First node, second node and methods performed thereby for handling a subscriber identity
Patent Information
- Authority / Receiving Office
- EP · EP
- Patent Type
- Applications
- Current Assignee / Owner
- TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
- Filing Date
- 2023-06-22
- Publication Date
- 2026-06-24
Smart Images

Figure IN2023050598_26122024_PF_FP_ABST
Abstract
Description
[0001] FIRST NODE, SECOND NODE AND METHODS PERFORMED THEREBY FOR HANDLING
[0002] A SUBSCRIBER IDENTITY
[0003] TECHNICAL FIELD
[0004] The present disclosure relates generally to a first node and methods performed thereby for handling a subscriber identity. The present disclosure also relates generally to a second node, and methods performed thereby for handling the subscriber identity. The present disclosure also relates generally to computer programs and computer-readable storage mediums, having stored thereon the computer programs to carry out these methods.
[0005] BACKGROUND
[0006] Computer systems in a communications network or communications system may comprise one or more nodes. A node may comprise a processing circuitry which, together with computer program code may perform different functions and actions, a memory, a receiving port, and a sending port. A node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
[0007] The communications system may cover a geographical area which may be divided into cell areas, each cell area being served by a type of node, a network node in the Radio Access Network (RAN), radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g., a Radio Base Station (RBS), which sometimes may be referred to as e.g., gNB, evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used. The base stations may be of different classes such as e.g., Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size. A cell may be understood to be the geographical area where radio coverage may be provided by the base station at a base station site. One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies. The telecommunications network may also comprise network nodes which may serve receiving nodes, such as user equipments, with serving beams.
[0008] The standardization organization Third Generation Partnership Project (3GPP) is currently in the process of specifying a New Radio Interface called Next Generation Radio or New Radio (NR) or 5G-Universal Terrestrial Radio Access (UTRA), as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network (5GC), abbreviated as 5GC.
[0009] In a 5G reference architecture as defined by 3GPP, which may be used as a reference for the present disclosure, an Application Function (AF) may allow external parties to use the Exposure Application Program Interfaces (APIs) offered by the Mobile Network Operator (MNO). The AF may interact with the 3GPP Core Network through a Network Exposure Function (NEF). In case the AF may be trusted, e.g., internal to the network operator, the AF may interact with the 3GPP Core Network directly, with no NEF involved. The NEF may support different functionality, e.g., may support different Exposure APIs, e.g., sponsored Data, Quality of Service (QoS), etc., which may allow a content provider to request policies from the MNO. The NEF may be understood to act as the entry point into the network of the operator, so an external AF, e.g., a content provider, may interact with the 3GPP Core Network through the NEF.
[0010] A Policy Control Function (PCF) may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the Session Management Function (SMF) / User Plane function (UPF) that may enforce policy and charging decisions according to provisioned Policy and Charging Control (PCC) rules. The SMF may support different functionalities, e.g., may receive PCC rules from the PCF and may configure the UPF accordingly. The UPF may support handling of user plane traffic based on the rules received from the SMF, e.g., packet inspection and different enforcement actions such as reporting for charging and QoS handling. The PCF may provide policy rules to a UE through an Access and Mobility Function (AMF). The AMF may manage access of the UE. For example, when the UE may be connected through different access networks, and mobility aspects of the UE.
[0011] The applications available today have the ability to access the identity of subscribers, e.g., their mobile numbers, and expose them when requests are received on the applications. Hence, with existing methods, subscribers in a communications network are exposed to unsecure communications.
[0012] SUMMARY
[0013] As part of the development of embodiments herein, one or more challenges with the existing technology will first be identified and discussed.
[0014] Today, due to the extensive usage of applications, it may be required to share identity of subscribers, e.g., their mobile numbers, for traditional third-party services such as, e.g., housekeeping, booking cabs, food delivery etc...
[0015] There is always a risk involved, as the third parties may leak the identity of subscribers, e.g., their mobile numbers, resulting in a large number of spam calls / Short Messaging Systems (SMS). Such communications may impact the capacity and latency of the network, as well as the ability to provide services in the network in an optimal fashion. Moreover, the leakage of the identity of subscribers may result in cyber fraud aimed at deceiving users. Globally, during the last couple of years, victims have experienced massive losses due to vishing cases.
[0016] According to the foregoing, it is an object of embodiments herein to improve the handling of a subscriber identity in a communications system.
[0017] According to a first aspect of embodiments herein, the object is achieved by a computer- implemented method, performed by a first node. The method is for handling a subscriber identity. The first node operates in the communications system. The first node receives a first request to process a subscriber identity for communication with a second device. The subscriber identity belongs to a first device operating in the communications system. The first device is a secured party and the second device is an untrusted party. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the first request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is to encrypt the subscriber identity. The first node obtains a processed subscriber identity based on the received first request. At least one of the following applies: i) with the proviso the first request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the first request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity. The first node then initiates provision of a first indication of the processed subscriber identity.
[0018] According to a second aspect of embodiments herein, the object is achieved by a computer-implemented method, performed by a second node. The method is for handling the subscriber identity. The second node operates in the communications system. The second node receives a second request from the first node operating in the communications system. The second request is to process the subscriber identity for communication with the second device. The subscriber identity belongs to the first device operating in the communications system. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the second request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is to encrypt the subscriber identity. The second node also provides the processed subscriber identity to the first node based on the received second request. The second node obtains the processed subscriber identity using blockchain. At least one of the following applies: i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity. The second node also initiates provision of the first indication of the processed subscriber identity.
[0019] According to a fifth aspect of embodiments herein, the object is achieved by the first node, for handling the subscriber identity. The first node is configured to operate in the communications system. The first node is further configured to receive the first request to process the subscriber identity for communication with the second device. The subscriber identity is configured to belong to the first device configured to operate in the communications system. The first device is configured to be a secured party and the second device 132 is configured to be an untrusted party. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the first request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is configured to be to encrypt the subscriber identity. The first node is further configured to obtain the processed subscriber identity based on the first request configured to be received. At least one of the following applies: i) with the proviso the first request is configured to be to decrypt the subscriber identity, the processed subscriber identity is the decrypted subscriber identity, and ii) with the proviso the first request is configured to be to encrypt the subscriber identity, the processed subscriber identity is the encrypted subscriber identity. The first node is also configured to initiate provision of the first indication of the processed subscriber identity.
[0020] According to a sixth aspect of embodiments herein, the object is achieved by the second node, for handling the subscriber identity. The second node is configured to operate in the communications system. The second node is further configured to receive the second request, from the first node configured to operate in the communications system, to process the subscriber identity for communication with the second device. The subscriber identity is configured to belong to the first device configured to operate in the communications system. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the second request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is configured to be to encrypt the subscriber identity. The second node is also configured to provide the processed subscriber identity to the first node based on the second request configured to be received. The second node is configured to obtain the processed subscriber identity using blockchain. At least one of the following applies: i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity.
[0021] According to a fifth aspect of embodiments herein, the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
[0022] According to a sixth aspect of embodiments herein, the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node. According to a seventh aspect of embodiments herein, the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
[0023] According to an eighth aspect of embodiments herein, the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
[0024] By receiving the first request, the first node may enable to initiate a processing of the subscriber identity, to either decrypt it or encrypt it, as indicated, either implicitly or explicitly, on the first request. Hence, the first node, acting as an authorized mediator, may enable that a secured party such as the first device communicate in a secured manner with untrusted party such as the second device, and vice versa. That is, the first node may enable that an untrusted party such as the second device may reach a secured party such as the first device in a secured manner, which otherwise may be unreachable.
[0025] By obtaining the processed subscriber identity, the first node may then be enabled to initiate provision of the processed subscriber identity and thereby enable that the first device may establish a secured communication with an unsecured party such as the second device, and / or that an unsecured party such as the second device may reach a party such as the first device, which otherwise may be unreachable.
[0026] By initiating the provision of the first indication of the processed subscriber identity, the first node may enable that the first device may establish a secured communication with an unsecured party such as the second device, by triggering a notification to the second device to call the first device, and / or that an unsecured party such as the second device may reach a party such as the first device, which otherwise may be unreachable, by enabling that a call may be established between the first device and the second device.
[0027] Accordingly, the first node may avoid that communications from untrusted parties may impact the capacity and latency of the network, as well as the ability to provide services in the network in an optimal fashion.
[0028] By the second node operating in the communications system, receiving the second request, the second node may be enabled to then provide the processed subscriber identity to the first node, and therefore the benefits already mentioned. By the second node being a node operating in the communications system, advantageously, no additional application may be required for secured communication with untrusted parties, as it may be handled by the network elements.
[0029] Moreover, since the blockchain technology may be understood to exist to ensure the decentralized secured integration with any system, by using blockchain technology, the following advantages of blockchain may be applicable to embodiments herein: a) decentralization, b) immutability of an encryption / decryption algorithm on which rules may be run, and c) ledger lifetime configuration. Decentralization may ensure availability of the system when the central system may be out of order, localization and better performance of the system, reliability of the results for encryption / decryption and persistence of the same. The ledger lifetime configuration may enable that a time based control on decryption for the untrusted party to the trusted party may be possible.
[0030] BRIEF DESCRIPTION OF THE DRAWINGS
[0031] Examples of embodiments herein are described in more detail with reference to the accompanying drawings, according to the following description.
[0032] Figure 1 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
[0033] Figure 2 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
[0034] Figure 3 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
[0035] Figure 4 is a schematic diagram depicting a non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
[0036] Figure 5 is a schematic diagram depicting signalling between nodes in a communications system, according to embodiments herein.
[0037] Figure 6 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
[0038] Figure 7 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
[0039] DETAILED DESCRIPTION
[0040] Certain aspects of the present disclosure and their embodiments address one or more of the challenges identified with the existing methods and provide solutions to the challenges discussed.
[0041] Embodiments herein may relate to a system and apparatus to prevent vishing of subscriber identities, such as mobile numbers. Considering the limitations in the existing system, embodiments herein may be understood to introduce method to secure the subscriber identities e.g., mobile numbers, so that they may not be misused by untrusted parties. Accordingly, embodiments herein may relate to avoiding that communications from untrusted parties may impact the capacity and latency of the network, as well as the ability to provide services in the network in an optimal fashion. Embodiments herein may be understood to aim to protect the usage and sharing of mobile numbers from untrusted parties. As a general overview, embodiments herein may relate to using network elements and blockchain for securing the subscriber identities, e.g., mobile numbers, and restricting calls from untrusted parties.
[0042] According to examples of embodiments herein, an Application Programming Interface (API) may be introduced in the network element for the following functionality: a) encrypt the subscriber identity, e.g., mobile number, so that the network may share the encrypted identity, e.g., number, with the third party, b) set rules to access the subscriber identity, e.g., the mobile number, and c) decrypt the subscriber identity, e.g., mobile number, by service provider, so that third party may make a call using the encrypted subscriber identity, e.g., mobile number.
[0043] The embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which examples are shown. In this section, embodiments herein are illustrated by exemplary embodiments. It should be noted that these embodiments are not mutually exclusive. Components from one embodiment or example may be tacitly assumed to be present in another embodiment or example and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. All possible combinations are not described to simplify the description.
[0044] Figure 1 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented. In some example implementations, such as that depicted in the non-limiting example of Figure 1a, the communications system 100 may be a computer network. In other example implementations, such as that depicted in the non-limiting example of Figure 1b, the communications system 100 may be implemented in a telecommunications system, sometimes also referred to as a telecommunications network, cellular radio system, cellular network, or wireless communications system. In some examples, the telecommunications system may comprise network nodes which may serve receiving nodes, such as wireless devices. The communications system 100 may for example be a network such as a 5G system, or a newer system, e.g., 6G system, supporting similar functionality, or a Long-Term Evolution (LTE) network, e.g., LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), or LTE operating in an unlicensed band. The telecommunications system may further support other technologies, such as for example Wideband Code Division Multiple Access (WCDMA), Universal Mobile Telecommunications System Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM / Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising any combination of Radio Access Technologies (RATs) such as e.g. Multi-Standard Radio (MSR) base stations, multi-RAT base stations etc., any 3rd Generation Partnership Project (3GPP) cellular network, Wireless Local Area Network / s (WLAN) or WiFi network / s, Worldwide Interoperability for Microwave Access (WiMax), IEEE 802.15.4-based low-power short-range networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LowPAN), Zigbee, Z-Wave, Bluetooth Low Energy (BLE), or any cellular network or system. The telecommunications system may for example support a Low Power Wide Area Network (LPWAN). LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band loT (NB-loT).
[0045] The communications system 100 may comprise a plurality of nodes, and / or operate in communication with other nodes, whereof a first node 111, a second node 112, a third node 113, and fourth node 114 are depicted in both panels of Figure 1. In some examples, the communications system 100 may comprise a fifth node 115, depicted also in Figure 1. It may be understood that the communications system 100 may comprise more nodes than those represented in Figure 1.
[0046] Any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be understood, respectively, as a first computer system, a second computer system, a third computer system, a fourth computer system and a fifth computer system. In some examples, any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be implemented as a standalone server in e.g., a host computer in the cloud 120, as depicted in the non-limiting example depicted in panel b) of Figure 1. Any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of their functions implemented in the cloud 120, by e.g., a server manager. Yet in other examples, any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may also be implemented as processing resources in a server farm.
[0047] Any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be co-localized.
[0048] The first node 111 may be a node that may have a capability to handle requests for policies from a Mobile Network Operator (MNO). In some embodiments, the first node 111 may be a node that may have a capability to manage exposure to different events, e.g., different Exposure APIs. The first node 111 may optionally support other functionalities, such as handling e.g., sponsored Data, Quality of Service (QoS), etc., which may allow a content provider to request policies from the MNO. The first node 111 may be understood to act as the entry point into the communications system 100. In some embodiments, as in the nonlimiting example of Figure 1 , the first node 111 may be a NEF. In other non-limiting examples not depicted in Figure 1 , wherein e.g., the communications system 100 may be a 4G network, the first node 111 may be a Service Capability Exposure Function (SCEF).
[0049] The second node 112 may have a capability to manage a database. To manage may be understood to herein as to provide an interface that may enable to write to and to read from the data in the database. The database may be at least one of: i) layered and ii) immutable and synchronized. The database may be a distributed ledger, e.g., a distributed ledger as a blockchain (BC). However, other forms of distributed ledger may also be used, for example a distributed, multi-layered hash table. In particular examples, the database may be a multilayer distributed ledger, an immutable, replicable, consensus-based database which may comprise connectivity information, roaming agreements and billing information for radio access services rendered to mobile devices from the participating radio access vendors.
[0050] The third node 113 may be a node operating in the communications system 100 and having a capability to may be a node having a capability to support different functionalities, e.g., may receive PCC rules from a PCF and may configure a node handling user plane traffic, such as a UPF, accordingly. This node may then handle the user plane traffic based on the rules received from the third node 113, e.g., packet inspection and different enforcement actions such as reporting for charging and QoS handling. As depicted in Figure 1, in some particular examples, the third node 113 may be an SMF. In other examples, the third node 113 may be, e.g., a Mobility Management Entity (MME).
[0051] The fourth node 114 may be a node having a capability to support a unified policy framework to govern the behavior of the communications system 100. Specifically, the fourth node 114 may provide PCC rules to one or more other nodes in the communication system 100, which may then be applied to traffic. As depicted in Figure 1, in some examples, the fourth node 114 may be a PCF.
[0052] The fifth node 115 may be a node having a capability to manage access of a device, such as e.g., the device 131 described below, to the communications system 100, when the device may be connected through different access networks, and mobility aspects of the device. As depicted in Figure 1 , a particular non-limiting example of the fifth node 115, wherein the communications system 100 may be a 5G network, may be an AMF. In other nonlimiting examples not depicted in Figure 1, wherein e.g., the communications system 100 may be a 4G network, the fifth node 115 may be an MME.
[0053] The communications system 100 may also comprise a plurality of devices, of which a first device 131 and a second device 132 are depicted in the non-limiting example of Figure 1. Any of the first device 131 and the second device 132 may be also known as e.g., a user equipment, wireless device, mobile terminal, wireless terminal and / or mobile station, mobile telephone, cellular telephone, or laptop with, or without, wireless capability, an Internet of Things (loT) device, or a Customer Premises Equipment (CPE), just to mention some further examples. Any of the first device 131 and the second device 132 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehiclemounted mobile device, enabled to communicate voice and / or data, via a Radio Access Network (RAN), with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet, a Machine-to-Machine (M2M) device, an Internet of Things (loT) device, e.g., a sensor or a camera, a device equipped with a wireless interface, a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100. Any of the first device 131 and the second device 132 may be wireless, i.e. , it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able support beamforming transmission. The communication may be performed e.g., between two devices, between a device and a radio network node, and / or between a device and a server. The communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100.
[0054] The communications system 100 may comprise one or more radio network nodes, whereof a first radio network node 141 and a second radio network node 142 are depicted in Figure 1b. Any of the radio network node 141 and the second radio network node 142 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100. Any of the radio network node 141 and the second radio network node 142 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi. Any of the radio network node 141 and the second radio network node 142 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size. Any of the radio network node 141 and the second radio network node 142 may be a stationary relay node or a mobile relay node. Any of the radio network node 141 and the second radio network node 142 may support one or several communication technologies, and its name may depend on the technology and terminology used. Any of the radio network node 141 and the second radio network node 142 may be directly connected to one or more networks and / or one or more core networks.
[0055] The communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
[0056] The first node 111 may communicate with the second node 112 over a first link 151, e.g., a radio link or a wired link. The first node 111 may communicate with the third node 113 over a second link 152, e.g., a radio link or a wired link. The first node 111 may communicate with the fourth node 114 over a third link 153, e.g., a radio link or a wired link. The first node 111 may communicate with the first device 131, e.g., indirectly, over a fourth link 154, e.g., a radio link or a wired link. The third node 113 may communicate with the fifth node 115 over a fifth link 155, e.g., a radio link or a wired link. The second device 132 may communicate with the fifth node 115 over a sixth link 156, e.g., a radio link or a wired link. The first node 111 may communicate with the first radio network node 141 over a seventh link 157, e.g., a radio link or a wired link. The first radio network node 141 may communicate with the first device 131 over an eighth link 158, e.g., a radio link. The fifth node 115 may communicate with the second radio network node 142 over a ninth link 159, e.g., a radio link or a wired link. The second radio network node 142 may communicate with the second device 132 over a tenth link 160, e.g., a radio link or a wired link.
[0057] Any of the first link 151 , the second link 152, the third link 153, the fourth link 154, the fifth link 155, the sixth link 156, the seventh link 157, the eighth link 158, the ninth link 159 and / or the tenth link 160 may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network. The intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 1.
[0058] Although terminology from Long Term Evolution (LTE) / 5G has been used in this disclosure to exemplify the embodiments herein, this should not be seen as limiting the scope of the embodiments herein to only the aforementioned system. Other wireless systems supporting similar or equivalent functionality may also benefit from exploiting the ideas covered within this disclosure. In future telecommunication networks, e.g., in the sixth generation (6G), the terms used herein may need to be reinterpreted in view of possible terminology changes in future technologies.
[0059] In general, the usage of “first”, “second”, “third”, “fourth”, “fifth”, “sixth”, “seventh”, “eighth”, “ninth” and / or “tenth” herein may be understood to be an arbitrary way to denote different elements or entities and may be understood to not confer a cumulative or chronological character to the nouns they modify.
[0060] Some of the embodiments contemplated herein will now be described more fully with reference to the accompanying drawings. Other embodiments, however, are contained within the scope of the subject matter disclosed herein, the disclosed subject matter should not be construed as limited to only the embodiments set forth herein; rather, these embodiments are provided by way of example to convey the scope of the subject matter to those skilled in the art. Embodiments of a computer-implemented method, performed by the first node 111 , will now be described with reference to the flowchart depicted in Figure 2. The method may be understood to be for handling a subscriber identity. The first node 111 operates in the communications system 100.
[0061] In some embodiments, the communications system 100 may be a Fifth Generation, 5G, system.
[0062] The first node 111 may be a NEF.
[0063] Several embodiments are comprised herein. In some embodiments, all the actions may be performed. In some embodiments, two or more actions may be performed. It should be noted that the examples herein are not mutually exclusive. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. A non-limiting example of the method performed by the first node 111 is depicted in Figure 2.
[0064] In Figure 2, optional actions are represented with dashed lines.
[0065] Action 201
[0066] In this Action 201 , the first node 111 receives a first request to process a subscriber identity for communication with the second device 132. The subscriber identity belongs to the first device 131 operating in the communications system 100. The first device 131 is a secured party and the second device 132 is an untrusted party.
[0067] The subscriber identity may be a telephone number, e.g., a mobile number. For communication with the second device 132 may be understood to mean, in such embodiments, for telephone communication with the second device 132, that is, for telephone communication between the first device 131 and the second device 132. The processing of the subscriber identity may be understood to then render the communication possible or desired.
[0068] The subscriber identity may be in a state, e.g., encrypted or unencrypted, wherein its usage for communication between the first device 131 and the second device 132 may not be possible, e.g., when it may be encrypted, or not desired, e.g., when it may be unencrypted, as explained next.
[0069] In some examples of embodiments wherein the subscriber identity may be unencrypted, the first request may be received as a result of the first device 131 desiring to communicate with the second device 132 and being unwilling to do it with an unencrypted subscriber identity. In such examples, the first device 131 may desire to enable a secured communication, e.g., call, with the second device 132, since the second device 132 is an untrusted party. In such examples, the first node 111 may receive the first request, e.g., directly, from the first device 131. An example of this scenario is described later in Figure 4. In such a scenario, in this Action 201, the first device 131, that is, the secured party, may invoke an encryption API aft the first node 111 , providing the untrusted business calling party details along.
[0070] In some examples of embodiments wherein the subscriber identity may be encrypted, the first request may be received as a result of the second device 132 trying to communicate with the first device 131 and being unable to do it with an encrypted subscriber identity. In such examples, the first node 111 may receive the first request from the third node 113, e.g., an SMF operating in the communications system 100. In such examples, the third node 113 may send the first request as a result of having received an indication, e.g., via the fifth node 115 and the second radio network node 142, that the second device 132 is trying to communicate with the first device 131 , e.g., that the second device 132 is calling the first device 131. An example of this scenario is described later in Figure 5. In such a scenario, in this Action 201 , the second device 132, that is, the untrusted party, may initiate a voice call to the secured party using the encrypted number. The encrypted number may reach the mobile network, which in-turn may reach the third node 113, e.g., the SMF, via the fifth node 115, e.g., AMF. The third node 113 may then detect the called number is encrypted and may route the call to the first node 111 instead of using a normal call flow, where the SMF may look up the subscriber number from a Unified data management (UDM) / Home Subscriber Service (HSS). The first node 111 alone may have the authorization to decrypt the subscriber identity.
[0071] In line with the foregoing, at least one of the following applies: i) with the proviso the subscriber identity is encrypted, the first request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is to encrypt the subscriber identity.
[0072] The receiving in this Action 201 may be performed, e.g., via the fourth link 154 and / or the seventh link 157 and the eighth link 158, or via the second link 152.
[0073] The first request may be, for example, a Representational State Transfer (REST) Application Programming Interface (API) message.
[0074] By receiving the first request in this Action 201 , the first node 111 may enable to initiate a processing of the subscriber identity, to either decrypt it or encrypt it, as indicated, either implicitly or explicitly, on the first request. The processing of the subscriber identity may involve the first node 111 obtaining a processed subscriber identity via a Block Chain Security (BCS) application programming interface (API). The BCS API may reside in or be managed by the first node 111. The obtaining of the processed subscriber identity may be performed by the first node 111, e.g., via the BCS API, sending a second request to the second node 112, the second request requesting the processed subscriber identity. Hence, the first node 111, acting as an authorized mediator, may enable that a secured party such as the first device 131 communicates in a secured manner with untrusted party such as the second device 132, and vice versa. That is, the first node 111 may enable that an untrusted party such as the second device 132 may reach a secured party such as the first device 131 in a secured manner.
[0075] In some of such embodiments, the obtained processed subscriber identity may be based on a set of rules provided to the BCS API. The set of rules may comprise, for example, ledger rules. Examples of ledger rules may be: lifetime of the processed subscriber identity, e.g., encrypted number, number of decryption requests allowed and timeline of usage, that is, when decryption may be allowed, etc.
[0076] The rules may have to be executed while adding a ledger entry during the encryption API invocation. If the rule is related to restricting the number of times the decryption API should be called, a counter may be set to the ledger entry which may decrease every time there may be a read. Once the counter reads 0, the ledger entry may need to be deleted. If the rule is related to restricting the decryption API call to a certain timeline, a cleanup of the ledger entry may need to be scheduled at that particular time.
[0077] In some embodiments, the set of rules may comprise a first rule restricting a number of times a decryption of the processed subscriber identity may be allowed to be requested.
[0078] In embodiments wherein the processed subscriber identity may be based on a set of rules, the first node 111 may receive the first request from the first device 131 , which first request may invoke the encryption BCS API with the details of the second device 132 along with the ruleset.
[0079] Action 202
[0080] As stated earlier, the processed subscriber identity is obtained from the second node 112 operating in the communications system 100 using blockchain, e.g., via the BCS API. In some embodiments, in this Action 202, the first node 111 may send, responsive to the received first request, the second request to the second node 112. The second request may request the processed subscriber identity. The processed subscriber identity may then be obtained responsive to the sent second request.
[0081] The sending in this Action 202 may be performed, e.g., via the first link 151.
[0082] The second request may be, for example, another REST API message.
[0083] The second node 112 may operate in the communications system 100 using blockchain. The second node 112 may manage a distributed ledger, e.g., a distributed ledger as a blockchain (BC). The second node 112 may comprise two APIs. A first API may be an encryption API. The encryption API may take as input a first identity, that is, the subscriber identity of the secured party, e.g., the telephone number to be encrypted, as well as a second identity. The second identity may be that the second device 132, e.g., the identity of an untrusted business calling party. The second identity may be a telephone number which the first device 131 may desire to reach using the encrypted subscriber identity to establish a communication, e.g. a telephone call. The second identity may be used as a key for encryption. The encryption API may further take as input the set of rules, e.g., of the rules of the ledger. The encryption API may then output an encrypted subscriber identity, e.g., an encrypted secured party number.
[0084] A second API may be a decryption API. The decryption API may take as input the encrypted subscriber identity, e.g., the encrypted secured party number, the second identity, e.g., the untrusted business party number, and an authentication token of the first node 111, e.g., a NEF authentication token. The decryption API may then output a decrypted subscriber identity, e.g., the decrypted number of the secured party.
[0085] By sending the second request in this Action 202, the first node 111 may then be enabled to obtain the processed subscriber identity and thereby enable that the first device 131 may establish a secured communication with an unsecured party such as the second device 132, and / or that an unsecured party such as the second device 132 may reach a party such as the first device 131, which otherwise may be unreachable. Embodiments herein may therefore enable to establish secure communications between a mobile number of a secured party and an unsecured party by interfacing with a network API, the BCS API, using the first node 111, e.g., a NEF, endpoint which may in turn interface with the second node 111 , the blockchain.
[0086] Action 203
[0087] In this Action 203, the first node 111 obtains a processed subscriber identity based on the received first request. At least one of the following applies: i) with the proviso the first request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the first request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity.
[0088] The obtaining in this Action 203 of the processed subscriber identity may be via a BCS API.
[0089] Obtaining may comprise any of retrieving, fetching or receiving. The obtaining, e.g., receiving, may be performed e.g., via the first link 151.
[0090] By obtaining the processed subscriber identity in this Action 203, the first node 111 may then be enabled to initiate provision of the processed subscriber identity and thereby enable that the first device 131 may establish a secured communication with an unsecured party such as the second device 132, and / or that an unsecured party such as the second device 132 may reach a party such as the first device 131 , which otherwise may be unreachable. Action 204
[0091] In some embodiments wherein the obtained processed subscriber identity may be based on the set of rules provided to the BCS API, the first node 111 may, in this Action 204, validate the set of rules before initiating of a provision of the first indication.
[0092] In some embodiments, the validating in this Action 204 may be performed via the fourth node 114. The fourth node 114 may be a PCF.
[0093] By the first node 111, in this Action 204, validating the set of rules before the initiating of the provision of the first indication, the first node 111 may be able to ensure that the set of rules may be complied with correctly.
[0094] Action 205
[0095] In this Action 205, the first node 111 may initiate provision of a first indication of the processed subscriber identity.
[0096] Initiating may be understood as triggering, starting, facilitating or enabling providing, that is, sending or outputting.
[0097] The provision may be to the third node 113 and may be performed e.g., via the fourth link 154.
[0098] The first indication may be provided, for example, via a REST API.
[0099] The third node 113 may be an SM F.
[0100] In some embodiments, the initiating in this Action 205 of the provision of the first indication of the processed subscriber identity may comprise initiating establishing the communication between the first device 131 and the second device 132 using the processed subscriber identity. The initiating, in this Action 205, establishing of the communication may comprise triggering an event to the third node 113 operating in the communications system 100. The event may comprise generating a second indication, to at least one of the first device 131 and the second device 132. The second indication may indicate that the communication has been initiated with the processed subscriber identity. It may be understood that the first node 111 may refrain from sharing or providing the unencrypted subscriber identity of the first device 131 to the second device 132.
[0101] In some examples of embodiments wherein the subscriber identity in the first request may be encrypted, the second indication may indicate that a call has been established between the first device 131 and the second device 132.
[0102] In some examples of embodiments wherein the subscriber identity may be unencrypted in the first request, the second indication may be an alert to the first device 131 indicating that a notification has been sent to the second device to call the first device 131. In embodiments wherein Action 204 may have been performed, the provision of the first indication may be initiated with the proviso the set of rules may have been validated.
[0103] In some embodiments, at least one of the following may apply: a) the first node 111 may be a NEF, b) the third node 113 may be an SMF, and c) the validating in Action 202 may be performed via the fourth node 114. The fourth node 114 may be a PCF.
[0104] By initiating the provision of the first indication of the processed subscriber identity in this Action 205, the first node 111 may enable that the first device 131 may establish a secured communication with an unsecured party such as the second device 132, by triggering a notification to the second device 132 to call the first device 131 , and / or that an unsecured party such as the second device 132 may reach a party such as the first device 131 , which otherwise may be unreachable, by enabling that a call may be established between the first device 131 and the second device 132.
[0105] For example, a first scenario of applicability of embodiments herein, may be a scenario wherein a user X of the first device 131 may want to securely share the subscriber identity, e.g., the phone number of X, with an untrusted business party using the second device 132. The user of the first device 131 may desire to call a user of the second device, Y, to receive a service offered by Y. X is a trusted party and the phone number of X may get revealed if X calls Y directly. Since X does not know or trust Y, X may opt to use the encryption number service which the communication system 100 may provide via a network API and chooses to allow Y to call X only 3 times, as specified in the set of rules chosen. The encryption service may encrypt X’s number and only the person receiving it while returning the call may decrypt the number. Y may get the encrypted X' number via a notification and may then be enabled to return the call via X’. Sharing the number or calling the number multiple times may not be possible thanks to the set of rules and / or the cloud based blockchain algorithm. If Y tries to call X the 4thtime, the communication system 100 may be understood to reject the call. Thanks to embodiments herein, X’s telephone number may be secured, and X may share the encrypted number with any party X pleases, as only core network nodes comprised in the communications system 100 may decrypt the number.
[0106] Embodiments of a computer-implemented method performed by the second node 112, will now be described with reference to the flowchart depicted in Figure 3. The method may be understood to be for handling the subscriber identity. The second node 112 operates in the communications system 100.
[0107] The communications system 100 may be a 5G network.
[0108] The method comprises the following actions. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example may be tacitly assumed to be present in another example and it will be obvious to a person skilled in the art how those components may be used in the other examples.
[0109] The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here to simplify the description. For example, the first device 131 is a secured party and the second device 132 is an untrusted party.
[0110] Action 301
[0111] In this Action 301, the second node 112 may receive the second request from the first node 111 operating in the communications system 100, to process the subscriber identity for communication with the second device 132. The subscriber identity belongs to the first device 131 operating in the communications system 100. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the second request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is to encrypt the subscriber identity.
[0112] The first node 111 may be the NEF.
[0113] The subscriber identity may be a telephone number.
[0114] The receiving in this Action 301 may be performed e.g., via the first link 151.
[0115] The first request may comprise the set of rules.
[0116] Action 302
[0117] In this Action 302, the second node 112 provides a processed subscriber identity to the first node 111 based on the received second request. The second node 112 obtains the processed subscriber identity using blockchain. At least one of the following applies :i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is the decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is the encrypted subscriber identity.
[0118] The providing in this Action 302 may be performed, e.g., via the first link 151.
[0119] The providing 302 of the processed subscriber identity may be via the BCS API.
[0120] The obtained processed subscriber identity may be based on the set of rules provided to the blockchain security API.
[0121] In some embodiments, the set of rules comprises the first rule restricting the number of times the decryption of the processed subscriber identity may be allowed to be requested. Several non-limiting examples of a method in the communications system 100 according to embodiments herein will now be described in the next Figure 4 and Figure 5.
[0122] Figure 4 shows a sequence diagram describing a first non-limiting example of a method performed in the communications system 100, according to embodiments herein. In the depicted example, the communications system 100 is a 5G network comprising network elements wherein the first node 111 is a NEF, the third node 113 is an SMSF, the fifth node 115 is an AMF and the second radio network node 142 is a gNB. The example of Figure 4 depicts an example of a scenario wherein a request for connection may be made from the first device 131 , depicted as secured party X to the second device 132, depicted as untrusted party Y. In Step 1 , the first device 131, according to Action 202, sends the first request to the first node 111, requesting an encrypted telephone number to enable to receive a secured call from the untrusted second device 132. In doing so, the secured party X, that is, the first device 131, invokes the encryption BCS API with the details of the second device 132, the untrusted business calling party Y, along with the set of rules. The second device 132 may also share its subscriber identity, e.g., telephone number, via QR code or other means to receive the encrypted number of the first device 131. In Step 2, according to Action 301 and Action 202, the first node 111 , via its BCS API, sends the second request to the second node 112, which may manage a Core Network (CN) blockchain algorithm in the cloud, to request an encrypted number for X with the second subscriber identity of the second device 132, Y, as input. In Step 3, the second node 112, in accordance with Action 302 and Action 203 sends the processed subscriber identity to the first node 111 , via its BCS API, as an encrypted number (prefix)X. In Step 4, the first node 111, in accordance with Action 205, ing triggers an event to the third node 113, here the SMSF, to generate a notification to the first device 131 and the second device 132, and enables shar the encrypted details of the first device 131 , as X', with the first device 131, the secured party X, and the second device 132, that is, the untrusted business party Y using the SMSF. Particularly, by receiving the first indication of the processed subscriber identity, the third node 113, the SMSF, may then be enabled to indicate the processed subscriber identity to the fifth node 115, the AMF. In Step 5a, the fifth node 115 may then, via the second radio network node 142 alert the second device 132 to call the processed subscriber identity X’. In Step 5b, the fifth node 115 may also alert the first device 131 that a notification has been sent to the second device 132 to call the processed subscriber identity of the first device 131. The second device 132 may then be enabled to initiate a voice call to the secured party using the processed subscriber identity as the encrypted number X'.
[0123] Figure 5 shows another sequence diagram describing a second non-limiting example of a method performed in the communications system 100, according to embodiments herein. In the depicted example, the communications system 100 is a 5G network comprising network elements wherein the first node 111 is a NEF, the third node 113 is an SMSF, the fourth node 114 is a PCT, the fifth node 115 is an AMF and the second radio network node 142 is a gNB. The example of Figure 5 depicts an example of a scenario wherein a secured connection may be established between the first device 131, depicted as secured party X and the second device 132, depicted as untrusted party Y. In Step 1, the second device 132 may initiate a voice call to the first device 131 using the processed subscriber identity as the encrypted number (prefix)X'. The encrypted number reaches the mobile network via the second radio network node 142, which in-turn reaches the SMF via the AMF. At Step 2, the SMF detects the called number is encrypted and routes it to the NEF instead by, according to Action 201, sending the first request, requesting the decrypted subscriber identity that is, the descripted telephone number of X. The NEF alone may have the authorization to decrypt the X'. In Step 3, according to Action 301 and Action 202, the first node 111 , via its BCS API, sends the second request to the second node 112, here the decryption API in the blockchain, to request the decryption of X’, providing the second subscriber identity of the second device 132, Y, as input. In Step 4, the second node 112, in accordance with Action 302 and Action 203 sends the processed subscriber identity to the first node 111 , via its BCS API, as the decrypted number X. In Step 4, the first node 111, in accordance with Action 204, validates the set of rules for the call via the fourth node 114, here the PCF. Next, in accordance with Action 205, the first node 111 triggers an event to the third node 113, here the SMSF, to establish a call between the first device 131 and the second device 132. The SMF may initiate a session with the decrypted number X.
[0124] As a summarized view of the foregoing, embodiments herein may be understood to leverage the decentralized, immutable aspects of blockchain and use them in the mobile flow context. Embodiments herein may enable a mobile network to facilitate encryption of mobile numbers using 5G network-elements and thereby ensure the establishment of secure communications between parties via the communications system. Embodiments herein may thereby enable privacy of those seeking services from untrusted / third parties and also enable to avoid vishing.
[0125] Certain embodiments disclosed herein may provide one or more of the following technical advantage(s), which may be summarized as follows.
[0126] Embodiments herein may be understood to enable to secure subscriber identities, e.g., mobile numbers, so that only trusted and authorized third parties may be enabled to use the numbers. This may avoid vishing and irrelevant messages being received to mobile numbers. The actual mobile numbers may not be exposed. Accordingly, the first node may avoid that communications from untrusted parties which, if not managed, may be very numerous, may impact the capacity and latency of the network, as well as the ability to provide services in the network in an optimal fashion.
[0127] Furthermore, by enabling the usage of the set of rules, embodiments herein may enable to provide more control to the usage of the subscriber identities, e.g., their mobile numbers, by, for example, limiting the number of calls from a thirty party, time of call etc.
[0128] Advantageously, no additional application may be required for secured communication with untrusted parties, as it may be handled by the network elements.
[0129] Moreover, by using blockchain technology, the following advantages of blockchain may be applicable to embodiments herein: a) decentralization, b) immutability of an encryption / decryption algorithm on which rules may be run, and c) ledger lifetime configuration.
[0130] Figure 6 depicts an example of the arrangement that the first node 111 may comprise to perform the method described in Figure 2 and / or Figures 4-5. The first node 111 may be understood to be for handling the subscriber identity. The first node 111 is configured to operate in the communications system 100.
[0131] Several embodiments are comprised herein. It should be noted that the examples herein are not mutually exclusive. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here. For example, in some embodiments, the subscriber identity may be configured to be a telephone number.
[0132] The first node 111 is configured to receive the first request to process the subscriber identity for communication with the second device 132. The subscriber identity is configured to belong to the first device 131 configured to operate in the communications system 100. The first device 131 is configured to be a secured party and the second device 132 is configured to be an untrusted party. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the first request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is configured to be to encrypt the subscriber identity.
[0133] The first node 111 is also configured to obtain the processed subscriber identity based on the first request configured to be received. At least one of the following applies: i) with the proviso the first request is configured to be to decrypt the subscriber identity, the processed subscriber identity is the decrypted subscriber identity, and ii) with the proviso the first request is configured to be to encrypt the subscriber identity, the processed subscriber identity is the encrypted subscriber identity.
[0134] The first node 111 is further configured to initiate provision of the first indication of the processed subscriber identity.
[0135] In some embodiments, the obtaining of the processed subscriber identity may be configured to be via the BCS API.
[0136] In some embodiments wherein the processed subscriber identity may be configured to be obtained from the second node 112 configured to be operating in the communications system 100 using blockchain, the first node 111 may be further configured to send, responsive to the first request configured to be received, the second request to the second node 112. The second request may be configured to request the processed subscriber identity. The processed subscriber identity may be configured to be obtained responsive to the second request configured to be sent.
[0137] In some embodiments, the processed subscriber identity configured to be obtained may be configured to be based on the set of rules configured to be provided to the BCS API.
[0138] In some embodiments, the set of rules may be configured to comprise the first rule configured to restrict the number of times the decryption of the processed subscriber identity may be configured to be allowed to be requested.
[0139] In some embodiments, the first node 111 may be further configured to validate the set of rules before the initiating of the provision of the first indication. The provision of the first indication may be configured to be initiated with the proviso the set of rules may have been validated.
[0140] In some embodiments, initiating the provision of the first indication of the processed subscriber identity may be configured to comprise initiating establishing the communication between the first device 131 and the second device 132 using the processed subscriber identity. The initiating establishing of the communication may be configured to comprise triggering the event to the third node 113 configured to operate in the communications system 100. The event may be configured to comprise generating the second indication, to at least one of the first device 131 and the second device 132. The second indication may be configured to indicate that the communication has been initiated with the processed subscriber identity.
[0141] In some embodiments, at least one of the following may apply: a) the first node 111 may be configured to be the NEF, the third node 113 may be configured to be the SMF, and c) the validating may be configured to be performed via the fourth node 114. The fourth node 114 may be configured to be the PCF. The embodiments herein in the first node 111 may be implemented through one or more processors, such as a processing circuitry 601 in the first node 111 depicted in Figure 6, together with computer program code for performing the functions and actions of the embodiments herein. A processor, as used herein, may be understood to be a hardware component. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
[0142] The first node 111 may further comprise a memory 602 comprising one or more memory units. The memory 602 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111.
[0143] In some embodiments, the first node 111 may receive information from, e.g., the first device 131 , the second node 112, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141, the second radio network node 142, the second device 132, another node, and / or another structure in the communications system 100, through a receiving port 603. In some embodiments, the receiving port 603 may be, for example, connected to one or more antennas in first node 111. In other embodiments, the first node 111 may receive information from another structure in the communications system 100 through the receiving port 603. Since the receiving port 603 may be in communication with the processing circuitry 601 , the receiving port 603 may then send the received information to the processing circuitry 601. The receiving port 603 may also be configured to receive other information.
[0144] The processing circuitry 601 in the first node 111 may be further configured to transmit or send information to e.g., the first device 131 , the second node 112, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141, the second radio network node 142, the second device 132, another node, and / or another structure in the communications system 100, through a sending port 604, which may be in communication with the processing circuitry 601 , and the memory 602.
[0145] Those skilled in the art will also appreciate that the units comprised within the first node 111 described above as being configured to perform different actions, may refer to a combination of analog and digital circuits, and / or one or more processors configured with software and / or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processing circuitry 601 , perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
[0146] Also, in some embodiments, the different units comprised within the first node 111 described above as being configured to perform different actions described above may be implemented as one or more applications running on one or more processors such as the processing circuitry 601.
[0147] Thus, the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 605 product, comprising instructions, i.e. , software code portions, which, when executed on at least one processing circuitry 601 , cause the at least one processing circuitry 601 to carry out the actions described herein, as performed by the first node 111. The computer program 605 product may be stored on a computer-readable storage medium 606. The computer-readable storage medium 606, having stored thereon the computer program 605, may comprise instructions which, when executed on at least one processing circuitry 601 , cause the at least one processing circuitry 601 to carry out the actions described herein, as performed by the first node 111. In some embodiments, the computer-readable storage medium 606 may be a non-transitory computer- readable storage medium, such as a CD ROM disc, or a memory stick. In other embodiments, the computer program 605 product may be stored on a carrier containing the computer program 605 just described, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 606, as described above.
[0148] The first node 111 may comprise a communication interface configured to facilitate, or an interface unit to facilitate, communications between the first node 111 and other nodes or devices, e.g., the first device 131 , the second node 112, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141 , the second radio network node 142, the second device 132, another node, and / or another structure in the communications system 100. The interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
[0149] In other embodiments, the first node 111 may comprise a radio circuitry 607, which may comprise e.g., the receiving port 603 and the sending port 604.
[0150] The radio circuitry 607 may be configured to set up and maintain at least a wireless connection with the first device 131, the second node 112, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141 , the second radio network node 142, the second device 132, another node, and / or another structure in the communications system 100. Circuitry may be understood herein as a hardware component.
[0151] Hence, embodiments herein also relate to the first node 111 operative to operate in the communications system 100. The first node 111 may comprise the processing circuitry 601 and the memory 602, said memory 602 containing instructions executable by said processing circuitry 601 , whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111 , e.g., in Figure 2 and / or Figures 4-5.
[0152] Figure 7 depicts an example of the arrangement that the second node 112 may comprise to perform the method described in Figure 3 and / or Figures 4-5. The second node 112 may be understood to be for handling the subscriber identity. The second node 112 is configured to operate in the communications system 100.
[0153] Several embodiments are comprised herein. It should be noted that the examples herein are not mutually exclusive. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the second node 112 and will thus not be repeated here. For example, in some embodiments, the subscriber identity may be configured to be a telephone number.
[0154] The second node 112 is configured to receive the second request, from the first node
[0155] 111 configured to operate in the communications system 100, to process the subscriber identity for communication with a second device 132. The subscriber identity is configured to belong to the first device 131 configured to operate in the communications system 100. At least one of the following applies: i) with the proviso the subscriber identity is encrypted, the second request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is configured to be to encrypt the subscriber identity.
[0156] The second node 112 is also configured to provide the processed subscriber identity to the first node 111 based on the second request configured to be received. The second node
[0157] 112 is configured to obtain the processed subscriber identity using blockchain. At least one of the following applies: i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity.
[0158] In some embodiments, the providing of the processed subscriber identity may be configured to be via a BCS API.
[0159] In some embodiments, the processed subscriber identity configured to be obtained may be configured to be based on the set of rules configured to be provided to the blockchain security API. In some embodiments, the set of rules may be configured to comprise the first rule configured to restrict the number of times the decryption of the processed subscriber identity may be configured to be allowed to be requested.
[0160] In some embodiments, the first node 111 may be configured to be a NEF.
[0161] In some embodiments, the subscriber identity may be configured to be a telephone number.
[0162] The embodiments herein in the second node 112 may be implemented through one or more processors, such as a processing circuitry 701 in the second node 112 depicted in Figure 7, together with computer program code for performing the functions and actions of the embodiments herein. A processor, as used herein, may be understood to be a hardware component. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the second node 112. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
[0163] The second node 112 may further comprise a memory 702 comprising one or more memory units. The memory 702 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
[0164] In some embodiments, the second node 112 may receive information from, e.g., the first device 131 , the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141, the second radio network node 142, the first node 111, the second device 132, another node, and / or another structure in the communications system 100, through a receiving port 703. In some embodiments, the receiving port 703 may be, for example, connected to one or more antennas in second node 112. In other embodiments, the second node 112 may receive information from another structure in the communications system 100 through the receiving port 703. Since the receiving port 703 may be in communication with the processing circuitry 701 , the receiving port 703 may then send the received information to the processing circuitry 701. The receiving port 703 may also be configured to receive other information.
[0165] The processing circuitry 701 in the second node 112 may be further configured to transmit or send information to e.g., the first device 131, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141 , the second radio network node 142, the first node 111, the second device 132, another node, and / or another structure in the communications system 100, through a sending port 704, which may be in communication with the processing circuitry 701 , and the memory 702. Those skilled in the art will also appreciate that the units comprised within the second node 112 described above as being configured to perform different actions, may refer to a combination of analog and digital circuits, and / or one or more processors configured with software and / or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processing circuitry 701 , perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
[0166] Also, in some embodiments, the different units comprised within the second node 112 described above as being configured to perform different actions described above may be implemented as one or more applications running on one or more processors such as the processing circuitry 701.
[0167] Thus, the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 705 product, comprising instructions, i.e. , software code portions, which, when executed on at least one processing circuitry 701 , cause the at least one processing circuitry 701 to carry out the actions described herein, as performed by the second node 112. The computer program 705 product may be stored on a computer-readable storage medium 706. The computer- readable storage medium 706, having stored thereon the computer program 705, may comprise instructions which, when executed on at least one processing circuitry 701 , cause the at least one processing circuitry 701 to carry out the actions described herein, as performed by the second node 112. In some embodiments, the computer-readable storage medium 706 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, or a memory stick. In other embodiments, the computer program 705 product may be stored on a carrier containing the computer program 705 just described, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 706, as described above.
[0168] The second node 112 may comprise a communication interface configured to facilitate, or an interface unit to facilitate, communications between the second node 112 and other nodes or devices, e.g., the first device 131, the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141, the second radio network node 142, the first node 111 , the second device 132, another node, and / or another structure in the communications system 100. The interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
[0169] In other embodiments, the second node 112 may comprise a radio circuitry 707, which may comprise e.g., the receiving port 703 and the sending port 704. The radio circuitry 707 may be configured to set up and maintain at least a wireless connection with the first device 131 , the third node 113, the fourth node 114, the fifth node 115, the first radio network node 141, the second radio network node 142, the first node 111 , the second device 132, another node, and / or another structure in the communications system 100. Circuitry may be understood herein as a hardware component.
[0170] Hence, embodiments herein also relate to the second node 112, operative to operate in the communications system 100. The second node 112 may comprise the processing circuitry 701 and the memory 702, said memory 702 containing instructions executable by said processing circuitry 701 , whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 5 and / or Figures 4- 5.
[0171] Embodiments herein may also comprise the communications system 100 comprising the first node 111 configured as described in relation to Figure 6, and the second node 112, configured as described in relation to Figure 7.
[0172] When using the word "comprise" or “comprising”, it shall be interpreted as non-limiting, i.e. , meaning "consist at least of'.
[0173] The embodiments herein are not limited to the above-described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention.
[0174] Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and / or is implied from the context in which it is used. All references to a / an / the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and / or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.
[0175] As used herein, the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply. This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
[0176] Any of the terms processor and circuitry may be understood herein as a hardware component. As used herein, the expression “in some embodiments” has been used to indicate that the features of the embodiment described may be combined with any other embodiment or example disclosed herein.
[0177] As used herein, the expression “in some examples” has been used to indicate that the features of the example described may be combined with any other embodiment or example disclosed herein.
Claims
CLAIMS:
1. A computer-implemented method performed by a first node (111), the method being for handling a subscriber identity, the first node (111) operating in a communications system (100), and the method comprising:- receiving (201) a first request to process a subscriber identity for communication with a second device (132), the subscriber identity belonging to a first device (131) operating in the communications system (100), wherein the first device (131) is a secured party and the second device (132) is an untrusted party, wherein at least one of: i) with the proviso the subscriber identity is encrypted, the first request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is to encrypt the subscriber identity, and- obtaining (203) a processed subscriber identity based on the received first request, wherein at least one of: i) with the proviso the first request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the first request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity, and- initiating (205) provision of a first indication of the processed subscriber identity.
2. The method according to claim 1, wherein the obtaining (203) of the processed subscriber identity is via a blockchain security application programming interface, API.
3. The method according to claim 2, wherein the processed subscriber identity is obtained from a second node (112) operating in the communications system (100) using blockchain, and wherein the method further comprises:- sending (202), responsive to the received first request, a second request to the second node (112), the second request requesting the processed subscriber identity and wherein the processed subscriber identity is obtained responsive to the sent second request.
4. The method according to any of claims 2-3, wherein the obtained processed subscriber identity is based on a set of rules provided to the blockchain security API.
5. The method according to claim 4, wherein the set of rules comprises a first rule restricting a number of times a decryption of the processed subscriber identity is allowed to be requested.
6. The method according to claim 3 and any of claims 4-5, further comprising:- validating (204) the set of rules before the initiating (205) of the provision of the first indication, and wherein the provision of the first indication is initiated with the proviso the set of rules has been validated.
7. The method according to any of claims 1-6, wherein initiating (205) the provision of the first indication of the processed subscriber identity comprises initiating establishing the communication between the first device (131) and the second device (132) using the processed subscriber identity, and wherein the initiating (205) establishing of the communication comprises triggering an event to a third node (113) operating in the communications system (100), the event comprising generating a second indication, to at least one of the first device (131) and the second device (132), the second indication indicating that the communication has been initiated with the processed subscriber identity.
8. The method according to claim 7, wherein at least one of:- the first node (111) is a Network Exposure Function, NEF,- the third node (113) is a Session Management Function, SMF, and- the validating (204) is performed via a fourth node (114), wherein the fourth node (114) is a Policy Control Function, PCF.
9. The method according to any of claims 1-8, wherein the subscriber identity is a telephone number.
10. A computer-implemented method performed by a second node (112), the method being for handling a subscriber identity, the second node (112) operating in a communications system (100), and the method comprising:- receiving (301) a second request from a first node (111) operating in the communications system (100), to process a subscriber identity for communication with a second device (132), the subscriber identity belonging to a first device (131) operating in the communications system (100), wherein at least one of:i) with the proviso the subscriber identity is encrypted, the second request is to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is to encrypt the subscriber identity, and- providing (302) a processed subscriber identity to the first node (111) based on the received second request, wherein the second node (112) obtains the processed subscriber identity using blockchain, and wherein at least one of: i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity.
11. The method according to claim 10, wherein the providing (302) of the processed subscriber identity is via a blockchain security application programming interface, API.
12. The method according to any of claims 10-11, wherein the obtained processed subscriber identity is based on a set of rules provided to the blockchain security API.
13. The method according to claim 12, wherein the set of rules comprises a first rule restricting a number of times a decryption of the processed subscriber identity is allowed to be requested.
14. The method according to any of claims 10-13, wherein the first node (111) is a Network Exposure Function, NEF.
15. The method according to any of claims 10-14, wherein the subscriber identity is a telephone number.
16. A first node (111), for handling a subscriber identity, the first node (111) being configured to operate in a communications system (100), and the first node (111) being further configured to:- receive a first request to process a subscriber identity for communication with a second device (132), the subscriber identity being configured to belong to a first device (131) configured to operate in the communications system (100), wherein the first device (131) is configured to be a secured party and thesecond device (132) is configured to be an untrusted party, wherein at least one of: i) with the proviso the subscriber identity is encrypted, the first request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the first request is configured to be to encrypt the subscriber identity, and- obtain a processed subscriber identity based on the first request configured to be received, wherein at least one of: i) with the proviso the first request is configured to be to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the first request is configured to be to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity, and- initiate provision of a first indication of the processed subscriber identity.
17. The first node (111) according to claim 16, wherein the obtaining of the processed subscriber identity is configured to be via a blockchain security application programming interface, API.
18. The first node (111) according to claim 17, wherein the processed subscriber identity is configured to be obtained from a second node (112) configured to be operating in the communications system (100) using blockchain, and wherein the first node (111) is further configured to:- send, responsive to the first request configured to be received, a second request to the second node (112), the second request being configured to request the processed subscriber identity and wherein the processed subscriber identity is configured to be obtained responsive to the second request configured to be sent.
19. The first node (111) according to any of claims 17-18, wherein the processed subscriber identity configured to be obtained is configured to be based on a set of rules configured to be provided to the blockchain security API.
20. The first node (111) according to claim 19, wherein the set of rules is configured to comprise a first rule configured to restrict a number of times a decryption of the processed subscriber identity is configured to be allowed to be requested.
21. The first node (111) according to claim 18 and any of claims 19-20, being further configured to:- validate the set of rules before the initiating of the provision of the first indication, and wherein the provision of the first indication is configured to be initiated with the proviso the set of rules has been validated.
22. The first node (111) according to any of claims 16-21 , wherein initiating the provision of the first indication of the processed subscriber identity is configured to comprise initiating establishing the communication between the first device (131) and the second device (132) using the processed subscriber identity, and wherein the initiating establishing of the communication is configured to comprise triggering an event to a third node (113) configured to operate in the communications system (100), the event being configured to comprise generating a second indication, to at least one of the first device (131) and the second device (132), the second indication being configured to indicate that the communication has been initiated with the processed subscriber identity.
23. The first node (111) according to claim 22, wherein at least one of:- the first node (111) is configured to be a Network Exposure Function, NEF,- the third node (113) is configured to be a Session Management Function, SMF, and- the validating is configured to be performed via a fourth node (114), wherein the fourth node (114) is configured to be a Policy Control Function, PCF.
24. The first node (111) according to any of claims 16-23, wherein the subscriber identity is configured to be a telephone number.
25. A second node (112), for handling a subscriber identity, the second node (112) being configured to operate in a communications system (100), and the second node (112) being further configured to:- receive a second request, from a first node (111) configured to operate in the communications system (100), to process a subscriber identity forcommunication with a second device (132), the subscriber identity being configured to belong to a first device (131) configured to operate in the communications system (100), wherein at least one of: i) with the proviso the subscriber identity is encrypted, the second request is configured to be to decrypt the subscriber identity, and ii) with the proviso the subscriber identity is unencrypted, the second request is configured to be to encrypt the subscriber identity, and- provide a processed subscriber identity to the first node (111) based on the second request configured to be received, wherein the second node (112) is configured to obtain the processed subscriber identity using blockchain, and wherein at least one of: i) with the proviso the second request is to decrypt the subscriber identity, the processed subscriber identity is a decrypted subscriber identity, and ii) with the proviso the second request is to encrypt the subscriber identity, the processed subscriber identity is an encrypted subscriber identity.
26. The second node (112) according to claim 25, wherein the providing of the processed subscriber identity is configured to be via a blockchain security application programming interface, API.
27. The second node (112) according to any of claims 25-26, wherein the processed subscriber identity configured to be obtained is configured to be based on a set of rules configured to be provided to the blockchain security API.
28. The second node (112) according to claim 27, wherein the set of rules is configured to comprise a first rule configured to restrict a number of times a decryption of the processed subscriber identity is configured to be allowed to be requested.
29. The second node (112) according to any of claims 25-28, wherein the first node (111) is configured to be a Network Exposure Function, NEF.
30. The second node (112) according to any of claims 25-29, wherein the subscriber identity is configured to be a telephone number.
31. A computer program (605), comprising instructions which, when executed on at least one processor (601), cause the at least one processor (601) to carry out the method according to any of claims 1-9.
32. A computer-readable storage medium (606), having stored thereon a computer program (605), comprising instructions which, when executed on at least one processor (601), cause the at least one processor (601) to carry out the method according to any of claims 1-9.
33. A computer program (705), comprising instructions which, when executed on at least one processor (701), cause the at least one processor (701) to carry out the method according to any of claims 10-15.
34. A computer-readable storage medium (706), having stored thereon a computer program (705), comprising instructions which, when executed on at least one processor (701), cause the at least one processor (701) to carry out the method according to any of claims 10-15.