Network-assisted access to secured local data

EP4771805A1Pending Publication Date: 2026-07-08TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Filing Date
2023-08-29
Publication Date
2026-07-08

AI Technical Summary

Technical Problem

There is a challenge in securely limiting where confidential data can be handled, revoking access permissions, and penalizing unauthorized access, especially when the data owner and user are different and GPS coordinates can be easily spoofed.

Method used

A method involving a network node that obtains location information of a user equipment (UE) and determines whether to transmit an access key for secured data based on the UE's location, ensuring secure access and allowing for revocation of access permissions.

Benefits of technology

This solution effectively restricts access to confidential data based on location, enhances security by preventing unauthorized access, and allows for timely revocation of access permissions, thereby protecting sensitive information.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure EP2023073667_06032025_PF_FP_ABST
    Figure EP2023073667_06032025_PF_FP_ABST
Patent Text Reader

Abstract

A method performed by a first network node is provided. The method comprises obtaining location information which indicates a location of a user equipment (UE), and based on the location of the UE, determining whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE. The method further comprises, based on the determination, transmitting the access key to the UE
Need to check novelty before this filing date? Find Prior Art

Description

NETWORK-ASSISTED ACCESS TO SECURED LOCAL DATATECHNICAL FIELD

[0001] This disclosure relates to network-assisted access to secured local data.BACKGROUND

[0002] Non-public Network

[0003] In fifth generation (5G) network technologies, the concept of private 5G networks has been introduced. These private 5G networks are non-public networks (NPN) which can be deployed in different ways.

[0004] For example, an NPN can be deployed without relying on network functions provided by a public land mobile network (PLMN). This NPN is called a standalone NPN (SNPN). SNPN is a standalone 5G network which does not rely on network functions provided by a PLMN but may possibly utilize a radio access network (RAN) of a PLMN. SNPN may be operated by an entity that is not a wireless carrier. One example of such entity is an enterprise.

[0005] In another example, an NPN can be deployed by at least partly utilizing the infrastructure of a PLMN. This NPN is called a public network integrated NPN (PNI-NPN). For PNI-NPN, the subscription credentials are managed by the PLMN. Also PNI-NPN can be deployed as a network slice in the PLMN or as an external data network in which some network functions (NFs) of the NPN can be run. In the latter case, the NFs in the PLMN and the NFs in the external data network may communicate with each other (e.g., performing service-based architecture (SBA)-based communication between the NFs) over a secure connection, e.g., an IPsec tunnel.

[0006] Closed Subscriber Groups (CSG) / Closed Access Groups (CAG)

[0007] CSG, defined in 3GPP Technical Specification (TS) 23.401, is a feature that was defined before 5G, while Closed Access Groups (CAG), defined in 3GPP TS 23.501, is an evolved variant that is defined for 5G. Both provide access control on a cell level, meaning that one can reserve a cell and radio resources to a subset of subscriptions. This can be used, for example, to provide more reliable performance to those subscriptions and isolate their trafficfrom other subscribers’ traffic.

[0008] With CSG which is meant for small cells, one can implement a cell level access control. Those user equipments (UEs) and / or subscriptions that are authorized to access a CSG cell will have a corresponding CSG ID in their subscription information. The CSG ID and / or the subscription information may be available to the UE and stored in the core network (e.g., home subscriber server (HSS)).

[0009] When trying to attach to a network through a CSG cell or to perform a handover to the CSG cell, the network (e.g., mobility management entity (MME)) will verify that the subscription is allowed to use the specific CSG cell and only allow access through that cell for authorized CSG clients. The eNBs may advertise the CSG(s) they support so the UE knows where the UE can and / or cannot try to attach.

[0010] CAG is basically very similar to CSG. The addition introduced with CAG is that it is possible to restrict a UE to only attach to CAG cells, while, with CSG, both CSG cells and non-CSG cells can always be used by the UE / subscription. In 5G, the primary usage of CAG is for limiting access to cells dedicated for NPN use. For example, a factory deploying an NPN may rely on RAN access from a public operator. They might have an agreement that, in a certain factory location, certain cells should be dedicated for NPN use to guarantee radio performance for factory equipments, even in high network load times (e.g., new year, etc.), and to provide isolation for traffic associated with the factory equipments.

[0011] Network Exposure Function (NEF)

[0012] An external application function (AF) can interact with a mobile network operator (MNO) and get information via an NEF.

[0013] The AF can get an AF specific external identifier for UE(s) and / or subscription(s) (e.g., as disclosed in 3GPP TS 23.5024. 15.10 / 4.15.3.2.13), and can later use it to address specific UE(s) with requests via the NEF.

[0014] The AF can subscribe to and / or unsubscribe from events via the NEF. The NEF can be requested to monitor certain event(s) (e.g., as disclosed in 3GPP TS 23.502, 4.15.3.1), and may perform a reporting based on the monitoring of the event(s). One type of the reporting is “Location Reporting,” which can be a one-time reporting or a continuous location reporting. The continuous location reporting may provide information when an access managementfunction (AMF) is made aware of a location change of a UE. In some cases, the AMF can provide a notification when the UE moves in and / or moves out of “Area of Interest” (e.g., see TS 23.502 5.2.2.3.1 / D.1).

[0015] In the location reporting, the granularity of a location can be based on a cell level (e.g., using a cell identifier (ID)) or a tracking area (TA) level. Alternatively or additionally, the granularity of a location may be based on a geodetic shape (e.g., polygons, circles, etc.) and / or civic addresses.SUMMARY

[0016] Certain challenges presently exist. There may be a scenario where an owner of data which is stored in a device may be different from the user of the device. For example, data owned by a company may be stored in a mobile phone owned by an employee of the company. In such scenario, if the stored data contains confidential information, the user’s mishandling of the device may lead to exposure of such confidential information.

[0017] One way to prevent such exposure is limiting where the data can be handled by the user (e.g., accessed by the user). For example, the company may limit such that the stored data can only be handled in a secure environment (e.g., within the company’s premise).

[0018] But the data owner cannot easily and securely limit where the stored data can be handled. For example, even when the user’s access to the confidential data stored in the user’s device is set to be limited based on a GPS coordinate of the user’s device, the GPS coordinate can be easily spoofed. Thus, limiting the user’s access to the confidential data based on the device’s GPS coordinate may not be safe. Also, once the data owner gives the user an access to the data locally stored in the user’s device, it may be difficult for the data owner to block and / or restrict the user’s access to the data at a later stage. Furthermore, in case the user accesses the confidential data without the data owner’s authorization, it may be difficult for the data owner to apply a penalty to the user for the user’s unauthorized access.

[0019] Therefore, there is a need for a way to easily and securely limit where the confidential data can be handled, to revoke the permission to access the confidential data at a later stage, and to apply a penalty to the user in case the user accesses the confidential data without the data owner’s authorization.

[0020] Accordingly, in one aspect of some embodiments, there is provided a methodperformed by a first network node. The method comprises obtaining location information which indicates a location of a user equipment (UE), and based on the location of the UE, determining whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE. The method further comprises, based on the determination, transmitting the access key to the UE.

[0021] In another aspect, there is provided a method performed by a user equipment (UE). The method comprises receiving, from a network node, an access key for accessing secured data stored in at least one memory of the UE, and using the access key, accessing the secured data stored in said at least one memory of the UE, wherein transmission of the access key from the network node to the UE is performed based on a determined location of the UE.

[0022] In a different aspect, there is provided a computer program comprising instructions which when executed by processing circuitry cause the processing circuitry to perform the method of any one of the embodiments described above.

[0023] In a different aspect, there is provided a carrier containing the computer program of the above embodiment, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, and a computer readable storage medium.

[0024] In a different aspect, there is provided a first network node. The first network node is configured to obtain location information which indicates a location of a user equipment (UE). The first network node is further configured to, based on the location of the UE, determine whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE. The first network node is further configured to, based on the determination, transmit the access key to the UE.

[0025] In a different aspect, there is provided a user equipment, UE. The UE is configured to receive, from a network node, an access key for accessing secured data stored in at least one memory of the UE; and using the access key, access the secured data stored in said at least one memory of the UE, wherein transmission of the access key from the network node to the UE is performed based on a determined location of the UE.

[0026] In a different aspect, there is provided an apparatus comprising a processing circuitry; and a memory, said memory containing instructions executable by said processing circuitry, whereby the apparatus is operative to perform the method of any one of the above embodiments.

[0027] In some embodiments of this disclosure, where confidential / sensitive data can be handled may be restricted based on location information obtainable from a wireless network connected to the device, thereby making it more difficult for the user to extract the confidential / sensitive data without the data owner’s authorization. Also some embodiments of this disclosure allow the data owner to detect the user’s non-compliance (e.g., the user’s continued unauthorized access to the confidential / sensitive data even after the data owner requested the user to stop accessing the data), to request for the user’s compliance, and to limit the user’s unauthorized access after the user’s non-compliance. Additionally, by providing a trusted component within the UE, in some embodiments, other components of the UE don’t have to be trusted as long as the integrity of the trusted component is intact.BRIEF DESCRIPTION OF THE DRAWINGS

[0028] The accompanying drawings, which are incorporated herein and form part of the specification, illustrate various embodiments.

[0029] FIG. 1 shows a system according to some embodiments.

[0030] FIG. 2 shows a user equipment (UE) according to some embodiments.

[0031] FIG. 3 shows a process according to some embodiments.

[0032] FIG. 4 shows a process according to some embodiments.

[0033] FIG. 5 shows a process according to some embodiments.

[0034] FIG. 6 shows an apparatus according to some embodiments.

[0035] FIG. 7 shows an apparatus according to some embodiments.DETAILED DESCRIPTION

[0036] FIG. 1 shows a system 100 according to some embodiments. The system 100 may comprise a base station (e.g., gNB, eNB, a WiFi router, etc.) 104 providing networks for areas 112, 114, and 116, and a base station 106 providing a network for area 118. Each of the areas 112-118 may correspond to a different geographical area and / or a different cell area. In case each of the areas 112-118 corresponds to a different cell area, each area may be associated witha different cell identifier (ID). Note that the numbers of the entities (e.g., the base stations, the areas, the UEs, the network nodes, etc.) shown in FIG. 1 are provided just for simple explanation purpose, and do not limit the embodiments of this disclosure in any way.

[0037] As mentioned above, in the embodiments shown in FIG. 1, the base station 104 may provide networks for all three areas 112-116, and the base station 106 may provide a network for the area 118. But, in different embodiments, a different base station may be used to provide a network for each of the areas 112-118. In this disclosure, a base station may be broadly referred as a network node.

[0038] In one exemplary scenario, the base station 104 may provide a network for a certain company. More specifically, the base station 104 may be configured to provide a network for the employees’ UEs (e.g., a UE 102) located within the company’s premises 120. In this exemplary scenario, the areas 112-116 may be included within the company’s premises 120 while the area 118 is located outside the company’s premises 120.

[0039] As shown in FIG. 2, according to some embodiments, the UE 102 may include one or more memories (hereinafter “UE memory”) 204 and an access management component (AMC) 202. The UE memory 204 may be configured to store secured data (e.g., locked data), and the AMC 202 may be configured to store a security key (e.g., a private key of the AMC 202) and control handling of the secured data (e.g., controlling access to the secured data). In the above exemplary scenario where the UE 102 is owned by an employee of the company, the secured data may be the company’s confidential information.

[0040] The data stored in the UE memory 204 may be “secured” in different ways. In one example, the UE 102 may freely access the UE memory 204, but the data stored in the UE memory 204 may be encrypted, thereby “securing” the data. In this example, the UE 102 may access the UE memory 204, retrieve the encrypted data, and then decrypt the encrypted data using an access key, in order to read the data. Similarly, in this example, in order to write data into the UE memory 204, the UE 102 may encrypt, using an access key, data to be written, and then write the encrypted data into the UE memory 204.

[0041] In another example, the data stored in the UE memory 204 may be “secured” by locking the UE memory 204, meaning that the UE 102 cannot freely access the UE memory 204. In this example, in order to access the secured data stored in the UE memory 204, the UE 102 must unlock the locked UE memory 204 first using an access key, and then access the data storedin the UE memory 204. Similarly, in this example, in order to write data into the UE memory 204, the UE 102 must first unlock the locked UE memory 204 using an access key, and then write data into the unlocked UE memory 204.

[0042] In this disclosure, the AMC 202 of the UE 102 may be referred as a “trusted component” because it is entrusted to control handling of the secured data. In some embodiments, the AMC 202 of the UE 102 may include an inline component placed between the UE memory 204 and the controller of the UE memory 204, and the AMC 202 may be configured to encrypt data to be written to the UE memory 204 and / or decrypt data read from the UE memory 204. In other embodiments, the AMC 202 of the UE 102 may include a component responsible for encrypting (locking) and / or decrypting (unlocking) a memory region. In different embodiments, the AMC 202 of the UE 102 may include a memory controller which is configured to authorize accessing the UE memory 204 when it has an access key (e.g., a token) in its register and / or block access to the UE memory 204 when it does not have the access key. In some embodiments, the AMC 202 of the UE 102 may be configured to perform a self-test functionality for determining whether the AMC 202 has been tampered.

[0043] Referring back to the exemplary scenario explained above, in case the secured data is the company’s confidential information, it may be desirable for the company to restrict the employee’s access to the secured data such that the secured data can only be accessed when the UE 102 is in the company’s premises 120. In other words, it may be desirable to restrict the UE 102’s access to the secured data such that the UE 102 can access the secured data only when the UE 102 is in one of the areas 112-116. On the other hand, in case the UE 102 is in the area 108 which is outside the company’s premises 120, it may be desirable for the company not to allow the UE 102 to access the secured data.

[0044] Accordingly, in some embodiments of this disclosure, a process 300 shown in FIG. 3 for managing the UE 102’s access to the secured data is provided. The process 300 may begin with step s302.

[0045] The step s302 comprises the UE 102 successfully connecting to a network provided by the base station 104 within the area 112. The network may be a public network, a non-public network, or may correspond to a closed access group (CAG) cell.

[0046] After successfully connecting to the network, the UE 102 can now request a network node (e.g., the company’s enterprise server) 122 to provide, to the UE 102, an accesskey needed for accessing the secured data stored in the UE memory. Thus, the process 200 may proceed to step s304.

[0047] The step s304 comprises the UE 102 transmitting, to the network node 122, a request for the access key. Such request may be either an explicit request or an implicit request. For example, when the UE 102 tries to access the secured data (e.g., trying to open a secured file or launching a dedicated application used for accessing a secured file), the UE 102 may be triggered to transmit, to the network node 122, an explicit request for the access key.

[0048] In another example, instead of transmitting such explicit request to the network node 122, the UE 102 may simply inform the network node 122 that the UE 102 is now connected to a certain part of the network (e.g., a network within the area 112). More specifically, the UE 102 may transmit, to the network node 122, a notification message indicating that the UE 102 is currently connected to a network within the area 112. In some embodiments, the notification message may include a cell ID identifying a cell corresponding to the area 112. FIG. 3 shows that the request for the access key is transmitted by the UE 102. However, in some embodiments, such request may be transmitted to the network node 122 by a different network entity.

[0049] After performing the step s304, the process 200 may proceed to step s306. The step s306 comprises the network node 122 (e.g., the company’s enterprise server) querying a network node 124 (e.g., a network exposure function (NEF)) for the UE 102’s current location. In one example, the network node 122 may transmit, to the network node 124, a request for location information which indicates the current location of the UE 102.

[0050] In response to receiving the request for the location information, in step s308, the network node 124 may transmit, to the network node 122, the requested location information. There are different ways to indicate the current location of the UE 102 in the location information. In one example, the location information may include a cell ID identifying a cell in which the UE 102 currently resides. There are different ways for the network node 124 to determine the current location of the UE 102. One exemplary way of determining the current location of the UE 102 is by using a triangulation. More specifically, the UE 102 may be configured to receive signals having different strengths from three different base stations belonging to three different cells and report measurements of the strengths of the received signals to the network node 124. Then the network node 124 may analyze the measurements of the strengths of the received signals, thereby triangulating the position of the UE 102.

[0051] Note that, in some embodiments, the request for the access key that the UE 102 transmitted to the network node 122 in step s304 may already include the location information indicating the current location of the UE 102. In such embodiments, the steps s306 and s308 may be skipped. Alternatively, in some embodiments, the steps s306 and s308 may be performed even when the request for the access key that the UE 102 transmitted to the network node 122 includes the location information. In these embodiments, the network node 122 may compare the location information it received from the UE 102 with the location information that it received from the network node 124, and the process 300 may proceed to step s308 only when the location information the network node 122 received from the UE 102 and the location information the network node 122 received from the network node 124 are the same. Alternatively, after performing the step s308, the process 300 may proceed to step s310 only when the location information the network node 122 received from the UE 102 and the location information the network node 122 received from the network node 124 are the same. The rationale here is that in case the location information the network node 122 received from the UE 102 and the location information the network node 122 received from the network node 124 are different, the location information that the UE 102 may be incorrect and the UE 102 may be a malicious UE, and thus the network node 122 may not transmit the access key to the UE 102. In this case, the process 300 may proceed to step s314.

[0052] Upon the network node 122 obtaining the location information, in step s310, the network node 122 may check whether the UE 102 is currently in at least one of the areas where the UE 102 is allowed to access the secured data stored in the UE memory 204. More specifically, in some embodiments, the network node 122 may include one or more memories (hereinafter, “network memory”) storing a list of one or more area IDs identifying areas where the UE 102 is allowed to access the secured data stored in the UE memory 204. For example, the UE 102 is allowed to access the secured data when the UE 102 is in any one or more of the areas 112-116 and, as shown below, a list of cell IDs identifying cells corresponding to the areas 112-116 may be stored in the network memory.

[0053] In this example, in the step s310, the network node 122 may check whether the cellID identifying the current location of the UE is included in the list of cell IDs identifying cells where the UE 102 is allowed access the secured data stored in the UE memory 204.

[0054] In response to determining that the current location of the UE 102 is in any one or more of the areas 112-116 (i.e., in response to determining that, at the current location of the UE 102, the UE 102 is authorized to access the secured data), in step s312, the network node 122 may transmit, to the UE 102, the access key and optionally a value of a freshness parameter, which indicates the freshness of the access key. For example, when the network node 122 transmits, to the UE 102, an access key at time t0, the network node 122 may transmit a value of the freshness parameter FP0. Then when the network node 122 transmits, to the UE 102, an access key at timethat is after the time t0, the network node 122 may transmit a value of the freshness parameter FP . By determining that FP0and FP are different, the UE 102 may determine that the network node 122’s transmission of the second access key is not a retransmission. In one example, the value of the freshness parameter may be a value of a counter which hinders a previously sent message, e.g., containing the access key, to be accepted by the AMC. Alternatively or additionally, the freshness of the access key may indicate how long ago the access key was generated and / or how long ago the access key was transmitted from the network node 122.

[0055] In some embodiments, before transmitting the access key (and optionally the value of the freshness parameter), the network node 122 may encrypt and optionally protect the integrity of the access key (and the value of the freshness parameter), and transmit the encrypted key (and the encrypted value of the freshness parameter) to the UE 102. The network node 122 may encrypt and / or protect the integrity of the access key and / or the value of the freshness parameter using security key(s) (e.g., encryption key(s)). One example of the security key(s) is a public key of the AMC 202 of the UE 102.

[0056] On the other hand, in case the network node 122 determines that the current location of the UE 102 is not in any one of the areas where the UE 102 is allowed to access the secured data, in step s314, the network node 122 may transmit, to the UE 102, a rejection message indicating that the UE 102’s request is rejected or a notification indicating that the UE 102 is not authorized to access the secured data and / or the UE memory of the UE 102. In some embodiments, the network node 122 may choose not to respond to the UE 102 if it is not in any of the areas where the UE 102 is allowed to access the secured data.

[0057] In case the network node 122 transmits the access key to the UE 102 in the step s312, in step s316, the UE 102 may provide the received access key to the AMC 202 of the UE 102. In case the access key is encrypted using an encryption key by the network node 122, the AMC 202 of the UE 102 may decrypt the encrypted access key using a decryption key. In some embodiments, the encryption key and the decryption key are the same. But, in other embodiments, the encryption key and the decryption key are different. For example, the encryption key may be a public key of the AMC 202 while the decryption key may be a private key of the AMC 202. Alternatively or additionally, the AMC 202 of the UE 102 may also check the integrity of the access key and determine whether the integrity of the access key is valid.

[0058] In case the UE 102 received the access key with a value of the freshness parameter in the step s312, in step s316, the UE 102 may also check the value of the freshness parameter and determine whether the access key is fresh. More specifically, in some embodiments, as explained above, the UE 102 may compare the value of the freshness parameter FP0it received from the network node 122 with the previous access key at t=t0to the value of the freshness parameter FP1it received from the network node 122 with the current access key at t=t15and determine that the current access key is fresh only if the value of the freshness parameter FP0and the value of the freshness parameter FP are different. Alternatively, the UE 102 may determine that the current access key is fresh only if the value of the freshness parameter FP1(corresponding to the later received access key) is greater than the value of the freshness parameter FP0(corresponding to the earlier received access key). In a summary, in these embodiments, the value of the freshness parameter must be previously unseen or strictly larger than the last freshness value.

[0059] In different embodiments, the UE 102 may compare the value of the freshness parameter to a threshold value and determine that the access key is fresh (and thus it is okay to use the access key to access the secured data) in case the value of the freshness parameter is less than the threshold value. For example, the value of the freshness parameter may indicate how long ago the access key was transmitted from the network node 122, and the UE 102 may be configured to determine that the access key is fresh only if the value of the freshness parameter is less than a threshold time period.

[0060] After successfully decrypting the access key (and optionally determining that the integrity of the access key is valid, and the access key is fresh) in the step s316, the process 200may proceed to step s318. In the step s318, the AMC 202 of the UE 102 may store the decrypted (and optionally verified) access key into a storage medium (e.g., a memory of a crypto component) and use the access key to access the secured data.

[0061] In one example, in case the data stored in the UE memory is encrypted, the AMC 202 of the UE 102 may access the encrypted data and decrypt the encrypted data using the access key. In another example, in case the UE memory 204 is locked (e.g., encrypted), the AMC 202 of the UE 102 may unlock (e.g., decrypt) the UE memory 204, and access and read the data stored in the unlocked UE memory 204.

[0062] In some embodiments, in addition to accessing the secured data, the UE 102 may write new data in the UE memory 204. In one example, the UE 102 may encrypt the new data and store the encrypted new data in the UE memory 204. In another example, the UE 102 may store the new data in the UE memory 204 and lock (e.g., encrypt) the UE memory 204 after the storing.

[0063] These processes of encrypting, decrypting, locking, and unlocking may be performed seamlessly (e.g., without the process and / or the application requiring the access to the secured data being aware of the occurrences of the processes). Alternatively, the processes of encrypting, decrypting, locking, and unlocking may be performed by configuring the process and / or the application to directly interact with the AMC 202 of the UE 102 and to explicitly request the occurrences of the processes.

[0064] Note that, as mentioned above, once the UE 102 has access to the secured data stored in the UE memory 204 or has a general access to the UE memory 204 (in case the UE memory 204 was locked), the UE 102 may read data stored in the UE memory 204 or write data into the UE memory 204 (which is network-protected). But the UE 102 may not move, from the UE memory 204, data stored in the UE memory 204, or copy data stored in the UE memory 204. For example, the AMC 202 of the UE 102 (or an external memory controller controlling the UE memory 204) may prevent the UE 102’s attempt to move or copy the data stored in the UE memory 204. The AMC may further require other means for the UE 102 to extract the data, e.g., taking screenshots, to be disabled when accessing the data.

[0065] There may be a scenario where, after the UE 102 obtains access to the secured data, in step s320, the UE 102 moves to another area (e.g., the area 108) where the UE is not allowed to access the secured data and / or becomes to be connected (and / or authenticated to) to a differentnetwork at which the UE is not allowed to access the secured data. In such scenario, in step s322, the UE 102 may detect the UE 102’s such movement and / or such connection to a different network, and then, in step s324, the UE 102 may inform the AMC 202 the UE 102’s such movement and / or such connection to the different network.

[0066] Then, in step s326, the AMC 202 of the UE 102 may automatically delete the access key (e.g., from the crypto component). Additionally, the AMC 202 (and / or other component(s) in the UE 102) may notify the network node 122 that the UE 102 has deleted the access key. For example, in step s328, the UE 102 may transmit to the network node 122 a proof-of-removal of the access key. In some embodiments, this proof-of-removal may be encrypted and / or the integrity of the proof-of-removal may be protected using security key(s) (e.g., a private key of the AMC 202 of the UE 102). Alternatively, or additionally, when transmitting the proof-of- removal, the UE 102 may also transmit a value of a freshness parameter, which indicates the freshness of the proof-of removal.

[0067] Upon receiving the proof-of removal and the value of the freshness parameter, the network node 122 may decrypt, using a security key (e.g., the public key of the AMC of the UE 102) the encrypted proof-of removal and the encrypted value of the freshness parameter, check the integrity of the proof-of-removal and the value of the freshness parameter, and / or check the freshness of the proof-of-removal. The way that the network node 122 checks the value of the freshness parameter for the proof-of-removal is similar to the way that the UE 102 checks the value of the freshness parameter for the access key.

[0068] In some embodiments, after the UE 102 moves to a different area and / or becomes connected to a different network, in step s330, the network node 124 may notify the network node 122 that the UE 102 has exited the area where the UE 102 is allowed to access the secured data. In some embodiments, the network node 122 may request the network node 124 to transmit a notification to the network node 122 when the UE 102 exists the area 112 (i.e., the area where the UE 102 is allowed to access the secured data stored in the UE memory).

[0069] Additionally or alternatively, the network node 122 may request the network node 124 to continuously report the current location of the UE 102. Alternatively, the network node 122 may request the network node 124 to report the current location of the UE 102 only when the UE 102 exits the area where the UE 102 is allowed to access the secured data and / or only when the UE 102 enters into the area where the UE 102 is allowed to access the secured data.

[0070] Once the network node 122 receives such notification from the network node 124, the network node 122 would know that it should receive, from the UE 102, the proof-of-removal of the access key. Thus, after receiving the notification from the network node 124, the network node 122 may wait for a predetermined time interval and in case the network node 122 does not receive such proof-of removal from the UE 102 within the predetermined time period, in step s332, the network node 122 may contact the UE 102 and explicitly requests the UE 102 to delete the access key and transmit, to the network node 122, the proof-of removal. In some embodiments, the AMC in the UE may require the UE 102 to continuously report the details of the network it is connected to (e.g., cell ID). Absence of said information for more than a threshold of time, may trigger the AMC to perform the step s326 without any indication received from the network.

[0071] If the UE 102 does not provide the proof-of-removal within the next predefined time period, or if the network node 122 does not accept the freshness parameter and / or integrity protection of the proof-of-removal, or if the UE 102 transmits, to the network node 122, a rejection message indicating the UE 102’s rejection of the network node 122’s request, the network node 122 may mark the UE 102 as a non-compliant UE and take an appropriate action against the UE 102. One example of the action that can be taken against the non-compliant UE is the network node 122 instructing the UE’s home network (e.g., via an NEF) to temporarily block the UE’s access to the network. Note that, even in case that the UE 102’s access to the network is temporarily blocked, the UE 102 may still be allowed to transmit the proof-of- removal to the network node 122. The action against the UE 102 may result in the subscription currently being used to access the network using the UE and / or the International Mobile Subscriber Identity (IMSI) of the UE being blacklisted by the network until compliance have been re-established.

[0072] The following paragraphs summarize the functional requirements of the UE 102 and the network node 122 for performing the process 200.

[0073] Functional Requirements of the UE 102

[0074] Functional Requirements of the network node 122 (e.g., a key enterprise server)

[0075] Protection Against a Malicious UE

[0076] As discussed above, after the UE 102 exits the area where the UE 102 is allowedo access the secured data, the network node 122 may transmit, to the UE 102, a request to deletethe access key. However, there may be a scenario where the UE 102 is a malicious UE, and thus attempts to access the secured data even after exiting the allowed area.

[0077] For example, the UE 102 may prevent the AMC 202 of the UE 102 from receiving the deletion request transmitted from the network node 122. In order to prevent the malicious UE from continuously attempting to access the secured data, in some embodiments, the network node 122 may be configured to continuously transmit, to the UE 102, a message (which is encrypted and / or signed by the network node 122) with a value of a freshness parameter indicating the freshness of the message. Also, the AMC 202 of the UE 102 may be configured to monitor the receipt of such message, and in case, the AMC 202 does not receive such message within a predefined threshold time interval, the AMC 202 may be configured to delete the access key.

[0078] In another example, the malicious UE may attempt to perform replay attacks, e.g., re-transmitting, to the network node 122, an old proof-of-removal message. In order to prevent this malicious UE from continuously attempting to access the secured data, in some embodiments, when the UE 102 transmits a proof-of-removal message, the UE 102 may be configured to transmit a value of a freshness parameter (e.g., timestamps and / or counter values), which indicates the freshness of the proof-of-removal message. This prevention concept may require a trusted time system to be available for the AMC 202 of the UE 102.

[0079] Updating the Access Key

[0080] In some embodiments, in addition to receiving the current access key from the network node 122, the AMC 202 of the UE 102 may receive the next access key from the network node 122. Alternatively, instead of receiving the next access key from the network node 122, the AMC 202 may derive the next access key using a key derivation function based on the current access key. Upon receiving, from the network node 122, an instruction to lock (e.g., encrypt) data (e.g., re-encrypting the secured data and / or the UE memory), the UE 102 may use the next access key to re-encrypt data before deleting both keys from its memory. In these embodiments, for the next access to the secured data, the UE 102 may receive the next access key as well as another next access key.

[0081] Integrity-Protected AMC

[0082] In some embodiments, the AMC 202 of the UE 102 is equipped with self-test circuitry which is supplied as input to the crypto component. This can be used to corrupt the signature if the self-test is not OK or to add a bit indicating the status into the proof-of-removal message, signed by the AMC 202.

[0083] Protection Against Spoofing

[0084] To protect against location spoofing (for example, using relays and / or fake base stations), the network node 122 may ask, via a network exposure function (NEF), a mobile network operator (MNO) to verify the location of the UE 102 using UE assisted measurements. In this case, the MNO may transmit to the UE 102 a request to measure beacons heard from surrounding base stations and provide its feedback to the MNO, where the location management function (LMF) can estimate the location of the UE 102 based on the measurements. This communication may be protected with control plane security such that a Man-in-the-middle (MITM) cannot modify it. This protection technique may make it extremely difficult for an attacker to duplicate spoofed location beacon signals to actual location of relayed UE and at the same time “hide” actual beacon signals of that location.

[0085] Additional User Authentication

[0086] In some embodiments, the user of the UE 102 may further need to authenticate itself using non-network credentials, e.g., signum and password, prior to receiving the access key. Said credentials may be verified by an enterprise server or security function connected to the enterprise server, as a part of the methods described.

[0087] FIG. 4 shows a process 400 performed by the network node 122 according to some embodiments. The process 400 may begin with step s402. The step s402 comprises obtaining location information which indicates a location of the UE 102. Step s404 comprises based on the location of the UE, determining whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE. Step s406 comprises, based on the determination, transmitting the access key to the UE.

[0088] In some embodiments, the process 400 comprises transmitting, to a second network node, a request for the location information, wherein obtaining the location information comprises receiving the location information from the second network node based on transmitting the requestto the second network node.

[0089] In some embodiments, the request for the location information is a request for the second network node to provide, to the first network node, the location information only when a certain condition is satisfied.

[0090] In some embodiments, the certain condition is that the UE has entered or left a certain area.

[0091] In some embodiments, the first network node includes at least one memory, and one or more area identifiers identifying one or more areas in which the UE is allowed to access the secured data stored in said at least one memory of the UE are stored in said at least one memory of the first network node.

[0092] In some embodiments, determining whether to transmit the access key to the UE comprises determining whether the location of the UE is in at least one of the areas identified by the area identifiers.

[0093] In some embodiments, the process 400 comprises determining that the location of the UE is in a first area identified by one of the area identifiers; and transmitting, to the second network node, a request to notify the first network node when the UE leaves the first area.

[0094] In some embodiments, the UE is configured to store the access key in a memory of the UE, and the process 400 comprises: receiving, from the second network node, a notification indicating that the UE has left the first area; and based on receiving the notification, waiting for the UE to transmit, to the first network node, a deletion confirmation message indicating that the UE has deleted the access key stored in the memory of the UE.

[0095] In some embodiments, the process 400 comprises determining that the deletion confirmation message is not received within a predefined time period; and based at least on the determination, (i) transmitting, to the UE, a deletion request, requesting the UE to delete the access key, (ii) flagging the UE, and / or (iii) transmitting a request to block the UE’s access to a network.

[0096] In some embodiments, the process 400 comprises receiving the deletion confirmation message indicating that the UE has deleted the access key, wherein the deletion confirmation message includes a signature created using an integrity protection key; and verifyingthe signature of the deletion confirmation message using an integrity verification key, wherein the integrity protection key and the integrity verification key are the same or different.

[0097] In some embodiments, the integrity protection key and the integrity verification key are different, the integrity protection key is a private key of the UE’s access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the integrity verification key is a public key of the AMC.

[0098] In some embodiments, the deletion confirmation message comprises a value of a freshness parameter associated with the deletion confirmation message, and the value of the freshness parameter indicates freshness of the deletion confirmation message.

[0099] In some embodiments, the transmitted access key is encrypted using an encryption key.

[0100] In some embodiments, the UE comprises an access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the AMC is configured to decrypt the encrypted access key using a decryption key.

[0101] In some embodiments, the encryption key for encrypting the transmitted access key and the decryption key for decrypting the encrypted access key are the same.

[0102] In some embodiments, the encryption key for encrypting the transmitted access key is a public key of the AMC; and the decryption key for decrypting the encrypted access key is a private key of the AMC.

[0103] In some embodiments, the process 400 comprises transmitting a value of a freshness parameter, which indicates freshness of the access key, wherein the AMC of the UE is configured to: check the freshness of the access key based on the value of the freshness parameter; and access the secured data stored in said at least one memory of the UE using the access key based on the checked freshness of the access key.

[0104] In some embodiments, the process 400 comprises receiving, from the UE, a message (i) indicating that the UE is connected to a network and / or (ii) requesting for the access key, wherein whether to transmit the access key to the UE is determined based at least on receiving the message.

[0105] In some embodiments, the process 400 comprises transmitting a request to verify a validity of the location of the UE; and receiving a response to the request indicating whether the validity of the location of the UE is confirmed or not, wherein the validity of the location of the UE is checked based on one or more measurements performed by the UE.

[0106] In some embodiments, the process 400 comprises transmitting a request to provide, to the first network node, a location of the UE which is determined based on a measurement performed by the UE; receiving a response to the request, which indicates the location of the UE determined based on the measurement performed by the UE; and verifying a validity of the location of the UE indicated in the location information using the location of the UE which is determined based on the measurement performed by the UE.

[0107] FIG. 5 shows a process 500 performed by the UE 102 according to some embodiments. The process 500 may begin with step s502. The step s502 comprises receiving, from the network node 122, an access key for accessing secured data stored in at least one memory of the UE. Step s504 comprises, using the access key, accessing the secured data stored in said at least one memory of the UE, wherein transmission of the access key from the network node to the UE is performed based on a determined location of the UE.

[0108] In some embodiments, the process 500 comprises receiving one or more signals transmitted via a cellular network; and reporting the signal strength of said one or more signals received via the cellular network, wherein the location of the UE is determined based on the reporting of the signal strength of said one or more signals.

[0109] In some embodiments, accessing the secured data stored in said at least one memory of the UE comprises: accessing said at least one memory, decrypting encrypted data stored in said at least one memory, and reading the decrypted data; or unlocking said at least one memory which is locked, accessing the unlocked memory, and reading data stored in the unlocked memory.

[0110] In some embodiments, the network node includes at least one memory, and one or more area identifiers identifying one or more areas in which the UE is allowed to access the secured data stored in said at least one memory of the UE are stored in said at least one memory of the network node.

[0111] In some embodiments, the transmission of the access key from the network node tothe UE is performed based on determining that the location of the UE is in at least one of the areas identified by the area identifiers.

[0112] In some embodiments, the access key that the UE received from the network node is encrypted using an encryption key.

[0113] In some embodiments, the UE comprises an access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the encryption key is a public key of the AMC.

[0114] In some embodiments, the process 500 comprises decrypting the access key using a decryption key of the AMC.

[0115] In some embodiments, the process 500 comprises receiving, from the network node, a value of a freshness parameter associated with the access key, wherein the value of the freshness parameter indicates freshness of the access key; and checking the freshness of the access key, wherein accessing the secured data stored in said at least one memory of the UE using the access key is performed based on the checked freshness of the access key.

[0116] In some embodiments, the process 500 comprises storing the decrypted access key in a different memory of the UE; detecting (i) that the UE has moved from a first location to a second location, (ii) that a network associated with the first location is no longer available to the UE, or (iii) that a time threshold has been reached since last receiving an area identifier from the UE; and based on the detection, deleting the access key stored in the different memory of the UE.

[0117] In some embodiments, the process 500 comprises based on the detection, encrypting the decrypted data stored in said at least one memory using an encryption key; or based on the detection, locking said at least one memory using an encryption key.

[0118] In some embodiments, the process 500 comprises transmitting to the network node a deletion confirmation message indicating that the UE has deleted the access key.

[0119] In some embodiments, integrity of the deletion confirmation message is protected using the private key of the AMC.

[0120] In some embodiments, the deletion confirmation message comprises a value of a freshness parameter associated with the deletion confirmation message, and the value of thefreshness parameter indicates freshness of the deletion confirmation message.

[0121] In some embodiments, the process 500 comprises transmitting, to the network node, a message (i) indicating that the UE is connected to a network and / or (ii) requesting for the access key, wherein the UE receives the access key from the network node based on transmitting the message.

[0122] FIG. 6 is a block diagram of the UE 102, according to some embodiments. As shown in FIG. 6, UE 102 may comprise: processing circuitry (PC) 602, which may include one or more processors (P) 655 (e.g., one or more general purpose microprocessors and / or one or more other processors, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), and the like); communication circuitry 648, which is coupled to an antenna arrangement 649 comprising one or more antennas and which comprises a transmitter (Tx) 645 and a receiver (Rx) 647 for enabling UE 102 to transmit data and receive data (e.g., wirelessly transmit / receive data); and a storage unit (a.k.a., “data storage system”) 608, which may include one or more non-volatile storage devices and / or one or more volatile storage devices. In embodiments where PC 602 includes a programmable processor, a computer readable storage medium (CRSM) 642 may be provided. CRSM 642 may store a computer program (CP) 643 comprising computer readable instructions (CRI) 644. CRSM 642 may be a non-transitory computer readable medium, such as, magnetic media (e.g., a hard disk), optical media, memory devices (e.g., random access memory, flash memory), and the like. In some embodiments, the CRI 644 of computer program 643 is configured such that when executed by PC 602, the CRI causes UE 102 to perform steps described herein (e.g., steps described herein with reference to the flow charts). In other embodiments, UE 102 may be configured to perform steps described herein without the need for code. That is, for example, PC 602 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and / or software.

[0123] FIG. 7 is a block diagram of a network node 700 which can implement any of the network nodes 122 and 124, according to some embodiments. As shown in FIG. 7, network node 700 may comprise: processing circuitry (PC) 702, which may include one or more processors (P) 755 (e.g., one or more general purpose microprocessors and / or one or more other processors, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), andthe like), which processors may be co-located in a single housing or in a single data center or may be geographically distributed (e.g., network node 700 may be a distributed computing apparatus comprising two or more computers or a monolithic computing apparatus consisting of a single computer); at least one network interface 748 (e.g., a physical interface or air interface) comprising a transmitter (Tx) 745 and a receiver (Rx) 747 for enabling network node 700 to transmit data to and receive data from other nodes connected to network 110 (e.g., an Internet Protocol (IP) network) to which network interface 748 is connected (physically or wirelessly) (e.g., network interface 748 may be coupled to an antenna arrangement comprising one or more antennas for enabling network node 700 to wirelessly transmit / receive data); and a storage unit (a.k.a., “data storage system”) 708, which may include one or more non-volatile storage devices and / or one or more volatile storage devices. In embodiments where PC 702 includes a programmable processor, a computer readable storage medium (CRSM) 742 may be provided. CRSM 742 may store a computer program (CP) 743 comprising computer readable instructions (CRI) 744. CRSM 742 may be a non-transitory computer readable medium, such as, magnetic media (e.g., a hard disk), optical media, memory devices (e.g., random access memory, flash memory), and the like. In some embodiments, the CRI 744 of computer program 743 is configured such that when executed by PC 702, the CRI causes network node 700 to perform steps described herein (e.g., steps described herein with reference to the flow charts). In other embodiments, network node 700 may be configured to perform steps described herein without the need for code. That is, for example, PC 702 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and / or software.

[0124] While various embodiments are described herein, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of this disclosure should not be limited by any of the above-described exemplary embodiments. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the disclosure unless otherwise indicated herein or otherwise clearly contradicted by context.

[0125] As used herein transmitting a message “to” or “toward” an intended recipient encompasses transmitting the message directly to the intended recipient or transmitting the message indirectly to the intended recipient (i.e., one or more other nodes are used to relay themessage from the source node to the intended recipient). Likewise, as used herein receiving a message “from” a sender encompasses receiving the message directly from the sender or indirectly from the sender (i.e., one or more nodes are used to relay the message from the sender to the receiving node). Further, as used herein “a” means “at least one” or “one or more.”

[0126] Additionally, while the processes described above and illustrated in the drawings are shown as a sequence of steps, this was done solely for the sake of illustration. Accordingly, it is contemplated that some steps may be added, some steps may be omitted, the order of the steps may be re-arranged, and some steps may be performed in parallel.

[0127] Abbreviations

Claims

CLAIMS1. A method performed by a first network node (122), comprising: obtaining (s402) location information which indicates a location of a user equipment, UE(102); based on the location of the UE, determining (s404) whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE; and based on the determination, transmitting (s406) the access key to the UE.

2. The method of claim 1, comprising: transmitting, to a second network node, a request for the location information, wherein obtaining the location information comprises receiving the location information from the second network node based on transmitting the request to the second network node.

3. The method of claim 2, wherein the request for the location information is a request for the second network node to provide, to the first network node, the location information only when a certain condition is satisfied.

4. The method of claim 3, wherein the certain condition is that the UE has entered or left a certain area.

5. The method of any one of claims 1-4, wherein the first network node includes at least one memory, and one or more area identifiers identifying one or more areas in which the UE is allowed to access the secured data stored in said at least one memory of the UE are stored in said at least one memory of the first network node.

6. The method of claim 5, wherein determining whether to transmit the access key to the UE comprises determining whether the location of the UE is in at least one of the areas identified by the area identifiers.

7. The method of claim 6 (when claim 5 depends on claim 2), comprising: determining that the location of the UE is in a first area identified by one of the area identifiers; and transmitting, to the second network node, a request to notify the first network node when the UE leaves the first area.

8. The method of claim 7, wherein the UE is configured to store the access key in a memory of the UE, and the method comprises: receiving, from the second network node, a notification indicating that the UE has left the first area; and based on receiving the notification, waiting for the UE to transmit, to the first network node, a deletion confirmation message indicating that the UE has deleted the access key stored in the memory of the UE.

9. The method of claim 8, comprising: determining that the deletion confirmation message is not received within a predefined time period; and based at least on the determination, (i) transmitting, to the UE, a deletion request, requesting the UE to delete the access key, (ii) flagging the UE, and / or (iii) transmitting a request to block the UE’s access to a network.

10. The method of claim 8, comprising: receiving the deletion confirmation message indicating that the UE has deleted the access key, wherein the deletion confirmation message includes a signature created using an integrity protection key; and verifying the signature of the deletion confirmation message using an integrity verification key, wherein the integrity protection key and the integrity verification key are the same or different.

11. The method of claim 10, whereinthe integrity protection key and the integrity verification key are different, the integrity protection key is a private key of the UE’s access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the integrity verification key is a public key of the AMC.

12. The method of any one of claims 8-11, wherein the deletion confirmation message comprises a value of a freshness parameter associated with the deletion confirmation message, and the value of the freshness parameter indicates freshness of the deletion confirmation message.

13. The method of any one of claims 1-12, wherein the transmitted access key is encrypted using an encryption key.

14. The method of claim 13, wherein the UE comprises an access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the AMC is configured to decrypt the encrypted access key using a decryption key.

15. The method of claim 14, wherein the encryption key for encrypting the transmitted access key and the decryption key for decrypting the encrypted access key are the same.

16. The method of claim 14, wherein the encryption key for encrypting the transmitted access key is a public key of the AMC; and the decryption key for decrypting the encrypted access key is a private key of the AMC.

17. The method of any one of claims 14-16, comprising: transmitting a value of a freshness parameter, which indicates freshness of the access key, wherein the AMC of the UE is configured to:check the freshness of the access key based on the value of the freshness parameter; and access the secured data stored in said at least one memory of the UE using the access key based on the checked freshness of the access key.

18. The method of any one of claims 1-17, comprising: receiving, from the UE, a message (i) indicating that the UE is connected to a network and / or (ii) requesting for the access key, wherein whether to transmit the access key to the UE is determined based at least on receiving the message.

19. The method of any one of claims 1-18, comprising: transmitting a request to verify a validity of the location of the UE; and receiving a response to the request indicating whether the validity of the location of the UE is confirmed or not, wherein the validity of the location of the UE is checked based on one or more measurements performed by the UE.

20. The method of any one of claims 1-18, comprising: transmitting a request to provide, to the first network node, a location of the UE which is determined based on a measurement performed by the UE; receiving a response to the request, which indicates the location of the UE determined based on the measurement performed by the UE; and verifying a validity of the location of the UE indicated in the location information using the location of the UE which is determined based on the measurement performed by the UE.

21. A method performed by a user equipment, UE (102), comprising: receiving (s502), from a network node (122), an access key for accessing secured data stored in at least one memory of the UE; and using the access key, accessing (s504) the secured data stored in said at least one memory of the UE, whereintransmission of the access key from the network node to the UE is performed based on a determined location of the UE.

22. The method of claim 21, comprising: receiving one or more signals transmitted via a cellular network; and reporting the signal strength of said one or more signals received via the cellular network, wherein the location of the UE is determined based on the reporting of the signal strength of said one or more signals.

23. The method of claim 21 or 22, wherein accessing the secured data stored in said at least one memory of the UE comprises: accessing said at least one memory, decrypting encrypted data stored in said at least one memory, and reading the decrypted data; or unlocking said at least one memory which is locked, accessing the unlocked memory, and reading data stored in the unlocked memory.

24. The method of any one of claims 21-23, wherein the network node includes at least one memory, and one or more area identifiers identifying one or more areas in which the UE is allowed to access the secured data stored in said at least one memory of the UE are stored in said at least one memory of the network node.

25. The method of claim 24, wherein the transmission of the access key from the network node to the UE is performed based on determining that the location of the UE is in at least one of the areas identified by the area identifiers.

26. The method of any one of claims 21-25, wherein the access key that the UE received from the network node is encrypted using an encryption key.

27. The method of claim 26, whereinthe UE comprises an access management component, AMC, for managing access to the secured data stored in said at least one memory of the UE, and the encryption key is a public key of the AMC.

28. The method of claim 26 or 27, comprising decrypting the access key using a decryption key of the AMC.

29. The method of any one of claims 21-28, comprising: receiving, from the network node, a value of a freshness parameter associated with the access key, wherein the value of the freshness parameter indicates freshness of the access key; and checking the freshness of the access key, wherein accessing the secured data stored in said at least one memory of the UE using the access key is performed based on the checked freshness of the access key.

30. The method of claim 28 or 29 (when claim 29 depends on claim 28), comprising: storing the decrypted access key in a different memory of the UE; detecting (i) that the UE has moved from a first location to a second location, (ii) that a network associated with the first location is no longer available to the UE, or (iii) that a time threshold has been reached since last receiving an area identifier from the UE; and based on the detection, deleting the access key stored in the different memory of the UE.

31. The method of claim 30 (when claim 26 and / or claim 29 depends on claim 23), comprising: based on the detection, encrypting the decrypted data stored in said at least one memory using an encryption key; or based on the detection, locking said at least one memory using an encryption key.

32. The method of claim 30 or 31, comprising: transmitting to the network node a deletion confirmation message indicating that the UE has deleted the access key.

33. The method of claim 32, wherein integrity of the deletion confirmation message is protected using the private key of the AMC.

34. The method of claim 32 or 33, wherein the deletion confirmation message comprises a value of a freshness parameter associated with the deletion confirmation message, and the value of the freshness parameter indicates freshness of the deletion confirmation message.

35. The method of any one of claims 21-34, comprising: transmitting, to the network node, a message (i) indicating that the UE is connected to a network and / or (ii) requesting for the access key, wherein the UE receives the access key from the network node based on transmitting the message.

36. A computer program (600 or 700) comprising instructions (644 or 744) which when executed by processing circuitry (602 or 702) cause the processing circuitry to perform the method of any one of claims 1-35.

37. A carrier containing the computer program of claim 36, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, and a computer readable storage medium.

38. A first network node (122) being configured to: obtain (s402) location information which indicates a location of a user equipment, UE (102); based on the location of the UE, determine (s404) whether to transmit, to the UE, an access key for accessing secured data stored in at least one memory of the UE; and based on the determination, transmit (s406) the access key to the UE.

39. The first network node of claim 38, wherein the first network node is configured to perform the method of any one of claims 2-20.

40. A user equipment, UE (102), being configured to: receive (s502), from a network node (122), an access key for accessing secured data stored in at least one memory of the UE; and using the access key, access (s504) the secured data stored in said at least one memory of the UE, wherein transmission of the access key from the network node to the UE is performed based on a determined location of the UE.

41. The UE of claim 40, wherein the UE is configured to perform the method of any one of claims 22-35.

42. An apparatus (600 or 700) comprising: a processing circuitry (602 or 702); and a memory (641 or 741), said memory containing instructions executable by said processing circuitry, whereby the apparatus is operative to perform the method of any one of claims 1-35.