referred to as an "NG RAN," "NG RAN node," or the like) into a gNB-Centralized Unit (CU) (gNB-CU) that implements the upper layer of gNB function and a gNB-Distributed Unit (DU) (gNB-DU) that implements the lower layer gNB function.
  • gNB gNodeB
  • CU gNB-Centralized Unit
  • DU gNB-Distributed Unit
  • the 5G core NFs and gNB-CU can be implemented as Virtualized Network Functions (VNFs), and the gNB-CU and/or gNB-DU can be implemented as Physical Network Function(s) (PNF(s)).
  • An Operator can create a virtualized 5G network by using the European Telecommunications Standards Institute (ETSI) network functions virtualization (NFV) lifecycle management function to instantiate a Network Service (NS) in the cloud that includes various VNFs (e.g., 5G core NFs, gNB-CU), PNFs (e.g., gNB-DU), and VNF Forwarding Graph(s) (VNFFG(s)).
  • VNFs e.g., 5G core NFs, gNB-CU
  • PNFs e.g., gNB-DU
  • VNFFG(s) VNF Forwarding Graph
  • FIG. 3 illustrates an architecture of a network architecture 300 including a second CN 334 in accordance with various embodiments.
  • the network architecture 300 is similar to the wireless communication system 100, and may illustrate equipment, devices and network elements similar to those described with reference to the wireless communication system 100.
  • the network architecture 300 includes a user equipment (UE) 324, a RAN 326 or access node (AN); and a DN 330, which can all be the same or similar to similarly named elements as discussed herein.
  • the DN 330 is the same or similar to the DN 134, and it can implement, for example, operator services, Internet access or 3rd party services, as discussed further below.
  • the CN 114 may be implemented as a 5GC or 5GS, and it can include an Authentication Server Function (AUSF) 316; an AMF 318; an SMF 320; a NEF 304; a PCF 308; an NRF 306; a Unified Data Management (UDM) 310; an application function (AF) 312; a SCP 322; a user plane function (UPF) 328; a Network Slice-Specific Authentication and Authorization Function (NSSAAF) 314; and an NSSF 302, each with respective components for processing corresponding 5GC network functions (NFs).
  • AUSF Authentication Server Function
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • NEF Network Exposure Function
  • NRF Network Repository Function
  • NSSAAF Network Slice-Specific Authentication and Authorization Function
  • the UPF 328 can act as an anchor point for intra-RAT and inter-RAT mobility, an external protocol data unit (PDU) session point of interconnect to DN 203, and a branching point to support multi-homed PDU session.
  • the UPF 328 can also perform packet routing and forwarding, perform packet inspection, enforce the user plane part of policy rules, lawfully intercept packets (UP collection), perform traffic usage reporting, perform QoS handling for a user plane (e.g., packet filtering, gating, uplink (UL)/downlink (DL) rate enforcement), perform Uplink Traffic verification (e.g., Service Data Flow (SDF) to Quality of Service (QoS) flow mapping), transport level packet marking in the uplink and downlink, and perform downlink packet buffering and downlink data notification triggering.
  • SDF Service Data Flow
  • QoS Quality of Service
  • UPF 328 can include an uplink classifier to support routing traffic flows to a data network.
  • the DN 330 can represent various network operator services, Internet access, or third party services. DN 330 can include, or be similar to, application server XQ30 discussed previously.
  • the UPF 328 can interact with the SMF 320 via an N4 reference point between the SMF 320 and the UPF 328.
  • the AUSF 316 can store data for authentication of UE 202 and handle authentication-related functionality.
  • the AUSF 316 can facilitate a common authentication framework for various access types.
  • the AUSF 316 can communicate with the AMF 318 via an N12 reference point between the AMF 318 and the AUSF 316; and can communicate with the UDM 310 via an N13 reference point between the UDM 310 and the AUSF 316. Additionally, the AUSF 316 can exhibit an Nausf service-based interface.
  • the AMF 318 can be responsible for registration management (e.g., for registering UE 202, etc.), connection management, reachability management, mobility management, and lawful interception of AMF-related events, and access authentication and authorization.
  • the AMF 318 can be a termination point for an N11 reference point between the AMF 318 and the SMF 320.
  • the AMF 318 can provide transport for SM messages between the UE 202 and the SMF 320, and act as a transparent proxy for routing SM messages.
  • AMF 318 can also provide transport for SMS messages between UE 202 and a Short Message Service (SMS) function (SMSF) (not shown by FIG. 3).
  • SMS Short Message Service
  • AMF 318 can act as Security Anchor Function (SEAF), which can include interaction with the AUSF 316 and the UE 202, receipt of an intermediate key that was established as a result of the UE 202 authentication process. Where Universal Subscriber Identity Module (USIM) based authentication is used, the AMF 318 can retrieve the security material from the AUSF 316. AMF 318 can also include a Security Context Management (SCM) function, which receives a key from the SEAF that it uses to derive access-network specific keys.
  • SEAF Security Anchor Function
  • SCM Security Context Management
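The SEAF/SCM roles described above can be made concrete with the 5G key hierarchy. The following is an added example, not code from the patent: the AUSF derives the intermediate key KSEAF from KAUSF and hands it to the SEAF, and the SCM then derives the AMF key and the access-network specific NAS and gNB keys from it. The KDF is the HMAC-SHA-256 construction of 3GPP TS 33.220 Annex B, and the FC values and parameter layout are assumed here to follow TS 33.501 Annex A; the page itself states none of these constants, and every key, SUPI and network name below is constructed sample data.

```python
"""Added example (not from the patent): SEAF/SCM key derivation for 5G.

KDF, FC values and parameter layout are assumed per 3GPP TS 33.220 Annex B
and TS 33.501 Annex A. All key material and identities are constructed."""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).

    Each parameter Pi is followed by its 2-byte big-endian length Li."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def ausf_derive_kseaf(kausf: bytes, serving_network_name: str) -> bytes:
    """AUSF side: KSEAF = KDF(KAUSF, FC=0x6C, P0=serving network name).

    Binding to the serving network name is what ties the anchor key to the
    network the UE actually authenticated with (assumed FC per A.6)."""
    return kdf(kausf, 0x6C, serving_network_name.encode())


def derive_kamf(kseaf: bytes, supi: str, abba: bytes) -> bytes:
    """KAMF = KDF(KSEAF, FC=0x6D, P0=SUPI, P1=ABBA) (assumed FC per A.7)."""
    return kdf(kseaf, 0x6D, supi.encode(), abba)


# Algorithm type distinguishers for NAS key derivation (assumed per A.8).
N_NAS_ENC_ALG = 0x01
N_NAS_INT_ALG = 0x02


def derive_nas_key(kamf: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit NAS ciphering/integrity key: the 128 least significant bits
    of KDF(KAMF, FC=0x69, P0=algorithm type, P1=algorithm identity)."""
    return kdf(kamf, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_kgnb(kamf: bytes, uplink_nas_count: int, access_type: int = 0x01) -> bytes:
    """KgNB = KDF(KAMF, FC=0x6E, P0=uplink NAS COUNT (4 bytes),
    P1=access type distinguisher; 0x01 = 3GPP access) (assumed per A.9).
    A fresh uplink NAS COUNT gives a fresh KgNB on each AS context setup."""
    return kdf(kamf, 0x6E, uplink_nas_count.to_bytes(4, "big"), bytes([access_type]))


class SecurityAnchor:
    """Minimal model of the AMF acting as SEAF plus SCM: it holds the
    KSEAF received from the AUSF and derives the per-UE security context."""

    def __init__(self, kseaf: bytes):
        self.kseaf = kseaf

    def establish_context(self, supi: str, abba: bytes, nas_enc_alg: int,
                          nas_int_alg: int, uplink_nas_count: int) -> dict:
        kamf = derive_kamf(self.kseaf, supi, abba)
        return {
            "kamf": kamf,
            "knas_enc": derive_nas_key(kamf, N_NAS_ENC_ALG, nas_enc_alg),
            "knas_int": derive_nas_key(kamf, N_NAS_INT_ALG, nas_int_alg),
            "kgnb": derive_kgnb(kamf, uplink_nas_count),
        }


if __name__ == "__main__":
    # Constructed sample values; KAUSF would come from primary authentication.
    kausf = bytes(range(32))
    kseaf = ausf_derive_kseaf(kausf, "5G:mnc001.mcc001.3gppnetwork.org")
    ctx = SecurityAnchor(kseaf).establish_context(
        "imsi-001010123456789", b"\x00\x00", nas_enc_alg=2, nas_int_alg=2,
        uplink_nas_count=0)
    for name, k in ctx.items():
        print(f"{name}: {k.hex()}")
```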
  • AMF 318 can be a termination point of a RAN CP interface or RAN connection point interface, which can include or be an N2 reference point between the RAN 326 and the AMF 318; and the AMF 318 can be a termination point of Non Access Stratum (NAS) layer (N1) signaling, and perform NAS ciphering and integrity protection.
  • NAS Non Access Stratum
  • N1 NAS layer signaling reference point between the UE and the AMF
  • AMF 318 can also support NAS signaling with a UE 202 over an N3 Interworking Function (IWF) interface.
  • the N3 IWF can be used to provide access to untrusted entities.
  • N3IWF can be a termination point for the N2 interface between the RAN 326 and the AMF 318 for the control plane, and can be a termination point for the N3 reference point between the RAN 326 and the UPF for the user plane.
  • the AMF 318 can handle N2 signaling from the SMF 320 and the AMF 318 for PDU sessions and QoS, encode/decode packets for IPSec and N3 tunneling, mark N3 user-plane packets in the uplink, and enforce QoS corresponding to N3 packet marking considering QoS requirements associated with such marking received over N2.
  • N3IWF can also relay uplink and downlink control-plane NAS signaling between the UE 202 and AMF 318 via an N1 reference point between the UE 202 and the AMF 318, and relay uplink and downlink user-plane packets between the UE 202 and UPF 328.
  • the N3IWF also provides mechanisms for IPsec tunnel establishment with the UE 202.
  • the AMF 318 can exhibit an Namf service-based interface, and can be a termination point for an N14 reference point between two AMFs and an N17 reference point between the AMF 318 and a 5G-Equipment Identity Register (EIR) (not shown by FIG. 3).
  • EIR 5G-Equipment Identity Register
  • the UE 202 can need to register with the AMF 318 in order to receive network services.
  • Registration Management is used to register or deregister the UE 202 with the network (e.g., AMF 318), and establish a UE context in the network (e.g., AMF 318).
  • the UE 202 can operate in an RM-REGISTERED state or an RM-DEREGISTERED state. In the RM-DEREGISTERED state, the UE 202 is not registered with the network, and the UE context in AMF 318 holds no valid location or routing information for the UE 202 so the UE 202 is not reachable by the AMF 318.
  • In the RM-REGISTERED state, the UE 202 is registered with the network, and the UE context in AMF 318 can hold valid location or routing information for the UE 202 so the UE 202 is reachable by the AMF 318.
  • In the RM-REGISTERED state, the UE 202 can perform mobility Registration Update procedures, perform periodic Registration Update procedures triggered by expiration of the periodic update timer (e.g., to notify the network that the UE 202 is still active), and perform a Registration Update procedure to update UE capability information or to re-negotiate protocol parameters with the network, among others.
  • the AMF 318 can store one or more RM contexts for the UE 202, where each RM context is associated with a specific access to the network.
  • the RM context can be a data structure, database object, etc. that indicates or stores, inter alia, a registration state per access type and the periodic update timer.
  • the AMF 318 can also store a 5GC MM context that can be the same or similar to the (E)MM context discussed previously.
  • the AMF 318 can store a CE mode B Restriction parameter of the UE 202 in an associated MM context or RM context.
  • the AMF 318 can also derive the value, when needed, from the UE's usage setting parameter already stored in the UE context (and/or MM/RM context).
  • Connection Management can be used to establish and release a signaling connection between the UE 202 and the AMF 318 over the N1 interface.
  • the signaling connection is used to enable NAS signaling exchange between the UE 202 and the CN 334, and comprises both the signaling connection between the UE and the Access Network (AN) (e.g., Radio Resource Control (RRC) connection or UE-N3IWF connection for non-3GPP access) and the N2 connection for the UE 202 between the AN (e.g., RAN 326) and the AMF 318.
  • the UE 202 can operate in one of two CM states, CM-IDLE mode or CM-CONNECTED mode.
  • When the UE 202 is operating in the CM-IDLE state/mode, the UE 202 has no NAS signaling connection established with the AMF 318 over the N1 interface, and there is no RAN 326 signaling connection (e.g., N2 and/or N3 connections) for the UE 202.
  • When the UE 202 is operating in the CM-CONNECTED state/mode, the UE 202 can have an established NAS signaling connection with the AMF 318 over the N1 interface, and there can be a RAN 326 signaling connection (e.g., N2 and/or N3 connections) for the UE 202.
  • Establishment of an N2 connection between the RAN 326 and the AMF 318 can cause the UE 202 to transition from CM-IDLE mode to CM-CONNECTED mode, and the UE 202 can transition from the CM-CONNECTED mode to the CM-IDLE mode when N2 signaling between the RAN 326 and the AMF 318 is released.
  • the SMF 320 can be responsible for SM (e.g., session establishment, modify and release, including tunnel maintain between UPF and AN node); UE IP address allocation and management (including optional authorization); selection and control of UP function; configuring traffic steering at UPF to route traffic to proper destination; termination of interfaces toward policy control functions; controlling part of policy enforcement and QoS; lawful intercept (for SM events and interface to LI system); termination of SM parts of NAS messages; downlink data notification; initiating AN specific SM information, sent via AMF over N2 to AN; and determining SSC mode of a session.
  • SM e.g., session establishment, modify and release, including tunnel maintain between UPF and AN node
  • UE IP address allocation and management including optional authorization
  • selection and control of UP function configuring traffic steering at UPF to route traffic to proper destination; termination of interfaces toward policy control functions; controlling part of policy enforcement and QoS; lawful intercept (for SM events and interface to LI system); termination of SM parts of NAS messages
  • SM can refer to management of a PDU session
  • a PDU session or “session” can refer to a PDU connectivity service that provides or enables the exchange of PDUs between a UE 202 and a DN 330 identified by a Data Network Name (DNN).
  • DNN Data Network Name
  • PDU sessions can be established upon UE 202 request, modified upon UE 202 and 5GC CN 334 request, and released upon UE 202 and 5GC CN 334 request using NAS SM signaling exchanged over the N1 reference point between the UE 202 and the SMF 320.
  • the 5GC CN 334 can trigger a specific application in the UE 202.
  • the UE 202 can pass the trigger message (or relevant parts/information of the trigger message) to one or more identified applications in the UE 202.
  • the identified application(s) in the UE 202 can establish a PDU session to a specific DNN.
  • the SMF 320 can check whether the UE 202 requests are compliant with user subscription information associated with the UE 202. In this regard, the SMF 320 can retrieve and/or request to receive update notifications on SMF 320 level subscription data from the UDM 310.
  • the SMF 320 can include the following roaming functionality: handling local enforcement to apply QoS SLAs (VPLMN); charging data collection and charging interface (VPLMN); lawful intercept (in VPLMN for SM events and interface to LI system), and support for interaction with external DN 330 for transport of signaling for PDU session authorization/authentication by external DN 330.
  • An N16 reference point between two SMFs 320 can be included in the network architecture 300, which can be between another SMF 320 in a visited network and the SMF 320 in the home network in roaming scenarios. Additionally, the SMF 320 can exhibit the Nsmf service-based interface.
  • the NEF 304 can provide means for securely exposing the services and capabilities provided by 3GPP network functions for third party, internal exposure/re-exposure, Application Functions (e.g., AF 312), edge computing or fog computing systems, etc.
  • the NEF 304 can authenticate, authorize, and/or throttle the AFs 312.
  • NEF 304 can also translate between information exchanged with the AF 312 and information exchanged with internal network functions. For example, the NEF 304 can translate between an AF-Service-Identifier and internal 5GC information.
  • NEF 304 can also receive information from other network functions (NFs) based on exposed capabilities of other network functions.
  • This information can be stored at the NEF 304 as structured data, or at a data storage NF using standardized interfaces. The stored information can then be reexposed by the NEF 304 to other NFs and AFs, and/or used for other purposes such as analytics. Additionally, the NEF 304 can exhibit an Nnef service-based interface.
  • the NRF 306 can support service discovery functions, receive NF discovery requests from NF instances, and provide the information of the discovered NF instances to the requesting NF instances. The NRF 306 also maintains information on available NF instances and their supported services. As used herein, the terms “instantiate,” “instantiation,” and the like can refer to the creation of an instance, and an “instance” can refer to a concrete occurrence of an object, which can occur, for example, during execution of program code. Additionally, the NRF 306 can exhibit the Nnrf service-based interface.
  • the PCF 308 can provide policy rules to control plane function(s) to enforce them, and can also support unified policy framework to govern network behavior.
  • the PCF 308 can also implement a front end (FE) to access subscription information relevant for policy decisions in the Unified Data Repository (UDR) of the UDM 310.
  • the PCF 308 can communicate with the AMF 318 via an N15 reference point between the PCF 308 and the AMF 318, which can include a PCF 308 in a visited network and the AMF 318 in case of roaming scenarios.
  • the PCF 308 can communicate with the application function AF 312 via an N5 reference point between the PCF 308 and the AF 312; and with the SMF 320 via an N7 reference point between the PCF 308 and the SMF 320.
  • the network architecture 300 and/or CN 334 can also include an N24 reference point between the PCF 308 (in the home network) and a PCF 308 in a visited network. Additionally, the PCF 308 can exhibit an Npcf service-based interface.
  • the UDM 310 can handle subscription-related information to support the network entities' handling of communication sessions, and can store subscription data of UE 202.
  • subscription data can be communicated between the UDM 310 and the AMF 318 via an N8 reference point between the UDM 310 and the AMF 318.
  • the UDM 310 can include two parts, an application FE and a Unified Data Repository (UDR) (the FE and UDR are not shown by FIG. 3).
  • the UDR can store subscription data and policy data for the UDM 310 and the PCF 308, and/or structured data for exposure and application data (including PFDs for application detection and application request information for multiple UEs 202) for the NEF 304.
  • the Nudr service-based interface can be exhibited by the UDR to allow the UDM 310, PCF 308, and NEF 304 to access a particular set of the stored data, as well as to read, update (e.g., add, modify), delete, and subscribe to notification of relevant data changes in the UDR.
  • the UDM 310 can include a UDM-FE, which is in charge of processing credentials, location management, subscription management and so on. Several different front ends can serve the same user in different transactions.
  • the UDM-FE accesses subscription information stored in the UDR and performs authentication credential processing, user identification handling, access authorization, registration/mobility management, and subscription management.
  • the UDM 310 can interact with the SMF 320 via an N10 reference point between the UDM 310 and the SMF 320.
  • UDM 310 can also support SMS management, wherein an SMS-FE implements application logic similar to that discussed previously. Additionally, the UDM 310 can exhibit the Nudm service-based interface.
  • the AF 312 can provide application influence on traffic routing, provide access to the NCE, and interact with the policy framework for policy control.
  • the NCE can be a mechanism that allows the 5GC CN 334 and AF 312 to provide information to each other via NEF 304, which can be used for edge computing implementations.
  • the network operator and third party services can be hosted close to the UE 202's point of attachment to achieve efficient service delivery through reduced end-to-end latency and reduced load on the transport network.
  • the 5GC can select a UPF 328 close to the UE 202 and execute traffic steering from the UPF 328 to DN 330 via the N6 interface.
  • the AF 312 can influence UPF (re)selection and traffic routing. Based on operator deployment, when AF 312 is considered to be a trusted entity, the network operator can permit AF 312 to interact directly with relevant NFs. Additionally, the AF 312 can exhibit a Naf service-based interface.
  • the NSSF 302 can select a set of network slice instances serving the UE 202.
  • the NSSF 302 can also determine allowed NSSAI and the mapping to the subscribed single Network Slice Selection Assistance Information (S-NSSAIs), if needed.
  • the NSSF 302 can also determine the AMF 318 set to be used to serve the UE 202, or a list of candidate AMFs 318, based on a suitable configuration and possibly by querying the NRF 306.
  • the selection of a set of network slice instances for the UE 202 can be triggered by the AMF 318 with which the UE 202 is registered by interacting with the NSSF 302, which can lead to a change of AMF 318.
  • the NSSF 302 can interact with the AMF 318 via an N22 reference point between AMF 318 and NSSF 302; and can communicate with another NSSF 302 in a visited network via an N31 reference point (not shown by FIG. 3). Additionally, the NSSF 302 can exhibit an Nnssf service-based interface.
  • the CN 334 can include an SMSF, which can be responsible for SMS subscription checking and verification, and relaying SM messages to/from the UE 202 to/from other entities, such as an SMS-GMSC/IWMSC/SMS-router.
  • the SMSF can also interact with AMF 318 and UDM 310 for a notification procedure that the UE 202 is available for SMS transfer (e.g., set a UE not reachable flag, and notify UDM 310 when UE 202 is available for SMS).
  • the CN 334 can also include other elements that are not shown by FIG. 3, such as a Data Storage system/architecture, a 5G-EIR, a SEPP, and the like.
  • the Data Storage system can include an SDSF, a UDSF, and/or the like.
  • Any NF can store and retrieve unstructured data into/from the UDSF (e.g., UE contexts) via an N18 reference point between any NF and the UDSF (not shown by FIG. 3).
  • Individual NFs can share a UDSF for storing their respective unstructured data or individual NFs can each have their own UDSF located at or near the individual NFs.
  • the UDSF can exhibit an Nudsf service-based interface (not shown by FIG. 3).
  • the 5G-EIR can be an NF that checks the status of PEI for determining whether particular equipment/entities are blacklisted from the network; and the SEPP can be a non-transparent proxy that performs topology hiding, message filtering, and policing on inter-PLMN control plane interfaces.
  • the CN 334 can include an Nx interface, which is an inter-CN interface between the Mobility Management Entity (MME) of an EPC and the AMF 318 in order to enable interworking between the CN 334 and the other CN (this MME–AMF interface is called N26 in 3GPP TS 23.501).
  • interfaces/reference points can include an N5g-eir service-based interface exhibited by a 5G-EIR (5G Equipment Identity Register), an N27 reference point between the Network Repository Function (NRF) in the visited network and the NRF in the home network; and an N31 reference point between the NSSF in the visited network and the NSSF in the home network.
  • the SCP 322 (or individual instances of the SCP 322) supports indirect communication (see e.g., 3GPP TS 23.501 section 7.1.1); delegated discovery (see e.g., 3GPP TS 23.501 section 7.1.1); message forwarding and routing to destination NF/NF service(s), communication security (e.g., authorization of the NF Service Consumer to access the NF Service Producer API) (see e.g., 3GPP TS 33.501), load balancing, monitoring, overload control, etc.; and discovery and selection functionality for UDM(s), AUSF(s), UDR(s), PCF(s) with access to subscription data stored in the UDR based on the UE's SUPI, SUCI or GPSI (see e.g., 3GPP TS 23.501 section 6.3).
  • the SCP 322 may be deployed in a distributed manner. More than one SCP 322 can be present in the communication path between various NF Services.
  • the DN 330 may represent various network operator services, Internet access, or third party services that may be provided by one or more servers including, for example, application server 110.
  • the DN 330 may be, or include, one or more edge compute nodes.
  • the DN 330 may be an Edge DN 330, which is a (local) Data Network that supports the architecture for enabling edge applications.
  • the application server 110 may represent the physical hardware systems/devices providing app server functionality and/or the application software resident in the cloud or at an edge compute node that performs server function(s). In some embodiments, the application server 110 provides an edge hosting environment that provides support required for Edge Application Server's execution.
  • FIG. 4 illustrates a centralized NAS architecture 400.
  • the centralized NAS architecture 400 depicts a centralized NAS transport architecture for a 5GS.
  • Non-Access Stratum (NAS) refers to the part of the network architecture that is responsible for the signaling and control of the connection between the UE 436 and the CN 440 (which is similar to the CN 114 and CN 334).
  • the NAS protocol stack is used for signaling between the UE 436 and the CN 440, which includes the Authentication and Key Agreement (AKA) protocol, Mobility Management (MM) protocol, signaling connection protocol, and others.
  • Non-Access Stratum Session Management (NAS-SM) protocol is responsible for managing the establishment, modification, and termination of user sessions, which include data communication sessions such as voice and multimedia services.
  • the NAS-SM protocol also handles the authentication and security procedures necessary to ensure the confidentiality and integrity of the user's communication over the network.
  • in embodiments herein, the authentication and security procedures associated with the NAS-SM protocol are adopted for a generic NAS signaling connection between the UE and an arbitrary network function, referred to as the NAS-NF protocol.
  • the NAS-NF protocol performs operations, such as authentication and security procedures, similar to the NAS-SM protocol for all NAS signaling connections with a given network function (NF). It may be appreciated that references made to the NAS-SM protocol are applicable to the NAS-NF protocol, and vice- versa. Embodiments are not limited in this context.
  • the UE 436 may have various software or hardware elements, including a NAS-MM 402, a lower layer 404, a NAS-SM 406, an SMS 408, a UE policy 410 and a location services function (LCS) 412.
  • the CN 334 may include an AMF 414, SMF 416, SMSF 418, PCF 420, and a location management function (LMF) 422, each having a NAS-SM 428, SMS 430, UE Policy 432 and LCS 434, respectively.
  • the AMF 414 may include a NAS-MM 424 and a lower layer 426.
  • the AMF 414 may function as a single point of entry for all NAS signaling, regardless of the 5GC network function that terminates the signaling transaction.
  • the UE 436 may communicate NAS messages with the AMF 414 via a NAS transport 438 between the NAS-MM 402 and the NAS-MM 424.
  • the UE 436 may typically exchange all NAS signaling messages with the AMF 414.
  • the AMF 414 may further forward the NAS message to the 5GC network function that terminates the NAS signaling, such as the SMF 416, the SMSF 418, PCF 420, LMF 422, and other network functions in the CN 334.
  • TABLE 1 (payload container type IE, 3GPP TS 24.501 Table 9.11.3.40.1; only one row survived extraction): LTE Positioning Protocol (LPP) message container = 0 0 0 1 1.
  • TABLE 1 illustrates payload container type IE as defined in the 3GPP TS 24.501 in Table 9.11.3.40.1. For instance, if the Payload container type IE is set to "N1 SM information”, “SMS”, “LTE Positioning Protocol (LPP) message container” or “UE policy container”, the AMF 414 forwards the NAS payload to the SMF 416, SMSF 418, LMF 422 or PCF 420, respectively.
  • the UE 436 may exchange NAS messages with the appropriate network function, such as NAS-SM 406, SMS 408, UE policy 410, and LCS 412 entities of UE 436 with corresponding entities in the CN 334, such as NAS-SM 428 of the SMF 416, SMS 430 of the SMSF 418, UE Policy 432 of the PCF 420, and LCS 434 of the LMF 422, among other possible network functions.
  • NAS messages are protected by relying on a single security association between the UE 436 and the AMF 414. Regardless of the network function that terminates the NAS transaction, the NAS security mechanisms for encryption and integrity protection may be executed only between the UE 436 and the AMF 414.
  • the additional signaling leg (between the AMF 414 and the destination NF) may rely on the lower layer security mechanisms that are not UE-specific, such as the lower layer 404 and the lower layer 426 discussed in FIG. 4.
  • the AMF 414 may implement a Security Anchor Function (SEAF) 442.
  • the SEAF 442 is the security anchor function of the serving network defined in 3GPP TS 33.501: it holds the anchor key KSEAF that results from primary authentication of the UE 436, and every key protecting NAS signaling between the UE 436 and the CN 440 is derived below it.
  • the SEAF 442 is a control-plane key-management function, not a packet gateway: it neither terminates user-plane traffic nor inspects it, so access control on user data, traffic filtering, firewalling and intrusion detection are functions of other elements (e.g., the UPF 328 and the transport network), not of the SEAF 442.
  • whenever a new KSEAF is established, the SEAF 442 derives a fresh KAMF for the serving AMF 414 and the UE 436 derives the same key; confidentiality and integrity protection of NAS signaling are then provided by keys derived from KAMF, so a compromise of KSEAF would compromise every security context derived from it.
  • the SEAF 442 is located in the serving network and marks the boundary between the home network, which holds the long-term credentials and runs the AUSF and UDM, and the serving network to which the UE 436 is attached; in a roaming scenario the SEAF 442 sits in the VPLMN while the AUSF sits in the HPLMN.
  • the SEAF 442 communicates with the 5G core security functions, such as the Authentication Server Function (AUSF), to ensure that the UE identity is authenticated and that the anchor key is derived correctly; the AUSF runs the authentication protocol against the home network and hands KSEAF to the SEAF 442, and KSEAF itself is never forwarded beyond the SEAF 442.
  • in the embodiments herein the SEAF 442 additionally retains the NAS master security association for the UE 436 so that further per-NF security contexts can be bootstrapped from it; it is therefore the component on which all per-UE NAS security contexts in the serving network ultimately depend.
  • FIG. 5 illustrates a distributed NAS architecture 500.
  • As an alternative to the centralized NAS architecture 400, it may be possible to have a “distributed NAS” architecture in which a UE engages in direct dialogue with each individual network function in a core network, without going through a single point of contact comparable to the AMF in the 5GC.
  • the distributed NAS architecture 500 illustrates a network architecture that is similar to the network architecture 300.
  • the UE 522 may communicate with the CN 504 via a CU-CP 502, which is similar to the gNB-CU-CP 206 of the gNB-CU 214 of the gNB dual-architecture implementation as described with reference to FIG. 2.
  • a Network Function (NF) identifier (NF-ID) parameter may need to be included in RRC signaling, so that the CU-CP 502 is able to route the NAS message to the relevant NF in the CN 504.
  • the NF-ID parameter may be encoded as a NF type (e.g., “SMSF”, “SMF”, “PCF”, etc.), or it may be a unique NF identifier.
  • the CU-CP 502 routes the NAS message over the N2 reference point via the message bus 524 to a network function in the CN 504 based on the NF-ID parameter.
  • the UE 522 may communicate NAS messages directly with the NSSAAF 514, the AUSF 516, the AMF 518, or the SMF 520 over secure connections (SCs) 526, 528, 530 and 532, respectively, without having to traverse or go through the AMF 518, as in the centralized NAS architecture 400.
  • the distributed NAS architecture 500 provides a more efficient way for the UE 522 to directly communicate with the various network functions of the CN 504. However, the distributed NAS architecture 500 may need improved security techniques and measures to allow secure connections and/or security associations to protect the direct connects. In the distributed NAS architecture 500, the UE 522 may need to establish a direct secure connection with each NF with which the UE engages in NAS signaling.
  • Embodiments herein relate to how direct secure connections between the UE 522 and each NF can be efficiently established.
  • Embodiments herein may include the assumption that, upon initial registration, the UE establishes Non-Access Stratum (NAS) master security association.
  • the NAS master security association information is stored in the UE 522 as well as a SEAF (not shown) external to the AMF 518.
  • the UE 522 and the new NF may establish a security association for each secure connection (e.g., SC 526, 528, 530, and 532) by bootstrapping security parameters from the NAS master security association.
  • FIG. 6 illustrates a security architecture 600 suitable for a 5GS.
  • the security architecture 600 may include a key hierarchy generation 602 as defined in the 3GPP TS 33.501 standard. More particularly, the key hierarchy generation 602 is depicted in Figure 6.2.1-1 of the 3GPP TS 33.501 standard.
  • the key hierarchy generation 602 illustrates a hierarchy of security keys generated in accordance with the AKA protocol, both for a home public land mobile network (HPLMN) and a serving network.
  • a SEAF may initiate primary authentication with a UE.
  • when the UE attempts to register with a 5GS, the UE is authenticated based on the long-term key K (the “Ki” of earlier generations) stored in the UDM and on the USIM in the UE; successful primary authentication yields an anchor key KSEAF in the serving network, which is bound to the serving network identity and from which the rest of the hierarchy is derived.
  • in 3GPP Release 15 the SEAF 442 is not deployed as a distinct function and is assumed to be collocated with the AMF.
  • with the SEAF collocated in the AMF, the KSEAF key is often treated as synonymous with the KAMF key for deployment purposes; strictly, 3GPP TS 33.501 (Annex A.7) derives KAMF from KSEAF with the SUPI and the ABBA parameter as inputs, so the two keys are distinct values.
  • the KAMF is then used as the master key for the derivation of all other security keys, both at NAS level (e.g., the security keys KNASenc and KNASint for NAS encryption and integrity protection) and in the access stratum (e.g., the security keys KgNB, KRRCint, KRRCenc, KUPint, KUPenc).
  • the UE 522 may need to establish a direct secure connection with each NF with which the UE 522 engages in NAS signaling. This keeps the communication between the UE 522 and each NF secure even from the RAN node, which is useful in case the RAN node is from a different administrative entity to the SEAF 442 or NF nodes.
  • the UE 522 may have a direct secure connection with the various network functions of the CN 504, including secure connection 526, secure connection 528, secure connection 530 and secure connection 532, among others.
  • FIG. 7 illustrates a distributed NAS architecture 700 similar to the distributed NAS architecture 500.
  • the distributed NAS architecture 700 may include a CN 710 with various network functions, such as NSSF 712, NEF 714, NRF 716, PCF 718, UDM 720, AF 722, SEAF 708, AUSF 724, AMF 726, SMSF 728, and LMF 730.
  • a UE 732 may communicate with each network function via the gNB-DU 702 and the gNB-CU-CP 706 of a RAN.
  • the UE 732 may establish direct connections to a given network function, such as secure connections 738, 740, 742, 744, and 746.
  • the secure connections do not traverse a single entity, such as the AMF 726, when transporting NAS messages.
  • When the UE 732 performs Initial Registration with the CN 710, the UE 732 is authenticated with the HPLMN based on long-term credentials stored in the UE 732 and the UDM 720. As part of the authentication procedure, a master security association is established between the UE 732 and the serving network. The information for the NAS master security association is stored in the UE 732 as well as in the SEAF 708. When the UE 732 needs to contact a new NF, or vice versa, the UE 732 and the new NF establish a security association by bootstrapping security parameters from the NAS master security association.
  • the AMF 726 is depicted as a standalone function distinct from the SEAF 708 because a next-generation mobile system does not necessarily need to have the AMF 726. If the next generation mobile system does have an AMF 726, the SEAF 708 can be collocated with the AMF 726, as depicted in FIG. 4.
  • the individual secure connections between the UE 732 and the various NF of the CN 710 may be established using the NAS master security information stored in the UE 732 and the SEAF 708, as depicted in FIGS. 8A, 8B.
  • FIG. 8A illustrates a message flow 800a suitable for implementing embodiments as described herein.
  • the message flow 800a illustrates an exchange of messages between a UE 802, a RAN 804, an NRF 806, a SEAF 808, an AUSF 810, a UDM 812, and an SMF 822, and various operations performed by one or more of the devices and/or NFs.
  • a UE 802 may send a message 830 to the RAN 804.
  • the message 830 may comprise a radio resource control (RRC) message.
  • the RAN 804 may select a SEAF 808 suitable for the UE 802.
  • the RAN 804 may send a message 832 to the SEAF 808.
  • the message 832 may comprise a NAS registration message.
  • the SEAF 808 may perform Initial Registration or subsequent re-authentication between the UE 802 and SEAF 808.
  • the SEAF 808 obtains the anchor key KSEAF (derived by the AUSF 810 from KAUSF during primary authentication), which is stored in the SEAF 808.
  • the SEAF 808 may send a message 834 to the RAN 804.
  • the message 834 may comprise a NAS registration accept.
  • the RAN 804 may send a message 858 to the UE 802.
  • the message 858 may comprise an RRC message with security information from the SEAF 808.
  • the UE 802 may create a NAS-SEAF security context using the security information from the SEAF 808.
  • the UE 802 may use the NAS-SEAF security context to create a NAS-NF security context for a session between the UE 802 and a NF.
  • the UE 802 may send a message 836 to the RAN 804.
  • the message 836 may comprise an RRC message that encodes a NAS-NF message.
  • the RAN 804 may select an NRF 806 based on a “Network Function identification” parameter (e.g., a NF-ID) in RRC signaling.
  • the RAN 804 contacts the NRF 806 to perform selection of an appropriate SMF 822.
  • the RAN 804 sends a message 838 to the SMF 822.
  • the message 838 may comprise a NAS-NF request message.
  • Upon receiving the initial NAS-NF message from the UE 802 (e.g., the NAS-NF request), the SMF 822 determines whether the request comes from an unknown UE. At optional block 824, if the UE 802 is unknown (e.g., during first registration), the SMF 822 contacts the NRF 806 and the SEAF 808 in order to authenticate the UE request. At block 826, the SMF 822 and the SEAF 808 may cooperate to authenticate the UE request based on the master security association information stored in the UE 802 and in the SEAF 808. The SMF 822 may send a message 840 to the RAN 804. The message 840 may comprise a NAS-NF response message. The RAN 804 may send the NAS-NF response message encoded in an RRC message, along with security information for the UE 802 from the SMF 822.
  • the UE 802 may create a NAS-NF security context to authenticate a NF, as discussed in more detail with reference to FIG. 8B.
  • Both UE 802 and SMF 822 create a NAS-NF security context (e.g., by deriving a shared key KSMF that is anchored on KSEAF). As such, there is no need for the SMF 822 to contact the SEAF 808 for subsequent NAS-NF signaling.
  • the serving network may have multiple SEAF nodes.
  • the SMF 822 may need to retrieve a master security association for the UE 802 from one of the multiple SEAF nodes. This can be accomplished in a number of different ways.
  • upon establishing a NAS connection with the SEAF 808, as part of the NAS registration accept message 834, the SEAF 808 returns a UE identity that uniquely identifies the UE 802 within that SEAF 808.
  • Upon sending the initial NAS-NF request message 838, the RAN 804 includes the SEAF identity and the UE identity. The SMF 822 uses the SEAF identity to contact the SEAF 808, including the UE identity that identifies the master security association held in the SEAF 808 for the UE 802.
  • alternatively, upon reception of the initial NAS-NF request message 838, the SMF 822 retrieves a UE identity that the UE 802 provided in the RRC message 836, and uses that UE identity to query the NRF 806 at block 824 in order to discover the SEAF 808 that is in charge of the UE 802.
  • the UE 802 and/or the SMF 822 may generate a shared security key (KSMF). This may be accomplished in a number of different ways.
  • the UE 802 sends the NAS-NF request message encoded by an RRC message in clear text.
  • Upon authentication of the NAS-NF request message with the SEAF 808 in block 826, the SMF 822 establishes a security association for NAS-NF signaling.
  • the SMF 822 responds with the message 840, carrying the NAS-NF response message, which is at least partially encrypted.
  • the non-encrypted part of the NAS-NF response message may include key material (derivation inputs such as a nonce or algorithm selection, not the key itself) that is used by the UE 802 to create the NAS-NF security context at block 828, such as to derive the same shared security key KSMF.
  • the UE 802 generates the shared security key KSMF and the NAS-NF security context for a NF based on the security key KSEAF before initiating the message 836.
  • the UE 802 sends the NAS-NF request message (encoded within an RRC message) that is at least partially encrypted using the security key KSMF.
  • the non-encrypted part of the NAS-NF request message may include security material that is used by the SMF 822 to create the NAS-NF security context, such as derive the same shared security key KSMF. It may also contain security information for the SMF 822 that could be used to authenticate the UE 802 with the SEAF 808.
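The key hierarchy of FIG. 6 and the KSMF/KNF bootstrapping options of FIG. 8A, worked through in Python as an added example; this code is not part of the patent and is not a 3GPP reference implementation. The generic KDF, the KAMF derivation (FC 0x6D with SUPI and ABBA), the algorithm-key derivation (FC 0x69, 128 least significant bits) and the KgNB derivation (FC 0x6E) follow 3GPP TS 33.220 Annex B.2 and TS 33.501 Annex A. Everything about KNF is an assumption: the patent only states that KNF/KSMF is anchored on KSEAF, so the FC value 0x7F, the NF-ID string and the two nonces used as KDF inputs, the truncated HMAC-SHA-256 standing in for a NIA MAC-I, and the `Seaf` registry standing in for NRF-based SEAF discovery are all hypothetical choices of this example. The example also carries the check a practitioner would want on this design: the SEAF hands an NF only the KNF derived for that NF's own NF-ID and never exports KSEAF, and a request bound to a different NF-ID, a tampered payload, an unknown SEAF or an unknown UE identity is rejected rather than served.

```python
"""Key derivation for the 5G NAS key hierarchy and a hypothetical KNF bootstrap.
Added example; not code from the patent or from 3GPP. The KDF and the KAMF, algorithm-key
and KgNB derivations are the standard ones; everything about KNF is an assumption."""
import hashlib
import hmac
import os

# ---- generic KDF of 3GPP TS 33.220 Annex B.2 ----

def kdf_input(fc: int, params: list) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 || ...; each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf(key: bytes, fc: int, params: list) -> bytes:
    """Derived key = HMAC-SHA-256(key, S). Callers truncate when a 128-bit key is needed."""
    return hmac.new(key, kdf_input(fc, params), hashlib.sha256).digest()

# ---- TS 33.501 Annex A: the standard hierarchy below KSEAF (FIG. 6) ----

ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}

def derive_kamf(k_seaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    """A.7: FC = 0x6D, P0 = SUPI, P1 = ABBA parameter (0x0000 unless the network sets more)."""
    return kdf(k_seaf, 0x6D, [supi.encode(), abba])

def derive_alg_key(k: bytes, alg_type: str, alg_id: int) -> bytes:
    """A.8: FC = 0x69, P0 = algorithm type distinguisher, P1 = algorithm identity (4 LSBs);
    the 128 least significant bits of the 256-bit output are the working key."""
    return kdf(k, 0x69, [bytes([ALG_TYPE[alg_type]]), bytes([alg_id & 0x0F])])[16:]

def derive_kgnb(k_amf: bytes, uplink_nas_count: int, access_type: int = 0x01) -> bytes:
    """A.9: FC = 0x6E, P0 = uplink NAS COUNT (4 octets), P1 = access type distinguisher (0x01 = 3GPP)."""
    return kdf(k_amf, 0x6E, [uplink_nas_count.to_bytes(4, "big"), bytes([access_type])])

# ---- hypothetical KNF bootstrap for the distributed NAS architecture (FIG. 8A) ----
# The patent only says KNF/KSMF is "anchored on KSEAF". FC = 0x7F and the inputs
# (NF-ID string, UE nonce, NF nonce) are ASSUMPTIONS of this example, not 3GPP values.

NONCE_LEN = 16

def derive_knf(k_seaf: bytes, nf_id: str, ue_nonce: bytes, nf_nonce: bytes) -> bytes:
    return kdf(k_seaf, 0x7F, [nf_id.encode(), ue_nonce, nf_nonce])

class Seaf:
    """Holds the NAS master security association. KSEAF never leaves this object:
    an NF is handed only the KNF derived for its own NF-ID."""

    def __init__(self, seaf_id: str):
        self.seaf_id = seaf_id
        self._k_seaf = {}  # UE identity (unique within this SEAF) -> KSEAF

    def register(self, ue_id: str, k_seaf: bytes) -> None:
        self._k_seaf[ue_id] = k_seaf

    def bootstrap_nf_key(self, ue_id: str, nf_id: str, ue_nonce: bytes, nf_nonce: bytes) -> bytes:
        if ue_id not in self._k_seaf:
            raise KeyError("unknown UE: no master security association")
        return derive_knf(self._k_seaf[ue_id], nf_id, ue_nonce, nf_nonce)

def nas_nf_mac(k_nf: bytes, data: bytes) -> bytes:
    """Stand-in for the NAS MAC-I: NAS-int key derived from KNF, then truncated HMAC-SHA-256
    (a real stack runs NIA1/2/3 with COUNT, BEARER and DIRECTION; this is an assumption)."""
    k_int = derive_alg_key(k_nf, "NAS-int", 2)  # 2 = NIA2, chosen by assumption
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]

def ue_build_initial_nas_nf_request(k_seaf, seaf_id, ue_id, nf_id, payload):
    """UE side of the option where KSMF is derived before the first message: the clear part
    carries what the NF needs (SEAF identity, UE identity, NF-ID, UE nonce); the payload is
    integrity-protected under the NAS-NF context. Identifiers must not contain '|'."""
    ue_nonce = os.urandom(NONCE_LEN)
    k_nf = derive_knf(k_seaf, nf_id, ue_nonce, b"")  # no NF nonce yet on message 1
    header = f"{seaf_id}|{ue_id}|{nf_id}|".encode() + ue_nonce
    return header, payload, nas_nf_mac(k_nf, header + payload)

def nf_verify_initial_request(seaf_registry: dict, my_nf_id: str, header, payload, mac) -> bool:
    """NF side: resolve the SEAF from the SEAF identity the RAN/UE supplied, obtain KNF for this
    UE and this NF-ID from it, and verify the MAC. Any failure is a rejection, not an exception."""
    parts = header.split(b"|", 3)
    if len(parts) != 4 or len(parts[3]) != NONCE_LEN:
        return False
    seaf_id, ue_id, nf_id, ue_nonce = parts
    if nf_id.decode() != my_nf_id:  # request was bound to another NF; do not accept it
        return False
    seaf = seaf_registry.get(seaf_id.decode())
    if seaf is None:
        return False
    try:
        k_nf = seaf.bootstrap_nf_key(ue_id.decode(), my_nf_id, ue_nonce, b"")
    except KeyError:
        return False
    return hmac.compare_digest(nas_nf_mac(k_nf, header + payload), mac)

if __name__ == "__main__":
    k_seaf = os.urandom(32)  # constructed; in reality handed to the SEAF by the AUSF
    seaf = Seaf("seaf-1")
    seaf.register("ue-7", k_seaf)
    req = ue_build_initial_nas_nf_request(k_seaf, "seaf-1", "ue-7", "smf-1",
                                          b"PDU SESSION ESTABLISHMENT REQUEST")
    print("accepted:", nf_verify_initial_request({"seaf-1": seaf}, "smf-1", *req))
```

Binding the NF-ID into the KNF derivation is what makes each secure connection of FIG. 8A distinct: an SMF that obtained KSMF cannot reuse it to impersonate the UE towards the SMSF or PCF, because those NFs derive a different key from the same anchor. The same property is why the SEAF must only ever release the per-NF derived key and never KSEAF itself.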
  • FIG. 8B illustrates a message flow 800b.
  • the message flow 800b illustrates an exchange of messages between a UE 802, a RAN 804, an NRF 806, a SEAF 808, and an NF 844, and various operations performed by one or more of the devices and/or NFs.
  • the NF 844 may represent any of network functions in a 5GC or 5GS, including the network functions as illustrated and described in the network architecture 300, the centralized NAS architecture 400, the distributed NAS architecture 500, the distributed NAS architecture 700 or the message flow 800a. Embodiments are not limited in this context.
  • the UE 802 may create a NAS-NF security context to authenticate an NF 844.
  • the UE 802 may initiate a secure connection with the NF 844 by sending a message 846 to the RAN 804.
  • the message 846 may comprise a NAS message encoded in an RRC message.
  • the RAN 804 may use a NF-ID parameter to route the NAS message to the NF 844.
  • the NF-ID parameter may be part of the message 846 or stored in a data structure of the RAN 804.
  • the NF 844 may contact the SEAF 808 to authenticate the UE 802, and retrieve security information from the SEAF 808 (the derived key KNF for that NF, or the material needed to derive it, rather than KSEAF itself) to create the shared security key KNF.
  • the NF 844 may establish a secure connection 850 with the UE 802 with the shared security key KNF.
  • the UE 802 and the NF 844 may exchange NAS messages over the secure connection 850.
  • FIG. 9 illustrates a 5GS 900 having a UE 930 in communication with a base station 924 and a CN 934.
  • the 5GS 900 may be representative of any wireless system, such as the wireless communication system 100 or the wireless communication system 200.
  • the UE 930 may be representative of any UE as previously discussed, including the UE 202, UE 324, UE 436, UE 522, UE 732, UE 802, and so forth.
  • the UE 930 may communicate radio-frequency (RF) signals 910 with a base station 924.
  • the base station 924 may be representative of any base station as previously discussed, including the RAN 112, RAN 326, RAN 804, RAN node 106a, RAN node 106b, gNB 204, gNB-CU 214, gNB- DU 210, and so forth.
  • the UE 930 may be generally arranged to establish a direct or individual secure connection 938 with an NF 936 of a CN 934.
  • the CN 934 may be representative of any 5GC as previously discussed, including the CN 114, CN 334, CN 440, CN 504, CN 710, and so forth.
  • the CN 934 is a distributed NAS architecture, such as the distributed NAS architecture 500 or the distributed NAS architecture 700, for example.
  • the NF 936 may be representative of any NF associated with the CN 934, such as the NF discussed with reference to the network architecture 300, the centralized NAS architecture 400, the distributed NAS architecture 500, the distributed NAS architecture 700, and so forth.
  • the secure connection 938 may bypass a single point of entry for the CN 934, such as an AMF, for example.
  • the secure connection 938 may be created by leveraging master security information generated for the UE 930 upon first entry or connection to the CN 934.
  • the UE 930 may comprise a processing circuitry 904, a memory 908 with a security manager 914, a memory interface 920, a data storage device 926, and radio-frequency (RF) circuitry 922.
  • the UE 930 may optionally include a set of platform components (not shown) suitable for a UE, such as input/output devices, memory controllers, different memory types, network interfaces, hardware ports, and so forth.
  • the UE 930 may include a memory interface 920 that may send or receive, to or from an internal data storage device 926 or an external data storage device 928, security information 912, such as a fifth generation (5G) security context data for a 5G system (5GS), such as 5G security context data 906.
  • the 5G security context data 906 may include non-access stratum (NAS) security anchor function (SEAF) (NAS-SEAF) security context data, such as NAS-SEAF security context data 916.
  • the UE 930 may also include processing circuitry 904 communicatively coupled to the memory interface 920.
  • the processing circuitry 904 may execute a connection manager 918 to determine to establish a NAS signaling connection between the UE 930 and a network function (NF) of a core network (CN) of the 5GS, such as NF 844.
  • the connection manager 918 may generate a NAS-NF request message.
  • the processing circuitry 904 may execute a security coder/decoder, such as security codec 902, to encode security information 912 for use by an NF of the CN 934, such as a SEAF, SMF, or NF 936.
  • the security manager 914 may encode the NAS-NF request message in a first radio resource control (RRC) message, and initiate transmission of the first RRC message from the UE 930 to a base station 924 (e.g., an eNB or gNB) of a radio access network (RAN) of the 5GS 900.
  • the processing circuitry 904 may execute the security codec 902 to decode a second RRC message received from the base station 924, the second RRC message to include NAS-NF security context data 932 for the UE 930 and the NF 936 of the CN 934 of the 5GS 900.
  • the NAS-NF security context data 932 may be derived or based on the NAS-SEAF security context data 916 associated with the UE 930 for the 5GS 900.
  • the UE 930 may also include where the NAS-SEAF security context data 916 comprises an anchor key for a SEAF.
  • the anchor key may comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the UE 930 may also include where the NAS-NF security context data 932 comprises a shared security key.
  • the shared security key may comprise a security key KSMF for a security association between the UE 930 and a network function (NF) of the CN 934.
  • the UE 930 may also include where the NAS-NF security context data 932 comprises security information 912 to generate a shared security key by the UE 930, the shared security key to comprise a security key KSMF for a security association between the UE 930 and a network function (NF) of the CN 934.
  • the UE 930 may also include where the NAS-NF security context data 932 includes security information 912 to generate a master security key by the UE 930, the master security key to comprise a security key KNF for a security association between the UE 930 and the NF 936 of the CN 934.
  • the UE 930 may also include where the first RRC message includes a UE identifier, a security anchor function (SEAF) identifier, or a NF identifier parameter.
  • the UE 930 may also include the processing circuitry 904 to generate the NAS-NF request message in clear text.
  • the UE 930 may also include a memory 908 communicatively coupled to the memory interface 920.
  • the memory 908 may store the NAS-SEAF security context data 916 associated with the UE 930 for the 5GS 900.
  • the processing circuitry 904 may retrieve the NAS-SEAF security context data 916 stored in the memory 908, and generate a shared security key based on the NAS-SEAF security context data 916.
  • the shared security key may comprise a security key KSMF for a security association between the UE 930 and a network function (NF) of the CN 934.
  • the UE 930 may also include the processing circuitry 904 to generate a master security key based on the NAS-NF security context data 932 by the UE 930, the master security key to comprise a security key KNF for a security association between the UE 930 and the NF 936 of the CN 934.
  • the UE 930 may also include the processing circuitry 904 to initiate establishment of a direct secure connection between the UE 930 and the NF 936 of the CN 934 of the 5GS using a master security key and without the NAS-SEAF security context data 916.
  • the UE 930 may form a secure connection 938 between the UE 930 and the NF 936, and vice-versa.
  • the UE 930 may also include the processing circuitry 904 to initiate establishment of a direct secure connection between the UE 930 and the NF 936 of the logical CN 934 of the 5GS 900 using the NAS-NF security context data 932 and without the NAS-SEAF security context data 916.
  • the UE 930 may also include the processing circuitry 904 to initiate establishment of a direct secure connection between the UE 930 and the NF 936 of the CN 934 of the 5GS 900 using a master security key and without an access and mobility function (AMF) of the CN 934 of the 5GS 900.
  • the UE 930 may also include an RF interface communicatively coupled to the processing circuitry 904, the RF interface configured to provide data for RF circuitry 922 to transmit RF signals 910 with the first RRC message and receive RF signals 910 with the second RRC message.
  • the UE 930 may also include the processing circuitry 904 to encrypt at least a portion of the NAS-NF request message with the shared security key prior to initiation of transmission of the first RRC message.
  • the UE 930 may also include the processing circuitry 904 to add security information 912 to generate the shared security key by a network function (NF) of the CN 934 to a non-encrypted portion of the NAS-NF request message prior to initiation of transmission of the first RRC message.
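The key hierarchy described in the bullets above (KSEAF held by the UE and the SEAF, a shared KSMF for the SMF, and a master KNF for one UE-to-NF association, with the inputs needed to derive it carried in a clear-text portion of the NAS-NF request), as an added Python sketch. This is not the patent's or 3GPP's code: the KDF, its labels, the identifiers and the message layout are assumptions; the page fixes only the key names and which party holds which key.

```python
"""Key hierarchy KSEAF -> KSMF -> KNF and a MAC-protected NAS-NF request.
Added example, not the page's or 3GPP's code: the KDF, its labels, the
message layout and the sample identities are assumptions."""
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    # HMAC-SHA256 over a label and length-prefixed parameters (assumed KDF).
    data = label
    for p in params:
        data += struct.pack(">H", len(p)) + p
    return hmac.new(key, data, hashlib.sha256).digest()


class Seaf:
    """SEAF: keeps the anchor key KSEAF from primary authentication and never
    releases it; an SMF asking for NAS-NF context receives a derived KSMF."""

    def __init__(self):
        self._anchor = {}  # ue_id -> KSEAF (NAS-SEAF security context)

    def primary_authentication(self, ue_id: bytes, kseaf: bytes) -> None:
        self._anchor[ue_id] = kseaf

    def nas_nf_context(self, ue_id: bytes, smf_id: bytes) -> bytes:
        if ue_id not in self._anchor:
            raise KeyError("UE not authenticated")
        return kdf(self._anchor[ue_id], b"KSMF", ue_id, smf_id)


def derive_ksmf(kseaf: bytes, ue_id: bytes, smf_id: bytes) -> bytes:
    # UE side of the shared key; must match Seaf.nas_nf_context.
    return kdf(kseaf, b"KSMF", ue_id, smf_id)


def derive_knf(ksmf: bytes, nf_id: bytes, nonce: bytes) -> bytes:
    # Master key for one UE<->NF security association; the NF only ever
    # holds this key, never KSMF or KSEAF.
    return kdf(ksmf, b"KNF", nf_id, nonce)


def encode_ies(*fields: bytes) -> bytes:
    # Length-prefixed clear-text IEs: UE id, SEAF id, NF id, nonce.
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def decode_ies(blob: bytes) -> list:
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">H", blob, pos)
        fields.append(blob[pos + 2:pos + 2 + n])
        pos += 2 + n
    return fields


def protect(knf: bytes, count: int, clear: bytes, payload: bytes) -> dict:
    # MAC over count, clear-text IEs and payload. Only integrity protection
    # is shown; ciphering of the payload is omitted.
    mac = hmac.new(knf, struct.pack(">I", count) + clear + payload,
                   hashlib.sha256).digest()[:8]
    return {"count": count, "clear": clear, "payload": payload, "mac": mac}


def verify(knf: bytes, msg: dict) -> bool:
    data = struct.pack(">I", msg["count"]) + msg["clear"] + msg["payload"]
    expected = hmac.new(knf, data, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, msg["mac"])


def run_flow() -> dict:
    # Constructed sample identities and anchor key (not from the page).
    ue_id, seaf_id, smf_id, nf_id = b"ue-1", b"seaf-1", b"smf-7", b"nf-42"
    kseaf = hashlib.sha256(b"constructed primary authentication output").digest()
    nonce = b"\x01\x02\x03\x04"
    seaf = Seaf()
    seaf.primary_authentication(ue_id, kseaf)

    # UE: shared key, then master key, then the NAS-NF request whose
    # clear-text IEs carry what the network needs to derive the same keys.
    knf_ue = derive_knf(derive_ksmf(kseaf, ue_id, smf_id), nf_id, nonce)
    clear = encode_ies(ue_id, seaf_id, nf_id, nonce)
    msg = protect(knf_ue, 0, clear, b"NAS-NF REQUEST")

    # Network: the SMF fetches KSMF from the SEAF, derives KNF and hands it
    # to the NF, which verifies the request without contacting the SEAF.
    rx_ue_id, _, rx_nf_id, rx_nonce = decode_ies(msg["clear"])
    ksmf_net = seaf.nas_nf_context(rx_ue_id, smf_id)
    knf_nf = derive_knf(ksmf_net, rx_nf_id, rx_nonce)
    tampered = dict(msg, payload=msg["payload"] + b"!")
    other_nf = derive_knf(ksmf_net, b"nf-43", rx_nonce)
    return {
        "keys_match": knf_ue == knf_nf,
        "verified": verify(knf_nf, msg),
        "tamper_detected": not verify(knf_nf, tampered),
        "nf_keys_separated": other_nf != knf_nf,
    }
```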
  • FIG. 10 illustrates an embodiment of a logic flow 1000.
  • the logic flow 1000 may be representative of some or all of the operations executed by one or more embodiments described herein.
  • the logic flow 1000 may include some or all of the operations performed by devices or entities within the wireless communication system 100, the wireless communication system 200, or any UE operable therein.
  • the logic flow 1000 illustrates the UE 930 forming a secure connection 938 with the NF 936 of the CN 934 of the 5GS 900 without going through a single point of entry for the CN 934, such as an AMF, for example.
  • Embodiments are not limited in this context.
  • logic flow 1000 determines to establish a secure connection with a network function (NF) of a core network (CN) of a wireless system by a UE.
  • logic flow 1000 generates a request message to establish a session with the CN of the wireless system.
  • logic flow 1000 encodes the request message in a first radio resource control (RRC) message.
  • logic flow 1000 initiates transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system.
  • logic flow 1000 decodes a second RRC message received by the UE from the base station of the RAN, the second RRC message to include security information to establish secure connections directly between the UE and the NF of the CN, the security information based on master security information associated with the UE.
  • the connection manager 918 of the UE 930 determines to establish a secure connection 938 with an NF 936 of a CN 934 of the 5GS 900.
  • the connection manager 918 of the UE 930 generates a request message to establish a session with the CN 934 of the 5GS 900.
  • the security manager 914 of the UE 930 encodes the request message in a first RRC message.
  • the connection manager 918 of the UE 930 initiates transmission of the first RRC message from the UE 930 to a base station 924 of a RAN of the 5GS 900.
  • the security codec 902 of the UE 930 decodes a second RRC message received by the UE 930 from the base station 924 of the RAN, which the base station 924 received from an SMF of the CN 934.
  • the second RRC message may include security information 912 to establish secure connections 938 directly between the UE 930 and the NF 936 of the CN 934, where the security information 912 is based on master security information associated with the UE 930 upon initial authentication or reauthentication by a SEAF.
  • FIG. 11 illustrates an embodiment of a logic flow 1100.
  • the logic flow 1100 may be representative of some or all of the operations executed by one or more embodiments described herein.
  • the logic flow 1100 may include some or all of the operations performed by devices or entities within the wireless communication system 100, the wireless communication system 200, or any UE operable therein.
  • the logic flow 1100 illustrates the UE 930 forming a secure connection 938 with the NF 936 of the CN 934 of the 5GS 900 without going through a single point of entry for the CN 934, such as an AMF, for example.
  • Embodiments are not limited in this context.
  • logic flow 1100 determines to establish a non-access stratum (NAS) signaling connection session with a network function (NF) (NAS-NF) of a core network (CN) of a fifth generation (5G) system (5GS).
  • logic flow 1100 generates a NAS-NF request message.
  • logic flow 1100 encodes the NAS-NF request message in a first radio resource control (RRC) message.
  • logic flow 1100 initiates transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the 5GS.
  • logic flow 1100 decodes a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the 5GS, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the 5GS.
  • the UE 930 determines to establish a non-access stratum (NAS) signaling connection session with a network function (NF) (NAS-NF) of a core network (CN) of a fifth generation (5G) system (5GS).
  • the UE 930 generates a NAS-NF request message.
  • the UE 930 encodes the NAS-NF request message in a first radio resource control (RRC) message.
  • the UE 930 initiates transmission of the first RRC message from the UE 930 to a base station 924 of a radio access network (RAN) of the 5GS 900.
  • the UE 930 decodes a second RRC message received from the base station 924, the second RRC message to include NAS-NF security context data 932 for the UE 930 and the NF 936 of the CN 934 of the 5GS 900.
  • the NAS-NF security context data 932 may be derived or based on NAS security anchor function (SEAF) (NAS-SEAF) security context data, such as NAS-SEAF security context data 916, associated with the UE 930 for the 5GS 900 upon primary authentication of the UE 930.
  • the logic flow 1100 may also include where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the logic flow 1100 may also include where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KSMF for a security association between the UE and a network function (NF) of the CN.
  • the logic flow 1100 may also include where the NAS-NF security context data to comprise security information to generate a shared security key by the UE, the shared security key to comprise a security key KSMF for a security association between the UE and a network function (NF) of the CN.
  • the logic flow 1100 may also include where the NAS-NF security context data includes security information to generate a master security key by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the logic flow 1100 may also include where the first RRC message includes a UE identifier, a security anchor function (SEAF) identifier, or a NF identifier parameter.
  • the logic flow 1100 may also be implemented by the processing circuitry for generating the NAS-NF request message in clear text.
  • the logic flow 1100 may also be implemented by the processing circuitry for retrieving the NAS-SEAF security context data associated with the UE for the 5GS, and generating a shared security key based on the NAS-SEAF security context data, the shared security key to comprise a security key KSMF for a security association between the UE and a network function (NF) of the CN.
  • the logic flow 1100 may also be implemented by the processing circuitry for encrypting at least a portion of the NAS-NF request message with the shared security key prior to initiation of transmission of the first RRC message.
  • the logic flow 1100 may also be implemented by the processing circuitry for adding security information to generate the shared security key by a network function (NF) of the CN to a non-encrypted portion of the NAS-NF request message prior to initiation of transmission of the first RRC message.
  • the logic flow 1100 may also be implemented by the processing circuitry for generating a master security key based on the NAS-NF security context data by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the logic flow 1100 may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using a master security key and without the NAS-SEAF security context data.
  • the logic flow 1100 may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the logical CN of the 5GS using the NAS-NF security context data and without the NAS-SEAF security context data.
  • the logic flow 1100 may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using a master security key and without an access and mobility function (AMF) of the CN of the 5GS.
  • the logic flow 1100 may also be implemented by the processing circuitry for providing data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • FIG. 12 illustrates an embodiment of a logic flow 1200.
  • the logic flow 1200 may be representative of some or all of the operations executed by one or more embodiments described herein.
  • the logic flow 1200 may include some or all of the operations performed by devices or entities within the wireless communication system 100, the wireless communication system 200, or any NF operable therein.
  • the logic flow 1200 illustrates a SMF of the CN 934, such as SMF 822, forming a secure connection 938 with the UE 930 of the 5GS 900 without going through a single point of entry for the CN 934, such as an AMF, for example.
  • logic flow 1200 decodes a non-access stratum (NAS) signaling connection with a NF (NAS-NF) request message from a radio access network (RAN) of a fifth generation (5G) system (5GS) by a network function (NF) of a core network (CN) of the 5GS, the NAS-NF request message to request establishment of a NAS-NF session between a UE and a network function (NF) of the CN.
  • logic flow 1200 initiates transmission of a request for NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE to a SEAF of the CN.
  • logic flow 1200 authenticates the UE with the NAS-SEAF security context data.
  • logic flow 1200 generates NAS-NF security context data for the UE and the NF of the CN of the 5GS, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the 5GS.
  • logic flow 1200 initiates transmission of a NAS-NF response message with the NAS-NF security context data for the UE and the NF of the CN of the 5GS.
  • a computing device decodes a non-access stratum (NAS) signaling connection with a NF (NAS-NF) request message from a radio access network (RAN) of a fifth generation (5G) system (5GS) by a network function (NF) of a core network (CN) of the 5GS.
  • the NAS-NF request message may request establishment of a NAS-NF session between a UE 930 and an NF 936 of the CN 934.
  • the SMF 822 initiates transmission of a request for NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE 930 to a SEAF 808 of the CN 934.
  • the SMF 822 authenticates the UE 930 with the NAS-SEAF security context data 916.
  • the SMF 822 generates NAS-NF security context data 932 for the UE 930 and an NF 936 of the CN 934 of the 5GS 900.
  • the NAS-NF security context data 932 may be based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE 930 for the 5GS 900.
  • the SMF 822 initiates transmission of a NAS-NF response message with the NAS-NF security context data for the UE 930 (via an RRC message from the RAN 804) and the NF 936 of the CN 934 of the 5GS 900.
  • a UE and a NF may establish a direct secure connection by using a virtual security anchor proxy at both endpoints.
  • the virtual security anchor proxy may be similar to security edge protection proxy (SEPP) security components.
  • a 5GS may implement security techniques that model cloud computing security techniques.
  • various embodiments are generally directed to security techniques to enable communication between a UE and an NF instance via a service based interface (SBI).
  • SBI refers to the interface between two network functions or services that allows them to communicate with each other and exchange information.
  • the UE may be a service consumer or a service provider for the NF, such as computing services.
  • Some embodiments enable communication between a UE and an NF of the CN using a virtual security anchor proxy at one or both endpoints.
  • embodiments introduce techniques to enable secure communications between a UE and the CN using a virtual security anchor proxy at both endpoints.
  • the embodiments attempt to fulfill a set of 5GS requirements that includes: (1) a central unit - control plane (CU-CP) acts as a relay only, with no visibility into messages such as NAS messages; (2) end-to-end (E2E) encryption between a UE and a NF, such as a one-to-one security anchor or a security anchor based on the existing NAS security association; (3) the use of hypertext transfer protocol (HTTP) or similar protocols as an air interface protocol; (4) a core network perimeter defense to block insecure and unnecessary services to the core network; and (5) network function virtualizations (NFVs) in the service based architecture (SBA) that are fully controlled by a mobile network operator (MNO).
  • all nodes connected to a communications bus in the CN may not be under full operator control.
  • different security domains may exist, and the bus may cross borders across communication service providers (CSPs) or cloud providers. This is because there is no inherent trust between different NFs.
  • the virtual security anchor proxy at both endpoints allows a UE and a NF to communicate using secure network protocols, such as transport layer security (TLS), tunneled transport layer security (TTLS), HTTP secure (HTTPS), and other secure network protocols.
  • the virtual security anchor proxy at both endpoints may model a security edge protection proxy (SEPP) architecture, as discussed in FIG. 13.
  • FIG. 13 illustrates a security architecture 1300.
  • the security architecture 1300 is similar to the 3GPP Security Edge Protection Proxy (SEPP) architecture, which is a network architecture used for providing enhanced security to the Long-Term Evolution (LTE) and 5G networks.
  • a SEPP acts as a security gateway that sits at the edge of the network and provides protection against attacks, such as Denial of Service (DoS) and Distributed Denial of Service (DDoS), and unauthorized access to the network. It is responsible for enforcing security policies and rules, providing threat detection and mitigation, and preventing malicious traffic from entering the network.
  • the SEPP architecture is comprised of two main components: the User Plane Function (UPF) and the Session Management Function (SMF).
  • the SEPP architecture also includes other network elements, such as the Policy Control Function (PCF) and the Access and Mobility Management Function (AMF), which are used to manage network policies and control access to the network.
  • the security architecture 1300 implements a SEPP architecture that uses an internetwork interconnect, such as a N32 interface, that allows secure communication between service consuming and service-producing NFs in different public land mobile networks (PLMNs).
  • Security is enabled by the SEPP entities of both networks.
  • the SEPP entities enforce protection policies regarding application layer security, ensuring integrity and confidentiality protection for those elements.
  • the SEPP entities may use JSON Web Encryption (JWE), where JSON is JavaScript Object Notation.
  • an NF 1308 may connect to a centralized security protection proxy (cSEPP) 1310.
  • the cSEPP 1310 is part of the 5G security architecture and is responsible for providing end-to-end security across the 5G network. It is typically located between the radio access network (RAN) and the core network and is connected to multiple network elements, including the access and mobility management function (AMF), the session management function (SMF), and the user plane function (UPF).
  • the cSEPP 1310 may communicate with a perimeter security protection proxy (pSEPP) 1316.
  • the pSEPP 1316 provides a range of security features to protect the RAN, including firewalling, intrusion detection and prevention, and secure communication protocols. It also provides access control and authentication mechanisms to ensure that only authorized devices and users can access the network.
  • the cSEPP 1310 and the pSEPP 1316 may communicate over an N32 interface.
  • the N32 interface is a network interface defined in the 3GPP system that is used to enable communication between the AMF and the UPF.
  • the N32 interface is a service-based interface, meaning that it is used to establish a service between the AMF and UPF. It is used to transfer information related to the establishment, modification, and release of a user plane data tunnel between the AMF and UPF.
  • the N32 interface is responsible for handling traffic steering between UPFs, supporting mobility between different 5G network slices, and enabling QoS (Quality of Service) management for user plane traffic. It is also responsible for supporting policy control and charging for user plane traffic.
  • the N32 interface may provide two types of connections: (1) a N32-c connection for management of the N32 interface; and (2) a N32-f connection for sending of JWE and JWS protected messages between the SEPPs.
  • the cSEPP 1310 and the pSEPP 1316 may use a set of private keys for Data Protection extensions (dPX).
  • the dPX is a set of security extensions that provide enhanced data protection capabilities for user data in the 3GPP network.
  • dPX provides an additional layer of security to protect user data both at rest and in transit. It introduces new algorithms and protocols for encryption, integrity protection, and key management to ensure that user data is secure and protected from unauthorized access or tampering.
  • JWE is a standard format for encrypting and decrypting data in a JSON format. It is designed to provide a secure way to transmit data between different applications or services over the Internet.
  • JWE uses standard cryptographic algorithms, such as Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA), to provide encryption and decryption of JSON data. It also supports key management and allows for the exchange of encryption keys between different applications or services.
  • JWE defines a standard format for representing encrypted JSON data, which includes the encrypted data itself, along with metadata such as the encryption algorithm and key information.
  • JWE is commonly used in web applications and services to provide a secure way to transmit data, such as user credentials or sensitive information. It is also used in other contexts where secure transmission of data is important, such as in the Internet of Things (IoT) and other connected devices.
  • a JWE 1302 may receive an HTTP/2 request at the cSEPP 1310.
  • the JWE 1302 may output a clear text information element (IE) 1338, an encrypted IE 1340 and metadata 1342.
  • the cSEPP 1310 may send the HTTP/2 request over the N32 interface to the pSEPP 1316.
  • the HTTP/2 request may be encrypted and decrypted via the IP exchange (IPX) entities, the commercial IPX (cIPX) 1312 and the private IPX (pIPX) 1314, using the private key cIPX and the private key pIPX, respectively.
  • a JSON Web Signature (JWS) is a digitally signed representation of a JSON object that can be used to ensure the integrity of the contents and verify the identity of the signer.
  • the JWS contains a header, a payload, and a signature.
  • the header describes the algorithm used to sign the payload, and the signature is created by applying the specified algorithm to the header and payload using a secret key.
  • the JWS is used to provide integrity protection for the encrypted content of the JWE.
  • the encrypted content is first encrypted using a content encryption key, and then a JWS is created using the encrypted content and a set of headers.
  • the JWS is then included in the JWE alongside the encrypted content. When the recipient receives the JWE, they can use the JWS to verify the integrity of the encrypted content and confirm the identity of the signer.
  • a JWS 1304 may perform JSON patch modifications to form a public key dPX.
  • the public key dPX may comprise a JSON patch 1326, an IPX ID 1328, and a JWS signature 1330.
  • a JWS 1306 may perform JSON patch modifications to form a public key pPX.
  • the public key pPX may comprise a JSON patch 1332, an IPX ID 1334, and a JWS signature 1336.
  • the pSEPP 1316 may use a symmetric key A to generate clear text IE 1320, encrypted IE 1322, and metadata 1324. The pSEPP 1316 may then deliver the HTTP/2 request to the NF 1318.
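The N32-f handling sketched in the FIG. 13 bullets (an HTTP/2 request split into clear-text IE, encrypted IE and metadata, IPX modifications carried as a JWS over a JSON patch plus an IPX ID, and the pSEPP verifying signatures before rebuilding the request for the NF), as an added Python example. It is not the patent's or 3GPP's code: HS256 (HMAC) stands in for the signature algorithm, the encrypted IE is an opaque placeholder rather than a real JWE, and the keys, IPX IDs and modification policy are constructed.

```python
"""N32-f style protection between a cSEPP and a pSEPP. Added example, not
the page's or 3GPP's code: HS256 replaces the real signature algorithm, the
encrypted IE is a placeholder, keys and policy are constructed."""
import base64
import copy
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes, kid: str) -> str:
    # Compact JWS: base64url(header).base64url(payload).base64url(signature)
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify(token: str, keys: dict):
    """Return the payload if the signature checks under a known kid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:
        return None
    key = keys.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


def apply_json_patch(doc: dict, patch: list) -> dict:
    # Minimal RFC 6902 subset: add/replace/remove on object members only.
    doc = copy.deepcopy(doc)
    for op in patch:
        keys = [k.replace("~1", "/").replace("~0", "~")
                for k in op["path"].lstrip("/").split("/")]
        parent = doc
        for k in keys[:-1]:
            parent = parent[k]
        if op["op"] in ("add", "replace"):
            parent[keys[-1]] = op["value"]
        elif op["op"] == "remove":
            del parent[keys[-1]]
        else:
            raise ValueError("unsupported op " + op["op"])
    return doc


# Constructed policy: the only IE an IPX is allowed to rewrite in transit.
IPX_MODIFIABLE = {"/clearTextIes/forwardingHint"}


def csepp_send(request: dict, csepp_key: bytes) -> dict:
    """cSEPP: split the request into the three parts of FIG. 13 and sign
    them, so the pSEPP can separate the original from IPX edits."""
    body = {
        "clearTextIes": request["clear"],
        "encryptedIe": "<JWE placeholder, ciphering not shown>",
        "metadata": {"ipxChain": []},
    }
    return {"original": jws_sign(body, csepp_key, "csepp"), "modifications": []}


def ipx_modify(msg: dict, patch: list, ipx_key: bytes, ipx_id: str) -> dict:
    """An IPX on the path appends JSON patch + IPX ID as its own JWS."""
    msg = copy.deepcopy(msg)
    msg["modifications"].append(
        jws_sign({"ipxId": ipx_id, "jsonPatch": patch}, ipx_key, ipx_id))
    return msg


def psepp_receive(msg: dict, keys: dict) -> dict:
    """pSEPP: verify the cSEPP signature, then each IPX patch against its
    key and the modification policy, and rebuild the request for the NF."""
    doc = jws_verify(msg["original"], keys)
    if doc is None:
        raise ValueError("original message signature invalid")
    for token in msg["modifications"]:
        mod = jws_verify(token, keys)
        if mod is None:
            raise ValueError("IPX modification signature invalid")
        for op in mod["jsonPatch"]:
            if op["path"] not in IPX_MODIFIABLE:
                raise ValueError(f"{mod['ipxId']} may not modify {op['path']}")
        doc = apply_json_patch(doc, mod["jsonPatch"])
        doc["metadata"]["ipxChain"].append(mod["ipxId"])
    return doc
```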
  • FIG. 14 illustrates a message flow 1400 that may implement a direct secure connection between a UE and a NF in a distributed NAS architecture, such as distributed NAS architecture 500 or the distributed NAS architecture 700, using security techniques associated with the SEPP architecture as described with reference to FIG. 13.
  • the N2 reference point between a CU-CP 502 and the message bus 524 is transformed into a service-based interface (SBI) so that the CU-CP 502 can communicate with other NFs directly via one or more SBIs.
  • the message flow 1400 illustrates a way for the UE to securely communicate with different NFs using a distributed NAS architecture by leveraging a SEPP architecture, such as the distributed NAS architecture 500 or the distributed NAS architecture 700 and the security architecture 1300.
  • embodiments include improved security techniques that implement one or more of: (1) protocol stacks that enable the distributed NAS architecture; (2) secure communications between a UE and a NF; (3) routing and/or processing rules in different entities such as CU-CP for a distributed NAS architecture; and (4) a mechanism to find a NF instance to serve the UE.
  • Embodiments may use existing authentication and security (AS) security techniques or an established security channel to negotiate security parameters.
  • Various NFs can be discovered using a Fully Qualified Domain Name (FQDN).
  • a UE and a NF may then establish a secure connection, such as a TLS connection, a TTLS connection or an HTTPS connection, for example.
  • the message flow 1400 includes a set of messages exchanged between a UE 1402, a CU-CP 1404 and an NF 1406 to support various operations represented by block 1408, block 1410, block 1412, block 1414 and block 1416.
  • the UE 1402 exchanges messages with the CU-CP 1404 to establish AS security.
  • the UE 1402 exchanges messages with the CU-CP 1404 to support distributed NAS discovery over a NX-C interconnect.
  • the UE 1402 exchanges messages with the CU-CP 1404 and the NF 1406 to support security negotiations over a NX-F interconnect.
  • the UE 1402, the CU-CP 1404 and the NF 1406 exchange messages to establish a direct secure channel based on mutual authentication.
  • the UE 1402, the CU-CP 1404 and the NF 1406 exchange messages over the direct secure channel as protected distributed NAS messages.
  • An NF instance such as NF 1406 can be assigned to a UE 1402 during a registration procedure and stored as context information for the UE 1402.
  • the context information can be fetched as described in more detail in FIG. 16.
  • FIG. 15 illustrates a security architecture 1500.
  • the security architecture 1500 is similar to the security architecture 1300 modified to allow direct secure connections between a UE and a NF in a CN without an AMF.
  • the security architecture 1500 is a SEPP based architecture for HTTP based transport security and mutual authentication between network functions in a UE and core network, such as a 5GC.
  • the security architecture 1500 includes a UE 1504 in communication with a UE cSEPP 1506.
  • the UE cSEPP 1506 may communicate with a CU-CP pSEPP 1508 over a NX-C interconnect.
  • the NX-C interconnect may be used for messages to support mutual authentication between logical network functions.
  • the UE cSEPP 1506 may communicate with an NF 1510 via the CU-CP pSEPP 1508 over a NX-F interconnect.
  • the NX-F interconnect may be used for messages to support authentication operations for each NF.
  • the CU-CP pSEPP 1508 communicates messages with an NF 1510.
  • the UE cSEPP 1506 establishes AS security with the CU-CP pSEPP 1508 over the NX-C interconnect in accordance with 3GPP TS 33.501.
  • the UE cSEPP 1506 may use a modified version of the AS security interconnect N32-C, which is referred to herein as a NX-C.
  • all network functions should support mutually authenticated TLS and HTTPS as specified in IEEE RFC 7540 and RFC 2818.
  • the identities in the end-entity certificates are used for authentication and policy checks.
  • Network functions shall support both server-side and client-side certificates.
  • When the UE cSEPP 1506 receives an HTTP/2 request from the UE 1504, the UE cSEPP 1506 sends a symmetric key A to a JWE 1502 to encrypt the HTTP/2 request.
  • the JWE 1502 outputs a clear text IE 1530, an encrypted IE 1532, and metadata 1534 for transport to the CU-CP pSEPP 1508.
  • the CU-CP pSEPP 1508 uses the symmetric key A to output a clear text IE 1512, an encrypted IE 1514, and metadata 1516 for the HTTP/2 request.
  • the CU-CP pSEPP 1508 operates as a relay only with no visibility into messages, such as NAS messages. It then forwards the HTTP/2 request to the NF 1510.
  • the UE 1504 may use a UE cSEPP protocol stack 1558.
  • the UE cSEPP protocol stack 1558 may include several protocol layers, such as HTTP 1518, RRC 1520, PDCP 1522, RLC 1524, MAC 1526, and PHY 1528.
  • the CU-CP pSEPP 1508 may use a CU-CP protocol stack 1556.
  • the CU-CP protocol stack 1556 may also include several protocol layers, such as HTTP 1536, RRC 1538, PDCP 1540, RLC 1542, MAC 1544 and PHY 1546.
  • the CU-CP protocol stack 1556 may also have corresponding protocol layers, such as HTTP/HTTPS 1548, an IP/TCP/QUIC 1550, an L2 1552, and an L1 1554.
  • the UE cSEPP 1506 and the CU-CP pSEPP 1508 may transport various messages, including NAS messages, across the NX-C and NX-F interconnects using the UE cSEPP protocol stack 1558 and the CU-CP protocol stack 1556.
  • the SEPP entities may support a TLS wildcard certificate for their domain name and generation of a telescopic FQDN based on an FQDN obtained from a received NX-F message. This is described in more detail with reference to FIG. 16.
  • FIG. 16 illustrates a message flow 1600.
  • the message flow 1600 may support establishing a direct secure connection between a UE and a NF in a CN using the security architecture 1500. More particularly, the message flow 1600 illustrates messages to support discovery of an NF instance based on an NRF.
  • a UE 1602 may send a message 1610 to a CU-CP 1604.
  • the CU-CP 1604 may be representative of the CU-CP pSEPP 1508.
  • the message 1610 may comprise an initial distributed NAS message targeting an NF such as a SMF, PCF, SMSF, LMF, and other NFs in the 5GC.
  • the CU-CP 1604 may send a message 1612 to an NRF 1608.
  • the message 1612 may comprise a Nnrf_NFDiscovery_request to the NRF 1608 to find an NF instance for the UE 1602.
  • the NRF 1608 sends a message 1614 to the CU-CP 1604.
  • the message 1614 may comprise a Nnrf_NFDiscovery_response to the CU-CP 1604 about the targeted NF instance.
  • the Nnrf_NFDiscovery_response contains an HTTP message with fully qualified domain names (FQDNs) of a set of the discovered NF or NF service instances.
  • the CU-CP 1604 may generate a telescopic FQDN for each target network function in the discovery response, rewrite the original FQDN with the telescopic FQDN, and forward the modified discovery response to the UE 1602.
  • the CU-CP 1604 sends a message 1616 to the UE 1602 via the UE cSEPP 1506 over the NX-C interconnect.
  • the message 1616 may comprise the modified Nnrf_NFDiscovery_response with the telescopic FQDN.
  • When the CU-CP 1604 receives the message 1614, it considers the message 1614 as a distributed NAS message.
  • the CU-CP 1604 generates an HTTP/HTTPS message that includes the targeted NF information.
  • the CU-CP 1604 rewrites the FQDN from the received message 1614 with a telescopic FQDN, and it sends a message 1618 to a target NF, such as an NF 1606.
  • the message 1618 may comprise a modified HTTP message to the target network function.
  • the message 1618 may comprise a Nnrf_distributedNASTransfer_request message or a Nnf_service_operation_request message.
  • the CU-CP 1604 may send the message 1618 to an overload and oversubscription control function (OSCP) inside the PLMN.
  • the NF 1606 sends a message 1620 to the CU-CP 1604.
  • the message 1620 may comprise an HTTP/HTTPS response message to the CU-CP 1604 for a targeted UE, such as the UE 1602.
  • the message 1620 may comprise a Nnrf_distributedNASTransfer_response message or a Nnf_service_operation_response message.
  • the CU-CP 1604 sends a message 1622 to the UE 1602.
  • the message 1622 may comprise a distributed NAS message based on the information in the response received from the NF 1606 in message 1620.
  • the UE 1602 and the NF 1606 may establish a direct secure connection based on the information in the message 1622.
  • the UE 1602 and the NF 1606 may exchange message 1624 over the direct secure connection over NX-F.
  • the messages 1624 may comprise distributed NAS messages using the telescopic FQDN received in the message 1622.
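As an added example (not code from the patent), the CU-CP's rewrite of discovered NF FQDNs into telescopic FQDNs for messages 1614 through 1618, with the check that the rewritten name is covered by the SEPP's wildcard certificate. The label encoding (dots to single dashes, literal dashes doubled), the SEPP domain name and the sample discovery response are assumptions; TS 33.501 describes telescopic FQDNs but the patent does not fix the encoding.

```python
import re
from typing import Dict, List, Tuple

# Constructed values for this example (not from the patent).
SEPP_DOMAIN = "sepp.operator.example"           # the CU-CP pSEPP's own domain
WILDCARD_CERT_NAME = "*." + SEPP_DOMAIN         # subject of its TLS wildcard certificate
MAX_LABEL_LEN = 63                              # RFC 1035 limit for one DNS label

# Lower-case LDH host name: labels of [a-z0-9-], no leading or trailing '-'.
_FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]+(?<!-)(?:\.(?!-)[a-z0-9-]+(?<!-))*$")


def to_telescopic(nf_fqdn: str, sepp_domain: str = SEPP_DOMAIN) -> str:
    """Fold an NF FQDN into ONE label under the SEPP domain.

    Assumed encoding: '-' becomes '--' and '.' becomes '-', so the result is a
    single label (a wildcard certificate matches exactly one label) and can be
    inverted by from_telescopic().
    """
    host = nf_fqdn.rstrip(".").lower()
    if not _FQDN_RE.match(host):
        raise ValueError(f"not a valid FQDN: {nf_fqdn!r}")
    label = host.replace("-", "--").replace(".", "-")
    if len(label) > MAX_LABEL_LEN:
        # Edge case: long operator FQDNs overflow a DNS label; a real SEPP would
        # fall back to a shorter (e.g. hashed) label kept in its routing table.
        raise ValueError("telescopic label would exceed 63 octets")
    return f"{label}.{sepp_domain}"


def from_telescopic(telescopic: str, sepp_domain: str = SEPP_DOMAIN) -> str:
    """Inverse of to_telescopic(): recover the NF FQDN the CU-CP must route to."""
    suffix = "." + sepp_domain
    name = telescopic.lower()
    if not name.endswith(suffix):
        raise ValueError("name is not under the SEPP domain")
    label = name[: -len(suffix)]
    # A lone '-' was a '.'; a '--' run was a literal '-'.
    parts = re.split(r"(?<!-)-(?!-)", label)
    return ".".join(part.replace("--", "-") for part in parts)


def matches_wildcard(hostname: str, cert_name: str) -> bool:
    """RFC 6125 wildcard rule: '*.' covers exactly one leftmost label."""
    host, cert = hostname.lower(), cert_name.lower()
    if not cert.startswith("*."):
        return host == cert
    suffix = cert[1:]                       # ".sepp.operator.example"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def rewrite_discovery_response(nf_instances: List[Dict]) -> Tuple[List[Dict], Dict[str, str]]:
    """Rewrite every FQDN of an Nnrf_NFDiscovery_response (message 1614) into a
    telescopic FQDN for the UE (message 1616) and return the routing map the
    CU-CP keeps so later NX-F traffic can be relayed to the real NF (message 1618)."""
    rewritten: List[Dict] = []
    routing: Dict[str, str] = {}
    for inst in nf_instances:
        tele = to_telescopic(inst["fqdn"])
        routing[tele] = inst["fqdn"]
        rewritten.append({**inst, "fqdn": tele})
    return rewritten, routing


# Constructed discovery response with two SMF instances (not from the patent).
SAMPLE_DISCOVERY_RESPONSE = [
    {"nfType": "SMF", "fqdn": "smf-1.5gc.mnc012.mcc345.3gppnetwork.org"},
    {"nfType": "SMF", "fqdn": "smf-2.5gc.mnc012.mcc345.3gppnetwork.org"},
]

if __name__ == "__main__":
    modified, routes = rewrite_discovery_response(SAMPLE_DISCOVERY_RESPONSE)
    for inst in modified:
        tele = inst["fqdn"]
        print(tele, "->", routes[tele], "wildcard ok:", matches_wildcard(tele, WILDCARD_CERT_NAME))
```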
  • FIG. 17 may illustrate various protocol stacks 1700.
  • the protocol stacks 1700 may include a UE cSEPP protocol stack 1558, a CU-CP protocol stack 1556, and an NF protocol stack 1710.
  • Each of the protocol stacks 1700 may have full knowledge of a distributed NAS architecture implemented for the security architecture 1500 and the message flow 1600.
  • the UE 1504 and UE 1602 may use a UE cSEPP protocol stack 1558.
  • the UE cSEPP protocol stack 1558 may include several protocol layers, such as HTTP 1518, RRC 1520, PDCP 1522, RLC 1524, MAC 1526, and PHY 1528.
  • the CU-CP pSEPP 1508 and the CU-CP 1604 may use a CU-CP protocol stack 1556.
  • the CU-CP protocol stack 1556 may also include several protocol layers, such as HTTP 1536, RRC 1538, PDCP 1540, RLC 1542, MAC 1544 and PHY 1546.
  • the CU-CP protocol stack 1556 may also have corresponding protocol layers, such as HTTP/HTTPS 1548, an IP/TCP/QUIC 1550, an L2 1552, and an L1 1554.
  • the UE cSEPP 1506 and the CU-CP pSEPP 1508 may transport various messages, including NAS messages, across the NX-C and NX-F interconnects using the UE cSEPP protocol stack 1558 and the CU-CP protocol stack 1556.
  • the protocol stacks 1700 may include an NF protocol stack 1710 that may be used for direct secure communications.
  • the NF protocol stack 1710 may comprise various protocol layers, including an HTTP/HTTPS 1702, an IP/TCP/QUIC 1704, an L2 1706, and an L1 1708.
  • the security architecture 1500 and the message flow 1600 may implement the protocol stacks 1700 for security capability negotiation between the UE cSEPP 1506 and the CU-CP pSEPP 1508.
  • the security capability negotiation over NX-C allows the SEPP entities to negotiate which security mechanism to use for protecting NF service-related signaling over NX-F.
  • An agreed security mechanism shall be in place between a pair of SEPP entities before NF service-related signaling is conveyed over NX-F.
  • When a SEPP notices that it does not have an agreed security mechanism for NX-F protection with a peer SEPP, or if the security capabilities of the SEPP have been updated, the SEPP shall perform security capability negotiation with the peer SEPP over NX-C to determine which security mechanism to use for protecting NF service-related signaling over NX-F. Certificate-based authentication could follow the profiles given in 3GPP TS 33.210 standard, clause 6.2, for example.
  • a mutually authenticated TLS connection is used for protecting security capability negotiation over NX-C.
  • the TLS connection provides integrity, confidentiality, and replay protection.
  • FIG. 18 illustrates a message flow 1800.
  • the message flow 1800 may provide an example of message flows between the UE cSEPP 1506 and an NF SEPP 1802.
  • the message flow 1800 may support security capability negotiation and master session key (MSK) derivation.
  • MSK is a secret cryptographic key used for securing communication between a UE and a SEPP.
  • the MSK is generated during the initial setup of the security association between the UE and the SEPP, and it is used to derive other session keys, such as the Key Updater (KLIP) and Key Derivation Function (KDF) keys, that are used for securing different aspects of the communication between the UE and the SEPP.
  • Either the UE cSEPP 1506 or the NF SEPP 1802 may initiate a TLS connection. Assume the UE cSEPP 1506 is a SEPP that initiates a TLS connection.
  • the UE cSEPP 1506 may send a message 1804 to the NF SEPP 1802.
  • the message 1804 may comprise a POST request, such as a Security Parameter Exchange Request, to the exchange-capability resource of the responding SEPP, including the initiating SEPP's supported security mechanisms (e.g., supported cipher suites) for protecting the NF service-related signaling over NX-F.
  • the security mechanisms shall be ordered in the initiating SEPP priority order.
  • the cipher suite shall be ordered in initiating SEPP priority order.
  • the SEPP shall provide an initiating SEPP NX-F context ID for the responding SEPP.
  • the NF SEPP 1802 may be a responding SEPP.
  • the responding SEPP compares the received security capabilities to its supported security capabilities and it selects a security mechanism supported by both the initiating SEPP and the responding SEPP.
  • the NF SEPP 1802, as the responding SEPP, sends a message 1806 to the UE cSEPP 1506.
  • the message 1806 may comprise a response to the initiating SEPP with the selected security mechanism (including the selected cipher suite) using a Security Parameter Exchange Response for protecting the NF service-related signaling over the NX-F interconnect.
  • the two SEPP entities can export keying material from the TLS session established between them using a TLS export function.
  • For TLS 1.2, for example, the exporter specified in IEEE RFC 5705 can be used.
  • For TLS 1.3, for example, the exporter described in section 7.5 of IEEE RFC 8446 can be used.
  • the exported key shall be used as the master key to derive session keys and initial vectors (IVs) for the NX-F context.
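An added example, not the patent's code, of the NX-C negotiation in messages 1804 and 1806 followed by the derivation of NX-F session keys and IVs from the exported master key. The field names, the sample capabilities, the rule of taking the first common entry in the initiator's priority order, the use of HKDF-Expand to split the master key, and the exporter output itself (a constructed byte string, since Python's ssl module exposes no exporter) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SeppCapabilities:
    """Security mechanisms and cipher suites a SEPP supports, highest priority first."""
    mechanisms: List[str]
    cipher_suites: List[str]


# Constructed capabilities for the two peers (sample values, not from the patent).
UE_CSEPP = SeppCapabilities(
    mechanisms=["TLS", "PRINS"],
    cipher_suites=["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                   "TLS_CHACHA20_POLY1305_SHA256"],
)
NF_SEPP = SeppCapabilities(
    mechanisms=["PRINS", "TLS"],
    cipher_suites=["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
)


def build_sec_param_exchange_request(initiator: SeppCapabilities,
                                     nxf_context_id: bytes) -> Dict:
    """Message 1804: body of the POST to the responder's exchange-capability
    resource. Field names are assumed."""
    return {
        "supportedSecMechanisms": list(initiator.mechanisms),    # initiator priority order
        "supportedCipherSuites": list(initiator.cipher_suites),  # initiator priority order
        "initiatingNxfContextId": nxf_context_id.hex(),
    }


def select_common(initiator_pref: List[str], responder_supported: List[str]) -> Optional[str]:
    """First entry in the initiator's priority order that the responder also supports."""
    supported = set(responder_supported)
    return next((item for item in initiator_pref if item in supported), None)


def handle_sec_param_exchange_request(request: Dict, responder: SeppCapabilities,
                                      responder_context_id: bytes) -> Dict:
    """Message 1806: the responder selects one mechanism and one cipher suite, or
    rejects when nothing is common (no NX-F signaling may be conveyed then)."""
    mechanism = select_common(request["supportedSecMechanisms"], responder.mechanisms)
    suite = select_common(request["supportedCipherSuites"], responder.cipher_suites)
    if mechanism is None or suite is None:
        return {"status": "rejected", "cause": "no common security mechanism or cipher suite"}
    return {
        "status": "ok",
        "selectedSecMechanism": mechanism,
        "selectedCipherSuite": suite,
        "respondingNxfContextId": responder_context_id.hex(),
    }


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256. The TLS exporter output is
    already uniformly random, so it is used directly as the PRK (assumption)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_nxf_keys(master_key: bytes, initiator_ctx: bytes, responder_ctx: bytes,
                    cipher_suite: str) -> Dict[str, bytes]:
    """Derive per-direction session keys and IVs for the NX-F context from the
    master key exported from the NX-C TLS session. Labels are assumed; key size
    follows the negotiated AEAD suite, IVs are 96 bits as for AES-GCM/ChaCha20."""
    key_len = 32 if ("AES_256" in cipher_suite or "CHACHA20" in cipher_suite) else 16
    iv_len = 12
    binding = initiator_ctx + responder_ctx      # ties the keys to this NX-F context
    keys: Dict[str, bytes] = {}
    for direction in (b"c2p", b"p2c"):           # consumer->producer, producer->consumer
        name = direction.decode()
        keys[name + "_key"] = hkdf_expand(master_key, b"NX-F key " + direction + binding, key_len)
        keys[name + "_iv"] = hkdf_expand(master_key, b"NX-F iv " + direction + binding, iv_len)
    return keys


# Constructed stand-in for the TLS exporter output (RFC 5705 / RFC 8446 section 7.5);
# Python's ssl module has no exporter API, a real SEPP takes this from its TLS stack.
SAMPLE_EXPORTED_MASTER_KEY = hashlib.sha256(b"constructed exporter output").digest()
UE_CTX_ID = bytes.fromhex("0102030405060708")   # constructed initiating NX-F context ID
NF_CTX_ID = bytes.fromhex("1112131415161718")   # constructed responding NX-F context ID

if __name__ == "__main__":
    req = build_sec_param_exchange_request(UE_CSEPP, UE_CTX_ID)
    resp = handle_sec_param_exchange_request(req, NF_SEPP, NF_CTX_ID)
    print(resp)
    if resp["status"] == "ok":
        keys = derive_nxf_keys(SAMPLE_EXPORTED_MASTER_KEY, UE_CTX_ID, NF_CTX_ID,
                               resp["selectedCipherSuite"])
        print({k: v.hex() for k, v in keys.items()})
```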
  • JWE tokens are used for authorization between NF to NF in the core network.
  • Existing JWE token-based authorization using NRF can still be used between UE and NF.
  • the NRF, as part of a discovery response, provides a JWE token or keying material to the UE.
  • FIG. 19 illustrates a logic flow 1900.
  • the logic flow 1900 may be used to establish a direct secure connection between a UE and a NF in a CN of a 5GS.
  • the logic flow 1900 may be implemented on any UE as described herein, such as UE 930, for example.
  • logic flow 1900 determines to establish a direct secure connection between a UE and a network function (NF) of a core network (CN) of a fifth generation (5G) system (5GS).
  • logic flow 1900 generates a distributed non-access stratum (NAS) message for the NF.
  • logic flow 1900 encodes the distributed NAS message in a first radio resource control (RRC) message.
  • logic flow 1900 initiates transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the 5GS.
  • logic flow 1900 decodes a second RRC message received from the base station, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF in the CN of the 5GS.
  • the processing circuitry 904 of the UE 930 may execute a connection manager 918 to determine to establish a direct secure connection between the UE 930 and a NF of a CN of a 5GS.
  • the connection manager 918 may generate a distributed NAS message for the NF 936, encode the distributed NAS message in a first RRC message, and initiate transmission of the first RRC message from the UE 930 to a base station 924 of a RAN of the 5GS.
  • the security codec 902 may decode a second RRC message received from the base station 924, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF 936 in the CN 934 of the 5GS.
  • the connection manager 918 may use the telescopic FQDN for the NF 936 to establish a direct secure connection 938 between the UE 930 and the NF 936.
  • the logic flow 1900 may optionally include additional blocks, logic flows, procedures or methods that may be implemented by the processing circuitry 904 of the UE 930. Some examples of methods suitable for implementation by the processing circuitry 904 of the UE 930 are provided below.
  • the method may also include where the UE is a service consumer and the NF is a service producer, or vice-versa
  • the method may also be implemented by the processing circuitry for providing data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF.
  • the method may also be implemented by the processing circuitry for establishing a direct secure connection between the UE and NF of the CN of the 5GS using the telescopic FQDN for the NF, the direct secure connection to comprise a transport layer security (TLS) connection, a tunneled transport layer security (TTLS) connection, a secure socket layer (SSL) connection, or a hypertext transfer protocol secure (HTTPS) connection.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF, where the direct secure connection is established using a virtual security anchor proxy at the UE and the NF.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF, where the direct secure connection is established via a service based interface (SBI) between the UE and the NF.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF and without an access and mobility function (AMF) of the CN of the 5GS.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF and a previously established security association for the UE.
  • the method may also be implemented by the processing circuitry for initiating establishment of a direct secure connection between the UE and the NF of the CN of the 5GS using the telescopic FQDN for the NF and a security edge protection proxy (SEPP) to negotiate and establish the direct secure connection.
  • the method may also be implemented by the processing circuitry for establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, and establishing a second security association with the NF using the first security association.
  • the method may also be implemented by the processing circuitry for establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiating a security parameter for a second security association using the first security association, and establishing the second security association with the NF using the first security association and the negotiated security parameter.
  • the method may also be implemented by the processing circuitry for establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiating a security parameter for a second security association using the first security association, and establishing the second security association with the NF using the first security association and the negotiated security parameter, where the second security association is established using token-based dynamic authorization via a network repository function (NRF).
  • the method may also be implemented by the processing circuitry for establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, where the first security association is established via a NX-C interface, and establishing a second security association with the NF using the first security association, where the second security association is established via a NX-F interface.
  • FIG. 20 schematically illustrates a wireless network 2000 in accordance with various embodiments.
  • the wireless network 2000 may include a UE 2002 in wireless communication with an AN 2024.
  • the UE 2002 and AN 2024 may be similar to, and substantially interchangeable with, like-named components described elsewhere herein.
  • the UE 2002 may be communicatively coupled with the AN 2024 via connection 2046.
  • the connection 2046 is illustrated as an air interface to enable communicative coupling, and can be consistent with cellular communications protocols such as an LTE protocol or a 5G NR protocol operating at mmWave or sub-6GHz frequencies.
  • the UE 2002 may include a host platform 2004 coupled with a modem platform 2008.
  • the host platform 2004 may include application processing circuitry 2006, which may be coupled with protocol processing circuitry 2010 of the modem platform 2008.
  • the application processing circuitry 2006 may run various applications for the UE 2002 that source/sink application data.
  • the application processing circuitry 2006 may further implement one or more layer operations to transmit/receive application data to/from a data network. These layer operations may include transport (for example, UDP) and Internet (for example, IP) operations.
  • the protocol processing circuitry 2010 may implement one or more of layer operations to facilitate transmission or reception of data over the connection 2046.
  • the layer operations implemented by the protocol processing circuitry 2010 may include, for example, MAC, RLC, PDCP, RRC and NAS operations.
  • the modem platform 2008 may further include digital baseband circuitry 2034 that may implement one or more layer operations that are “below” layer operations performed by the protocol processing circuitry 2010 in a network protocol stack. These operations may include, for example, PHY operations including one or more of HARQ-ACK functions, scrambling/descrambling, encoding/decoding, layer mapping/de-mapping, modulation symbol mapping, received symbol/bit metric determination, multi-antenna port precoding/decoding, which may include one or more of space-time, space-frequency or spatial coding, reference signal generation/detection, preamble sequence generation and/or decoding, synchronization sequence generation/detection, control channel signal blind decoding, and other related functions.
  • the modem platform 2008 may further include transmit circuitry 2014, receive circuitry 2016, RF circuitry 2018, and RF front end (RFFE) 2020, which may include or connect to one or more antenna panels 2022.
  • the transmit circuitry 2014 may include a digital-to-analog converter, mixer, intermediate frequency (IF) components, etc.
  • the receive circuitry 2016 may include an analog-to-digital converter, mixer, IF components, etc.
  • the RF circuitry 2018 may include a low-noise amplifier, a power amplifier, power tracking components, etc.
  • RFFE 2020 may include filters (for example, surface/bulk acoustic wave filters), switches, antenna tuners, beamforming components (for example, phase-array antenna components), etc.
  • transmit/receive components may be specific to details of a specific implementation such as, for example, whether communication is TDM or FDM, in mmWave or sub-6 GHz frequencies, etc.
  • the transmit/receive components may be arranged in multiple parallel transmit/receive chains, may be disposed in the same or different chips/modules, etc.
  • the protocol processing circuitry 2010 may include one or more instances of control circuitry (not shown) to provide control functions for the transmit/receive components.
  • a UE reception may be established by and via the antenna panels 1922, RFFE 1920, RF circuitry 1918, receive circuitry 1916, digital baseband circuitry 1912, and protocol processing circuitry 1910.
  • the antenna panels 1922 may receive a transmission from the AN 1924 by receive-beamforming signals received by a plurality of antennas/antenna elements of the one or more antenna panels 1922.
  • a UE transmission may be established by and via the protocol processing circuitry 1910, digital baseband circuitry 1912, transmit circuitry 1914, RF circuitry 1918, RFFE 1920, and antenna panels 1922.
  • the transmit components of the UE 1924 may apply a spatial filter to the data to be transmitted to form a transmit beam emitted by the antenna elements of the antenna panels 1922.
  • the AN 1924 may include a host platform 1926 coupled with a modem platform 1930.
  • the host platform 1926 may include application processing circuitry 1928 coupled with protocol processing circuitry 1932 of the modem platform 1930.
  • the modem platform may further include digital baseband circuitry 1934, transmit circuitry 1936, receive circuitry 1938, RF circuitry 1940, RFFE circuitry 1942, and antenna panels 1944.
  • the components of the AN 1924 may be similar to and substantially interchangeable with like-named components of the UE 1902.
  • the components of the host platform 1904 may perform various logical functions that include, for example, RNC functions such as radio bearer management, uplink and downlink dynamic radio resource management, and data packet scheduling.
  • FIG. 21 is a block diagram illustrating an apparatus 2100 with various components, according to some example embodiments, able to read instructions from a machine-readable or computer-readable medium (e.g., a non-transitory machine-readable storage medium) and perform any one or more of the methodologies discussed herein.
  • FIG. 21 shows a diagrammatic representation of hardware resources 2030 including one or more processors (or processor cores) 2010, one or more memory/storage devices 2022, and one or more communication resources 2026, each of which may be communicatively coupled via a bus 2020 or other interface circuitry.
  • for node virtualization (e.g., NFV), a hypervisor 2002 may be executed to provide an execution environment for one or more network slices/sub-slices to utilize the hardware resources 2030.
  • the processors 2010 may include, for example, a processor 2012 and a processor 2014.
  • the processors 2010 may be, for example, a central processing unit (CPU), a reduced instruction set computing (RISC) processor, a complex instruction set computing (CISC) processor, a graphics processing unit (GPU), a DSP such as a baseband processor, an ASIC, an FPGA, a radio-frequency integrated circuit (RFIC), another processor (including those discussed herein), or any suitable combination thereof.
  • the memory/storage devices 2022 may include main memory, disk storage, or any suitable combination thereof.
  • the memory/storage devices 2022 may include, but are not limited to, any type of volatile, non-volatile, or semi-volatile memory such as dynamic random access memory (DRAM), static random access memory (SRAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), Flash memory, solid-state storage, etc.
  • the communication resources 2026 may include interconnection or network interface controllers, components, or other suitable devices to communicate with one or more peripheral devices 2004 or one or more databases 2006 or other network elements via a network 2008.
  • the communication resources 2026 may include wired communication components (e.g., for coupling via USB, Ethernet, etc.), cellular communication components, NFC components, Bluetooth® (or Bluetooth® Low Energy) components, Wi-Fi® components, and other communication components.
  • Instructions 2016, 2018, 2024, 2028, 2032 may comprise software, a program, an application, an applet, an app, or other executable code for causing at least any of the processors 2010 to perform any one or more of the methodologies discussed herein.
  • the instructions 2016, 2018, 2024, 2028, 2032 may reside, completely or partially, within at least one of the processors 2010 (e.g., within the processor’s cache memory), the memory/storage devices 2022, or any suitable combination thereof.
  • any portion of the instructions 2016, 2018, 2024, 2028, 2032 may be transferred to the hardware resources 2030 from any combination of the peripheral devices 2004 or the databases 2006. Accordingly, the memory of processors 2010, the memory/storage devices 2022, the peripheral devices 2004, and the databases 2006 are examples of computer-readable and machine-readable media.
  • At least one of the components set forth in one or more of the preceding figures may be configured to perform one or more operations, techniques, processes, and/or methods as set forth in the example section below.
  • the baseband circuitry as described above in connection with one or more of the preceding figures may be configured to operate in accordance with one or more of the examples set forth below.
  • circuitry associated with a UE, base station, network element, etc. as described above in connection with one or more of the preceding figures may be configured to operate in accordance with one or more of the examples set forth below in the example section.
  • FIG. 22 illustrates a computer readable media 2202.
  • the computer readable media 2202 may store one or more computer executable instructions 2204 to implement one or more embodiments as described herein.
  • Various aspects or features described herein can be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques.
  • the term “article of manufacture” as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • computer readable media 2202 can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical disks (e.g., compact disk (CD), digital versatile disk (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.).
  • various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term “machine-readable medium” can include, without being limited to, wireless channels and various other media capable of storing, containing, and/or carrying instruction(s) and/or data.
  • a computer program product can include a computer readable medium having one or more instructions or codes operable to cause a computer to perform functions described herein.
  • Communications media embody computer executable instructions 2204 or computer-readable instructions, data structures, program modules or other structured or unstructured data in a data signal such as a modulated data signal, e.g., a carrier wave or other transport mechanism, and include any information delivery or transport media.
  • a modulated data signal refers to a signal that has one or more of its characteristics set or changed in such a manner as to encode information in one or more signals.
  • communication media include wired media, such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media.
  • An exemplary storage medium can be coupled to a processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can be integral to the processor.
  • the processor and storage medium can reside in an ASIC.
  • the ASIC can reside in a user terminal.
  • the processor and storage medium can reside as discrete components in a user terminal.
  • the processes and/or actions of a method or algorithm can reside as one or any combination or set of codes and/or instructions on a machine-readable medium and/or computer readable medium, which can be incorporated into a computer program product.
  • an apparatus for user equipment (UE) of a wireless system includes a memory interface to send or receive, to or from a data storage device, security context data for a wireless system, the security context data to include non-access stratum (NAS) security anchor function (SEAF) (NAS-SEAF) security context data.
  • NAS non-access stratum
  • SEAF security anchor function
  • the apparatus also includes processing circuitry communicatively coupled to the memory interface, the processing circuitry to determine to establish a secure NAS signaling connection with a network function (NF) (NAS-NF) of a core network (CN) of the wireless system, generate a NAS-NF request message, encode the NAS-NF request message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decode a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the wireless system, the NAS-NF security context data based on the NAS-SEAF security context data associated with the UE for the wireless system.
  • NF network function
  • CN core network
  • RRC radio resource control
  • the apparatus may also include where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the apparatus may also include where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the apparatus may also include where the NAS-NF security context data to comprise security information to generate a shared security key by the UE, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the apparatus may also include where the NAS-NF security context data includes security information to generate a master security key by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the apparatus may also include where the first RRC message includes a UE identifier, a security anchor function (SEAF) identifier, or a NF identifier parameter.
  • the apparatus may also include the processing circuitry to generate the NAS-NF request message in clear text.
  • the apparatus may also include a memory communicatively coupled to the memory interface, the memory to store the NAS-SEAF security context data associated with the UE for the wireless system.
  • the apparatus may also include the processing circuitry to retrieve the NAS-SEAF security context data stored in the memory, and generate a shared security key based on the NAS-SEAF security context data, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the apparatus may also include the processing circuitry to generate a master security key based on the NAS-NF security context data by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without the NAS-SEAF security context data.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the logical CN of the wireless system using the NAS-NF security context data and without the NAS-SEAF security context data.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without an access and mobility function (AMF) of the CN of the wireless system.
  • the apparatus may also include a radio frequency (RF) interface communicatively coupled to the processing circuitry, the RF interface configured to provide data for RF circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • RF radio frequency
  • a method for user equipment (UE) to manage secure connections includes determining to establish a secure connection with a network function (NF) of a core network (CN) of a wireless system by a UE, generating a request message to establish a session with the CN of the wireless system, encoding the request message in a first radio resource control (RRC) message, initiating transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decoding a second RRC message received by the UE from the base station of the RAN, the second RRC message to include security information to establish secure connections directly between the UE and the NF of the CN, the security information based on master security information associated with the UE.
  • a method for user equipment (UE) of a wireless system includes determining to establish a secure non-access stratum (NAS) signaling connection with a network function (NF) (NAS-NF) of a core network (CN) of a wireless system, generating a NAS-NF request message, encoding the NAS-NF request message in a first radio resource control (RRC) message, initiating transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decoding a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the wireless system, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the wireless system.
  • the method may also include where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the method may also include where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the method may also include where the NAS-NF security context data to comprise security information to generate a shared security key by the UE, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the method may also include where the NAS-NF security context data includes security information to generate a master security key by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the method may also include where the first RRC message includes a UE identifier, a security anchor function (SEAF) identifier, or a NF identifier parameter.
  • the method may also include generating the NAS-NF request message in clear text.
  • the method may also include retrieving the NAS-SEAF security context data associated with the UE for the wireless system, and generating a shared security key based on the NAS-SEAF security context data, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the method may also include generating a master security key based on the NAS-NF security context data by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without the NAS-SEAF security context data.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the logical CN of the wireless system using the NAS-NF security context data and without the NAS-SEAF security context data.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without an access and mobility function (AMF) of the CN of the wireless system.
  • AMF access and mobility function
  • the method may also include providing data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • a non-transitory computer-readable storage medium including instructions that when executed by a processing circuitry, cause the processing circuitry to determine to establish a non-access stratum (NAS) signaling connection session with a network function (NF) (NAS-NF) of a core network (CN) of a wireless system, generate a NAS-NF request message, encode the NAS-NF request message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decode a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the wireless system, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the wireless system.
  • the computer-readable storage medium may also include where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the computer-readable storage medium may also include where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the computer-readable storage medium may also include where the NAS-NF security context data to comprise security information to generate a shared security key by the UE, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the computer-readable storage medium may also include where the NAS-NF security context data includes security information to generate a master security key by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the computer-readable storage medium may also include where the first RRC message includes a UE identifier, a security anchor function (SEAF) identifier, or a NF identifier parameter.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to generate the NAS-NF request message in clear text.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to retrieve the NAS-SEAF security context data associated with the UE for the wireless system, and generate a shared security key based on the NAS-SEAF security context data, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to generate a master security key based on the NAS-NF security context data by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without the NAS-SEAF security context data.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the logical CN of the wireless system using the NAS-NF security context data and without the NAS-SEAF security context data.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using a master security key and without an access and mobility function (AMF) of the CN of the wireless system.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to provide data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • a method for a network function (NF) of a wireless system includes decoding a non-access stratum (NAS) signaling connection with a NF (NAS-NF) request message from a radio access network (RAN) of a wireless system by a network function (NF) of a core network (CN) of the wireless system, the NAS-NF request message to request establishment of a secure NAS signaling connection with a network function (NF) (NAS-NF) of the CN, initiating transmission of a request for NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE to a SEAF of the CN, authenticating the UE with the NAS-SEAF security context data, generating NAS-NF security context data for the UE and the NF of the CN of the wireless system, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the wireless system, and initiating transmission of a NAS security anchor function (SEAF)
  • the method may also include where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the method may also include where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the method may also include where the NAS-NF security context data to comprise security information to generate a shared security key by the UE, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the method may also include where the NAS-NF security context data includes security information to generate a master security key by the UE, the master security key to comprise a security key KNF for a security association between the UE and the NF of the CN.
  • the apparatus may also include the processing circuitry to encrypt at least a portion of the NAS-NF request message with the shared security key prior to initiation of transmission of the first RRC message.
  • the apparatus may also include the processing circuitry to add security information to generate the shared security key by a network function (NF) of the CN to a non-encrypted portion of the NAS-NF request message prior to initiation of transmission of the first RRC message.
  • the method may also include encrypting at least a portion of the NAS-NF request message with the shared security key prior to initiation of transmission of the first RRC message.
  • the method may also include adding security information to generate the shared security key by a network function (NF) of the CN to a non-encrypted portion of the NAS-NF request message prior to initiation of transmission of the first RRC message.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to encrypt at least a portion of the NAS-NF request message with the shared security key prior to initiation of transmission of the first RRC message.
  • the computer-readable storage medium may also include instructions that when executed by the processing circuitry causes the processing circuitry to add security information to generate the shared security key by a network function (NF) of the CN to a non-encrypted portion of the NAS-NF request message prior to initiation of transmission of the first RRC message.
  • an apparatus for user equipment (UE) of a wireless system comprises: means for determining to establish a secure non-access stratum (NAS) signaling connection with a network function (NF) (NAS-NF) of a core network (CN) of a wireless system; means for generating a NAS-NF request message; means for encoding the NAS-NF request message in a first radio resource control (RRC) message; means for initiating transmission of the first RRC message from a UE to a base station of a radio access network (RAN) of the wireless system; and means for decoding a second RRC message received from the base station, the second RRC message to include NAS-NF security context data for the UE and the NF of the CN of the wireless system, the NAS-NF security context data based on NAS security anchor function (SEAF) (NAS-SEAF) security context data associated with the UE for the wireless system.
  • the example includes where the NAS-SEAF security context data to comprise an anchor key for a security anchor function (SEAF), the anchor key to comprise a security key KSEAF provided during authentication and used for derivation of subsequent security keys.
  • the example includes where the NAS-NF security context data to comprise a shared security key, the shared security key to comprise a security key KNF for a security association between the UE and a NF of the CN.
  • the example includes means for storing the NAS-SEAF security context data associated with the UE for the wireless system; means for retrieving the NAS-SEAF security context data stored in the memory; and means for generating a shared security key based on the NAS-SEAF security context data, the shared security key to comprise a security key KNF for a security association between the UE and a network function (NF) of the CN.
  • the example includes means for transmitting radio-frequency (RF) signals with the first RRC message and receiving RF signals with the second RRC message.
  • Example 1 may include the method for the security of Non-Access Stratum (NAS) signalling messages in a next-generation mobile system.
  • Example 2 may include the method of example 1 or some other example herein, whereby the UE performs NAS signalling directly with each individual Core Network (CN) function.
  • Example 3 may include the method of example 2 or some other example herein, whereby the Serving network authenticates the UE based on long-term credentials stored in the UE and the UE’s Home network.
  • Example 4 may include the method of examples 2 or 3 or some other example herein, whereby the UE establishes a master security association with the Serving network as part of the authentication.
  • Example 5 may include the method of example 4 or some other example herein, whereby the information for the master security association is stored in the UE and in the Security Anchor Function (SEAF) in the Serving network.
  • Example 6 may include the method of example 5 or some other example herein, whereby the UE sends a NAS signalling message to a new Network Function (NF) in the Core Network (CN).
  • Example 7 may include the method of example 6 or some other example herein, whereby the UE sends the NAS signalling message as clear text.
  • Example 8 may include the method of example 6 or some other example herein, whereby the UE derives a shared key (KNF) based on the master security association and a random nonce.
  • KNF shared key
  • Example 9 may include the method of example 8 or some other example herein, whereby the UE at least partially encrypts the NAS signalling message using the shared key (KNF), the non-encrypted part containing key material and material to authenticate the UE with the SEAF.
  • Example 10 may include the method of examples 7 or 9 or some other example herein, whereby the Radio Access Network forwards the NAS signalling message directly to the new NF.
  • Example 11 may include the method of example 10 or some other example herein, whereby the Radio Access Network includes the SEAF identity and a UE identity in addition to the NAS signalling message.
  • Example 12 may include the method of example 11 or some other example herein, whereby the UE identity is generated by the SEAF and uniquely identifies the UE within the SEAF.
  • Example 13 may include the method of example 11 or some other example herein, whereby the UE identity is provided by the UE.
  • Example 14 may include the method of examples 10, 11, 12, 13, or some other example herein, whereby the new NF determines that the NAS message comes from an unknown UE (i.e., a UE for which it does not have a security association).
  • Example 15 may include the method of example 14 or some other example herein, whereby the new NF queries the NRF using the UE identity in order to retrieve the SEAF.
  • Example 16 may include the method of examples 14 or 15 or some other example herein, whereby the new NF contacts the SEAF indicating the UE identity and optionally the key material provided by the UE.
  • Example 17 may include the method of example 16 or some other example herein, whereby the SEAF authenticates the UE request and provides key material to the new NF that the new NF uses to bootstrap security association with the UE (i.e., to derive the same shared key (KNF) as the UE).
  • Example 18 may include the method of example 17 or some other example herein, whereby the new NF sends a NAS signalling message to the UE in response to the NAS signalling message received from the UE.
  • Example 19 may include the method of example 18 or some other example herein, whereby the new NF at least partially encrypts the NAS signalling message using the shared key (KNF).
  • Example 20 may include the method of example 19 or some other example herein, whereby the non-encrypted part of the NAS signalling message includes key material that the UE uses to bootstrap security association with the new NF (i.e., to derive the same shared key (KNF) as the new NF).
  • Example 21 may include the method of example 20 or some other example herein, whereby the subsequent NAS messages between the UE and the new NF are protected using the established security association between the UE and the new NF.
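The bootstrap of Examples 8 to 17 played end to end, as an added example that is not the patent's own code: the UE derives KNF from its master key and a random nonce and partially encrypts the NAS message; the new NF, holding no security association for that UE, hands the clear part to the SEAF, which authenticates the request and returns KNF so the NF can open the protected part. Assumed, because the patent fixes none of them: a 256-bit KSEAF as the master security association, an HMAC-SHA256 KDF in the style of 3GPP TS 33.220 with constructed FC labels, AES-256-GCM for the encrypted part with the clear part as associated data, an HMAC under a KSEAF-derived key as the UE's authentication material toward the SEAF, and constructed identities and payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed FC labels; the patent names no KDF and no labels.
const fcKNF, fcAuth byte = 0x01, 0x02

// kdf is a 3GPP TS 33.220-style KDF: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...).
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte{fc})
	for _, p := range params { // each parameter is followed by its 16-bit length
		mac.Write(p)
		mac.Write(binary.BigEndian.AppendUint16(nil, uint16(len(p))))
	}
	return mac.Sum(nil)
}

// DeriveKNF binds KNF to the nonce and the NF identity (Example 8): a key for one NF is useless at another.
func DeriveKNF(kseaf, nonce []byte, nfID string) []byte { return kdf(kseaf, fcKNF, nonce, []byte(nfID)) }

// clearPart is the non-encrypted part of the message (Example 9): identities and nonce.
func clearPart(ueID, nfID string, nonce []byte) []byte { return append([]byte(ueID+"|"+nfID+"|"), nonce...) }

// authTag is a MAC the SEAF can check; its key is derived from KSEAF, so the anchor key never reaches the NF.
func authTag(kseaf, clear []byte) []byte {
	mac := hmac.New(sha256.New, kdf(kseaf, fcAuth))
	mac.Write(clear)
	return mac.Sum(nil)
}

// gcm builds AES-256-GCM under KNF; KNF is always a 32-byte HMAC output, so setup cannot fail.
func gcm(knf []byte) cipher.AEAD {
	block, _ := aes.NewCipher(knf)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// NASRequest is the partially encrypted distributed-NAS message sent by the UE.
type NASRequest struct {
	UEID, NFID     string
	Nonce, AuthTag []byte // Nonce: 12 bytes, both KDF input and GCM nonce (KNF is fresh per nonce)
	Payload        []byte // AES-256-GCM ciphertext with the clear part bound as associated data
}

// UEBuildRequest is the UE side of Examples 8-9; it also returns the UE's copy of KNF.
func UEBuildRequest(kseaf []byte, ueID, nfID string, nasPayload []byte) (*NASRequest, []byte) {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	clear := clearPart(ueID, nfID, nonce)
	knf := DeriveKNF(kseaf, nonce, nfID)
	r := &NASRequest{UEID: ueID, NFID: nfID, Nonce: nonce, AuthTag: authTag(kseaf, clear)}
	r.Payload = gcm(knf).Seal(nil, nonce, nasPayload, clear)
	return r, knf
}

// SEAF keeps the master security association per UE (Example 5).
type SEAF struct{ contexts map[string][]byte }

// Bootstrap answers the new NF (Examples 16-17); one error for unknown UE and bad tag avoids revealing which UEs exist.
func (s *SEAF) Bootstrap(ueID, nfID string, nonce, tag []byte) ([]byte, error) {
	kseaf, ok := s.contexts[ueID]
	if !ok || !hmac.Equal(tag, authTag(kseaf, clearPart(ueID, nfID, nonce))) {
		return nil, errors.New("seaf: UE authentication failed")
	}
	return DeriveKNF(kseaf, nonce, nfID), nil
}

// NF is a new network function with no security association for the UE yet (Example 14).
type NF struct {
	ID   string
	seaf *SEAF
	keys map[string][]byte // established KNF per UE; a known UE skips the SEAF (later messages not modelled)
}

// HandleRequest bootstraps KNF through the SEAF on first contact and opens the protected part.
func (nf *NF) HandleRequest(r *NASRequest) ([]byte, error) {
	if r.NFID != nf.ID { // a request bound to another NF must not be bootstrapped here
		return nil, errors.New("nf: request addressed to a different NF")
	}
	knf, ok := nf.keys[r.UEID]
	if !ok {
		k, err := nf.seaf.Bootstrap(r.UEID, nf.ID, r.Nonce, r.AuthTag)
		if err != nil {
			return nil, err
		}
		knf, nf.keys[r.UEID] = k, k
	}
	return gcm(knf).Open(nil, r.Nonce, r.Payload, clearPart(r.UEID, r.NFID, r.Nonce))
}
```

The NRF lookup of Example 15 is collapsed into a direct SEAF reference held by the NF.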
  • Example 22 includes a method to be performed by a user equipment (UE), one or more elements of a UE, and/or an electronic device that implements or includes a UE, wherein the method comprises: establishing a security key with a security anchor function (SEAF) of a network;
  • Example 23 includes the method of example 22, and/or some other example herein, wherein the method comprises communicating with the other NF without going through the AMF.
  • Example 24 includes the method of any of examples 22-23, and/or some other example herein, wherein the network is a fifth generation (5G) network.
  • Example 25 includes the method of any of examples 22-24, and/or some other example herein, wherein the communication is non-access stratum (NAS) communication.
  • Example 26 includes a method to be performed by a fifth generation core (5GC) of a network, one or more elements of the 5GC, and/or an electronic device that includes or implements the 5GC, wherein the method comprises: establishing, by a security anchor function of the network, a security key with a user equipment (UE);
  • Example 27 includes the method of example 26, and/or some other example herein, wherein the communication between the UE and the other NF is performed without going through the AMF.
  • Example 28 includes the method of any of examples 26-27, and/or some other example herein, wherein the network is a fifth generation (5G) network.
  • 5G fifth generation
  • Example 29 includes the method of any of examples 26-28, and/or some other example herein, wherein the communication is non-access stratum (NAS) communication.
  • a method for user equipment (UE) of a wireless system includes determining to establish a direct secure connection between a UE and a network function (NF) of a core network (CN) of a wireless system, generating a distributed non-access stratum (NAS) message for the NF, encoding the distributed NAS message in a first radio resource control (RRC) message, initiating transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decoding a second RRC message received from the base station, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF in the CN of the wireless system.
  • the method may also include where the UE is a service consumer and the NF is a service producer, or vice-versa.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF.
  • the method may also include establishing a direct secure connection between the UE and NF of the CN of the wireless system using the telescopic FQDN for the NF, the direct secure connection to comprise a transport layer security (TLS) connection, a tunneled transport layer security (TTLS) connection, a secure socket layer (SSL) connection, or a hypertext transfer protocol secure (HTTPS) connection.
  • TLS transport layer security
  • TTLS tunneled transport layer security
  • SSL secure socket layer
  • HTTPS hypertext transfer protocol secure
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established using a virtual security anchor proxy at the UE and the NF.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established using a service based interface (SBI) between the UE and the NF.
  • SBI service based interface
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and without an access and mobility function (AMF) of the CN of the wireless system.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and a previously established security association for the UE.
  • the method may also include initiating establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and using a security edge protection proxy (SEPP) to negotiate and establish the direct secure connection.
  • SEPP security edge protection proxy
  • the method may also include establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, and establishing a second security association with the NF using the first security association.
  • the method may also include establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiating a security parameter for a second security association using the first security association, and establishing the second security association with the NF using the first security association and the negotiated security parameter.
  • the method may also include establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiating a security parameter for a second security association using the first security association, and establishing the second security association with the NF using the first security association and the negotiated security parameter, where the second security association is established using token-based dynamic authorization via a network repository function (NRF).
  • the method may also include establishing a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, where the first security association is established via a NX-C interface, and establishing a second security association with the NF using the first security association, where the second security association is established via a NX-F interface.
  • the method may also include providing data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • RF radio-frequency
  • a non-transitory computer-readable storage medium including instructions that when executed by processing circuitry, cause the processing circuitry to determine to establish a direct secure connection between a UE and a network function (NF) of a core network (CN) of a wireless system, generate a distributed non-access stratum (NAS) message for the NF, encode the distributed NAS message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decode a second RRC message received from the base station, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF in the CN of the wireless system.
  • RRC radio resource control
  • the computer-readable storage medium may also include where the UE is a service consumer and the NF is a service producer, or vice-versa.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to establish a direct secure connection between the UE and NF of the CN of the wireless system using the telescopic FQDN for the NF, the direct secure connection to comprise a transport layer security (TLS) connection, a tunneled transport layer security (TTLS) connection, a secure socket layer (SSL) connection, or a hypertext transfer protocol secure (HTTPS) connection.
  • TLS transport layer security
  • TTLS tunneled transport layer security
  • SSL secure socket layer
  • HTTPS hypertext transfer protocol secure
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established using a virtual security anchor proxy at the UE and the NF.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established via a service based interface (SBI) between the UE and the NF.
  • SBI service based interface
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and without an access and mobility function (AMF) of the CN of the wireless system.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and a previously established security association for the UE.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and a security edge protection proxy (SEPP) to negotiate and establish the direct secure connection.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, and establish a second security association with the NF using the first security association.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiate a security parameter for a second security association using the first security association, and establish the second security association with the NF using the first security association and the negotiated security parameter.
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiate a security parameter for a second security association using the first security association, and establish the second security association with the NF using the first security association and the negotiated security parameter, where the second security association is established using token-based dynamic authorization via a network repository function (NRF).
  • NRF network repository function
  • the computer-readable storage medium may also include instructions that when executed by processing circuitry, cause the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, where the first security association is established via a NX-C interface, and establish a second security association with the NF using the first security association, where the second security association is established via a NX-F interface.
  • an apparatus for user equipment (UE) of a wireless system includes a memory interface to send or receive, to or from a data storage device, security information for a wireless system.
  • the apparatus also includes processing circuitry communicatively coupled to the memory interface, the processing circuitry to determine to establish a direct secure connection between a UE and a network function (NF) of a core network (CN) of the wireless system, generate a distributed non-access stratum (NAS) message for the NF, encode the distributed NAS message in a first radio resource control (RRC) message, initiate transmission of the first RRC message from the UE to a base station of a radio access network (RAN) of the wireless system, and decode a second RRC message received from the base station, the second RRC message to include a telescopic fully qualified domain name (FQDN) for the NF in the CN of the wireless system.
  • the apparatus may also include where the UE is a service consumer and the NF is a service producer, or vice-versa.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF.
  • the apparatus may also include the processing circuitry to establish a direct secure connection between the UE and NF of the CN of the wireless system using the telescopic FQDN for the NF, the direct secure connection to comprise a transport layer security (TLS) connection, a tunneled transport layer security (TTLS) connection, a secure socket layer (SSL) connection, or a hypertext transfer protocol secure (HTTPS) connection.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established using a virtual security anchor proxy at the UE and the NF.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF, where the direct secure connection is established via a service based interface (SBI) between the UE and the NF.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and without an access and mobility function (AMF) of the CN of the wireless system.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and a previously established security association for the UE.
  • the apparatus may also include the processing circuitry to initiate establishment of a direct secure connection between the UE and the NF of the CN of the wireless system using the telescopic FQDN for the NF and a security edge protection proxy (SEPP) to negotiate and establish the direct secure connection.
  • the apparatus may also include the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, and establish a second security association with the NF using the first security association.
  • the apparatus may also include the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiate a security parameter for a second security association using the first security association, and establish the second security association with the NF using the first security association and the negotiated security parameter.
  • the apparatus may also include the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, negotiate a security parameter for a second security association using the first security association, and establish the second security association with the NF using the first security association and the negotiated security parameter, where the second security association is established using token-based dynamic authorization via a network repository function (NRF).
  • the apparatus may also include the processing circuitry to establish a first security association with a security edge protection proxy (SEPP) using the telescopic FQDN for the NF, where the first security association is established via a NX-C interface, and establish a second security association with the NF using the first security association, where the second security association is established via a NX-F interface.
  • the apparatus may also include the processing circuitry to provide data for radio-frequency (RF) circuitry to transmit RF signals with the first RRC message and receive RF signals with the second RRC message.
  • Example 1 may include a method in which a UE establishes a security association with each NF in the core network.
  • Example 2 may include the method of example 1 or some other example herein, wherein the UE and the NF negotiate a security method using an already established security association.
  • Example 3 may include the method of example 1 or some other example herein, in which the UE uses a Service/Security Edge proxy to negotiate and establish a security association.
  • Example 4 may include the method in which authorization between the UE and the NF uses token-based dynamic authorization through the NRF.
  • Example 5 may include a method of a UE, the method comprising: establishing a first security association with a security edge protection proxy (SEPP); and establishing a second security association with one or more network functions using the first security association.
  • Example 6 may include the method of example 5 or some other example herein, wherein establishing the second security association includes negotiating a security method.
  • Example 7 may include the method of examples 5-6 or some other example herein, wherein the second security association is established using a token-based dynamic authorization via an NRF.
  • Example 8 may include the method of examples 5-7 or some other example herein, further comprising discovering the one or more network functions using a fully qualified domain name (FQDN).
  • FQDN fully qualified domain name
  • Example 9 may include the method of examples 5-8 or some other example herein, wherein the SEPP is implemented in a CU-CP.
  • Example 10 may include the method of examples 5-9 or some other example herein, wherein the first security association is established via a NX-C interface.
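The embodiments above have the UE reach an NF through a SEPP by name, using a telescopic FQDN for the NF and a TLS-style direct secure connection. The Python below is an added example, not code from the patent or from Intel: it models a hypothetical SEPP rewrite table that maps an NF's real FQDN to a single-label name under the SEPP's own domain, and the UE-side certificate hostname check that makes that single-label shape necessary, since a wildcard certificate for the SEPP domain covers exactly one leftmost label. The label scheme, domain names, NF FQDN and certificate SANs are all constructed for the example.

```python
from __future__ import annotations
import hashlib

MAX_LABEL_LEN = 63  # RFC 1035: a single DNS label is at most 63 octets


class TelescopicMapper:
    """Constructed stand-in for a SEPP's FQDN rewrite table (hypothetical)."""

    def __init__(self, sepp_domain: str) -> None:
        self.sepp_domain = sepp_domain.lower().rstrip(".")
        self._by_label: dict[str, str] = {}

    def label_for(self, nf_fqdn: str) -> str:
        """Derive one opaque DNS label for an NF FQDN and remember the mapping."""
        nf_fqdn = nf_fqdn.lower().rstrip(".")
        label = "nf-" + hashlib.sha256(nf_fqdn.encode("ascii")).hexdigest()[:16]
        if len(label) > MAX_LABEL_LEN:
            raise ValueError("label exceeds the DNS label length limit")
        previous = self._by_label.setdefault(label, nf_fqdn)
        if previous != nf_fqdn:  # never let two NFs alias the same label
            raise ValueError("telescopic label collision")
        return label

    def to_telescopic(self, nf_fqdn: str) -> str:
        """<label>.<sepp-domain>: the name the UE connects to."""
        return f"{self.label_for(nf_fqdn)}.{self.sepp_domain}"

    def resolve(self, telescopic: str) -> str:
        """SEPP side: map the telescopic name back to the real NF FQDN."""
        label, _, domain = telescopic.lower().rstrip(".").partition(".")
        if domain != self.sepp_domain or label not in self._by_label:
            raise KeyError(f"unknown telescopic FQDN: {telescopic}")
        return self._by_label[label]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Hostname check in the RFC 6125 style: '*' covers exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and p[1:] == h[1:]


def ue_accepts_sepp_cert(telescopic: str, cert_sans: list[str]) -> bool:
    """UE side: does any SAN in the SEPP certificate cover the telescopic name?"""
    return any(wildcard_matches(san, telescopic) for san in cert_sans)


if __name__ == "__main__":
    sepp = TelescopicMapper("sepp.operator.example")       # constructed SEPP domain
    nf = "amf1.5gc.mnc001.mcc001.3gppnetwork.org"           # constructed NF FQDN
    sans = ["*.sepp.operator.example"]                      # constructed SEPP cert SANs
    name = sepp.to_telescopic(nf)
    print(name, ue_accepts_sepp_cert(name, sans), sepp.resolve(name) == nf)
    # A naive rewrite that keeps the NF's own labels is NOT covered by the wildcard,
    # so the UE's hostname check would reject the SEPP certificate:
    naive = f"{nf}.sepp.operator.example"
    print(naive, ue_accepts_sepp_cert(naive, sans))
```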

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments relate to a fifth-generation (5G) or sixth-generation (6G) wireless communication system and network components for establishing secure connections directly between a user equipment and network functions in a core network of a 5G or 6G system. Other embodiments are also described and claimed.
PCT/US2023/022248 2022-05-16 2023-05-15 Sécurité pour protocole de strates de non-accès distribuées dans un système mobile WO2023224915A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202263342485P 2022-05-16 2022-05-16
US63/342,485 2022-05-16
US202263349956P 2022-06-07 2022-06-07
US63/349,956 2022-06-07

Publications (1)

Publication Number Publication Date
WO2023224915A1 true WO2023224915A1 (fr) 2023-11-23

Family

ID=88835879

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2023/022248 WO2023224915A1 (fr) 2022-05-16 2023-05-15 Sécurité pour protocole de strates de non-accès distribuées dans un système mobile

Country Status (1)

Country Link
WO (1) WO2023224915A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180084413A1 (en) * 2016-09-16 2018-03-22 Qualcomm Incorporated On-demand network function re-authentication based on key refresh
US10848967B2 (en) * 2017-01-30 2020-11-24 Telefonaktiebolaget Lm Ericsson (Publ) Security anchor function in 5G systems
US20220086706A1 (en) * 2017-09-15 2022-03-17 Telefonaktiebolaget Lm Ericsson (Publ) Security context in a wireless communication system
CN112565324B (zh) * 2019-09-26 2022-04-05 华为技术有限公司 非接入层消息传输的方法、装置和系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 17)", 3GPP TS 33.501, no. V17.5.0, 24 March 2022 (2022-03-24), pages 1 - 293, XP052144803 *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23808133

Country of ref document: EP

Kind code of ref document: A1