Security techniques for non-terrestrial networks with regenerative payloads

EP4758891A1Pending Publication Date: 2026-06-17QUALCOMM INC

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
QUALCOMM INC
Filing Date
2024-07-26
Publication Date
2026-06-17

AI Technical Summary

Technical Problem

Existing non-terrestrial networks (NTNs) with regenerative payloads face challenges in ensuring security during handover procedures, as they often do not perform integrity checks and security key derivation.

Method used

The proposed solution involves a proxy network entity or a target NTN network entity performing an integrity check and deriving security keys for the handover procedure. This is achieved by receiving user equipment (UE) context information and a message authentication code (MAC) from a source NTN network entity, verifying the MAC, and then transmitting the security keys and context information to the target NTN network entity.

Benefits of technology

This approach enhances the security of handover procedures in NTNs with regenerative payloads by ensuring integrity checks and secure key derivation, thereby improving communication reliability and reducing the risk of security breaches.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure US2024039862_13022025_PF_FP_ABST
    Figure US2024039862_13022025_PF_FP_ABST
Patent Text Reader

Abstract

Methods, systems, and devices for wireless communications are described. The described techniques may enable a proxy network entity or a target NTN network entity to perform an integrity check and security key derivation for a handover procedure. The proxy network entity may receive UE context information from a source NTN network entity and may perform the integrity check. In some examples, the proxy network entity may derive security keys and may transmit the security keys and the UE context information to the target NTN network entity. In some examples, the target NTN network entity may derive the security keys. In some examples, the proxy network entity may receive and store the UE context information without performing the integrity check or deriving the security keys. In such examples, the target NTN network entity may perform the integrity check and security key derivation.
Need to check novelty before this filing date? Find Prior Art

Description

SECURITY TECHNIQUES FOR NON-TERRESTRIAL NETWORKS WITH REGENERATIVE PAYLOADSCROSS REFERENCE

[0001] The present Application for Patent claims priority to India Patent Application No. 202341053106 by SHRESTHA et al., entitled “SECURITY TECHNIQUES FOR NON-TERRESTRIAL NETWORKS WITH REGENERATIVE PAYLOADS,” filed August 8, 2023, assigned to the assignee hereof, and expressly incorporated by reference in its entirety herein.FIELD OF TECHNOLOGY

[0002] The following relates to wireless communications, including security techniques for non-terrestrial networks with regenerative payloads.BACKGROUND

[0003] Wireless communications systems are widely deployed to provide various types of communication content such as voice, video, packet data, messaging, broadcast, and so on. These systems may be capable of supporting communication with multiple users by sharing the available system resources (e.g., time, frequency, and power). Examples of such multiple-access systems include fourth generation (4G) systems such as Long Term Evolution (LTE) systems, LTE- Advanced (LTE-A) systems, or LTE-A Pro systems, and fifth generation (5G) systems which may be referred to as New Radio (NR) systems. These systems may employ technologies such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), orthogonal FDMA (OFDMA), or discrete Fourier transform spread orthogonal frequency division multiplexing (DFT-S-OFDM). A wireless multiple-access communications system may include one or more base stations, each supporting wireless communication for communication devices, which may be known as user equipment (UE).SUMMARY

[0004] The described techniques relate to improved methods, systems, devices, and apparatuses that support security techniques for non-terrestrial networks (NTNs) with regenerative payloads. For example, the described techniques enable a proxy network entity or a target NTN network entity to perform an integrity check and security key derivation for a handover procedure. The proxy network entity may receive user equipment (UE) context information from a source NTN network entity and may perform the integrity check by verifying a message authentication code (MAC) for integrity checks (MAC -I) associated with the UE. In some examples, the proxy network entity may derive security keys and may transmit the security keys and the UE context information to the target NTN network entity. In some examples, the proxy network entity may transmit the UE context information to the target NTN network entity, and the target NTN network entity may derive the security keys. In some examples, the proxy network entity may receive and store the UE context information without performing the integrity check or deriving the security keys. In such examples, the target NTN network entity may receive the UE context information from the proxy network entity, and may perform the integrity check and security key derivation.

[0005] A method for wireless communications by a proxy network entity is described. The method may include receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity, performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0006] A proxy network entity for wireless communications is described. The proxy network entity may include one or more memories storing processor executable code, and one or more processors coupled with the one or more memories. The one or more processors may individually or collectively operable to execute the code to cause the proxy network entity to receive, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information isassociated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity, perform an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and transmit, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0007] Another proxy network entity for wireless communications is described. The proxy network entity may include means for receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity, means for performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and means for transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0008] A non-transitory computer-readable medium storing code for wireless communications is described. The code may include instructions executable by a processor to receive, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity, perform an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and transmit, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0009] Some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein may further include operations, features, means, or instructions for transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity.

[0010] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, the one or more security keys associated with handover of the UE include one or more new security keys derived by the proxy network entity.

[0011] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, the one or more security keys associated with handover of the UE include one or more security keys associated with the first NTN network entity.

[0012] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, transmitting the indication may include operations, features, means, or instructions for transmitting an indication of whether the one or more security keys associated with handover of the UE may be one or more security keys derived by the proxy network entity or if the one or more security keys associated with handover of the UE may be one or more security keys associated with the first NTN network entity.

[0013] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, one or more of the first message, the second message, or the indication may be transmitted via backhaul X2 signaling.

[0014] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, the indication may be transmitted via an inter-node radio resource control (RRC) message.

[0015] Some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein may further include operations, features, means, or instructions for receiving, from the UE or from the second NTN network entity, an indication of the MAC associated with the UE.

[0016] Some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein may further include operations, features, means, or instructions for receiving, from the first NTN network entity, an indication of the authentication key.

[0017] In some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein, performing the integrity check for the handover procedure may include operations, features, means, or instructions for deriving a second MAC based on the authentication key and comparing the MAC associated with the UE with the second MAC.

[0018] Some examples of the method, proxy network entities, and non-transitory computer-readable medium described herein may further include operations, features, means, or instructions for storing the context information associated with the UE.

[0019] A method for wireless communications by a first NTN network entity is described. The method may include receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity, receiving a second message indicating a MAC associated with the UE, performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0020] A first NTN network entity for wireless communications is described. The first NTN network entity may include one or more memories storing processor executable code, and one or more processors coupled with the one or more memories. The one or more processors may individually or collectively operable to execute the code to cause the first NTN network entity to receive, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity, receive a second message indicating a MAC associated with the UE, perform an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and derive one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0021] Another first NTN network entity for wireless communications is described. The first NTN network entity may include means for receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity, means for receiving a second message indicating a MAC associated with the UE, means for performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and means for deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0022] A non-transitory computer-readable medium storing code for wireless communications is described. The code may include instructions executable by a processor to receive, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity, receive a second message indicating a MAC associated with the UE, perform an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key, and derive one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0023] Some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein may further include operations, features, means, or instructions for transmitting, to the proxy network entity, a request for the context information associated with the UE.

[0024] Some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein may further include operations, features, means, or instructions for receiving, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity.

[0025] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, the indication includes an indication of whether the one or more additional security keys associated with the second NTN network entity may be one or more security keys generated by the proxy network entity and the first NTN network entity derives the one or more security keys based on the indication.

[0026] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, one or more of the first message, the second message, or the indication may be transmitted via backhaul X2 signaling.

[0027] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, the indication may be received via an inter-node RRC message.

[0028] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, the first message further includes pending uplink data, pending downlink data, one or more status reports, or a combination thereof.

[0029] Some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein may further include operations, features, means, or instructions for transmitting, to the proxy network entity, a success message that indicates a success of the handover procedure and receiving, from a core network via the proxy network entity, one or more downlink data messages based on the success message.

[0030] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, receiving the second message may include operations, features, means, or instructions for receiving the second message from the UE or from the proxy network entity.

[0031] Some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein may further include operations,features, means, or instructions for receiving, from the proxy network entity, an indication of the authentication key.

[0032] In some examples of the method, first NTN network entities, and non- transitory computer-readable medium described herein, performing the integrity check for the handover procedure may include operations, features, means, or instructions for deriving a second MAC based on the authentication key and comparing the MAC associated with the UE with the second MAC.BRIEF DESCRIPTION OF THE DRAWINGS

[0033] FIG. 1 shows an example of a wireless communications system that supports security techniques for non-terrestrial networks (NTNs) with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0034] FIG. 2 shows an example of a wireless communications system that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0035] FIG. 3 shows an example of a process flow that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0036] FIG. 4 shows an example of a process flow that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0037] FIGs. 5 and 6 show block diagrams of devices that support security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0038] FIG. 7 shows a block diagram of a communications manager that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0039] FIG. 8 shows a diagram of a system including a device that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.

[0040] FIGs. 9 through 14 show flowcharts illustrating methods that support security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure.DETAILED DESCRIPTION

[0041] In some wireless communication systems, a user equipment (UE) may communicate with a source non-terrestrial network (NTN) network entity (e.g., a satellite). In some cases, the source NTN network entity may move out of a service range of the UE, and may therefore perform a handover procedure to a target NTN network entity. In such systems, the source NTN network entity may perform an integrity check of the UE and may derive security keys for the handover procedure. In some examples, however, the source NTN network entity may offload context information (e.g., UE capability information, security information, UE identifying information) to a proxy network entity (e.g., a terrestrial network entity). The source NTN network entity may therefore refrain from performing the integrity check and deriving the security keys for the handover procedure.

[0042] Accordingly, techniques described herein may allow for the proxy network entity or the target NTN network entity to perform the integrity check and derive the security keys for the handover procedure. For example, the proxy network entity may receive the UE context information from the source NTN network entity and may receive a message authentication code (MAC) for integrity checks (MAC-I). The proxy network entity may perform the integrity check by verifying the MAC-I. In some examples, the proxy network entity may derive the security keys and may transmit the security keys and the UE context information to the target NTN network entity. In some examples, the proxy network entity may transmit the UE context information to the target NTN network entity, and the target NTN network entity may derive the security keys. In some examples, the proxy network entity may receive and store the UE context information without performing the integrity check or deriving the security keys. In such examples, the target NTN network entity may receive the UE context information from the proxy network entity, and may receive and verify the MAC-I associated with the UE. The target NTN may derive the security keys based on success of the integrity check and the UE context information.

[0043] Aspects of the disclosure are initially described in the context of wireless communications systems. Aspects of the disclosure are further illustrated by and described with reference to process flow diagrams. Aspects of the disclosure are further illustrated by and described with reference to apparatus diagrams, system diagrams, and flowcharts that relate to security techniques for NTNs with regenerative payloads.

[0044] FIG. 1 shows an example of a wireless communications system 100 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The wireless communications system 100 may include one or more network entities 105, one or more UEs 115, and a core network 130. In some examples, the wireless communications system 100 may be a Long Term Evolution (LTE) network, an LTE- Advanced (LTE-A) network, an LTE-A Pro network, a New Radio (NR) network, or a network operating in accordance with other systems and radio technologies, including future systems and radio technologies not explicitly mentioned herein.

[0045] The network entities 105 may be dispersed throughout a geographic area to form the wireless communications system 100 and may include devices in different forms or having different capabilities. In various examples, a network entity 105 may be referred to as a network element, a mobility element, a radio access network (RAN) node, or network equipment, among other nomenclature. In some examples, network entities 105 and UEs 115 may wirelessly communicate via one or more communication links 125 (e.g., a radio frequency (RF) access link). For example, a network entity 105 may support a coverage area 110 (e.g., a geographic coverage area) over which the UEs 115 and the network entity 105 may establish one or more communication links 125. The coverage area 110 may be an example of a geographic area over which a network entity 105 and a UE 115 may support the communication of signals according to one or more radio access technologies (RATs).

[0046] The UEs 115 may be dispersed throughout a coverage area 110 of the wireless communications system 100, and each UE 115 may be stationary, or mobile, or both at different times. The UEs 115 may be devices in different forms or having different capabilities. Some example UEs 115 are illustrated in FIG. 1. The UEs 115 described herein may be capable of supporting communications with various types of devices, such as other UEs 115 or network entities 105, as shown in FIG. 1.

[0047] As described herein, a node of the wireless communications system 100, which may be referred to as a network node, or a wireless node, may be a network entity 105 (e.g., any network entity described herein), a UE 115 (e.g., any UE described herein), a network controller, an apparatus, a device, a computing system, one or more components, or another suitable processing entity configured to perform any of the techniques described herein. For example, a node may be a UE 115. As another example, a node may be a network entity 105. As another example, a first node may be configured to communicate with a second node or a third node. In one aspect of this example, the first node may be a UE 115, the second node may be a network entity 105, and the third node may be a UE 115. In another aspect of this example, the first node may be a UE 115, the second node may be a network entity 105, and the third node may be a network entity 105. In yet other aspects of this example, the first, second, and third nodes may be different relative to these examples. Similarly, reference to a UE 115, network entity 105, apparatus, device, computing system, or the like may include disclosure of the UE 115, network entity 105, apparatus, device, computing system, or the like being a node. For example, disclosure that a UE 115 is configured to receive information from a network entity 105 also discloses that a first node is configured to receive information from a second node.

[0048] In some examples, network entities 105 may communicate with the core network 130, or with one another, or both. For example, network entities 105 may communicate with the core network 130 via one or more backhaul communication links 120 (e.g., in accordance with an SI, N2, N3, or other interface protocol). In some examples, network entities 105 may communicate with one another via a backhaul communication link 120 (e.g., in accordance with an X2, Xn, or other interface protocol) either directly (e.g., directly between network entities 105) or indirectly (e.g., via a core network 130). In some examples, network entities 105 may communicate with one another via a midhaul communication link 162 (e.g., in accordance with a midhaul interface protocol) or a fronthaul communication link 168 (e.g., in accordance with a fronthaul interface protocol), or any combination thereof. The backhaul communication links 120, midhaul communication links 162, or fronthaul communication links 168 may be or include one or more wired links (e.g., an electrical link, an optical fiber link), one or more wireless links (e.g., a radio link, a wirelessoptical link), among other examples or various combinations thereof. A UE 115 may communicate with the core network 130 via a communication link 155.

[0049] One or more of the network entities 105 described herein may include or may be referred to as a base station 140 (e.g., a base transceiver station, a radio base station, an NR base station, an access point, a radio transceiver, a NodeB, an eNodeB (eNB), a next-generation NodeB or a giga-NodeB (either of which may be referred to as a gNB), a 5G NB, a next-generation eNB (ng-eNB), a Home NodeB, a Home eNodeB, or other suitable terminology). In some examples, a network entity 105 (e.g., a base station 140) may be implemented in an aggregated (e.g., monolithic, standalone) base station architecture, which may be configured to utilize a protocol stack that is physically or logically integrated within a single network entity 105 (e.g., a single RAN node, such as a base station 140).

[0050] In some examples, a network entity 105 may be implemented in a disaggregated architecture (e.g., a disaggregated base station architecture, a disaggregated RAN architecture), which may be configured to utilize a protocol stack that is physically or logically distributed among two or more network entities 105, such as an integrated access backhaul (IAB) network, an open RAN (O-RAN) (e.g., a network configuration sponsored by the O-RAN Alliance), or a virtualized RAN (vRAN) (e.g., a cloud RAN (C-RAN)). For example, a network entity 105 may include one or more of a central unit (CU) 160, a distributed unit (DU) 165, a radio unit (RU) 170, a RAN Intelligent Controller (RIC) 175 (e.g., a Near-Real Time RIC (Near-RT RIC), a Non-Real Time RIC (Non-RT RIC)), a Service Management and Orchestration (SMO) 180 system, or any combination thereof. An RU 170 may also be referred to as a radio head, a smart radio head, a remote radio head (RRH), a remote radio unit (RRU), or a transmission reception point (TRP). One or more components of the network entities 105 in a disaggregated RAN architecture may be co-located, or one or more components of the network entities 105 may be located in distributed locations (e.g., separate physical locations). In some examples, one or more network entities 105 of a disaggregated RAN architecture may be implemented as virtual units (e.g., a virtual CU (VCU), a virtual DU (VDU), a virtual RU (VRU)).

[0051] The split of functionality between a CU 160, a DU 165, and an RU 170 is flexible and may support different functionalities depending on which functions (e.g.,network layer functions, protocol layer functions, baseband functions, RF functions, and any combinations thereof) are performed at a CU 160, a DU 165, or an RU 170. For example, a functional split of a protocol stack may be employed between a CU 160 and a DU 165 such that the CU 160 may support one or more layers of the protocol stack and the DU 165 may support one or more different layers of the protocol stack. In some examples, the CU 160 may host upper protocol layer (e.g., layer 3 (L3), layer 2 (L2)) functionality and signaling (e.g., Radio Resource Control (RRC), service data adaption protocol (SDAP), Packet Data Convergence Protocol (PDCP)). The CU 160 may be connected to one or more DUs 165 or RUs 170, and the one or more DUs 165 or RUs 170 may host lower protocol layers, such as layer 1 (LI) (e.g., physical (PHY) layer) or L2 (e.g., radio link control (RLC) layer, medium access control (MAC) layer) functionality and signaling, and may each be at least partially controlled by the CU 160. Additionally, or alternatively, a functional split of the protocol stack may be employed between a DU 165 and an RU 170 such that the DU 165 may support one or more layers of the protocol stack and the RU 170 may support one or more different layers of the protocol stack. The DU 165 may support one or multiple different cells (e.g., via one or more RUs 170). In some cases, a functional split between a CU 160 and a DU 165, or between a DU 165 and an RU 170 may be within a protocol layer (e.g., some functions for a protocol layer may be performed by one of a CU 160, a DU 165, or an RU 170, while other functions of the protocol layer are performed by a different one of the CU 160, the DU 165, or the RU 170). A CU 160 may be functionally split further into CU control plane (CU-CP) and CU user plane (CU-UP) functions. A CU 160 may be connected to one or more DUs 165 via a midhaul communication link 162 (e.g., Fl, Fl-c, Fl-u), and a DU 165 may be connected to one or more RUs 170 via a fronthaul communication link 168 (e.g., open fronthaul (FH) interface). In some examples, a midhaul communication link 162 or a fronthaul communication link 168 may be implemented in accordance with an interface (e.g., a channel) between layers of a protocol stack supported by respective network entities 105 that are in communication via such communication links.

[0052] In wireless communications systems (e.g., wireless communications system 100), infrastructure and spectral resources for radio access may support wireless backhaul link capabilities to supplement wired backhaul connections, providing an IABnetwork architecture (e.g., to a core network 130). In some cases, in an IAB network, one or more network entities 105 (e.g., IAB nodes 104) may be partially controlled by each other. One or more IAB nodes 104 may be referred to as a donor entity or an IAB donor. One or more DUs 165 or one or more RUs 170 may be partially controlled by one or more CUs 160 associated with a donor network entity 105 (e.g., a donor base station 140). The one or more donor network entities 105 (e.g., IAB donors) may be in communication with one or more additional network entities 105 (e.g., IAB nodes 104) via supported access and backhaul links (e.g., backhaul communication links 120). IAB nodes 104 may include an IAB mobile termination (IAB-MT) controlled (e.g., scheduled) by DUs 165 of a coupled IAB donor. An IAB-MT may include an independent set of antennas for relay of communications with UEs 115, or may share the same antennas (e.g., of an RU 170) of an IAB node 104 used for access via the DU 165 of the IAB node 104 (e.g., referred to as virtual IAB-MT (vIAB-MT)). In some examples, the IAB nodes 104 may include DUs 165 that support communication links with additional entities (e.g., IAB nodes 104, UEs 115) within the relay chain or configuration of the access network (e.g., downstream). In such cases, one or more components of the disaggregated RAN architecture (e.g., one or more IAB nodes 104 or components of IAB nodes 104) may be configured to operate according to the techniques described herein.

[0053] In the case of the techniques described herein applied in the context of a disaggregated RAN architecture, one or more components of the disaggregated RAN architecture may be configured to support security techniques for NTNs with regenerative payloads as described herein. For example, some operations described as being performed by a UE 115 or a network entity 105 (e.g., a base station 140) may additionally, or alternatively, be performed by one or more components of the disaggregated RAN architecture (e.g., IAB nodes 104, DUs 165, CUs 160, RUs 170, RIC 175, SMO 180).

[0054] A UE 115 may include or may be referred to as a mobile device, a wireless device, a remote device, a handheld device, or a subscriber device, or some other suitable terminology, where the “device” may also be referred to as a unit, a station, a terminal, or a client, among other examples. A UE 115 may also include or may be referred to as a personal electronic device such as a cellular phone, a personal digitalassistant (PDA), a tablet computer, a laptop computer, or a personal computer. In some examples, a UE 115 may include or be referred to as a wireless local loop (WLL) station, an Internet of Things (loT) device, an Internet of Everything (loE) device, or a machine type communications (MTC) device, among other examples, which may be implemented in various objects such as appliances, or vehicles, meters, among other examples.

[0055] The UEs 115 described herein may be able to communicate with various types of devices, such as other UEs 115 that may sometimes act as relays as well as the network entities 105 and the network equipment including macro eNBs or gNBs, small cell eNBs or gNBs, or relay base stations, among other examples, as shown in FIG. 1.

[0056] The UEs 115 and the network entities 105 may wirelessly communicate with one another via one or more communication links 125 (e.g., an access link) using resources associated with one or more carriers. The term “carrier” may refer to a set of RF spectrum resources having a defined physical layer structure for supporting the communication links 125. For example, a carrier used for a communication link 125 may include a portion of a RF spectrum band (e.g., a bandwidth part (BWP)) that is operated according to one or more physical layer channels for a given radio access technology (e.g., LTE, LTE-A, LTE-A Pro, NR). Each physical layer channel may carry acquisition signaling (e.g., synchronization signals, system information), control signaling that coordinates operation for the carrier, user data, or other signaling. The wireless communications system 100 may support communication with a UE 115 using carrier aggregation or multi-carrier operation. A UE 115 may be configured with multiple downlink component carriers and one or more uplink component carriers according to a carrier aggregation configuration. Carrier aggregation may be used with both frequency division duplexing (FDD) and time division duplexing (TDD) component carriers. Communication between a network entity 105 and other devices may refer to communication between the devices and any portion (e.g., entity, subentity) of a network entity 105. For example, the terms “transmitting,” “receiving,” or “communicating,” when referring to a network entity 105, may refer to any portion of a network entity 105 (e.g., a base station 140, a CU 160, a DU 165, a RU 170) of a RAN communicating with another device (e.g., directly or via one or more other network entities 105).

[0057] Signal waveforms transmitted via a carrier may be made up of multiple subcarriers (e.g., using multi-carrier modulation (MCM) techniques such as orthogonal frequency division multiplexing (OFDM) or discrete Fourier transform spread OFDM (DFT-S-OFDM)). In a system employing MCM techniques, a resource element may refer to resources of one symbol period (e.g., a duration of one modulation symbol) and one subcarrier, in which case the symbol period and subcarrier spacing may be inversely related. The quantity of bits carried by each resource element may depend on the modulation scheme (e.g., the order of the modulation scheme, the coding rate of the modulation scheme, or both), such that a relatively higher quantity of resource elements (e.g., in a transmission duration) and a relatively higher order of a modulation scheme may correspond to a relatively higher rate of communication. A wireless communications resource may refer to a combination of an RF spectrum resource, a time resource, and a spatial resource (e.g., a spatial layer, a beam), and the use of multiple spatial resources may increase the data rate or data integrity for communications with a UE 115.

[0058] The time intervals for the network entities 105 or the UEs 115 may be expressed in multiples of a basic time unit which may, for example, refer to a sampling period of Ts= l / (A / mflx■ Ay) seconds, for which fmaxmay represent a supported subcarrier spacing, and Ay may represent a supported discrete Fourier transform (DFT) size. Time intervals of a communications resource may be organized according to radio frames each having a specified duration (e.g., 10 milliseconds (ms)). Each radio frame may be identified by a system frame number (SFN) (e.g., ranging from 0 to 1023).

[0059] Each frame may include multiple consecutively-numbered subframes or slots, and each subframe or slot may have the same duration. In some examples, a frame may be divided (e.g., in the time domain) into subframes, and each subframe may be further divided into a quantity of slots. Alternatively, each frame may include a variable quantity of slots, and the quantity of slots may depend on subcarrier spacing. Each slot may include a quantity of symbol periods (e.g., depending on the length of the cyclic prefix prepended to each symbol period). In some wireless communications systems 100, a slot may further be divided into multiple mini-slots associated with one or more symbols. Excluding the cyclic prefix, each symbol period may be associated with one ormore (e.g., Nf) sampling periods. The duration of a symbol period may depend on the subcarrier spacing or frequency band of operation.

[0060] A subframe, a slot, a mini-slot, or a symbol may be the smallest scheduling unit (e.g., in the time domain) of the wireless communications system 100 and may be referred to as a transmission time interval (TTI). In some examples, the TTI duration (e.g., a quantity of symbol periods in a TTI) may be variable. Additionally, or alternatively, the smallest scheduling unit of the wireless communications system 100 may be dynamically selected (e.g., in bursts of shortened TTIs (sTTIs)).

[0061] Physical channels may be multiplexed for communication using a carrier according to various techniques. A physical control channel and a physical data channel may be multiplexed for signaling via a downlink carrier, for example, using one or more of time division multiplexing (TDM) techniques, frequency division multiplexing (FDM) techniques, or hybrid TDM-FDM techniques. A control region (e.g., a control resource set (CORESET)) for a physical control channel may be defined by a set of symbol periods and may extend across the system bandwidth or a subset of the system bandwidth of the carrier. One or more control regions (e.g., CORESETs) may be configured for a set of the UEs 115. For example, one or more of the UEs 115 may monitor or search control regions for control information according to one or more search space sets, and each search space set may include one or multiple control channel candidates in one or more aggregation levels arranged in a cascaded manner. An aggregation level for a control channel candidate may refer to an amount of control channel resources (e.g., control channel elements (CCEs)) associated with encoded information for a control information format having a given payload size. Search space sets may include common search space sets configured for sending control information to multiple UEs 115 and UE-specific search space sets for sending control information to a specific UE 115.

[0062] A network entity 105 may provide communication coverage via one or more cells, for example a macro cell, a small cell, a hot spot, or other types of cells, or any combination thereof. The term “cell” may refer to a logical communication entity used for communication with a network entity 105 (e.g., using a carrier) and may be associated with an identifier for distinguishing neighboring cells (e.g., a physical cellidentifier (PCID), a virtual cell identifier (VCID), or others). In some examples, a cell also may refer to a coverage area 110 or a portion of a coverage area 110 (e.g., a sector) over which the logical communication entity operates. Such cells may range from smaller areas (e.g., a structure, a subset of structure) to larger areas depending on various factors such as the capabilities of the network entity 105. For example, a cell may be or include a building, a subset of a building, or exterior spaces between or overlapping with coverage areas 110, among other examples.

[0063] A macro cell generally covers a relatively large geographic area (e.g., several kilometers in radius) and may allow unrestricted access by the UEs 115 with service subscriptions with the network provider supporting the macro cell. A small cell may be associated with a lower-powered network entity 105 (e.g., a lower-powered base station 140), as compared with a macro cell, and a small cell may operate using the same or different (e.g., licensed, unlicensed) frequency bands as macro cells. Small cells may provide unrestricted access to the UEs 115 with service subscriptions with the network provider or may provide restricted access to the UEs 115 having an association with the small cell (e.g., the UEs 115 in a closed subscriber group (CSG), the UEs 115 associated with users in a home or office). A network entity 105 may support one or multiple cells and may also support communications via the one or more cells using one or multiple component carriers.

[0064] In some examples, a carrier may support multiple cells, and different cells may be configured according to different protocol types (e.g., MTC, narrowband loT (NB-IoT), enhanced mobile broadband (eMBB)) that may provide access for different types of devices.

[0065] In some examples, a network entity 105 (e.g., a base station 140, an RU 170) may be movable and therefore provide communication coverage for a moving coverage area 110. In some examples, different coverage areas 110 associated with different technologies may overlap, but the different coverage areas 110 may be supported by the same network entity 105. In some other examples, the overlapping coverage areas 110 associated with different technologies may be supported by different network entities 105. The wireless communications system 100 may include, for example, a heterogeneous network in which different types of the network entities 105 providecoverage for various coverage areas 110 using the same or different radio access technologies.

[0066] The wireless communications system 100 may be configured to support ultra-reliable communications or low-latency communications, or various combinations thereof. For example, the wireless communications system 100 may be configured to support ultra-reliable low-latency communications (URLLC). The UEs 115 may be designed to support ultra-reliable, low-latency, or critical functions. Ultra-reliable communications may include private communication or group communication and may be supported by one or more services such as push-to-talk, video, or data. Support for ultra-reliable, low-latency functions may include prioritization of services, and such services may be used for public safety or general commercial applications. The terms ultra-reliable, low-latency, and ultra-reliable low-latency may be used interchangeably herein.

[0067] In some examples, a UE 115 may be configured to support communicating directly with other UEs 115 via a device-to-device (D2D) communication link 135 (e.g., in accordance with a peer-to-peer (P2P), D2D, or sidelink protocol). In some examples, one or more UEs 115 of a group that are performing D2D communications may be within the coverage area 110 of a network entity 105 (e.g., a base station 140, an RU 170), which may support aspects of such D2D communications being configured by (e.g., scheduled by) the network entity 105. In some examples, one or more UEs 115 of such a group may be outside the coverage area 110 of a network entity 105 or may be otherwise unable to or not configured to receive transmissions from a network entity 105. In some examples, groups of the UEs 115 communicating via D2D communications may support a one-to-many (1 :M) system in which each UE 115 transmits to each of the other UEs 115 in the group. In some examples, a network entity 105 may facilitate the scheduling of resources for D2D communications. In some other examples, D2D communications may be carried out between the UEs 115 without an involvement of a network entity 105.

[0068] The core network 130 may provide user authentication, access authorization, tracking, Internet Protocol (IP) connectivity, and other access, routing, or mobility functions. The core network 130 may be an evolved packet core (EPC) or 5G core (5GC), which may include at least one control plane entity that manages access andmobility (e.g., a mobility management entity (MME), an access and mobility management function (AMF)) and at least one user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)). The control plane entity may manage non-access stratum (NAS) functions such as mobility, authentication, and bearer management for the UEs 115 served by the network entities 105 (e.g., base stations 140) associated with the core network 130. User IP packets may be transferred through the user plane entity, which may provide IP address allocation as well as other functions. The user plane entity may be connected to IP services 150 for one or more network operators. The IP services 150 may include access to the Internet, Intranet(s), an IP Multimedia Subsystem (IMS), or a Packet-Switched Streaming Service.

[0069] The wireless communications system 100 may operate using one or more frequency bands, which may be in the range of 300 megahertz (MHz) to 300 gigahertz (GHz). Generally, the region from 300 MHz to 3 GHz is known as the ultra-high frequency (UHF) region or decimeter band because the wavelengths range from approximately one decimeter to one meter in length. UHF waves may be blocked or redirected by buildings and environmental features, which may be referred to as clusters, but the waves may penetrate structures sufficiently for a macro cell to provide service to the UEs 115 located indoors. Communications using UHF waves may be associated with smaller antennas and shorter ranges (e.g., less than 100 kilometers) compared to communications using the smaller frequencies and longer waves of the high frequency (HF) or very high frequency (VHF) portion of the spectrum below 300 MHz.

[0070] The wireless communications system 100 may utilize both licensed and unlicensed RF spectrum bands. For example, the wireless communications system 100 may employ License Assisted Access (LAA), LTE-Unlicensed (LTE-U) radio access technology, or NR technology using an unlicensed band such as the 5 GHz industrial, scientific, and medical (ISM) band. While operating using unlicensed RF spectrum bands, devices such as the network entities 105 and the UEs 115 may employ carrier sensing for collision detection and avoidance. In some examples, operations using unlicensed bands may be based on a carrier aggregation configuration in conjunctionwith component carriers operating using a licensed band (e.g., LAA). Operations using unlicensed spectrum may include downlink transmissions, uplink transmissions, P2P transmissions, or D2D transmissions, among other examples.

[0071] A network entity 105 (e.g., a base station 140, an RU 170) or a UE 115 may be equipped with multiple antennas, which may be used to employ techniques such as transmit diversity, receive diversity, multiple-input multiple-output (MIMO) communications, or beamforming. The antennas of a network entity 105 or a UE 115 may be located within one or more antenna arrays or antenna panels, which may support MIMO operations or transmit or receive beamforming. For example, one or more base station antennas or antenna arrays may be co-located at an antenna assembly, such as an antenna tower. In some examples, antennas or antenna arrays associated with a network entity 105 may be located at diverse geographic locations. A network entity 105 may include an antenna array with a set of rows and columns of antenna ports that the network entity 105 may use to support beamforming of communications with a UE 115. Likewise, a UE 115 may include one or more antenna arrays that may support various MIMO or beamforming operations. Additionally, or alternatively, an antenna panel may support RF beamforming for a signal transmitted via an antenna port.

[0072] Beamforming, which may also be referred to as spatial filtering, directional transmission, or directional reception, is a signal processing technique that may be used at a transmitting device or a receiving device (e.g., a network entity 105, a UE 115) to shape or steer an antenna beam (e.g., a transmit beam, a receive beam) along a spatial path between the transmitting device and the receiving device. Beamforming may be achieved by combining the signals communicated via antenna elements of an antenna array such that some signals propagating along particular orientations with respect to an antenna array experience constructive interference while others experience destructive interference. The adjustment of signals communicated via the antenna elements may include a transmitting device or a receiving device applying amplitude offsets, phase offsets, or both to signals carried via the antenna elements associated with the device. The adjustments associated with each of the antenna elements may be defined by a beamforming weight set associated with a particular orientation (e.g., with respect to the antenna array of the transmitting device or receiving device, or with respect to some other orientation).

[0073] The wireless communications system 100 may be a packet-based network that operates according to a layered protocol stack. In the user plane, communications at the bearer or PDCP layer may be IP -based. An RLC layer may perform packet segmentation and reassembly to communicate via logical channels. A MAC layer may perform priority handling and multiplexing of logical channels into transport channels. The MAC layer also may implement error detection techniques, error correction techniques, or both to support retransmissions to improve link efficiency. In the control plane, an RRC layer may provide establishment, configuration, and maintenance of an RRC connection between a UE 115 and a network entity 105 or a core network 130 supporting radio bearers for user plane data. A PHY layer may map transport channels to physical channels.

[0074] Some wireless communications systems, such as the wireless communications system 100, may be NTNs (e.g., networks with one or more NTN network entities 105). In some examples, NTN network entities 105 may be transparent payload NTN network entities 105 which may not perform signal processing. That is, transparent NTN network entities 105 may reflect signaling from a ground-based network entity 105 (e.g., via a feeder link) to a UE 115 without performing signal processing techniques such as demodulation, decoding, switching, encoding, and modulation. In some other examples, NTN network entities 105 may be regenerative payload NTN network entities 105 which may perform signal processing. That is, regenerative payload NTN network entities 105 may regenerate signaling from a ground-based network entity 105 (e.g., via a satellite radio interface (SRI) channel) by performing signal processing techniques such as demodulation, decoding, switching, encoding, and modulation.

[0075] In some regenerative payload NTNs, a source NTN network entity 105 may perform a handover procedure to handover a UE 115 to a target NTN network entity 105 (e.g., as the source NTN network entity 105 moves away from the UE 115). The source NTN network entity 105 may not store context information associated with the UE 115 (e.g., UE security information, UE identifying information), and may accordingly offload such information to a ground-based network entity 105 (e.g., a proxy network entity 105). The source NTN network entity 105 may therefore notperform security procedures, such as integrity checks and security key derivation, for the handover procedure.

[0076] Techniques described herein may allow for a proxy network entity 105 or a target NTN network entity 105 to perform an integrity check and derive security keys for a handover procedure to a target NTN network entity 105 in a regenerative payload NTN. For example, the proxy network entity 105 may receive context information for a UE 115 from a source NTN network entity 105 and may receive a MAC-I associated with the UE 115 (e.g., from the UE 115 or from the target NTN network entity 105). The proxy network entity 105 may perform the integrity check based on the MAC-I. That is, the proxy network entity 105 may derive a MAC using an authentication key supplied by the source NTN network entity 105 and may compare the MAC with the MAC-I associated with the UE 115.

[0077] In some examples, the proxy network entity 105 may derive the security keys and may transmit the security keys and the UE context information to the target NTN network entity 105. In some examples, the proxy network entity 105 may transmit the UE context information to the target NTN network entity 105, and the target NTN network entity 105 may derive the security keys.

[0078] In some examples, the proxy network entity 105 may receive and store the UE context information without performing the integrity check or deriving the security keys. In such examples, the target NTN network entity 105 may receive the UE context information from the proxy network entity, and may receive and verify the MAC-I from the UE 115. The target NTN network entity 105 may derive the security keys based on success of the integrity check and the UE context information.

[0079] FIG. 2 shows an example of a wireless communications system 200 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The wireless communications system 200 may implement or may be implemented by aspects of the wireless communications system 100. For example, the wireless communications system 200 may include a UE 115 (e.g., a UE 115-a) and a network entity 105 (e.g., a source NTN network entity 105-a, a target NTN network entity 105-b, and a proxy network entity 105-c), which may be examples of the corresponding devices as described with reference to FIG. 1.

[0080] In some examples of the wireless communications system 200, a UE 115-a may operate in a coverage zone 220 of one or more NTN network entities 105, such as an NTN network entity 105-a or an NTN network entity 105-b. The NTN network entity 105-a and the NTN network entity 105-b may be examples of satellites with regenerative payloads (e.g., rather than NTN network entities 105 with transparent payloads which may not have processing capabilities). That is, the NTN network entity 105-a and the NTN network entity 105-b may have processing capabilities such that the NTN network entity 105-a and the NTN network entity 105-b may receive signaling from the UE 115-a and transmit signaling to the UE 115-a over a channel 235 without communicating with a ground-based network entity 105 (e.g., such as a proxy network entity 105-c). The NTN network entity 105-a and the NTN network entity 105-b may store, process, and forward data in non-feeder link, local access, or NTN backhaul scenarios.

[0081] In some examples, the NTN network entity 105-a and the NTN network entity 105-b may be examples of DUs with medium access control layer and radio link control (RLC) functionality. In such examples, the NTN network entity 105-a and the NTN network entity 105-b may be associated with a ground-based CU with PDCP and RRC functionality. In some examples, the NTN network entity 105-a and the NTN network entity 105-b may be non-distributed network entities 105 (e.g., with a full network entity on-board the satellites).

[0082] As the source NTN network entity 105-a moves away from the UE 115-a, the UE 115-a may no longer be in a coverage zone 220 of the source NTN network entity 105-a. That is, the UE 115-a may be within a coverage zone 220 of the target NTN network entity 105-b. Accordingly, the source NTN network entity 105-a and the target NTN network entity 105-b may perform a handover procedure to handover the UE 115-a from the source NTN network entity 105-a to the target NTN network entity 105-b. In such examples, the source NTN network entity 105-a may offload context information 210 of the UE 115-a to a proxy network entity 105 (e.g., the proxy network entity 105-c) via a backhaul channel 205-a when the source NTN network entity 105-a moves away from the UE 115-a. That is, the source NTN network entity 105-a may perform a context relocation process such that the proxy network entity 105-c can act as an interim source during resumption or reestablishment procedures. The contextinformation 210 may include one or more of UE capability information, UE identifying information, or UE security information (e.g., for a network entity 105 to verify or authorize the UE 115 -a).

[0083] In such examples, the proxy network entity 105-c may act as a source network entity for the target NTN network entity 105-b (e.g., if the source NTN network entity 105-a is out of reach from a current registration or tracking area). That is, the UE 115-a may be unaware that the context information 210 has been forwarded to the proxy network entity 105-c during the context relocation. The target NTN network entity 105-b may accordingly retrieve the context information 210 from the network entity 105-b via a backhaul channel 205-b (e.g., if the UE 115-a is in the coverage zone 220 of the target NTN network entity 105-b). Such context offloading techniques may reduce processing and power consumption by the source NTN network entity 105-a and the target NTN network entity 105-b by reducing an amount of information stored by the source NTN network entity 105-a, as well as reducing multi-hop inter-satellite link (ISL) routing between the source NTN network entity 105-a and the target NTN network entity 105-b.

[0084] In some NTN handover procedures (e.g., for transparent payload networks), the target NTN network entity 105-b may receive a handover request from the source NTN network entity 105-a, as well as a message (e.g., an RRCResumeRequest or RRCReestablishmentRequest message) from the UE 115-a. The RRCResumeRequest or RRCReestablishmentRequest message may contain a MAC-I (e.g., a. ResumeMAC-1. shortResumeMAC-I, or a shortMAC-I), which the target NTN network entity 105-b may forward to the source NTN network entity 105-a.

[0085] The source NTN network entity 105-a may perform an integrity check by verifying the MAC-I. That is, the source NTN network entity 105-a may derive a MAC using an authentication key, and may compare the MAC-I to the MAC derived by the source NTN network entity 105-a. If the integrity check is successful, the source NTN network entity 105-a may derive one or more security keys 215 (e.g., a {KNG-RAN*, NCC} pair), and may forward the security keys 215 to the target NTN network entity 105-b (e.g., in a UE 5G access stratum (AS) security context as part of the context information 210). A core node of the NTN (e.g., an AMF 225) may perform a path switch procedure to allow the target NTN network entity 105-b to communicate withthe UE 115-a over a communication channel 235. The AMF 225 may generate new handover security keys 215 (e.g., a {NCC, NH} pair) for the target NTN network entity 105-b to use in future handover procedures or security key derivation 230.

[0086] However, in some regenerative payload networks (e.g., when the source NTN network entity 105-a offloads UE context information 210-a to the proxy network entity 105-c), the source NTN network entity 105-a may not perform the integrity check and derive the security keys 215. Further, the AMF 225 may not compute a new {NH, NCC} pair for the proxy network entity 105-c (e.g., to avoid performing frequent path switching procedures) unless the AMF 225 is aware of the context relocation due to the UE 115-a resuming in a new cell (e.g., the cell of the target NTN network entity 105-b). Accordingly, different network entities 105 may perform security key derivation 230 and integrity check procedures in regenerative payload networks than in transparent payload networks.

[0087] For example, in some implementations of regenerative payload networks, the proxy network entity 105-c and the source NTN network entity 105-a may be a same node (e.g., from the perspective of the AMF 225). In such implementations, a security key 215 pair {KNG-RAN*, NCC} may be shared between the proxy network entity 105-c and the source NTN network entity 105-a. Accordingly, after the context relocation, the proxy network entity 105-c may function as a source cell on the ground. In such implementations, the proxy network entity 105-c may perform the integrity check (e.g., for resumption and reestablishment) by verifying a MAC -I associated with the UE 115-a. That is, the proxy network entity 105-c may receive an authentication key (e.g., from the source NTN network entity 105-a), generate a MAC, and compare the MAC with the MAC-I associated with the UE 115-a. For handover to the proxy network entity 105-c, the network entity 105-c may not perform the integrity check (e.g., because the UE 115-a may remain in a connected mode).

[0088] In some examples, the proxy network entity 105-c may perform a security key derivation 230-a to derive one or more new security keys 215 (e.g., a new {KNG- RAN*, NCC} pair) for the target NTN network entity 105-b to use. That is, the proxy network entity 105-c may derive the new security keys 215 and transmit an indication of the new {KNG-RAN*, NCC} pair to the target NTN network entity 105-b via thebackhaul channel 205-b to use for handover of the UE 115-a. The proxy network entity 105-c may not use the new security keys 215.

[0089] In some examples, the proxy network entity 105-c may not perform security key derivation 230-a. For example, the proxy network entity 105-c may perform the integrity check and may transmit an indication of one or more prior security keys 215 (e.g., a {KNG_RAN, NCC} pair associated with the source NTN network entity 105-a) to the target NTN network entity 105-b via the backhaul channel 205-b . The target NTN network entity 105-b may perform security key derivation 230-b (e.g., on-the-fly security key derivation 230-b) using the prior security keys 215 associated with the source NTN network entity 105-a. In some examples (e.g., if a case cell is unchanged, such as for satellite switch with an unchanged physical cell identification (PCI)), the proxy network entity 105-c may upload context information 210-b to the target NTN network entity 105-b via the backhaul channel 205-b (e.g., or back to the source NTN network entity 105-a) and handover may be performed without deriving new security keys 215.

[0090] In some implementations of regenerative payload networks (e.g., if the proxy network entity 105-c and the source NTN network entity 105-a are not a same node), the security keys 215 may originate at the proxy network entity 105-c. That is, the proxy network entity 105-c and the UE 115-a may be aware of one or more security keys 215 (e.g., a KgNB security key). The proxy network entity 105-c may accordingly perform security key derivation 230-b and supply the target NTN network entity 105-b with one or more security keys 215 (e.g., a {KNG-RAN*, NCC} pair) for successful handover and RRC reestablishment. The NTN network entities 105 (e.g., the target NTN network entity 105-b and the source NTN network entity 105-a) may not perform security key derivation 230-b (e.g., even for intra-cell handover). That is, NTN network entities 105 may transmit a request to the proxy network entity 105 for the security keys 215 rather than performing security key derivation 230 (e.g., on-the-fly security key derivation 230).

[0091] In such implementations, the proxy network entity 105-c may use information associated with the source NTN network entity 105-a and the target NTN network entity 105-b to perform the security key derivation 230-a. The proxy network entity 105-c may, additionally, or alternatively, perform an integrity check of the UE115-a. For example, the proxy network entity 105-c may perform the security key derivation 230-a based on success of the integrity check. Such techniques may be similar to edge computing scenarios, where computing procedures may occur relatively closer in proximity to the UE 115-a than in non-edge computing scenarios.

[0092] In some implementations of regenerative payload networks, the proxy network entity 105-c may function as a transparent proxy network entity 105-c (e.g., and the source NTN network entity 105-a and the target NTN network entity 105-b may function as regenerative NTN network entities 105). That is, the proxy network entity 105-c may function as storage for the UE context information 210 (e.g., without performing processing procedures such as integrity checks and security key derivation). The proxy network entity 105-c may map tunnels (e.g., for next generation application protocol (NG AP) or general packet radio service (GPRS) tunneling protocol U (GTP- U)) for each UE 115 in communication with NTN network entities 105 (e.g., the source NTN network entity 105-a and the target NTN network entity 105-b). Each tunnel may be associated with one UE 115 and may extend between the core network (e.g., the AMF 225) and the NTN network entity 105 in communication with the UE 115. For example, the proxy network entity 105-c may map an IP address one-to-one between the NTN network entities 105 and the core network (e.g., the AMF 225).

[0093] In such implementations, the proxy network entity 105-c may not perform security key derivation 230-a and may not perform an integrity check. The proxy network entity 105-c may receive, from the target NTN network entity 105-b, a request for the UE context information 210. The proxy network entity 105-c may transmit the context information 210-b in response to receiving the request.

[0094] The target NTN network entity 105-b may accordingly perform the security key derivation 230-b and integrity check. That is, when the UE 115-a resumes in the cell of the target NTN network entity 105-b, the target NTN network entity 105-b may perform MAC-I verification by comparing a MAC -I received from the UE 115-a with a MAC derived by the target NTN network entity 105-b (e.g., using an authentication key transmitted by the proxy network entity 105-c or the source NTN network entity 105-a). Based on success of the integrity check, the target NTN network entity 105-b may perform the security key derivation 230-b.

[0095] The target NTN network entity 105-b may perform the security key derivation 230-b using one or more prior security keys 215 supplied by the proxy network entity 105-c (e.g., a {KNG-RAN, NCC] pair associated with the source NTN network entity 105-a). That is, the proxy network entity 105-c may transmit an indication of the prior security keys 215 to the target NTN network entity 105-b (e.g., via a reused X2 backhaul signaling message or an inter-node RRC message). The indication may include a parameter which may indicate whether the security keys 215 are new security keys 215 derived by the proxy network entity 105-c or if they are the prior security keys 215 associated with the source NTN network entity 105-a. Additionally, or alternatively, the target NTN network entity 105-b may be configured to assume that the security keys 215 are new security keys 215 derived by the proxy network entity 105-c or if they are the prior security keys 215 associated with the source NTN network entity 105-a.

[0096] In some examples, the proxy network entity 105-c may store pending uplink or downlink data or one or more sequence number (SN) status reports from the source NTN network entity 105-a. The proxy network entity 105-c may forward (e.g., upload) the pending data or status reports to the target NTN network entity 105-b with the context information 210-b. The proxy network entity 105-c may, additionally, or alternatively, buffer new downlink data from the core network (e.g., the AMF 225), and may forward the new downlink data to the target NTN network entity 105-b (e.g., in response to a success indication message from the target NTN network entity 105-b or successful path switch with the core network).

[0097] FIG. 3 shows an example of a process flow 300 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The process flow 300 may implement or may be implemented by aspects of the wireless communications system 100 or the wireless communications system 200. For example, the process flow 300 may include a UE 115 and one or more network entities 105 (e.g., a target NTN network entity 105-d, a proxy network entity 105-e, and a source network entity 105-f), which may be examples of the corresponding devices as described with reference to FIG. 1.

[0098] In the following description of the process flow 300, the operations between the target NTN network entity 105-d, the proxy network entity 105-e, and the sourceNTN network entity 105-f may be transmitted in a different order than the example order shown. Some operations may also be omitted from the process flow 300, and other operations may be added to the process flow 300. Further, although some operations or signaling may be shown to occur at different times for discussion purposes, these operations may actually occur at the same time.

[0099] At 305, the proxy network entity 105-e may receive, from the source NTN network entity 105-f, a first message including context information associated with handover of a UE 115 from the source NTN network entity 105-f to the target NTN network entity 105-d. The context information may include, for example, one or more of UE capability information, UE identifying information, or UE security information.

[0100] The first message may include an indication of one or more security keys associated with the source NTN network entity 105-f (e.g., a {KNG-RAN, NCC} pair) and an indication of an authentication key for an integrity check procedure. In some examples, the proxy network entity 105-e may receive the indication of the one or more security keys associated with the source NTN network entity 105-f or the authentication key via an additional message. The first message, the additional message, or both may be reused X2 messages or inter-node RRC messages. The proxy network entity 105-h may store the context information.

[0101] At 310, the proxy network entity 105-e may perform an integrity check of the UE 115. That is, the proxy network entity 105-e may receive, from the UE 115 or from the target NTN network entity 105-d, an indication of a MAC-I associated with the UE 115. The proxy network entity 105-e may derive an additional MAC using the authentication key and may compare the MAC-I with the additional MAC to verify the MAC-I.

[0102] In some examples, at 315, the proxy network entity 105-e may derive one or more new security keys. That is, based on success of the integrity check, the network entity 105-e may derive a {KNG-RAN*, NCC} pair using the {KNG-RAN, NCC} pair associated with the source NTN network entity 105-f and the context information.

[0103] At 320, the proxy network entity 105-e may transmit a second message including the context information to the target NTN network entity 105-d. For example, the proxy network entity 105-e may transmit the second message in response toreceiving a request from the target NTN network entity 105-d. The second message may be, for example, a reused X2 message or an inter-node RRC message.

[0104] In some examples, at 325, the proxy network entity 105-e may transmit, to the target NTN network entity 105-d, an indication of one or more security keys. For example, the proxy network entity 105-e may transmit an indication of the security keys associated with the source NTN network entity 105-f (e.g., the {KNG-RAN, NCC} pair). Additionally, or alternatively, the proxy network entity 105-e may transmit an indication of the one or more new security keys derived by the proxy network entity 105-e (e.g., the {KNG-RAN*, NCC} pair). The indication may further include a parameter which indicates whether the one or more security keys are the security keys associated with the source NTN network entity 105-f or the one or more new security keys. In some examples, the target NTN network entity 105-d may be configured to assume the one or more security keys are the security keys associated with the source NTN network entity 105-f or the one or more new security keys. The indication may be, for example, in a reused X2 message or an inter-node RRC message.

[0105] In some examples, at 330, the target NTN network entity 105-d may derive one or more new security keys. For example, the target NTN network entity 105-d may derive the one or more new security keys using the {KNG-RAN, NCC} pair and the context information.

[0106] FIG. 4 shows an example of a process flow 400 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The process flow 400 may implement or may be implemented by aspects of the wireless communications system 100, the wireless communications system 200, or the process flow 300. For example, the process flow 400 may include a UE 115 and one or more network entities 105 (e.g., a target NTN network entity 105-g, a proxy network entity 105-h, and a source NTN network entity 105-i), which may be examples of the corresponding devices as described with reference to FIG. 1.

[0107] In the following description of the process flow 400, the operations between the target NTN network entity 105-g, the proxy network entity 105-h, and the source NTN network entity 105-i may be transmitted in a different order than the example order shown. Some operations may also be omitted from the process flow 400, andother operations may be added to the process flow 400. Further, although some operations or signaling may be shown to occur at different times for discussion purposes, these operations may actually occur at the same time.

[0108] At 405, the proxy network entity 105-h may receive, from the source NTN network entity 105-i, a first message including context information associated with handover of a UE 115 from the source NTN network entity 105-i to the target NTN network entity 105-g. The context information may include, for example, one or more of UE capability information, UE identifying information, or UE security information.

[0109] The first message may include an indication of one or more security keys associated with the source NTN network entity 105-i (e.g., a {KNG-RAN, NCC] pair) and an indication of an authentication key for an integrity check procedure. In some examples, the proxy network entity 105-h may receive the indication of the one or more security keys associated with the source NTN network entity 105-i or the authentication key in an additional message. The first message, the additional message, or both may be reused X2 messages or inter-node RRC messages. The proxy network entity 105-h may store the context information and one or more pending downlink or uplink data messages and one or more SN status reports.

[0110] In some examples, at 410, the proxy network entity 105-e may receive a request message from the target NTN network entity 105-g. The request message may include, for example, a request for the context information. The request message may be a reused X2 message or an inter-node RRC message.[OHl] At 415, the proxy network entity 105-h may transmit a second message including the context information to the target NTN network entity 105-g. For example, the proxy network entity 105-h may transmit the second message in response to receiving the request from the target NTN network entity 105-g. The second message may be, for example, a reused X2 message or an inter-node RRC message. The second message may include an indication of the authentication key. The proxy network entity 105-h may forward the one or more pending downlink or uplink data messages and the one or more SN status reports to the target NTN network entity 105-g in the second message.

[0112] In some examples, at 420, the proxy network entity 105-h may transmit, to the target NTN network entity 105-g, an indication of one or more security keys. For example, the proxy network entity 105-h may transmit an indication of the security keys associated with the source NTN network entity 105-i (e.g., the {KNG-RAN, NCC} pair). The indication may further include a parameter which indicates whether the one or more security keys are the security keys associated with the source NTN network entity 105-i or one or more new security keys. In some examples, the target NTN network entity 105-g may be configured to assume the one or more security keys are the security keys associated with the source NTN network entity 105-i or the one or more new security keys. The indication may be, for example, in a reused X2 message or an inter-node RRC message.

[0113] At 425, the target NTN network entity 105-g may perform an integrity check of the UE 115. That is, the target NTN network entity 105-g may receive, from the UE 115 or from the proxy network entity 105-h, an indication of a MAC -I associated with the UE 115. The proxy network entity 105-e may derive an additional MAC using the authentication key and may compare the MAC-I with the additional MAC to verify the MAC-I.

[0114] In some examples, at 430, the target NTN network entity 105-g may derive one or more new security keys. That is, based on success of the integrity check, the target NTN network entity 105-g may derive a {KNG-RAN*, NCC} pair using the {KNG-RAN, NCC} pair associated with the source NTN network entity 105-f and the context information.

[0115] In some examples, at 435, the target NTN network entity 105-g may transmit, to the proxy network entity 105-h, an indication of success of the handover procedure, integrity check, security key derivation, or some combination thereof. The success indication message may be, for example, a reused X2 message or an inter-node RRC message.

[0116] In some examples, at 440, the proxy network entity 105-h may transmit, to the target NTN network entity 105-g, one or more pending downlink data messages for the UE 115. For example, the proxy network entity 105-h may transmit the one or morepending downlink data messages in response to receiving the success indication message or in response to successful path switch with a core network (e.g., an AMF).

[0117] FIG. 5 shows a block diagram 500 of a device 505 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The device 505 may be an example of aspects of a network entity 105 as described herein. The device 505 may include a receiver 510, a transmitter 515, and a communications manager 520. The device 505, or one or more components of the device 505 (e.g., the receiver 510, the transmitter 515, and the communications manager 520), may include at least one processor, which may be coupled with at least one memory, to, individually or collectively, support or enable the described techniques. Each of these components may be in communication with one another (e.g., via one or more buses).

[0118] The receiver 510 may provide a means for obtaining (e.g., receiving, determining, identifying) information such as user data, control information, or any combination thereof (e.g., I / Q samples, symbols, packets, protocol data units, service data units) associated with various channels (e.g., control channels, data channels, information channels, channels associated with a protocol stack). Information may be passed on to other components of the device 505. In some examples, the receiver 510 may support obtaining information by receiving signals via one or more antennas. Additionally, or alternatively, the receiver 510 may support obtaining information by receiving signals via one or more wired (e.g., electrical, fiber optic) interfaces, wireless interfaces, or any combination thereof.

[0119] The transmitter 515 may provide a means for outputting (e.g., transmitting, providing, conveying, sending) information generated by other components of the device 505. For example, the transmitter 515 may output information such as user data, control information, or any combination thereof (e.g., I / Q samples, symbols, packets, protocol data units, service data units) associated with various channels (e.g., control channels, data channels, information channels, channels associated with a protocol stack). In some examples, the transmitter 515 may support outputting information by transmitting signals via one or more antennas. Additionally, or alternatively, the transmitter 515 may support outputting information by transmitting signals via one or more wired (e.g., electrical, fiber optic) interfaces, wireless interfaces, or anycombination thereof. In some examples, the transmitter 515 and the receiver 510 may be co-located in a transceiver, which may include or be coupled with a modem.

[0120] The communications manager 520, the receiver 510, the transmitter 515, or various combinations thereof or various components thereof may be examples of means for performing various aspects of security techniques for NTNs with regenerative payloads as described herein. For example, the communications manager 520, the receiver 510, the transmitter 515, or various combinations or components thereof may be capable of performing one or more of the functions described herein.

[0121] In some examples, the communications manager 520, the receiver 510, the transmitter 515, or various combinations or components thereof may be implemented in hardware (e.g., in communications management circuitry). The hardware may include at least one of a processor, a DSP, a CPU, an ASIC, an FPGA or other programmable logic device, a microcontroller, discrete gate or transistor logic, discrete hardware components, or any combination thereof configured as or otherwise supporting, individually or collectively, a means for performing the functions described in the present disclosure. In some examples, at least one processor and at least one memory coupled with the at least one processor may be configured to perform one or more of the functions described herein (e.g., by one or more processors, individually or collectively, executing instructions stored in the at least one memory).

[0122] Additionally, or alternatively, the communications manager 520, the receiver 510, the transmitter 515, or various combinations or components thereof may be implemented in code (e.g., as communications management software or firmware) executed by at least one processor. If implemented in code executed by at least one processor, the functions of the communications manager 520, the receiver 510, the transmitter 515, or various combinations or components thereof may be performed by a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, a microcontroller, or any combination of these or other programmable logic devices (e.g., configured as or otherwise supporting, individually or collectively, a means for performing the functions described in the present disclosure).

[0123] In some examples, the communications manager 520 may be configured to perform various operations (e.g., receiving, obtaining, monitoring, outputting,transmitting) using or otherwise in cooperation with the receiver 510, the transmitter 515, or both. For example, the communications manager 520 may receive information from the receiver 510, send information to the transmitter 515, or be integrated in combination with the receiver 510, the transmitter 515, or both to obtain information, output information, or perform various other operations as described herein.

[0124] The communications manager 520 may support wireless communications in accordance with examples as disclosed herein. For example, the communications manager 520 is capable of, configured to, or operable to support a means for receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The communications manager 520 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The communications manager 520 is capable of, configured to, or operable to support a means for transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0125] Additionally, or alternatively, the communications manager 520 may support wireless communications in accordance with examples as disclosed herein. For example, the communications manager 520 is capable of, configured to, or operable to support a means for receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The communications manager 520 is capable of, configured to, or operable to support a means for receiving a second message indicating a MAC associated with the UE. The communications manager 520 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The communications manager 520 is capable of, configured to, or operable to support a means for deriving one or more security keys associated with handover of the UE basedon verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0126] By including or configuring the communications manager 520 in accordance with examples as described herein, the device 505 (e.g., at least one processor controlling or otherwise coupled with the receiver 510, the transmitter 515, the communications manager 520, or a combination thereof) may support techniques for security procedures in regenerative payload NTNs, which may allow for reduced processing.

[0127] FIG. 6 shows a block diagram 600 of a device 605 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The device 605 may be an example of aspects of a device 505 or a network entity 105 as described herein. The device 605 may include a receiver 610, a transmitter 615, and a communications manager 620. The device 605, or one or more components of the device 605 (e.g., the receiver 610, the transmitter 615, and the communications manager 620), may include at least one processor, which may be coupled with at least one memory, to support the described techniques. Each of these components may be in communication with one another (e.g., via one or more buses).

[0128] The receiver 610 may provide a means for obtaining (e.g., receiving, determining, identifying) information such as user data, control information, or any combination thereof (e.g., I / Q samples, symbols, packets, protocol data units, service data units) associated with various channels (e.g., control channels, data channels, information channels, channels associated with a protocol stack). Information may be passed on to other components of the device 605. In some examples, the receiver 610 may support obtaining information by receiving signals via one or more antennas. Additionally, or alternatively, the receiver 610 may support obtaining information by receiving signals via one or more wired (e.g., electrical, fiber optic) interfaces, wireless interfaces, or any combination thereof.

[0129] The transmitter 615 may provide a means for outputting (e.g., transmitting, providing, conveying, sending) information generated by other components of the device 605. For example, the transmitter 615 may output information such as user data, control information, or any combination thereof (e.g., I / Q samples, symbols, packets,protocol data units, service data units) associated with various channels (e.g., control channels, data channels, information channels, channels associated with a protocol stack). In some examples, the transmitter 615 may support outputting information by transmitting signals via one or more antennas. Additionally, or alternatively, the transmitter 615 may support outputting information by transmitting signals via one or more wired (e.g., electrical, fiber optic) interfaces, wireless interfaces, or any combination thereof. In some examples, the transmitter 615 and the receiver 610 may be co-located in a transceiver, which may include or be coupled with a modem.

[0130] The device 605, or various components thereof, may be an example of means for performing various aspects of security techniques for NTNs with regenerative payloads as described herein. For example, the communications manager 620 may include a context information reception manager 625, an integrity check performance manager 630, a context information transmission manager 635, a MAC reception manager 640, a security key derivation manager 645, or any combination thereof. The communications manager 620 may be an example of aspects of a communications manager 520 as described herein. In some examples, the communications manager 620, or various components thereof, may be configured to perform various operations (e.g., receiving, obtaining, monitoring, outputting, transmitting) using or otherwise in cooperation with the receiver 610, the transmitter 615, or both. For example, the communications manager 620 may receive information from the receiver 610, send information to the transmitter 615, or be integrated in combination with the receiver 610, the transmitter 615, or both to obtain information, output information, or perform various other operations as described herein.

[0131] The communications manager 620 may support wireless communications in accordance with examples as disclosed herein. The context information reception manager 625 is capable of, configured to, or operable to support a means for receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The integrity check performance manager 630 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context informationassociated with the UE in accordance with an authentication key. The context information transmission manager 635 is capable of, configured to, or operable to support a means for transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0132] Additionally, or alternatively, the communications manager 620 may support wireless communications in accordance with examples as disclosed herein. The context information reception manager 625 is capable of, configured to, or operable to support a means for receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The MAC reception manager 640 is capable of, configured to, or operable to support a means for receiving a second message indicating a MAC associated with the UE. The integrity check performance manager 630 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The security key derivation manager 645 is capable of, configured to, or operable to support a means for deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0133] FIG. 7 shows a block diagram 700 of a communications manager 720 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The communications manager 720 may be an example of aspects of a communications manager 520, a communications manager 620, or both, as described herein. The communications manager 720, or various components thereof, may be an example of means for performing various aspects of security techniques for NTNs with regenerative payloads as described herein. For example, the communications manager 720 may include a context information reception manager 725, an integrity check performance manager 730, a context information transmission manager 735, a MAC reception manager 740, a security key derivation manager 745, a security key transmission manager 750, an authentication keyreception manager 755, a context information storage manager 760, a context information request manager 765, a security key reception manager 770, a success message transmission manager 775, a data message reception manager 780, a MAC derivation manager 785, a MAC comparison manager 790, or any combination thereof. Each of these components, or components or subcomponents thereof (e.g., one or more processors, one or more memories), may communicate, directly or indirectly, with one another (e.g., via one or more buses) which may include communications within a protocol layer of a protocol stack, communications associated with a logical channel of a protocol stack (e.g., between protocol layers of a protocol stack, within a device, component, or virtualized component associated with a network entity 105, between devices, components, or virtualized components associated with a network entity 105), or any combination thereof.

[0134] The communications manager 720 may support wireless communications in accordance with examples as disclosed herein. The context information reception manager 725 is capable of, configured to, or operable to support a means for receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The integrity check performance manager 730 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The context information transmission manager 735 is capable of, configured to, or operable to support a means for transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0135] In some examples, the security key transmission manager 750 is capable of, configured to, or operable to support a means for transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity.

[0136] In some examples, the one or more security keys associated with handover of the UE include one or more new security keys derived by the proxy network entity.

[0137] In some examples, the one or more security keys associated with handover of the UE include one or more security keys associated with the first NTN network entity.

[0138] In some examples, to support transmitting the indication, the security key transmission manager 750 is capable of, configured to, or operable to support a means for transmitting an indication of whether the one or more security keys associated with handover of the UE are one or more security keys derived by the proxy network entity or if the one or more security keys associated with handover of the UE are one or more security keys associated with the first NTN network entity.

[0139] In some examples, one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

[0140] In some examples, the indication is transmitted via an inter-node radio resource control message.

[0141] In some examples, the MAC reception manager 740 is capable of, configured to, or operable to support a means for receiving, from the UE or from the second NTN network entity, an indication of the MAC associated with the UE.

[0142] In some examples, the authentication key reception manager 755 is capable of, configured to, or operable to support a means for receiving, from the first NTN network entity, an indication of the authentication key.

[0143] In some examples, to support performing the integrity check for the handover procedure, the MAC derivation manager 785 is capable of, configured to, or operable to support a means for deriving a second MAC based on the authentication key. In some examples, to support performing the integrity check for the handover procedure, the MAC comparison manager 790 is capable of, configured to, or operable to support a means for comparing the MAC associated with the UE with the second MAC.

[0144] In some examples, the context information storage manager 760 is capable of, configured to, or operable to support a means for storing the context information associated with the UE.

[0145] Additionally, or alternatively, the communications manager 720 may support wireless communications in accordance with examples as disclosed herein. In some examples, the context information reception manager 725 is capable of, configured to, or operable to support a means for receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The MAC reception manager 740 is capable of, configured to, or operable to support a means for receiving a second message indicating a MAC associated with the UE. In some examples, the integrity check performance manager 730 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The security key derivation manager 745 is capable of, configured to, or operable to support a means for deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0146] In some examples, the context information request manager 765 is capable of, configured to, or operable to support a means for transmitting, to the proxy network entity, a request for the context information associated with the UE.

[0147] In some examples, the security key reception manager 770 is capable of, configured to, or operable to support a means for receiving, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity.

[0148] In some examples, the indication includes an indication of whether the one or more additional security keys associated with the second NTN network entity are one or more security keys generated by the proxy network entity. In some examples, the first NTN network entity derives the one or more security keys based on the indication.

[0149] In some examples, one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

[0150] In some examples, the indication is received via an inter-node radio resource control message.

[0151] In some examples, the first message further includes pending uplink data, pending downlink data, one or more status reports, or a combination thereof.

[0152] In some examples, the success message transmission manager 775 is capable of, configured to, or operable to support a means for transmitting, to the proxy network entity, a success message that indicates a success of the handover procedure. In some examples, the data message reception manager 780 is capable of, configured to, or operable to support a means for receiving, from a core network via the proxy network entity, one or more downlink data messages based on the success message.

[0153] In some examples, to support receiving the second message, the MAC reception manager 740 is capable of, configured to, or operable to support a means for receiving the second message from the UE or from the proxy network entity.

[0154] In some examples, the authentication key reception manager 755 is capable of, configured to, or operable to support a means for receiving, from the proxy network entity, an indication of the authentication key.

[0155] In some examples, to support performing the integrity check for the handover procedure, the MAC derivation manager 785 is capable of, configured to, or operable to support a means for deriving a second MAC based on the authentication key. In some examples, to support performing the integrity check for the handover procedure, the MAC comparison manager 790 is capable of, configured to, or operable to support a means for comparing the MAC associated with the UE with the second MAC.

[0156] FIG. 8 shows a diagram of a system 800 including a device 805 that supports security techniques for NTNs with regenerative payloads in accordance with one or more aspects of the present disclosure. The device 805 may be an example of or include the components of a device 505, a device 605, or a network entity 105 as described herein. The device 805 may communicate with one or more network entities 105, one or more UEs 115, or any combination thereof, which may include communications over one or more wired interfaces, over one or more wireless interfaces, or any combination thereof. The device 805 may include components that support outputting and obtaining communications, such as a communications manager 820, a transceiver 810, an antenna 815, at least one memory 825, code 830, and at leastone processor 835. These components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more buses (e.g., a bus 840).

[0157] The transceiver 810 may support bi-directional communications via wired links, wireless links, or both as described herein. In some examples, the transceiver 810 may include a wired transceiver and may communicate bi-directionally with another wired transceiver. Additionally, or alternatively, in some examples, the transceiver 810 may include a wireless transceiver and may communicate bi-directionally with another wireless transceiver. In some examples, the device 805 may include one or more antennas 815, which may be capable of transmitting or receiving wireless transmissions (e.g., concurrently). The transceiver 810 may also include a modem to modulate signals, to provide the modulated signals for transmission (e.g., by one or more antennas 815, by a wired transmitter), to receive modulated signals (e.g., from one or more antennas 815, from a wired receiver), and to demodulate signals. In some implementations, the transceiver 810 may include one or more interfaces, such as one or more interfaces coupled with the one or more antennas 815 that are configured to support various receiving or obtaining operations, or one or more interfaces coupled with the one or more antennas 815 that are configured to support various transmitting or outputting operations, or a combination thereof. In some implementations, the transceiver 810 may include or be configured for coupling with one or more processors or one or more memory components that are operable to perform or support operations based on received or obtained information or signals, or to generate information or other signals for transmission or other outputting, or any combination thereof. In some implementations, the transceiver 810, or the transceiver 810 and the one or more antennas 815, or the transceiver 810 and the one or more antennas 815 and one or more processors or one or more memory components (e.g., the at least one processor 835, the at least one memory 825, or both), may be included in a chip or chip assembly that is installed in the device 805. In some examples, the transceiver 810 may be operable to support communications via one or more communications links (e.g., a communication link 125, a backhaul communication link 120, a midhaul communication link 162, a fronthaul communication link 168).

[0158] The at least one memory 825 may include RAM, ROM, or any combination thereof. The at least one memory 825 may store computer-readable, computerexecutable code 830 including instructions that, when executed by one or more of the at least one processor 835, cause the device 805 to perform various functions described herein. The code 830 may be stored in a non-transitory computer-readable medium such as system memory or another type of memory. In some cases, the code 830 may not be directly executable by a processor of the at least one processor 835 but may cause a computer (e.g., when compiled and executed) to perform functions described herein. In some cases, the at least one memory 825 may contain, among other things, a BIOS which may control basic hardware or software operation such as the interaction with peripheral components or devices. In some examples, the at least one processor 835 may include multiple processors and the at least one memory 825 may include multiple memories. One or more of the multiple processors may be coupled with one or more of the multiple memories which may, individually or collectively, be configured to perform various functions herein (for example, as part of a processing system).

[0159] The at least one processor 835 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, an ASIC, a CPU, an FPGA, a microcontroller, a programmable logic device, discrete gate or transistor logic, a discrete hardware component, or any combination thereof). In some cases, the at least one processor 835 may be configured to operate a memory array using a memory controller. In some other cases, a memory controller may be integrated into one or more of the at least one processor 835. The at least one processor 835 may be configured to execute computer-readable instructions stored in a memory (e.g., one or more of the at least one memory 825) to cause the device 805 to perform various functions (e.g., functions or tasks supporting security techniques for NTNs with regenerative payloads). For example, the device 805 or a component of the device 805 may include at least one processor 835 and at least one memory 825 coupled with one or more of the at least one processor 835, the at least one processor 835 and the at least one memory 825 configured to perform various functions described herein. The at least one processor 835 may be an example of a cloud-computing platform (e.g., one or more physical nodes and supporting software such as operating systems, virtual machines, or container instances) that may host the functions (e.g., by executing code 830) to perform thefunctions of the device 805. The at least one processor 835 may be any one or more suitable processors capable of executing scripts or instructions of one or more software programs stored in the device 805 (such as within one or more of the at least one memory 825). In some implementations, the at least one processor 835 may be a component of a processing system. A processing system may generally refer to a system or series of machines or components that receives inputs and processes the inputs to produce a set of outputs (which may be passed to other systems or components of, for example, the device 805). For example, a processing system of the device 805 may refer to a system including the various other components or subcomponents of the device 805, such as the at least one processor 835, or the transceiver 810, or the communications manager 820, or other components or combinations of components of the device 805. The processing system of the device 805 may interface with other components of the device 805, and may process information received from other components (such as inputs or signals) or output information to other components. For example, a chip or modem of the device 805 may include a processing system and one or more interfaces to output information, or to obtain information, or both. The one or more interfaces may be implemented as or otherwise include a first interface configured to output information and a second interface configured to obtain information, or a same interface configured to output information and to obtain information, among other implementations. In some implementations, the one or more interfaces may refer to an interface between the processing system of the chip or modem and a transmitter, such that the device 805 may transmit information output from the chip or modem.Additionally, or alternatively, in some implementations, the one or more interfaces may refer to an interface between the processing system of the chip or modem and a receiver, such that the device 805 may obtain information or signal inputs, and the information may be passed to the processing system. A person having ordinary skill in the art will readily recognize that a first interface also may obtain information or signal inputs, and a second interface also may output information or signal outputs.

[0160] In some examples, a bus 840 may support communications of (e.g., within) a protocol layer of a protocol stack. In some examples, a bus 840 may support communications associated with a logical channel of a protocol stack (e.g., between protocol layers of a protocol stack), which may include communications performedwithin a component of the device 805, or between different components of the device 805 that may be co-located or located in different locations (e.g., where the device 805 may refer to a system in which one or more of the communications manager 820, the transceiver 810, the at least one memory 825, the code 830, and the at least one processor 835 may be located in one of the different components or divided between different components).

[0161] In some examples, the communications manager 820 may manage aspects of communications with a core network 130 (e.g., via one or more wired or wireless backhaul links). For example, the communications manager 820 may manage the transfer of data communications for client devices, such as one or more UEs 115. In some examples, the communications manager 820 may manage communications with other network entities 105, and may include a controller or scheduler for controlling communications with UEs 115 in cooperation with other network entities 105. In some examples, the communications manager 820 may support an X2 interface within an LTE / LTE-A wireless communications network technology to provide communication between network entities 105.

[0162] The communications manager 820 may support wireless communications in accordance with examples as disclosed herein. For example, the communications manager 820 is capable of, configured to, or operable to support a means for receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The communications manager 820 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The communications manager 820 is capable of, configured to, or operable to support a means for transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check.

[0163] Additionally, or alternatively, the communications manager 820 may support wireless communications in accordance with examples as disclosed herein. For example, the communications manager 820 is capable of, configured to, or operable tosupport a means for receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The communications manager 820 is capable of, configured to, or operable to support a means for receiving a second message indicating a MAC associated with the UE. The communications manager 820 is capable of, configured to, or operable to support a means for performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The communications manager 820 is capable of, configured to, or operable to support a means for deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0164] By including or configuring the communications manager 820 in accordance with examples as described herein, the device 805 may support techniques for security procedures in regenerative payload NTNs, which may allow for improved communication reliability, reduced latency, improved user experience related to reduced processing, reduced power consumption, and improved coordination between devices.

[0165] In some examples, the communications manager 820 may be configured to perform various operations (e.g., receiving, obtaining, monitoring, outputting, transmitting) using or otherwise in cooperation with the transceiver 810, the one or more antennas 815 (e.g., where applicable), or any combination thereof. Although the communications manager 820 is illustrated as a separate component, in some examples, one or more functions described with reference to the communications manager 820 may be supported by or performed by the transceiver 810, one or more of the at least one processor 835, one or more of the at least one memory 825, the code 830, or any combination thereof (for example, by a processing system including at least a portion of the at least one processor 835, the at least one memory 825, the code 830, or any combination thereof). For example, the code 830 may include instructions executable by one or more of the at least one processor 835 to cause the device 805 to perform various aspects of security techniques for NTNs with regenerative payloads as described herein,or the at least one processor 835 and the at least one memory 825 may be otherwise configured to, individually or collectively, perform or support such operations.

[0166] FIG. 9 shows a flowchart illustrating a method 900 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 900 may be implemented by a network entity or its components as described herein. For example, the operations of the method 900 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the described functions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0167] At 905, the method may include receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The operations of block 905 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 905 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0168] At 910, the method may include performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 910 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 910 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0169] At 915, the method may include transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check. The operations of block 915 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 915 may be performed by a context information transmission manager 735 as described with reference to FIG. 7.

[0170] FIG. 10 shows a flowchart illustrating a method 1000 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 1000 may be implemented by a network entity or its components as described herein. For example, the operations of the method 1000 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the described functions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0171] At 1005, the method may include receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The operations of block 1005 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1005 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0172] At 1010, the method may include performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 1010 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1010 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0173] At 1015, the method may include transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check. The operations of block 1015 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1015 may be performed by a context information transmission manager 735 as described with reference to FIG. 7.

[0174] At 1020, the method may include transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity. The operations ofblock 1020 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1020 may be performed by a security key transmission manager 750 as described with reference to FIG. 7.

[0175] FIG. 11 shows a flowchart illustrating a method 1100 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 1100 may be implemented by a network entity or its components as described herein. For example, the operations of the method 1100 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the described functions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0176] At 1105, the method may include receiving, from a first NTN network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity. The operations of block 1105 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1105 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0177] At 1110, the method may include performing an integrity check for the handover procedure based on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 1110 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1110 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0178] At 1115, the method may include transmitting, to the second NTN network entity, a second message indicating the context information based on verification of the UE as a result of the integrity check. The operations of block 1115 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1115 may be performed by a context information transmission manager 735 as described with reference to FIG. 7.

[0179] At 1120, the method may include transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity. The operations of block 1120 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1120 may be performed by a security key transmission manager 750 as described with reference to FIG. 7.

[0180] At 1125, the method may include transmitting an indication of whether the one or more security keys associated with handover of the UE are one or more security keys derived by the proxy network entity or if the one or more security keys associated with handover of the UE are one or more security keys associated with the first NTN network entity. The operations of block 1125 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1125 may be performed by a security key transmission manager 750 as described with reference to FIG. 7.

[0181] FIG. 12 shows a flowchart illustrating a method 1200 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 1200 may be implemented by a network entity or its components as described herein. For example, the operations of the method 1200 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the described functions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0182] At 1205, the method may include receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The operations of block 1205 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1205 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0183] At 1210, the method may include receiving a second message indicating a MAC associated with the UE. The operations of block 1210 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1210 may be performed by a MAC reception manager 740 as described with reference to FIG. 7.

[0184] At 1215, the method may include performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 1215 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1215 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0185] At 1220, the method may include deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE. The operations of block 1220 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1220 may be performed by a security key derivation manager 745 as described with reference to FIG. 7.

[0186] FIG. 13 shows a flowchart illustrating a method 1300 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 1300 may be implemented by a network entity or its components as described herein. For example, the operations of the method 1300 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the described functions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0187] At 1305, the method may include transmitting, to the proxy network entity, a request for the context information associated with the UE. The operations of block 1305 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1305 may be performed by a context information request manager 765 as described with reference to FIG. 7.

[0188] At 1310, the method may include receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The operations of block 1310 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1310 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0189] At 1315, the method may include receiving a second message indicating a MAC associated with the UE. The operations of block 1315 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1315 may be performed by a MAC reception manager 740 as described with reference to FIG. 7.

[0190] At 1320, the method may include performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 1320 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1320 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0191] At 1325, the method may include deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE. The operations of block 1325 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1325 may be performed by a security key derivation manager 745 as described with reference to FIG. 7.

[0192] FIG. 14 shows a flowchart illustrating a method 1400 that supports security techniques for NTNs with regenerative payloads in accordance with aspects of the present disclosure. The operations of the method 1400 may be implemented by a network entity or its components as described herein. For example, the operations of the method 1400 may be performed by a network entity as described with reference to FIGs. 1 through 8. In some examples, a network entity may execute a set of instructions to control the functional elements of the network entity to perform the describedfunctions. Additionally, or alternatively, the network entity may perform aspects of the described functions using special-purpose hardware.

[0193] At 1405, the method may include receiving, from a proxy network entity, a first message indicating context information associated with a UE, where the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity. The operations of block 1405 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1405 may be performed by a context information reception manager 725 as described with reference to FIG. 7.

[0194] At 1410, the method may include receiving a second message indicating a MAC associated with the UE. The operations of block 1410 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1410 may be performed by a MAC reception manager 740 as described with reference to FIG. 7.

[0195] At 1415, the method may include performing an integrity check for the handover procedure based on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key. The operations of block 1415 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1415 may be performed by an integrity check performance manager 730 as described with reference to FIG. 7.

[0196] At 1420, the method may include receiving, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity. The operations of block 1420 may be performed in accordance with examples as disclosed herein. In some examples, aspects of the operations of 1420 may be performed by a security key reception manager 770 as described with reference to FIG. 7.

[0197] At 1425, the method may include deriving one or more security keys associated with handover of the UE based on verification of the UE as a result of the integrity check and on the context information associated with the UE. The operations of block 1425 may be performed in accordance with examples as disclosed herein. Insome examples, aspects of the operations of 1425 may be performed by a security key derivation manager 745 as described with reference to FIG. 7.

[0198] The following provides an overview of aspects of the present disclosure:

[0199] Aspect 1 : A method for wireless communications by a proxy network entity, comprising: receiving, from a first NTN network entity, a first message indicating context information associated with a UE, wherein the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity; performing an integrity check for the handover procedure based at least in part on a MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key; and transmitting, to the second NTN network entity, a second message indicating the context information based at least in part on verification of the UE as a result of the integrity check.

[0200] Aspect 2: The method of aspect 1, further comprising: transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity.

[0201] Aspect 3 : The method of aspect 2, wherein the one or more security keys associated with handover of the UE comprise one or more new security keys derived by the proxy network entity.

[0202] Aspect 4: The method of aspect 2, wherein the one or more security keys associated with handover of the UE comprise one or more security keys associated with the first NTN network entity.

[0203] Aspect 5 : The method of any of aspects 2 through 4, wherein transmitting the indication comprises: transmitting an indication of whether the one or more security keys associated with handover of the UE are one or more security keys derived by the proxy network entity or if the one or more security keys associated with handover of the UE are one or more security keys associated with the first NTN network entity.

[0204] Aspect 6: The method of any of aspects 2 through 5, wherein one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

[0205] Aspect 7: The method of any of aspects 2 through 6, wherein the indication is transmitted via an inter-node RRC message.

[0206] Aspect 8: The method of any of aspects 1 through 7, further comprising: receiving, from the UE or from the second NTN network entity, an indication of the MAC associated with the UE.

[0207] Aspect 9: The method of any of aspects 1 through 8, further comprising: receiving, from the first NTN network entity, an indication of the authentication key.

[0208] Aspect 10: The method of aspect 9, wherein performing the integrity check for the handover procedure comprises: deriving a second MAC based at least in part on the authentication key; and comparing the MAC associated with the UE with the second MAC.

[0209] Aspect 11 : The method of any of aspects 1 through 10, further comprising: storing the context information associated with the UE.

[0210] Aspect 12: A method for wireless communications by a first NTN network entity, comprising: receiving, from a proxy network entity, a first message indicating context information associated with a UE, wherein the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity; receiving a second message indicating a MAC associated with the UE; performing an integrity check for the handover procedure based at least in part on the MAC associated with the UE and on the context information associated with the UE in accordance with an authentication key; and deriving one or more security keys associated with handover of the UE based at least in part on verification of the UE as a result of the integrity check and on the context information associated with the UE.

[0211] Aspect 13: The method of aspect 12, further comprising: transmitting, to the proxy network entity, a request for the context information associated with the UE.

[0212] Aspect 14: The method of any of aspects 12 through 13, further comprising: receiving, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity.

[0213] Aspect 15: The method of aspect 14, wherein the indication comprises an indication of whether the one or more additional security keys associated with thesecond NTN network entity are one or more security keys generated by the proxy network entity, the first NTN network entity derives the one or more security keys based at least in part on the indication.

[0214] Aspect 16: The method of any of aspects 14 through 15, wherein one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

[0215] Aspect 17: The method of any of aspects 14 through 16, wherein the indication is received via an inter-node RRC message.

[0216] Aspect 18: The method of any of aspects 12 through 17, wherein the first message further comprises pending uplink data, pending downlink data, one or more status reports, or a combination thereof.

[0217] Aspect 19: The method of any of aspects 12 through 18, further comprising: transmitting, to the proxy network entity, a success message that indicates a success of the handover procedure; and receiving, from a core network via the proxy network entity, one or more downlink data messages based at least in part on the success message.

[0218] Aspect 20: The method of any of aspects 12 through 19, wherein receiving the second message comprises: receiving the second message from the UE or from the proxy network entity.

[0219] Aspect 21 : The method of any of aspects 12 through 20, further comprising: receiving, from the proxy network entity, an indication of the authentication key.

[0220] Aspect 22: The method of aspect 21, wherein performing the integrity check for the handover procedure comprises: deriving a second MAC based at least in part on the authentication key; and comparing the MAC associated with the UE with the second MAC.

[0221] Aspect 23 : A proxy network entity for wireless communications, comprising one or more memories storing processor-executable code, and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the proxy network entity to perform a method of any of aspects 1 through 11.

[0222] Aspect 24: A proxy network entity for wireless communications, comprising at least one means for performing a method of any of aspects 1 through 11.

[0223] Aspect 25: A non-transitory computer-readable medium storing code for wireless communications, the code comprising instructions executable by a processor to perform a method of any of aspects 1 through 11.

[0224] Aspect 26: A first NTN network entity for wireless communications, comprising one or more memories storing processor-executable code, and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the first NTN network entity to perform a method of any of aspects 12 through 22.

[0225] Aspect 27: A first NTN network entity for wireless communications, comprising at least one means for performing a method of any of aspects 12 through 22.

[0226] Aspect 28: A non-transitory computer-readable medium storing code for wireless communications, the code comprising instructions executable by a processor to perform a method of any of aspects 12 through 22.

[0227] It should be noted that the methods described herein describe possible implementations, and that the operations and the steps may be rearranged or otherwise modified and that other implementations are possible. Further, aspects from two or more of the methods may be combined.

[0228] Although aspects of an LTE, LTE-A, LTE-A Pro, or NR system may be described for purposes of example, and LTE, LTE-A, LTE-A Pro, or NR terminology may be used in much of the description, the techniques described herein are applicable beyond LTE, LTE-A, LTE-A Pro, or NR networks. For example, the described techniques may be applicable to various other wireless communications systems such as Ultra Mobile Broadband (UMB), Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM, as well as other systems and radio technologies not explicitly mentioned herein.

[0229] Information and signals described herein may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referencedthroughout the description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.

[0230] The various illustrative blocks and components described in connection with the disclosure herein may be implemented or performed using a general-purpose processor, a DSP, an ASIC, a CPU, an FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor but, in the alternative, the processor may be any processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices (e.g., a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration). Any functions or operations described herein as being capable of being performed by a processor may be performed by multiple processors that, individually or collectively, are capable of performing the described functions or operations.

[0231] The functions described herein may be implemented using hardware, software executed by a processor, firmware, or any combination thereof. If implemented using software executed by a processor, the functions may be stored as or transmitted using one or more instructions or code of a computer-readable medium. Other examples and implementations are within the scope of the disclosure and appended claims. For example, due to the nature of software, functions described herein may be implemented using software executed by a processor, hardware, firmware, hardwiring, or combinations of any of these. Features implementing functions may also be physically located at various positions, including being distributed such that portions of functions are implemented at different physical locations.

[0232] Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer. By way of example, and not limitation, non-transitory computer-readable media may include RAM, ROM, electrically erasable programmable ROM (EEPROM),flash memory, compact disk (CD) ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other non-transitory medium that may be used to carry or store desired program code means in the form of instructions or data structures and that may be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of computer-readable medium. Disk and disc, as used herein, include CD, laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc. Disks may reproduce data magnetically, and discs may reproduce data optically using lasers. Combinations of the above are also included within the scope of computer-readable media. Any functions or operations described herein as being capable of being performed by a memory may be performed by multiple memories that, individually or collectively, are capable of performing the described functions or operations.

[0233] As used herein, including in the claims, “or” as used in a list of items (e.g., a list of items prefaced by a phrase such as “at least one of’ or “one or more of’) indicates an inclusive list such that, for example, a list of at least one of A, B, or C means A or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein, the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on.”

[0234] As used herein, including in the claims, the article “a” before a noun is open- ended and understood to refer to “at least one” of those nouns or “one or more” of those nouns. Thus, the terms “a,” “at least one,” “one or more,” “at least one of one or more” may be interchangeable. For example, if a claim recites “a component” that performs one or more functions, each of the individual functions may be performed by a single component or by any combination of multiple components. Thus, the term “acomponent” having characteristics or performing functions may refer to “at least one of one or more components” having a particular characteristic or performing a particular function. Subsequent reference to a component introduced with the article “a” using the terms “the” or “said” may refer to any or all of the one or more components. For example, a component introduced with the article “a” may be understood to mean “one or more components,” and referring to “the component” subsequently in the claims may be understood to be equivalent to referring to “at least one of the one or more components.” Similarly, subsequent reference to a component introduced as “one or more components” using the terms “the” or “said” may refer to any or all of the one or more components. For example, referring to “the one or more components” subsequently in the claims may be understood to be equivalent to referring to “at least one of the one or more components.”

[0235] The term “determine” or “determining” encompasses a variety of actions and, therefore, “determining” can include calculating, computing, processing, deriving, investigating, looking up (such as via looking up in a table, a database or another data structure), ascertaining and the like. Also, “determining” can include receiving (e.g., receiving information), accessing (e.g., accessing data stored in memory) and the like. Also, “determining” can include resolving, obtaining, selecting, choosing, establishing, and other such similar actions.

[0236] In the appended figures, similar components or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label by a dash and a second label that distinguishes among the similar components. If just the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label, or other subsequent reference label.

[0237] The description set forth herein, in connection with the appended drawings, describes example configurations and does not represent all the examples that may be implemented or that are within the scope of the claims. The term “example” used herein means “serving as an example, instance, or illustration,” and not “preferred” or “advantageous over other examples.” The detailed description includes specific details for the purpose of providing an understanding of the described techniques. Thesetechniques, however, may be practiced without these specific details. In some instances, known structures and devices are shown in block diagram form in order to avoid obscuring the concepts of the described examples.

[0238] The description herein is provided to enable a person having ordinary skill in the art to make or use the disclosure. Various modifications to the disclosure will be apparent to a person having ordinary skill in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein but is to be accorded the broadest scope consistent with the principles and novel features disclosed herein.

Claims

CLAIMSWhat is claimed is:

1. A proxy network entity, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the proxy network entity to: receive, from a first non-terrestrial network (NTN) network entity, a first message indicating context information associated with a user equipment (UE), wherein the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity; perform an integrity check for the handover procedure based at least in part on a message authentication code associated with the UE and on the context information associated with the UE in accordance with an authentication key; and transmit, to the second NTN network entity, a second message indicating the context information based at least in part on verification of the UE as a result of the integrity check.

2. The proxy network entity of claim 1, wherein the one or more processors are individually or collectively further operable to execute the code to cause the proxy network entity to: transmit, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity.

3. The proxy network entity of claim 2, wherein the one or more security keys associated with handover of the UE comprise one or more new security keys derived by the proxy network entity.

4. The proxy network entity of claim 2, wherein the one or more security keys associated with handover of the UE comprise one or more security keys associated with the first NTN network entity.

5. The proxy network entity of claim 2, wherein, to transmit the indication, the one or more processors are individually or collectively operable to execute the code to cause the proxy network entity to: transmit an indication of whether the one or more security keys associated with handover of the UE are one or more security keys derived by the proxy network entity or if the one or more security keys associated with handover of the UE are one or more security keys associated with the first NTN network entity.

6. The proxy network entity of claim 2, wherein one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

7. The proxy network entity of claim 2, wherein the indication is transmitted via an inter-node radio resource control message.

8. The proxy network entity of claim 1, wherein the one or more processors are individually or collectively further operable to execute the code to cause the proxy network entity to: receive, from the UE or from the second NTN network entity, an indication of the message authentication code associated with the UE.

9. The proxy network entity of claim 1, wherein the one or more processors are individually or collectively further operable to execute the code to cause the proxy network entity to: receive, from the first NTN network entity, an indication of the authentication key.

10. The proxy network entity of claim 9, wherein, to perform the integrity check for the handover procedure, the one or more processors are individually or collectively operable to execute the code to cause the proxy network entity to: derive a second message authentication code based at least in part on the authentication key; and compare the message authentication code associated with the UE with the second message authentication code.

11. The proxy network entity of claim 1, wherein the one or more processors are individually or collectively further operable to execute the code to cause the proxy network entity to: store the context information associated with the UE.

12. A first non-terrestrial network (NTN) network entity, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the first non-terrestrial network (NTN) network entity to: receive, from a proxy network entity, a first message indicating context information associated with a user equipment (UE), wherein the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity; receive a second message indicating a message authentication code associated with the UE; perform an integrity check for the handover procedure based at least in part on the message authentication code associated with the UE and on the context information associated with the UE in accordance with an authentication key; and derive one or more security keys associated with handover of the UE based at least in part on verification of the UE as a result of the integrity check and on the context information associated with the UE.

13. The first NTN network entity of claim 12, wherein the one or more processors are individually or collectively further operable to execute the code to cause the first NTN network entity to: transmit, to the proxy network entity, a request for the context information associated with the UE.

14. The first NTN network entity of claim 12, wherein the one or more processors are individually or collectively further operable to execute the code to cause the first NTN network entity to:receive, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity.

15. The first NTN network entity of claim 14, wherein the indication comprises an indication of whether the one or more additional security keys associated with the second NTN network entity are one or more security keys generated by the proxy network entity, and wherein the first NTN network entity derives the one or more security keys based at least in part on the indication.

16. The first NTN network entity of claim 14, wherein: one or more of the first message, the second message, or the indication are transmitted via backhaul X2 signaling.

17. The first NTN network entity of claim 14, wherein the indication is received via an inter-node radio resource control message.

18. The first NTN network entity of claim 12, wherein the first message further comprises pending uplink data, pending downlink data, one or more status reports, or a combination thereof.

19. The first NTN network entity of claim 12, wherein the one or more processors are individually or collectively further operable to execute the code to cause the first NTN network entity to: transmit, to the proxy network entity, a success message that indicates a success of the handover procedure; and receive, from a core network via the proxy network entity, one or more downlink data messages based at least in part on the success message.

20. The first NTN network entity of claim 12, wherein, to receive the second message, the one or more processors are individually or collectively operable to execute the code to cause the first NTN network entity to: receive the second message from the UE or from the proxy network entity.

21. The first NTN network entity of claim 12, wherein the one or more processors are individually or collectively further operable to execute the code to cause the first NTN network entity to: receive, from the proxy network entity, an indication of the authentication key.

22. The first NTN network entity of claim 21, wherein, to perform the integrity check for the handover procedure, the one or more processors are individually or collectively operable to execute the code to cause the first NTN network entity to: derive a second message authentication code based at least in part on the authentication key; and compare the message authentication code associated with the UE with the second message authentication code.

23. A method for wireless communications by a proxy network entity, comprising: receiving, from a first non-terrestrial network (NTN) network entity, a first message indicating context information associated with a user equipment (UE), wherein the context information is associated with a handover procedure to handover the UE from the first NTN network entity to a second NTN network entity; performing an integrity check for the handover procedure based at least in part on a message authentication code associated with the UE and on the context information associated with the UE in accordance with an authentication key; and transmitting, to the second NTN network entity, a second message indicating the context information based at least in part on verification of the UE as a result of the integrity check.

24. The method of claim 23, further comprising: transmitting, to the second NTN network entity, an indication of one or more security keys associated with handover of the UE from the first NTN network entity to the second NTN network entity.

25. The method of claim 24, wherein the one or more security keys associated with handover of the UE comprise one or more new security keys derived by the proxy network entity.

26. The method of claim 24, wherein the one or more security keys associated with handover of the UE comprise one or more security keys associated with the first NTN network entity.

27. A method for wireless communications by a first non-terrestrial network (NTN) network entity, comprising: receiving, from a proxy network entity, a first message indicating context information associated with a user equipment (UE), wherein the context information is associated with a handover procedure to handover the UE from a second NTN network entity to the first NTN network entity; receiving a second message indicating a message authentication code associated with the UE; performing an integrity check for the handover procedure based at least in part on the message authentication code associated with the UE and on the context information associated with the UE in accordance with an authentication key; and deriving one or more security keys associated with handover of the UE based at least in part on verification of the UE as a result of the integrity check and on the context information associated with the UE.

28. The method of claim 27, further comprising: transmitting, to the proxy network entity, a request for the context information associated with the UE.

29. The method of claim 27, further comprising: receiving, from the proxy network entity, an indication of one or more additional security keys associated with the second NTN network entity.

30. The method of claim 29, wherein the indication comprises an indication of whether the one or more additional security keys associated with the second NTN network entity are one or more security keys generated by the proxynetwork entity, and wherein the first NTN network entity derives the one or more security keys based at least in part on the indication.