Security for traffic relaying by wireless communication devices

The Nearby Service Anchor Node facilitates efficient reuse of ProSe relay user keys in wireless networks, addressing inefficiencies by managing keys independently from authentication servers, thus optimizing security and reducing authentication overhead.

JP2026097855APending Publication Date: 2026-06-16TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Filing Date
2026-02-16
Publication Date
2026-06-16

Smart Images

  • Figure 2026097855000001_ABST
    Figure 2026097855000001_ABST
Patent Text Reader

Abstract

This provides a method for requesting the reuse of keys used for authentication of remote wireless communication devices. [Solution] The method in the communication system includes a nearby service anchor node 30 receiving a request for authentication of a remote wireless communication device, the request requesting the reuse of a nearby service relay user key to derive a new shared key to protect the interface between the remote wireless communication device 14 and the relay wireless communication device 12, and the relay wireless communication device receiving the request for authentication, configured to relay traffic for the remote wireless communication device.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] This application relates in general to the relaying of traffic by wireless communication devices, and more specifically to security for such traffic relaying. [Background technology]

[0002] Neighborhood Services (ProSe) in wireless communication networks enable wireless communication devices that are in each other's vicinity to communicate directly over a path that does not traverse network nodes. Neighborhood service relays leverage ProSe to allow one wireless communication device to relay traffic for another nearby wireless communication device. For example, a so-called ProSe device-to-network relay is a wireless communication device that relays unicast traffic between a remote wireless communication device and a wireless communication network. The remote wireless communication device can then communicate with the network via the ProSe device-to-network relay, even if the remote wireless communication device is outside the network's coverage.

[0003] The interface between a remote wireless communication device and a relay wireless communication device can be protected based on a ProSe relay user key (PRUK), for example, called 5GPRUK in a 5G network. Generating a new ProSe relay user key each time the remote wireless communication device establishes an interface with the relay wireless communication device provides sufficient protection to the interface, as leakage of the ProSe relay user key would be limited to only one session of the interface. However, generating a new ProSe relay user key inefficiently requires the remote wireless communication device to perform primary authentication again. Therefore, reusing the ProSe relay user key across different sessions of the interface would prove to be more efficient. Nevertheless, there are challenges in reusing the ProSe relay user key in a way that is at least consistent with existing design principles for wireless communication networks. For example, the method described in 3GPP TS33.503 v0.2.0 for securing 5G ProSe communication via Layer-3 UE-to-Network Relay on the control plane, unlike the conventional method which only required managing the subscription IDs of remote wireless communication devices, places a burden on the authentication server (AUSF) to manage the PRUK IDs for PRUKs. [Overview of the Initiative]

[0004] Some embodiments of this specification introduce a new node called a Nearby Service Anchor Node to support the reuse of Nearby Service Relay User Keys in a wireless communication network. The Nearby Service Anchor Node, in this regard, stores Nearby Service Relay User Keys for remote wireless communication devices and can bind identifiers to those keys, so that the keys can be retrieved later (for reuse) based on those identifiers. The reuse of Nearby Service Relay User Keys supported in this way by the Nearby Service Anchor Node effectively isolates other nodes in the communication network from the details of Nearby Service Relay User Key reuse. An authentication server, for example, is isolated from having to manage identifiers bound to Nearby Service Relay User Keys and can therefore simply manage subscription IDs for remote wireless communication devices, as in the conventional method.

[0005] Other embodiments of this specification introduce near-neighbor service reuse signaling to request the reuse of a near-neighbor service relay user key. Such signaling can, for example, simply request the reuse of a near-neighbor service relay user key without specifying the identification information bound to the last used key, regardless of which near-neighbor service relay user key was last used. These embodiments thereby effectively relieve nodes in a wireless communication network of the burden of having to manage identifiers bound to near-neighbor service relay user keys.

[0006] Whether via a nearby service anchor node or via nearby service reuse signaling, some embodiments of this specification advantageously enable the reuse of nearby service relay user keys in a manner that conforms to existing design principles for wireless communication networks, for example, thereby requiring the authentication server to still rely only on the subscription ID of the remote wireless communication device.

[0007] More specifically, embodiments of the present specification include a method executed by a remote wireless communication device. The method includes sending, by a relay wireless communication device, a request for the relay wireless communication device to relay traffic for remote wireless communication. In this case, the request requests the reuse of a proximity service relay user key already associated with the remote wireless communication device.

[0008] In some embodiments, the request requests the reuse of a proximity service relay user key from an execution prior to a primary authentication procedure for primary authentication of the remote wireless communication device.

[0009] In some embodiments, the request includes a proximity service relay user key reuse flag that requests the reuse of a proximity service relay user key already associated with the remote wireless communication device.

[0010] In some embodiments, the proximity service relay user key is based on and / or unique to an execution of a primary authentication procedure for primary authentication of the remote wireless communication device.

[0011] In some embodiments, the method further includes receiving, from the relay wireless communication device, a response to the request indicating that the proximity service relay user key should be reused.

[0012] In some embodiments, the method further includes reusing the proximity service relay user key to generate a shared key for protecting an interface between the remote wireless communication device and the relay wireless communication device, and protecting the interface using the shared key. In one or more of these embodiments, the shared key is key K NR_ProSe and in one or more of these embodiments, the interface is a PC5 interface.

[0013] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0014] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0015] Other embodiments of this specification include a method performed by a relay radio communication device. This method includes the relay radio communication device receiving a request from a remote radio communication device for relaying traffic for the remote radio communication. In this case, the request requests the reuse of a nearby service relay user key already associated with the remote radio communication device.

[0016] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0017] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0018] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0019] In some embodiments, the method further includes sending a response to a request to a remote wireless communication device indicating that the Nearby Service Relay User Key should be reused.

[0020] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0021] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0022] In some embodiments, the method further includes sending a request to a network node serving a relay radio communication device for a shared key to secure the interface between the remote radio communication device and the relay radio communication device. In this case, the request for the shared key requests the reuse of the Nearby Service Relay User Key to derive the shared key. In one or more of these embodiments, the request for the shared key includes a Nearby Service Relay User Key Reuse flag requesting the reuse of the Nearby Service Relay User Key. In one or more of these embodiments, the method further includes receiving a response from the network node to the request for the shared key. In this case, the response to the request for the shared key includes the shared key and indicates that the Nearby Service Relay User Key should be reused to derive the shared key.

[0023] Other embodiments of this specification include a method performed by a relay radio communication device. This method includes sending a request to a network node serving the relay radio communication device for a shared key to secure the interface between a remote radio communication device and the relay radio communication device. In this case, the relay radio communication device is configured to relay traffic for the remote radio communication device, and the request for the shared key requests the reuse of a neighbor service relay user key to derive the shared key.

[0024] In some embodiments, a request for a shared key includes a Nearby Services Relay User Key Reuse flag that requests the reuse of the Nearby Services Relay User Key.

[0025] In some embodiments, the method further includes receiving a response from a network node to a request for a shared key. In this case, the response to the request for a shared key includes the shared key and indicates that the neighbor service relay user key should be reused to derive the shared key.

[0026] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0027] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0028] In some embodiments, the method further includes receiving a request from a remote radio communication device for a relay radio communication device to relay traffic for the remote radio communication. In this case, the request asks for the reuse of a nearby service relay user key already associated with the remote radio communication device. The method further includes sending a response to the request to the remote radio communication device. In this case, the response includes a shared key and indicates that the nearby service relay user key should be reused to derive the shared key.

[0029] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0030] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0031] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0032] In some embodiments, network nodes implement access and mobility functions (AMF).

[0033] In some embodiments, the interface is a PC5 interface.

[0034] Other embodiments of this specification include a method performed by a network node serving a relay radio communication device. This method includes receiving a request from the relay radio communication device for a shared key to secure the interface between the remote radio communication device and the relay radio communication device. In this case, the relay radio communication device is configured to relay traffic for the remote radio communication device, and the request requests the reuse of a neighbor service relay user key to derive the shared key.

[0035] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0036] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0037] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0038] In some embodiments, the method further includes sending a response to a request to a relay wireless communication device. In this case, the response includes a shared key and indicates that a neighbor service relay user key should be reused to derive the shared key.

[0039] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0040] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0041] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0042] In some embodiments, network nodes implement access and mobility functions (AMF).

[0043] In some embodiments, the interface is a PC5 interface.

[0044] Other embodiments of this specification include a method performed by a network node serving a relay radio communication device. This method includes sending a request to an authentication server for authentication of a remote radio communication device. In this case, the request requests the reuse of a neighbor service relay user key to derive a shared key for protecting the interface between the remote radio communication device and the relay radio communication device, and the relay radio communication device is configured to relay traffic for the remote radio communication device.

[0045] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0046] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0047] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0048] In some embodiments, the method further includes receiving a response to the request from an authentication server. In this case, the response includes a shared key and indicates that the Neighbor Service Relay User Key should be reused to derive the shared key.

[0049] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0050] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0051] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0052] In some embodiments, network nodes implement access and mobility functions (AMF).

[0053] In some embodiments, the interface is a PC5 interface.

[0054] Other embodiments of this specification include a method performed by an authentication server. This method includes receiving a request for authentication of a remote radio communication device. In this case, the request requests the reuse of a neighbor service relay user key to derive a shared key for protecting the interface between the remote radio communication device and a relay radio communication device, and the relay radio communication device is configured to relay traffic for the remote radio communication device.

[0055] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0056] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0057] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0058] In some embodiments, the method further includes sending a response to a request. In this case, the response includes a shared key and indicates that the Neighbor Service Relay User Key should be reused to derive the shared key.

[0059] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0060] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0061] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0062] In some embodiments, requests are received from the Access and Mobility Function (AMF).

[0063] In some embodiments, the interface is a PC5 interface.

[0064] In some embodiments, the method further includes sending a request for authentication certification for a remote wireless communication device to a data management node. In this case, the request for authentication certification requests the reuse of a Nearby Service Relay User Key. In one or more of these embodiments, the method further includes receiving a response from the data management node to the request for authentication certification. In this case, the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In some embodiments, the method further includes obtaining a shared key as derived from the Nearby Service Relay User Key and sending a response to the request for authentication. In this case, the response to the request for authentication includes the obtained shared key and indicates that the Nearby Service Relay User Key should be reused to derive the shared key. In one or more of these embodiments, obtaining the shared key includes retrieving the Nearby Service Relay User Key from local storage in the authentication server and deriving the shared key from the retrieved Nearby Service Relay User Key. In one or more of these embodiments, obtaining a shared key includes forwarding a request for authentication to another authentication server where the Nearby Service Relay User Key is stored, and receiving a shared key from the other authentication server as derived from the Nearby Service Relay User Key. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In this case, the method generates a Nearby Service Relay User Key based on key material derived during authentication of a remote radio communication device, further comprising the authentication of the remote radio communication device generating a Nearby Service Relay User Key based on the authentication certificate, deriving a shared key from the generated Nearby Service Relay User Key, and transmitting a response to the request for authentication. In this case, the response to the request for authentication includes the derived shared key.In one or more of these embodiments, the response to the authentication request indicates that the Nearby Service Relay User Key should not be reused to derive a shared key. Alternatively or additionally, the method may further include, after generating the Nearby Service Relay User Key, sending a signaling to the data management node indicating that the Nearby Service Relay User Key for a remote wireless communication device is available for reuse and indicating the identity of the authentication server where the Nearby Service Relay User Key is stored.

[0065] Other embodiments of this specification include a method performed by an authentication server. This method includes sending a request for authentication certification for a remote radio communication device to a data management node. In this case, the request for authentication certification requests the reuse of a neighbor service relay user key to derive a shared key for protecting the interface between the remote radio communication device and a relay radio communication device configured to relay traffic for the remote radio communication device.

[0066] In some embodiments, the request is received from a network node serving a relay wireless communication device. In other embodiments, the request is received from a separate authentication server.

[0067] In some embodiments, the method further includes receiving a response from a data management node to a request for authentication. In this case, the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In this case, the method further includes obtaining a shared key as derived from the Nearby Service Relay User Key and sending a response to the request for authentication to a network node. In this case, the response to the request for authentication includes the obtained shared key and indicates that the Nearby Service Relay User Key should be reused to derive the shared key. In one or more of these embodiments, obtaining the shared key includes retrieving the Nearby Service Relay User Key from local storage in the authentication server and deriving the shared key from the retrieved Nearby Service Relay User Key. In one or more of these embodiments, obtaining the shared key includes forwarding the request for authentication to another authentication server where the Nearby Service Relay User Key is stored and receiving the shared key from the other authentication server as derived from the Nearby Service Relay User Key.

[0068] In some embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In this case, the method further includes generating a Nearby Service Relay User Key based on key material derived during authentication of a remote wireless communication device. In this case, authentication of the remote wireless communication device is based on the authentication certificate. The method further includes deriving a shared key from the generated Nearby Service Relay User Key and sending a response to the authentication request to a network node. In this case, the response to the authentication request includes the derived shared key. In one or more of these embodiments, the response to the authentication request indicates that the Nearby Service Relay User Key should not be reused to derive the shared key.

[0069] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0070] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0071] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0072] In some embodiments, network nodes implement access and mobility functions (AMF).

[0073] In some embodiments, the interface is a PC5 interface.

[0074] Other embodiments of this specification include a method performed by a data management node. This method includes receiving a request for authentication certification for a remote radio communication device from an authentication server. In this case, the request for authentication certification requests the reuse of a neighbor service relay user key to derive a shared key which is for protecting the interface between the remote radio communication device and a relay radio communication device configured to relay traffic for the remote radio communication device.

[0075] In some embodiments, the method further includes sending a response to the request to an authentication server, in which case the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates the identification information of the authentication server where the Nearby Service Relay User Key is stored. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In one or more of these embodiments, the method further includes, after sending the response, receiving a signaling indicating the identification information of the authentication server where the Nearby Service Relay User Key is stored, and storing information in a data management node indicating that the Nearby Service Relay User Key for a remote wireless communication device is available for reuse and indicating the identification information of the authentication server where the Nearby Service Relay User Key is stored.

[0076] In some embodiments, the method further includes determining whether a Nearby Service Relay User Key is available for reuse, based on information in a data management node indicating whether a Nearby Service Relay User Key is stored for a remote wireless communication device.

[0077] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0078] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0079] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0080] In some embodiments, the interface is a PC5 interface.

[0081] Of course, this disclosure is not limited to the features and advantages described above. In fact, those skilled in the art will recognize additional features and advantages by reading the embodiments for carrying out the invention below and looking at the accompanying drawings. [Brief explanation of the drawing]

[0082] [Figure 1] This is a block diagram of nearby service relay user key reuse in several embodiments. [Figure 2] This is a block diagram of a key hierarchy according to several embodiments. [Figure 3A] This is a call flow diagram for user key reuse in a nearby service relay, according to several embodiments. [Figure 3B] This is a call flow diagram for user key reuse in a nearby service relay, according to several embodiments. [Figure 4A] This is a call flow diagram for user key reuse in a nearby service relay according to another embodiment. [Figure 4B] This is a call flow diagram for user key reuse in a nearby service relay according to another embodiment. [Figure 5A] Furthermore, here is a call flow diagram for user key reuse in a nearby service relay according to another embodiment. [Figure 5B] Furthermore, here is a call flow diagram for user key reuse in a nearby service relay according to another embodiment. [Figure 6A] This is a call flow diagram for reusing a nearby service relay user key according to another embodiment. [Figure 6B] This is a call flow diagram for reusing a nearby service relay user key according to another embodiment. [Figure 7] This is a block diagram of user key reuse for nearby service relay according to another embodiment. [Figure 8A] This is a call flow diagram for user key reuse in a nearby service relay, according to several embodiments. [Figure 8B]This is a call flow diagram for user key reuse in a nearby service relay, according to several embodiments. [Figure 9] This is a logical flow diagram of a method performed by a neighboring service anchor node, according to several embodiments. [Figure 10] This is a logical flow diagram of a method performed by an authentication server, according to several embodiments. [Figure 11] This is a logical flow diagram of a method executed by network nodes, according to several embodiments. [Figure 12] This is a logical flow diagram of a method performed by a remote wireless communication device, according to several embodiments. [Figure 13] This is a logic flow diagram of a method performed by a relay wireless communication device, according to several embodiments. [Figure 14] This is a logic flow diagram of a method performed by a relay wireless communication device, according to several embodiments. [Figure 15] This is a logical flow diagram of a method executed by network nodes, according to several embodiments. [Figure 16] This is a logical flow diagram of a method executed by network nodes, according to several embodiments. [Figure 17] This is a logical flow diagram of a method performed by an authentication server, according to several embodiments. [Figure 18] This is a logical flow diagram of a method performed by an authentication server, according to several embodiments. [Figure 19] This is a logical flow diagram of the methods performed by the data management node in several embodiments. [Figure 20] This is a block diagram of a wireless communication device according to several embodiments. [Figure 21] This is a block diagram of a neighboring service anchor node according to several embodiments. [Figure 22] This is a block diagram of an authentication server according to several embodiments. [Figure 23] This is a block diagram of a network node according to several embodiments. [Figure 24] This is a block diagram of a data management node according to several embodiments. [Figure 25] This is a block diagram of a communication system according to several embodiments. [Figure 26] This is a block diagram of user equipment according to several embodiments. [Figure 27] This is a block diagram of a network node according to several embodiments. [Figure 28] This is a block diagram of a host according to several embodiments. [Figure 29] This is a block diagram of a virtualization environment according to several embodiments. [Figure 30] This is a block diagram of several embodiments in which a host communicates with a UE via a network node over a partial wireless connection. Forms for carrying out the invention

[0083] Figure 1 shows several embodiments of ProSe relay. As shown, wireless communication devices 12 and 14 are in each other's vicinity and communicate directly over interface 16, for example, a PC5 interface defined according to the 3GPP standard. By communicating directly over interface 16, wireless communication devices 12 and 14 communicate over a path that does not traverse network nodes. Wireless communication devices 12 and 14 leverage this ProSe direct communication so that, for example, at layer 2 or layer 3 of their device protocol stack, wireless communication device 12 can relay traffic 18 for wireless communication device 14. Wireless communication device 12 is therefore called relay wireless communication device 12, while wireless communication device 14 is called remote wireless communication device 14. In one embodiment, as shown, for example, relay wireless communication device 12 relays traffic 18 between remote wireless communication device 14 and wireless communication network 20. Subsequently, via the relay wireless communication device 12, the remote wireless communication device 14 can communicate with the network 20 even if the remote wireless communication device 14 is outside the network coverage (i.e., remote to the network coverage).

[0084] The interface 16 between the wireless communication devices 12, 14 is protected based on the shared key 22, that is, shared between the wireless communication devices 12, 14. The shared key 22 can be, for example, a root key from which a cryptographic key for confidentiality protection and / or integrity protection of the interface 16 is directly or indirectly derived. In some embodiments, the shared key 22 is shared between the wireless communication devices 12, 14 in that the shared key 22 is established in both of the wireless communication devices 12, 14. For example, in one embodiment, the remote wireless communication device 14 generates the shared key 22 itself, while the relay wireless communication device 12 receives the same shared key 22 from a network node 24 in the wireless communication network 20 that implements, for example, an access and mobility function (AMF). Once the shared key 22 is established in both of the wireless communication devices 12, 14 in this way, each wireless communication device 12, 14 can use the shared key 22 to derive a cryptographic key (not shown) for confidentiality protection and / or integrity protection of the interface 16. The wireless communication devices 12, 14 can then communicate securely over the interface 16 by applying confidentiality protection using the confidentiality key and / or by applying integrity protection using the integrity key.

[0085] In the embodiments of this specification, the shared key 22 is derived from the proximity service relay user key 26, also referred to as the PRUK key 26, where PRUK represents the ProSe relay user key. FIG. 2 shows one exemplary implementation of the proximity service relay user key 26 in an embodiment where the wireless communication network 20 is a 5G network. As shown, an intermediate key K AUSF is established in the remote wireless communication device 14 and in the wireless communication network 10. This intermediate key K AUSF is used to derive the key 5GPRUK, where 5GPRUK exemplifies the proximity service relay user key 26. In one embodiment, 5GPRUK is a root proof derived from K AUSF which is the security root of the PC5 unicast link between the wireless communication devices 12, 14. Next, a key K is derived from 5GPRUKNR_ProSe This is derived, where key K NR_ProSe This exemplifies a shared key 22. In one embodiment, key K NR_ProSe This key K is a root key (for example, a 256-bit root key) established between wireless communication devices 12 and 14 communicating using a New Radio (NR) PC5 unicast link. NR_ProSe This is established in both the remote wireless communication device 14 and the relay wireless communication device 12. Each of the wireless communication devices 12 and 14 has key K. NR_ProSe Using this, a key is derived to protect the transfer of data between devices 12 and 14 on interface 16. In this regard, each of the wireless communication devices 12 and 14 uses key K. NR_ProSe Key K relay-sess We derive the following, where key K relay-sess This is derived for each unicast link and / or each time a unicast communication session is activated between devices 12 and 14. Each of the wireless communication devices 12 and 14 shall use a selected integrity algorithm and a selected encryption algorithm, respectively, to protect PC5-S signaling, PC5 radio resource control (RRC) signaling, and PC5 user plane data, with key K relay-int and key K relay-enc Derive the following.

[0086] However, regardless of whether the wireless communication network 10 is a 5G network or not, generating a new Nearby Service Relay User Key 26 each time the remote wireless communication device 14 establishes an interface 16 with the same or a different relay wireless communication device would adequately protect the interface 16, as leakage of the Nearby Service Relay User Key 26 would be limited to only one session of the interface 16. However, in some embodiments, the Nearby Service Relay User Key 26 is based on and / or unique to a certain execution of a primary authentication procedure 28 for the primary authentication of the remote wireless communication device 14 to the wireless communication network 10, for example. In these embodiments, then generating a new Nearby Service Relay User Key 26 each time the remote wireless communication device 14 establishes an interface 16 with the same or a different relay wireless communication device would inefficiently require the execution of the primary authentication procedure 28 again each time.

[0087] Some embodiments of this specification, for example, facilitate the reuse of the Nearby Service Relay User Key 26 across different sessions of interface 16. Furthermore, some embodiments of this specification facilitate the reuse of the Nearby Service Relay User Key 26 in a manner that conforms to existing design principles for wireless communication networks 10, for example, thereby requiring the authentication server to still rely only on the subscription ID of the remote wireless communication device.

[0088] In some embodiments, to support the reuse of the neighbor service relay user key 26, a new node called a neighbor service anchor node 30 is introduced. As shown in the figure, the neighbor service anchor node 30 receives the neighbor service relay user key 26 associated with the remote wireless communication device 14 from the authentication server 32. The neighbor service anchor node 30 derives a shared key 22 from this neighbor service relay user key 26 and sends the shared key 22 to the network node 24 that serves the relay wireless communication device 12. The neighbor service anchor node 30 may send the shared key 22 to the network node 24, for example, in a response 34 to a shared key request 36 from the network node 24 requesting the shared key 22.

[0089] In some embodiments, the Nearby Service Anchor Node 30 stores the Nearby Service Relay User Key 26 in storage on the Nearby Service Anchor Node 30, for example, so that the key 26 can be retrieved later for reuse. This reuse of the Nearby Service Relay User Key 26, supported by the Nearby Service Anchor Node 30, effectively isolates other nodes in the wireless communication network 10 from the details of Nearby Service Relay User Key reuse. The Authentication Server 32, for example, would be isolated from these details.

[0090] In one or more embodiments, as illustrated, for example, the Neighbor Service Anchor Node 30 also receives an identifier 38 bound to the Neighbor Service Relay User Key 26 from the Authentication Server 32. The identifier 38 may be called, for example, the PRUK ID. After sending the identifier 38 to the Neighbor Service Anchor Node 30, the Authentication Server 32 does not need to store or manage the identifier 38. Rather, the Neighbor Service Anchor Node 30 stores the Neighbor Service Relay User Key 26 in relation to the identifier 38. The Neighbor Service Anchor Node 30 can then use the identifier 38 bound to the key 26 to retrieve the Neighbor Service Relay User Key 26 from storage at a later date. This, in turn, allows the Network Node 24 to include its identifier 38 in its Shared Key Request 36 as a way to request that the Shared Key 22 be derived from a reused Neighbor Service Relay User Key bound to the identifier 38. These embodiments enable the reuse of the Nearby Service Relay User Key 26 in a manner that thereby frees the authentication server 32 from having to manage or store the identifier 38 bound to the Nearby Service Relay User Key 26, i.e., from having to follow the existing paradigm.

[0091] Figures 3A and 3B show exemplary call flows in several embodiments. As shown in Figure 3A, the remote radio communication device 14 sends a direct communication request to the relay radio communication device 12 to establish a secure unicast link on interface 16 (Step 1). This direct communication request includes a subscription identifier (ID) that identifies the subscription to the radio communication network 20. To establish a secure unicast link on interface 16, the relay radio communication device 12 correspondingly sends a shared key request to the network node 24 (e.g., AMF), where the shared key request requests a shared key 22 to secure interface 16 and includes the subscription identifier (Step 2). The network node 24 then sends the corresponding shared key request to the neighbor service anchor node 30 (Step 3).

[0092] After the Nearby Service Anchor Node 30 receives a shared key request from the Network Node 24, the Nearby Service Anchor Node 30 sends a request to the Authentication Server 32 for primary authentication of the remote wireless communication device 14 (Step 4). This request may include a subscription identifier for the remote wireless communication device 14. Based on this request, the Authentication Server 32 triggers the execution of the primary authentication procedure 28, during which the remote wireless communication device 14 and the Authentication Server generate a Nearby Service Relay User Key (PRUK) 26 and an identifier 38 bound to the Nearby Service Relay User Key (PRUK) 26 (indicated as a PRUK ID) (Step 5). After this, the Authentication Server 32 sends a response to the Nearby Service Anchor Node 30 for the request for primary authentication, where the response includes the Nearby Service Relay User Key 26 and the identifier 38 (Step 6). In some embodiments, although not illustrated, the response may also include a subscription identifier for the remote wireless communication device 14.

[0093] The neighbor service anchor node 30 correspondingly receives a response from the authentication server 32 containing the neighbor service relay user key (PRUK) 26 and an identifier 38. Upon obtaining the neighbor service relay user key (PRUK) 26, the neighbor service anchor node 30 derives the shared key 22 from the PRUK 26 (step 7). The neighbor service anchor node 30 also stores the PRUK 26 in relation to the identifier 38, for example, so that the PRUK 26 is indexed by the identifier 38 (step 8). The neighbor service anchor node 30 sends a response to the shared key request, where the response contains the shared key 22 (step 9). The network node 24 receives the shared key 22 in the response and correspondingly sends the shared key 22 to the relay wireless communication device 12 in response to a shared key request from the relay wireless communication device 12, for example (step 10).

[0094] The relay wireless communication device 12 sends a direct security mode command to the remote wireless communication device 14, as shown in the figure, which includes one or more other parameters, such as a nonce from which the shared key 22 can be derived (step 11). The remote wireless communication device 14 finally derives the shared key 22 from the PRUK 26 generated in step 5 (step 12).

[0095] Figure 3B shows a call flow diagram for reusing PRUK26 from Figure 3A to protect the subsequent establishment of an interface 16 between a remote radio communication device 14 and the same or a different relay radio communication device 12, for example. As shown, the remote radio communication device 14 sends a direct communication request to the same or a different relay radio communication device 12 (step 13). However, this direct communication request includes an identifier (PRUK ID) 38 bound to PRUK26, rather than a subscription identifier for the remote radio communication device 14. The relay radio communication device 12 correspondingly sends a shared key request to the network node 24 (step 14). Since this is a subsequent shared key request, the shared key request effectively requests a new shared key that is different from the previous shared key used in Figure 3A. However, this new shared key request includes an identifier (PRUK ID) 38 bound to PRUK26, rather than a subscription identifier. This means that the shared key request effectively requests that PRUK26 from Figure 3A be reused to derive the new shared key. In either case, the network node 24 similarly sends the corresponding shared key request to the neighbor service anchor node 30 (step 15).

[0096] The neighboring service anchor node 30 receives a new shared key request. Using the identifier 38 indicated in the new shared key request, the neighboring service anchor node 30 retrieves the PRUK 26 from storage in the neighboring service anchor node 30 (step 16). The neighboring service anchor node 30 then reuses the retrieved PRUK 26 to derive the requested new shared key 22 (step 17). That is, instead of triggering primary authentication of the remote wireless communication device 14 via the authentication server 32 for the generation of a new PRUK 26, the neighboring service anchor node 30 reuses the PRUK 26 generated from a previous execution of the primary authentication procedure 28 in Figure 3A. Moreover, once the PRUK 26 is stored in the neighboring service anchor node 30 and the reuse of the PRUK 26 is achieved by the neighboring service anchor node 30, the authentication server 32 does not need to be involved in or even affected by the reuse of the PRUK 26. In either case, the neighboring service anchor node 30 then sends the new shared key 22 to the network node 24 in response to the new shared key request (step 18).

[0097] Similar to Figure 3A, network node 24 receives the shared key 22 in response and, in response, transmits the shared key 22 to relay radio communication device 12, for example, in response to a shared key request from relay radio communication device 12 (step 19). Relay radio communication device 12 then transmits a direct security mode command to remote radio communication device 14 (step 20), and remote radio communication device 14 derives the shared key 22 from the reused PRUK 26 generated in step 5 (step 21).

[0098] Figures 4A to 4B show a more detailed example of the embodiment from Figures 3A to 3B in the context that the wireless communication network 20 is a 5G network. In this example, the remote wireless communication device 14 is exemplified as a remote user device (UE), the relay wireless communication device 12 is exemplified as a relay UE which is a 5G ProSe Layer 3 UE-network relay, the interface 16 is a PC5 interface, the network node 24 is exemplified as implementing AMF, the nearby service anchor node 30 is exemplified as implementing ProSe anchor network functionality (NF), and the authentication server 32 is exemplified as implementing authentication server functionality (AUSF). In some embodiments, the ProSe anchor functionality is hosted by an existing node and collated with a node that implements, for example, ProSe key management functionality (PKMF) or AAnF. Furthermore, the nearby service relay user key 26 is exemplified as PRUK, and the shared key 22 is key K NR_ProSe This is an example.

[0099] The call flow in Figures 4A and 4B in this context describes the security for 5G ProSe communication over a 5G ProSe Layer 3 (L3) UE-Network (U2N) relay on the control plane. The security mechanism for L3 U2N relay authentication, authorization, and key management uses primary authentication for PC5 key establishment. In this procedure, the remote UE establishes a PC5 link between the remote UE and the UE-Network relay. The procedure includes how the remote UE is authenticated by the AUSF via the relay UE and the relay UE's AMF during 5G ProSe PC5 establishment. This mechanism may be used by the remote UE while it is out of coverage. 0. Remote UEs and relay UEs shall be registered with the network. UE-Network relays shall be authenticated and authorized by the network to support relay UEs. Remote UEs shall be authenticated and authorized by the network to function as remote UEs. 1. Each remote UE shall initiate the discovery procedure using either the Model A method or the Model B method, as specified in Section 6.3.1.2 or Section 6.3.1.3 of TS23.304 v.17.0.0. 2-4. After UE-Network Relay discovery, the remote UE shall send a Direct Communication Request (DCR) to the relay UE to establish a secure PC5 unicast link. The remote UE shall include its security capabilities and security policy in the DCR message, as specified in TS33.536 v.16.4.0. The message shall also include the Subscription Confidentiality Identifier (SUCI) or PRUK ID, Relay Service Code (RSC), and Nonce_1. Upon receiving the DCR message, the relay UE shall send a relay key request to the relay AMF, including the parameters received in the DCR message. The relay AMF shall verify whether the relay UE is permitted to operate as a U2N relay. 5. The relay AMF shall select a Prose anchor function (PANF) based on the SUCI or PRUK ID and forward the key request to the PANF via the Npanf_ProseKey_Request message. This message may include the SUCI or PRUK ID, RSC, and Nonce_1. The Prose Anchor function (PANF) is located in the Home Public Land Mobile Network (HPLMN) of a remote UE (like AUSF and UDM). 6. If a SUCI is received, PANF shall select an AUSF based on the SUCI and forward the key request to AUSF via the Nausf_UEAuthentication_ProseAuth request message. This message may contain the SUCI, RSC, and Nonce_1. If a PRUK ID is received, PANF shall find the locally stored PRUK and proceed to step 13. If the PRUK ID is invalid or the PRUK cannot be found, PANF sends an error message back to the UE via relay AMF, which can trigger the remote UE to repeat step 2 with SUCI. 7-10. AUSF shall extract the authentication vector from the UDM and trigger UE authentication on the remote UE. 11. Upon successful UE authentication, AUSF and the remote UE shall generate a 5GPRUK and a PRUK ID based on the key material derived during UE authentication. 12. AUSF shall return the SUPI of the remote UE, along with the 5G PRUK and PRUK ID, to PANF via the Nausf_UEAuthentication_ProseAuth response message. 13. PANF generates Nonce_2, and K is based on 5G PRUK and Nonce_2. NR_ProSe The key will be derived. (in HPLMN of remote UEs) PANF also K NR_ProSe When deriving the key, Nonce_1 and RSC can be used as inputs. 14. PANF uses K in the Npanf_ProseKey_Response message. NR_ProSe The Nonce_2 signal will be sent to the relay AMF. 15. Relay AMF is K NR_ProSe Then, forward Nonce_2 to the relay UE. 16. The relay UE shall send the received Nonce_2 to the remote UE in a direct security mode command message. 17-18. The remote UE should be used for remote access via the relay UE in the same manner as specified in step 13. NR_ProSe The system shall generate a key. The remote UE shall send a direct security mode completion message to the UE-network relay.

[0100] Further communication between the remote UE and the network is securely conducted via the UE-network relay.

[0101] Figures 5A and 5B show an exemplary call flow according to another embodiment.

[0102] As shown in Figure 5A, the remote radio communication device 14 sends a direct communication request to the relay radio communication device 12 to establish a secure unicast link on interface 16 (Step 1). This direct communication request includes a subscription identifier (ID) that identifies the subscription to the radio communication network 20. To establish a secure unicast link on interface 16, the relay radio communication device 12 correspondingly sends a shared key request to the network node 24 (e.g., AMF), where the shared key request requests a shared key 22 to secure interface 16 and includes the subscription identifier (Step 2). In these embodiments, the network node 24 sends a request to the authentication server 32 for primary authentication of the remote radio communication device 14, where the authentication request includes the subscription ID (Step 3).

[0103] Based on the request, the authentication server 32 triggers the execution of the primary authentication procedure 28, during which the remote wireless communication device 14 and the authentication server generate a Nearby Service Relay User Key (PRUK) 26 and an identifier 38 bound to the Nearby Service Relay User Key (PRUK) 26 (indicated as a PRUK ID) (Step 4). After this, the authentication server 32 registers the PRUK 26 and the identifier 38 bound to the PRUK 26 with the Nearby Service Anchor Node 30. In this regard, the authentication server 32 sends a request to the Nearby Service Anchor Node 30 to register the PRUK 26 with the Nearby Service Anchor Node 30, where the PRUK 26 is included in the request to register the PRUK 26 (Step 5). The request to register the PRUK 26 may also include the identifier 38 bound to the PRUK 26 and / or the subscription identifier. The neighbor service anchor node 30 stores PRUK26 in relation to identifier 38 in accordance with this request, for example, storing PRUK26 indexed by identifier 38 (step 6). Once PRUK26 is registered with the neighbor service anchor node 30, the authentication server 32 returns a response to the authentication request that includes identifier 38 (PRUK ID) (step 7).

[0104] After registering PRUK26, the neighbor service anchor node 30 receives a shared key request from the network node 24 indicating an identifier 38 bound to PRUK26 (step 8). Using the identifier 38 indicated in the shared key request, the neighbor service anchor node 30 retrieves PRUK26 from its storage (step 9). The neighbor service anchor node 30 then derives the shared key 22 from the retrieved PRUK26 (step 10) and sends the shared key 22 to the network node 24 in response to the shared key request (step 11).

[0105] The network node 24 receives the shared key 22 in response and, in response, transmits the shared key 22 to the relay wireless communication device 12, for example, in response to a shared key request from the relay wireless communication device 12 (step 12).

[0106] The relay wireless communication device 12 sends a direct security mode command to the remote wireless communication device 14, as shown in the figure, which includes one or more other parameters, such as a nonce from which the shared key 22 can be derived (step 13). The remote wireless communication device 14 finally derives the shared key 22 from the PRUK 26 generated in step 5 (step 14).

[0107] Figure 5B shows a call flow diagram for reusing PRUK26 from Figure 5A to protect the subsequent establishment of an interface 16 between a remote radio communication device 14 and the same or a different relay radio communication device 12, for example. As shown, the remote radio communication device 14 sends a direct communication request to the same or a different relay radio communication device 12 (step 15). However, this direct communication request includes an identifier (PRUK ID) 38 bound to PRUK26, rather than a subscription identifier for the remote radio communication device 14. The relay radio communication device 12 correspondingly sends a shared key request to the network node 24 (step 16). Since this is a subsequent shared key request, the shared key request effectively requests a new shared key that is different from the previous shared key used in Figure 5A. However, this new shared key request includes an identifier (PRUK ID) 38 bound to PRUK26, rather than a subscription identifier. This means that the shared key request effectively requests that PRUK26 from Figure 5A be reused to derive the new shared key. In either case, the network node 24 similarly sends the corresponding shared key request to the neighbor service anchor node 30 (step 17).

[0108] The neighbor service anchor node 30 receives a new shared key request. Using the identifier 38 indicated in the new shared key request, the neighbor service anchor node 30 retrieves the PRUK 26 from storage in the neighbor service anchor node 30 (step 18). The neighbor service anchor node 30 then reuses the retrieved PRUK 26 to derive the requested new shared key 22 (step 19). That is, instead of triggering primary authentication of the remote wireless communication device 14 via the authentication server 32 for the generation of a new PRUK 26, the neighbor service anchor node 30 reuses the PRUK 26 generated from a previous execution of the primary authentication procedure 28 in Figure 5A. Moreover, once the PRUK 26 is stored in the neighbor service anchor node 30 and the reuse of the PRUK 26 is achieved by the neighbor service anchor node 30, the authentication server 32 does not need to be involved in or even affected by the reuse of the PRUK 26. In either case, the neighboring service anchor node 30 then sends the new shared key 22 to the network node 24 in response to the new shared key request (step 20).

[0109] Similar to Figure 5A, the network node 24 receives the shared key 22 in response and, in response, transmits the shared key 22 to the relay radio communication device 12, for example, in response to a shared key request from the relay radio communication device 12 (step 21). The relay radio communication device 12 then transmits a direct security mode command to the remote radio communication device 14 (step 22), and the remote radio communication device 14 derives the shared key 22 from the reused PRUK 26 generated in step 5 (step 23).

[0110] Figures 6A to 6B show more detailed examples of embodiments from Figures 5A to 5B in the context that the wireless communication network 20 is a 5G network. In this example, the remote wireless communication device 14 is exemplified as a remote user device (UE), the relay wireless communication device 12 is exemplified as a relay UE which is a 5G ProSe Layer 3 UE-network relay, the interface 16 is a PC5 interface, the network node 24 is exemplified as implementing AMF, the nearby service anchor node 30 is exemplified as implementing ProSe anchor network functionality (NF), and the authentication server 32 is exemplified as implementing authentication server functionality (AUSF). In some embodiments, the ProSe anchor functionality is hosted by an existing node and collated with a node that implements, for example, ProSe key management functionality (PKMF) or AAnF. Furthermore, the nearby service relay user key 26 is exemplified as PRUK, and the shared key 22 is key K NR_ProSe This is an example.

[0111] The call flow in Figures 6A and 6B in this context describes the security for 5G ProSe communication over a 5G ProSe Layer 3 (L3) UE-Network (U2N) relay on the control plane. The security mechanism for L3 U2N relay authentication, authorization, and key management uses primary authentication for PC5 key establishment. In this procedure, the remote UE establishes a PC5 link between the remote UE and the UE-Network relay. The procedure includes how the remote UE is authenticated by the AUSF via the relay UE and the relay UE's AMF during 5G ProSe PC5 establishment. This mechanism may be used by the remote UE while it is out of coverage.

[0112] Steps 1-4 in Figure 6A are the same as steps 1-4 in Figure 4A. 5. If a SUCI is received, the relay AMF shall select an AUSF based on the SUCI and forward the key request to the AUSF via a Nausf_UEAuthentication_ProseAuth request message. This message may contain a SUCI, an RSC, and a Nonce_1. If a PRUK ID is received, the relay AMF shall discover the PANF (in the HPLMN of the remote UE) based on the PRUK ID and proceed to step 14. Steps 6-10 in Figure 6A are the same as steps 7-11 in Figure 4A. 11-12. AUSF shall send the SUPI of the remote UE, the 5G PRUK and PRUK ID to PANF via the Npanf_AnchorKey_Register request / response. 13. AUSF shall return the PRUK ID to the relay AMF via the Nausf_UEAuthentication_ProseAuth response message. 14. The relay AMF shall send a Prose key request to PANF via the Npanf_ProseKey_Request message. This message may include the PRUK ID, RSC, and Nonce_1. Steps 15-20 in Figure 6B are the same as steps 13-18 in Figure 4B.

[0113] Next, generally speaking, Figures 3A to 6B illustrate an example in which the Prose anchor network function stores the prose security context of a remote UE, which includes the UE's 5G PRUK and PRUK ID, and optionally can also include the UE's subscription persistent identifier (SUPI). Thus, the UE's prose security context and key material can be managed entirely by this NF without incurring any additional impact on existing NFs, such as AUSF / UDM, AMF, etc.

[0114] Figure 7 illustrates another embodiment of this specification that leverages signaling to request or indicate the reuse of the last used neighbor service relay user key 26. Such signaling can advantageously enable the reuse of the neighbor service relay user key 26 without requiring an identifier 28 to be bound to its key 26, and therefore without requiring a node such as the authentication server 32 to store or maintain its identifier 28. Correspondingly, such signaling can avoid the introduction of the neighbor service anchor node 30 in the previous embodiment.

[0115] The description of Figure 7 is the same as the description of Figure 1, except for the differences mentioned below. As shown in Figure 7, the remote radio communication device 14 sends a request 42 to the relay radio communication device 12 for the relay radio communication device 12 to relay traffic 18 for the remote radio communication device 12. This relay request 42 requests the reuse of the nearby service relay user key 26 already associated with the remote radio communication device 14. The request 42 may, for example, request the reuse of the nearby service relay user key 24 from a previous execution (e.g., the last execution) of the primary authentication procedure 28 for the primary authentication of the remote radio communication device 14. The relay request 42 may include a nearby service relay user key reuse flag 44, for example, requesting the reuse of the nearby service relay user key 26 that is already (e.g., last) associated with the remote radio communication device 14.

[0116] The relay wireless communication device 12 receives such a request 42 from the remote wireless communication device 14. The relay wireless communication device 12 sends a request 46 to the network node 24 for a shared key 22 to protect the interface 16, where the request 46 for the shared key 22 requests the reuse of the neighbor service relay user key 26 to derive the shared key 22. For example, the request 46 for the shared key 22 may include a neighbor service relay user key reuse flag 48 that requests the reuse of the neighbor service relay user key 26.

[0117] Network node 24 then receives a shared key request 42 from relay wireless communication device 12. Network node 24 then sends a request 50 to authentication server 32 for authentication of remote wireless communication device 14, where request 50 requests the reuse of the nearest service relay user key 26 to derive the shared key 22. Request 50 may include, for example, a nearest service relay user key reuse flag 52 that requests the reuse of the nearest service relay user key 26 already associated with the remote wireless communication device 14.

[0118] The authentication server 32 receives the authentication request 50 in response. The authentication server 32 then sends a request 58 for authentication certification for the remote wireless communication device 14 to the data management node 40, where the request 58 requests the reuse of the Nearby Service Relay User Key 26 to derive the shared key 22. The authentication server 32 may receive a response 62 from the data management node 40 to the request 58 for authentication certification, where the response 62 indicates whether the Nearby Service Relay User Key 26 is available for reuse.

[0119] If response 62 indicates that the Nearby Service Relay User Key 26 is available for reuse, the authentication server 32 may retrieve the Nearby Service Relay User Key 26 from its local storage and reuse it to derive the shared key 22. Alternatively, the authentication server 32 may retrieve the shared key 22 from another authentication server (not shown) that was storing the Nearby Service Relay User Key 26 to be reused. In either case, after obtaining the shared key 22 derived through the reuse of the Nearby Service Relay User Key 26, the authentication server 32 sends a response 54 to the network node 24 for the authentication request, where the response 54 for the authentication request 50 includes the derived shared key 22 and indicates that the Nearby Service Relay User Key 26 should be reused to derive the shared key 22. Network node 24 may, in response, send a response to the shared key request 46 to relay radio communication device 12, the response which includes the shared key 22 and indicates (for example, via flag 56) that the neighbor service relay user key 26 should be reused to derive the shared key 22. Relay radio communication device 12 may similarly signal to remote radio communication device 14 that the neighbor service relay user key 26 should be reused to derive the shared key 22. Remote radio communication device 14 may then reuse the neighbor service relay user key 26 to derive the shared key 22.

[0120] Figures 8A and 8B show a more detailed example of the embodiment from Figure 7 in the context that the wireless communication network 20 is a 5G network. In this example, the remote wireless communication device 14 is exemplified as a remote user equipment (UE), the relay wireless communication device 12 is exemplified as a relay UE which is a 5G ProSe Layer 3 UE-network relay, the interface 16 is a PC5 interface, the network node 24 is exemplified as implementing AMF, the authentication server 32 is exemplified as implementing authentication server function (AUSF), and the data management node 40 is exemplified as implementing user data management (UDM) function. Furthermore, the nearest service relay user key 26 is exemplified as PRUK, and the shared key 22 is key K NR_ProSe This is an example.

[0121] The call flow in Figures 8A and 8B in this context describes the security for 5G ProSe communication over a 5G ProSe Layer 3 (L3) UE-Network (U2N) relay on the control plane. The security mechanism for L3 U2N relay authentication, authorization, and key management uses primary authentication for PC5 key establishment. In this procedure, the remote UE establishes a PC5 link between the remote UE and the UE-Network relay. The procedure includes how the remote UE is authenticated by the AUSF via the relay UE and the relay UE's AMF during 5G ProSe PC5 establishment. This mechanism may be used by the remote UE while it is out of coverage. 0. Remote UEs and relay UEs shall be registered with the network. UE-Network relays shall be authenticated and authorized by the network to support relay UEs. Remote UEs shall be authenticated and authorized by the network to function as remote UEs. 1. The remote UE shall initiate the discovery procedure. 2-4. After the discovery of the UE-Network Relay, the remote UE shall send a direct communication request to the relay UE to establish a secure PC5 unicast link. The remote UE shall include its security capabilities and security policy in the DCR message, as specified in TS33.536 v.16.4.0. The message shall also include the SUCI, the relay service code (RSC), Nonce_1, and an indicator, referred herein as PRUK_reuse_Flag, to indicate that the UE is attempting to reuse a PRUK obtained from a previous interaction with the network. Upon receiving the DCR message, the relay UE shall send a relay key request to the relay AMF, including the parameters received in the DCR message. The relay AMF shall verify whether the relay UE is permitted to operate as a U2N relay. 5. The relay AMF shall select the AUSF based on the SUCI and forward the key request to the AUSF via the Nausf_UEAuthentication_ProseAuth request message. This message may include the SUCI, RSC, Nonce_1, and PRUK_reuse_Flag. 6. AUSF shall send an authentication request to UDM that includes SUCI and PRUK_reuse_Flag in its message. 7. The UDM decrypts the SUCI and obtains the UE's SUPI. If the PRUK_reuse_Flag is received in the message, the UDM checks the PRUK storage status for the UE.

[0122] There are two alternative approaches to how UDM will progress, as described below. Alternative form 1: Step 8a, followed by steps 9a and 10a below. 8a. If the PRUK storage status indicates that there is a PRUK stored for the UE and an AUSF instance storing the PRUK (referred to herein as AUSFpruk), the UDM sends an authentication response to AUSF along with the AUSFpruk ID. 9a. If the AUSFpruk ID is the same instance of AUSF, AUSF fetches the locally stored 5G PRUK. AUSF generates Nonce_2 and K based on the 5G PRUK. NR_ProSe Derive the key.

[0123] If the AUSFpruk ID is a different instance, AUSF forwards the Nausf_UEAuthentication_ProseAuth request message to AUSFpruk. AUSFpruk fetches the locally stored 5G PRUK. AUSFpruk generates Nonce_2 and, based on the 5G PRUK, Nonce_1, Nonce_2, and RSC, K NR_ProSe Derive the key and send it back to AUSF. 10a. AUSF, via the Nausf_UEAuthentication_ProseAuth response message, K NR_ProSe The relay AMF shall return Nonce_2 and an indicator (referred to herein as PRUK_reuse_Ind) to indicate that the network has used the PRUK obtained from the previous interaction. Alternative form 2: Step 8b, followed by steps 9b, 10b, 11b, and 12b below. 8b. If the PRUK storage status indicates that there are no PRUKs stored for the UE, or if the UDM decides that the PRUK will not be reused, the UDM sends an authentication response to the AUSF along with the UE's SUPI and authentication vector. AUSF will proceed with the UE certification process. 9b. Upon successful UE authentication, the AUSF and the remote UE shall generate a 5GPRUK based on the key material derived during UE authentication. 10b. AUSF stores the 5G PRUK and updates the PRUK storage status to the UDM via the message Nudm_UEAuthentication_ProseResult. This message may include the SUPI, RSC, PRUK storage status, and AUSF ID. 11b. AUSF generates Nonce_2 and K based on 5G PRUK, Nonce_1, Nonce_2, and RSC. NR_ProSe Derive the key. 12b. AUSF receives the Nausf_UEAuthentication_ProseAuth response message via K NR_ProSe Nonce_2 will be returned to the relay AMF. 13. Relay AMF is K NR_ProSe The Nonce_2 message is forwarded to the relay UE. The message may contain PRUK_reuse_Ind. 14. The relay UE shall send the received Nonce_2 to the remote UE in a direct security mode command message. That message may contain PRUK_reuse_Ind. 15-16. The remote UE should be used for remote access via the relay UE in the same manner as the AUSF in step 9a / step 11b. NR_ProSe The system shall generate a key. The remote UE shall send a direct security mode completion message to the UE-network relay.

[0124] Further communication between the remote UE and the network is securely conducted via the UE-network relay.

[0125] In some embodiments, one or more of the keys in Figure 2 may be derived using a key derivation function (KDF), so that the derived key is equal to the KDF computed with respect to the string S using the key, given by derived key = HMAC-SHA-256(key, S). In one such embodiment, the string S is constructed from n+1 input parameters as follows: S=FC||P0||L0||P1||L1||P2||L2||P3||L3||...||Pn||Ln Here, FC is used to distinguish different instances of the algorithm, and is either a single octet or consists of two octets of the form FC1||FC2, where FC1=0xFF and FC2 is a single octet, where P0...Pn are n+1 input parameter codings and L0...Ln are two-octet representations of the corresponding input parameter codings P0...Pn of length.

[0126] In some embodiments, when deriving 5GPRUK from KAUSF, the following parameters are used to form the input S to KDF: FC=0xXX, P0=Subscription Persistence Identifier (SUPI), L0=Length of SUPI, P1=Relay Service Code, and L1=Length of Relay Service Code. The input key KEY is KAUSF.

[0127] Similarly, in some embodiments, when deriving KNR_ProSe from a 5GPRUK key, the following parameters are used to form the input S to the KDF: FC=0xZZ, P0=Nonce_2, L0=length of Nonce_2, P1=Nonce_1, and L1=length of Nonce_1. The input key KEY is a 5GPRUK key.

[0128] Furthermore, when deriving the 5GPRUK ID from KAUSF, the following parameters may be used to form the input S to KDF: FC=0xAA, P0="PRUK-ID", L0=length of "PRUK-ID", P1=relay service code, L1=length of relay service code, P2=SUPI, and L2=length of SUPI. The input key KEY is KAUSF.

[0129] For simplicity, the relay wireless communication device 12 is shown as being served by the home network of the remote wireless communication device, but this is not required. In other embodiments, for example, the relay wireless communication device 12 may be served by a wireless communication network different from the home network of the remote wireless communication device.

[0130] In view of modifications and variations of this specification, Figure 9 shows a method performed by a nearby service anchor node according to a particular embodiment. This method includes receiving a nearby service relay user key associated with a remote radio communication device from an authentication server (block 900). This method further includes deriving a shared key from the nearby service relay user key to protect the interface between the remote radio communication device and a relay radio communication device configured to relay traffic for the remote radio communication device (block 910). This method also includes transmitting the shared key to a network node serving the relay radio communication device (block 920).

[0131] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0132] In some embodiments, the method further includes receiving a shared key request from a network node requesting a shared key from a neighbor service anchor node; after receiving the shared key request, sending a request to an authentication server for primary authentication of a remote wireless communication device; and receiving a response from the authentication server to the request for primary authentication. In this case, the response to the request for primary authentication includes a neighbor service relay user key. In one or more of these embodiments, the shared key request includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network. In one or more of these embodiments, the method further includes sending a response to the shared key request to a network node. In this case, the response to the shared key request includes a shared key.

[0133] In some embodiments, the method further includes storing the Nearby Service Relay User Key in storage at the Nearby Service Anchor Node in relation to an identifier bound to the Nearby Service Relay User Key (block 930). In one or more of these embodiments, the method further includes receiving a new shared key request indicating an identifier bound to the Nearby Service Relay User Key (block 940). The method may further include retrieving the Nearby Service Relay User Key from storage at the Nearby Service Anchor Node using the identifier indicated in the new shared key request (block 950), and deriving a new shared key for a remote wireless communication device from the retrieved Nearby Service Relay User Key (block 960). The method may then include transmitting the new shared key in response to the new shared key request (block 970).

[0134] For example, in some embodiments, the method further includes receiving an identifier bound to a Nearby Service Relay User Key from an authentication server. In one or more of these embodiments, the method further includes storing the Nearby Service Relay User Key in storage at a Nearby Service Anchor node in relation to the received identifier. In one or more of these embodiments, the method further includes receiving a new shared key request from a requesting node indicating an identifier bound to a Nearby Service Relay User Key, retrieving the Nearby Service Relay User Key from storage at a Nearby Service Anchor node using the identifier indicated in the new shared key request, deriving a new shared key for a remote radio communication device from the retrieved Nearby Service Relay User Key, and sending the new shared key to the requesting node in response to the new shared key request. In one or more of these embodiments, the method further includes storing the Nearby Service Relay User Key in relation to a subscription identifier that identifies the remote radio communication device's subscription to the home network of the remote radio communication device.

[0135] In some embodiments, the method further includes receiving a subscription identifier from an authentication server that identifies the subscription of the remote wireless communication device to the home network of the remote wireless communication device.

[0136] In some embodiments, the Nearby Service Relay User Key is received from the authentication server in a request to register the Nearby Service Relay User Key with the Nearby Service Anchor Node. In one or more of these embodiments, the request to register the Nearby Service Relay User Key also includes an identifier bound to the Nearby Service Relay User Key and / or a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. In one or more of these embodiments, the method further includes storing the Nearby Service Relay User Key in storage at the Nearby Service Anchor Node in relation to the received identifier. In one or more of these embodiments, the method further includes, after receiving the request to register the Nearby Service Relay User Key, receiving a shared key request from the network node indicating the identifier bound to the Nearby Service Relay User Key, and retrieving the Nearby Service Relay User Key from storage at the Nearby Service Anchor Node using the identifier indicated in the shared key request. In this case, the shared key is derived from the Nearby Service Relay User Key retrieved from storage, and sending the shared key to the network node includes sending a response to the shared key request to the network node, the response including the shared key.

[0137] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0138] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0139] In some embodiments, the authentication server implements the Authentication Server Function (AUSF).

[0140] In some embodiments, network nodes implement access and mobility functions (AMF).

[0141] In some embodiments, the interface is a PC5 interface.

[0142] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0143] Figure 10 shows a method performed by an authentication server according to another specific embodiment. This method includes generating a nearby service relay user key associated with a remote wireless communication device (block 1000). This method also includes transmitting the nearby service relay user key to a nearby service anchor node (block 1010).

[0144] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0145] In some embodiments, the method further includes receiving a request for primary authentication of a remote wireless communication device from a nearby service anchor node, and sending a response to the request for primary authentication to the nearby service anchor node, wherein the response includes a nearby service relay user key. In one or more of these embodiments, the response also includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network.

[0146] In some embodiments, the method further includes sending an identifier bound to a neighbor service relay user key to a neighbor service anchor node.

[0147] In some embodiments, the method further includes transmitting a subscription identifier to a nearby service anchor node that identifies the remote wireless communication device's subscription to the home network.

[0148] In some embodiments, the method further includes sending a request to a neighbor service anchor node to register a neighbor service relay user key with the neighbor service anchor node. In this case, the neighbor service relay user key is included in the request to register the neighbor service relay user key. In one or more of these embodiments, the request to register the neighbor service relay user key also includes an identifier bound to the neighbor service relay user key and / or a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device.

[0149] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0150] In some embodiments, the authentication server implements the Authentication Server Function (AUSF).

[0151] In some embodiments, the Nearby Service Relay User Key is a proof from which a shared key can be derived to protect the interface between the remote radio communication device and the relay radio communication device. In this case, the relay radio communication device is configured to relay traffic for the remote radio communication device. In one or more of these embodiments, the interface is a PC5 interface. In one or more of these embodiments, the relay radio communication device is a Layer 3 UE-Network Relay.

[0152] Figure 11 shows a method performed by a network node serving a relay radio communication device configured to relay traffic for a remote radio communication device, according to another specific embodiment. This method includes sending a request to a nearby service anchor node for a shared key to secure the interface between the remote radio communication device and the relay radio communication device (block 1100). In response to the request, the method also includes receiving the shared key from the nearby service anchor node (block 1110) and sending the shared key to the relay radio communication device (block 1120).

[0153] In some embodiments, the shared key can be derived from the neighbor service relay user key. In this case, the neighbor service relay user key is based on and / or unique to a certain execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

[0154] In some embodiments, the shared key request includes an identifier bound to a neighbor service relay user key. In this case, the received shared key is derived from the neighbor service relay user key. In one or more of these embodiments, the neighbor service relay user key is a 5G neighbor service relay user key (5GPRUK).

[0155] In some embodiments, the shared key request includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network.

[0156] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0157] In some embodiments, network nodes implement access and mobility functions (AMF).

[0158] In some embodiments, the interface is a PC5 interface.

[0159] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0160] Figure 12 shows a method performed by a remote radio communication device according to another specific embodiment. This method includes sending a request to a relay radio communication device for the relay radio communication device to relay traffic for remote radio communication (block 1200). In this case, the request asks the remote radio communication device to reuse a nearby service relay user key already associated with it.

[0161] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0162] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0163] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0164] In some embodiments, the method further includes receiving a response to a request from a relay wireless communication device indicating that a nearby service relay user key should be reused.

[0165] In some embodiments, the method further includes reusing a neighbor service relay user key to generate a shared key for protecting the interface between a remote wireless communication device and a relay wireless communication device (block 1210), and protecting the interface using the shared key (block 1220). In one or more of these embodiments, the shared key is key K NR_ProSeIn one or more of these embodiments, the interface is a PC5 interface.

[0166] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0167] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0168] Figure 13 illustrates a method performed by a relay radio communication device. This method includes receiving a request from a remote radio communication device for the relay radio communication device to relay traffic for the remote radio communication (block 1300). In this case, the request asks for the reuse of a nearby service relay user key already associated with the remote radio communication device.

[0169] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0170] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0171] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0172] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0173] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0174] In some embodiments, the method further includes sending a request for a shared key to a network node serving a relay radio communication device to secure the interface between the remote radio communication device and the relay radio communication device (block 1310). In this case, the request for the shared key requests the reuse of the neighbor service relay user key to derive the shared key. In one or more of these embodiments, the request for the shared key includes a neighbor service relay user key reuse flag that requests the reuse of the neighbor service relay user key. In one or more of these embodiments, the method further includes receiving a response from the network node to the request for the shared key (block 1320). In this case, the response to the request for the shared key includes the shared key and indicates that the neighbor service relay user key should be reused to derive the shared key.

[0175] In some embodiments, the method further includes sending a response to a request to a remote wireless communication device indicating that the nearby service relay user key should be reused (block 1330).

[0176] Figure 14 illustrates a method performed by a relay radio communication device. In some embodiments, the method includes sending a request for a shared key to a network node serving the relay radio communication device to secure the interface between the remote radio communication device and the relay radio communication device (block 1410). In this case, the relay radio communication device is configured to relay traffic for the remote radio communication device, and the request for the shared key requests the reuse of a neighbor service relay user key to derive the shared key.

[0177] In some embodiments, a request for a shared key includes a Nearby Services Relay User Key Reuse flag that requests the reuse of the Nearby Services Relay User Key.

[0178] In some embodiments, the method includes receiving a response from a network node to a request for a shared key (block 1420). In this case, the response to the request for a shared key includes the shared key and indicates that the neighbor service relay user key should be reused to derive the shared key.

[0179] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0180] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0181] In some embodiments, the method includes receiving a request from a remote radio communication device for the relay radio communication device to relay traffic for the remote radio communication (block 1400). In this case, the request asks for the reuse of a nearby service relay user key already associated with the remote radio communication device. In some embodiments, the method further includes sending a response to the request to the remote radio communication device (block 1430). In this case, the response includes a shared key and indicates that the nearby service relay user key should be reused to derive the shared key.

[0182] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0183] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0184] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0185] In some embodiments, network nodes implement access and mobility functions (AMF).

[0186] In some embodiments, the interface is a PC5 interface.

[0187] Figure 15 illustrates a method performed by a network node serving a relay radio communication device. This method includes receiving a request from the relay radio communication device for a shared key to secure the interface between the remote radio communication device and the relay radio communication device (block 1500). In this case, the relay radio communication device is configured to relay traffic for the remote radio communication device, and the request asks for the reuse of a neighbor service relay user key to derive the shared key.

[0188] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0189] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0190] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0191] In some embodiments, the method further includes sending a response to a request to a relay wireless communication device (block 1510). In this case, the response includes a shared key and indicates that a neighbor service relay user key should be reused to derive the shared key.

[0192] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0193] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0194] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0195] In some embodiments, network nodes implement access and mobility functions (AMF).

[0196] In some embodiments, the interface is a PC5 interface.

[0197] Figure 16 illustrates a method performed by a network node serving a relay radio communication device. This method includes sending a request to an authentication server for authentication of a remote radio communication device (block 1600). In this case, the request asks for the reuse of a neighbor service relay user key to derive a shared key to secure the interface between the remote radio communication device and the relay radio communication device, and the relay radio communication device is configured to relay traffic for the remote radio communication device.

[0198] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0199] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0200] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0201] In some embodiments, the method further includes receiving a response to the request from the authentication server (block 1610). In this case, the response includes a shared key and indicates that the Neighbor Service Relay User Key should be reused to derive the shared key.

[0202] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0203] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0204] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0205] In some embodiments, network nodes implement access and mobility functions (AMF).

[0206] In some embodiments, the interface is a PC5 interface.

[0207] Figure 17 illustrates the method performed by the authentication server. This method includes receiving a request for authentication of a remote radio communication device (block 1700). In this case, the request asks for the reuse of a neighbor service relay user key to derive a shared key to secure the interface between the remote radio communication device and the relay radio communication device, and the relay radio communication device is configured to relay traffic for the remote radio communication device.

[0208] In some embodiments, the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of a remote wireless communication device.

[0209] In some embodiments, the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device.

[0210] In some embodiments, the Nearby Service Relay User Key is based on and / or unique to a primary authentication procedure for primary authentication of a remote wireless communication device.

[0211] In some embodiments, the method further includes sending a response to the request (block 1710). In this case, the response includes a shared key and indicates that the Neighbor Service Relay User Key should be reused to derive the shared key.

[0212] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0213] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0214] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0215] In some embodiments, requests are received from the Access and Mobility Function (AMF).

[0216] In some embodiments, the interface is a PC5 interface.

[0217] In some embodiments, the method further includes sending a request for authentication certification for a remote wireless communication device to a data management node. In this case, the request for authentication certification requests the reuse of a Nearby Service Relay User Key. In one or more of these embodiments, the method further includes receiving a response from the data management node to the request for authentication certification. In this case, the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In some embodiments, the method further includes obtaining a shared key as derived from the Nearby Service Relay User Key and sending a response to the request for authentication. In this case, the response to the request for authentication includes the obtained shared key and indicates that the Nearby Service Relay User Key should be reused to derive the shared key. In one or more of these embodiments, obtaining the shared key includes retrieving the Nearby Service Relay User Key from local storage in the authentication server and deriving the shared key from the retrieved Nearby Service Relay User Key. In one or more of these embodiments, obtaining a shared key includes forwarding a request for authentication to another authentication server where the Nearby Service Relay User Key is stored, and receiving a shared key from the other authentication server as derived from the Nearby Service Relay User Key. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In this case, the method generates a Nearby Service Relay User Key based on key material derived during authentication of a remote radio communication device, further comprising the authentication of the remote radio communication device generating a Nearby Service Relay User Key based on the authentication certificate, deriving a shared key from the generated Nearby Service Relay User Key, and transmitting a response to the request for authentication. In this case, the response to the request for authentication includes the derived shared key.In one or more of these embodiments, the response to the authentication request indicates that the Nearby Service Relay User Key should not be reused to derive a shared key. Alternatively or additionally, the method may further include, after generating the Nearby Service Relay User Key, sending a signaling to the data management node indicating that the Nearby Service Relay User Key for a remote wireless communication device is available for reuse and indicating the identity of the authentication server where the Nearby Service Relay User Key is stored.

[0218] Figure 18 illustrates the method performed by the authentication server. This method includes sending a request for authentication certification for a remote radio communication device to the data management node (block 1800). In this case, the request for authentication certification requests the reuse of a neighbor service relay user key to derive a shared key for protecting the interface between the remote radio communication device and a relay radio communication device configured to relay traffic for the remote radio communication device.

[0219] In some embodiments, the request is received from a network node serving a relay wireless communication device. In other embodiments, the request is received from a separate authentication server.

[0220] In some embodiments, the method further includes receiving a response from a data management node to a request for authentication (block 1810). In this case, the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In this case, the method further includes obtaining a shared key as derived from the Nearby Service Relay User Key and sending a response to the request for authentication to a network node. In this case, the response to the request for authentication includes the obtained shared key and indicates that the Nearby Service Relay User Key should be reused to derive the shared key. In one or more of these embodiments, obtaining the shared key includes retrieving the Nearby Service Relay User Key from local storage in the authentication server and deriving the shared key from the retrieved Nearby Service Relay User Key. In one or more of these embodiments, obtaining the shared key includes forwarding the request for authentication to another authentication server where the Nearby Service Relay User Key is stored and receiving the shared key from the other authentication server as derived from the Nearby Service Relay User Key.

[0221] In some embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In this case, the method further includes generating a Nearby Service Relay User Key based on key material derived during authentication of a remote wireless communication device. In this case, authentication of the remote wireless communication device is based on the authentication certificate. The method further includes deriving a shared key from the generated Nearby Service Relay User Key and sending a response to the authentication request to a network node. In this case, the response to the authentication request includes the derived shared key. In one or more of these embodiments, the response to the authentication request indicates that the Nearby Service Relay User Key should not be reused to derive the shared key.

[0222] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0223] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0224] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0225] In some embodiments, network nodes implement access and mobility functions (AMF).

[0226] In some embodiments, the interface is a PC5 interface.

[0227] Figure 19 illustrates the method performed by the data management node. This method includes receiving a request for authentication certification for a remote radio communication device from the authentication server (block 1900). In this case, the request for authentication certification requests the reuse of a neighbor service relay user key to derive a shared key which is to protect the interface between the remote radio communication device and a relay radio communication device configured to relay traffic for the remote radio communication device.

[0228] In some embodiments, the method further includes sending a response to the request to an authentication server (block 1910). In this case, the response indicates whether the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is available for reuse. In one or more of these embodiments, the response indicates the identification information of the authentication server where the Nearby Service Relay User Key is stored. In one or more of these embodiments, the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. In one or more of these embodiments, the method further includes, after sending the response, receiving a signaling indicating the identification information of the authentication server where the Nearby Service Relay User Key is stored, and storing information in the data management node indicating that the Nearby Service Relay User Key for a remote wireless communication device is available for reuse and indicating the identification information of the authentication server where the Nearby Service Relay User Key is stored.

[0229] In some embodiments, the method further includes determining whether a Nearby Service Relay User Key is available for reuse, based on information in a data management node indicating whether a Nearby Service Relay User Key is stored for a remote wireless communication device.

[0230] In some embodiments, the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK).

[0231] In some embodiments, the relay wireless communication device is a Layer 3 UE-network relay.

[0232] In some embodiments, the shared key is key K NR_ProSe That is the case.

[0233] In some embodiments, the interface is a PC5 interface.

[0234] The embodiments described herein also include corresponding devices. The embodiments described herein include, for example, a wireless communication device configured to perform any of the steps of the embodiments described above with respect to a remote wireless communication device or a relay wireless communication device.

[0235] The embodiments also include a wireless communication device comprising a processing circuit and a power supply circuit. The processing circuit is configured to perform any of the steps of the embodiments described above for a remote wireless communication device or a relay wireless communication device. The power supply circuit is configured to supply power to the wireless communication device.

[0236] The embodiments further include a wireless communication device comprising a processing circuit. The processing circuit is configured to perform any of the steps of the embodiments described above for a remote wireless communication device or a relay wireless communication device. In some embodiments, the wireless communication device further comprises a communication circuit.

[0237] The embodiment further includes a wireless communication device comprising a processing circuit and a memory. The memory contains instructions that can be executed by the processing circuit, thereby configuring the wireless communication device to perform any of the steps of the embodiments described above for a remote wireless communication device or a relay wireless communication device.

[0238] Embodiments also include a user equipment (UE). The UE includes an antenna configured to transmit and receive radio signals. The UE also includes a radio front-end circuit connected to the antenna and the processing circuit and configured to condition signals communicated between the antenna and the processing circuit. The processing circuit is configured to execute any of the steps of any of the embodiments described above for a remote radio communication device or a relay radio communication device. In some embodiments, the UE also includes an input interface connected to the processing circuit and configured to enable information input to the UE to be processed by the processing circuit. The UE may include an output interface connected to the processing circuit and configured to output information from the UE processed by the processing circuit. The UE may also include a battery connected to the processing circuit and configured to supply power to the UE.

[0239] Embodiments herein also include a proximity service anchor node configured to execute any of the steps of any of the embodiments described above for the proximity service anchor node.

[0240] Embodiments also include a proximity service anchor node including a processing circuit and a power supply circuit. The processing circuit is configured to execute any of the steps of any of the embodiments described above for the proximity service anchor node. The power supply circuit is configured to supply power to the proximity service anchor node.

[0241] Embodiments further include a proximity service anchor node including a processing circuit. The processing circuit is configured to execute any of the steps of any of the embodiments described above for the proximity service anchor node. In some embodiments, the proximity service anchor node further includes a communication circuit.

[0242] The embodiment further includes a proximity service anchor node including a processing circuit and a memory. The memory includes instructions executable by the processing circuit, whereby the proximity service anchor node is configured to execute any of the steps of any of the embodiments described above for the proximity service anchor node.

[0243] The embodiments herein also include an authentication server configured to execute any of the steps of any of the embodiments described above for the authentication server.

[0244] The embodiment also includes an authentication server including a processing circuit and a power supply circuit. The processing circuit is configured to execute any of the steps of any of the embodiments described above for the authentication server. The power supply circuit is configured to supply power to the authentication server.

[0245] The embodiment further includes an authentication server including a processing circuit. The processing circuit is configured to execute any of the steps of any of the embodiments described above for the authentication server. In some embodiments, the authentication server further includes a communication circuit.

[0246] The embodiment further includes an authentication server including a processing circuit and a memory. The memory includes instructions executable by the processing circuit, whereby the authentication server is configured to execute any of the steps of any of the embodiments described above for the authentication server.

[0247] The embodiments herein also include a network node 24 configured to execute any of the steps of any of the embodiments described above for the network node 24.

[0248] The embodiment also includes an authentication server comprising a processing circuit and a power supply circuit. The processing circuit is configured to perform any of the steps of the embodiments described above with respect to the network node 24. The power supply circuit is configured to supply power to the network node 24.

[0249] The embodiment further includes a network node 24 having a processing circuit. The processing circuit is configured to perform any of the steps of the embodiments described above with respect to the network node 24. In some embodiments, the network node 24 further includes a communication circuit.

[0250] The embodiment further includes a network node 24 comprising a processing circuit and a memory. The memory contains instructions that can be executed by the processing circuit, thereby configuring the network node 24 to perform any of the steps of the embodiments described above.

[0251] Embodiments of this specification also include a data management node 40 configured to perform any of the steps of the embodiments described above.

[0252] The embodiment also includes a data management node 40 comprising a processing circuit and a power supply circuit. The processing circuit is configured to perform any of the steps of the embodiments described above with respect to the data management node 40. The power supply circuit is configured to supply power to the data management node 40.

[0253] The embodiment further includes a data management node 40 comprising a processing circuit. The processing circuit is configured to perform any of the steps of the embodiments described above with respect to the data management node 40. In some embodiments, the wireless data management node 40 further comprises a communication circuit.

[0254] The embodiment further includes a data management node 40 comprising a processing circuit and a memory. The memory contains instructions that can be executed by the processing circuit, thereby configuring the data management node 40 to perform any of the steps of the embodiments described above.

[0255] More specifically, the apparatus described above may perform the methods and any other processes described herein by implementing any functional means, modules, units, or circuits. In one embodiment, for example, the apparatus comprises a circuit or circuitry configured to perform the steps shown in the diagram of the method. The circuit or circuitry may comprise one or more microprocessors, along with circuits and / or memories dedicated to performing a certain functional process. For example, the circuit may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include a digital signal processor (DSP), dedicated digital logic, etc. The processing circuit may be configured to execute program code stored in memory, which may include one or more types of memory, such as read-only memory (ROM), random access memory, cache memory, flash memory devices, optical storage devices, etc. The program code stored in memory may, in some embodiments, include program instructions for executing one or more communication and / or data communication protocols, as well as instructions for performing one or more of the techniques described herein. In embodiments employing memory, the memory stores program code that performs the techniques described herein when executed by one or more processors.

[0256] Figure 20 shows, for example, a wireless communication device 2000 implemented according to one or more embodiments. The wireless communication device 2000 may be a remote wireless communication device or a relay wireless communication device. As shown in the figure, the wireless communication device 2000 includes a processing circuit 2010 and a communication circuit 2020. The communication circuit 2020 (for example, a wireless circuit) is configured to transmit and / or receive information from one or more other nodes, for example, via any communication technology. Such communication may occur via one or more antennas located either inside or outside the wireless communication device 2000. The processing circuit 2010 is configured to perform the processing described above, for example, in Figures 12, 13, and / or 14, by executing instructions stored in memory 2030, for example. The processing circuit 2010 may implement several functional means, units, or modules in this regard.

[0257] Figure 21 shows a neighbor service anchor node 30 implemented according to one or more embodiments. As shown, the neighbor service anchor node 30 includes a processing circuit 2110 and a communication circuit 2120. The communication circuit 2120 is configured to transmit and / or receive information from one or more other nodes, for example, via any communication technology. The processing circuit 2110 is configured to perform the processing described above, for example, in Figure 9, by executing instructions stored in memory 2130. The processing circuit 2110 may implement several functional means, units, or modules in this regard.

[0258] Figure 22 shows an authentication server 32 implemented according to one or more embodiments. As shown, the authentication server 32 includes a processing circuit 2210 and a communication circuit 2220. The communication circuit 2220 is configured, for example, to send information to and / or receive from one or more other nodes via any communication technology. The processing circuit 2210 is configured to perform the processing described above, for example, in Figures 10, 17, and / or 18, by executing instructions stored in memory 2230. The processing circuit 2210 may implement several functional means, units, or modules in this regard.

[0259] Figure 23 shows a network node 24 implemented according to one or more embodiments. As shown, the network node 24 includes a processing circuit 2310 and a communication circuit 2320. The communication circuit 2320 is configured to transmit and / or receive information from one or more other nodes, for example, via any communication technology. The processing circuit 2310 is configured to perform the processing described above, for example, in Figures 11, 15, and / or 16, by executing instructions stored in memory 2330. The processing circuit 2310 may implement several functional means, units, or modules in this regard.

[0260] Figure 24 shows a data management node 40 implemented according to one or more embodiments. As shown, the data management node 40 includes a processing circuit 2410 and a communication circuit 2420. The communication circuit 2420 is configured to transmit and / or receive information from one or more other nodes, for example, via any communication technology. The processing circuit 2410 is configured to perform the processing described above, for example, in Figure 19, by executing instructions stored in memory 2430. The processing circuit 2410 may implement several functional means, units, or modules in this regard.

[0261] Those skilled in the art will also understand that the embodiments of this specification further include corresponding computer programs.

[0262] When executed on at least one processor of the device, the computer program comprises instructions for causing the device to perform any of the respective processes described above. In this regard, the computer program may comprise one or more code modules corresponding to the means or units described above.

[0263] The embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, an optical signal, a wireless signal, or a computer-readable storage medium.

[0264] In this regard, the embodiments of this specification also include a computer program product stored in a non-transitory computer-readable (storage or recording) medium and comprising instructions for causing the device to be executed as described above when executed by a processor of the device.

[0265] The embodiments further include a computer program product comprising a program code portion for executing any of the steps of the embodiments of this specification when the computer program product is executed by a computing device. This computer program product may be stored in a computer-readable recording medium.

[0266] FIG. 25 shows an example of a communication system 2500 according to some embodiments.

[0267] In this example, the communication system 2500 includes a communication network 2502 which includes an access network 2504 such as a radio access network (RAN) and a core network 2506 which includes one or more core network nodes 2508. The access network 2504 includes one or more access network nodes (one or more of which may commonly be referred to as network nodes 2510), such as network nodes 2510a and 2510b, or any other similar Third Generation Partnership Project (3GPP) access nodes or non-3GPP access points. The network nodes 2510 facilitate direct or indirect connections of user equipment (UEs), such as by connecting UEs 2512a, 2512b, 2512c, and 2512d (one or more of which may commonly be referred to as UE2512) to the core network 2506 over one or more wireless connections.

[0268] Exemplary wireless communication over a wireless connection involves transmitting and / or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and / or other types of signals suitable for transmitting information without using wires, cables, or other material conductors. Furthermore, in different embodiments, the communication system 2500 may include any number of wired or wireless networks, network nodes, UEs, and / or any other components or systems that can facilitate or participate in the communication of data and / or signals, whether via a wired or wireless connection. The communication system 2500 may include and / or interface with any type of communication, telecommunication, data, cellular, wireless network, and / or other similar types of systems.

[0269] UE2512 may be any of a wide variety of communication devices, including a wireless device configured, set up, and / or operable to communicate wirelessly with network node 2510 and other communication devices. Similarly, network node 2510 is configured, capable, set up, and / or operable to communicate directly or indirectly with UE2512 and with other network nodes or devices in communication network 2502 to enable and / or provide network access, such as wireless network access, and / or to perform other functions, such as administration in communication network 2502.

[0270] In the illustrated example, the core network 2506 connects network node 2510 to one or more hosts, such as host 2516. These connections may be direct or indirect, via one or more intermediate networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network 2506 includes one or more core network nodes (e.g., core network node 2508) structured with hardware and software components. The characteristics of these components may be substantially similar to those described with respect to the UE, network nodes, and / or hosts, and therefore, their descriptions are generally applicable to the corresponding components of core network node 2508. An exemplary core network node includes one or more of the following functions: Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing Function (SIDF), Unified Data Management (UDM), Security Edge Protected Proxy (SEPP), Network Exposure Function (NEF), and / or User Plane Function (UPF).

[0271] Host 2516 may be owned or under the control of a service provider other than the operator or provider of the access network 2504 and / or the communication network 2502, and may be operated by or on behalf of the service provider. Host 2516 may host a variety of applications to provide one or more services. Examples of such applications include data acquisition services such as extracting and compiling live and pre-recorded audio / video content, data on various ambient conditions detected by multiple UEs, analytical functions, social media, functions for controlling or possibly interacting with remote devices, functions for alarms and surveillance centers, or any other such functions performed by the server.

[0272] Overall, the communication system 2500 in Figure 25 enables connectivity between the UE, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, including, but not limited to, any other suitable wireless communication standards, such as GSM (Global System for Mobile Communications), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE), and / or other suitable 2G, 3G, 4G, 5G standards, or any applicable future-generation standard (e.g., 6G), wireless local area network (WLAN) standards such as the IEEE 802.11 standard (WiFi), and / or any other suitable wireless communication standards such as global interoperability for microwave access (WiMAX), Bluetooth, Z-Wave, near-field communications (NFC) ZigBee, LiFi, and / or LoRa and Sigfox, or any low-power wide area network (LPWAN) standards.

[0273] In some examples, the communication network 2502 is a cellular network implementing 3GPP standardized features. Therefore, the communication network 2502 may support network slicing to provide different logical networks to different devices connected to the communication network 2502. For example, the communication network 2502 may provide ultra-high reliability low latency communication (URLLC) services to some UEs while providing extended mobile broadband (eMBB) services to other UEs, and / or also provide massive machine-type communication (mMTC) / massive IoT services to further UEs.

[0274] In some examples, UE2512 is configured to transmit and / or receive information without direct human interaction. For example, the UE may be designed to transmit information to access network 2504 on a predetermined schedule when triggered by an internal or external event, or in response to a request from access network 2504. Furthermore, the UE may be configured to operate in single, multi-RAT, or multi-standard modes. For example, the UE may operate with one or a combination of Wi-Fi, NR (New Radio), and LTE, i.e., it may be configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Enhanced UMTS Terrestrial Radio Access Network) New Radio-Dual Connectivity (EN-DC).

[0275] In this example, hub 2514 communicates with access network 2504 to facilitate indirect communication between one or more UEs (e.g., UE2512c and / or 2512d) and a network node (e.g., network node 2510b). In some examples, hub 2514 may be a controller, router, content source and content analysis, or any other communication device described herein with respect to the UE. For example, hub 2514 may be a broadband router that enables access to the core network 2506 for the UE. In another example, hub 2514 may be a controller that sends commands or instructions to one or more actuators in the UE. Commands or instructions may be received from the UE, network node 2510, or by executable code, scripts, processes, or other instructions in hub 2514. In yet another example, hub 2514 may be a data collector acting as temporary storage for UE data, and in some embodiments may perform data analysis or other processing. In yet another example, hub 2514 may be a content source. For example, with respect to a UE that is a VR headset, display, loudspeaker, or other media distribution device, the hub 2514 can retrieve VR assets, video, audio, or other media or data related to sensory information via network nodes, which the hub 2514 then provides to the UE either directly, after performing local processing, and / or after adding additional local content. In yet another example, the hub 2514 acts as a proxy server or orchestrator for the UE, particularly when one or more of the UEs are low-energy IoT devices.

[0276] Hub 2514 may have always-on / persistent or intermittent connectivity to network node 2510b. Hub 2514 may also enable different communication methods and / or schedules between Hub 2514 and UEs (e.g., UE2512c and / or 2512d), and between Hub 2514 and the core network 2506. In other examples, Hub 2514 connects to the core network 2506 and / or one or more UEs via wired connections. Furthermore, Hub 2514 may be configured to connect to an M2M service provider on the access network 2504 and / or another UE via a direct connection. In some scenarios, a UE may establish a wireless connection with network node 2510 while still being connected via wired or wireless connections through Hub 2514. In some embodiments, Hub 2514 may be a dedicated hub, i.e., a hub whose primary function is to route communications from UEs to network node 2510b and from network node 2510b to UEs. In other embodiments, the hub 2514 may be a non-dedicated hub, i.e., a device that can operate to route communication between the UE and the network node 2510b, but can also operate as a communication start and / or end point for several data channels.

[0277] Figure 26 shows the UE2600 in several embodiments. As used herein, UE refers to a device that is capable of, configured, and / or operable of communicating wirelessly with network nodes and / or other UEs. Examples of UEs include, but are not limited to, smartphones, mobile phones, cell phones, voice over IP (VoIP) phones, wireless local loop phones, desktop computers, personal digital assistants (PDAs), wireless cameras, gaming consoles or devices, music storage devices, playback devices, wearable terminal devices, wireless endpoints, mobile stations, tablets, laptop computers, laptop embedded devices (LEEs), laptop mounted devices (LMEs), smart devices, wireless customer premises equipment (CPEs), and vehicle-mounted or vehicle-embedded / integrated wireless devices. Other examples include any UE identified by the Third Generation Partnership Project (3GPP), including narrowband Internet of Things (NB-IoT) UEs, machine-type communications (MTC) UEs, and / or enhanced MTC (eMTC) UEs.

[0278] A UE may support device-to-device (D2D) communication by implementing 3GPP standards for sidelink communication, dedicated short-range communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE does not necessarily have a user in the sense of a human user who owns and / or operates the associated device. Instead, a UE may represent a device (e.g., a smart sprinkler controller) that is intended to be sold to or operated by a human user, but may not be associated with a particular human user, or may not be initially associated with a particular human user. Alternatively, a UE may represent a device (e.g., a smart electricity meter) that is not intended to be sold to or operated by an end user, but may be associated with a user or may operate for the user's benefit.

[0279] The UE2600 includes processing circuitry 2602 operably coupled via bus 2604 to input / output interface 2606, power supply 2608, memory 2610, communication interface 2612, and / or any other components, or any combination thereof. Some UEs may utilize all or a subset of the components shown in Figure 26. The level of integration between components may vary from UE to UE. Furthermore, some UEs may include multiple instances of components, such as multiple processors, memories, transceivers, transmitters, and receivers.

[0280] The processing circuit 2602 is configured to process instructions and data and may be configured to implement any sequential state machine capable of executing instructions stored in memory 2610 as a machine-readable computer program. The processing circuit 2602 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), etc.), programmable logic with appropriate firmware, a microprocessor or digital signal processor (DSP) with appropriate software, one or more stored computer programs, a general-purpose processor, or any combination of the above. For example, the processing circuit 2602 may include multiple central processing units (CPUs).

[0281] In this example, the input / output interface 2606 may be configured to provide an input device, an output device, or one or more interfaces to one or more input and / or output devices. Examples of output devices include speakers, sound cards, video cards, displays, monitors, printers, actuators, emitters, smart cards, other output devices, or any combination thereof. Input devices may allow a user to capture information to the UE2600. Examples of input devices include touch-sensitive or presence-sensitive displays, cameras (e.g., digital cameras, digital video cameras, webcams, etc.), microphones, sensors, mice, trackballs, directional pads, trackpads, scroll wheels, smart cards, etc. A presence-sensitive display may include a capacitive or resistive touch sensor for detecting user input. Sensors may include, for example, an accelerometer, gyroscope, tilt sensor, force sensor, magnetometer, light sensor, proximity sensor, biosensor, or any combination thereof. Output devices may use the same type of interface port as input devices. For example, a Universal Serial Bus (USB) port may be used to provide input and output devices.

[0282] In some embodiments, the power supply 2608 is structured as a battery or battery pack. Other types of power sources may be used, such as an external power source (e.g., an electrical outlet), a photovoltaic device, or a battery. The power supply 2608 may further include a power circuit for distributing power from the power supply 2608 itself and / or from an external power source via an interface such as an input circuit or power cable. Distributing power may, for example, be for charging the power supply 2608. The power circuit may perform any formatting, conversion, or other modifications to the power from the power supply 2608 to make that power suitable for each component of the UE2600 being powered.

[0283] Memory 2610 may be memory, or configured to contain memory, such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, etc. For example, memory 2610 may contain one or more application programs 2614, such as an operating system, a web browser application, a widget, a gadget engine, or other application, and corresponding data 2616. Memory 2610 may store any of a variety of operating systems or combinations of operating systems for use by the UE2600.

[0284] Memory 2610 may be configured to include several physical drive units, such as a redundant array of independent disks (RAID), flash memory, USB flash drives, external hard disk drives, thumb drives, pen drives, key drives, high-density digital versatile disk (HD-DVD) optical disk drives, internal hard disk drives, Blu-ray optical disk drives, holographic digital data storage (HDDS) optical disk drives, external mini dual in-line memory modules (DIMMs), synchronous dynamic random access memory (SDRAM), external microDIMM SDRAM, smart card memory such as a tamper-proof module in the form of a universal integrated circuit card (UICC) containing one or more subscriber identification modules (SIMs) such as USIM and / or ISIM, other memory, or any combination thereof. The UICC may be, for example, an embedded UICC (eUICC), an integrated UICC (iUICC), or a removable UICC commonly known as a "SIM card". Memory 2610 may enable UE2600 to access instructions, application programs, etc., stored in temporary or non-temporary memory media, to offload data, or to upload data. Products such as products utilizing a communication system may be tangibly embodied as memory 2610 or within memory 2610, and memory 2610 may be a device-readable storage medium or comprise a device-readable storage medium.

[0285] The processing circuit 2602 may be configured to communicate with an access network or other networks using a communication interface 2612. The communication interface 2612 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 2622. The communication interface 2612 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or network node in the access network). Each transceiver may include a transmitter 2618 and / or receiver 2620 suitable for providing network communication (e.g., optical, electrical, frequency-allocated, etc.). Furthermore, the transmitter 2618 and receiver 2620 may be coupled to one or more antennas (e.g., antenna 2622) and may share circuit components, software or firmware, or alternatively, may be implemented separately.

[0286] In the embodiments shown, the communication functions of the communication interface 2612 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communication such as Bluetooth, near-field communication, location-based communication such as the use of the Global Positioning System (GPS) to determine location, other similar communication functions, or any combination thereof. The communication may be implemented in accordance with one or more communication protocols and / or standards, such as IEEE 802.11, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMAX, Ethernet, Transmission Control Protocol / Internet Protocol (TCP / IP), Synchronous Optical Networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), etc.

[0287] Regardless of the sensor type, the UE may provide the output of data captured by the UE's sensors to network nodes via a wireless connection through the UE's communication interface 2612. The data captured by the UE's sensors may be communicated to network nodes via another UE through a wireless connection. The output may be periodic (e.g., once every 15 minutes if reporting detected temperature), in response to a triggering event (e.g., an alarm is sent when humidity is detected), in response to a request (e.g., a user-initiated request), random (e.g., to equalize the load from reports from several sensors), or a continuous stream (e.g., a live video feed of a patient).

[0288] As another example, the UE may include an actuator, motor, or switch relating to a communication interface configured to receive radio input from a network node via a wireless connection. In response to the received radio input, the state of the actuator, motor, or switch may change. For example, the UE may include a motor that adjusts the control surface or rotor of a drone in flight according to the received input, or a robotic arm that performs a medical procedure according to the received input.

[0289] A UE, in the form of an Internet of Things (IoT) device, can be a device for use in one or more application areas, which include, but are not limited to, urban wearable technology, augmented industrial applications, and healthcare. Non-limiting examples of such IoT devices are devices that are connected refrigerators or freezers, TVs, connected lighting devices, energy meters, robotic vacuum cleaners, voice-controlled smart speakers, home security cameras, motion detectors, thermostats, smoke detectors, door / window sensors, flood / humidity sensors, electronic door locks, connected doorbells, air conditioning systems such as heat pumps, autonomous vehicles, surveillance systems, weather monitoring devices, vehicle parking monitoring devices, electric vehicle charging stations, smartwatches, fitness trackers, head-mounted displays for augmented reality (AR) or virtual reality (VR), wearables for haptic augmentation or perceptual augmentation, water sprinklers, animal or product tracking devices, sensors for monitoring plants or animals, industrial robots, unmanned aerial vehicles (UAVs), and any kind of medical device such as a heart rate monitor or remotely controlled surgical robot, or devices embedded in them. The UE in the form of an IoT device comprises circuitry and / or software depending on the intended application of the IoT device, in addition to the other components described with respect to the UE2600 shown in Figure 26.

[0290] In another specific example, in an IoT scenario, a UE may represent a machine or other device that performs monitoring and / or measurement and transmits the results of such monitoring and / or measurement to another UE and / or network node. In this case, the UE could be an M2M device, which is sometimes called an MTC device in a 3GPP context. In one specific example, the UE may implement the 3GPP NB-IoT standard. In other scenarios, the UE may represent a vehicle, such as a car, bus, truck, ship, and airplane, or other equipment capable of monitoring its operational status and / or reporting on its operational status, or other functions associated with its operation.

[0291] In practice, any number of UEs can be used together for a single use case. For example, the first UE may be the drone itself, or integrated within the drone, providing the drone's speed information (obtained through a speed sensor) to the second UE, which is the remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (for example, by controlling an actuator) to increase or decrease the drone's speed. The first and / or second UEs may also include two or more of the functions described above. For example, the UE may have sensors and actuators and handle the communication of data about both the speed sensor and the actuator.

[0292] Figure 27 shows a network node 2700 according to several embodiments. As used herein, a network node refers to a device that is configured, set up, and / or operable to communicate directly or indirectly with UEs in a communication network and / or with other network nodes or devices. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points) and base stations (BSs) (e.g., radio base stations, node Bs, evolved node Bs (eNBs), and NR node Bs (gNBs)).

[0293] Base stations can be categorized based on the amount of coverage they provide (or, in other words, the base station's transmit power level), and are therefore sometimes called femto base stations, pico base stations, micro base stations, or macro base stations, depending on the amount of coverage they provide. A base station can be a relay node or relay donor node that controls relays. Network nodes can also include one or more (or all) parts of a distributed radio base station, such as a centralized digital unit and / or remote radio unit (RRU), sometimes called a remote radio head (RRH). Such remote radio units may or may not be integrated with an antenna as an antenna-integrated radio. Parts of a distributed radio base station are sometimes called nodes in a distributed antenna system (DAS).

[0294] Other examples of network nodes include multiple transmit point (multi-TRP) 5G access nodes, MSR equipment such as multi-standard radio (MSR) BS, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base station transceiver stations (BTSs), transmit points, transmit nodes, multi-cell / multicast cooperative entities (MCEs), operation and maintenance (O&M) nodes, operation support system (OSS) nodes, self-organizing network (SON) nodes, positioning nodes (e.g., evolved serving mobile location centers (E-SMLCs)), and / or drive test minimization (MDT).

[0295] Network node 2700 includes a processing circuit 2702, a memory 2704, a communication interface 2706, and a power supply 2708. Network node 2700 can be assembled from multiple physically distinct components (e.g., node B components and RNC components, or BTS components and BSC components), each of which may have its own respective components. In some scenarios where network node 2700 has multiple distinct components (e.g., BTS components and BSC components), one or more of the distinct components may be shared among several network nodes. For example, a single RNC may control multiple node Bs. In such a scenario, each unique node B-RNC pair may, in some cases, be considered a single distinct network node. In some embodiments, network node 2700 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory 2704 for different RATs), and some components may be reused (e.g., the same antenna 2710 may be shared by different RATs). The network node 2700 may also include multiple sets of various indicated components for different wireless technologies, such as GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID), or Bluetooth wireless technologies, which are integrated into the network node 2700. These wireless technologies may be integrated into the same or different chips or sets of chips, and other components within the network node 2700.

[0296] The processing circuit 2702 may include one or more combinations of microprocessors, controllers, microcontrollers, central processing units, digital signal processors, application-specific integrated circuits, field-programmable gate arrays, or any other suitable computing devices, resources, or combinations of hardware, software, and / or encoded logic, which are capable of operating to provide network node 2700 functionality, either on its own or in combination with other network node 2700 components such as memory 2704.

[0297] In some embodiments, the processing circuit 2702 includes a system-on-a-chip (SOC). In some embodiments, the processing circuit 2702 includes one or more of the radio frequency (RF) transceiver circuit 2712 and the baseband processing circuit 2714. In some embodiments, the radio frequency (RF) transceiver circuit 2712 and the baseband processing circuit 2714 may be on separate chips (or sets of chips), boards, or units such as radio and digital units. In alternative embodiments, some or all of the RF transceiver circuit 2712 and the baseband processing circuit 2714 may be on the same chip or set of chips, board, or unit.

[0298] Memory 2704 may include, but is not limited to, any form of volatile or non-volatile computer-readable memory, including persistent storage, solid memory, remote-mount memory, magnetic media, optical media, random-access memory (RAM), read-only memory (ROM), mass storage media (e.g., hard disk), removable storage media (e.g., flash drive, compact disc (CD), or digital video disc (DVD)), and / or any other volatile or non-volatile, non-temporary device-readable and / or computer-executable memory device for storing information, data, and / or instructions that may be used by the processing circuit 2702. Memory 2704 may store any suitable instructions, data, or information, including other instructions that may be executed by the processing circuit 2702 and utilized by the network node 2700, including applications that include one or more computer programs, software, logic, rules, code, and tables. Memory 2704 may be used to store calculations performed by the processing circuit 2702 and / or data received via the communication interface 2706. In some embodiments, the processing circuit 2702 and the memory 2704 are integrated.

[0299] Communication interface 2706 is used in wired or wireless signaling and / or data between network nodes, access networks, and / or UEs. As shown, communication interface 2706 includes (one or more) ports / (one or more) terminals 2716 for sending and receiving data to and from the network, for example, over a wired connection. Communication interface 2706 also includes a wireless front-end circuit 2718, which is coupled to or, in some embodiments, may be part of antenna 2710. The wireless front-end circuit 2718 includes a filter 2720 and an amplifier 2722. The wireless front-end circuit 2718 may be connected to antenna 2710 and processing circuit 2702. The wireless front-end circuit may be configured to adjust signals communicated between antenna 2710 and processing circuit 2702. The wireless front-end circuit 2718 may receive digital data to be sent to other network nodes or UEs via the wireless connection. The wireless front-end circuit 2718 can convert digital data into a radio signal with appropriate channel and bandwidth parameters using a combination of filter 2720 and / or amplifier 2722. The radio signal can then be transmitted via antenna 2710. Similarly, when receiving data, antenna 2710 can collect a radio signal, which is then converted into digital data by the wireless front-end circuit 2718. The digital data can then be passed to processing circuit 2702. In other embodiments, the communication interface may comprise different components and / or different combinations of components.

[0300] In some alternative embodiments, the network node 2700 does not include a separate radio front-end circuit 2718; instead, the processing circuit 2702 includes the radio front-end circuit and is connected to the antenna 2710. Similarly, in some embodiments, all or part of the RF transceiver circuit 2712 is part of the communication interface 2706. In yet another embodiment, the communication interface 2706, as part of a radio unit (not shown), includes one or more ports or terminals 2716, the radio front-end circuit 2718, and the RF transceiver circuit 2712, and the communication interface 2706 communicates with a baseband processing circuit 2714, which is part of a digital unit (not shown).

[0301] Antenna 2710 may include one or more antennas or antenna arrays configured to transmit and / or receive radio signals. Antenna 2710 may be coupled to the radio front-end circuit 2718 and may be any type of antenna capable of wirelessly transmitting and receiving data and / or signals. In some embodiments, antenna 2710 is separate from the network node 2700 and can be connected to the network node 2700 through an interface or port.

[0302] Antenna 2710, communication interface 2706, and / or processing circuit 2702 may be configured to perform any receiving operations and / or certain acquisition operations as described herein as being performed by a network node. Any information, data, and / or signals may be received from the UE, another network node, and / or any other network equipment. Similarly, antenna 2710, communication interface 2706, and / or processing circuit 2702 may be configured to perform any transmitting operations as described herein as being performed by a network node. Any information, data, and / or signals may be transmitted to the UE, another network node, and / or any other network equipment.

[0303] Power supply 2708 provides power to various components of network node 2700 in a form suitable for each component (for example, at the voltage and current levels required for each respective component). Power supply 2708 may further include, or be coupled to, a power management circuit for supplying power to the components of network node 2700 to perform the functions described herein. For example, network node 2700 may be connectable to an external power source (e.g., a power grid, an electrical outlet) via an input circuit or interface such as an electrical cable, thereby the external power source powers the power circuit of power supply 2708. As a further example, power supply 2708 may include a power source in the form of a battery or battery pack, connected to or integrated into the power circuit. The battery may provide backup power in the event of an external power failure.

[0304] Embodiments of the network node 2700 may include additional components other than those shown in Figure 27 to provide several aspects of the network node's functionality, including any of the functions described herein and / or functions necessary to support the subject matter described herein. For example, the network node 2700 may include user interface equipment for enabling information input to and output from the network node 2700. This may enable a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node 2700.

[0305] Figure 28 is a block diagram of host 2800, which may be one embodiment of host 2516 of Figure 25, according to various aspects described herein. Host 2800 as used herein may be a variety of combinations of hardware and / or software, or comprise a variety of combinations of hardware and / or software, including standalone servers, blade servers, cloud implementation servers, distributed servers, virtual machines, containers, or processing resources in a server farm. Host 2800 may provide one or more services to one or more UEs.

[0306] The host 2800 includes a processing circuit 2802 operably coupled to an input / output interface 2806, a network interface 2808, a power supply 2810, and memory 2812 via a bus 2804. Other embodiments may include other components. The features of these components may be substantially the same as those described with respect to the devices in previous figures, such as Figures 26 and 27, and therefore their descriptions are generally applicable to the corresponding components of the host 2800.

[0307] Memory 2812 may include one or more computer programs, each containing one or more host application programs 2814 and data 2816, the data 2816 of which may include user data, for example, data generated by the UE for host 2800, or data generated by host 2800 for the UE. Embodiments of host 2800 may utilize only a subset or all of the components shown. Host application programs 2814 may be implemented in a container-based architecture and may provide support for video codecs (e.g., Multipurpose Video Coding (VVC), High Efficiency Video Coding (HEVC), Advanced Video Coding (AVC), MPEG, VP9) and audio codecs (e.g., FLAC, Advanced Audio Coding (AAC), MPEG, G.711), including transcoding for multiple different classes, types, or implementations of the UE (e.g., handsets, desktop computers, wearable display systems, heads-up display systems). The host application program 2814 may also provide user authentication and license checks, and may periodically report health, route, and content availability to a central node, such as a device in the core network or a device at the edge of the core network. Thus, host 2800 may select and / or indicate a different host for over-the-top services for the UE. The host application program 2814 may support various protocols, including HTTP Live Streaming (HLS), Real-Time Messaging Protocol (RTMP), Real-Time Streaming Protocol (RTSP), and Dynamic Adaptive Streaming over HTTP (MPEG-DASH).

[0308] Figure 29 is a block diagram showing a virtualized environment 2900 in which functions implemented by several embodiments may be virtualized. In this context, virtualization means creating a virtual version of an apparatus or device, which may include virtualizing hardware platforms, storage devices, and networking resources. The virtualization used herein may apply to any device or its components described herein and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functionality described herein may be implemented as virtual components, executed by one or more virtual machines (VMs) implemented in one or more virtualized environments 2900 hosted by one or more hardware nodes, such as network nodes, UEs, core network nodes, or hardware computing devices acting as hosts. Furthermore, in embodiments in which the virtual nodes do not require wireless connectivity (e.g., core network nodes or hosts), the nodes may be fully virtualized.

[0309] Application 2902 (which may alternatively be referred to as a software instance, virtual appliance, network function, virtual node, virtual network function, etc.) runs in the virtualized environment Q400 to implement some of the features, functions, and / or benefits of some of the embodiments disclosed herein.

[0310] Hardware 2904 includes processing circuits, memory for storing software and / or instructions executable by the hardware processing circuits, and / or other hardware devices described herein, such as network interfaces and input / output interfaces. The software is executed by the processing circuits to instantiate one or more virtualization layers 2906 (also called hypervisors or virtual machine monitors (VMMs)), providing VM2908a and 2908b (one or more of which may commonly be referred to as VM2908), and / or performing any of the functions, features, and / or benefits described with respect to some embodiments described herein. The virtualization layer 2906 may present VM2908 with a virtual operating platform that looks like networking hardware.

[0311] VM2908 features virtual processing, virtual memory, virtual networking or interfaces, and virtual storage, and may run on the corresponding virtualization layer 2906. Different embodiments of the virtual appliance 2902 example may be implemented on one or more of VM2908, and the implementation may be carried out in different ways. Hardware virtualization is referred to as network function virtualization (NFV) in several contexts. NFV can be used to consolidate many types of network equipment onto industry-standard high-volume server hardware, physical switches, and physical storage, which may reside in data centers and customer premises equipment.

[0312] In the context of NFV, a VM2908 can be a software implementation of a physical machine, where programs run as if they were running on a physical, non-virtualized machine. Each VM2908 and its portion of the hardware 2904 on which it runs, whether that hardware is dedicated to that VM and / or shared by that VM with other VMs in the VM, form a separate virtual network element. Furthermore, in the context of NFV, the virtual network function is responsible for handling specific network functions running in one or more VM2908s on the hardware 2904 and corresponds to application 2902.

[0313] Hardware 2904 may be implemented in a standalone network node with general or specific components. Hardware 2904 may implement some functions through virtualization. Alternatively, hardware 2904 may be part of a larger cluster of hardware (such as in a data center or CPE) where many hardware nodes cooperate and are managed via management and orchestration 2910, which oversees the lifecycle management of applications 2902. In some embodiments, hardware 2904 is coupled to one or more radio units, each including one or more transmitters and one or more receivers, which may be coupled to one or more antennas. The radio units may communicate directly with other hardware nodes via one or more suitable network interfaces and may be used in combination with virtual components to provide a virtual node with radio capabilities, such as a radio access node or base station. In some embodiments, some signaling may be provided using a control system 2912, which may be used alternatively for communication between hardware nodes and radio units.

[0314] Figure 30 shows a communication diagram of a host 3002 communicating with a UE 3006 via a network node 3004 over a partial wireless connection, according to several embodiments. Next, exemplary implementations of various embodiments of the UEs (such as UE2512a in Figure 25 and / or UE2600 in Figure 26), network nodes (such as network node 2510a in Figure 25 and / or network node 2700 in Figure 27), and hosts (such as host 2516 in Figure 25 and / or host 2800 in Figure 28), as described in the previous paragraph, will be described with reference to Figure 30.

[0315] Similar to host 2800, embodiments of host 3002 include hardware such as a communication interface, processing circuitry, and memory. Host 3002 also includes software that is stored in or accessible by host 3002 and executable by the processing circuitry. The software includes a host application that may be capable of operating to serve a remote user, such as UE3006 connected via an over-the-top (OTT) connection 3050 extending between UE3006 and host 3002. When serving a remote user, the host application may provide user data transmitted using the OTT connection 3050.

[0316] Network node 3004 includes hardware that enables network node 3004 to communicate with host 3002 and UE 3006. The connection 3060 may be direct or pass through a core network (similar to core network 2506 in Figure 25) and / or one or more other intermediate networks, such as one or more public networks, private networks, or hosted networks. For example, the intermediate network could be a backbone network or the internet.

[0317] UE3006 includes hardware and software that is stored in or accessible by UE3006 and executable by the UE's processing circuitry. The software includes client applications, such as a web browser or operator-specific “app,” which may be capable of operating to serve human or non-human users through UE3006, with the support of host 3002. On host 3002, the running host application may communicate with the running client application via an OTT connection 3050 that terminates in UE3006 and host 3002. When serving a user, the UE's client application may receive request data from the host's host application and provide user data in response to the request data. The OTT connection 3050 may transfer both the request data and the user data. The UE's client application may interact with the user to generate user data that the UE's client application provides to the host application via the OTT connection 3050.

[0318] The OTT connection 3050 may extend via connection 3060 between host 3002 and network node 3004, and via wireless connection 3070 between network node 3004 and UE3006, in order to provide a connection between host 3002 and UE3006. Connections 3060 and wireless connection 3070, which the OTT connection 3050 may provide, are depicted abstractly to illustrate communication between host 3002 and UE3006 via network node 3004, without explicit reference to intermediary devices and the precise routing of messages through these devices.

[0319] As an example of transmitting data via the OTT connection 3050, in step 3008, host 3002 provides user data, which may be done by running a host application. In some embodiments, the user data is associated with a specific human user interacting with UE 3006. In other embodiments, the user data is associated with UE 3006 sharing data with host 3002 without explicit human interaction. In step 3010, host 3002 initiates a transmission to carry the user data toward UE 3006. Host 3002 may initiate a transmission in response to a request sent by UE 3006. The request may be triggered by human interaction with UE 3006 or by the operation of a client application running on UE 3006. The transmission may proceed through network node 3004 in accordance with the teachings of embodiments described throughout this disclosure. Therefore, in step 3012, the network node 3004 transmits the user data carried in the transmission initiated by host 3002 to UE 3006, in accordance with the teachings of the embodiments described throughout this disclosure. In step 3014, UE 3006 receives the user data carried in the transmission, which may be done by a client application running on UE 3006 associated with a host application run by host 3002.

[0320] In some examples, UE3006 runs a client application that provides user data to host 3002. User data may be provided in response to or in response to data received from host 3002. Thus, in step 3016, UE3006 may provide user data, which may be done by running a client application. When providing user data, the client application may further consider user input received from the user via the input / output interface of UE3006. Regardless of the particular format in which the user data is provided, in step 3018, UE3006 initiates a transmission of the user data to host 3002 via network node 3004. In step 3020, in accordance with the teachings of embodiments described throughout this disclosure, network node 3004 receives user data from UE3006 and initiates a transmission of the received user data to host 3002. In step 3022, host 3002 receives the user data carried in the transmission initiated by UE3006.

[0321] One or more of the various embodiments improve the performance of the OTT service provided to the UE 3006 by using the OTT connection 3050, in which the wireless connection 3070 forms the final segment.

[0322] In an exemplary scenario, factory status information may be collected and analyzed by host 3002. As another example, host 3002 may process audio and video data that may be extracted from the UE for use in creating maps. As yet another example, host 3002 may collect and analyze real-time data to help control vehicle congestion (e.g., control traffic signals). As yet another example, host 3002 may store surveillance video uploaded by the UE. As yet another example, host 3002 may store or control access to media content, such as video, audio, VR, or AR, which host 3002 can broadcast, multicast, or unicast to the UE. As yet another example, host 3002 may be used for energy pricing, remote control of non-time-constrained electrical loads to balance generation needs, location services, presentation services (such as compiling diagrams etc. from data collected from remote devices), or any other function of collecting, extracting, storing, analyzing, and / or transmitting data.

[0323] In some embodiments, measurement procedures may be provided for the purpose of monitoring data rate, latency, and other factors, which are improved by one or more embodiments. Further optional network functions may be provided for reconfiguring the OTT connection 3050 between host 3002 and UE 3006 in response to variations in measurement results. Measurement procedures and / or network functions for reconfiguring the OTT connection may be implemented in the software and hardware of host 3002 and / or UE 3006. In some embodiments, sensors (not shown) may be deployed in or in relation to other devices through which the OTT connection 3050 passes, and the sensors may participate in the measurement procedure by supplying values ​​of the monitored quantities exemplified above, or values ​​of other physical quantities that the software can calculate or estimate the monitored quantities of. Reconfiguring the OTT connection 3050 may include message formatting, retransmission settings, preferred routing, etc., and the reconfiguration does not require a direct change in the operation of network node 3004. Such procedures and functions are known and practiced in the art. In some embodiments, the measurements may involve proprietary UE signaling by host 3002 to facilitate measurements such as throughput, propagation time, and latency. The measurements may be implemented in which software causes messages, particularly empty or "dummy" messages, to be sent using the OTT connection 3050 while monitoring propagation time, errors, etc.

[0324] The computing devices described herein (e.g., UEs, network nodes, hosts) may include the shown combinations of hardware components, but other embodiments may comprise computing devices with different combinations of components. It should be understood that these computing devices may comprise any suitable combination of hardware and / or software required to perform the tasks, features, functions, and methods disclosed herein. The determining, calculating, retrieving, or similar operations described herein may be performed by processing circuits, which may process information by, for example, converting retrieved information to other information, comparing the retrieved or converted information to information stored in a network node, and / or performing one or more operations based on the retrieved or converted information and as a result of the processing making a decision. Furthermore, although components are illustrated as a single box located within a larger box, or as a single box nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that constitute a single shown component, and functions may be separated between the distinct components. For example, a communication interface may be configured to include any of the components described herein, and / or the functions of those components may be separated between the processing circuit and the communication interface. In another example, the non-computationally intensive functions of any of such components may be implemented in software or firmware, while the computationally intensive functions may be implemented in hardware.

[0325] In some embodiments, some or all of the functions described herein may be provided by a processing circuit that executes instructions stored in memory, which in some embodiments may be a computer program product in the form of a non-temporary computer-readable storage medium. In alternative embodiments, some or all of the functions may be provided by a processing circuit without executing instructions stored in a separate or individual device-readable storage medium, such as in a hardwired manner. In any of those particular embodiments, whether or not it executes instructions stored in a non-temporary computer-readable storage medium, the processing circuit may be configured to perform the functions described. The benefits provided by such functions are enjoyed by the processing circuit alone, or by the computing device as a whole, but not limited to other components of the computing device, and / or generally by the end user and the wireless network.

[0326] In particular, modifications and other embodiments of this disclosure will be conceivable to those skilled in the art who benefit from the teachings presented in the above description and the related drawings. Therefore, it should be understood that this disclosure should not be limited to the specific embodiments disclosed, and that modifications and other embodiments are included within the scope of this disclosure. Certain terms may be used herein, but they are used only in a general and descriptive sense and not for restrictive purposes.

[0327] Embodiment

[0328] Group A Embodiment A1. A method performed by a neighboring service anchor node, wherein the method is Receiving the nearby service relay user key associated with the remote wireless communication device from the authentication server, From the nearby service relay user key, a shared key is derived to protect the interface between a remote wireless communication device and a relay wireless communication device configured to relay traffic for the remote wireless communication device, Sending a shared key to a network node serving a relay wireless communication device and Methods that include... A2. The method according to Embodiment A1, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. A3. Receiving a shared key request from a network node to a neighboring service anchor node, After receiving a shared key request, the authentication server is sent a request for primary authentication of the remote wireless communication device, Receiving a response from the authentication server to a request for primary authentication, wherein the response to the request for primary authentication includes a neighbor service relay user key. The method according to embodiment A1 or A2, further comprising: A4. The method according to Embodiment A3, wherein the shared key request includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. A5. The method of Embodiment A3 or A4, further comprising sending a response to a shared key request to a network node, wherein the response to the shared key request includes a shared key. A6. The method according to any one of embodiments A1 to A5, further comprising receiving an identifier bound to a neighbor service relay user key from an authentication server. A7. The method of Embodiment A6, further comprising storing a nearby service relay user key in relation to a received identifier in storage at a nearby service anchor node. A8. Receiving a new shared key request from the requesting node, which indicates an identifier bound to the neighbor service relay user key, Using the identifier provided in the new shared key request, retrieve the neighbor service relay user key from the storage at the neighbor service anchor node, Deriving a new shared key for a remote wireless communication device from the extracted nearby service relay user key, In response to a new shared key request, the new shared key is sent to the requesting node. The method according to Embodiment A7, further comprising: A9. The method of Embodiment A7 or A8, further comprising storing a Nearby Service Relay user key in relation to a subscription identifier that identifies the subscription of the remote wireless communication device to the home network of the remote wireless communication device. A10. The method according to any one of embodiments A1 to A9, further comprising receiving a subscription identifier from an authentication server that identifies the subscription of the remote wireless communication device to the home network of the remote wireless communication device. A11. The method according to any one of embodiments A1 to A10, wherein the Nearby Service Relay User Key is received from the authentication server in a request to register the Nearby Service Relay User Key with the Nearby Service Anchor Node. A12. The method according to Embodiment A11, wherein a request for registering a Nearby Service Relay User Key also includes an identifier bound to the Nearby Service Relay User Key, and / or a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. A13. The method according to Embodiment A12, further comprising storing a nearby service relay user key in relation to a received identifier in storage at a nearby service anchor node. A14. After receiving a request to register a neighbor service relay user key, the network node receives a shared key request indicating the identifier bound to the neighbor service relay user key, Using the identifier provided in the shared key request, retrieve the neighbor service relay user key from the storage at the neighbor service anchor node. It further includes, The shared key is derived from the neighbor service relay user key retrieved from storage. The method according to Embodiment A13, wherein sending a shared key to a network node includes sending a response to a shared key request to the network node, the response including the shared key. A15. The method according to any one of embodiments A1 to A14, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). A16. Shared key is key K NR_ProSe The method according to any one of embodiments A1 to A15. A17. The method according to any one of embodiments A1 to A16, wherein the authentication server implements the authentication server function (AUSF). A18. The method according to any one of embodiments A1 to A17, wherein a network node implements access and mobility functions (AMF). A19. The method according to any one of embodiments A1 to A18, wherein the interface is a PC5 interface. A20. The method according to any one of embodiments A1 to A19, wherein the relay wireless communication device is a Layer 3 UE-network relay.

[0329] Group B Embodiment B1. A method performed by an authentication server, the method is To generate a nearby service relay user key associated with a remote wireless communication device, Sending the neighbor service relay user key to the neighbor service anchor node and Methods that include... B2. The method according to Embodiment B1, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. B3. Receiving a request for primary authentication of a remote wireless communication device from a nearby service anchor node, Sending a response to a request for primary authentication to a neighboring service anchor node, wherein the response to the request for primary authentication includes the neighboring service relay user key. The method according to embodiment B1 or B2, further comprising: B4. The method according to Embodiment B3, wherein the response also includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. B5. The method according to any one of Embodiments B1 to B4, further comprising sending an identifier bound to a neighbor service relay user key to a neighbor service anchor node. B6. The method according to any one of Embodiments B1 to B5, further comprising transmitting a subscription identifier to a nearby service anchor node that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. B7. The method according to any one of embodiments B1 to B6, further comprising sending a request to a nearby service anchor node for registration of a nearby service relay user key with the nearby service anchor node, wherein the nearby service relay user key is included in the request for registration of the nearby service relay user key. B8. The method according to Embodiment B7, wherein a request for registering a Nearby Service Relay User Key also includes an identifier bound to the Nearby Service Relay User Key, and / or a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. B9. The method according to any one of Embodiments B1 to B8, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). B10. The method according to any one of embodiments B1 to B9, wherein the authentication server implements the authentication server function (AUSF). B11. The method according to any one of Embodiments B1 to B10, wherein the Nearby Service Relay User Key is a proof that a shared key for protecting the interface between the remote radio communication device and the relay radio communication device can be derived, and the relay radio communication device is configured to relay traffic for the remote radio communication device. B12. The method according to embodiment B11, wherein the interface is a PC5 interface. B13. The method according to embodiment B11 or B12, wherein the relay wireless communication device is a Layer 3 UE-network relay.

[0330] Group C Embodiment C1. A method performed by a network node serving a relay wireless communication device configured to relay traffic for a remote wireless communication device, wherein the method is Sending a request to the nearby service anchor node for a shared key to secure the interface between the remote wireless communication device and the relay wireless communication device, In responding to a request, the shared key is received from the neighboring service anchor node, Sending a shared key to a relay wireless communication device and Methods that include... C2. The method according to Embodiment C2, wherein the shared key is derivable from the Nearby Service Relay User Key, and the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for the primary authentication of a remote wireless communication device. C3. The method according to Embodiment C1 or C2, wherein a shared key request includes an identifier bound to a neighbor service relay user key, and the received shared key is derived from the neighbor service relay user key. C4. The method according to Embodiment C2 or C3, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). C5. The method according to Embodiment C1 or C2, wherein the shared key request includes a subscription identifier that identifies the remote wireless communication device's subscription to the home network of the remote wireless communication device. C6. Shared key is key K NR_ProSe The method according to any one of embodiments C1 to C5. C7. A method according to any one of embodiments C1 to C6, wherein a network node implements access and mobility functions (AMF). C8. The method according to any one of embodiments C1 to C7, wherein the interface is a PC5 interface. C9. The method according to any one of embodiments C1 to C8, wherein the relay wireless communication device is a Layer 3 UE-network relay.

[0331] Group D Embodiment D1. A method performed by a remote wireless communication device, the method is Sending a request to a relay radio communication device for the relay radio communication device to relay traffic for remote radio communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote radio communication device. Methods that include... D2. The method according to embodiment D1, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. D3. The method according to Embodiment D1 or D2, wherein the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device. D4. The method according to any one of Embodiments D1 to D3, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. D5. The method according to any one of embodiments D1 to D4, further comprising receiving a response to a request from a relay wireless communication device indicating that a nearby service relay user key should be reused. D6. Reusing the Neighbor Service Relay User Key to generate a shared key to protect the interface between the remote wireless communication device and the relay wireless communication device, Using a shared key to protect the interface and The method according to any one of embodiments D1 to D5, further including the method described above. D7. Shared key is key K NR_ProSe The method according to embodiment D6. D8. The method according to embodiment D6 or D7, wherein the interface is a PC5 interface. D9. The method according to any one of embodiments D1 to D8, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). D10. The method according to any one of embodiments D1 to D9, wherein the relay wireless communication device is a Layer 3 UE-network relay.

[0332] Group E Embodiment E1. A method performed by a relay wireless communication device, the method is: The relay radio communication device receives a request from a remote radio communication device to relay traffic for remote radio communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote radio communication device. Methods that include... E2. The method according to embodiment E1, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. E3. The method of Embodiment E1 or E2, wherein the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device. E4. The method according to any one of Embodiments E1 to E3, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. E5. The method according to any one of embodiments E1 to E4, further comprising sending a response to a request to a remote wireless communication device indicating that the Nearby Service Relay User Key should be reused. E6. The method according to any one of embodiments E1 to E5, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). E7. The method according to any one of embodiments E1 to E6, wherein the relay wireless communication device is a Layer 3 UE-network relay. E8. The method according to any one of embodiments E1 to E7, wherein the request for a shared key for protecting the interface between a remote wireless communication device and the relay wireless communication device is sent to a network node serving a relay wireless communication device, further comprising sending a request for the reuse of a nearby service relay user key for deriving the shared key. E9. The method of Embodiment E8, wherein a request for a shared key includes a Nearby Service Relay User Key Reuse flag that requests the reuse of a Nearby Service Relay User Key. E10. The method according to Embodiment E8 or E9, further comprising receiving a response from a network node to a request for a shared key, the response to the request for a shared key includes a shared key and indicates that a neighbor service relay user key should be reused to derive the shared key. EE1. A method performed by a relay wireless communication device, the method is: Sending a request for a shared key to a network node serving a relay wireless communication device, wherein the relay wireless communication device is configured to relay traffic for the remote wireless communication device, and the request for the shared key requests the reuse of a nearby service relay user key to derive the shared key. Methods that include... EE2. The method of Embodiment EE1, wherein a request for a shared key includes a Nearby Service Relay User Key Reuse flag that requests the reuse of a Nearby Service Relay User Key. EE3. The method of Embodiment EE1 or Embodiment EE2, further comprising receiving a response from a network node to a request for a shared key, wherein the response to the request for a shared key includes a shared key and indicates that a neighbor service relay user key should be reused to derive the shared key. EE4. The method according to any one of Embodiments EE1 to EE3, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. EE5. The method according to any one of Embodiments EE1 to EE4, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. EE6. Receiving a request from a remote wireless communication device for a relay wireless communication device to relay traffic for remote wireless communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote wireless communication device. Sending a response to a request to a remote wireless communication device, the response indicating that the Nearby Service Relay User Key should be reused to derive a shared key. A method according to any one of embodiments EE1 to EE5, further comprising: EE7. The method according to any one of Embodiments EE1 to EE6, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). EE8. The method according to any one of embodiments EE1 to EE7, wherein the relay wireless communication device is a Layer 3 UE-network relay. EE9. Shared key is key K NR_ProSe The method according to any one of embodiments EE1 to EE8. EE10. A method according to any one of Embodiments EE1 to EE9, wherein a network node implements Access and Mobility Functions (AMF). EE11. The method according to any one of embodiments EE1 to EE10, wherein the interface is a PC5 interface.

[0333] Group F Embodiment F1. A method performed by a network node serving a relay wireless communication device, the method being: Receiving a request from a relay wireless communication device for a shared key to protect the interface between a remote wireless communication device and the relay wireless communication device, wherein the relay wireless communication device is configured to relay traffic for the remote wireless communication device, and the request is for a shared key request that requests the reuse of a nearby service relay user key to derive the shared key. Methods that include... F2. The method according to embodiment F1, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. F3. The method according to Embodiment F1 or F2, wherein the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device. F4. The method according to any one of embodiments F1 to F3, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. F5. The method according to any one of embodiments F1 to F4, wherein the method involves transmitting a response to a request to a relay wireless communication device, the response further comprising transmitting a response that includes a shared key and indicates that a neighbor service relay user key should be reused to derive the shared key. F6. The method according to any one of embodiments F1 to F5, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). F7. The method according to any one of embodiments F1 to F6, wherein the relay wireless communication device is a Layer 3 UE-network relay. F8. Shared key is key K NR_ProSe The method according to any one of embodiments F1 to F7. F9. A method according to any one of embodiments F1 to F8, wherein a network node implements access and mobility functions (AMF). F10. The method according to any one of embodiments F1 to F9, wherein the interface is a PC5 interface. FF1. A method performed by a network node serving a relay wireless communication device, the method being: Sending an authentication request to an authentication server for the authentication of a remote wireless communication device, wherein the request requests the reuse of a nearby service relay user key to derive a shared key for protecting the interface between the remote wireless communication device and the relay wireless communication device, and the relay wireless communication device sends an authentication request configured to relay traffic for the remote wireless communication device. Methods that include... FF2. The method according to embodiment FF1, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. FF3. The method of Embodiment FF1 or FF2, wherein the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device. FF4. The method according to any one of Embodiments FF1 to FF3, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. FF5. The method according to any one of Embodiments FF1 to FF4, further comprising receiving a response from an authentication server to a request, the response including a shared key and indicating that a neighbor service relay user key should be reused to derive the shared key. FF6. The method according to any one of Embodiments FF1 to FF5, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). FF7. The method according to any one of embodiments FF1 to FF6, wherein the relay wireless communication device is a Layer 3 UE-network relay. FF8. Shared key is key K NR_ProSe The method according to any one of the embodiments FF1 to FF7. FF9. A method according to any one of Embodiments FF1 to FF8, wherein a network node implements Access and Mobility Functions (AMF). FF10. The method according to any one of the embodiments FF1 to FF9, wherein the interface is a PC5 interface.

[0334] Group G Implementation G1. A method performed by the authentication server, the method is: Receiving an authentication request for a remote wireless communication device, wherein the request asks for the reuse of a nearby service relay user key to derive a shared key to secure the interface between the remote wireless communication device and the relay wireless communication device, and the relay wireless communication device is configured to relay traffic for the remote wireless communication device upon receiving the authentication request. Methods that include... G2. The method according to embodiment G1, wherein the request requests the reuse of a nearby service relay user key from a prior execution of the primary authentication procedure for primary authentication of a remote wireless communication device. G3. The method of Embodiment G1 or G2, wherein the request includes a Nearby Services Relay User Key Reuse flag that requests the reuse of a Nearby Services Relay User Key already associated with a remote wireless communication device. G4. The method according to any one of Embodiments G1 to G3, wherein the Nearby Service Relay User Key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of a remote wireless communication device. G5. The method according to any one of embodiments G1 to G4, further comprising sending a response to a request, the response including a shared key and indicating that a neighbor service relay user key should be reused to derive the shared key. G6. The method according to any one of embodiments G1 to G5, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). G7. The method according to any one of embodiments G1 to G6, wherein the relay wireless communication device is a Layer 3 UE-network relay. G8. Shared key is key K NR_ProSe The method according to any one of embodiments G1 to G7. G9. The method according to any one of embodiments G1 to G8, wherein the request is received from an Access and Mobility Function (AMF). G10. The method according to any one of embodiments G1 to G9, wherein the interface is a PC5 interface. G11. The method according to any one of embodiments G1 to G10, further comprising sending a request for authentication for a remote wireless communication device to a data management node, wherein the request for authentication requests the reuse of a nearby service relay user key. G12. The method according to Embodiment G11, further comprising receiving a response from a data management node to a request for authentication certificate, the response indicating whether a neighbor service relay user key is available for reuse. G13. The response indicates that the neighbor service relay user key is available for reuse, and the method is: Obtaining a shared key derived from a nearby service relay user key, Sending a response to an authentication request, the response to the authentication request includes the obtained shared key and indicates that the Neighbor Service Relay User Key should be reused to derive the shared key. The method according to embodiment G12, further comprising: G14. The method according to Embodiment G13, wherein obtaining a shared key includes retrieving a neighbor service relay user key from local storage on the authentication server and deriving a shared key from the retrieved neighbor service relay user key. G15. Obtaining a shared key is The authentication request is forwarded to another authentication server where the Nearby Service Relay user key is stored, Receiving a shared key from another authentication server, which is derived from the Nearby Service Relay User Key. The method according to embodiment G13, including the method described in embodiment G13. G16. The response indicates that the Neighbor Service Relay user key is not available for reuse, and includes the requested authentication certificate, and the method is: Generating a nearby service relay user key based on key material derived during authentication of a remote wireless communication device, wherein the authentication of the remote wireless communication device generates a nearby service relay user key based on authentication proof, The process involves deriving a shared key from the generated neighbor service relay user key, Sending a response to an authentication request, wherein the response to the authentication request includes the derived shared key. The method according to embodiment G12, further comprising: G17. The method of Embodiment G16, wherein the response to an authentication request indicates that the Neighbor Service Relay User Key should not be reused to derive a shared key. G18. The method of Embodiment G16 or G17, further comprising, after generating a Nearby Service Relay User Key, sending a signaling to a data management node indicating that the Nearby Service Relay User Key for a remote wireless communication device is available for reuse and indicating the identification information of the authentication server where the Nearby Service Relay User Key is stored. G19. The method according to any one of embodiments G1 to G18, wherein the request is received from a network node serving a relay wireless communication device. G20. The method according to any one of embodiments G1 to G18, wherein the request is received from another authentication server. GG1. A method performed by an authentication server, the method is: Sending a request for authentication for a remote wireless communication device to a data management node, wherein the request for authentication requests the reuse of a nearby service relay user key to derive a shared key for protecting the interface between the remote wireless communication device and a relay wireless communication device configured to relay traffic for the remote wireless communication device. Methods that include... GG2. The method according to Embodiment GG1, further comprising receiving a response from a data management node to a request for authentication certificate, wherein the response indicates whether a neighbor service relay user key is available for reuse. GG3. The response indicates that the neighbor service relay user key is available for reuse, and the method is: Obtaining a shared key derived from a nearby service relay user key, Sending a response to an authentication request to a network node, the response to the authentication request includes the obtained shared key and indicates that the neighbor service relay user key should be reused to derive the shared key. The method of embodiment GG2, further comprising: GG4. The method according to Embodiment GG3, wherein obtaining a shared key includes retrieving a neighbor service relay user key from local storage on the authentication server and deriving a shared key from the retrieved neighbor service relay user key. GG5. Obtaining a shared key is The authentication request is forwarded to another authentication server where the Nearby Service Relay user key is stored, Receiving a shared key from another authentication server, which is derived from the Nearby Service Relay User Key. The method according to embodiment GG3, including the method described above. GG6. The response indicates that the Neighbor Service Relay user key is not available for reuse, and includes the requested authentication certificate, and the method is: Generating a nearby service relay user key based on key material derived during authentication of a remote wireless communication device, wherein the authentication of the remote wireless communication device generates a nearby service relay user key based on authentication proof, The process involves deriving a shared key from the generated neighbor service relay user key, Sending a response to an authentication request to a network node, wherein the response to the authentication request includes the derived shared key. The method of embodiment GG2, further comprising: GG7. The method of embodiment GG6, wherein the response to an authentication request indicates that the neighbor service relay user key should not be reused to derive a shared key. GG8. The method according to any one of Embodiments GG1 to GG7, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). GG9. The method according to any one of embodiments GG1 to GG8, wherein the relay wireless communication device is a Layer 3 UE-network relay. GG10. Shared key is key K NR_ProSe The method according to any one of embodiments GG1 to GG9. GG11. A method according to any one of embodiments GG1 to GG10, wherein a network node implements access and mobility functions (AMF). GG12. The method according to any one of embodiments GG1 to GG11, wherein the interface is a PC5 interface.

[0335] Group H Embodiment H1. A method performed by a data management node, the method is: Receiving a request for authentication from an authentication server for a remote wireless communication device, wherein the request for authentication requests the reuse of a nearby service relay user key to derive a shared key that is intended to protect the interface between the remote wireless communication device and a relay wireless communication device configured to relay traffic for the remote wireless communication device. Methods that include... H2. The method according to Embodiment H1, further comprising sending a response to an authentication server for a request, the response indicating whether a nearby service relay user key is available for reuse. H3. The method according to embodiment H2, wherein the response indicates that the Nearby Service Relay User Key is available for reuse. H4. The method according to Embodiment H3, wherein the response indicates the identification information of the authentication server where the Nearby Service Relay User Key is stored. H5. The method of Embodiment H2, wherein the response indicates that the Nearby Service Relay User Key is not available for reuse and includes the requested authentication certificate. H6. After sending a response, Receiving a signal indicating the identification information of the authentication server where the nearby service relay user key is stored, The data management node stores information indicating that the Nearby Service Relay user key for a remote wireless communication device is available for reuse, and that the authentication server on which the Nearby Service Relay user key is stored is identified. The method according to embodiment H5, further comprising: H7. The method according to any one of Embodiments H1 to H6, further comprising determining whether a Nearby Service Relay User Key is available for reuse, based on information in a data management node indicating whether a Nearby Service Relay User Key is stored for a remote wireless communication device. H8. The method according to any one of embodiments H1 to H7, wherein the Nearby Service Relay User Key is a 5G Nearby Service Relay User Key (5GPRUK). H9. The method according to any one of embodiments H1 to H8, wherein the relay wireless communication device is a Layer 3 UE-network relay. H10. Shared key is key K NR_ProSe The method according to any one of embodiments H1 to H9. H11. The method according to any one of embodiments H1 to H10, wherein the interface is a PC5 interface.

[0336] Group J Embodiment J1. A neighboring service anchor node configured to perform one of the steps described in any one of the embodiments of Group A. J2. A neighboring service anchor node comprising a processing circuit configured to perform any of the steps described in any one of the embodiments of Group A. J3. Neighboring service anchor node, Communication circuit and A processing circuit configured to perform any of the steps described in any one of the embodiments of Group A A nearby service anchor node equipped with this feature. J4. Neighboring service anchor node, A processing circuit configured to perform any of the steps described in any one of the embodiments of Group A, A power supply circuit configured to supply power to a nearby service anchor node and A nearby service anchor node equipped with this feature. J5. Neighboring service anchor node, A neighbor service anchor node comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, thereby configuring the neighbor service anchor node to perform any of the steps described in any one of the embodiments of Group A. J6. A computer program comprising instructions that, when executed by at least one processor of a neighboring service anchor node, cause the neighboring service anchor node to perform the steps described in any one of the embodiments of Group A. J7. A carrier comprising the computer program described in Embodiment J6, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer-readable storage medium. J8. An authentication server configured to perform any of the steps described in either one of the embodiments of Group B or Group G. J9. An authentication server comprising a processing circuit configured to perform any of the steps described in any one of the embodiments of Group B or Group G. J10. Authentication server, Communication circuit and A processing circuit configured to perform any of the steps described in either one of the embodiments of Group B or Group G, An authentication server equipped with the necessary features. J11. Authentication server, A processing circuit configured to perform any of the steps described in either one of the embodiments of Group B or Group G, A power supply circuit configured to supply power to the authentication server and An authentication server equipped with the necessary features. J12. Authentication server, An authentication server comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, thereby configured to perform any of the steps described in any one of the embodiments of Group B or Group G. J13. A computer program that, when executed by at least one processor of an authentication server, provides instructions to cause a neighboring service anchor node to perform the steps described in any one of the embodiments of group B or group G. J14. A carrier comprising the computer program described in Embodiment J13, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer-readable storage medium. J15. A network node configured to perform any of the steps described in either the embodiment of Group C or Group F. J16. A network node comprising a processing circuit configured to perform any of the steps described in any one of the embodiments of Group C or Group F. J17. Network node, Communication circuit and A processing circuit configured to perform any of the steps described in either one of the embodiments of Group C or Group F, A network node equipped with these features. J18. Network node, A processing circuit configured to perform any of the steps described in either one of the embodiments of Group C or Group F, A power supply circuit configured to supply power to network nodes and A network node equipped with these features. J19. Network node, A network node comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, thereby configuring the network node to perform any of the steps described in any one of the embodiments of group C or group F. J20. A computer program, when executed by at least one processor of a network node, comprising instructions that cause a network node to perform the steps described in either one of the embodiments of group C or group F. J21. A carrier comprising the computer program described in Embodiment J20, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer-readable storage medium. J22. A wireless communication device configured to perform any of the steps described in either one of the embodiments of Group D or Group E. J23. A wireless communication device comprising a processing circuit configured to perform any of the steps described in any one of the embodiments of Group D or Group E. J24. Wireless communication device, Communication circuit and A processing circuit configured to perform any of the steps described in either one of the embodiments of Group D or Group E, A wireless communication device equipped with the following features. J25. Wireless communication device, A processing circuit configured to perform any of the steps described in either one of the embodiments of Group D or Group E, A power supply circuit configured to supply power to a wireless communication device and A wireless communication device equipped with the following features. J26. Wireless communication device, A wireless communication device comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, thereby configuring the wireless communication device to perform any of the steps described in any one of the embodiments of Group D or Group E. J27. A computer program, when executed by at least one processor of a wireless communication device, comprising instructions that cause a wireless communication device to perform the steps described in any one of the embodiments of group D or group E. J28. A carrier comprising the computer program described in Embodiment J27, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer-readable storage medium. J29. User equipment (UE), An antenna configured to send and receive wireless signals, A wireless front-end circuit connected to an antenna and processing circuit, configured to adjust the signals communicated between the antenna and the processing circuit, A processing circuit configured to perform any of the steps described in either one of the embodiments of Group D or Group E, An input interface connected to a processing circuit and configured to allow information input to the UE to be processed by the processing circuit, An output interface connected to a processing circuit and configured to output information from the UE processed by the processing circuit, A battery and a processing circuit connected to the UE, configured to supply power to the UE. User equipment (UE) equipped with these features. J30. A data management node configured to perform any of the steps described in any one of the embodiments of Group H. J31. A data management node comprising a processing circuit configured to perform any of the steps described in any one of the embodiments of Group H. J32. A data management node, Communication circuit and A processing circuit configured to perform any of the steps described in any one of the embodiments of Group H, A data management node equipped with this feature. J33. A data management node, A processing circuit configured to perform any of the steps described in any one of the embodiments of Group H, A power supply circuit configured to supply power to the data management node and A data management node equipped with this feature. J34. A data management node, A data management node comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, thereby configuring the data management node to perform any of the steps described in any one of the embodiments of group H. J35. A computer program that, when executed by at least one processor of a data management node, comprises instructions causing the data management node to perform the steps described in any one of the embodiments of group H. J36. A carrier comprising the computer program described in Embodiment J35, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer-readable storage medium.

[0337] Group K Embodiment K9. A communication system including a host computer, wherein the host computer is A processing circuit configured to provide user data, A communication interface configured to transfer user data to a cellular network for transmission to user devices (UEs), and Equipped with, A communication system in which the UE comprises a wireless interface and processing circuitry, and the components of the UE are configured to perform any of the steps described in any one of the embodiments of Group D or Group E. K10. The communication system according to embodiment K9, further comprising a base station configured to communicate with a UE on a cellular network. K11. The host computer's processing circuitry is configured to execute the host application and thereby provide user data. The UE's processing circuitry is configured to run the client application associated with the host application. A communication system according to embodiment K9 or K10. K12. A method implemented in a communication system including a host computer, a base station, and user equipment (UE), the method being: Providing user data on the host computer, The host computer initiates a transmission to transport user data to the UE via a cellular network equipped with a base station, wherein the UE performs one of the steps described in any one of the embodiments of Group D or Group E. Methods that include... K13. The method according to embodiment K12, further comprising receiving user data from a base station in the UE. K14. A communication system including a host computer, wherein the host computer is A communication interface configured to receive user data originating from a user device (UE) transmission to a base station. Equipped with, A communication system in which the UE comprises a wireless interface and a processing circuit, the processing circuit of the UE is configured to perform any of the steps described in any one of the embodiments of Group D or Group E. K15. The communication system according to embodiment K14, further comprising a UE. K16. The communication system according to embodiment K14 or K15, further comprising a base station, the base station comprising a radio interface configured to communicate with a UE and a communication interface configured to transfer user data carried by transmission from the UE to the base station to a host computer. K17. The host computer's processing circuitry is configured to run the host application. The UE's processing circuitry is configured to run a client application associated with the host application, thereby providing user data. A communication system according to any one of embodiments K14 to K16. K18. The host computer's processing circuitry is configured to execute the host application and thereby provide the requested data. The UE's processing circuitry is configured to execute a client application associated with the host application, thereby providing user data in response to request data. A communication system according to any one of embodiments K14 to K17. K19. A method implemented in a communication system including a host computer, a base station, and user equipment (UE), the method being: In a host computer, receiving user data transmitted from a UE to a base station, wherein the UE receives user data by performing one of the steps described in any one of the embodiments of Group D or Group E. Methods that include... K20. The method according to embodiment K19, further comprising providing user data to a base station in the UE. K21. In the UE, the client application is executed, thereby providing the user data to be sent. On the host computer, the host application associated with the client application is executed. The method according to embodiment K19 or K20, further comprising: K22. In UE, running a client application and In UE, receiving input data to a client application, where the input data is provided on the host computer by running a host application associated with the client application. It further includes, The method according to any one of embodiments K19 to K21, wherein the user data to be transmitted is provided by the client application in response to the input data. K27. A method implemented in a communication system including a host computer, a base station, and user equipment (UE), the method being: In a host computer, receiving user data from a base station, which originates from a transmission received by the base station from a UE, wherein the UE performs one of the steps described in any one of the embodiments of Group D or Group E. Methods that include... K28. The method according to embodiment K27, further comprising receiving user data from a UE at a base station. K29. The method according to embodiment K27 or K28, further comprising initiating the transmission of received user data to a host computer at a base station.

Claims

1. A method performed by an authentication server, wherein the method is Receiving an authentication request for a remote wireless communication device, wherein the request requests the reuse of a nearby service relay user key to derive a shared key for protecting the interface between the remote wireless communication device and the relay wireless communication device, and the relay wireless communication device is configured to receive the authentication request for relaying traffic for the remote wireless communication device. Methods that include...

2. The method according to claim 1, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

3. The method according to claim 1 or 2, wherein the request includes a Nearby Service Relay User Key Reuse flag requesting the reuse of a Nearby Service Relay User Key already associated with the remote wireless communication device.

4. The method according to any one of claims 1 to 3, wherein the nearby service relay user key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of the remote wireless communication device.

5. The method according to any one of claims 1 to 4, further comprising transmitting a response to the request, the response comprising the shared key and indicating that the neighbor service relay user key should be reused to derive the shared key.

6. The method according to any one of claims 1 to 5, wherein the nearest service relay user key is a 5G nearest service relay user key (5GPRUK).

7. The method according to any one of claims 1 to 6, wherein the relay wireless communication device is a Layer 3 UE-network relay.

8. The aforementioned shared key is key K NR_ProSe The method according to any one of claims 1 to 7.

9. The method according to any one of claims 1 to 8, wherein the request is received from the Access and Mobility Function (AMF).

10. The method according to any one of claims 1 to 9, wherein the interface is a PC5 interface.

11. The method according to any one of claims 1 to 10, further comprising transmitting a request for authentication for the remote wireless communication device to a data management node, the request for authentication being a request for the reuse of the nearby service relay user key.

12. The method according to claim 11, further comprising receiving a response from the data management node to the request for authentication, the response indicating whether the neighbor service relay user key is available for reuse.

13. The response indicates that the neighbor service relay user key is available for reuse, and the method Obtaining the shared key as derived from the aforementioned neighboring service relay user key, Sending a response to the aforementioned request for authentication, wherein the response to the aforementioned request for authentication includes the acquired shared key and indicates that the neighbor service relay user key should be reused to derive the shared key. The method according to claim 12, further comprising:

14. The method according to claim 13, wherein obtaining the shared key includes retrieving the neighbor service relay user key from the local storage of the authentication server and deriving the shared key from the retrieved neighbor service relay user key.

15. Obtaining the aforementioned shared key means The aforementioned authentication request is forwarded to another authentication server where the nearby service relay user key is stored, The shared key is received from the aforementioned other authentication server as derived from the nearby service relay user key. The method according to claim 13, including the method described in claim 13.

16. The response indicates that the neighbor service relay user key is not available for reuse, and includes the requested authentication certificate, and the method, A nearby service relay user key is generated based on key material derived during authentication of the remote wireless communication device, wherein the authentication of the remote wireless communication device generates a nearby service relay user key based on the authentication certificate. The process involves deriving the shared key from the generated neighbor service relay user key, Sending a response to the aforementioned request for authentication, wherein the response to the aforementioned request for authentication includes the derived shared key. The method according to claim 12, further comprising:

17. A method performed by an authentication server, wherein the method is Sending a request for authentication for a remote wireless communication device to a data management node, wherein the request for authentication requests the reuse of a nearby service relay user key to derive a shared key for protecting the interface between the remote wireless communication device and a relay wireless communication device configured to relay traffic for the remote wireless communication device. Methods that include...

18. The method according to claim 17, further comprising receiving a response from the data management node to the request for authentication, wherein the response indicates whether the neighbor service relay user key is available for reuse.

19. The response indicates that the neighbor service relay user key is available for reuse, and the method Obtaining the shared key as derived from the aforementioned neighboring service relay user key, Sending a response to a network node for an authentication request, the response to the authentication request includes the obtained shared key and indicates that the neighbor service relay user key should be reused to derive the shared key. The method according to claim 18, further comprising:

20. The method according to claim 19, wherein obtaining the shared key includes retrieving the neighbor service relay user key from the local storage of the authentication server and deriving the shared key from the retrieved neighbor service relay user key.

21. Obtaining the aforementioned shared key means The aforementioned authentication request is forwarded to another authentication server where the nearby service relay user key is stored, The shared key is received from the aforementioned other authentication server as derived from the nearby service relay user key. The method according to claim 20, including the method described in claim 20.

22. The response indicates that the neighbor service relay user key is not available for reuse, and includes the requested authentication certificate, and the method, A nearby service relay user key is generated based on key material derived during authentication of the remote wireless communication device, wherein the authentication of the remote wireless communication device generates a nearby service relay user key based on the authentication certificate. The process involves deriving the shared key from the generated neighbor service relay user key, Sending a response to a request for authentication to a network node, wherein the response to the request for authentication includes the derived shared key. The method according to claim 21, further comprising:

23. A method performed by a data management node, the method is: Receiving a request for authentication certificate from an authentication server, wherein the request for authentication certificate requests the reuse of a nearby service relay user key to derive a shared key which is for protecting the interface between the remote wireless communication device and a relay wireless communication device configured to relay traffic for the remote wireless communication device. Methods that include...

24. The method according to claim 23, further comprising transmitting a response to the request to the authentication server, the response indicating whether the nearby service relay user key is available for reuse.

25. The method according to claim 24, wherein the response indicates that the nearby service relay user key is available for reuse.

26. The method according to claim 25, wherein the response indicates identification information of the authentication server in which the nearby service relay user key is stored.

27. The method of claim 24, wherein the response indicates that the neighbor service relay user key is not available for reuse, and includes the requested authentication certificate.

28. After sending the aforementioned response, Receiving a signal indicating the identification information of the authentication server where the nearby service relay user key is stored, The data management node stores information indicating that the nearby service relay user key for the remote wireless communication device is available for reuse, and that the authentication server storing the nearby service relay user key has its identification information stored. The method according to claim 27, further comprising:

29. The method according to any one of claims 23 to 28, further comprising determining whether the nearby service relay user key is available for reuse based on information in the data management node indicating whether the nearby service relay user key is stored for the remote wireless communication device.

30. A method performed by a remote wireless communication device, wherein the method is Sending a request to a relay wireless communication device for the relay wireless communication device to relay traffic for remote wireless communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote wireless communication device. Methods that include...

31. The method according to claim 30, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

32. The method according to claim 30 or 31, wherein the request includes a Nearby Service Relay User Key Reuse flag requesting the reuse of a Nearby Service Relay User Key already associated with the remote wireless communication device.

33. The method according to any one of claims 30 to 32, wherein the nearby service relay user key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of the remote wireless communication device.

34. The method according to any one of claims 30 to 33, further comprising receiving a response to the request from the relay wireless communication device indicating that the nearby service relay user key should be reused.

35. Reusing the nearby service relay user key to generate a shared key for protecting the interface between the remote wireless communication device and the relay wireless communication device, The interface is protected using the shared key mentioned above. The method according to any one of claims 30 to 34, further comprising:

36. A method performed by a relay wireless communication device, the method is The relay wireless communication device receives a request from a remote wireless communication device for relaying traffic for remote wireless communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote wireless communication device. Methods that include...

37. The method according to claim 36, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

38. The method according to claim 36 or 37, wherein the request includes a Nearby Service Relay User Key Reuse flag requesting the reuse of a Nearby Service Relay User Key already associated with the remote wireless communication device.

39. The method according to any one of claims 36 to 38, wherein the nearby service relay user key is based on and / or unique to a certain execution of a primary authentication procedure for primary authentication of the remote wireless communication device.

40. The method according to any one of claims 36 to 39, further comprising transmitting a response to the request to the remote wireless communication device indicating that the nearby service relay user key should be reused.

41. A method performed by a relay wireless communication device, the method is Sending a request for a shared key to a network node serving the relay wireless communication device, wherein the relay wireless communication device is configured to relay traffic for the remote wireless communication device, and the request for the shared key sends a request for a shared key that requests the reuse of a nearby service relay user key to derive the shared key. Methods that include...

42. The method according to claim 41, wherein the request for the shared key includes a Nearby Service Relay User Key Reuse Flag requesting the reuse of the Nearby Service Relay User Key.

43. The method according to claim 41 or 42, further comprising receiving a response from the network node to the request for the shared key, the response to the request for the shared key comprising the shared key and indicating that the neighbor service relay user key should be reused to derive the shared key.

44. The method according to any one of claims 41 to 43, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the Primary Authentication Procedure for the Primary Authentication of the Remote Wireless Communication Device.

45. The relay wireless communication device receives a request from the remote wireless communication device for relaying traffic for remote wireless communication, wherein the request requests the reuse of a nearby service relay user key already associated with the remote wireless communication device. Sending a response to the request to the remote wireless communication device, the response indicating that the Nearby Service Relay User Key should be reused to derive the shared key. The method according to any one of claims 41 to 44, further comprising:

46. A method performed by a network node serving a relay wireless communication device, the method being: Receiving a request from the relay wireless communication device for a shared key to protect the interface between the remote wireless communication device and the relay wireless communication device, wherein the relay wireless communication device is configured to relay traffic for the remote wireless communication device, and the request is a request for a shared key that requests the reuse of a nearby service relay user key to derive the shared key. Methods that include...

47. The method according to claim 46, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

48. The method according to claim 46 or 47, wherein the request includes a Nearby Service Relay User Key Reuse flag requesting the reuse of a Nearby Service Relay User Key already associated with the remote wireless communication device.

49. The method according to any one of claims 46 to 48, further comprising transmitting a response to the request to the relay wireless communication device, the response comprising the shared key and indicating that the neighbor service relay user key should be reused to derive the shared key.

50. A method performed by a network node serving a relay wireless communication device, the method being: Sending a request to an authentication server for authentication of a remote wireless communication device, wherein the request requests the reuse of a nearby service relay user key to derive a shared key for protecting the interface between the remote wireless communication device and the relay wireless communication device, and the relay wireless communication device is configured to send an authentication request for relaying traffic for the remote wireless communication device. Methods that include...

51. The method according to claim 50, wherein the request requests the reuse of the Nearby Service Relay User Key from a prior execution of the primary authentication procedure for the primary authentication of the remote wireless communication device.

52. The method according to claim 50 or 51, wherein the request includes a Nearby Service Relay User Key Reuse flag requesting the reuse of a Nearby Service Relay User Key already associated with the remote wireless communication device.

53. The method according to any one of claims 50 to 52, further comprising receiving a response from the authentication server to the request, the response including the shared key and indicating that the neighbor service relay user key should be reused to derive the shared key.

54. It is an authentication server, An authentication server comprising a processing circuit and a memory, wherein the memory contains instructions that can be executed by the processing circuit, and thereby the authentication server is configured to perform any of the steps of the method according to any one of claims 1 to 22.

55. A computer program, when executed by at least one processor of an authentication server, comprising instructions causing a neighboring service anchor node to perform any step of the method according to any one of claims 1 to 22.

56. Communication circuit and A processing circuit configured to perform any one of the steps of the method described in any one of claims 30 to 49 A wireless communication device equipped with the following features.

57. A computer program, when executed by at least one processor of a wireless communication device, comprising instructions causing the wireless communication device to perform any step of the method according to any one of claims 30 to 49.

58. Communication circuit and A processing circuit configured to perform any one of the steps of the method described in any one of claims 23 to 29 A data management node equipped with this feature.

59. A computer program that, when executed by at least one processor of a data management node, includes instructions causing the data management node to perform any step of the method according to any one of claims 23 to 29.

60. Network node, A processing circuit configured to perform any of the steps of the method described in any one of claims 50 to 53, A power supply circuit configured to supply power to the aforementioned network node and A network node equipped with these features.

61. A computer program, when executed by at least one processor of a network node, comprising instructions causing the network node to perform any step of the method according to any one of claims 50 to 53.

62. A computer program product comprising, when executed by at least one processor, an instruction causing the at least one processor to perform any step of the method according to any one of claims 1 to 53.