Resource owner function authentication in common application programming interface framework

The implementation of mTLS and HMAC-based authentication in the CAPIF-8 reference point addresses security vulnerabilities, ensuring secure and reliable communication between resource owner functions and the common application programming interface framework core functions.

WO2026149696A1PCT designated stage Publication Date: 2026-07-16NOKIA TECHNOLOGIES OY

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
NOKIA TECHNOLOGIES OY
Filing Date
2025-11-28
Publication Date
2026-07-16

AI Technical Summary

Technical Problem

Current communication network environments lack secure and efficient mechanisms for establishing secure channels between resource owner functions and common application programming interface framework core functions, particularly in the context of the CAPIF-8 reference point, which are vulnerable to attacks such as message modification, sniffing, and replay.

Method used

Implementing a mutual transport layer security (mTLS) secure channel using a certificate generated with a public key for resource owner functions, along with hash-based message authentication codes (HMAC) and random strings, to authenticate and secure communications between resource owner functions and the common application programming interface framework core functions.

Benefits of technology

Enhances the security and integrity of communications over the CAPIF-8 reference point by providing confidentiality, integrity protection, and anti-replay mechanisms, thereby safeguarding against unauthorized access and attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure EP2025084697_16072026_PF_FP_ABST
    Figure EP2025084697_16072026_PF_FP_ABST
Patent Text Reader

Abstract

A user equipment comprising: means for providing, to a network, an indication that a common application programming interface framework is supported by the user equipment; means for determining a first key for the common application programming interface framework; and means for using the first key to determine an authentication code for a resource owner function associated with the user equipment.
Need to check novelty before this filing date? Find Prior Art

Description

RESOURCE OWNER FUNCTION AUTHENTICATION IN COMMON APPLICATION PROGRAMMING INTERFACE FRAMEWORKTECHNICAL FIELD

[0001] Various example embodiments of this disclosure relate to methods, apparatus, sand computer programs and in particular but not exclusively relating apparatus, methods and computer program in a common application programming interface framework.BACKGROUND

[0002] A communication network can be seen as a facility that enables communications between two or more communication devices or provides communication devices access to a data network. A mobile or wireless communication network is one example of a communication network. A communication device may be provided with a service by an application server.

[0003] Such communication networks operate in according with standards such as those provided by 3GPP (Third Generation Partnership Project) or ETSI (European Telecommunications Standards Institute). Examples of standards are the so-called 5G (5th Generation) standards and 6G (6th Generation) standards provided by 3GPP.

[0004] Modern communication network environments can have a wide variety of different types of networks (e.g., 5G core networks, 5G radio access networks, cloud computing networks, edge computing networks, public networks, private networks, and the like) interconnected to enable entities (e.g., users, applications, user equipment, network functions, and the like) to communicate with one another for some purpose within and / or across the different types of networks. For example, an entity may need to access a service of another entity in one of the networks, e.g., one application program may need to communicate with another application program. Typically, access to a given application program is facilitated through an application programming interface (API). Thus, an entity may first need to gain access to the API of the application program for which it seeks to utilize its corresponding service.

[0005] An API may be considered to be a mechanism that enables at least two applications to communicate with each other using a set of definitions and protocols, where an application may be considered to be a software component having a distinct service. An API architecture is often framed in terms of client and server. The application sending the request is called the client, and the application sending the response is called the server.SUMMARY

[0006] Some example embodiments of this disclosure will be described with respect to certain aspects. These aspects are not intended to indicate key or essential features of the embodiments of this disclosure, nor are they intended to be used to limit the scope of thereof. Other features, aspects, and elements will be readily apparent to a person skilled in the art in view of this disclosure.

[0007] According to a first aspect, there is provided an apparatus comprising a resource owner function, the resource owner function comprising: means for receiving a certificate for the resource owner function from a common application programming interface framework core function; and means for using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0008] The secure channel may be a mutual transport layer security secure channel.

[0009] The apparatus may comprise means for providing a public key to the common application programming interface framework core function, the certificate for the resource owner function being generated using said public key.

[0010] The apparatus may comprise means for generating the public key and a corresponding private key.

[0011] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0012] The apparatus may comprise means for providing an authentication code to the common application programming interface framework core function.

[0013] The authentication code may comprise a hash-based message authentication code.

[0014] The apparatus may comprise means for receiving the authentication code from a user equipment.

[0015] The apparatus may comprise means for requesting the authentication code from the user equipment, said request comprising a random string to be used by the user equipment to generate the authentication code.

[0016] The apparatus may comprise means for receiving the random string from the common application programming interface framework core function.

[0017] The random string may be received from the common application programming interface framework core function in a request for the authentication code.

[0018] The apparatus may comprise means for generating the random string.

[0019] The apparatus may comprise means for providing the random string generated by the apparatus to the common application programming interface framework core function.

[0020] The apparatus may comprise means for providing, to the common application programming interface framework core function, identity information associated with a user equipment associated with the resource owner function

[0021] The apparatus may be provided in a user equipment.

[0022] According to a second aspect, there is provided a method comprising: receiving a certificate for a resource owner function from a common application programming interface framework core function; and using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0023] The secure channel may be a mutual transport layer security secure channel.

[0024] The method may comprise providing a public key to the common application programming interface framework core function, the certificate for the resource owner function being generated using said public key.

[0025] The method may comprise generating the public key and a corresponding private key.

[0026] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0027] The method may comprise providing an authentication code to the common application programming interface framework core function.

[0028] The authentication code may comprise a hash-based message authentication code.

[0029] The method may comprise receiving the authentication code from a user equipment.

[0030] The method may comprise requesting the authentication code from the user equipment, said request comprising a random string to be used by the user equipment to generate the authentication code.

[0031] The method may comprise receiving the random string from the common application programming interface framework core function.

[0032] The random string may be received from the common application programming interface framework core function in a request for the authentication code.

[0033] The method may comprise generating the random string.

[0034] The method may comprise providing the random string generated by the apparatus to the common application programming interface framework core function.

[0035] The method may comprise providing, to the common application programming interface framework core function, identity information associated with a user equipment associated with the resource owner function.

[0036] The method may be performed by an apparatus.

[0037] The apparatus may be provided in a user equipment.

[0038] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the second aspect.

[0039] According to a third aspect, there is provided an apparatus comprising a common application programming interface framework core function, the common application programming interface framework core function comprising: means for determining a certificate for a resource owner function; means for sending the certificate for the resource owner function to the resource owner function: and means for using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0040] The secure channel may be a mutual transport layer security secure channel.

[0041] The apparatus may comprise means for receiving, from the resource owner function, a public key, the certificate for the resource owner function being determined using said public key.

[0042] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0043] The apparatus may comprise means for receiving, from the resource owner function, an authentication code.

[0044] The authentication code may comprise a hash-based message authentication code.

[0045] The apparatus may comprise means for providing, to the resource owner function, a random string, said random string being used to generate the authentication code received from the resource owner function.

[0046] The random string may be provided in a request for the authentication code.

[0047] The apparatus may comprise means for generating the random string.

[0048] The apparatus may comprise means for receiving, from the resource owner function, identity information associated with a user equipment associated with the resource owner function.

[0049] The apparatus may comprise means for sending a request to a network function for a further authentication code, means for receiving from the network function the further authentication code, and means for comparing the further authentication code received from the network function with the authentication code received from the resource owner function to authenticate the resource owner function.

[0050] According to a fourth aspect, there is provided a method comprising: determining a certificate for a resource owner function; sending the certificate for the resource owner function to the resource owner function: and using the certificate for the resource owner function for a secure channel between the resource owner function and a common application programming interface framework core function.

[0051] The secure channel may be a mutual transport layer security secure channel.

[0052] The method may comprise receiving, from the resource owner function, a public key, the certificate for the resource owner function being determined using said public key.

[0053] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0054] The method may comprise receiving, from the resource owner function, an authentication code.

[0055] The authentication code may comprise a hash-based message authentication code.

[0056] The method may comprise providing, to the resource owner function, a random string, said random string being used to generate the authentication code received from the resource owner function.

[0057] The random string may be provided in a request for the authentication code.

[0058] The method may comprise generating the random string.

[0059] The method may comprise receiving, from the resource owner function, identity information associated with a user equipment associated with the resource owner function.

[0060] The method may comprise sending a request to a network function for a further authentication code, receiving from the network function the further authentication code, and comparing the further authentication code received from the network function with the authentication code received from the resource owner function to authenticate the resource owner function.

[0061] The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0062] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the fourth aspect.

[0063] According to a fifth aspect, there is provided a user equipment comprising: means for providing, to a network, an indication that a common application programming interface framework is supported by the user equipment; means for determining a first key for the common application programming interface framework; and means for using the first key to determine an authentication code for a resource owner function associated with the user equipment.

[0064] The authentication code may comprise a hash-based message authentication code.

[0065] The user equipment may comprise means for receiving a request from the resource owner function for the authentication code with a random string, said random string further being used to determine the authentication code.

[0066] The user equipment may comprise means for providing the authentication code to the resource owner function.

[0067] The user equipment may comprise means for providing the resource owner function.

[0068] The means for providing the resource owner function may comprise means for generating the random string.

[0069] The means for providing the resource owner function may comprise means for receiving the random string from the common application programming interface framework core function.

[0070] The means for providing the resource owner function may comprise means for providing the authentication code to the common application programming interface framework core function.

[0071] The means for providing the resource owner function may comprise means for receiving a certificate for the resource owner function from the common application programming interface framework core function and means for using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0072] The secure channel may be a mutual transport layer security secure channel.

[0073] The means for providing the resource owner function may comprise means for providing a public key to the common application programming interface framework core function, the certificate for the resource owner function being generated using said public key.

[0074] The means for providing the resource owner function may comprise means for generating the public key and a corresponding private key.

[0075] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0076] According to a sixth aspect, there is provided a method comprising: providing, to a network, an indication that a common application programming interface framework is supported by the user equipment; determining a first key for the common application programming interface framework; and using the first key to determine an authentication code for a resource owner function associated with the user equipment.

[0077] The authentication code may comprise a hash-based message authentication code.

[0078] The method may comprise receiving a request from the resource owner function for the authentication code with a random string, said random string further being used to determine the authentication code.

[0079] The method may comprise providing the authentication code to the resource owner function.

[0080] The method may comprise generating the random string.

[0081] The method may comprise receiving the random string from the common application programming interface framework core function.

[0082] The method may comprise providing the authentication code to the common application programming interface framework core function.

[0083] The method may comprise receiving a certificate for the resource owner function from the common application programming interface framework core function and using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0084] The secure channel may be a mutual transport layer security secure channel.

[0085] The method may comprise providing a public key to the common application programming interface framework core function, the certificate for the resource owner function being generated using said public key.

[0086] The method may comprise generating the public key and a corresponding private key.

[0087] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0088] The method may be performed by an apparatus. The apparatus may be a user equipment. The user equipment may comprise the resource owner function.

[0089] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the sixth aspect.

[0090] According to a seventh aspect, there is provided an apparatus comprising a common application programming interface framework core function, the common application programming interface framework core function comprising: means for receiving a first authentication code for a resource owner function from the resource owner function; means for comparing the first authentication code with a second authentication code based on a first key for the common application programming interface framework; and means for authenticating the resource owner function based on the comparing of the first authentication code with the second authentication code.

[0091] The first and the second authentication codes may comprise a hash-based message authentication code.

[0092] The apparatus may comprise means for sending a request for the second authentication code to a network entity.

[0093] The request for the second authentication code may comprise identity information associated with a user equipment with which the resource owner function is associated.

[0094] The request for the second authentication code may comprise a random string, said random string being used to provide the first authentication code.

[0095] The apparatus may comprise means for sending the random string to the resource owner function for the providing of the first authentication code.

[0096] The apparatus may comprise means for generating the random string.

[0097] The apparatus may comprise means for receiving the random string from the resource owner function.

[0098] The apparatus may comprise means for generating a certificate for the resource owner function when the resource owner is authenticated and means for providing the certificate to the resource owner function, the certificate being used for a secure channel between the resource owner function and the common application programming interface framework core function.

[0099] The secure channel may be a mutual transport layer security secure channel.

[0100] The apparatus may comprise means for receiving a public key from the resource owner function, the certificate for the resource owner function being generated using said public key.

[0101] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0102] According to an eighth aspect, there is provided a method comprising: receiving a first authentication code for a resource owner function from the resource owner function; comparing the first authentication code with a second authentication code based on a first key for a common application programming interface framework; and authenticating the resource owner function based on the comparing of the first authentication code with the second authentication code.

[0103] The first and the second authentication codes may comprise a hash-based message authentication code.

[0104] The method may comprise sending a request for the second authentication code to a network entity.

[0105] The request for the second authentication code may comprise identity information associated with a user equipment with which the resource owner function is associated.

[0106] The request for the second authentication code may comprise a random string, said random string being used to provide the first authentication code.

[0107] The method may comprise sending the random string to the resource owner function for the providing of the first authentication code.

[0108] The method may comprise generating the random string.

[0109] The method may comprise receiving the random string from the resource owner function.

[0110] The method may comprise generating a certificate for the resource owner function when the resource owner is authenticated and providing the certificate to the resource owner function, the certificate being used for a secure channel between the resource owner function and the common application programming interface framework core function.[OHl] The secure channel may be a mutual transport layer security secure channel.

[0112] The method may comprise receiving a public key from the resource owner function, the certificate for the resource owner function being generated using said public key.

[0113] The certificate for the resource owner function may comprise an identity associated with the resource owner function.

[0114] The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0115] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the eighth aspect.

[0116] According to a ninth aspect, there is provided an apparatus comprising a core network function, the core network function comprising: means for receiving a request to generate a second authentication code from a common application programming interface framework core function; means for generating the second authentication code using a first key for the common application programming interface framework; and means for providing the second authentication code to the common application programming interface framework core function.

[0117] The second authentication code may comprise a hash-based message authentication code.

[0118] The request to generate the second authentication code may comprise identity information associated with a user equipment with which the resource owner function is associated.

[0119] The apparatus may comprise means for using the information associated with the user equipment identity to determine the first key for the common application programming interface framework associated with the user equipment.

[0120] According to a tenth aspect, there is provided a method comprising: receiving a request to generate a second authentication code from a common application programming interface framework core function; generating the second authentication code using a first key for the common application programming interface framework; and providing the second authentication code to the common application programming interface framework core function.

[0121] The second authentication code may comprise a hash-based message authentication code.

[0122] The request to generate the second authentication code may comprise identity information associated with a user equipment with which the resource owner function is associated.

[0123] The method may comprise using the information associated with the user equipment identity to determine the first key for the common application programming interface framework associated with the user equipment.

[0124] The method may be performed by an apparatus. The apparatus may provide a core network function.

[0125] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the tenth aspect.

[0126] According to a eleventh aspect, there is provided an apparatus comprising a resource owner function, the resource owner function comprising: means for sending a request for a session to a common application programming interface framework core function, said request comprising a public key of the resource owner function and uniform resource identifier information associated with the resource owner function; and means for receiving in response to the request for the session, a certificate for the resource owner function from the common application programming interface framework core function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0127] The certificate may be used for establishing a secure channel between the resource owner function and the common application programming interface framework core function.

[0128] The secure channel may be a mutual transport layer security secure channel.

[0129] The apparatus may comprise means for generating the public key and a corresponding private key

[0130] The certificate for the resource owner function may be generated using said public key.

[0131] The apparatus may comprise means for establishing a connection with the common application programming interface framework core function using a certificate associated with the common application programming interface framework core function, said request for the session being sent via the connection with the common application programming interface framework core function.

[0132] The apparatus may comprise means for receiving information indicating that the certificate for the resource owner function has been revoked, via a uniform resource identifier associated with the uniform resource identifier information.

[0133] The means for sending may be for sending a further request to the common application programming interface framework core function when the information indicating that the certificate for the resource owner function has been revokes has been received, said further request comprising the public key of the resource owner function and the call back uniform resource identifier information associated with the resource owner function.

[0134] The means for receiving may be for receiving in response to the further request, a further certificate for the resource owner function from the common application programming interface framework core function, the further certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0135] The uniform resource identifier information may be associated with a call-back uniform resource identifier or a redirect uniform resource identifier.

[0136] According to a twelfth aspect, there is provided a method comprising: sending a request for a session to a common application programming interface framework core function, said request comprising a public key of the resource owner function and uniform resource identifier information associated with the resource owner function; and receiving in response to the request for the session, a certificate for the resource owner function from the common application programming interface framework core function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0137] The certificate may be used for establishing a secure channel between the resource owner function and the common application programming interface framework core function.

[0138] The secure channel may be a mutual transport layer security secure channel.

[0139] The method may comprise generating the public key and a corresponding private key

[0140] The certificate for the resource owner function may be generated using said public key.

[0141] The method may comprise establishing a connection with the common application programming interface framework core function using a certificate associated with the common application programming interface framework core function, said request for the session being sent via the connection with the common application programming interface framework core function.

[0142] The method may comprise receiving information indicating that the certificate for the resource owner function has been revoked, via a uniform resource identifier associated with the uniform resource identifier information.

[0143] The method may comprise sending a further request to the common application programming interface framework core function when the information indicating that the certificate for the resource owner function has been revokes has been received, said further request comprising the public key of the resource owner function and the call back uniform resource identifier information associated with the resource owner function.

[0144] The method may comprise receiving in response to the further request, a further certificate for the resource owner function from the common application programming interface framework core function, the further certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0145] The uniform resource identifier information may be associated with a call-back uniform resource identifier or a redirect uniform resource identifier.

[0146] The method may be performed by an apparatus.

[0147] The apparatus may be provided in a user equipment.

[0148] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the twelfth aspect.

[0149] According to a thirteenth aspect, there is provided an apparatus comprising a common application programming interface framework core function, the common application programming interface framework core function comprising: means for receiving a request for a session from a resource owner function, said request comprising a public key of the resource owner function and call back uniform resource identifier information associated with the resource owner function; means for determining a certificate for the resource owner function; and means for sending the certificate for the resource owner function to the resource owner function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0150] The certificate may be used for establishing a secure channel between the resource owner function and the common application programming interface framework core function.

[0151] The secure channel may be a mutual transport layer security secure channel.

[0152] The request for the session may comprise an authentication and key management for applications key identifier and the apparatus comprises means for sending a request to a network entity for identity information associated with a user equipment associated with the resource owner function with the authentication and key management for applications key identifier.

[0153] The apparatus may comprise means for receiving from the network identity information associated with the user equipment.

[0154] The certificate for the resource owner function may be generated using said public key.

[0155] The apparatus may comprise means for providing information to the resource owner function, the information indicating that the certificate for the resource owner function has been revoked, the information being provided via a uniform resource identifier associated with the uniform resource identifier information.

[0156] The uniform resource identifier information may be associated with a call-back uniform resource identifier or a redirect uniform resource identifier.

[0157] According to a fourteenth aspect, there is provided a method comprising: receiving a request for a session from a resource owner function, said request comprising a public key of the resource owner function and call back uniform resource identifier information associated with the resource owner function; determining a certificate for the resource owner function; and sending the certificate for the resource owner function to the resource owner function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0158] The certificate may be used for establishing a secure channel between the resource owner function and the common application programming interface framework core function.

[0159] The secure channel may be a mutual transport layer security secure channel.

[0160] The request for the session may comprise an authentication and key management for applications key identifier and the apparatus comprises means for sending a request to a network entity for identity information associated with a user equipment associated with the resource owner function with the authentication and key management for applications key identifier.

[0161] The method may comprise receiving from the network identity information associated with the user equipment.

[0162] The certificate for the resource owner function may be generated using said public key.

[0163] The method may comprise providing information to the resource owner function, the information indicating that the certificate for the resource owner function has been revoked, the information being provided via a uniform resource identifier associated with the uniform resource identifier information.

[0164] The uniform resource identifier information may be associated with a call-back uniform resource identifier or a redirect uniform resource identifier.

[0165] The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0166] The apparatus may comprise at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to perform any one of the methods of the fourteenth aspect.

[0167] According to another aspect, there is provided a computer readable medium comprising program instructions stored thereon for performing at least one of the above methods.

[0168] According to an aspect, there is provided a non-transitory computer readable medium comprising program instructions stored thereon for performing at least one of the above methods.

[0169] According to an aspect, there is provided a non-volatile tangible memory medium comprising program instructions stored thereon for performing at least one of the above methods.

[0170] In the above, many different aspects have been described. It should be appreciated that further aspects may be provided by the combination of any two or more of the aspects described above.

[0171] Various other aspects are also described in the following detailed description and in the attached claims.DESCRIPTION OF FIGURES

[0172] Some example embodiments will now be described, by way of non-limiting and illustrative example only, with reference to the accompanying Figures in which:

[0173] Fig. 1 illustrates an example common API Framework (CAPIF) configuration;

[0174] Fig. 2a illustrates a first procedure of some embodiments;

[0175] Fig. 2b illustrates a second procedure of some embodiments;

[0176] Fig. 3a illustrates a third procedure of some embodiments;

[0177] Fig. 3b illustrates a part of the third procedure in more detail;

[0178] Fig. 4 a schematic representation of a communication system for example a 5G communication system (5GS);

[0179] Fig. 5 illustrate a first example method of some embodiments;

[0180] Fig. 6 illustrates a second example method of some embodiments;

[0181] Fig. 7 illustrates a third example method of some embodiments;

[0182] Fig. 8 illustrates a fourth example method of some embodiments;

[0183] Fig. 9 illustrates a fifth example method of some embodiments;

[0184] Fig. 10 illustrates a sixth example method of some embodiments;

[0185] Fig. 11 illustrates a seventh example method of some embodiments; and

[0186] Fig.12 shows an example of an apparatus.DETAILED DESCRIPTION

[0187] The following embodiments are provided by way of non-limiting and illustrative example. Although the specification may refer to “an”, “one”, or “some” embodiment(s) in several locations of the text, this does not necessarily mean that each reference is made to the same embodiment(s), or that a particular feature only applies to a single embodiment. Single features of different embodiments may also be combined to provide other embodiments. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it intended such feature, structure, or characteristic may be applied in connection with other embodiments (whether or not explicitly described).

[0188] It shall be understood that although the terms “first,” “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another.

[0189] For the purposes of this disclosure, the phrases “at least one of A or B”, “at least one of A and B”, and “A and / or B” means (A), (B), or (A and B). For the purposes of this disclosure, the phrase “A, B, and / or C” means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B, and C).

[0190] As used herein, the term “or” refers to a non-exclusive “or” unless otherwise indicated (e.g., use of “or else” or “or in the alternative”).

[0191] As used herein, unless stated explicitly, performing a respective feature, step, or functionality “in response to A” does not indicate that the respective feature, step, or functionality is performed immediately after “A” occurs as one or more intervening features, steps, or functionalities may be performed (at least in part) between an occurrence of the respective feature, step, or function and “A”. Analogously, performing a respective feature, step, or functionality “based on A” does not indicate that the respective feature, step, or functionality is performed solely based on “A” as the respective feature, step, or functionality may be further based on one or more other features, steps, or functionalities in addition to “A”. Embodiments described may be implemented in a communication network, such as any of the following radio access technologies (RATs): Worldwide Interoperability for Micro-wave Access (WiMAX), Global System for Mobile communications (GSM, 2G), GSM EDGE radio access Network (GERAN), General Packet Radio Service (GRPS), Universal Mobile Telecommunication System (UMTS, 3G) based on basic wideband-code division multipleaccess (W-CDMA), high-speed packet access (HSPA), Long Term Evolution (LTE), LTE-Advanced, and enhanced LTE (eLTE), 5G (also called NR), 6G, or beyond. Moreover, communication within the communication network may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiple (OFDM), and / or Discrete Fourier Transform spread OFDM (DFT-s-OFDM). In the following, reference to a UE is to be understood to be a reference to any suitable terminal device.

[0192] The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example, a terminal device may be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), or a Mobile Station (MS). The terminal device may include a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehiclemounted wireless terminal devices, USB dongles, an Internet of Things (loT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and / or other wireless devices operating in an industrial and / or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and / or industrial wireless networks, and / or the like.

[0193] Fig. 4 shows a schematic representation of a communication system for example a 5G communication system (5GS). The 5GS may comprise a user equipment (UE), a 5G core network (5GC) 202, and one or more application functions 203. The UE may connect to the 5GC via a radio access node 110 of a radio access network. An application function 203 may be deployed in the 5GS as trusted application function or may be deployed or host on one or more application servers of the data network (DN) 204. Such application functions may be untrusted application functions. The 5GS connects the UE to a data network, the access network, and the 5GC 202 (e.g., a UPF of the 5GC).

[0194] The 5GC may comprise the following network functions: Network Slice Selection Function (NSSF); Network Exposure Function (NEF) 205; Network Repository Function (NRF); Policy Control Function (PCF); Unified Data Management (UDM) 206; ApplicationFunction (AF) 203; Authentication Server Function (AUSF) 207; an Access and Mobility Management Function (AMF) 208; Session Management Function (SMF) 209; and a user plane function (UPF) 210.

[0195] Fig. 4 also shows the various interfaces (Nl, N2 etc.) that may be implemented between the various elements of the system. Not all of the above network functions are shown in Fig. 4, and that in some examples the 5GC may comprise additional network functions other than those mentioned above.

[0196] The AMF 208 may handle termination of non-access stratum (NAS) signalling, NAS ciphering & integrity protection, registration management, connection management, mobility management, access authentication and authorization, security context management. The UPF 210 may support packet routing and forwarding, packet inspection and quality of service (QoS) handling, for example.

[0197] Some embodiments relate to a common API framework (CAPIF).

[0198] CAPIF was specified by 3GPP in Rel-15 for providing a framework for accessing northbound 3 GPP APIs.

[0199] Fig. 1 shows a functional security architecture of CAPIF framework when RNAA (Resource owner-aware Northbound API Access) is supported. The resource owner may be a user of a UE or an owner of the subscription or the like. The resource owner may depend on the use case and / or associated regulations.

[0200] By way of example, a northbound interface is an API that enables a lower-level network layer or component to communicate with a higher-level network layer or component. A southbound interface enables a higher-level network layer or component to communicate with a lower-level network layer or component.

[0201] A CAPIF framework such as shown in Fig. 1 may have:I. an API provider which is an entity exposing one or more APIs, e.g., also referred to as an API exposing function (AEF) 303C. For example, in a 5G network, an AEF may be implemented by a network exposure function or NEF;II. an API Invoker 304, 305, which is an entity that consumes one or more APIs; and III. a CAPIF core function (CCF) 302 that manages interactions between the AEFs and API Invokers.

[0202] Fig. 1 illustrates a trusted domain that comprises at least one resource owner function ROF 301. The trusted domain function comprises a CAPIF core function (CCF) 302 that comprises an authorisation function 302A and at least one CAPIF API 302B. The trusteddomain function comprises an API provider domain 303 that comprises an API management function 303 A, an API publishing function 303B, an API exposing function 303C and at least one service API 303D, and a first API Invoker 304. Fig. 1 further illustrates a second API Invoker 305 located outside of the trusted domain, and various interfaces between the entities mentioned herein.

[0203] The resource owner function (ROF) may be deployed on the UE.

[0204] The authorization function may be a part of the CCF, as shown in Fig. 1.

[0205] This framework of Fig. 1 may use authorisation mechanisms as defined in the OAuth 2.0 framework The API invoker may be an OAuth 2.0 client.

[0206] The OAuth 2.0 client and the CCF may communicate using HTTPS (hypertext transfer protocol secure).

[0207] Different functional security models may be envisioned for the API invoker in relation to the ROF. The API invoker may be inside or outside of the trusted domain.

[0208] For example, the API invoker may be part of the UE and located on the device.

[0209] For example, the API invoker can be independent from the UE but still located on the device, for example deployed by a third party.

[0210] For example, the API invoker may be independent from the UE and located outside of the device. For example, the API invoker may be located on a game server.

[0211] Some embodiments may relate to the security procedures between the ROF and CCF. The interface between the ROF and CCF may be referred to as the CAPIF-8 interface or reference point.

[0212] The CAPIF may allow the resource owner to provide authorization to the API invoker for resource access. For that purpose, the CAPIF-8 reference point was introduced to CAPIF RNAA.

[0213] Some embodiments may relate to security associated with RNAA.

[0214] Current proposals do not address issues relating to secure transport of messages over CAPIF-8. Some embodiments may address or at least mitigate this issue.

[0215] Current proposals do not define the security procedures between the ROF and the authorization function / CCF supporting the resource owner-aware Northbound API Access (RNAA). Some embodiments may address or at least mitigate this issue.

[0216] It has been appreciated that without integrity protection for CAPIF-8 reference point, messages over the CAPIF-8 reference point may be modified by attackers in some scenarios. Some embodiments may address or at least mitigate this issue.

[0217] It has been appreciated that without confidentiality protection for CAPIF-8 reference point, messages over the CAPIF-8 reference point may be sniffed by attackers. Some embodiments may address or at least mitigate this issue.

[0218] It has been appreciated that without an anti-replay attack mechanism for CAPIF-8 reference point, messages over the CAPIF-8 reference point can be replayed by attackers. Some embodiments may address or at least mitigate this issue.

[0219] It has been proposed to protect the CAPIF-8 reference point based on the following. The authentication of the CCF may be based on the certificate of the CCF. The TLS (transport layer security) secure channel may be used to provide messages exchanged between the ROF and the CCF with integrity protection, confidentiality protection and / or replay protection.

[0220] Some embodiments may provide a ROF certificate to allow for mutual authentication after an initial request. This certificate may allow the performance of mTLS (mutual TLS) between the ROF and CCF in one or more subsequent communications.

[0221] In some embodiments, the ROF is a user-agent in UE. The ROF may be, for example, a web browser interface. The RO may be the (human) user or subscriber.

[0222] A ROF certificate may be a certificate to authenticate the user or subscriber behind the ROF. A ROF certificate may be specific for a ROF on a UE, i.e. specific to the subscriber of the UE.

[0223] In some embodiments a key (K-CAPIF) associated with CAPIF may be generated and used.

[0224] Some embodiments may allow the RO behind the ROF to be authenticated through key derivation based on the UE’s master key.

[0225] In some embodiments, a CAPIF specific secret cryptographic key (K-CAPIF) may be generated. This may be part of a key derivation process. This may be part of a 5G or 6G key derivation process. The CAPIF specific secret cryptographic key is referred to as K-CAPIF in the following.

[0226] In some embodiments, the K-CAPIF may be used for a first authentication of ROF to CCF. This may be via UE involvement.

[0227] In some embodiments, the UE may provide an indication that the CAPIF can be used by the UE.

[0228] In some embodiments, the CCF may compare a UE and core network generated hashbased message authentication code (HMAC). The core network may be a 5G core network, a6G core network or any other suitable core network. An AUSF or another network function of the core network may generate the HMAC.

[0229] In some embodiments, the CCF may provide the ROF with a certificate. This certificate may be referred to as a ROF certificate. The certificate may be a TLS certificate.

[0230] The certificate may be used to establish a secure connection between the ROF and the CCF for subsequent communication. The secure connection may be a mTLS connection.

[0231] Reference is made to Fig. 2a which shows a first example of a procedure of some embodiments

[0232] The part of the procedure relating to a first-time connection will now be described.

[0233] As referenced by 1, the UE sends a registration request to the core network. In this example, the core network is a 5G core network. In other embodiments, the core network may be any other suitable core network, for example a 6G core network

[0234] If CAPIF is to be used by UE, UE may indicate this to the core network. In this example, the UE indicates that CAPIF is to be used by the UE in the registration request.

[0235] As referenced by 2, primary authentication is performed between the UE and the core network. In the example show in Fig. 2a, the primary authentication is between the UE and the AUSF in the 5GC. A registration procedure in which the UE is registered with the core network may be performed. The primary authentication may be part of the registration procedure.

[0236] If CAPIF is supported by the network, then the network may send an indication that CAPIF is allowed to the UE. Optionally the CCF root certificate may be sent by the network to the UE. The indication that CAPIF is allowed and / or the CCF root certificate may be sent to the UE in a registration complete message.

[0237] It should be appreciated that the UE may obtain the CCF root certificate other than via the part of the procedure referenced 2.

[0238] As referenced by 2a, a key, K-AUSF, is derived at both the UE and the AUSF. This key, K-AUSF, may be used to derive other keys for authentication and encryption. In other embodiments, the relevant key may be derived at a different entity of the core network.

[0239] If the CAPIF allowed indication is provided by the UE and CAPIF is also supported by the network, then a key for use with CAPIF, K-CAPIF, is derived at the UE and the AUSF. In other embodiments, the relevant key may be derived at a different entity of the core network.

[0240] As referenced by 3, the ROF establishes a server-based TLS connection with the CCF. The ROF validates the CCF certificate using the CCF root certificate to establish the TLSconnection. The ROF may have knowledge of the root CCF certificate from the UE, from the network, or in any other way.

[0241] As referenced by 4a, the ROF may generate a random string / challenge.

[0242] As referenced by 4b, the ROF requests the UE to generate from the random-string a hash-based message authentication code HMAC. The ROF provides the random string / challenge to the UE in the request.

[0243] As referenced by 4c, the UE generates from the random-string a hash-based message authentication code HMAC, using its K-CAPIF.

[0244] As referenced by 4d, the ROF receives the HMAC from the UE.

[0245] The part of the procedure referenced 4a to 4d may be regarded as a HMAC procedure.

[0246] As referenced by 5, the ROF generates a public-private key pair. It should be appreciated that the generating of the public-private key pair may take place at any suitable time, for example, before the HMAC procedure, at least partly in parallel with the HMAC procedure, or after the HMAC procedure.

[0247] As referenced by 6, the ROF sends an authentication and certificate request to CCF. The ROF may be triggered to send the authentication and certificate request to CCF by the CCF, or by RO (user) involvement or in any other way. For example, the RO may be triggered to send the authentication and certificate request to CCF based on an automatic web browser configuration. The authentication and certificate request may comprise one or more of:GPSI (generic public subscription identifier) and / or SUPI (subscription permanent identifier); the UE-generated HMAC; the random string / challenge if self-generated; and / or the public key generated by the ROF.

[0248] As referenced by 7, the CCF sends a request for the generation of a HMAC to the AUSF or other suitable network entity. The CCF may include one or more of the GPSESUPI and the random string / challenge. This may be the GPSI / SUPI and / or the random string / challenge received from the ROF.

[0249] As referenced by 8, the AUSF or other suitable network entity identifies the K-CAPIF associated with SUPI / GPSI and generates the HMAC on the random string using K-CAPIF.

[0250] As referenced by 9, the AUSF or other suitable network entity sends the generated HMAC to the CCF. This may be sent in a response to the request for the generation of the HMAC.

[0251] As referenced by 10, the CCF compares the HMAC received from the AUSF or other suitable network entity with the HMAC received from the ROF. If the two HMACs are thesame, the HMACs are validated. This means that the authentication of the ROF is successful. On successful authentication of the ROF, the CCF generates a ROF certificate The ROF certificate is generated using the public key received from the ROF. The ROF certificate may comprise the resource owner identity.

[0252] As referenced by 11, the CCF sends an authentication and certificate response to the UE. The authentication and certificate response comprises the ROF certificate.

[0253] The part of the procedure relating to a subsequent connection will now be described.

[0254] As referenced by 12 and 13, the ROF creates a mTLS connection with the CCF using the ROF certificate received from the CCF.

[0255] Reference is made to Fig. 2b which shows a second example of a procedure of some embodiments

[0256] The part of the procedure relating to a first-time connection will now be described.

[0257] The parts of the procedure referenced 1, 2 and 2a are as described in relation to Fig. 2a.

[0258] As referenced by 3, the ROF may have knowledge of the CCF root certificate based in any r suitable way. The knowledge of the CCF root certificate may be via the UE. Using the CCF root certificate, the ROF can validate / authenticate the CCF certificate during TLS connection

[0259] As referenced by 4, the ROF establishes a server-based TLS connection with the CCF using the CCF root certificate.

[0260] As referenced by 5, the CCF generates a random string or challenge.

[0261] As referenced by 6, the CCF sends to the ROF a request to for the ROF to generate a HMAC. The CCF provides the random string or challenge in the request. This request may be an authentication request.

[0262] As referenced by 7a, the ROF requests the UE to generate from the random-string a hash-based message authentication code HMAC. The ROF provides the random string / challenge to the UE.

[0263] As referenced by 7b, the UE generates from the random-string a hash-based message authentication code HMAC, using its K-CAPIF.

[0264] As referenced by 7c, the ROF receives the HMAC from the UE.

[0265] The part of the procedure referenced 7a to 7c may be regarded as a HMAC procedure.

[0266] As referenced by 7d, the ROF generates a public-private key pair. It should be appreciated that the generating of the public-private key pair may take place at any suitabletime, for example, before the HMAC procedure, at least partly in parallel with the HMAC procedure, or after the HMAC procedure.

[0267] As referenced by 8, the ROF sends a response to the request to generate the HMAC. The response may comprise one or more of:GPSI (generic public subscription identifier) and / or SUPI (subscription permanent identifier); the UE-generated HMAC; the random string / challenge; a callback URI; and / or the public key generated by the ROF. The callback URI indicates where the ROF certificate is to be delivered.

[0268] As referenced by 9, the CCF sends a request for the generation of a HMAC to the AUSF or other suitable network entity. The CCF may include one or more of the GPSI / SUPI and the random string / challenge. This may be the GPSI / SUPI and / or the random string / challenge received from the ROF.

[0269] As referenced by 10, the AUSF or other suitable network entity identifies the K-CAPIF associated with SUPI / GPSI and generates the HMAC on the random string using K-CAPIF.

[0270] As referenced by 11, the AUSF or other suitable network entity sends the generated HMAC to the CCF. This may be sent in a response to the request for the generation of the HMAC.

[0271] As referenced by 12, the CCF compares the HMAC received from the AUSF or other suitable network entity with the HMAC received from the ROF. If the two HMACs are the same, the HMACs are validated. This means that the authentication of the ROF is successful. On successful authentication of the ROF, the CCF generates a ROF certificate The ROF certificate is generated using the public key received from the ROF. The ROF certificate may comprise the resource owner identity.

[0272] As referenced by 13, the CCF sends an authentication and certificate response to the UE. The authentication and certificate response comprises the ROF certificate.

[0273] The part of the procedure relating to a subsequent connection will now be described.

[0274] As referenced by 14 and 15, the ROF creates a mTLS connection with the CCF using the ROF certificate received from the CCF.

[0275] In this example, the CCF may not have access to any keys related to the UE. Instead, the CCF only needs to authenticate the ROF. The CCF authenticates the ROF by verifying the information through the 5GC or other suitable core network.

[0276] In one modification, to the example of Fig. 2a or to the example of Fig. 2b, the K-CAPIF may be sent to CCF by the network entity, for example AUSF. In this embodiment, theCCF on receiving the random string from the ROF, generates a HMAC locally and validates that HMAC with the one received from ROF. The CCF therefore does not need the AUSF (5GC) to generate the HMAC.

[0277] One example of a key derivation for K-CAPIF is as follows:

[0278] Generally, the key may be derived using

[0279] Key=KDF (Parent Key, FC IIP 1 ||L11| Other Inputs)

[0280] In one example, K-CAPIF=KDF(K_AUSF,FC||P1 ||L11| Other Inputs)

[0281] The derivation of K-CAPIF is from K-AUSF.

[0282] The following input parameters are used:FC = OxFFPl = random,LI = length of random (i.e. 0x000x04)The input key KEY is K-AUSF.The Pl parameter value is known to UE and the network as part of UE registration procedure

[0283] In some embodiments, as part of a first-time connection of the ROF with the CCF, the ROF determines that does not have a ROF certificate. Alternatively or additionally, the CCF requires further authentication to allow for future mutual authentication and triggers the ROF for authentication.

[0284] The ROF may initiate a request to the CCF. The request may be an application session request. The request may comprise an A-KID (AKMA (authentication and key management for applications) key identifier). This A-KID may be specific to the ROF. ROF authenticates the CCF via CCF certificate.

[0285] The CCF authenticates the ROF based on A-KID and may provide the ROF certificate via the application session response.

[0286] The ROF stores the ROF certificate for future use.

[0287] The CCF may close the connection and mark that ROF certificate is provided so that the CCF can avoid sending the ROF certificate unnecessarily.

[0288] When a connection needs to be made, the ROF may create a mTLS connection with CCF using the ROF certificate.

[0289] Reference is made to Fig. 3awhich shows a third example of a procedure of some embodiments

[0290] The part of the procedure relating to a first-time connection will now be described.

[0291] As referenced by la, there is a primary authentication between the UE and the core network. In this example, the core network is a 5G core network. The primary authentication may take place between the UE and the AUSF of the 5G core network. In other examples, the core network may be any other suitable core network such as a 6G core network. The successful primary authentication results in K-AUSF being stored at the AUSF and the UE.

[0292] As referenced by lb, the UE and 5GC generate a AKMA (authentication and key management for applications) Anchor Key (K-AKMA) and the A-KID from the K-AUSF.

[0293] As referenced by 1c, the AanF (AKMA anchor function) stores the A-KID, K-AKMA and SUPI of the UE.

[0294] The AAnF is an anchor function in the HPLMN (home public land mobile network). The AAnF stores the AKMA anchor key (KAKMA) and SUPI / GPSI for an AKMA service, which is received from the AUSF / UDM after the UE completes a successful 5G primary authentication. The AAnF may also generate the key material to be used between the UE and the Application Function (AF) and maintains UE AKMA contexts. In this example, the CCF is the application function. K-AKMA is derived after successful primary authentication. K-AKMA is derived from K-AUSF. A-KID may allow the AKMA AF to identify the AanF serving the UE. A-KID is usable as a key identifier.

[0295] As referenced by 2, the ROF knows the CCF root CA (certificate authority) certificate. The CCF root certificate may be known to the ROF from the UE, from the network, or through another channel.

[0296] As referenced by 3, the ROF establishes a TLS connection with the CCF. The TLS connection is based on the CCF root certificate.

[0297] As referenced by 4, the ROF generates a private - public key pair.

[0298] As referenced by 5, the ROF sends an application session establishment request to the CCF to establish application session. This request is sent via the TLS connection. The request may comprise one or more of:the A-KID; a call back URI; and / or the public key of the private-public key pair.

[0299] As referenced by 6, the CCF which acts as an AF in AKMA terminology gets the SUPEGPSI of the UE associated with the A-KID. The CCF uses the A-KID received from the ROF to get the SUPI / GPSI of the UE. This allows the CCF to indirectly authenticates the ROF running on the UE as only the right ROF knows the A-KID. The CCF generates ROF certificate using the public key received from ROF

[0300]

[0301] Reference is made to Fig. 3b which shows an example implementation of the part of the procedure referenced 6. This may be partly based on the procedure shown in Fig. 6.2-1: KAF generation from KAKMA of 3GPP TS 33. 535 to get the SUPI / GPSI of the UE associated with the A-KID. The current AKMA procedures may be modified in some embodiments such that k-AF does not need be generated and / or sent to the CCF.

[0302] As shown in Fig. 3c, as referenced 6a, a get request is sent by the CCF to the AanF. The request comprises the identity of the CCF, CCF-ID and the A-KID.

[0303] As referenced 6b, the AanF sends a request to the UDM with an identifier translation associated with the CCF identifier and the SUPI of the UE.

[0304] As referenced 6c, the UDM sends a get response to the AanF which comprises the GPSI of the UE.

[0305] As referenced 6d, the AanF sends the SUPI / GPSI of the UE to the CCF.

[0306]

[0307] Referring back to Fig. 3a, as referenced 7, the CCF sends a response to the request received from the ROF. The response may be an application session response. The response sent by the CCF to the ROF may comprise the ROF certificate.

[0308] As referenced 8 and 9, the ROF uses the ROF certificate to communicate with the CCF via a mTLS connection.

[0309] As referenced 10, the CCF revokes the ROF certificate.

[0310] As referenced 11, the CCF informs the ROF that the ROF certificate has been revoked. The CCF notifies the ROF via the call back URI received by the CCF in the part of the procedure referenced by 5.

[0311] As referenced 12, the ROF and CCF may repeat the part of the part of the procedure referenced 3 to 7 to get a new certificate for the ROF.

[0312] In relation to the embodiments discussed in relation to Figs. 2a, 3b or 3, the ROF certificate may be revoked.

[0313] In the case that the ROF certificate is revoked, the CCF will provide an indication to the ROF that the ROF certificate had been revoked.

[0314] Alternatively, the ROF will become aware that the ROF certificate is revoked when the ROF attempts to connect to the CCF via mTLS using the revoked ROF certificate. The CCF reject the attempt to connect with the revoked ROF certificate. The CCF will provide a response to the ROF with an indication that the ROF certificate is not valid.

[0315] The CCF may store information indicating that the ROF certificate is revoked. The CCF may store information indicating that a new ROF certificate needs to be provided. In this case, when the ROF certificate is attempted to be used, for example in the part of the procedure referenced 13 in Fig.2a, the part of the procedure referenced 15 in Fig.2b, or the part of the procedure referenced 9 in Fig.3, a message may be sent to the UE indicating that ROF certificate is invalid or revoked. The ROF would repeat the procedure to get a new ROF certificate.

[0316] Reference is made to Figs. 5 to 11 which show some methods of some example embodiments.

[0317] Each method may be performed by an apparatus.

[0318] The apparatus may comprise suitable means, such as circuitry for providing the respective method.

[0319] Alternatively or additionally, the apparatus may comprise at least one processor and at least one memory storing instructions that, when executed by the at least one processor cause the apparatus at least to provide the respective method.

[0320] Alternatively or additionally, the apparatus may be such as discussed in relation to Fig.12.

[0321] The respective methods may be provided by computer program code or computer executable instructions.

[0322] Reference is made to Fig. 5. The method may be performed by an apparatus. The apparatus may comprise a resource owner function. The apparatus may be or provided in a user equipment.

[0323] The method comprises as referenced Al, receiving a certificate for a resource owner function from a common application programming interface framework core function.

[0324] The method comprises as referenced A2, using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

[0325] It should be appreciated that the method described in relation to Fig. 5 may be modified to include one or more of the features discussed in relation to the previous examples.

[0326] Reference is made to Fig. 6. The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0327] The method comprises as referenced Bl, determining a certificate for a resource owner function.

[0328] The method comprises as referenced B2, sending the certificate for the resource owner function to the resource owner function.

[0329] The method comprises as referenced B3, using the certificate for the resource owner function for a secure channel between the resource owner function and a common application programming interface framework core function.

[0330] It should be appreciated that the method described in relation to Fig. 6 may be modified to include one or more of the features discussed in relation to the previous examples.

[0331] Reference is made to Fig. 7. The method may be performed by an apparatus. The apparatus may be or provided in a user equipment.

[0332] The method comprises as referenced Cl, providing, to a network, an indication that a common application programming interface framework is supported by the user equipment.

[0333] The method comprises as referenced C2, determining a first key for the common application programming interface framework.

[0334] The method comprises as referenced C3, using the first key to determine an authentication code for a resource owner function associated with the user equipment.

[0335] It should be appreciated that the method described in relation to Fig. 7 may be modified to include one or more of the features discussed in relation to the previous examples.

[0336] Reference is made to Fig. 8. The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0337] The method comprises as referenced DI, receiving a first authentication code for a resource owner function from the resource owner function.

[0338] The method comprises as referenced D2, comparing the first authentication code with a second authentication code based on a first key for a common application programming interface framework.

[0339] The method comprises as referenced D3, authenticating the resource owner function based on the comparing of the first authentication code with the second authentication code.

[0340] It should be appreciated that the method described in relation to Fig. 8 may be modified to include one or more of the features discussed in relation to the previous examples.

[0341] Reference is made to Fig. 9. The method may be performed by an apparatus. The apparatus may comprise a core network function, for example an AUSF.

[0342] The method comprises as referenced El, receiving a request to generate a second authentication code from a common application programming interface framework core function.

[0343] The method comprises as referenced E2, generating the second authentication code using a first key for the common application programming interface framework.

[0344] The method comprises as referenced E3, providing the second authentication code to the common application programming interface framework core function.

[0345] It should be appreciated that the method described in relation to Fig. 9 may be modified to include one or more of the features discussed in relation to the previous examples.

[0346] Reference is made to Fig. 10. The method may be performed by an apparatus. The apparatus may comprise a resource owner function. The apparatus may be or provided in a user equipment.

[0347] The method comprises as referenced Fl, sending a request for a session to a common application programming interface framework core function, said request comprising a public key of the resource owner function and uniform resource identifier information associated with the resource owner function.

[0348] The method comprises as referenced F2, receiving in response to the request for the session, a certificate for the resource owner function from the common application programming interface framework core function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0349] It should be appreciated that the method described in relation to Fig. 10 may be modified to include one or more of the features discussed in relation to the previous examples.

[0350] Reference is made to Fig. 11. The method may be performed by an apparatus. The apparatus may comprise a common application programming interface framework core function.

[0351] The method comprises as referenced Gl, receiving a request for a session from a resource owner function, said request comprising a public key of the resource owner function and call back uniform resource identifier information associated with the resource owner function.

[0352] The method comprises as referenced G2, determining a certificate for the resource owner function.

[0353] The method comprises as referenced G3, sending the certificate for the resource owner function to the resource owner function, the certificate being for use in communications between the resource owner function and the common application programming interface framework core function.

[0354] It should be appreciated that the method described in relation to Fig. 11 may be modified to include one or more of the features discussed in relation to the previous examples.

[0355] In some of the embodiments described previously, reference has been made to the determination of a HMAC. It should be appreciated that in other embodiments, any other suitable authentication code may be determined as an alternative to the HMAC.

[0356] In some of the embodiments described previously, reference has been made to the use of SUPI / GPSI as an identifier of the UE. It should be appreciated that in other embodiments, one or more other identifiers associated with the UE may be used instead of or in addition to the SUPI / GPSI. It should be appreciated that in some embodiments only one of the SUPI and GPSI may be used.

[0357] In some of the embodiments described previously, the secure connection has been described as being an mTLS connection. It should be appreciated that this is by way of example only and other embodiments may use any other suitable type of secure connection.

[0358] It should be appreciated that in some environments, the UE comprises the ROF.

[0359] In some of the embodiments described previously, reference is made to a call-back uniform resource identifier. It should be appreciated that this is by way of example only and other embodiments may use any other suitable type of uniform resource identifier information, for example a redirect URI or the like may be used.

[0360] It is understood that references in the above to various network functions may comprise apparatus that perform at least some of the functionality associated with those network functions. Further, an apparatus comprising a network function may comprise a virtual network function instance of that network function.

[0361] Although the apparatuses have been described as one entity, different modules and memory may be implemented in one or more physical or logical entities.

[0362] It is noted that whilst some embodiments have been described in relation to 5G networks and beyond, similar principles can be applied in relation to other networks and communication systems. Therefore, although certain embodiments were described above by way of example with reference to certain example architectures for wireless networks,technologies and standards, embodiments may be applied to any other suitable forms of communication systems than those illustrated and described herein.

[0363] It is also noted herein that while the above describes example embodiments, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the present invention.

[0364] Fig.12 shows, by way of example, a block diagram of an apparatus 10. The apparatus 10 comprises, for example, at least one processor 12 and at least one memory 14 storing instructions 15 that, when executed by the at least one processor, cause the apparatus 10 at least to perform the method or methods (or portion(s) there-of) as disclosed herein, and any of the embodiments (or respective portion(s) thereof). In an example, the at least one memory and the instructions (e.g. a computer program code, software), are configured, with the at least one processor, to cause the apparatus 10 to perform the method or methods (or portion(s) thereof) as disclosed herein, and any of the embodiments (or respective portion(s) thereof).

[0365] A processor 12 may comprise circuitry, or be constituted as circuitry or circuitries, the circuitry or circuitries being configured to perform phases of methods in accordance with embodiments described herein.

[0366] As used herein, the term “circuitry” may refer to one or more or all of the following: (a) hardware-only circuit implementations, such as implementations in only analog and / or digital circuitry, and (b) combinations of hardware circuits and software, such as, as applicable: (i) a combination of analog and / or digital hardware circuit(s) with software / firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a user equipment, to perform various functions) and (c) hardware circuit(s) and or processor(s), such as a microprocessor s) or a portion of a microprocessor s), that requires software (e.g., firmware) for operation, but the soft-ware may not be present when it is not needed for operation. This definition of circuitry applies to all uses of this term herein, including in any claims. As a further example, as used herein, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and / or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.

[0367] The memory 14 may be implemented using any suitable data storage technology. The memory may comprise a database for storing data. The memory 14 may, for example, be at least in part external to apparatus 10 but accessible to apparatus 10.

[0368] The instructions 15 may be comprised in a computer readable medium or a non-transitory computer readable medium. A term non-transitory, as used herein, is a limitation of the medium itself (i.e. tangible, not a signal) as opposed to a limitation on data storage persistency (e.g. random-access memory, RAM, vs. read only memory, ROM).

[0369] For example, the apparatus 10 may be provide a ROF. The apparatus may comprise a chipset, The apparatus 10 may be caused or configured to perform at least the method of Figs.5 and 10, and / or any one or more of the embodiments described herein.

[0370] For example, the apparatus 10 may be a UE or provided in a UE. The UE may comprise the ROF. The apparatus may comprise a chipset, The apparatus 10 may be caused or configured to perform at least the method of Fig. 5, 7, orlOa and / or any one or more of the embodiments described herein.

[0371] For example, the apparatus 10 may provide an CCF. The apparatus may comprise a chipset, The apparatus 10 may be caused or configured to perform at least the method of Figs.6, 8 or 11, and / or any one or more of the embodiments described herein.

[0372] For example, the apparatus 10 may provide a network entity, for example an AUSF. The apparatus may comprise a chipset, The apparatus 10 may be caused or configured to perform at least the method of Fig9. 9, and / or any one or more of the embodiments described herein.

[0373] The apparatus may comprise one or more entities of any of protocol layers, such as a MAC entity, an RRC entity, an RLC entity, a PDCP entity or a PHY entity.

[0374] The apparatus 10 optionally comprises a radio interface 16. The radio interface 16 may provide the apparatus 10 with communication capabilities. The radio interface 16 may comprise a receiver configured to receive information in accordance with at least one cellular or non-cellular standard. The radio interface 16 may comprise a transmitter configured to transmit information in accordance with at least one cellular or non-cellular standard. The receiver may comprise more than one receiver. The transmitter may comprise more than one transmitter. The radio interface 16 may comprise a transceiver configured to receive and transmit information in accordance with at least one cellular or non-cellular standard. The transceiver may comprise more than one transceiver.

[0375] The apparatus 10 may optionally comprise a user interface 18 comprising, for example, at least one of a keypad, a microphone, a touch display, a display, a speaker, etc. The user interface 18 may be used to control the apparatus by the user. The user interface 18 may be external to the apparatus 10. For example, the apparatus 10 may be connected to another device, such as a computer, either via wireless or wired connection, and the apparatus 10 is controlled by the user via the computer.

[0376] In an embodiment, at least some of the processes described herein may be carried out by an apparatus comprising means for carrying out at least some of the described processes. Means for performing method steps as disclosed herein may include software and / or hardware components of the apparatus 10. For example, the at least one processor 12, the memory 14, and the computer program code form means for carrying out the method or methods (or portion(s) thereof) as disclosed herein, and any of the embodiments (or respective portion(s) thereof). As used herein the term “means” is to be construed in singular form, i.e. referring to a single element, or in plural form, i.e. referring to a combination of single elements. Therefore, terminology “means for [performing A, B, C]”, is to be interpreted to cover an apparatus in which there is only one means for performing A, B and C, or where there are separate means for performing A, B and C, or partially or fully overlapping means for performing A, B, C. Further, terminology “means for performing A, means for performing B, means for performing C” is to be interpreted to cover an apparatus in which there is only one means for performing A, B and C, or where there are separate means for performing A, B and C, or partially or fully overlapping means for performing A, B, C.

[0377] Even though this disclosure has been described above with reference to non-limiting and illustrative examples according to the accompanying figures, it is clear that the scope of this disclosure is not restricted thereto - but can be modified in many different ways. As technology advances, it will become apparent to a person skilled in art as to how the disclosure can be further implemented and / or modified in various ways. Further, it is clear to a person skilled in the art that the embodiments described herein may, but are not required to, be combined in various ways with other embodiments described herein.

Claims

35CLAIMS1. A user equipment comprising:means for providing, to a network, an indication that a common application programming interface framework is supported by the user equipment;means for determining a first key for the common application programming interface framework; andmeans for using the first key to determine an authentication code for a resource owner function associated with the user equipment.

2. The user equipment as claimed in claim 2, wherein the authentication code comprises a hash-based message authentication code.

3. The user equipment as claimed in claim 1 or 2, comprising means for receiving a request from the resource owner function for the authentication code with a random string, said random string further being used to determine the authentication code.

4. The user equipment as claimed in claim 3, comprising means for providing the authentication code to the resource owner function.

5. The user equipment as claimed in any preceding claim, comprising means for providing the resource owner function.

6. The user equipment as claimed in claim 5 when appended to claim 3 or 4, wherein the means for providing the resource owner function comprises means for generating the random string.

7. The user equipment as claimed in claim 5 when appended to claim 3 or 4, wherein the means for providing the resource owner function comprises means for receiving the random string from the common application programming interface framework core function.

368. The user equipment as claimed in claim 5, 6 or 7, wherein the means for providing the resource owner function comprises means for providing the authentication code to the common application programming interface framework core function.

9. The user equipment as claimed in any of claims 5 to 8, wherein the means for providing the resource owner function comprises means for receiving a certificate for the resource owner function from the common application programming interface framework core function and means for using the certificate for the resource owner function for a secure channel between the resource owner function and the common application programming interface framework core function.

10. The user equipment as claimed in claim 9, wherein the secure channel is a mutual transport layer security secure channel.

11. The user equipment as claimed in claim 9 or 10, wherein the means for providing the resource owner function comprises means for providing a public key to the common application programming interface framework core function, the certificate for the resource owner function being generated using said public key.

12. The user equipment as claimed in claim 11, wherein the means for providing the resource owner function comprises means for generating the public key and a corresponding private key.

13. The user equipment as claimed in any of claims 9 to 12, wherein the certificate for the resource owner function comprises an identity associated with the resource owner function.

14. An apparatus comprising a common application programming interface framework core function, the common application programming interface framework core function comprising:means for receiving a first authentication code for a resource owner function from the resource owner function;means for comparing the first authentication code with a second authentication code based on a first key for the common application programming interface framework; andmeans for authenticating the resource owner function based on the comparing of the first authentication code with the second authentication code.

15. An apparatus comprising a core network function, the core network function comprising:means for receiving a request to generate a second authentication code from a common application programming interface framework core function;means for generating the second authentication code using a first key for the common application programming interface framework; andmeans for providing the second authentication code to the common application programming interface framework core function.

16. A method comprising:providing, to a network, an indication that a common application programming interface framework is supported by the user equipment;determining a first key for the common application programming interface framework; andusing the first key to determine an authentication code for a resource owner function associated with the user equipment.

17. A method comprising:receiving a first authentication code for a resource owner function from the resource owner function;comparing the first authentication code with a second authentication code based on a first key for a common application programming interface framework; and authenticating the resource owner function based on the comparing of the first authentication code with the second authentication code.

18. A method comprising:receiving a request to generate a second authentication code from a common application programming interface framework core function;generating the second authentication code using a first key for the common application programming interface framework; andproviding the second authentication code to the common application programming interface framework core function.

19. A computer program comprising computer executable instructions which when executed cause the method of claim 16, 17, or 18 to be performed.