Protection scheme configuration in a communication network environment

By employing UE Parameter Update and Roaming Steering procedures, the home network dynamically configures authorized protection schemes for user equipment in visited networks, addressing security risks and ensuring secure communication across 5G networks.

JP7881761B2Active Publication Date: 2026-06-29NOKIA TECHNOLOGIES OY

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
NOKIA TECHNOLOGIES OY
Filing Date
2023-06-21
Publication Date
2026-06-29

AI Technical Summary

Technical Problem

The challenge of configuring protection schemes in communication networks as user equipment moves between networks, particularly in 5G systems, is exacerbated by the lack of dynamic updating mechanisms in visited public land mobile networks (VPLMNs), leading to security risks due to the use of non-specific and potentially insecure protection schemes.

Method used

A mechanism is provided for the home communication network to transmit protection scheme configuration data to user equipment using UE Parameter Update (UPU) or Roaming Steering (SoR) procedures, ensuring that only authorized protection schemes are used in visited networks, thereby enhancing security management.

Benefits of technology

This approach ensures secure and dynamic configuration of protection schemes, reducing the risk of identity revelation and maintaining security standards across different networks, thus enhancing overall network security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007881761000001
    Figure 0007881761000001
  • Figure 0007881761000002
    Figure 0007881761000002
  • Figure 0007881761000003
    Figure 0007881761000003
Patent Text Reader

Abstract

Techniques for configuring a protection scheme in a communication network are disclosed. For example, a home communication network of a given user equipment uses a user equipment parameter update procedure or a roaming steering procedure in a visited communication network scenario to send protection scheme configuration data to the given user equipment.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] This field generally relates to communication networks, and more specifically, to security management in communication networks, though not limited to them. [Background technology]

[0002] This section presents aspects that may help facilitate a better understanding of the present invention. Therefore, the descriptions in this section should be read in this regard and should not be understood as acknowledging what constitutes prior art and what does not.

[0003] Fourth-generation (4G) wireless mobile communication technology, also known as Long-Term Evolution (LTE) technology, was designed to provide high-capacity mobile multimedia with high data rates, particularly for human interfaces. Next-generation or fifth-generation (5G) technology is intended not only for human interfaces but also for machine-type communication in so-called Internet of Things (IoT) networks.

[0004] 5G networks are intended to enable high-capacity IoT services (e.g., a very large number of devices with limited capacity) and mission-critical IoT services (e.g., those requiring high reliability), but improvements beyond legacy mobile communication services will be supported in the form of enhanced mobile broadband (eMBB) services, which provide improved wireless internet access for mobile devices.

[0005] In an example communication system, user devices such as mobile terminals (subscribers) (5G UEs in a 5G network, or more broadly UEs) communicate via an air interface through a base station or an access point of an access network called a 5G AN in a 5G network. An access point (e.g., a gNB) is exemplary part of the access network of a communication system. For example, in a 5G network, an access network called a 5G AN is described in 5G Technical Specification (TS) 23.501, titled "Technical Specification Group Services and System Aspects; System Architecture for the 5G System," and TS 23.502, titled "Technical Specification Group Services and System Aspects; Procedures for the 5G System (5GS)," the disclosures of which are incorporated herein by reference in their entirety. Generally, an access point (e.g., a gNB) provides a UE with access to the core network (CN or 5GC), and then provides the UE with access to other UEs and / or data networks such as a packet data network (e.g., the Internet).

[0006] TS23.501 then defines a 5G service-based architecture (SBA) that models services as network functions (NFs) that communicate with each other using a representative state transfer application programming interface (restful API).

[0007] Furthermore, the disclosure of the 5G Technical Specification (TS) 33.501, titled "Technical Specification Group Services and System Aspects; Security Architecture and Procedures for the 5G System," is incorporated herein in its entirety by reference and further details security management related to 5G networks. [Prior art documents] [Non-patent literature]

[0008] [Non-Patent Document 1] Technical Specification Group Services and System Aspects; System Architecture for the 5G System, 5G Technical Specification TS23.501 [Non-Patent Document 2] Technical Specification Group Services and System Aspects;Procedures for the 5G System(5GS), TS23.502 [Non-Patent Document 3] Technical Specification Group Services and System Aspects;Security Architecture and Procedures for the 5G System, TS33.501 [Non-Patent Document 4] Technical Specification Group Core Network and Terminals;Secured Packet Structure for(Universal)Subscriber Identity Module(U)SIM Toolkit Applications, TS31.115 [Overview of the project] [Problems that the invention aims to solve]

[0009] Security management is an important consideration in any communication system. However, due to ongoing efforts to improve the architecture and protocols associated with 5G networks in order to enhance network efficiency and / or subscriber convenience, security management challenges related to configuring protection schemes as UEs move between communication networks can become a significant issue. [Means for solving the problem]

[0010] Exemplary embodiments provide a technology for configuring protection schemes in communication networks.

[0011] For example, in one exemplary embodiment from the perspective of a user device, the method includes, in the user device, receiving protection scheme configuration data from a network entity of a communication system in accordance with an update procedure between the user device and the communication network, and in the user device, generating a unique identifier for the user device based on at least a portion of the received protection scheme configuration data.

[0012] For example, in one exemplary embodiment from the perspective of a network entity, the method includes, in a network entity of a communication network, receiving and generating protection scheme configuration data for user equipment connected to the communication network, and transmitting the protection scheme configuration data to the user equipment in accordance with an update procedure between the user equipment and the communication network, so as to enable the user equipment to generate a unique identifier for the user equipment based on at least a portion of the received protection scheme configuration data.

[0013] Advantageously, an exemplary embodiment provides a home communication network of a given user equipment for transmitting protection scheme configuration data to the given user equipment, using a user equipment parameter update procedure or a roaming steering procedure in a visited communication network scenario.

[0014] Preferably, a further exemplary embodiment is provided in the form of a non - transient computer - readable storage medium embodying executable program code that, when executed by a processor, causes the processor to perform the above steps. Another exemplary embodiment comprises an apparatus having a processor and a memory configured to perform the above steps.

[0015] These and other features and advantages of the embodiments described herein will become more apparent from the accompanying drawings and the following detailed description.

Brief Description of the Drawings

[0016] [Figure 1] FIG. is a diagram showing a communication system in which one or more exemplary embodiments may be implemented. [Figure 2] FIG. is a diagram showing a user equipment and network entities in which one or more exemplary embodiments may be implemented. [Figure 3] FIG. shows a format as an example of a subscription anonymization identifier for a user equipment according to one or more exemplary embodiments. [Figure 4] FIG. shows an authorized protection scheme and a corresponding communication network mapping table according to one or more exemplary embodiments. [Figure 5] FIG. shows a first procedure for configuring a protection scheme according to one or more exemplary embodiments. [Figure 6] FIG. shows a second procedure for configuring a protection scheme according to one or more exemplary embodiments.

Modes for Carrying Out the Invention

[0017] This specification provides embodiments relating to exemplary communication systems and related technologies for security management in communication systems. However, it will be understood that the claims are not limited to any particular type of communication system and / or process disclosed. Embodiments can be implemented in a wide variety of other types of communication systems using alternative processes and operations. For example, although illustrated in the context of a wireless cellular system utilizing 3GPP system elements such as 3GPP Next Generation Systems (5G), the disclosed embodiments can be adapted in a simple manner to a wide variety of other types of communication systems.

[0018] According to exemplary embodiments implemented in a 5G communication system environment, one or more 3GPP technical specifications (TS) and technical reports (TRs) may provide further descriptions of network elements / functions and / or operations that may interact with inventive solutions, such as parts of 3GPP TS23.501 and 3GPP TS33.501 referenced above. Other 3GPP TS / TR documents, for example, their disclosures, such as 3GPP TS31.115, titled "Technical Specification Group Core Network and Terminals; Secured Packet Structure for (Universal) Subscriber Identity Module (U)SIM Toolkit Applications," which is incorporated herein in its entirety by reference, may provide other details that would be understood by those skilled in the art. However, while embodiments are well suited to 5G-related 3GPP standards, they are not necessarily intended to be limited to any particular standard.

[0019] Before describing exemplary embodiments, a general description of the specific key components of a 5G network is given below in relation to Figures 1 and 2.

[0020] Figure 1 shows a communication system 100 in which an exemplary embodiment is implemented. It should be understood that the elements shown in communication system 100 are intended to represent the main functions brought into the system, such as UE access functions, mobility management functions, authentication functions, serving gateway functions, etc. Therefore, the blocks shown in Figure 1 refer to specific elements in a 5G network that bring about these main functions. However, other network elements may be used to implement some or all of the main functions represented. Also, it should be understood that Figure 1 does not show all the functions of a 5G network. Rather, it shows at least some functions to facilitate the explanation of the exemplary embodiment. Subsequent figures may show some additional elements / functions (i.e., network entities).

[0021] Therefore, as shown, the communication system 100 includes a user equipment (UE) 102 that communicates with an access point (gNB) 104 via an air interface 103. It should be understood that the UE 102 may use one or more other types of access points (e.g., access functions, networks, etc.) to communicate with 5G cores other than the gNB. For example only, the access point 104 could be any 5G access network, an untrusted non-3GPP access network using N3IWF (Non-3GPP Interworking Function), a trusted non-3GPP network using TNGF (Trusted Non-3GPP Gateway Function), or a wired access using W-AGF (Wired Access Gateway Function), or it could correspond to a legacy access point (e.g., an eNB).

[0022] UE102 can be a mobile station, such a mobile station may comprise, for example, a mobile phone, a computer, an IoT device, or any other type of communication device. The term “user equipment” as used herein is therefore intended to be interpreted broadly to encompass a variety of different types of mobile stations, subscriber stations, or, more generally, communication devices, including, for example, a combination of other devices such as a smartphone or a data card inserted into a laptop. Such communication devices are also intended to encompass devices commonly referred to as access terminals.

[0023] In one embodiment, the UE102 comprises a universal integrated circuit card (UICC) portion and a mobile device (ME) portion (as shown in Figure 1). The UICC is the user-dependent portion of the UE and includes at least one subscriber identification module (USIM as shown in Figure 1) and appropriate application software. The USIM securely stores a persistent subscriber identifier and its associated key, which is used to uniquely identify and authenticate the subscriber to the access network. The ME is the user-independent portion of the UE and includes terminal device (TE) functions and various mobile terminal (MT) functions. The USIM may more commonly be referred to herein as the “subscriber identification-dependent portion” of the UE, and the ME may more commonly be referred to herein as the “subscriber identification-independent portion” of the UE.

[0024] Note that in one example, the persistent subscriber identifier is the International Mobile Subscriber Identification Number (IMSI) unique to the UE. In one embodiment, the IMSI is a fixed 15-digit length and consists of a 3-digit Mobile Country Code (MCC), a 3-digit Mobile Network Code (MNC), and a 9-digit Mobile Station Identification Number (MSIN). In 5G communication systems, the IMSI is called the Subscriber Persistent Identifier (SUPI). In the case of the IMSI as a SUPI, the MSIN provides subscriber identification. Therefore, typically only the MSIN portion of the IMSI needs to be encrypted. The MNC and MCC portions of the IMSI provide routing information used by the serving network to route to the correct home network. When the MSIN of the SUPI is encrypted, it is called the Subscriber Secrecy Identifier (SUCI). Another example of a SUPI uses the Network Access Identifier (NAI). NAIs are typically used for IoT communications. Further details of the format as an example of a SUCI are described below in relation to Figure 3.

[0025] Access point 104 is, in example, part of the access network of communication system 100. Such an access network may include, for example, a 5G system having multiple base stations.

[0026] Furthermore, in this exemplary embodiment, the access point 104 is operably coupled to the Access and Mobility Management Function (AMF) 106. In a 5G network, the AMF supports, among other things, Mobility Management (MM) and Security Anchor (SEAF) functions.

[0027] In this exemplary embodiment, the AMF 106 is operablely coupled with other network functions 108 (e.g., using their services). As shown, some of these other network functions 108 include, but are not limited to, an authentication server function (AUSF), an integrated data management (UDM) function, and other network functions that can act as service producers (NFp) and / or service consumers (NFc). Note that any network function can be a service producer for one service and a service consumer for another. Furthermore, when the service provided includes data, a data-providing NFp is called a data producer, and a data-requesting NFc is called a data consumer. A data producer can also be an NF that generates data by modifying or otherwise processing data produced by another NF.

[0028] It should be noted that UEs such as UE102 typically subscribe to what is called the Home Public Land Mobile Network (HPLMN), in which some or all of functions 106 and 108 reside. Alternatively, UEs such as UE102 may receive services from a Private Network (NPN) in which these functions may reside. The HPLMN is also called the Home Environment (HE). When a UE roams (outside the HPLMN), it typically connects to a Visited Public Land Mobile Network (VPLMN), also called the Visited Network, while the network currently serving the UE is also called the Serving Network. In the case of roaming, some of the network functions 106 and 108 may reside within the VPLMN, in which case the functions within the VPLMN communicate with the functions within the HPLMN as needed. However, in non-roaming scenarios, the mobility management function 106 and the other network functions 108 reside within the same communication network, i.e., the HPLMN. The embodiments described herein are not necessarily limited by which functions reside within which PLMN (i.e., HPLMN or VPLMN). Furthermore, it should be understood that the embodiments described herein are not necessarily limited to PLMNs and can be implemented in standalone private networks (SNPNs). An SNPN is a private communications network managed by an NPN operator.

[0029] Access point 104 is also operably coupled to a session management function (SMF) 110 (via one or more of functions 106 and / or 108), which is operably coupled to a user plane function (UPF) 112. The UPF 112 is operably coupled to a packet data network, e.g., the internet 114. Note that the thick solid lines in this figure represent the user plane (UP) of the communication network, in contrast to the thin solid lines that represent the control plane (CP) of the communication network. Note that network 114 in Figure 1 may, or may not, represent other network infrastructure, including, but is not limited to, cloud computing infrastructure and / or edge computing infrastructure. Further typical operations and functions of such network elements are not the focus of this exemplary embodiment and can be found in the appropriate 3GPP 5G documentation, so they are not discussed here. Note that the functions shown in 106, 108, 110, and 112 are examples of network functions (NF).

[0030] This particular arrangement of system elements is for illustrative purposes only, and it should be recognized that other types and arrangements of additional or alternative elements may be used to implement the communication system in other embodiments. For example, in other embodiments, system 100 may include other elements / functions not expressly shown herein.

[0031] Therefore, the arrangement in Figure 1 is merely one illustrative configuration of a wireless cellular system, and numerous alternative configurations of system elements may be used. For example, only one element / function is shown in the embodiment of Figure 1, but this is solely for the sake of brevity and clarity of explanation. A given alternative embodiment may, of course, include more such system elements, as well as additional or alternative elements of types generally related to typical system implementation forms.

[0032] Furthermore, while Figure 1 shows system elements as single functional blocks, it should be noted that the various subnetworks that make up a 5G network are partitioned into so-called network slices. A network slice (network partition) is a logical network that brings about specific network capabilities and network characteristics, which can optionally use Network Function Virtualization (NFV) on a common physical infrastructure to support the corresponding service type. Through NFV, a network slice is instantiated as needed for a given service, eMBB service, large-scale IoT service, and mission-critical IoT service. A network slice or function is therefore instantiated when that network slice or function is created. In some embodiments, this involves installing or otherwise running the network slice or function on one or more host devices of the underlying physical infrastructure. UE102 is configured to access one or more of these services via gNB104.

[0033] Figure 2 is a block diagram illustrating a methodological computing architecture for various participants according to an exemplary embodiment. More specifically, it is shown that system 200 comprises a user device (UE) 202 and a number of network entities 204-1, ..., 204-N. For example, in the exemplary embodiment, and referring back to Figure 1, UE 202 may represent UE 102, and network entities 204-1, ..., 204-N may represent functions 106 and 108. It should be noted that UE 202 and network entities 204-1, ..., 204-N are configured to interact in order to provide security management and other techniques as described herein.

[0034] The user device 202 includes a processor 212 coupled to a memory 216 and an interface circuit 210. The processor 212 of the user device 202 includes a security management processing module 214, which may be implemented in the form of software executed by the processor, at least in part. The processing module 214 performs security management as described in subsequent figures or otherwise in relation to this specification. The memory 216 of the user device 202 includes a security management storage module 218 for storing data that is generated or otherwise used during security management operations.

[0035] Each network entity (hereinafter referred to herein individually or collectively as 204) comprises a processor 222 (222-1, ..., 222-N) coupled to a memory 226 (226-1, ..., 226-N) and an interface circuit 220 (220-1, ..., 220-N). Each processor 222 of each network entity 204 includes a security management processing module 224 (224-1, ..., 224N), which may be implemented in the form of software executed by the processor 222, at least in part. The processing module 224 performs security management operations as described in subsequent figures and, otherwise, in relation to this specification. Each memory 226 of each network entity 204 includes a security management storage module 228 (228-1, ..., 228-N) for storing data generated during security management operations or otherwise used.

[0036] Processors 212 and 222 may include, for example, microprocessors such as central processing units (CPUs), application-specific integrated circuits (ASICs), digital signal processors (DSPs), or other types of processing devices, and parts or combinations of such elements.

[0037] Memory 216 and memory 226 may be used to store one or more software programs executed by processors 212 and 222, respectively, to perform at least a portion of the functions described herein. For example, security management operations and other functions described in subsequent figures and otherwise relating to this specification may be performed in a direct manner using software code executed by processors 212 and 222.

[0038] Therefore, either memory 216 or memory 226 may be seen herein more generally as an example of what is called a computer program product, or even more generally, a processor-readable storage medium having embodied executable program code. Other examples of processor-readable storage media may include disks or other types of magnetic or optical media in any combination. Exemplary embodiments may include products comprising such computer program products or other processor-readable storage media.

[0039] Furthermore, memories 216 and 226 may more specifically include electronic random-access memory (RAM), such as static RAM (SRAM), dynamic RAM (DRAM), or other types of volatile or non-volatile electronic memory. The latter may include non-volatile memory, such as flash memory, magnetic RAM (MRAM), phase-change RAM (PC-RAM), or ferroelectric RAM (FRAM). The term “memory” as used herein is intended to be interpreted broadly and may, in addition or alternatively, include, for example, read-only memory (ROM), disk-based memory, or other types of storage devices, and parts or combinations of such devices.

[0040] Interface circuits 210 and 220 include, as an example, transceivers or other communication hardware or firmware that enable the related system elements to communicate with each other in the manner described herein.

[0041] As can be seen from Figure 2, the user device 202 and the multiple network entities 204 are configured to communicate with each other as security-managing participants via their respective interface circuits 210 and 220. This communication includes each participant sending data to and / or receiving data from one or more other participants. As used herein, the term “data” is intended to be interpreted broadly to encompass any type of information that may be sent between participants, including but not limited to identification data, key pairs, key indicators, security management messages, registration request / response messages and data, request / response messages, authentication request / response messages and data, metadata, control data, audio, video, multimedia, consent data, and other messages.

[0042] It should be noted that the specific arrangement of components shown in Figure 2 is an example, and numerous alternative components may be used in other embodiments. For example, any given network element / function may be configured to incorporate additional or alternative components and support other communication protocols.

[0043] Other system elements, such as gNB104, SMF110, and UPF112, may each be configured to include components such as a processor, memory, and network interface. These elements do not need to be implemented on separate standalone processing platforms; instead, they may represent different functional parts of a single common processing platform, for example.

[0044] More generally, Figure 2 can be thought of as representing processing devices configured to provide their respective security management functions and coupled together in a communication system to operate with one another.

[0045] As described above, a SUCI is established for each UE102. The SUCI is defined in 3GPP TS33.501 referenced above and serves as a privacy-preserving identifier containing a concealed SUPI, as shown in format 300 of Figure 3. As shown, the SUCI format 300 comprises a SUPI type 302, a home network identifier 304, a routing indicator 306, a protection scheme identifier (ID) 308, a home network public key ID 310, and a scheme output 312. Some of the values ​​in format 300 have a fixed range, while some values ​​depend on other values, as shown.

[0046] More specifically, as shown, protection scheme ID 308 has a value in the range of 0 to 15. Protection scheme ID 308 represents a null scheme, a non-null scheme as defined in Annex C of 3GPP TS33.501 referenced above, or a protection scheme as defined by HPLMN. A null scheme is used when the SUPI type is a global line identifier (GLI) or global cable identifier (GCI) and privacy is not protected.

[0047] UE102 generates SUCI using the null scheme only in the following cases: (i) When UE102 has established an unauthenticated emergency session and does not have a 5G-GUTI for the selected PLMN, (ii) When the home network is configured to use a null scheme, (iii) When the home network has not provisioned the public key required to generate SUCI.

[0048] If the network operator has decided that the ME of UE102 should calculate the SUCI, the home network operator provisions an ordered priority list of protection scheme IDs permitted by the operator within the USIM of UE102. The priority list of protection scheme identifiers within the USIM contains only the protection scheme IDs specified in Annex C of 3GPP TS33.501, as referenced above, and the list may contain one or more protection scheme IDs. The ME reads the SUCI calculation information from the USIM, which includes the SUPI, SUPI type, routing indicator, home network public key ID, home network public key, and the list of protection scheme IDs. The ME selects a protection scheme from the supported schemes that has the highest priority in the list obtained from the USIM. If the home network public key or priority list is not provisioned within the USIM, the ME calculates the SUCI using a null scheme. Note that this feature will be provisioned for newer releases than the ME release, as additional protection schemes may be specified in the future. In this case, the protection scheme selected by the older ME may not be the protection scheme with the highest priority in the USIM list. If the network operator chooses that the SUCI calculation should be performed in the USIM, the network operator should use its own identifier for the protection scheme.

[0049] Currently, schemes for SUCI (i.e., null, profile A, and profile B) are configured in the UICC of UE102 by a priority list. For all VPLMNs, UE / UICC uses the same configuration (i.e., the same priority list) as HPLMNs. For some countries or VPLMNs, the null scheme or customized (proprietary) schemes configured by operators are not permitted. Secondly, the use of the null scheme should not be used in certain networks because it carries the risk of revealing one's identity.

[0050] For example, if a null scheme is enabled in UE102 within HPLMN (e.g., due to lawful interception or LI requirements), and UE102 then enters another country or geographical area and accesses VPLMN, the same null scheme will be used in VPLMN. This increases the risk of UE identification over the radio. Since LI requirements are country-specific, using a null scheme in VPLMN poses a significant security risk to UE102.

[0051] Currently, the protection scheme can be modified via over-the-air (OTA) procedures, which typically operate within HPLMN. However, USIM configuration messages sent to VPLMN may be discarded due to security / firewall issues and may incur additional charges; therefore, VPLMN is either avoided or not supported.

[0052] Currently, there is no available mechanism in VPLMN to dynamically update the protection scheme via 5GC. Furthermore, the protection schemes stored in the UE102's USIM are not specific to the PLMN. Therefore, network operators cannot control which protection scheme should be used in which PLMN.

[0053] The exemplary embodiments overcome the above and other shortcomings by providing a technical solution that provides an improved protection scheme configuration in a communication network. For example, according to one or more exemplary embodiments, the HPLMN transmits the permitted protection schemes and PLMN mapping table to the UICC of UE102 using a UE Parameter Update (UPU) procedure or a Roaming Steering (SoR) procedure in a VPLMN scenario. In one or more further exemplary embodiments, the HPLMN updates the home network public key list and the protection schemes configured in the UICC. Furthermore, in one or more exemplary embodiments, UE102 indicates its capabilities via a container transparent to the VPLMN and via a 5G Mobility Management (5GMM) capability information element (IE) that is not transparent to the VPLMN (the VPLMN forwards the capability indication to the HPLMN).

[0054] The following explanation is based on the PLMN case, but it should be noted that the configuration of the protection scheme in the exemplary embodiment can be extended to the SNPN case without loss of generality.

[0055] Next, further details of the IE sent to UE102 are explained with reference to Figure 4, which shows an example of an authorized protection scheme and PLMN mapping table 400. HPLMN may send a protection scheme associated with a PLMN ID.

[0056] In Proposal A Format 402, the UICC of UE102 has each PLMN listed in the corresponding permitted scheme.

[0057] In Proposal B Format 404, the UICC of UE102 has each protection scheme along with an authorized list corresponding to VPLMN and HPLMN.

[0058] The default option for VPLMN is to check if UICC can use the corresponding authorized scheme for that particular VPLMN if the VPLMN is not listed in this configuration.

[0059] In a configuration with only permitted protection schemes, HPLMN can simply update the list of protection schemes for UE102; see, for example, Protection Scheme Table 406.

[0060] Furthermore, HPLMN can update (add or delete) home network public keys configured within the UICC of UE102; see, for example, Home Network Public Key Identifier Table 408.

[0061] An exemplary embodiment provides a procedure for transmitting protection scheme information elements (e.g., those described above in relation to Figure 4) to the UE102. Figure 5 shows the UPU procedure for transmitting protection scheme information, and Figure 6 shows the SoR procedure for transmitting protection scheme information.

[0062] In embodiments where the UPU procedure is updated, the UDM updates the information described above in relation to Figure 4 (referred to herein, exemplary, as “Protection Scheme Configuration Data”) via the UPU procedure. For example, the UDM may perform this procedure based on an internal trigger, such as the UE roaming in a particular PLMN (i.e., a registration request in the UDM) or based on a provisioning change request.

[0063] More specifically, Figure 5 shows procedure 500 for configuring a static protection scheme using the UPU procedure according to an exemplary embodiment. As shown, procedure 500 includes UE502, AMF504, AUSF506, and UDM508.

[0064] In step 1, UDM508 decides to update the PLMN protection scheme mapping table, update the home network public key, or update the protection scheme.

[0065] In step 2a, the UDM508 generates a secure packet containing the new and updated information (protection scheme configuration data) and includes the secure packet in the UPU data. Alternatively, the UDM508 can prepare the UPU data by directly including the updated information (protection scheme configuration data).

[0066] In step 2b, the UDM508 sends UPU data as part of a Nausf UPU Protection message, as described in 3GPP TS31.115 referenced above.

[0067] In step 3, the AUSF506 uses UPU data, including protection scheme configuration data, to perform UPU-MAC-I AUSF Generates.

[0068] In step 4, the AUSF506 generates the UPU-MAC-I AUSF This information, along with the counter information, is sent back to the UDM508 as part of the Nausf UPU Protection response.

[0069] In step 5, UDM508 sends UPU data to AMF504, and AMF504 sends the same to UE502. Step 5 can be carried out according to TS33.501 Figure 6.15.2.1-1 as follows (note that steps (i), (ii), and (iii) below correspond to steps 4, 5, and 6 of TS33.501 Figure 6.15.2.1-1).

[0070] i) UDM508 initiates the Nudm_SDM_Notification service operation, which includes the UPU-transparent container if AMF504 supports UPU-transparent containers, or within the access and mobility enrollment data, UE Parameters Update Data, UPU-MAC-I AUSF , including a separate IE with CounterUPU. UDM508 requests an acknowledgment, the expected UPU-XMAC-I UE Temporarily store it.

[0071] ii) Upon receiving the Nudm_SDM_Notification message, AMF504 sends a DL NAS Transport message to the serviced UE502. If AMF504 received it from UDM508 in step (i) above, it includes the transparent container in the DL NAS Transport message. Otherwise, if UDM508 provided a separate IE in step (i) above, AMF must construct the UPU transparent container.

[0072] iii) Upon receiving the DL NAS Transport message, UE502 will send the received UE Parameters Update Data and CounterUPU to UPU-MAC-I in the same manner as AUSF506. AUSF It calculates the UPU-MAC-I received within the UPU-transparent container of the DL NAS Transport message. AUSF Verify if the value matches. UPU-MAC-I AUSF If the verification is successful and the UPU data contains any parameters protected by a secure packet, the ME forwards the secure packet to the USIM. UPU-MAC-I AUSF If the verification is successful and the UPU data contains any parameters that are not protected by secure packets, the ME updates the parameters stored therein with the received parameters in the UDM update data.

[0073] Since the information is for the UICC of UE502, the ME of UE502 transfers the information to the UICC, and in step 6, the UICC stores the information. Alternatively, the last recipient of the information can be the ME of UE502, in which case the ME of UE502 stores the information.

[0074] In step 7, the following steps occur according to TS33.501 Figure 6.15.2.1-1 as follows (note that the following steps (iv), (v), and (vi) correspond to steps 7, 8, and 9 of TS33.501 Figure 6.15.2.1-1).

[0075] iv) If the UDM508 requests a positive response from the UE502 and the UE502 successfully verifies and updates the UE Parameters Update Data provided by the UDM508, the UE502 sends a UL NAS Transport message to the AMF504. The UE502 generates a UPU-MAC-I UE and includes the generated UPU-MAC-I UE in a transparent container within the UL NAS Transport message.

[0076] v) If a transparent container with UPU-MAC-I UE is received within the UL NAS Transport message, the AMF504 sends a Nudm_SDM_Info request message to the UDM508 together with the transparent container.

[0077] vi) If the UDM508 indicates that the UE502 should positively respond to the success of the security check of the received UE Parameters Update Data, the UDM508 compares the received UPU-MAC-I UE with the expected UPU-XMAC-I UE temporarily stored by the UDM508 in step (i) above.

[0078] In step 8, if HPLMN requests re-registration due to being updated to a new configuration, UE502 triggers a registration request and the generation of a SUCI with the updated information.

[0079] Next, looking at embodiments where updates are performed via SoR procedures, the UDM updates the protection scheme configuration data via SoR procedures. The UDM can perform this procedure based on internal triggers, such as a UE roaming within a particular PLMN (i.e., a registration request in the UDM), or based on a provisioning change request.

[0080] More specifically, Figure 6 shows a procedure 600 for configuring a dynamic protection scheme using an SoR procedure, according to an exemplary embodiment. As shown, procedure 600 includes UE602, VPLMN AMF604, HPLMN AUSF606, and HPLMN UDM608.

[0081] In Step 1, the HPLMN UDM608 dynamically decides whether to update the PLMN protection scheme mapping table, update the home network public key, or update the protection scheme.

[0082] In step 2a, the HPLMN UDM608 generates a secure packet using the newly updated information (protection scheme configuration data).

[0083] In step 2b, the HPLMN UDM608 sends a secure packet as part of the Nausf SoR Protection message described in 3GPP TS31.115 referenced above.

[0084] In step 3, the HPLMN AUSF606 uses SoR data, including protection scheme configuration data, to perform SoR-MAC-I AUSF Generates.

[0085] In step 4, the HPLMN AUSF606 generates the SoR-MAC-I AUSF This information, along with counter information, is sent back to the HPLMN UDM608 as part of the Nausf SoR Protection response.

[0086] In step 5, the HPLMN UDM608 sends SoR data to the VPLMN AMF604, and the VPLMN AMF604 sends the same data to the UE602. Step 5 can be carried out according to Figure 6.14.2.2-1 of TS33.501 as follows (note that steps (i), (ii), and (iii) below correspond to steps 4, 5, and 6 of Figure 6.14.2.2-1 of TS33.501).

[0087] i) HPLMN UDM608 initiates the Nudm_SDM_Notification service operation, which, if VPLMN AMF604 supports SoR transparent containers, includes SoR transparent containers, or a preferred PLMN / access technology combination or secure packets, ACK Indication, SoR-MAC-I AUSF , and Counter in access and mobility subscription data SoR Includes individual IEs containing an optional list of options. HPLMN UDM608 requests an acknowledgment, expecting SoR-XMAC-I UE Temporarily store it.

[0088] ii) Upon receiving a Nudm_SDM_Notification message, if the message contains a SoR transparent container, VPLMN AMF604 sends a DL NAS Transport message to the serviced UE602 containing the received SoR transparent container; otherwise, VPLMN AMF604 receives the ACK Indication, steering list, and SoR-MAC-I from HPLMN UDM608. AUSF and Counter SoRBased on this, a SoR transparent container (including the SoR header) is constructed, and the constructed SoR transparent container is included in the DL NAS Transport message and sent to the serviced UE602.

[0089] iii) Upon receiving a DL NAS Transport message, the UE602 will, on the received SoR transparent container, perform SoR-MAC-I in the same manner as the HPLMN AUSF606. AUSF Calculate and Counter SoR And including the SoR header, the SoR-MAC-I received within the DL NAS Transport message AUSF Verify whether the value matches.

[0090] Since the dynamic configuration is for UICC and the ME of UE602, the ME transfers the protection scheme configuration data to UICC. In step 6, UICC and ME store the protection scheme configuration data. UICC can also share the configuration with ME.

[0091] In step 7, the following steps occur according to Figure 6.14.2.2-1 of TS33.501 (note that steps (iv), (v), and (vi) below correspond to steps 7, 8, and 9 of Figure 6.14.2.2-1 of TS33.501).

[0092] iv) If HPLMN UDM608 requests an acknowledgment from UE602 and UE602 verifies that steering information is supplied by HPLMN, UE602 sends a UL NAS Transport message to VPLMN AMF604. UE602 then sends a SoR-MAC-I message. UE Generates the generated SoR-MAC-I UE Include this in the SoR transparent container within the UL NAS Transport message.

[0093] v) The VPLMN AMF604 sends a Nudm_SDM_Info request message to the HPLMN UDM608. SoR-MAC-I UE If an SoR-transparent container having SoR-MAC-I is received in a UL NAS Transport message, and VPLMN AMF604 supports SoR-transparent containers, VPLMN AMF604 will include the received SoR-transparent container in the Nudm_SDM_Info request message; otherwise, VPLMN AMF604 will include SoR-MAC-I UE Include this in the Nudm_SDM_Info request message.

[0094] vi) If HPLMN instructs UE602 to acknowledge the success of the security check of the received roaming steering information, HPLMN UDM608 should acknowledge the received SoR-MAC-I UE This is the expected SoR-XMAC-I that the HPLMN UDM608 temporarily stored in step (i) above. UE Compare it to this.

[0095] In step 8, if the HPLMN requests re-registration due to a new dynamic configuration update, the UE602 triggers a registration request and SUCI generation with the updated information. The received dynamic configuration takes precedence over the static configuration. If the ME leaves this PLMN and remains with a different PLMN, this dynamic configuration is deleted.

[0096] HPLMN should be aware that it transmits protection scheme configuration data only to UEs that support receiving such information. To achieve this capability, according to an exemplary embodiment, a UE capable of receiving such information informs HPLMN of its capability. The UE informs HPLMN of its capability in at least one of the following ways: (i) via a transparent container to VPLMN, and (ii) via a non-transparent 5GMM capability IE to VPLMN (VPLMN forwards the capability indication to HPLMN). Alternatively, the capability of a UE to update such information may be configured within HPLMN.

[0097] It should be understood that the term “communication network” as used herein may, in some embodiments, comprise two or more separate communication networks. Furthermore, specific processing operations and other system functions described in relation to the figures described herein are presented only as illustrative examples and should not be construed as limiting the scope of this disclosure in any way. Alternative embodiments may use other types of processing operations and messaging protocols. For example, the ordering of steps may be changed in other embodiments, or some steps may be performed at least partially concurrently with each other, rather than sequentially. Also, one or more steps may be repeated periodically, and multiple instances of the method may be executed in parallel with each other.

[0098] Again, it should be emphasized that the various embodiments described herein are presented only as illustrative examples and should be construed as limiting the scope of the claims. For example, alternative embodiments may utilize different communication system configurations, user equipment configurations, base station configurations, provisioning and usage processes, messaging protocols, and message formats other than those described above in relation to the exemplary embodiments. These and numerous other alternative embodiments within the appended claims will be readily apparent to those skilled in the art.

Claims

1. At least one processor, At least one memory containing computer program code and The device comprises at least one memory and computer program code, and at least one processor provides the device with at least one Receiving protection scheme configuration data from the network entity of the communication network, following the update procedure between the device and the communication network, Based on at least a portion of the received protection scheme configuration data, configure a protection scheme in the communication network and generate a unique identifier for the device. A device configured to perform a certain action.

2. The apparatus according to claim 1, wherein the update procedure includes a user device parameter update procedure.

3. The apparatus according to claim 1, wherein the update procedure includes a roaming steering procedure.

4. The apparatus according to claim 1, wherein at least one memory and computer program code are further configured to cause at least one processor to perform at least one of (i) storing protection scheme configuration data and (ii) updating previously stored protection scheme configuration data with the protection scheme configuration data.

5. The apparatus according to claim 1, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted protection schemes.

6. The apparatus according to claim 1, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted communication networks.

7. The apparatus according to claim 1, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted public keys of the communication network.

8. The apparatus according to claim 1, wherein at least one memory and computer program code are further configured to cause the apparatus to perform actions to notify a communication network of configured protection scheme capabilities by at least one processor.

9. The apparatus according to claim 1, wherein the communication network is either a home communication network or a communication network at a visited location.

10. The apparatus according to claim 1, wherein the communication network is either a public communication network or a private communication network.

11. The apparatus according to claim 1, wherein the apparatus is part of user equipment connected to a communication network.

12. On the user device, protection scheme configuration data is received from the network entity of the communication network in accordance with the update procedure between the user device and the communication network. In the user device, a protection scheme is configured in the communication network based on at least a portion of the received protection scheme configuration data, and a unique identifier is generated for the user device. Methods that include...

13. The method according to claim 12, wherein the update procedure comprises one of (i) a user device parameter update procedure and (ii) a roaming steering procedure.

14. A product comprising a non-temporary computer-readable storage medium in which executable program code is embodied, which causes the processor to perform the steps described in claim 12 when executed by the processor.

15. At least one processor, At least one memory containing computer program code and The device comprises at least one memory and computer program code, and at least one processor provides the device with at least one memory and computer program code. Receiving or generating protection scheme configuration data for user devices connected to a communication network, Based on at least a portion of the received protection scheme configuration data, the protection scheme configuration data is transmitted to the user device in accordance with an update procedure between the user device and the communication network, enabling the user device to configure the protection scheme in the communication network and generate a unique identifier for the user device. A device configured to perform a certain action.

16. The apparatus according to claim 15, wherein the update procedure includes a procedure for updating user equipment parameters.

17. The apparatus according to claim 15, wherein the update procedure includes a roaming steering procedure.

18. The apparatus according to claim 15, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted protection schemes.

19. The apparatus according to claim 15, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted communication networks.

20. The apparatus according to claim 15, wherein the protection scheme configuration data comprises one or more identifiers corresponding to one or more of the permitted communication network public keys.

21. The apparatus according to claim 15, wherein at least one memory and computer program code are further configured to cause the apparatus to receive notifications from user equipment regarding the capabilities of a configured protection scheme, by at least one processor.

22. The apparatus according to claim 15, wherein the communication network is either a home communication network or a communication network at a visited location.

23. The apparatus according to claim 15, wherein the communication network is either a public communication network or a private communication network.

24. The apparatus according to claim 15, wherein the apparatus is part of the integrated data management function of a communication network.

25. The apparatus according to claim 15, wherein the apparatus is part of the authentication server function of a communication network.

26. The apparatus according to claim 15, wherein the apparatus is part of the access and mobility management functions of a communication network.

27. In a network entity of a communication network, at least one of receiving and generating protection scheme configuration data for user devices connected to the communication network, Based on at least a portion of the received protection scheme configuration data, the protection scheme configuration data is transmitted to the user device in accordance with an update procedure between the user device and the communication network, enabling the user device to configure the protection scheme in the communication network and generate a unique identifier for the user device. Methods that include...

28. The method according to claim 27, wherein the update procedure comprises one of (i) a user device parameter update procedure and (ii) a roaming steering procedure.

29. A product comprising a non-temporary computer-readable storage medium in which executable program code is embodied, which causes the processor to perform the steps described in claim 27 when executed by the processor.

30. Receiving protection scheme configuration data from the network entity of the communication network, following the update procedure between the device and the communication network, Based on at least a portion of the received protection scheme configuration data, configure a protection scheme in the communication network and generate a unique identifier for the device. A device equipped with means for performing an action.

31. Receiving or generating protection scheme configuration data for user devices connected to a communication network, Based on at least a portion of the received protection scheme configuration data, the protection scheme configuration data is transmitted to the user device in accordance with an update procedure between the user device and the communication network, enabling the user device to configure a protection scheme in the communication network and generate a unique identifier for the user device. A device equipped with means for performing an action.