WO2025034237A1 - Security in a distributed nas connection terminations architecture - Google Patents
Security in a distributed NAS connection terminations architecture
- Publication number: WO2025034237A1 (PCT application PCT/US2023/071929)
- Authority: WO (WIPO, PCT)
- Prior art keywords: nas; network function; key set; assigned; function entity
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- Embodiments of the present disclosure generally relate to wireless communication, and more particularly, to methods and apparatuses for security in a distributed non-access stratum (NAS) connection terminations architecture.
- NAS non-access stratum
- a NAS connection for a user equipment is always terminated in the serving network at a single network function (NF), e.g. access and mobility management function (AMF), as shown in FIG. 1.
- NF network function
- AMF access and mobility management function
- a single NAS connection is supported per access type, i.e., 3GPP or non-3GPP access, and per PLMN.
- the NAS connection is integrity, confidentiality and replay protected by means of a NAS security procedure that is initiated by the serving network NF and executed between the UE and the NF.
- This NAS security procedure establishes a NAS security context in both NAS connection end points (i.e., the UE and the NF), and the NAS security context is maintained by both UE and NF for the lifetime of the NAS connection.
- This NAS security context includes, among other parameters, security keys, key identifiers, algorithms and counters used to protect the NAS connection.
- a UE may have multiple NAS connections which are terminated in the serving network at multiple different NFs. That is, the NAS connections are terminated across different NFs depending on the NAS procedures that the NAS connections are supporting, as shown in FIG. 2.
- the UE may have two NAS connections, one carrying NAS mobility management (MM) signaling and being terminated at NF1, and the other NAS connection carrying NAS session management signaling and being terminated at NF2.
- MM NAS mobility management
- this architecture requires that multiple NAS connections be secured as opposed to one NAS connection currently supported by the 3GPP 5G System.
- FIG. 3 depicts how the 3GPP 5G system secures a NAS connection.
- the UE and the AMF/Security Anchor Function (SEAF) authenticate each other and verify that both parties have access to a pre-shared secret key via a 5G AKA or EAP-AKA (Extensible Authentication Protocol Authentication and Key Agreement) procedure.
- EAP Extensible Authentication Protocol
- AKA Authentication and Key Agreement
- for a successful 5G/EAP AKA procedure run, the AMF/SEAF generates and provides the UE with a Key Set Identifier (ngKSI).
- the Key Set Identifier is associated with Kseaf/Kamf keys derived from a successful 5G/EAP AKA run.
- Anchor Key and Parent Key, which are analogous to the Kseaf and Kamf keys respectively, are used throughout this disclosure. While the mechanism used to derive the Anchor Key is the same as that used to derive Kseaf, the mechanism used to derive the Parent Key differs from that used to derive Kamf and is explained below.
- the AMF initiates establishment of a secure NAS connection with the UE using a NAS security mode command (SMC) procedure.
- a NAS SMC command message sent to the UE contains the Key Set Identifier (ngKSI), which enables the UE to identify and validate the Kamf used to secure the NAS connection.
- the NAS connection end points, i.e., the UE and the AMF
- NAS security parameters including Key Set Identifier (ngKSI), Parent Key (Kamf), UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and public land mobile network (PLMN) identifier.
- PLMN public land mobile network
- a terminal device comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the terminal device at least to: receive an initialization key set identifier (KSI) from the first network function entity; and generate a set of allowed assigned key set identifiers, based on the initialization key set identifier.
- KSI key set identifier
- the first network function entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the first network function entity at least to: during an AKA procedure with a terminal device, generate an initialization key set identifier; derive a set of allowed assigned key set identifiers and a set of parent keys, based on the initialization key set identifier, wherein each of the set of parent keys is associated with a parent key identifier; and send the initialization key set identifier to the terminal device.
- a second network function entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the second network function entity at least to: send, to a first network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; receive an assigned key set identifier and a parent key from the first network function entity; and generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier.
- a method performed by a terminal device comprises: receiving an initialization key set identifier from the first network function entity; and generating a set of allowed assigned key set identifiers, based on the initialization key set identifier.
- a first network function entity comprises means for performing steps of any method according to the fifth aspect.
- a second network function entity comprises means for performing steps of any method according to the sixth aspect.
- a computer readable storage medium having instructions stored thereon, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform any method according to the fourth or fifth or sixth aspect.
- a computer program product comprising instructions which when executed by at least one processor, cause the at least one processor to perform any method according to the fourth or fifth or sixth aspect.
- FIG. 1 illustrates an example of a single NAS connection termination in the 5G system architecture
- FIG. 2 illustrates an example of the distributed NAS connection terminations architecture
- FIG. 3 illustrates an example of securing a NAS connection in the 5G system
- FIG. 4 illustrates an exemplary call flow of securing multiple NAS connections in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure
- FIG. 5 illustrates an example of an initialization KSI setting, an allowed assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure
- FIG. 6 illustrates an exemplary scenario in which each NAS connection has a unique parent key according to some embodiments of the present disclosure
- FIG. 7 illustrates another example of an initialization KSI setting, a possible assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure
- FIG. 8 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure
- FIG. 9 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure.
- FIG. 10 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure
- FIG. 11 is a call flow diagram depicting an initial NAS registration procedure according to some embodiments of the present disclosure.
- FIG. 12 is a call flow diagram depicting an initial NAS session management request procedure according to some embodiments of the present disclosure
- FIG. 13 is a call flow diagram depicting UE idle to connected mode transitions according to some embodiments of the present disclosure.
- FIG. 14 shows a simplified block diagram of an apparatus according to some embodiments of the present disclosure.
- references in the present disclosure to “one embodiment”, “an embodiment”, “an example embodiment”, and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- circuitry may refer to one or more or all of the following:
- circuit(s) and or processor(s) such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
- software e.g., firmware
- circuitry applies to all uses of this term in this application, including in any claims.
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
- the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE- Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT), New Radio (NR) and so on.
- LTE Long Term Evolution
- LTE-A LTE- Advanced
- WCDMA Wideband Code Division Multiple Access
- HSPA High-Speed Packet Access
- NB-IoT Narrow Band Internet of Things
- NR New Radio
- the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, 5G, the future sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
- Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
- terminal device refers to any end device that can access a communication network and receive services therefrom.
- the terminal device may refer to a user equipment (UE) which may be a combination of a Universal Integrated Circuit Card (UICC)/Subscriber Identity Module (SIM) Card and a mobile equipment (ME), or other suitable devices.
- UE user equipment
- SIM Subscriber Identity Module
- ME mobile equipment
- network function entity refers to any entity for supporting a network function in a communication network.
- the network function entity can be implemented in a physical network node, or in a virtual network node which performs a function using logical resources in more than one physical network node.
- NAS connection terminating end point means an end point terminating a NAS connection, e.g. UE or an NF entity.
- security key refers to a parent key, and they can be used interchangeably.
- security identifier refers to a key set identifier (KSI), and two types of key set identifiers are defined, i.e., an initialization key set identifier and an assigned key set identifier, which will be described in detail later.
- the 3GPP 5G system specifies a solution that secures a single NAS connection per access type and per PLMN. So, while a UE may have multiple NAS connections, each of these NAS connections is for a different access type and/or PLMN. With the distributed NAS connection terminations architecture, however, there can be multiple NAS connections for the same access type and PLMN, and no solution is defined to secure multiple NAS connections in that architecture.
- the 3GPP 5G system currently does not specify the distributed NAS connection terminations architecture, nor enable security of multiple NAS connections in the distributed NAS connection terminations architecture.
- various embodiments of the present disclosure propose a light weight security solution which enables securing multiple NAS connections in the distributed NAS connection terminations architecture.
- the proposed security solution provides mechanisms to generate and distribute security identifiers and keys for multiple NAS connections to end points responsible for terminating and securing multiple NAS connections.
- Each of the multiple NAS connections is assigned with a security identifier which uniquely identifies the NAS security context of that NAS connection at its terminating end points, i.e., in the UE and the serving network.
- Each NAS connection may be secured using a common parent key or a unique parent key along with a unique key set identifier.
- the security keys can be allocated to the NAS connections in a flexible manner, for example, the common key or unique key per NAS connection or a combination of both based on configurations.
- the proposed solution introduces a new network function (namely, a security key management function, SKMF) entity supporting mechanisms for the derivation, allocation and distribution of security parameters (including security keys and key set identifiers) plus enhanced capabilities in NAS connection terminating end points (i.e., the UE and the serving network functions) to support the usage of these security parameters.
- SKMF security key management function
- each NAS connection is secured using the 3GPP NAS SMC procedure and security parameters as described in the background section.
- each NAS connection terminating end point i.e., UE and a serving NF
- the UE and the serving network need to support multiple NAS security contexts.
- both end points need to be able to indicate to each other which NAS security context is being used.
- NAS security parameters e.g. security keys, UE Capabilities, key set identifier, etc.
- unique NAS security contexts can be identified by assigning a unique key set identifier to each NAS connection, associated with a common Parent Key.
- the new NF, the SKMF, is introduced; in terms of functionality it encompasses that of the 3GPP SEAF and builds on it with new and enhanced capabilities: generation of one or multiple key set identifiers, derivation of one or multiple parent keys, and the ability to associate the key set identifiers with the parent key(s).
- the SKMF can also expose its services via a service based interface (SBI) enabling other NFs to request key set identifier(s) and parent key(s) to secure NAS connections they terminate.
- SBI service based interface
- the NAS connection terminating NFs must also support NAS SMC procedures as well as support consuming SKMF services via SBI.
- the UE must be capable of supporting procedures and parameters that enable the generation of one or multiple key set identifiers, derivation of one or multiple parent keys and the usage of these to secure NAS connections.
- FIG. 4 illustrates an exemplary call flow of securing multiple NAS connections in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure.
- securing multiple NAS connections involves the UE, multiple NFs (e.g. NF1 and NF2), and the SKMF.
- NFs e.g. NF1 and NF2
- both the UE and the SKMF in the communication network will authenticate each other and verify that both parties have access to a pre-shared secret key via the AKA procedure.
- the SKMF will inform the UE via a parameter “key set identifier” of how many key set identifiers (KSIs) and parent keys (Kp) and how to derive them and how to associate the key set identifiers with the parent keys.
- KSIs key set identifiers
- Kp parent keys
- both the UE and the SKMF will have the same Anchor Key, parent key and a set of key set identifiers associated with the parent key. Note that enhancements to the 5G/EAP AKA procedure are required to adopt usage of the parameter “key set identifier”.
- an NF e.g. NF1
- a key set identifier KSI
- the SKMF selects from its set of “available” key set identifiers a single KSI (e.g. KSI1), and marks it as “in use” in the set.
- the SKMF returns Kp and KSI1 to NF1 and automatically subscribes NF1 to receive notifications regarding changes to the parent key, Kp, e.g. as result of a new AKA run.
- Operation 2 shows that NF1 obtains the parent key (Kp) and the key set identifier (KSI1) for the NAS connection from the SKMF.
- NF1 creates a NAS security context for the NAS connection containing the NAS security parameters (including KSI1, Kp, UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN ID).
- NF1 then triggers a NAS SMC procedure and sends a NAS SMC command message to the UE containing the key set identifier KSI1 and other 3GPP defined security parameters.
- This NAS SMC command message is integrity protected by the NAS keys that NF1 derived from the parent key Kp.
- the UE uses KSI1 in the received NAS SMC command message to check whether KSI1 belongs to its set of “available” key set identifiers and checks whether it is associated with the parent key belonging to a successful AKA run.
- the UE uses its parent key associated with KSI1 to derive the NAS keys and integrity check the received NAS SMC command message with the NAS keys, a successful check outcome indicates that the parent keys in the UE and NF1 are the same parent key.
- the UE then creates a NAS security context for this NAS connection containing the NAS security parameters (including KSI1, Kp, UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN ID).
- the UE also marks KSI1 as “in-use” in its set of key set identifiers.
- the UE then sends to NF1 a NAS SMC complete message which is integrity and confidentiality protected with its NAS keys.
- NF1 uses its NAS keys to decipher the NAS SMC complete message and check its integrity, which completes the setup of the secure NAS connection.
- the NAS security context for this NAS connection between the UE and NF1 is now uniquely identified by the key set identifier KSI1.
- NF2 establishes a secure NAS connection with the same UE
- the same procedure as outlined above for NF1 is followed, except that the SKMF allocates a new key set identifier, e.g. KSI2, from its set of “available” key set identifiers to NF2, and marks KSI2 as “in-use” in the set.
- KSI2 new key set identifier
- the same parent key allocated to NF1, i.e., Kp, is also allocated to NF2.
- any network function NFx establishing a NAS connection towards a UE will obtain KSIx and Kp from the SKMF and establish a secure NAS connection with the UE.
- the NAS security context of this secure NAS connection is uniquely identified by KSIx at both the UE and the NFx.
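The FIG. 4 call flow above, as an added worked example in Python (not code from the patent, 3GPP or any vendor): an SKMF-like allocator hands out assigned KSIs from one pool and subscribes the requesting NF to Kp-change notifications, NF1 and NF2 each run the NAS SMC exchange with the UE under the common parent key Kp, and an NF that holds a different parent key fails the UE's integrity check. Assumptions not in the page: the NAS keys are derived from Kp together with the KSI by HMAC-SHA256 (so two connections sharing Kp do not end up with identical NAS keys and rely only on separate NAS COUNTs), the MAC is truncated to 32 bits, the SMC complete is ciphered with a toy XOR keystream rather than a NEA algorithm, and messages are Python dicts.

```python
"""Added example (not code from the patent, 3GPP or any vendor): an SKMF-like
allocator handing out assigned KSIs from one pool, and two NFs (NF1, NF2)
each running a NAS SMC exchange with the UE under the shared parent key Kp.
Assumptions: NAS keys derived from Kp and the KSI with HMAC-SHA256, a 32-bit
MAC, a toy XOR keystream cipher, and messages represented as dicts."""
import hashlib
import hmac
import secrets


def nas_keys(kp: bytes, ksi: int) -> tuple:
    """Integrity and ciphering keys for one NAS connection (assumed derivation)."""
    label = ksi.to_bytes(1, "big")
    return (hmac.new(kp, b"NAS-INT" + label, hashlib.sha256).digest(),
            hmac.new(kp, b"NAS-ENC" + label, hashlib.sha256).digest())


def nas_mac(k_int: bytes, count: int, body: bytes) -> bytes:
    """Assumed NAS-MAC: HMAC-SHA256 over NAS COUNT || body, truncated to 32 bits."""
    return hmac.new(k_int, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]


def nas_cipher(k_enc: bytes, count: int, data: bytes) -> bytes:
    """Toy stand-in for a NEA algorithm: XOR with a hash keystream (data <= 32 bytes)."""
    keystream = hashlib.sha256(k_enc + count.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, keystream))


class SKMF:
    """Holds Kp from the AKA run and the pool of allowed assigned KSIs."""

    def __init__(self, kp: bytes, max_ksi: int):
        self.kp = kp
        self.available = set(range(1, max_ksi + 1))
        self.in_use = {}          # KSI -> NF that holds it
        self.subscribers = set()  # NFs notified when Kp changes (new AKA run)

    def request_ksi_and_kp(self, nf_name: str):
        ksi = min(self.available)         # allocate the lowest free KSI
        self.available.remove(ksi)
        self.in_use[ksi] = nf_name        # mark it "in use"
        self.subscribers.add(nf_name)
        return ksi, self.kp


class NF:
    """A NAS-terminating NF with one NAS security context for its connection."""

    def __init__(self, name: str, skmf: SKMF):
        self.name = name
        self.ksi, self.kp = skmf.request_ksi_and_kp(name)
        self.k_int, self.k_enc = nas_keys(self.kp, self.ksi)
        self.dl_count = 0

    def smc_command(self) -> dict:
        """NAS SMC command: KSI in clear, integrity protected, not ciphered."""
        body = b"SMC-CMD alg=NIA2/NEA2"
        msg = {"ksi": self.ksi, "count": self.dl_count, "body": body,
               "mac": nas_mac(self.k_int, self.dl_count, body)}
        self.dl_count += 1
        return msg

    def on_smc_complete(self, msg: dict) -> bool:
        """Verify the ciphered and integrity-protected SMC complete."""
        if not hmac.compare_digest(nas_mac(self.k_int, msg["count"], msg["ct"]), msg["mac"]):
            return False
        return nas_cipher(self.k_enc, msg["count"], msg["ct"]) == b"SMC-COMPLETE"


class UE:
    """UE with the shared Kp and the set of allowed KSIs from the initialization KSI."""

    def __init__(self, kp: bytes, max_ksi: int):
        self.kp = kp
        self.available = set(range(1, max_ksi + 1))
        self.contexts = {}        # assigned KSI -> NAS security context

    def on_smc_command(self, msg: dict) -> dict:
        ksi = msg["ksi"]
        if ksi not in self.available:
            raise ValueError(f"KSI {ksi} is not in the UE's available set")
        k_int, k_enc = nas_keys(self.kp, ksi)
        if not hmac.compare_digest(nas_mac(k_int, msg["count"], msg["body"]), msg["mac"]):
            raise ValueError("SMC command integrity check failed: parent keys differ")
        self.available.remove(ksi)                     # now "in use"
        self.contexts[ksi] = {"k_int": k_int, "k_enc": k_enc, "ul_count": 1}
        ct = nas_cipher(k_enc, 0, b"SMC-COMPLETE")    # uplink COUNT 0 used here
        return {"ksi": ksi, "count": 0, "ct": ct, "mac": nas_mac(k_int, 0, ct)}


def run_call_flow() -> dict:
    """FIG. 4 style flow: NF1 then NF2 secure their NAS connections under one Kp."""
    kp = secrets.token_bytes(32)           # shared by UE and SKMF after the AKA run
    skmf, ue, out = SKMF(kp, max_ksi=7), UE(kp, max_ksi=7), {}
    for name in ("NF1", "NF2"):
        nf = NF(name, skmf)
        out[name] = (nf.ksi, nf.on_smc_complete(ue.on_smc_command(nf.smc_command())))
    # An NF holding a different parent key fails the UE's integrity check
    rogue_skmf = SKMF(secrets.token_bytes(32), max_ksi=7)
    rogue_skmf.available -= {1, 2}         # so it allocates KSI 3, which the UE still has free
    try:
        ue.on_smc_command(NF("NFx", rogue_skmf).smc_command())
        out["rogue_rejected"] = False
    except ValueError:
        out["rogue_rejected"] = True
    out["ue_in_use"] = sorted(ue.contexts)
    out["skmf_in_use"] = dict(skmf.in_use)
    return out
```

Call run_call_flow(); it returns the KSI each NF received, whether its SMC complete verified, and the SKMF's and UE's "in use" sets. The two checks the UE runs on the SMC command (KSI in its available set, then MAC under the keys derived for that KSI) are the ones operation 3 above describes: a command carrying a reused or out-of-range KSI fails the first, a command from an NF with a different Kp fails the second.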
- the proposed security solution leverages and extends existing mechanisms of the 3GPP 5G system for securing NAS connections.
- the existing 3GPP NAS AKA and NAS SMC procedures are leveraged and enhanced to establish and manage security of multiple NAS connections.
- the existing 5G NAS key hierarchy is reused with the exception that only NFs related to NAS mobility management (e.g. the AMF) derive and distribute Access Stratum (AS) keying material to access nodes. No changes are required to AS key hierarchy or key derivation.
- Each NAS connection between a UE and an NF is secured using a parent key.
- a single parent key may be used to secure one or more NAS connections.
- Each NAS connection terminating end point (e.g. UE and NF) maintains a NAS security context identified by an assigned key set identifier.
- the assigned key set identifier is unique across all NAS connections, and contains a parent key identifier associated with the parent key for the NAS connection and a value between 1 and a maximum number of allowed assigned key set identifiers.
- another type of key set identifier, i.e., an initialization key set identifier, may contain information that indicates the maximum number of parent keys, the maximum number of allowed assigned key set identifiers and a random number, as described below.
- the maximum number of parent keys and the maximum number of allowed assigned key set identifiers defined in the initialization key set identifier is based on policies/rules in the SKMF which may be pre-configured or dynamic. These maximum numbers may be changed on a per AKA procedure basis.
- the SKMF is responsible for derivation, distribution and management of the initialization key set identifier and the assigned key set identifiers. Also the SKMF encompasses existing SEAF functionality.
- the SKMF provides an initialization key set identifier to a UE. Based on the initialization key set identifier, both the SKMF and the UE may derive the set of allowed assigned key set identifiers and the set of parent keys, each parent key being associated with a parent key identifier.
- both the SKMF and the UE shall have the same set of allowed assigned key set identifiers and the same set of parent keys.
- a UE may defer the derivation of a parent key and only derive the parent key when it is required, e.g., upon receipt of a NAS SMC message which includes an assigned key set identifier containing a specific parent key identifier.
- the SKMF may be a standalone network function or combined with another NF, e.g. a mobility management network function.
- the SKMF may communicate via a service based interface (SBI) with other NF(s).
- SBI service based interface
- An NF terminating a NAS connection may establish a secure NAS connection with a UE by means of a NAS SMC procedure.
- the NF requests from the SKMF an assigned key set identifier and a parent key.
- the SKMF allocates to the NF an assigned key set identifier available for use in the range of allowed assigned key set identifiers agreed as per the initialization key set identifier.
- the SKMF allocates to the NF a parent key that is associated with the parent key Identifier populated into the assigned key set identifier.
- a parent key identifier in an assigned key set identifier may be assigned according to parent key assignment policies/rules in the SKMF. For example, it may be desirable for NAS connections belonging to a specific network slice, NF type, NF Set ID, PLMN ID and so on to have their own unique parent key; the SKMF may use this and other information as input to its parent key assignment policies/rules.
- a parent key identifier (and hence a parent key since there is a one to one relationship) may be dedicated to a single NAS connection only, or shared across a subset of NAS connections, or shared across all NAS connections.
- An NF stores a received parent key and assigned key set identifier to a NAS security context of a NAS connection, and uses the received assigned key set identifier as an identifier of the NAS security context in the NF for the NAS connection. Moreover, the NF uses the received parent key to secure the NAS connection by means of a NAS SMC procedure, and provides the received assigned key set identifier to the UE in the NAS SMC procedure.
- a UE uses the assigned key set identifier received in an NAS SMC procedure to identify the parent key used to secure a NAS connection.
- the assigned key set identifier contains a parent key identifier which the UE can use to identify a parent key from the set of parent keys.
- the parent key identifier is based on the initialization key set identifier received during the latest AKA procedure. If the parent key was not previously derived, the UE may derive it at this point.
- the UE uses the identified parent key to run a security check on the received NAS SMC message, and if it passes, the UE stores the parent key and the assigned key set identifier to the NAS security context of the NAS connection.
- the UE also checks if the received assigned key set identifier is within the range of allowed assigned key set identifiers specified by the initialization key set identifier, and if this check passes, the assigned key set identifier is used as an identifier of the NAS security context in the UE for the NAS connection.
- a parent key may be derived by a key derivation function (KDF) in both the SKMF and UE using Anchor Key (akin to Kseaf key), a subscription permanent identifier (SUPI), Anti-Bidding down Between Architectures (ABBA), and a random number concatenated with a number between 1 and the maximum number of parent keys allowed.
- KDF key derivation function
- SUPI subscription permanent identifier
- ABBA Anti-Bidding down Between Architectures
- the random number and the maximum number of parent keys allowed are indicated in the initialization key set identifier and provided by the SKMF to the UE. The use of the random number can ensure that unique parent keys are derived between different AKA procedures.
- the random number concatenated with a number between 1 and the maximum number of parent keys can be used as a parent key identifier.
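A worked example of the key material described in the preceding items, added here in Python and not code from the patent or 3GPP: the initialization KSI carrying the maximum number of parent keys, the maximum number of allowed assigned KSIs and the per-AKA random number; Kp = KDF(Anchor Key, SUPI, ABBA, RAND || n) with RAND || n as the parent key identifier; an assigned KSI made of that identifier plus a value in 1..max; policy-based parent key selection in the SKMF (here: session management NFs get parent key 2, everyone else the common parent key 1); and the UE deriving a parent key only when an assigned KSI first references it, after checking the value range and that the identifier belongs to the current AKA run. The KDF construction (HMAC-SHA256 over length-prefixed inputs), the one-byte index and the SUPI/ABBA sample values are assumptions.

```python
"""Added example (not code from the patent, 3GPP or any vendor): initialization
KSI, parent key derivation Kp = KDF(Anchor Key, SUPI, ABBA, RAND || n), assigned
KSI = (parent key identifier, value), policy-based parent key selection in the
SKMF and deferred derivation with range checks in the UE.  The HMAC-SHA256 KDF,
field widths and SUPI/ABBA sample values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class InitKSI:
    """Initialization KSI sent by the SKMF in the AKA procedure."""
    max_parent_keys: int
    max_assigned_ksis: int
    rand: bytes                  # fresh per AKA run, so Kp differs between runs


@dataclass(frozen=True)
class AssignedKSI:
    parent_key_id: bytes         # RAND || n  (n in 1..max_parent_keys)
    value: int                   # 1..max_assigned_ksis, unique across NAS connections


def parent_key_id(init: InitKSI, n: int) -> bytes:
    if not 1 <= n <= init.max_parent_keys:
        raise ValueError("parent key index outside the initialization KSI range")
    return init.rand + n.to_bytes(1, "big")


def derive_parent_key(anchor_key: bytes, supi: bytes, abba: bytes, pk_id: bytes) -> bytes:
    """Kp = KDF(Anchor Key, SUPI, ABBA, RAND || n); HMAC-SHA256 here is an assumption."""
    s = b"".join(len(x).to_bytes(2, "big") + x for x in (supi, abba, pk_id))
    return hmac.new(anchor_key, s, hashlib.sha256).digest()


class SKMFKeys:
    """SKMF side: derives every parent key up front and allocates assigned KSIs."""

    def __init__(self, anchor_key: bytes, supi: bytes, abba: bytes, init: InitKSI):
        self.init = init
        self.parent_keys = {n: derive_parent_key(anchor_key, supi, abba, parent_key_id(init, n))
                            for n in range(1, init.max_parent_keys + 1)}
        self.free_values = set(range(1, init.max_assigned_ksis + 1))
        self.policy = {}         # e.g. NF type or slice -> parent key index (assumed policy form)

    def allocate(self, nf_type: str):
        n = self.policy.get(nf_type, 1)          # default: the common parent key 1
        value = min(self.free_values)
        self.free_values.remove(value)
        return AssignedKSI(parent_key_id(self.init, n), value), self.parent_keys[n]


class UEKeys:
    """UE side: keeps the anchor key and derives a parent key only when first referenced."""

    def __init__(self, anchor_key: bytes, supi: bytes, abba: bytes, init: InitKSI):
        self.anchor_key, self.supi, self.abba, self.init = anchor_key, supi, abba, init
        self.parent_keys = {}

    def resolve(self, aksi: AssignedKSI) -> bytes:
        if not 1 <= aksi.value <= self.init.max_assigned_ksis:
            raise ValueError("assigned KSI value outside the allowed range")
        rand, n = aksi.parent_key_id[:-1], aksi.parent_key_id[-1]
        if rand != self.init.rand:
            raise ValueError("parent key identifier belongs to an earlier AKA run")
        if n not in self.parent_keys:             # deferred derivation
            self.parent_keys[n] = derive_parent_key(
                self.anchor_key, self.supi, self.abba, parent_key_id(self.init, n))
        return self.parent_keys[n]


def demo() -> dict:
    anchor = secrets.token_bytes(32)
    supi, abba = b"imsi-001010123456789", b"\x00\x00"      # constructed sample values
    init = InitKSI(max_parent_keys=2, max_assigned_ksis=7, rand=secrets.token_bytes(8))
    skmf, ue, out = SKMFKeys(anchor, supi, abba, init), UEKeys(anchor, supi, abba, init), {}
    skmf.policy["SM"] = 2                     # session-management NFs get their own parent key
    aksi_mm, kp_mm = skmf.allocate("MM")
    aksi_sm, kp_sm = skmf.allocate("SM")
    out["mm_match"] = ue.resolve(aksi_mm) == kp_mm
    out["sm_match"] = ue.resolve(aksi_sm) == kp_sm
    out["distinct_kp"] = kp_mm != kp_sm
    out["values"] = [aksi_mm.value, aksi_sm.value]
    out["ue_derived"] = sorted(ue.parent_keys)
    # A new AKA run carries a new RAND: old assigned KSIs no longer resolve and Kp changes
    init2 = InitKSI(max_parent_keys=2, max_assigned_ksis=7, rand=secrets.token_bytes(8))
    try:
        UEKeys(anchor, supi, abba, init2).resolve(aksi_mm)
        out["stale_rejected"] = False
    except ValueError:
        out["stale_rejected"] = True
    out["kp_changes"] = derive_parent_key(anchor, supi, abba, parent_key_id(init2, 1)) != kp_mm
    return out
```

The UE never stores more parent keys than NAS connections actually reference, which is the deferral the text allows; binding RAND into the identifier is what lets the UE reject an assigned KSI left over from an earlier AKA run instead of silently resolving it against a stale key.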
- An NF shall use the unique assigned key set identifier agreed as a result of a NAS SMC procedure, to apply security to a NAS message destined for a UE.
- the NAS message which has been secured is referred to here as a secured NAS message.
- the NF shall include the assigned key set identifier for identifying the NAS security context in all secured NAS messages sent to the UE.
- the assigned key set identifier in a secured NAS message is integrity protected but not ciphered to enable the UE to identify the assigned key set identifier and apply the associated NAS security context that the UE stores to the received secured NAS message.
- the Access Stratum (AS) layers may enable ciphering and integrity protection to avoid exposing the assigned key set identifier.
- AS Access Stratum
- RRC Radio Resource Control
- a UE may have multiple NAS connections and each NAS connection may be assigned a unique temporary identifier (e.g. Globally Unique Temporary Identifier (GUTI)) by the NF terminating the NAS connection. The temporary identifier may subsequently be provided to the UE. As such the UE may have multiple assigned GUTIs.
- Each GUTI may uniquely identify a UE NAS sub-functional context associated with the corresponding NAS connection. For instance, a Mobility Management GUTI (MM-GUTI) identifies a UE NAS MM context, and a Session Management GUTI (SM-GUTI) identifies a UE SM context.
- MM-GUTI Mobility Management GUTI
- SM-GUTI Session Management GUTI
- an XX-GUTI identifies a UE XX context.
- the first secured NAS message sent to a UE shall contain a GUTI assigned by an NF terminating the NAS connection.
- the GUTI shall be integrity, confidentiality and replay protected. Note that the first and all subsequent secured NAS message sent to the UE shall contain the assigned key set identifier.
- An NF terminating a NAS connection shall maintain context information that links the GUTI and the assigned key set identifier assigned to the NAS connection.
- a UE shall maintain context information that links the GUTI and the assigned key set identifier received in a secured NAS message.
- the NF can also assign a GUTI (e.g. MM-GUTI) to identify the UE MM NAS context in the network and provide the GUTI to the UE via the first secured NAS message.
- When a UE sends a NAS message identified by an XX-GUTI towards an NF terminating a NAS connection, it shall use the assigned key set identifier linked to that XX-GUTI to secure the NAS message.
- In addition to sending the secured NAS message to a (radio) access node ((R)AN), the UE shall provide the XX-GUTI/XX-S-TMSI (S-Temporary Mobile Subscription Identifier), or an identifier derived from it, to the lower layers (e.g., the Radio Resource Control (RRC) layer) to assist the (R)AN in routing the secured NAS message to the correct NF.
- the (R)AN shall obtain the Globally Unique Network Function Identifier (GUNFI) from the received XX-GUTI/XX-S-TMSI to identify the NF.
- an NF terminating the NAS connection and the AN serving the UE may exchange temporary identifiers, a UE-NF ID and a UE-AN ID, with each other.
- the UE-NF ID uniquely identifies a UE context associated with the GUTI and the assigned key set identifier in the NF on a connection between the AN and the NF (denoted by AN-NF connection).
- the UE-AN ID uniquely identifies a UE context associated with a UE-AN connection (e.g. RRC connection) in the AN on the connection between the AN and the NF.
- the AN and the NF have a 1:n connection relationship, i.e., one AN has connections to multiple (n) NFs, whereby each NF is a NAS connection termination end point in the network and each connection between the AN and an NF is identified by a connection identifier which is a unique combination of the temporary identifiers, i.e. UE-AN ID-UE-NF1 ID, UE-AN ID-UE-NF2 ID, ..., UE-AN ID-UE-NFn ID, etc.
- a secured NAS message forwarded from an AN serving a UE to an NF on an AN-NF connection is implicitly associated with an assigned key set identifier and GUTI in the NF, once a NAS security context for the NAS connection between the UE and the NF has been established.
- the secured NAS messages sent from the AN to the NF over a specific AN-NF connection need not contain the assigned key set identifier and GUTI.
- the receiving NF will use the connection identifier (UE-AN ID-UE-NF ID) to determine the associated assigned key set identifier and GUTI, apply security checks (integrity, confidentiality and replay checks) on the secured NAS message using the associated assigned key set identifier, and process it accordingly.
- an NF shall use the UE-AN ID of the AN serving the UE in connected mode to establish an AN-NF connection, which is identified by the connection identifier UE-AN ID-UE-NF ID, and send the NAS message to the UE via that AN-NF connection.
- an MM NAS connection shall be the first NAS connection to be established and secured.
- Non-MM Initial NAS messages, for which no NAS security context exists in the UE, are sent via the secure MM NAS connection to the MM NF.
- the MM NF is responsible for selecting an appropriate NF (e.g., XX NF) according to network policies to process the Non-MM Initial NAS Messages.
- the UE capabilities shall also be included in an Initial NAS message.
- An NF terminating a NAS connection shall include an assigned key set identifier and a temporary identifier TMP-XX-GUTI in a NAS SMC command message sent to a UE, and the NAS SMC message shall be integrity protected using the NAS security context identified by the assigned key set identifier.
- the UE shall respond to the NAS SMC command message by providing the received TMP-XX-GUTI/TMP-XX-S-TMSI to the lower layers (e.g. RRC layer) and sending a NAS security mode complete message which is integrity, confidentiality and replay secured using the NAS security context identified by the received assigned key set identifier.
- An NF terminating a NAS connection shall include a temporary identifier TMP-XX-GUTI in a NAS authentication request and send the NAS authentication request to a UE.
- the UE shall respond to the NAS authentication request by providing the received TMP-XX-GUTI/TMP-XX-S-TMSI to the lower layers (e.g. RRC layer) and sending a NAS authentication response/failure message.
- the purpose of the temporary identifier TMP-XX-GUTI is to enable an access node (AN) (e.g. gNB) to select the correct AN-NF connection on which a NAS security mode complete/NAS authentication response/failure message is to be sent.
- the TMP-XX-GUTI contains the GUAMI of the NF that allocates it and a random number for the TMSI.
- the UE may identify a GUTI as a TMP-XX-GUTI based on the type of the NAS message it is received in, i.e., NAS SMC messages, NAS authentication messages and non-secured NAS messages.
- Enhancements to a UE may include one or more of:
- AKA procedure enhancements to support usage of an initialization key set identifier in a NAS authentication request (for a 5G/EAP AKA procedure) and a NAS authentication result message (for an EAP AKA procedure);
- Functionality of a SKMF entity may include one or more of:
- AKA procedure enhancements to support usage of an initialization key set identifier in a NAS authentication request (for a 5G/EAP AKA procedure) and a NAS authentication result message (for an EAP AKA procedure) sent to a UE;
- Enhancements to a NF terminating a NAS connection may include one or more of:
- Connection request and response services, e.g., paging and Idle/Connected Mode transitions
- Enhancements to a (radio) access node may include:
- the key set identifier is a fundamental concept, which is akin to the ngKSI in 5G, but extended to contain additional information fields which are used in the derivation and identification of a NAS security context and a parent key.
- There are two types of key set identifiers, i.e., an initialization KSI and an assigned KSI.
- An initialization KSI is configured by SKMF and provided to a UE during an AKA procedure in a NAS authentication request message (for a 5G/EAP AKA procedure) and a NAS authentication result message (for an EAP AKA procedure).
- the purpose of the initialization KSI is to inform the UE of the number of parent keys and the range of assigned KSIs allowed for a specific AKA run. It may also be used in the derivation and identification of parent keys.
- both SKMF and UE thus know the number of parent keys and assigned KSIs allowed and their respective values, and both implicitly know that only those assigned KSIs may be associated with those parent keys.
- the initialization KSI may include the following fields: Base KSI, which is a random number assigned by SKMF; Max Kp, which indicates a maximum number of parent keys; and Max KSI, which indicates a maximum number of allowed assigned KSIs per parent key.
- the Max KSI may indicate a maximum number of allowed assigned KSIs globally, i.e., across all the parent keys.
- a key derivation function is used in both SKMF and UE to derive a parent key with the following as inputs: Anchor Key (which is akin to Kseaf, and is generated during an AKA procedure); SUPI; ABBA; and Base KSI || a value from 1 to Max Kp.
- Each of the values from 1 up to Max Kp, in increments of 1, may be concatenated (indicated by || here) with the Base KSI to be used as the input to derive unique parent keys.
- the Base KSI concatenated with the value is also used as a unique parent key identifier.
- For example, with a Base KSI of 0x6E and Max Kp of 2, Base KSI || 1 to Max Kp results in two values, 0x6E01 and 0x6E02.
- 0x6E01 and 0x6E02 can be used (along with the other inputs mentioned above) to derive a total of 2 parent keys, Kp-1 and Kp-2, respectively.
- these two values act as parent key identifiers for the respective parent keys. That is, 0x6E01 identifies Kp-1 and 0x6E02 identifies Kp-2.
- the parent key identifier is contained in the assigned KSI to enable the UE to identify the associated parent key, which will be explained in more detail below.
- An assigned KSI is a unique key set identifier configured by SKMF and provided on request to an NF which in turn provides it to a UE during a NAS SMC procedure.
- the assigned KSI can be used as a unique NAS security context identifier for uniquely identifying a NAS security context. With the assigned KSI, the UE can know which parent key is associated with this identifier.
- the assigned KSI may include the following fields: Base KSI, which is always the same as the Base KSI of the initialization KSI; Kp separator, which indicates a parent key separator value in a range from 1 to Max Kp; and KSI separator, which indicates an assigned KSI separator value per parent key in a range from 1 to Max KSI.
- the SKMF may configure the assigned KSI, such that the Base KSI is the same as the Base KSI of the initialization KSI, the Kp separator is within the range between 1 and Max Kp of the initialization KSI, and the KSI separator is within the range between 1 and Max KSI of the initialization KSI.
- the KSI separator value may only be assigned once per parent key and should be marked as “in-use”. If subsequently freed up, it should be marked as “available”.
- the concatenation of BASE KSI and Kp Separator may form a parent key identifier, and this may be used multiple times in an assigned KSI. However, KSI Separator shall only be used once per parent key.
- FIG. 5 illustrates an example of an initialization KSI setting, an allowed assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure. Note that the hexadecimal digits used for the different fields of the initialization KSI and the assigned KSI are only for illustrative purposes.
- As shown in FIG. 5, in this example, assume that the initialization KSI equals 0x5E0203, that is, BASE KSI is 0x5E, Max Kp is 02, and Max KSI is 03. So, it can be derived that a maximum of 2 parent keys and a maximum of 3 assigned KSIs per parent key are allowed, i.e., 6 assigned KSIs in total are allowed. Further, SKMF may allocate a part or all of the allowed assigned KSIs to NFs according to different policies or requirements. In FIG. 5, four examples of the allocated assigned KSIs are also shown.
- Example 1 shows that the maximum number of parent keys (2) is used and the maximum number of assigned KSIs per parent key (3) is used.
- Example 2 shows that only one parent key, identified by 0x5E02, is used and the maximum number of assigned KSIs per parent key (3) is used.
- Example 3 shows that the maximum number of parent keys (2) is used and 2 assigned KSIs per parent key are used.
- Example 4 shows that the maximum number of parent keys (2) is used, with 2 assigned KSIs allocated to one parent key and 3 assigned KSIs allocated to the other parent key.
- Scenario 1: single parent key shared by multiple NAS connections
- SKMF and the UE may derive two parent keys, each of which is assigned a respective parent key identifier.
- a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a parent key identifier 0x5E01
- a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02.
- the UE may derive the parent key upon receipt of an assigned KSI in a NAS SMC command message from an NF.
- KSI-1, KSI-2 and KSI-3 all contain 0x5E01, which is the parent key identifier for the parent key Kp-1
- KSI-4, KSI-5 and KSI-6 all contain 0x5E02, which is the parent key identifier for the parent key Kp-2.
- Each of the NFs provides the respective assigned KSI to the UE in a NAS SMC procedure.
- the assigned KSIs are selected such that they are associated with a single parent key. Then SKMF marks these assigned KSIs as “in-use”.
- the UE uses Base KSI and Kp Separator in the assigned KSIs to identify the parent key identifier.
- All assigned KSIs have the same Base KSI and Kp Separator, i.e., 0x5E01, which identifies the parent key Kp-1.
- the UE also checks if the 3 received assigned KSIs are allowed as per the initialization KSI.
- Scenario 2: unique parent key for each NAS connection
- each NAS connection will have its own unique parent key.
- SKMF configures an initialization KSI to allow 5 parent keys and 1 assigned KSI per parent key.
- SKMF and the UE may derive 5 parent keys, each of which is assigned a respective parent key identifier.
- a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a Parent Key Identifier 0x5E01
- a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02
- a parent key Kp-3 is derived by using 0x5E03 as an input and is identified by a parent key identifier 0x5E03
- a parent key Kp-4 is derived by using 0x5E04 as an input and is identified by a parent key identifier 0x5E04
- a parent key Kp-5 is derived by using 0x5E05 as an input and is identified by a parent key identifier 0x5E05.
- assigned KSI-1: 0x5E0101
- assigned KSI-2: 0x5E0201
- assigned KSI-3: 0x5E0301
- assigned KSI-4: 0x5E0401
- assigned KSI-5: 0x5E0501.
- Upon receipt of the assigned KSI and the parent key, each of NF1 and NF2 provides the assigned KSI to the UE via a NAS SMC procedure.
- the UE uses Base KSI and Kp separator (0x5E01) in the assigned KSI-1 to identify the parent key, which is Kp-1.
- the UE uses Base KSI and Kp separator (0x5E02) in the assigned KSI-2 to identify the parent key, which is Kp-2.
- the UE also checks if the received 2 assigned KSIs are allowed as per the initialization KSI.
- NAS connection(s) of the same network slice will share a single parent key, while different parent keys are used for different network slices. Assume there are 2 network slices, one with 5 NAS connections and the other with 3 NAS connections.
- SKMF and the UE may derive two parent keys, each of which is assigned a respective parent key identifier.
- a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a parent key identifier 0x5E01
- a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02.
- SKMF marks these assigned KSIs as “in-use” for parent key Kp-1, i.e., no more assigned KSIs can be allocated to Kp-1; however, the other 5 assigned KSIs can still be allocated to Kp-2.
- the SKMF can adjust the max numbers for parent keys and assigned KSIs as deemed necessary.
- Upon receipt of the assigned KSI and the parent key, each of the NFs provides the assigned KSI to the UE via a NAS SMC procedure.
- When the UE receives the assigned KSIs KSI-1 to KSI-5, it uses the Base KSI and Kp Separator (0x5E01) to identify the parent key, which is Kp-1.
- the UE also checks if the 5 received assigned KSIs are allowed as per the initialization KSI.
- When the UE receives the assigned KSIs KSI-6 to KSI-8, it uses Base KSI and Kp Separator (0x5E02) to identify the parent key, which is Kp-2. The UE also checks if the 3 received assigned KSIs are allowed as per the initialization KSI.
- Upon the successful identification and check, the 5 NAS connections in network slice 1 are secured using the same parent key Kp-1, and the 3 NAS connections in network slice 2 are secured using the same parent key Kp-2, with each NAS connection having a unique NAS security context identified by KSI-1 to KSI-8 respectively.
- Max KSI in the initialization KSI may be defined to indicate a maximum number of assigned KSIs allowed overall or globally, but not on a per parent key basis. It means that once this maximum number is reached, SKMF shall not allocate any assigned KSI until the assigned KSIs in use become available. Accordingly, the definition of KSI separator in the assigned KSI would change.
- the initialization KSI may include the following fields: Base KSI, which is a random number assigned by SKMF; Max Kp, which indicates a maximum number of parent keys; and Max KSI, which indicates a maximum number of allowed assigned KSIs overall or globally.
- the assigned KSI may include the following fields: Base KSI, which is always same as Base KSI of initialization KSI; Kp separator, which indicates a parent key separator value in a range from 1 to Max Kp; and KSI separator, which indicates an assigned KSI separator value in a range from 1 to Max KSI.
- FIG. 7 illustrates an alternative example of an initialization KSI setting, a possible assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure.
- In the example of FIG. 7, assume that the initialization KSI is 0x5E0203, that is, BASE KSI is 0x5E, Max Kp is 02, and Max KSI is 03. So, it can be derived that a maximum of 2 parent keys and a maximum of 3 assigned KSIs in total are allowed.
- FIG. 7 shows that the range of possible assigned KSIs includes 6 assigned KSIs, but only 3 assigned KSIs from that range can be used, as defined by Max KSI.
- SKMF may allocate at most 3 assigned KSIs to NFs. In FIG. 7, four examples of the allocated assigned KSIs are also shown.
- Example 1 shows that all 3 assigned KSIs are associated with the parent key identified by 0x5E01, i.e., in this case, only a single parent key is used to secure all NAS connections.
- Example 2 shows that all 3 assigned KSIs are associated with the parent key identified by 0x5E02.
- Example 3 shows that the 3 assigned KSIs are associated with 2 different parent keys, where 2 assigned KSIs are associated with the parent key identified by 0x5E01 and 1 assigned KSI is associated with the parent key identified by 0x5E02. In this case, 2 NAS connections are secured by the parent key identified by 0x5E01 and 1 NAS connection is secured by the parent key identified by 0x5E02.
- Example 4 shows that 1 assigned KSI is associated with the parent key identified by 0x5E01 and 2 assigned KSIs are associated with the parent key identified by 0x5E02.
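A worked model of the KSI scheme of FIG. 5 and FIG. 7, added here as an example and not code from the patent: the initialization KSI and assigned KSI fields, SKMF allocation with the in-use/available bookkeeping, the UE-side allowed-set check, and parent key derivation. One-byte field widths, HMAC-SHA256 as the KDF, and the `per_parent_key` switch selecting the FIG. 5 (per parent key) or FIG. 7 (global) meaning of Max KSI are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class InitKSI:
    """Initialization KSI: Base KSI || Max Kp || Max KSI (one byte each, assumed)."""
    base_ksi: int                 # random value chosen by SKMF
    max_kp: int                   # maximum number of parent keys
    max_ksi: int                  # maximum number of assigned KSIs
    per_parent_key: bool = True   # True: FIG. 5 semantics; False: FIG. 7 (global) semantics

    def encode(self) -> int:
        return (self.base_ksi << 16) | (self.max_kp << 8) | self.max_ksi

    def parent_key_ids(self) -> List[int]:
        # Base KSI || 1..Max Kp, e.g. 0x5E01, 0x5E02; doubles as the KDF input
        return [(self.base_ksi << 8) | i for i in range(1, self.max_kp + 1)]

    def allowed_assigned_ksis(self) -> List[int]:
        # Base KSI || Kp separator || KSI separator. In global mode the range is
        # the same, but only Max KSI of its members may be in use at once.
        return [(pk << 8) | s for pk in self.parent_key_ids()
                for s in range(1, self.max_ksi + 1)]


def parent_key_id_of(assigned_ksi: int) -> int:
    """Base KSI || Kp separator, i.e. the assigned KSI without its KSI separator."""
    return assigned_ksi >> 8


def derive_parent_key(anchor_key: bytes, supi: str, abba: bytes, pk_id: int) -> bytes:
    # Assumed KDF (the patent only says "a key derivation function"):
    # HMAC-SHA256 keyed by the anchor key over SUPI || ABBA || parent key identifier.
    msg = supi.encode() + abba + pk_id.to_bytes(2, "big")
    return hmac.new(anchor_key, msg, hashlib.sha256).digest()


class SKMF:
    """Allocates assigned KSIs to NFs, marking them in-use / available."""

    def __init__(self, init_ksi: InitKSI) -> None:
        self.init_ksi = init_ksi
        self.in_use: Dict[int, str] = {}          # assigned KSI -> NF it was given to

    def allocate(self, nf_name: str, pk_id: int) -> Optional[int]:
        """Return a free assigned KSI under parent key pk_id, or None if none may be given."""
        if pk_id not in self.init_ksi.parent_key_ids():
            return None                           # Kp separator outside 1..Max Kp
        if not self.init_ksi.per_parent_key and len(self.in_use) >= self.init_ksi.max_ksi:
            return None                           # global Max KSI reached: wait for a free-up
        for ksi in self.init_ksi.allowed_assigned_ksis():
            # each KSI separator is handed out at most once per parent key
            if parent_key_id_of(ksi) == pk_id and ksi not in self.in_use:
                self.in_use[ksi] = nf_name
                return ksi
        return None                               # per-parent-key Max KSI exhausted

    def free(self, assigned_ksi: int) -> None:
        self.in_use.pop(assigned_ksi, None)       # back to "available"


def ue_accepts(init_ksi: InitKSI, received: Set[int]) -> bool:
    """UE check from the scenarios above: every received assigned KSI must lie in the
    allowed set derived from the initialization KSI; in global mode their number
    must also not exceed Max KSI."""
    if not received <= set(init_ksi.allowed_assigned_ksis()):
        return False
    return init_ksi.per_parent_key or len(received) <= init_ksi.max_ksi


if __name__ == "__main__":
    init = InitKSI(0x5E, 2, 3)                    # 0x5E0203 as in FIG. 5
    skmf = SKMF(init)
    # FIG. 5 Example 4: 2 KSIs under Kp-1, 3 under Kp-2
    plan = [("NF1", 0x5E01), ("NF2", 0x5E01), ("NF3", 0x5E02), ("NF4", 0x5E02), ("NF5", 0x5E02)]
    for nf, pk in plan:
        print(nf, hex(skmf.allocate(nf, pk)))
    print("UE accepts:", ue_accepts(init, set(skmf.in_use)))
```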
- FIG. 8 is a flow chart depicting a method 800 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure.
- the method 800 may be performed by a terminal device such as a UE for handling security of multiple NAS connections in the distributed NAS connection terminations architecture.
- the UE may have multiple NAS connections with multiple network function entities.
- optional steps are shown in dashed boxes.
- the terminal device receives an initialization KSI from the SKMF entity, at block 810.
- the initialization KSI may comprise a base key set identifier (i.e., Base KSI) which is a random number, a maximum number of parent keys (i.e., Max Kp), and a maximum number of assigned key set identifiers (i.e., Max KSI).
- the maximum number of assigned key set identifiers may be defined per parent key or globally, i.e., across all the parent keys.
- the initialization KSI may be received in a NAS authentication message from the SKMF entity.
- the NAS authentication message may differ depending on the AKA procedure.
- the NAS authentication message may be a NAS authentication request message, for a 5G/EAP AKA procedure.
- the NAS authentication message may be a NAS authentication result message, for an EAP AKA procedure.
- Upon receipt of the initialization KSI, the terminal device generates a set of allowed assigned KSIs based on the initialization KSI, at block 820.
- the assigned KSI may comprise a base key set identifier (i.e., Base KSI) which is same as the base key set identifier of the initialization KSI, a parent key separator (i.e., Kp separator) which indicates a value ranging from 1 to the maximum number of parent keys in the initialization KSI, and an assigned KSI separator (i.e., KSI separator) which indicates a value ranging from 1 to the maximum number of assigned KSIs in the initialization KSI.
- the base key set identifier concatenated with the parent key separator in the assigned KSI may form a parent key identifier.
- the terminal device may derive a set of parent keys from the initialization KSI during the AKA procedure, and each of the set of parent keys is associated with a parent key identifier.
- the parent key may be derived by a KDF based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys (i.e., the parent key identifiers), along with other information such as the anchor key, SUPI, and ABBA.
- Each of the generated parent keys may be assigned or associated with a parent key identifier and can be identified by that parent key identifier.
- the terminal device may receive, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS SMC message comprising an assigned KSI for the NAS connection and a temporary identifier (e.g. XX-GUTI/TMP-XX-GUTI) assigned by the second network function entity to the NAS connection, in a NAS SMC procedure for establishing a secure NAS connection.
- the second network function entity may be any network function entity that is defined as a part of 3GPP Mobile Core Network, such as a mobility management NF entity, a session management NF entity, or a policy management NF entity, etc.
- the terminal device may identify a parent key identifier from the received assigned KSI, and identify, from the set of parent keys derived at block 830, a parent key based on the parent key identifier. The terminal device may also check whether the received assigned KSI is available in the set of assigned KSIs. Then the terminal device may perform a security check on the received NAS SMC message using the identified parent key, at block 860. Specifically, the terminal device may derive NAS keys from the parent key and integrity check the NAS SMC message using the NAS keys. At block 870, the terminal device may generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned KSI.
- the NAS security context may include the assigned KSI, the parent key, the NAS keys, capabilities of the terminal device (also referred to as UE capabilities), NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN identifier.
- the terminal device may send, to the second network function entity, a NAS security mode complete message secured with the NAS security context. Further, the terminal device may mark the assigned KSI as in use in the set of allowed assigned KSIs, and mark the assigned KSI as available once it is freed up.
- NAS messages may be piggybacked in a NAS security mode command message sent to the terminal device.
- the NAS security mode command message may contain a NAS Container.
- the NAS Container may carry other NAS message(s) and/or parameter(s).
- the NAS Container is ciphered and the whole NAS security mode command message is integrity protected.
- the terminal device uses the assigned KSI in the NAS SMC message to identify the parent key, which is used to perform integrity checks on the whole NAS security mode command message and to decipher the NAS Container.
- the terminal device may derive a parent key upon receipt of a specific assigned KSI in a NAS SMC procedure.
- the terminal device may receive, from the second network function entity, an integrity protected NAS SMC message comprising an assigned KSI for the NAS connection and a temporary identifier (e.g. XX-GUTI/TMP-XX-GUTI) assigned by the second network function entity to the NAS connection. Then the terminal device may identify a parent key identifier from the received assigned KSI and derive a parent key based on the assigned KSI in the NAS SMC message.
- the KDF is used to derive the parent key based on the identified parent key identifier along with the anchor key, SUPI and ABBA.
- the derived parent key may be assigned or associated with the parent key identifier and may be identified by the parent key identifier.
- the terminal device may perform a security check on the received NAS SMC message using the derived parent key. After the successful check, the terminal device may generate and store the NAS security context for the NAS connection, the NAS security context being identified by the assigned KSI. Then the terminal device may send, to the second network function entity, a NAS security mode complete message secured with the NAS security context. The terminal device may also mark the assigned KSI as in use.
- the terminal device may receive, from the second network function entity, a secured NAS message comprising an assigned KSI and a temporary identifier (i.e., XX-GUTI) associated with the NAS connection.
- the terminal device may maintain context information that links the temporary identifier and the assigned KSI.
- the subsequent secured NAS message from the second network function entity may include only the assigned KSI.
- the terminal device may send, to the second network function entity, a NAS message secured with the NAS security context identified by the assigned KSI for the NAS connection, wherein the secured NAS message comprises the assigned KSI.
- the assigned KSI identifies the used NAS security context.
- the terminal device may also provide the received temporary identifier (e.g. XX-GUTI) or a shortened version of the received temporary identifier (e.g. XX-S-TMSI) to a lower layer (e.g. RRC layer) to enable an access node serving the terminal device to route the secured NAS message to the second network function entity.
- the assigned KSI may be contained in all secured NAS messages towards the terminal device on the NAS connection, and the assigned KSI is integrity protected but not encrypted in the secured NAS messages.
- the terminal device may receive a NAS authentication message comprising a temporary identifier (e.g. XX-GUTI) associated with the NAS connection along with the initialization KSI.
- All NAS security contexts associated with NAS connections are per PLMN and per access type, i.e., 3GPP and Non-3GPP access.
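The NAS SMC exchange of FIG. 8 and FIG. 10, run end to end as an added example (not code from the patent) against constructed parent keys: the NF integrity-protects a security mode command whose assigned KSI and TMP-XX-GUTI travel in the clear, the UE identifies the parent key from the KSI and checks the KSI against its allowed set before any MAC work, verifies integrity, stores the context under the KSI and answers; the NF then resolves the uplink context from the AN-NF connection identifier rather than from a KSI in the message. The wire layout, the NAS integrity key derivation and the 4-byte HMAC-SHA256 MAC are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def parent_key_id_of(assigned_ksi: int) -> int:
    return assigned_ksi >> 8                      # Base KSI || Kp separator


def nas_integrity_key(parent_key: bytes, assigned_ksi: int) -> bytes:
    # Assumed NAS key derivation: bind the NAS integrity key to the parent key
    # and to the assigned KSI that names this NAS security context.
    label = b"NAS-INT" + assigned_ksi.to_bytes(3, "big")
    return hmac.new(parent_key, label, hashlib.sha256).digest()


def nas_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:4]   # assumed 32-bit MAC


def build_security_mode_command(parent_key: bytes, assigned_ksi: int,
                                tmp_guti: bytes, container: bytes) -> bytes:
    """NF side: assigned KSI and TMP-XX-GUTI are integrity protected but not ciphered."""
    body = (assigned_ksi.to_bytes(3, "big")
            + struct.pack(">H", len(tmp_guti)) + tmp_guti + container)
    return body + nas_mac(nas_integrity_key(parent_key, assigned_ksi), body)


@dataclass
class NasSecurityContext:
    assigned_ksi: int
    parent_key: bytes
    nas_int_key: bytes
    tmp_guti: bytes


@dataclass
class UE:
    allowed_ksis: Set[int]                 # from the initialization KSI (block 820)
    parent_keys: Dict[int, bytes]          # parent key id -> parent key from the AKA run
    contexts: Dict[int, NasSecurityContext] = field(default_factory=dict)
    in_use: Set[int] = field(default_factory=set)

    def handle_security_mode_command(self, msg: bytes) -> Optional[bytes]:
        """Return the secured security mode complete, or None when the SMC is rejected."""
        assigned_ksi = int.from_bytes(msg[:3], "big")   # readable: not ciphered
        if assigned_ksi not in self.allowed_ksis:
            return None                    # not allowed per the initialization KSI
        parent_key = self.parent_keys.get(parent_key_id_of(assigned_ksi))
        if parent_key is None:
            return None                    # no such parent key was derived
        k_int = nas_integrity_key(parent_key, assigned_ksi)
        body, tag = msg[:-4], msg[-4:]
        if not hmac.compare_digest(nas_mac(k_int, body), tag):
            return None                    # block 860 integrity check failed
        guti_len = struct.unpack(">H", body[3:5])[0]
        tmp_guti = body[5:5 + guti_len]
        # block 870: store the context under the assigned KSI, linked to the GUTI
        self.contexts[assigned_ksi] = NasSecurityContext(assigned_ksi, parent_key, k_int, tmp_guti)
        self.in_use.add(assigned_ksi)      # mark the assigned KSI as in use
        complete = assigned_ksi.to_bytes(3, "big") + b"SECURITY-MODE-COMPLETE"
        return complete + nas_mac(k_int, complete)


@dataclass
class NF:
    """NF side: the AN-NF connection identifier selects the context, so the uplink
    message itself need not carry the assigned KSI."""
    contexts_by_conn: Dict[Tuple[str, str], NasSecurityContext]  # (UE-AN ID, UE-NF ID)

    def verify_uplink(self, conn_id: Tuple[str, str], msg: bytes) -> bool:
        ctx = self.contexts_by_conn.get(conn_id)
        if ctx is None:
            return False
        body, tag = msg[:-4], msg[-4:]
        return hmac.compare_digest(nas_mac(ctx.nas_int_key, body), tag)


def demo() -> bool:
    """Constructed run of the exchange; returns True when every step behaves as expected."""
    kp1 = hashlib.sha256(b"constructed parent key Kp-1").digest()   # stands in for the KDF output
    ue = UE(allowed_ksis={0x5E0101, 0x5E0102, 0x5E0103}, parent_keys={0x5E01: kp1})
    smc = build_security_mode_command(kp1, 0x5E0101, b"TMP-GUTI-1", b"piggybacked NAS msg")
    complete = ue.handle_security_mode_command(smc)
    nf = NF({("ue-an-7", "ue-nf-3"): NasSecurityContext(
        0x5E0101, kp1, nas_integrity_key(kp1, 0x5E0101), b"TMP-GUTI-1")})
    tampered = bytearray(smc)
    tampered[7] ^= 0xFF                    # flip a byte inside the TMP-GUTI
    return (complete is not None
            and ue.contexts[0x5E0101].tmp_guti == b"TMP-GUTI-1"
            and nf.verify_uplink(("ue-an-7", "ue-nf-3"), complete)
            and not nf.verify_uplink(("ue-an-7", "ue-nf-9"), complete)
            and ue.handle_security_mode_command(bytes(tampered)) is None
            and ue.handle_security_mode_command(
                build_security_mode_command(kp1, 0x5E0104, b"x", b"")) is None)
```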
- FIG. 9 is a flow chart depicting a method 900 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure.
- the method 900 may be performed by the SKMF entity.
- optional steps are shown in dashed boxes.
- the SKMF entity may generate an initialization KSI, at block 910.
- the details of the initialization KSI have been presented in the above description, and will be omitted here.
- the SKMF entity derives a set of allowed assigned KSIs and a set of parent keys, based on the initialization KSI, wherein each of the set of parent keys is assigned or associated with a parent key identifier.
- The details of the assigned KSI, the parent key, the parent key identifier and the derivation of the parent keys have been presented in the above description and are omitted here.
- the SKMF entity sends the initialization KSI to the terminal device.
- the initialization key set identifier may be sent in a NAS authentication request message (for a 5G/EAP AKA procedure) or a NAS authentication result message (for an EAP AKA procedure), depending on whether the AKA procedure is the 5G/EAP AKA procedure or the EAP AKA procedure.
- the terminal device may perform the operations described above in conjunction with FIG. 8.
- the SKMF entity may receive, from a second network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity.
- the request may be received over an SBI via which the SKMF entity may expose its services to the second NF entity and other NF entities.
- the second NF entity may be any network function entity that is defined as a part of 3GPP Mobile Core Network, such as a mobility management NF entity, a session management NF entity, or a policy management NF entity, etc.
- the SKMF entity may select an assigned KSI from the set of allowed assigned KSIs, and mark the selected assigned KSI as in use. Once the assigned KSI is freed up, the SKMF entity will mark it as available. In some embodiments, the selection may be performed on the assigned KSIs marked as available in the set of allowed assigned KSIs. In some embodiments, the selection may be based on a predetermined/predefined policy in the SKMF entity. Such a policy may be based on at least one of the following factors: the network slice which the NAS connection belongs to, the type of the second network function entity, a network function set identifier, or a PLMN identifier. It will be appreciated that other factors may be used to determine or define the policy.
- the SKMF entity may identify a parent key identifier from the selected assigned KSI, and identify a parent key from the set of parent keys based on the parent key identifier. Then the SKMF entity may send the selected assigned KSI and the parent key to the second network function entity, e.g. via SBI, at block 970.
- the assigned key set identifier and the parent key may be sent in a service based interface message to the second network function entity.
- the service based interface message may be varied. For example, for the mobility management network function entity, the service based interface message is an authentication response, and for the session management network function entity, the service based interface message is a key response.
- the SKMF entity may maintain a list of network function entities to which the assigned KSI and the parent key are provided. Thus, when a new AKA procedure runs to generate new assigned KSIs and new parent keys, the SKMF entity may notify the NF entities in the list, which will be described later.
- Additionally, in some embodiments, the SKMF entity may receive, from a mobility management NF entity, an authentication request to trigger the AKA procedure, which will be described later.
- the SKMF entity may be a standalone entity, or may be combined with another network function entity, e.g. a mobility management network function entity.
- FIG. 10 is a flow chart depicting a method 1000 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure.
- the method 1000 may be performed by a second network function entity configured to implement a network function.
- the second network function entity may be any network function entity that is defined as a part of a 3GPP Mobile Core Network, such as a mobility management NF entity, or a session management NF entity, or a policy management NF entity, etc.
- the second NF entity sends, to the SKMF entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second NF entity, at block 1010.
- the request may be sent to the SKMF entity via SBI.
- the second NF entity receives an assigned KSI and a parent key from the SKMF entity.
- the assigned KSI is one of a set of allowed assigned KSIs derived by the SKMF entity from an initialization KSI
- the parent key is associated with the assigned KSI and is one of a set of parent keys derived by the SKMF from the initialization KSI.
- the assigned KSI and the parent key may be received in a service based interface message via the SBI.
- the service based interface message may vary: for the mobility management NF entity, the service based interface message is an authentication response; for the session management NF entity, the service based interface message is a key response.
- Upon receipt of the assigned KSI and the parent key, the second NF entity generates and stores a NAS security context for the NAS connection, at block 1030.
- the NAS security context is identified by the assigned KSI received.
- the second NF entity may derive NAS keys from the received parent key, and create the NAS security context including the assigned KSI, the parent key, the NAS keys, UE capabilities, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN identifier.
- the second NF entity may send, to a terminal device terminating the NAS connection, a NAS SMC message to initiate a NAS SMC procedure to establish a secure NAS connection, at block 1040.
- the NAS SMC message may comprise the assigned KSI for the NAS connection received at block 1020 and a temporary identifier (e.g. XX-GUTI) assigned to the NAS connection, and may be integrity protected using the NAS security context identified by the assigned KSI.
- Upon receipt of the NAS SMC message, the terminal device will perform the operations described above in conjunction with FIG. 8.
- the second NF entity receives a secured NAS security mode complete message from the terminal device, and performs a security check of the secured NAS security mode complete message using the stored NAS security context identified by the assigned KSI for the NAS connection, at block 1060.
- the NAS SMC message may include a NAS Container carrying another NAS message.
- the NAS Container is ciphered with the NAS keys in the NAS security context.
- the second NF entity may send, to the terminal device, a NAS message secured with the NAS security context identified by the assigned KSI for the NAS connection.
- This secured NAS message may include the assigned key set identifier and a temporary context identifier (e.g., XX-GUTI mentioned above) associated with the NAS connection.
- the second NF entity may maintain context information that links the temporary context identifier and the assigned KSI. Then the subsequent NAS messages sent to the terminal device may only include the assigned KSI.
- the assigned KSI for the NAS connection may be contained in all secured NAS messages towards the terminal device on the NAS connection, and the assigned KSI is integrity protected but not encrypted in the secured NAS messages.
- the secured NAS message towards the second NF entity may or may not include an assigned KSI.
- the second NF may determine the assigned KSI for the NAS connection based on a connection identifier provided by the access node serving the terminal device, which will be described later.
- the second NF entity may send an authentication request to the SKMF entity to trigger the AKA procedure.
- the mobility management NF entity may send to the terminal device, a NAS authentication message comprising a temporary identifier (e.g. XX-GUTI) associated with the NAS connection along with the initialization KSI.
- the mobility management NF entity may discover and select an appropriate network function entity upon receipt of a non-MM initial NAS message.
- the mobility management NF entity may send a request for allocation of access stratum (AS) resources and provide AS keying material to an access node serving the terminal device.
- the second NF entity may send a first temporary identifier, e.g. the above described UE-NF ID, to the access node serving the terminal device.
- the first temporary identifier uniquely identifies a first context information of the terminal device in the second NF entity on a first connection between the access node and the second NF (i.e., AN-NF connection), and the first context information is associated with the assigned KSI for the NAS connection and with a temporary identifier (e.g. XX-GUTI) associated with the NAS connection.
- the second NF entity may receive from the access node a second temporary identifier, e.g.
- the second temporary identifier uniquely identifies a second context information of the terminal device in the access node on the first connection, and the second context information is associated with a second connection between the terminal device and the access node (i.e., UE-AN connection, e.g., RRC connection).
- the second temporary identifier can be identified by a combination of the first temporary identifier and the second temporary identifier, which forms a connection identifier of the AN-NF connection.
- the second NF entity may receive, from the access node, a message including a secured NAS message and the connection identifier.
- the secured NAS message may not include an assigned KSI.
- the second NF may determine the assigned KSI based on the connection identifier.
- the second NF entity may establish the first connection between the second NF entity and the access node using the second temporary identifier.
- the above-described various embodiments of the present disclosure provide a simple, flexible, scalable, secure and network managed solution to secure multiple NAS connections in the distributed NAS connection terminations architecture.
- the proposed solution leverages, extends and improves the existing NAS security mechanisms with new parameters and procedures, and it is agnostic to the Access Stratum.
- the same NAS parent key can be used in a flexible manner, e.g., only for one NAS connection, or across all NAS connections or a subset of the NAS connections.
- Each NAS connection can have its own assigned KSI irrespective of whether the parent key is dedicated or shared across the NAS connections.
- the maximum numbers of parent keys and/or assigned KSIs can be adjusted dynamically by the SKMF entity on a per-AKA-run basis to accommodate the need for multiple parent keys and multiple NAS connections.
- the derivation of the Anchor Key and parent keys is restricted to the SKMF, in a secured network location, and to the SIM on the UE, and the transmission of the parent keys within the communication network is over secured links using mutual TLS.
- the derivation and allocation of the parent keys and KSIs are network controlled, and hence the network operator can decide whether to use a common parent key, or dedicated parent keys, or combination thereof to secure multiple NAS connections.
- FIG. 11 is a call flow diagram depicting an initial NAS registration procedure according to some embodiments of the present disclosure. For sake of simplicity and clarity, only operations involving the improvements of the procedure will be discussed.
- a UE initiates a Registration Request with a selected communication network, and sends an Initial NAS MM Message (e.g. NAS MM Registration Request) in the clear, i.e. not security protected, with the minimum mandatory Information Elements (e.g., Subscription Concealed Identifier (SUCI) or MM-S-TMSI if available, UE security capabilities, assigned KSI indicating whether a NAS security context is available or not).
- the UE also provides network slice information and/or MM-GUTI/MM-S-TMSI to the lower layers (e.g. RRC layer) to enable the (R)AN to perform load balancing, discovery and selection of a suitable NF entity to which this NAS message is to be sent. Details on these NF selection mechanisms are defined in 3GPP TS 23.501 V18.0.0 as part of AMF selection. In this example call flow, assume NF#1(MM) is selected.
- NF#1 determines that UE authentication is required, because, for example, SUCI is received and/or the assigned KSI indicates a valid assigned KSI does not exist. Then, NF#1 sends an Authentication Request to the SKMF which includes the SUCI, service node (SN) ID.
- the SKMF triggers a primary AKA procedure.
- the UE receives and stores an initialization KSI provided by the SKMF.
- the SKMF provides the initialization KSI and ABBA in the NAS Authentication Request to the UE for both 5G AKA and EAP AKA procedures.
- the SKMF may send a NAS Authentication Result to the UE which contains the initialization KSI and ABBA. Then the UE stores the received initialization KSI.
- NF#1 includes a temporary GUTI (TMP-GUTI) in the NAS Authentication Request to the UE.
- the UE subsequently provides the TMP-GUTI/TMP-S-TMSI to the lower layers (e.g. RRC layer) to assist the (R)AN in routing the NAS Authentication Response back to NF#1.
- the TMP-GUTI/TMP-S-TMSI contains GUAMI of NF#1 and a random number for the TMSI.
- NF#1 and (R)AN exchange UE context identifiers (i.e., UE-AN ID and UE-NF ID) to enable identification of the UE context and communication between the (R)AN and NF#1.
- SKMF configures an assigned KSI (KSI-1) and identifies the associated parent key (Kp-1), and returns this assigned KSI along with the parent key to NF#1 in an Authentication Response.
- NF#1 creates a NAS security context which contains the assigned KSI KSI-1, the parent key Kp-1 and other security parameters, and sends a NAS SMC Command message to the UE containing TMP-GUTI, the assigned KSI KSI-1 and other 3GPP defined NAS SMC parameters.
- the TMP-GUTI and KSI-1 are integrity protected only.
- the TMP-GUTI/TMP-S-TMSI is used to assist in routing a NAS SMC Complete message back to NF#1.
- the UE checks if the parent key associated with the assigned KSI is the same as the parent key that the UE has derived from the latest successful AKA run. If the check is successful, it means that both the UE and NF#1 have the same parent key Kp-1. The UE then uses Kp-1 to derive NAS keys, integrity checks the NAS SMC Command message, creates a NAS security context containing KSI-1, Kp-1, plus other security parameters, provides the TMP-GUTI/TMP-S-TMSI to the lower layers (e.g.
- NAS security context for this NAS connection between the UE and NF#1 is now uniquely identified by the assigned KSI KSI-1.
- NF#1 triggers a request for allocation of Access Stratum (e.g. RAN) resources and provides AS security material which enables the establishment of Access Stratum security (including integrity and confidentiality).
- NF#1 processes the Initial NAS Registration Request and responds by sending a secured NAS message containing the assigned KSI KSI-1 and a NAS Registration Response message which includes a UE Temporary Context Identifier (MM-GUTI) for this NAS connection.
- the MM-GUTI uniquely identifies a UE MM context within NF#1 and includes the NF set to which NF#1 belongs along with NF#1 pointer information.
- the UE MM context contains, among other information, the NAS security context for MM NAS connections of the UE.
- the assigned KSI KSI-1 is integrity protected only to enable the UE to identify the NAS security context associated with the secured NAS message.
- since the UE is assigned a new MM-GUTI/MM-S-TMSI, it sends, in a secured NAS message, a NAS Registration Complete to acknowledge receipt of the MM-GUTI.
- the NAS security context identified by the assigned KSI KSI-1 is used to apply security (including integrity/confidentiality) to the contents of the secured NAS message.
- the UE provides the MM-GUTI/MM-S-TMSI to the lower layers to enable the Access Stratum to route the secured NAS message back to NF#1.
- NF#1 uses its stored NAS security context identified by assigned KSI KSI-1 to perform security checks on the received secured NAS message.
- Subsequent secured NAS messages sent from NF#1 to the UE shall contain the assigned KSI KSI-1 integrity protected. Subsequent secured NAS messages sent from the UE to NF#1 contain the assigned KSI KSI-1.
- the UE provides the lower layers with the MM-GUTI/MM-S-TMSI to enable routing to NF#1. All NAS messages exchanged between the UE and NF#1 are secured using the NAS security context in the UE and NF#1 identified by the assigned KSI KSI-1.
- FIG. 12 is a call flow diagram depicting an initial NAS session management request procedure according to some embodiments of the present disclosure. For sake of simplicity and clarity, only operations involving the improvements of the procedure will be discussed.
- the UE has already successfully registered with the network, established a NAS security context and received a NAS temporary identifier (MM-GUTI/MM-S-TMSI ) from NF#1.
- the UE is authenticated and registered with the network, and a UE NAS MM context (identified by MM-GUTI/MM-S-TMSI) and a NAS security context identified by the assigned KSI KSI-1 have been established between the UE and NF#1. If the UE is in Idle mode, the UE sends a NAS MM Service Request (containing MM-S-TMSI, the assigned KSI, UE Capabilities) which reestablishes the secured NAS connection between the UE and NF#1.
- the UE initiates the establishment of a PDU session using a NAS session management (SM) procedure.
- the UE sends a secured NAS message containing the NAS SM message (NAS PDU Session Establishment Request), and provides the MM-GUTI/MM-S-TMSI to lower layers to assist (R)AN in routing the secured NAS message to NF#1.
- This NAS SM message is secured by the NAS security context identified by the assigned KSI KSI-1 established earlier between UE and NF#1.
- NF#1 performs a security check on the received secured NAS message using its NAS security context identified by the assigned KSI KSI-1, extracts the NAS SM message, and discovers and selects a suitable NF (e.g. NF#2) for processing the NAS SM message, and forwards the NAS SM message with the MM-GUTI/MM-S-TMSI, SUPI, UE Capabilities and (R)AN UE context identifier to NF#2.
- NF#2 uses the SUPI to request and receive from the SKMF an assigned KSI (KSI-2) and the parent key (Kp-1).
- NF#2 creates a NAS security context identified by the assigned KSI KSI-2, which contains the assigned KSI KSI-2, the parent key Kp-1 and other security parameters, and sends a NAS SMC Command message to the UE containing a TMP-GUTI, the assigned KSI KSI-2 (integrity protected) and other 3GPP-defined NAS SMC parameters.
- NF#2 uses the (R)AN UE context identifier (i.e., UE-AN ID) to identify and establish a communication link with the (R)AN and (R)AN UE context via which the UE is connected to the (R)AN in order to exchange NAS messages with the UE.
- NF#2 also provides its NF UE context identifier (UE-NF2 ID) to the (R)AN to enable the (R)AN to identify and communicate with the UE context held in NF#2.
- the UE checks if the parent key associated with the assigned KSI is the same as the parent key that the UE has derived from the latest successful AKA run. If the check is successful, it means that both the UE and NF#2 have the same parent key Kp-1. The UE then uses Kp-1 to derive NAS keys, integrity checks the NAS SMC Command message, creates a NAS security context containing the assigned KSI KSI-2, the parent key Kp-1 plus other security parameters, provides the received TMP-GUTI/TMP-S-TMSI to lower layers, and sends a NAS SMC Complete message, integrity and confidentiality protected, to NF#2.
- the (R)AN uses the TMP-GUTI/TMP-S-TMSI to identify the GUAMI and NF ID of NF#2, and forwards the secured NAS message to NF#2.
- NF#2 checks integrity and confidentiality of the NAS SMC Complete message to complete the setup of the secure NAS connection.
- the NAS security context for this NAS connection between the UE and NF#2 is now uniquely identified by the assigned KSI KSI-2.
- NF#2 sends a NAS SM message response with a SM-GUTI/SM-S-TMSI and the assigned KSI KSI-2 via NF#1 towards the UE.
- the SM-GUTI uniquely identifies the UE SM context in NF#2.
- the UE SM context contains, among other information, the NAS security context for SM NAS connections with the UE.
- NF#1 sends a secured NAS message to the UE which contains the NAS SM message response, SM-GUTI and the assigned KSI KSI-2 received from NF#2.
- the NAS security context identified by the assigned KSI KSI-1 is used by NF#1 to apply security to the secured NAS message, which will also contain the assigned KSI KSI-1 integrity protected.
- the UE uses the assigned KSI KSI-1 received in the secured NAS message to apply security checks to the received secured NAS message containing the NAS message, SM-GUTI and the assigned KSI KSI-2 provided by NF#2.
- the UE shall associate the received SM-GUTI with the assigned KSI KSI-2 which identifies the NAS security context established earlier between the UE and NF#2.
- NF#2 may send a NAS security mode command message piggybacking a NAS Container to the UE.
- the NAS container is populated with a NAS SM message response, i.e., NAS PDU Session Establishment Response.
- the TMP-GUTI in the NAS SMC message becomes the SM-GUTI that the UE will store and associate with the received assigned KSI KSI-2.
- the SM-GUTI uniquely identifies the UE SM context in NF#2.
- the UE SM context contains, among other information, the NAS security context for SM NAS connections with the UE. Thus, operations 7 and 8 can be skipped.
- subsequent NAS SM messages related to this NAS PDU session are forwarded directly between the UE and NF#2, and secured using the NAS security context identified by the assigned KSI KSI-2.
- the (R)AN forwards the secured NAS SM messages to NF#2 based on the SM-GUTI/SM-S-TMSI and NF#2 ID.
- a UE in Idle mode triggers sending a NAS message to an NF entity
- the information sent in the NAS message will depend on whether the UE already has a mobile temporary identifier and a NAS security context or not.
- the UE that has successfully registered with a network may have established multiple NAS connections, for instance a NAS MM connection, a NAS SM connection, a NAS XX connection and so on, and for each of these NAS connections, the UE has received from the network a temporary identifier and an assigned KSI. Subsequently, the UE may transition to Idle mode when the NAS connection is dropped, however, the UE and the network will maintain the mobile temporary identifiers and NAS security contexts.
- an initial NAS message sent after the transition for each of these previously established NAS connections shall carry information in cleartext to identify the serving NF, the NAS security context and the UE capabilities. That is, the initial NAS message for each NAS connection after the transition to Connected mode shall contain the temporary identifier, the assigned KSI and the UE capabilities in cleartext IEs. In addition, the initial NAS message may also contain a NAS container, which holds the complete initial NAS message. The cleartext IEs are integrity protected only while the NAS container is both ciphered and integrity protected.
- FIG. 13 is a call flow diagram depicting UE Idle to Connected mode transitions according to some embodiments of the present disclosure.
- a non-MM NF, e.g. an SM NF or an XX NF
- the non-MM NF shall trigger the establishment of a new NAS security context with the UE.
- the non-MM NF requests the SKMF for an assigned KSI and a Parent Key, and triggers a NAS SMC procedure with the UE to establish a new NAS security context.
- the NAS SMC Command requests the UE to re-send the initial NAS message in the NAS SMC Complete message.
- the UE may send, upon transition from Idle mode to Connected mode, an Initial NAS message for a previously established NAS connection.
- the initial NAS message may comprise the assigned key set identifier for the previously established NAS connection, a temporary identifier (e.g. XX-GUTI) associated with the previously established NAS connection, and UE capabilities.
- the NF entity may receive the initial NAS message for the previously established NAS connection terminated at this NF entity.
- An MM NF entity may trigger a new AKA run by sending a request to SKMF which in turn executes the 5G/EAP AKA procedure to establish new parent keys and initialization KSI.
- the SKMF maintains a list of NFs to which it has provided the assigned KSI and parent key on a per UE basis, and sequentially notifies each listed NF, starting from the MM NF, with the new parent key and assigned KSI based on the latest successful AKA run.
- the SKMF may receive, from a mobility management network function entity, an authentication request to trigger an AKA procedure.
- the SKMF may sequentially notify each of the NF entities to which the assigned KSI and the parent key have been provided, starting with the mobility management network function entity, of a new parent key and a new assigned KSI.
- the second NF entity may receive from the SKMF a new assigned KSI and a new parent key for the NAS connection, and update the NAS security context for the NAS connection using the new assigned key set identifier and the new parent key. Then the second NF entity may inform the SKMF of the completion of the update.
- FIG. 14 illustrates a simplified block diagram of an apparatus 1400 that may be embodied as the terminal device, or the first network function entity configured to implement SKMF, or the second network function entity.
- the apparatus 1400 may comprise at least one processor 1401, such as a data processor (DP), and at least one memory (MEM) 1402 coupled to the at least one processor 1401.
- the apparatus 1400 may further comprise a sending unit and a receiving unit 1403 coupled to the one or more processors 1401.
- the processors 1401 may be of any type suitable to the local technical environment, and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
- the MEM(s) 1402 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor-based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples.
- the MEM 1402 stores a program (PROG) 1404.
- the PROG 1404 may include instructions that, when executed on the associated processor 1401, enable the apparatus 1400 to operate in accordance with the embodiments of the present disclosure, for example to perform one of the methods 800, 900 and 1000 as shown in FIG. 8, FIG. 9 and FIG. 10.
- a combination of the at least one processor 1401 and the at least one MEM 1402 may form processing circuitry or means 1405 adapted to implement various embodiments of the present disclosure.
- Various embodiments of the present disclosure may be implemented by a computer program executable by one or more of the processors 1401, software, firmware, hardware or in a combination thereof.
- the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof.
- some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto.
- While various aspects of the exemplary embodiments of this disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
- the exemplary embodiments of the disclosures may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this disclosure may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this disclosure.
- exemplary embodiments of the disclosures may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices.
- program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device.
- the computer executable instructions may be stored on a computer readable medium, for example, non-transitory computer readable medium, such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc.
- the function of the program modules may be combined or distributed as desired in various embodiments.
- the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.
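The key-assignment flow described for method 1000 and in the FIG. 11 and FIG. 12 call flows (the SKMF answering an NF's request with an assigned KSI and a parent key, the NF storing a NAS security context identified by that KSI, the UE checking in the NAS SMC that the parent key behind the KSI is the one from its latest AKA run, and the SKMF re-provisioning every served NF in order after a new AKA run), as an added worked example in Python. It is not code from the patent or from 3GPP: the key derivation (HMAC-SHA256 expansion), the rule for the allowed assigned KSIs (consecutive 3-bit values after the initialization KSI) and the parent key identifier carried in the SMC body are assumptions made for the example, and all class and function names are hypothetical.

```python
"""Toy model: the SKMF assigns a key set identifier (KSI) and parent key per NAS connection.
Assumed (not from the page): HMAC-SHA256 expansion as the key derivation, allowed KSIs as
consecutive 3-bit values after the initialization KSI, and a parent key identifier carried
in the NAS SMC so the UE can select the matching parent key. All names are hypothetical."""
import hashlib
import hmac

def kdf(key, label):  # one-block HKDF-Expand (RFC 5869), 32-byte output
    return hmac.new(key, label + b"\x01", hashlib.sha256).digest()

def derive_parent_keys(anchor_key, count):  # Kp-0 .. Kp-(count-1), assumed derivation
    return [kdf(anchor_key, b"parent-key-%d" % i) for i in range(count)]

def allowed_ksis(init_ksi, count):  # assumed: consecutive values in the 3-bit KSI space
    return [(init_ksi + i) % 8 for i in range(count)]

class NF:
    """NAS-terminating network function (MM, SM, ...); one context per assigned KSI."""
    def __init__(self, name):
        self.name, self.contexts = name, {}  # contexts: (SUPI, assigned KSI) -> context
    def update_context(self, supi, ksi, pk_id, parent_key):
        """Blocks 1020-1030: store the NAS security context identified by the assigned KSI."""
        self.contexts[(supi, ksi)] = {"pk_id": pk_id, "k_nas_int": kdf(parent_key, b"NAS-int")}
        return ksi
    def nas_smc_command(self, supi, ksi, tmp_guti):
        """Block 1040: integrity-protected NAS SMC as (body, MAC)."""
        ctx = self.contexts[(supi, ksi)]
        body = b"%d|%d|%s" % (ksi, ctx["pk_id"], tmp_guti.encode())
        return body, hmac.new(ctx["k_nas_int"], body, hashlib.sha256).digest()

class SKMF:
    """Holds the per-UE key state; the only network node that derives parent keys."""
    def __init__(self, n_parent_keys=2, n_ksis=4, shared_parent_key=True):
        self.n_pk, self.n_ksis, self.shared = n_parent_keys, n_ksis, shared_parent_key
        self.state = {}   # SUPI -> {"parent_keys", "allowed", "next"}
        self.served = {}  # SUPI -> NFs already given a KSI, in order (MM NF first)
    def aka_run(self, supi, anchor_key, init_ksi):
        self.state[supi] = {"parent_keys": derive_parent_keys(anchor_key, self.n_pk),
                            "allowed": allowed_ksis(init_ksi, self.n_ksis), "next": 0}
        self.served.setdefault(supi, [])
    def key_request(self, supi, nf):
        """Block 1010's request, answered with (assigned KSI, parent key id, parent key)."""
        st = self.state[supi]
        if st["next"] >= len(st["allowed"]):
            raise RuntimeError("allowed assigned KSIs exhausted; a new AKA run is needed")
        ksi = st["allowed"][st["next"]]
        # Operator policy: one common parent key (id 0) or a dedicated one per connection.
        pk_id = 0 if self.shared else min(st["next"], self.n_pk - 1)
        st["next"] += 1
        if nf not in self.served[supi]:
            self.served[supi].append(nf)
        return ksi, pk_id, st["parent_keys"][pk_id]
    def rekey(self, supi, anchor_key, init_ksi):
        """After a new AKA run, re-provision each served NF in order, MM NF first."""
        self.aka_run(supi, anchor_key, init_ksi)
        notified = []
        for nf in list(self.served[supi]):
            nf.update_context(supi, *self.key_request(supi, nf))
            notified.append(nf.name)
        return notified

class UE:
    """Derives the same parent keys and allowed KSIs from the outcome of the AKA run."""
    def __init__(self, n_parent_keys=2, n_ksis=4):
        self.n_pk, self.n_ksis, self.contexts = n_parent_keys, n_ksis, {}
    def aka_result(self, anchor_key, init_ksi):
        self.parent_keys = derive_parent_keys(anchor_key, self.n_pk)
        self.allowed = allowed_ksis(init_ksi, self.n_ksis)
    def on_nas_smc(self, body, mac):
        """Accept the SMC only if the parent key behind the KSI is the latest AKA run's."""
        ksi, pk_id, tmp_guti = body.split(b"|")
        ksi, pk_id = int(ksi), int(pk_id)
        if ksi not in self.allowed or pk_id >= len(self.parent_keys):
            return False
        pk = self.parent_keys[pk_id]
        expected = hmac.new(kdf(pk, b"NAS-int"), body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False  # the NF holds a parent key from an older AKA run
        self.contexts[ksi] = {"parent_key": pk, "tmp_guti": tmp_guti.decode()}
        return True

def demo_key_assignment():
    """FIG. 11/12 flow: NF#1 (MM) and NF#2 (SM) each get their own KSI while sharing Kp-0."""
    supi, anchor = "supi-example", bytes(range(32))  # constructed sample values
    skmf, ue, nf1, nf2 = SKMF(), UE(), NF("NF#1(MM)"), NF("NF#2(SM)")
    skmf.aka_run(supi, anchor, init_ksi=5)
    ue.aka_result(anchor, 5)
    ksi1 = nf1.update_context(supi, *skmf.key_request(supi, nf1))
    ksi2 = nf2.update_context(supi, *skmf.key_request(supi, nf2))
    ok1 = ue.on_nas_smc(*nf1.nas_smc_command(supi, ksi1, "TMP-GUTI-1"))
    ok2 = ue.on_nas_smc(*nf2.nas_smc_command(supi, ksi2, "TMP-GUTI-2"))
    ue.aka_result(bytes(32), 2)  # new AKA run: NF#1's old context no longer matches
    stale = ue.on_nas_smc(*nf1.nas_smc_command(supi, ksi1, "TMP-GUTI-1"))
    order = skmf.rekey(supi, bytes(32), 2)  # SKMF re-provisions NF#1, then NF#2
    fresh = ue.on_nas_smc(*nf1.nas_smc_command(supi, 2, "TMP-GUTI-1"))
    return {"ksi1": ksi1, "ksi2": ksi2, "ok1": ok1, "ok2": ok2,
            "stale": stale, "order": order, "fresh": fresh}
```

The `stale` step is the property the parent-key check buys: after a fresh AKA run the UE rejects an SMC from an NF that still holds the previous parent key, even though the KSI value itself is still in the allowed set, and the NF is accepted again only once the SKMF has re-provisioned it.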
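The secured NAS message described for the Idle-to-Connected transition (cleartext IEs carrying the temporary identifier, the assigned KSI and the UE capabilities, integrity-protected only, with the NAS container ciphered and integrity-protected) and the NF's choice of NAS security context from the cleartext KSI or, when the KSI is absent, from the AN-NF connection identifier, as an added example in Python, not code from the patent. HMAC-SHA256 stands in for the NAS integrity algorithm and an HMAC-based counter keystream for the ciphering algorithm; the field layout, the NAS COUNT replay check and all names are assumptions made for the example.

```python
"""Secured NAS message on one NAS connection, and how the terminating NF picks the NAS
security context. Assumed (not from the page): HMAC-SHA256 stands in for the NAS integrity
algorithm and an HMAC-SHA256 counter keystream for the ciphering algorithm; the field
layout and the replay check on NAS COUNT are modelled here. All names are hypothetical."""
import hashlib
import hmac
import struct

def kdf(key, label):  # one-block HKDF-Expand (RFC 5869)
    return hmac.new(key, label + b"\x01", hashlib.sha256).digest()

class NasSecurityContext:
    """Identified by the assigned KSI; NAS keys derived from the parent key."""
    def __init__(self, ksi, parent_key):
        self.ksi = ksi
        self.k_int = kdf(parent_key, b"NAS-int")
        self.k_enc = kdf(parent_key, b"NAS-enc")
        self.count_ul = 0  # lowest uplink NAS COUNT still acceptable (replay protection)

def keystream(k_enc, count, length):  # stand-in for the NAS ciphering algorithm
    blocks = (length + 31) // 32
    return b"".join(hmac.new(k_enc, struct.pack(">II", count, i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def mac_input(count, ksi, temp_id, ue_caps, container):
    """Length-prefixed encoding of everything the MAC covers: cleartext IEs and container."""
    fields = (struct.pack(">I", count), b"" if ksi is None else bytes([ksi]),
              temp_id, ue_caps, container)
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def protect(ctx, count, inner, temp_id, ue_caps, include_ksi=True):
    """UE side: cipher the NAS container, then MAC the cleartext IEs plus the container."""
    container = bytes(a ^ b for a, b in zip(inner, keystream(ctx.k_enc, count, len(inner))))
    ksi = ctx.ksi if include_ksi else None
    mac = hmac.new(ctx.k_int, mac_input(count, ksi, temp_id, ue_caps, container),
                   hashlib.sha256).digest()[:4]  # 32-bit MAC, as in NAS
    return {"count": count, "ksi": ksi, "temp_id": temp_id, "ue_caps": ue_caps,
            "container": container, "mac": mac}

def unprotect(ctx, msg):
    """Returns the deciphered NAS container, or None when the integrity check fails."""
    expected = hmac.new(ctx.k_int, mac_input(msg["count"], msg["ksi"], msg["temp_id"],
                        msg["ue_caps"], msg["container"]), hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    ks = keystream(ctx.k_enc, msg["count"], len(msg["container"]))
    return bytes(a ^ b for a, b in zip(msg["container"], ks))

class TerminatingNF:
    """Holds the NAS security contexts of the NAS connections it terminates."""
    def __init__(self):
        self.by_temp_id = {}  # (temporary id, assigned KSI) -> context
        self.by_conn_id = {}  # (UE-NF ID, UE-AN ID) -> (temporary id, assigned KSI)
    def add_connection(self, temp_id, ctx, ue_nf_id, ue_an_id):
        self.by_temp_id[(temp_id, ctx.ksi)] = ctx
        self.by_conn_id[(ue_nf_id, ue_an_id)] = (temp_id, ctx.ksi)
    def receive(self, msg, conn_id=None):
        """Pick the context by cleartext KSI, else by the AN-NF connection identifier."""
        key = ((msg["temp_id"], msg["ksi"]) if msg["ksi"] is not None
               else self.by_conn_id.get(conn_id))
        ctx = self.by_temp_id.get(key)
        if ctx is None or msg["count"] < ctx.count_ul:
            return None  # unknown context, or a replayed NAS COUNT
        inner = unprotect(ctx, msg)
        if inner is not None:
            ctx.count_ul = msg["count"] + 1
        return inner

def demo_secured_nas():
    parent_key = bytes(range(32))  # constructed stand-in for Kp-1
    ue_ctx, nf_ctx = NasSecurityContext(6, parent_key), NasSecurityContext(6, parent_key)
    nf, temp_id = TerminatingNF(), b"SM-GUTI-example"
    conn_id = (b"UE-NF2-ID-example", b"UE-AN-ID-example")
    nf.add_connection(temp_id, nf_ctx, *conn_id)
    caps, req = b"\x01\x02", b"PDU SESSION ESTABLISHMENT REQUEST"  # constructed
    initial = protect(ue_ctx, 0, req, temp_id, caps)  # initial message: KSI in clear
    got_initial = nf.receive(initial)
    replayed = nf.receive(initial)  # same NAS COUNT a second time
    later = protect(ue_ctx, 1, b"PDU SESSION MODIFICATION REQUEST", temp_id, caps,
                    include_ksi=False)  # no KSI: NF resolves it via the connection id
    got_later = nf.receive(later, conn_id)
    tampered = dict(initial, count=2, ue_caps=b"\x00")  # altered capabilities, stale MAC
    return {"initial": got_initial, "replayed": replayed, "later": got_later,
            "tampered": nf.receive(tampered)}
```

The `tampered` case is why the UE capabilities must be covered by the MAC even though they travel in cleartext: a modified capability set fails the integrity check at the NF instead of silently driving algorithm selection, and the `replayed` case shows the NAS COUNT doing its job once the first copy has been accepted.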
Abstract
Various embodiments provide methods and apparatus for security in a distributed NAS connection terminations architecture. In an embodiment, a method performed by a terminal device comprises: receiving an initialization key set identifier from the first network function entity; and generating a set of allowed assigned key set identifiers, based on the initialization key set identifier.
Description
SECURITY IN A DISTRIBUTED NAS CONNECTION TERMINATIONS ARCHITECTURE
TECHNICAL FIELD
[1] Embodiments of the present disclosure generally relate to wireless communication, and more particularly, to methods and apparatuses for security in a distributed non-access stratum (NAS) connection terminations architecture.
BACKGROUND
[2] In a 3GPP 5G System Architecture, as defined in 3GPP TS 23.501 v18.0.0, a NAS connection for a user equipment (UE) is always terminated in the serving network at a single network function (NF), e.g. access and mobility management function (AMF), as shown in FIG. 1. A single NAS connection is supported per access type, i.e., 3GPP or Non 3GPP access, and per PLMN. The NAS connection is integrity, confidentiality and replay protected by means of a NAS security procedure that is initiated by the serving network NF and executed between the UE and the NF. This NAS security procedure establishes a NAS security context in both NAS connection end points (i.e., the UE and the NF), and the NAS security context is maintained by both UE and NF for the lifetime of the NAS connection. This NAS security context includes, among other parameters, security keys, key identifiers, algorithms and counters used to protect the NAS connection.
[3] In a distributed NAS connection terminations architecture on the other hand, a UE may have multiple NAS connections which are terminated in the serving network at multiple different NFs. That is, the NAS connections are terminated across different NFs depending on the NAS procedures that the NAS connections are supporting, as shown in FIG. 2. As an example, the UE may have two NAS connections, one carrying NAS mobility management (MM) signaling and being terminated at NF1, and the other NAS connection carrying NAS session management signaling and being terminated at NF2. As such, this architecture requires that multiple NAS connections be secured as opposed to one NAS connection currently supported by the 3GPP 5G System.
[4] FIG. 3 depicts how the 3GPP 5G system secures a NAS connection. As shown in FIG. 3, initially when a UE attempts to register with a 5G network, the UE and AMF/Security Anchor Function (SEAF) will authenticate each other and verify that both parties have access to a pre-shared secret key via a 5G/Extensible Authentication Protocol (EAP) Authentication and Key Agreement (AKA) procedure. For a successful 5G/EAP AKA procedure run, the AMF/SEAF generates and provides the UE with a Key Set Identifier (ngKSI). The Key Set Identifier is associated with Kseaf/Kamf keys derived from a successful 5G/EAP AKA run.
[5] Note that the terms Anchor Key and Parent Key, which are analogous to Kseaf and Kamf keys respectively, are used throughout this disclosure. While the mechanism used to derive the Anchor key is the same as that used to derive the Kseaf key, the mechanism used to derive the Parent Key does differ from that used to derive the Kamf key and will be explained below.
[6] Then, the AMF initiates establishment of a secure NAS connection with the UE using a NAS security mode command (SMC) procedure. A NAS SMC command message sent to the UE contains the Key Set Identifier (ngKSI) which enables the UE to identify and validate the Kamf used to secure the NAS connection. The NAS Connection end points (i.e., the UE and AMF) create and maintain for each NAS Connection a NAS security context containing NAS security parameters (including Key Set Identifier (ngKSI), Parent Key (Kamf), UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and public land mobile network (PLMN) identifier). Over the lifetime of this NAS Connection, some of these security parameters may change, for example NAS counts change, as may the Parent Key (Kamf), due to mobility, handovers and configured network policies; however, the Key Set Identifier remains unchanged.
[7] Distributed NAS connection terminations architecture is a publicly known concept. In terms of securing NAS connections, it has been assumed that the NAS connections are independently secured. However, this results in additional overhead from both UE and network standpoints.
SUMMARY
[8] This summary is provided to introduce simplified concepts of subnetwork configuration and procedures to enable subnetwork operations, particularly on subnetwork identities. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
[9] According to a first aspect of the disclosure, there is provided a terminal device. The terminal device comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the terminal device at least to: receive an initialization key set identifier (KSI) from the first network function entity; and generate a set of allowed assigned key set identifiers, based on the initialization key set identifier.
[10] According to a second aspect of the disclosure, there is provided a first network function entity. The first network function entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the first network function entity at least to: during an AKA procedure with a terminal device, generate an initialization key set identifier; derive a set of allowed assigned key set identifiers and a set of parent keys, based on the initialization key set identifier, wherein each of the set of parent keys is associated with a parent key identifier; and send the initialization key set identifier to the terminal device.
[11] According to a third aspect of the disclosure, there is provided a second network function entity. The second network function entity comprises at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the second network function entity at least to: send, to a first network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; receive an assigned key set identifier and a parent key from the first network function entity; and generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier.
[12] According to a fourth aspect of the disclosure, there is provided a method performed by a terminal device. The method comprises: receiving an initialization key set identifier from the first network function entity; and generating a set of allowed assigned key set identifiers, based on the initialization key set identifier.
[13] According to a fifth aspect of the present disclosure, there is provided a method performed by a first network function entity. The method comprises: generating an initialization key set identifier; deriving a set of allowed assigned key set identifiers and a set of parent keys, based on the initialization key set identifier, wherein each of the set of parent keys is associated with a parent key identifier; and sending the initialization key set identifier to the terminal device.
[14] According to a sixth aspect of the present disclosure, there is provided a method performed by a second network function entity. The method comprises: sending, to a first network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; receiving the assigned key set identifier and the parent key from the first network function entity; and generating and storing a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier.
[15] According to a seventh aspect of the present disclosure, there is provided a terminal device. The terminal device comprises means for performing steps of any method according to the fourth aspect.
[16] According to an eighth aspect of the present disclosure, there is provided a first network function entity. The first network function entity comprises means for performing steps of any method according to the fifth aspect.
[17] According to a ninth aspect of the present disclosure, there is provided a second network function entity. The second network function entity comprises means for performing steps of any method according to the sixth aspect.
[18] According to a tenth aspect of the present disclosure, there is provided a computer readable storage medium having instructions stored thereon, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform any method according to the fourth, fifth or sixth aspect.
[19] According to an eleventh aspect of the present disclosure, there is provided a computer program product comprising instructions which, when executed by at least one processor, cause the at least one processor to perform any method according to the fourth, fifth or sixth aspect.
[20] It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
[21] Some example embodiments will now be described with reference to the accompanying drawings in which:
[22] FIG. 1 illustrates an example of a single NAS connection termination in the 5G system architecture;
[23] FIG. 2 illustrates an example of the distributed NAS connection terminations architecture;
[24] FIG. 3 illustrates an example of securing a NAS connection in the 5G system;
[25] FIG. 4 illustrates an exemplary call flow of securing multiple NAS connections in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure;
[26] FIG. 5 illustrates an example of an initialization KSI setting, an allowed assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure;
[27] FIG. 6 illustrates an exemplary scenario in which each NAS connection has a unique parent key according to some embodiments of the present disclosure;
[28] FIG. 7 illustrates another example of an initialization KSI setting, a possible assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure;
[29] FIG. 8 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure;
[30] FIG. 9 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure;
[31] FIG. 10 is a flow chart depicting a method for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure;
[32] FIG. 11 is a call flow diagram depicting an initial NAS registration procedure according to some embodiments of the present disclosure;
[33] FIG. 12 is a call flow diagram depicting an initial NAS session management request procedure according to some embodiments of the present disclosure;
[34] FIG. 13 is a call flow diagram depicting UE idle to connected mode transitions according to some embodiments of the present disclosure; and
[35] FIG. 14 shows a simplified block diagram of an apparatus according to some embodiments of the present disclosure.
DETAILED DESCRIPTION
[36] Some example embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments are shown. Indeed, the example embodiments may take many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout.
[37] In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
[38] References in the present disclosure to “one embodiment”, “an embodiment”, “an example embodiment”, and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[39] It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
[40] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
[41] As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
[42] This definition of “circuitry” applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term “circuitry” also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term “circuitry” also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
[43] As used herein, the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT), New Radio (NR) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, 5G, the future sixth generation (6G) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned systems.
[44] As used herein, the term “terminal device” refers to any end device that can access a communication network and receive services therefrom. By way of example and not limitation, the terminal device may refer to a user equipment (UE) which may be a combination of a Universal Integrated Circuit Card (UICC)/Subscriber Identity Module (SIM) Card and a mobile equipment (ME), or other suitable devices. In the following description, the terms “terminal device”, “user equipment” and “UE” may be used interchangeably.
[45] As used herein, the term “network function entity” refers to any entity for supporting a network function in a communication network. The network function entity can be implemented in a physical network node, or in a virtual network node which performs a function using logical resources in more than one physical network node.
[46] As used herein, the term “NAS connection terminating end point” means an end point terminating a NAS connection, e.g. a UE or an NF entity.
[47] As used herein, the term “security key” refers to a parent key, and they can be used interchangeably. The term “security identifier” refers to a key set identifier (KSI), and two types of key set identifiers are defined, i.e., an initialization key set identifier and an assigned key set identifier, which will be described in detail later.
[48] As mentioned above, the 3GPP 5G system specifies a solution that enables securing a single NAS connection which is per access type and per PLMN. So, while a UE may have multiple NAS connections, each of these NAS connections is for a different access type and/or PLMN. With the distributed NAS connection terminations architecture, however, there can be multiple NAS connections for the same access type and PLMN, and no solution is defined to achieve security for multiple NAS connections in the distributed NAS connection terminations architecture.
[49] The 3GPP 5G system currently does not specify the distributed NAS connection terminations architecture, nor enable security of multiple NAS connections in the distributed NAS connection terminations architecture.
[50] Thus, various embodiments of the present disclosure propose a lightweight security solution which enables securing multiple NAS connections in the distributed NAS connection terminations architecture. Specifically, the proposed security solution provides mechanisms to generate and distribute security identifiers and keys for multiple NAS connections to the end points responsible for terminating and securing those NAS connections. Each of the multiple NAS connections is assigned a security identifier which uniquely identifies the NAS security context of that NAS connection at its terminating end points, i.e., in the UE and the serving network. Each NAS connection may be secured using a common parent key or a unique parent key along with a unique key set identifier. In addition, the security keys can be allocated to the NAS connections in a flexible manner, for example a common key, a unique key per NAS connection, or a combination of both, based on configuration.
[51] The proposed solution introduces a new network function (namely, a security key management function, SKMF) entity supporting mechanisms for the derivation, allocation and distribution of security parameters (including security keys and key set identifiers) plus enhanced capabilities in NAS connection terminating end points (i.e., the UE and the serving network functions) to support the usage of these security parameters.
[52] In the current security solution in the 5G system, each NAS connection is secured using the 3GPP NAS SMC procedure and security parameters as described in the background section. However, in the distributed NAS connection terminations architecture, since there are now multiple NAS connections, each NAS connection terminating end point (i.e., the UE and a serving NF) needs to establish and maintain a unique NAS security context per NAS connection. This means that instead of having to support just a single NAS security context (key set identifier), the UE and the serving network need to support multiple NAS security contexts. Furthermore, in order for the UE and the serving network to identify which NAS security context a NAS connection is associated with, both end points need to be able to indicate to each other which NAS security context is being used. As such, there needs to be a means to uniquely identify multiple different NAS security contexts. In addition, since the NAS connections are terminated across multiple NFs in the serving network, these NFs need to support mechanisms to obtain NAS security parameters (e.g. security keys, UE capabilities, key set identifier, etc.) for the NAS connections they terminate. The following sections describe how the proposed security solution addresses these requirements.
[53] The identification of unique NAS security contexts can be realized by assigning a unique key set identifier to each NAS connection, associated with a common parent key.
[54] The new NF, SKMF, is introduced, which in terms of functionality encompasses that of the 3GPP SEAF and builds on it to support new and enhanced capabilities to support the generation of one or multiple key set identifiers, derivation of one or multiple parent keys and the ability to associate the key set identifiers with the parent key(s). The SKMF can also expose its services via a service based interface (SBI) enabling other NFs to request key set identifier(s) and parent key(s) to secure NAS connections they terminate. The NAS connection terminating NFs must also support NAS SMC procedures as well as support consuming SKMF services via SBI. Also, the UE must be capable of supporting procedures and parameters that enable the generation of one or multiple key set identifiers, derivation of one or multiple parent keys and the usage of these to secure NAS connections.
[55] An overview of the proposed security solution for multiple NAS connections in the distributed NAS connection terminations architecture is provided below. FIG. 4 illustrates an exemplary call flow of securing multiple NAS connections in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure. As shown in FIG. 4, securing multiple NAS connections involves the UE, multiple NFs (e.g. NF1 and NF2), and the SKMF.
[56] As shown in operations 1a and 1b in FIG. 4, initially when the UE attempts to register with the communication network, the UE and the SKMF in the communication network authenticate each other and verify that both parties have access to a pre-shared secret key via the AKA procedure. As part of a successful AKA procedure, the SKMF informs the UE, via a parameter “key set identifier”, of how many key set identifiers (KSIs) and parent keys (Kp) there are, how to derive them, and how to associate the key set identifiers with the parent keys. For the sake of simplicity, it is assumed in this example that there is only one parent key used for all NAS connections. The scenario with multiple parent keys will be discussed later. At the end of the successful AKA procedure, both the UE and the SKMF will have the same Anchor Key, parent key and set of key set identifiers associated with the parent key. Note that enhancements to the 5G/EAP AKA procedure are required to adopt usage of the parameter “key set identifier”.
[57] When an NF, e.g. NF1, needs to establish a secure NAS connection with the UE, it requests the SKMF to provide a parent key (Kp) and a key set identifier (KSI) for the NAS connection between the UE and NF1. The SKMF selects from its set of “available” key set identifiers a single KSI (e.g. KSI1), and marks it as “in use” in the set. The SKMF returns Kp and KSI1 to NF1 and automatically subscribes NF1 to receive notifications regarding changes to the parent key, Kp, e.g. as a result of a new AKA run. Operation 2 shows that NF1 obtains the parent key (Kp) and the key set identifier (KSI1) for the NAS connection from the SKMF.
[58] Then at operation 3, NF1 creates a NAS security context for the NAS connection containing the NAS security parameters (including KSI1, Kp, UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN ID). NF1 then triggers a NAS SMC procedure and sends a NAS SMC command message to the UE containing the key set identifier KSI1 and other 3GPP defined security parameters. This NAS SMC command message is integrity protected by the NAS keys that NF1 derived from the parent key Kp. The UE then uses KSI1 in the received NAS SMC command message to check whether KSI1 belongs to its set of “available” key set identifiers and whether it is associated with the parent key belonging to a successful AKA run. Upon a successful check outcome, the UE uses its parent key associated with KSI1 to derive the NAS keys and integrity checks the received NAS SMC command message with the NAS keys; a successful check outcome indicates that the parent keys in the UE and NF1 are the same parent key. The UE then creates a NAS security context for this NAS connection containing the NAS security parameters (including KSI1, Kp, UE capabilities, NAS keys, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN ID). The UE also marks KSI1 as “in-use” in its set of key set identifiers. The UE then sends to NF1 a NAS SMC complete message which is integrity and confidentiality protected with its NAS keys. NF1 uses its NAS keys to check the integrity and confidentiality of the NAS SMC complete message and complete the setup of the secure NAS connection. The NAS security context for this NAS connection between the UE and NF1 is now uniquely identified by the key set identifier KSI1.
[59] Subsequently, if NF2 establishes a secure NAS connection with the same UE, the same procedure as outlined above for NF1 is followed, except that the SKMF will allocate a new key set identifier, e.g. KSI2, from its set of “available” key set identifiers to NF2, and mark KSI2 as “in-use” in the set. Since in this example only one parent key is used for all NAS connections, the same parent key allocated to NF1 is also allocated to NF2, i.e., Kp.
[60] In general, any network function NFx establishing a NAS connection towards a UE will obtain KSIx and Kp from the SKMF and establish a secure NAS connection with the UE. The NAS security context of this secure NAS connection is uniquely identified by KSIx at both the UE and the NFx.
[61] The proposed security solution leverages and extends existing mechanisms of the 3GPP 5G system for securing NAS connections. In particular, the existing 3GPP NAS AKA and NAS SMC procedures are leveraged and enhanced to establish and manage security of multiple NAS connections. Also, the existing 5G NAS key hierarchy is reused, with the exception that only NFs related to NAS mobility management (e.g. the AMF) derive and distribute Access Stratum (AS) keying material to access nodes. No changes are required to the AS key hierarchy or key derivation.
[62] The following describes some principles used in various embodiments of the present disclosure.
[63] 1. Principles about security key, security identifier and NAS security context
[64] Each NAS connection between a UE and an NF is secured using a parent key. A single parent key may be used to secure one or more NAS connections.
[65] Each NAS connection terminating end point (e.g. UE and NF) maintains a NAS security context identified by an assigned key set identifier. The assigned key set identifier is unique across all NAS connections, and contains a parent key identifier associated with the parent key for the NAS connection and a value between 1 and a maximum number of allowed assigned key set identifiers.
[66] Another type of key set identifier, i.e., an initialization key set identifier, may contain information that:
• defines an allowed range and a maximum number of assigned key set identifiers allowed;
• defines a maximum number of parent keys allowed; and
• enables derivation and identification of parent key(s).
[67] The maximum number of parent keys and the maximum number of allowed assigned key set identifiers defined in the initialization key set identifier are based on policies/rules in the SKMF which may be pre-configured or dynamic. These maximum numbers may be changed on a per AKA procedure basis.
[68] The SKMF is responsible for derivation, distribution and management of the initialization key set identifier and the assigned key set identifiers. Also, the SKMF encompasses existing SEAF functionality.
[69] During an AKA procedure, the SKMF provides an initialization key set identifier to a UE. Based on the initialization key set identifier, both the SKMF and the UE may:
• determine the allowed range and the maximum number of assigned key set identifiers;
• derive a set of parent keys; and
• associate a parent key identifier to each parent key, i.e., each parent key is assigned with a unique parent key identifier.
Thus, at the end of a successful AKA procedure, both the SKMF and the UE shall have:
• the same set of parent keys;
• the same set of parent key identifiers associated with parent keys; and
• the same set of assigned key set identifiers.
[70] Alternatively, a UE may defer the derivation of a parent key and only derive the parent key when it is required, e.g., upon receipt of a NAS SMC message which includes an assigned key set identifier containing a specific parent key identifier.
[71] The SKMF may be a standalone network function or combined with another NF, e.g. a mobility management network function. The SKMF may communicate via a service based interface (SBI) with other NF(s).
[72] An NF terminating a NAS connection may establish a secure NAS connection with a UE by means of a NAS SMC procedure. Prior to NAS SMC initiation, the NF requests from the SKMF an assigned key set identifier and a parent key. The SKMF allocates to the NF an assigned key set identifier available for use in the range of allowed assigned key set identifiers agreed as per the initialization key set identifier. The SKMF also allocates to the NF a parent key that is associated with the parent key identifier populated into the assigned key set identifier.
[73] A parent key identifier in an assigned key set identifier may be assigned according to parent key assignment policies/rules in the SKMF. For example, it may be desirable for NAS connections belonging to a specific network slice, NF type, NF SET ID, PLMN ID and so on to have their own unique parent key assigned; the SKMF may use this and other information as input to its parent key assignment policies/rules.
[74] A parent key identifier (and hence a parent key since there is a one to one relationship) may be dedicated to a single NAS connection only, or shared across a subset of NAS connections, or shared across all NAS connections.
[75] An NF stores a received parent key and assigned key set identifier to a NAS security context of a NAS connection, and uses the received assigned key set identifier as an identifier of the NAS security context in the NF for the NAS connection. Moreover, the NF uses the received parent key to secure the NAS connection by means of a NAS SMC procedure, and provides the received assigned key set identifier to the UE in the NAS SMC procedure.
[76] A UE uses the assigned key set identifier received in a NAS SMC procedure to identify the parent key used to secure a NAS connection. The assigned key set identifier contains a parent key identifier which the UE can use to identify a parent key from the set of parent keys. The parent key identifier is based on the initialization key set identifier received during the latest AKA procedure. If the parent key was not previously derived, the UE may derive it at this point. The UE uses the identified parent key to run a security check on the received NAS SMC message, and if it passes, the UE stores the parent key and the assigned key set identifier to the NAS security context of the NAS connection. The UE also checks if the received assigned key set identifier is within the range of allowed assigned key set identifiers specified by the initialization key set identifier, and if this check passes, the assigned key set identifier is used as an identifier of the NAS security context in the UE for the NAS connection.
[77] A parent key may be derived by a key derivation function (KDF) in both the SKMF and UE using Anchor Key (akin to Kseaf key), a subscription permanent identifier (SUPI), Anti-Bidding down Between Architectures (ABBA), and a random number concatenated with a number between 1 and the maximum number of parent keys allowed. The random number and the maximum number of parent keys allowed are indicated in the initialization key set identifier and provided by the SKMF to the UE. The use of the random number can ensure that unique parent keys are derived between different AKA procedures.
[78] In addition to being used as an input to derive the parent key, the random number concatenated with a number between 1 and the maximum number of parent keys can be used as the parent key identifier.
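The SKMF-side allocation and the UE-side checks described in [64] to [78] and in the FIG. 4 call flow, as an added example that is not part of the patent's own text. It assumes HMAC-SHA256 as a stand-in for the 3GPP KDF, an invented byte layout for the two kinds of key set identifier, and constructed placeholder values for the anchor key, SUPI and ABBA.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class InitializationKSI:
    """Sent by the SKMF to the UE during AKA ([66], [77]); the field encoding is assumed."""
    max_assigned: int      # allowed assigned KSI values are 1..max_assigned
    max_parent_keys: int   # parent keys are numbered 1..max_parent_keys
    rand: bytes            # random number that makes parent keys unique per AKA run

@dataclass(frozen=True)
class AssignedKSI:
    """Identifies one NAS security context at both end points ([65])."""
    parent_key_id: bytes   # rand || n, also used as a KDF input ([78])
    value: int             # 1..max_assigned, unique across the UE's NAS connections

def parent_key_id(init: InitializationKSI, n: int) -> bytes:
    if not 1 <= n <= init.max_parent_keys:
        raise ValueError("parent key number outside the initialization KSI")
    return init.rand + n.to_bytes(1, "big")

def derive_parent_key(anchor_key: bytes, supi: str, abba: bytes,
                      init: InitializationKSI, n: int) -> bytes:
    # Stand-in for the 3GPP KDF (assumption): HMAC-SHA256 keyed with the anchor key
    # over SUPI || ABBA || parent key identifier, the inputs listed in [77].
    return hmac.new(anchor_key, supi.encode() + abba + parent_key_id(init, n),
                    hashlib.sha256).digest()

def nas_mac(parent_key: bytes, message: bytes) -> bytes:
    # NAS integrity key derived from Kp (label assumed), then a 32-bit MAC over the message.
    k_int = hmac.new(parent_key, b"NAS-INT", hashlib.sha256).digest()
    return hmac.new(k_int, message, hashlib.sha256).digest()[:4]

class SKMF:
    """Derives the parent keys and hands out assigned KSIs to requesting NFs ([72])."""
    def __init__(self, anchor_key, supi, abba, max_assigned=7, max_parent_keys=2, rand=None):
        self.init = InitializationKSI(max_assigned, max_parent_keys, rand or os.urandom(4))
        self.parent_keys = {n: derive_parent_key(anchor_key, supi, abba, self.init, n)
                            for n in range(1, max_parent_keys + 1)}
        self.available = set(range(1, max_assigned + 1))   # assigned KSI values not yet in use

    def allocate(self, nf_id: str, n: int = 1):
        """Returns (assigned KSI, parent key n) for the NAS connection that nf_id terminates."""
        pk_id = parent_key_id(self.init, n)        # validates n before touching the pool
        if not self.available:
            raise RuntimeError(f"no assigned key set identifier available for {nf_id}")
        value = min(self.available)
        self.available.remove(value)               # marked "in use" ([57])
        return AssignedKSI(pk_id, value), self.parent_keys[n]

class UE:
    """Holds the initialization KSI from AKA; derives parent keys on demand ([70])."""
    def __init__(self, anchor_key, supi, abba, init):
        self.anchor_key, self.supi, self.abba, self.init = anchor_key, supi, abba, init
        self.parent_keys = {}   # parent key identifier -> parent key
        self.contexts = {}      # assigned KSI -> parent key of that NAS security context

    def on_nas_smc_command(self, ksi: AssignedKSI, body: bytes, mac: bytes) -> bool:
        # Check 1: assigned KSI value within the allowed range and not already in use ([76]).
        if not 1 <= ksi.value <= self.init.max_assigned or ksi in self.contexts:
            return False
        # Check 2: the parent key identifier belongs to the latest AKA run.
        rand, n = ksi.parent_key_id[:-1], ksi.parent_key_id[-1]
        if rand != self.init.rand or not 1 <= n <= self.init.max_parent_keys:
            return False
        if ksi.parent_key_id not in self.parent_keys:    # deferred derivation
            self.parent_keys[ksi.parent_key_id] = derive_parent_key(
                self.anchor_key, self.supi, self.abba, self.init, n)
        kp = self.parent_keys[ksi.parent_key_id]
        # Check 3: integrity of the NAS SMC command shows both sides hold the same Kp ([58]).
        if not hmac.compare_digest(nas_mac(kp, body), mac):
            return False
        self.contexts[ksi] = kp      # KSI now "in use" and identifies this context
        return True

def run_example() -> dict:
    # Constructed sample values; the anchor key, SUPI and ABBA are placeholders.
    anchor, supi, abba = b"\x42" * 32, "imsi-001010000000001", b"\x00\x00"
    skmf = SKMF(anchor, supi, abba, rand=b"\x01\x02\x03\x04")
    ue = UE(anchor, supi, abba, skmf.init)         # state after a successful AKA
    out, ksis = {}, {}
    for nf, n in (("NF1", 1), ("NF2", 1), ("NF3", 2)):   # NF1/NF2 share Kp1, NF3 gets Kp2
        ksi, kp = skmf.allocate(nf, n)                   # operation 2 in FIG. 4
        body = b"NAS SMC command from " + nf.encode()
        out[nf] = ue.on_nas_smc_command(ksi, body, nas_mac(kp, body))
        ksis[nf] = ksi
    out["values"] = [ksis[nf].value for nf in ("NF1", "NF2", "NF3")]
    out["shared_kp"] = ue.contexts[ksis["NF1"]] == ue.contexts[ksis["NF2"]]
    out["unique_kp"] = ue.contexts[ksis["NF1"]] != ue.contexts[ksis["NF3"]]
    # A command protected with some other key is rejected even though its KSI is valid.
    ksi4, _ = skmf.allocate("NF4")
    out["wrong_key"] = ue.on_nas_smc_command(ksi4, b"x", nas_mac(b"\x00" * 32, b"x"))
    # A KSI value outside the agreed range is rejected before any key derivation.
    bad = AssignedKSI(parent_key_id(skmf.init, 1), skmf.init.max_assigned + 1)
    out["out_of_range"] = ue.on_nas_smc_command(bad, b"x", nas_mac(skmf.parent_keys[1], b"x"))
    return out
```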
[79] An NF shall use the unique assigned key set identifier agreed as a result of a NAS SMC procedure, to apply security to a NAS message destined for a UE. The NAS message which has been secured is referred to here as a secured NAS message.
[80] The NF shall include the assigned key set identifier for identifying the NAS security context in all secured NAS messages sent to the UE. The assigned key set identifier in a secured NAS message is integrity protected but not ciphered to enable the UE to identify the assigned key set identifier and apply the associated NAS security context that the UE stores to the received secured NAS message.
[81] The Access Stratum (AS) layers (e.g. Radio Resource Control (RRC) layer) may enable ciphering and integrity protection to avoid exposing the assigned key set identifier.
[82] 2. Principles about NAS message routing and NAS security context identification
[83] In a distributed NAS connection terminations architecture, a UE may have multiple NAS connections and each NAS connection may be assigned a unique temporary identifier (e.g. Globally Unique Temporary Identifier (GUTI)) by an NF terminating the NAS connection. The temporary identifier may subsequently be communicated to the UE. As such, the UE may have multiple assigned GUTIs. Each GUTI may uniquely identify a UE NAS sub-functional context associated with the corresponding NAS connection. For instance, a Mobility Management GUTI (MM-GUTI) identifies a UE NAS MM context, and a Session Management GUTI (SM-GUTI) identifies a UE SM context. In general, an XX-GUTI identifies a UE XX context.
[84] The first secured NAS message sent to a UE shall contain a GUTI assigned by an NF terminating the NAS connection. The GUTI shall be integrity, confidentiality and replay protected. Note that the first and all subsequent secured NAS messages sent to the UE shall contain the assigned key set identifier.
[85] An NF terminating a NAS connection shall maintain context information that links the GUTI and the assigned key set identifier assigned to the NAS connection. Similarly, a UE shall maintain context information that links the GUTI and the assigned key set identifier received in a secured NAS message.
[86] In general, a one-to-one relationship exists between an assigned key set identifier and GUTI. Reception of the first secured NAS message enables the UE to associate the received GUTI and assigned key set identifier, such that subsequent secured NAS messages can include only the assigned key set identifier which the UE can use to link to the associated GUTI and process it accordingly.
[87] As an example, an NF managing NAS MM functionality can establish a NAS security context identified by an assigned key set identifier (AssignedKSI = MM) with a UE, and exchange secured NAS messages with the UE using the NAS security context identified by AssignedKSI = MM. The NF can also assign a GUTI (e.g. MM-GUTI) to identify the UE MM NAS context in the network and communicate the GUTI to the UE via the first secured NAS message.
[88] In general, an NF managing NAS XX functionality may establish a NAS security context identified by an assigned key set identifier (AssignedKSI = XX) with a UE, exchange secured NAS messages with the UE using the NAS security context identified by AssignedKSI = XX, and assign a GUTI (e.g., XX-GUTI) to identify the UE XX NAS context in the network and communicate the GUTI to the UE via the first secured NAS message. The NF and the UE shall both maintain context information that links the XX-GUTI and the assigned key set identifier AssignedKSI = XX.
[89] When a UE sends a NAS message identified by a XX-GUTI towards an NF terminating a NAS connection, it shall use the assigned key set identifier linked to the XX-GUTI to secure the NAS message. In addition to sending the secured NAS message to an (radio) access node ((R)AN), the UE shall provide the XX-GUTI/XX-S-TMSI (S-Temporary Mobile Subscription Identifier) or an identifier derived from it to the lower layers (e.g., RRC layer) to assist the (R)AN in routing the secured NAS message to the correct NF. The (R)AN shall obtain Globally Unique Network Function Identifier (GUNFI) from the received XX-GUTI/XX-S-TMSI to identify the NF.
[90] During establishment of a NAS connection, an NF terminating the NAS connection and a serving AN for a UE terminating the NAS connection may exchange temporary identifiers, a UE-NF ID and UE-AN ID, with each other. The UE-NF ID uniquely identifies a UE context associated with the GUTI and the assigned key set identifier in the NF on a connection between the AN and the NF (denoted by AN-NF connection). The UE-AN ID uniquely identifies a UE context associated with a UE-AN connection (e.g. RRC connection) in the AN on the connection between the AN and the NF. The AN and the NF have a 1:n connection relationship, i.e., one AN has connections to multiple (n) NFs, whereby each NF is a NAS connection termination end point in the network and each connection between the AN and the NF is identified by a connection identifier which is a unique combination of the temporary identifiers, i.e. UE-AN ID-UE-NF1 ID, UE-AN ID-UE-NF2 ID, ..., UE-AN ID-UE-NFn ID etc.
[91] A secured NAS message forwarded from an AN serving a UE to an NF on an AN-NF connection is implicitly associated with an assigned key set identifier and GUTI in the NF, once a NAS security context for a NAS connection between the UE and the NF has been established. As such, the secured NAS messages sent from the AN to the NF over a specific AN-NF connection need not contain the assigned key set identifier and GUTI. The receiving NF will use the connection identifier (UE-AN ID-UE-NF ID) to determine the associated assigned key set identifier and GUTI, apply security checks (integrity, confidentiality and replay checks) on the secured NAS message using the associated assigned key set identifier, and process it accordingly.
[92] To send a NAS message to a UE, an NF shall use the UE-AN ID of the AN serving the UE in connected mode to establish an AN-NF connection which is identified by the connection identifier UE-AN ID-UE-NF ID, and send the NAS message to the UE via the NF-AN connection.
[93] A MM NAS connection shall be the first NAS connection to be established and secured. Non-MM Initial NAS messages, for which no NAS security context exists in the UE, are sent via the secure MM NAS connection to the MM NF. The MM NF is responsible for selecting an appropriate NF (e.g., XX NF) according to network policies to process the Non-MM Initial NAS Messages. The selected NF (i.e., XX NF) shall then establish a secure NAS connection with the UE directly via the AN.
[94] Mobile originated NAS messages which trigger Idle to Connected Mode transitions for NAS connections with established NAS security contexts are formatted as Initial NAS messages and carry both the assigned key set identifier to identify the NAS security context and the temporary identifier (i.e., XX-GUTI/XX-S-TMSI, where XX = type of NAS container (e.g. MM, SM, link management (LM), policy, timing, sensing, etc.)) to identify the correct serving NF (e.g. XX NF) for processing the NAS container. The UE capabilities shall also be included in an Initial NAS message.
[95] An NF terminating a NAS connection shall include an assigned key set identifier and a temporary identifier TMP-XX-GUTI in a NAS SMC command message sent to a UE, and the NAS SMC message shall be integrity protected using the NAS security context identified by the assigned key set identifier. The UE shall respond to the NAS SMC command message by providing the received TMP-XX-GUTI/TMP-XX-S-TMSI to the lower layers (e.g. RRC layer) and sending a NAS security mode complete message which is integrity, confidentiality and replay secured using the NAS security context identified by the received assigned key set identifier.
[96] An NF terminating a NAS connection shall include a temporary identifier TMP-XX-GUTI in a NAS authentication request and send the NAS authentication request to a UE. The UE shall respond to the NAS authentication request by providing the received TMP-XX-GUTI/TMP-XX-S-TMSI to the lower layers (e.g. RRC layer) and sending a NAS authentication response/failure message.
[97] The purpose of the temporary identifier TMP-XX-GUTI is to enable an access node (AN) (e.g. gNB) to select the correct AN-NF connection on which a NAS security mode complete/NAS authentication response/failure message is to be sent. The TMP-XX-GUTI contains the GUAMI of the NF that allocates it and a random number for the TMSI. The UE may identify a GUTI as a TMP-XX-GUTI based on the type of the NAS message it is received in, i.e., NAS SMC messages, NAS authentication messages and non-secured NAS messages.
[98] In view of the above principles, new and enhanced functionality involved in the various embodiments of the present disclosure will be summarized below.
[99] Enhancements to a UE may include one or more of:
• AKA procedure enhancements to support usage of an initialization key set identifier in a NAS authentication request message (for a 5G/EAP AKA procedure) and a NAS authentication result message (for an EAP AKA procedure);
• NAS SMC procedure enhancements to support usage of an assigned key set identifier per NAS connection;
• Parent key derivation based on an initialization key set identifier or an assigned key set identifier;
• Association of a parent key with a NAS security context based on an assigned key set identifier;
• Storage and management of multiple NAS security contexts, parent keys, initialization key set identifier and assigned key set identifiers per NAS connection;
• New initial NAS messages handling; and
• Support for temporary identifier TMP-GUTI/TMP-S-TMSI handling.
[100] Functionality of a SKMF entity may include one or more of:
• Generation, allocation and distribution of an initialization key set identifier and assigned key set identifiers;
• Derivation, allocation and distribution of parent keys;
• Maintaining a list of NFs to which assigned key set identifiers and parent keys are provided;
• AKA procedure enhancements to support usage of an initialization key set identifier in a NAS authentication request message (for a 5G/EAP AKA procedure) and a NAS authentication result message (for an EAP AKA procedure) sent to a UE;
• Service exposure via SBI to enable other NF(s) to obtain an assigned key set identifier and a parent key and trigger a NAS SMC procedure;
• New initial NAS registration request message handling; and
• Notifying NFs sequentially to re-key NAS connections (avoid over loading UE).
[101] Enhancements to a NF terminating a NAS connection may include one or more of:
• Support for consuming services of the SKMF;
• NAS SMC procedure enhancements to support usage of an assigned key set identifier per NAS connection;
• Derivation of NAS keys and horizontal key;
• Connection request and response services (e.g., paging and Idle/Connected Mode transitions);
• New initial NAS messages handling; and
• Support for temporary identifier TMP-GUTI/TMP-S-TMSI handling.
[102] Enhancements to a (radio) access node may include:
• Support for a single context for a UE served by the (radio) access node and routing NAS messages and receiving NAS message on multiple AN-NF connections associated with the UE.
[103] In various embodiments of the present disclosure, the key set identifier is a fundamental concept, which is akin to the ngKSI in 5G, but extended to contain additional information fields which are used in the derivation and identification of a NAS security context and a parent key. As mentioned above, there are two types of key set identifiers, i.e., an initialization KSI and an assigned KSI.
[104] An initialization KSI is configured by SKMF and provided to a UE during an AKA procedure in a NAS authentication request message (for a 5G/EAP AKA procedure) or a NAS authentication result message (for an EAP AKA procedure). The purpose of the initialization KSI is to inform the UE of the number of parent keys and the range of assigned KSIs allowed for a specific AKA run. It may also be used in derivation and identification of parent keys. At the end of a successful AKA procedure, based on the initialization KSI, both SKMF and UE know the number of parent keys and assigned KSIs allowed, their respective values and the implicit knowledge that only those assigned KSIs are allowed to be associated with those parent keys.
[105] In some embodiments, the initialization KSI may include the following fields: Base KSI, which is a random number assigned by SKMF; Max Kp, which indicates a maximum number of parent keys; and Max KSI, which indicates a maximum number of allowed assigned KSIs per parent key. Alternatively, in some embodiments, the Max KSI may indicate a maximum number of allowed assigned KSIs globally, i.e., across all the parent keys.
[106] In some embodiments, a key derivation function (KDF) is used in both SKMF and UE to derive a parent key with the following as inputs: Anchor Key (which is akin to Kseaf, and is generated during an AKA procedure); SUPI; ABBA; and Base KSI || a value from 1 to Max Kp.
[107] Each of the values from 1 up to Max Kp, in increments of 1, may be concatenated (indicated by || here) with the Base KSI to be used as the input to derive unique parent keys. In addition, the Base KSI concatenated with the value is also used as a unique parent key identifier.
[108] For example, if Base KSI equals 0x6E and Max Kp equals 0x02, Base KSI || 1 to Max Kp results in two values, 0x6E01 and 0x6E02. These two values, 0x6E01 and 0x6E02, can be used (along with the other inputs mentioned above) to derive a total of 2 parent keys, Kp-1 and Kp-2, respectively. In addition, these two values act as parent key identifiers for the respective parent keys. That is, 0x6E01 identifies Kp-1 and 0x6E02 identifies Kp-2. The parent key identifier is contained in the assigned KSI to enable the UE to identify the associated parent key, which will be explained in more detail below.
[109] An assigned KSI is a unique key set identifier configured by SKMF and provided on request to an NF which in turn provides it to a UE during a NAS SMC procedure. The assigned KSI can be used as a unique NAS security context identifier for uniquely identifying a NAS security context. With the assigned KSI, the UE can know which parent key is associated with this identifier.
[110] In some embodiments, the assigned KSI may include the following fields: Base KSI, which is always the same as the Base KSI of the initialization KSI; Kp separator, which indicates a parent key separator value in a range from 1 to Max Kp; and KSI separator, which indicates an assigned KSI separator value per parent key in a range from 1 to Max KSI.
[111] Thus, the SKMF may configure the assigned KSI, such that the Base KSI is the same as the Base KSI of the initialization KSI, the Kp separator is within the range between 1 and Max Kp of the initialization KSI, and the KSI separator is within the range between 1 and Max KSI of the initialization KSI. The KSI separator value may only be assigned once per parent key and should be marked as “in-use”. If subsequently freed up, it should be marked as “available”.
[112] In some embodiments, the concatenation of BASE KSI and Kp Separator may form a parent key identifier, and this may be used multiple times in an assigned KSI. However, KSI Separator shall only be used once per parent key.
[113] FIG. 5 illustrates an example of an initialization KSI setting, an allowed assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure. Note that the hexadecimal digits used for the different fields of the initialization KSI and the assigned KSI are only for illustrative purposes.
[114] As shown in FIG. 5, in this example, assume that the initialization KSI equals 0x5E0203, that is, BASE KSI is 0x5E, Max Kp is 02, and Max KSI is 03. So, it can be derived that a maximum of 2 parent keys and a maximum of 3 assigned KSIs per parent key are allowed, i.e., 6 assigned KSIs in total are allowed. Further, SKMF may allocate a part or all of the allowed assigned KSIs to NFs according to different policies or requirements. In FIG. 5, four examples of the allocated assigned KSIs are also shown.
[115] Example 1 shows that the maximum number of parent keys (2) are used and the maximum number of assigned KSIs per parent key (3) are used. Example 2 shows that only one parent key identified by 0x5E02 is used and the maximum number of assigned KSIs per parent key (3) are used. Example 3 shows that the maximum number of parent keys (2) are used and 2 assigned KSIs per parent key are used. Example 4 shows that the maximum number of parent keys (2) are used and 2 assigned KSIs are allocated to one parent key and 3 assigned KSIs are allocated to the other parent key.
[116] The above four examples show that the assigned KSIs are allocated in a sequential order, but it will be appreciated that the assigned KSIs may be allocated in any order as long as the assigned KSI is available.
[117] Several exemplary scenarios will be described below to further illustrate how the initialization KSI and the assigned KSI are used.
[118] Scenario 1 : single parent key shared by multiple NAS connections
[119] In this scenario, assume there are 3 NAS connections. Firstly, SKMF configures and provides the initialization KSI (= 0x5E0203) to a UE during an AKA procedure, wherein Base KSI = 0x5E, Max Kp = 0x02 indicating two parent keys allowed, and Max KSI = 0x03 indicating three assigned KSIs allowed per parent key, i.e., one assigned KSI for each NAS connection.
[120] From the initialization KSI, SKMF and the UE may derive two parent keys, each of which is assigned a respective parent key identifier. Specifically, a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a parent key identifier 0x5E01, and a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02. Instead of deriving the parent key during the AKA procedure, the UE may derive the parent key upon receipt of an assigned KSI in a NAS SMC command message from an NF.
[121] The allowed assigned KSIs are from 1, in increments of 1, up to Max KSI which in this case is 0x03. So, there are a total of 6 assigned KSIs allowed, i.e., assigned KSI-1 = 0x5E0101, assigned KSI-2 = 0x5E0102, assigned KSI-3 = 0x5E0103, assigned KSI-4 = 0x5E0201, assigned KSI-5 = 0x5E0202, and assigned KSI-6 = 0x5E0203. Assigned KSI-1, KSI-2 and KSI-3 all contain 0x5E01 which is the parent key identifier for the parent key Kp-1, and assigned KSI-4, KSI-5 and KSI-6 all contain 0x5E02 which is the parent key identifier for the parent key Kp-2.
[122] Subsequent to the AKA procedure, SKMF selects and provides 3 assigned KSIs to NFs requesting to establish a secure NAS connection: assigned KSI-1 = 0x5E0101, where Base KSI = 0x5E, Kp separator = 0x01, and KSI separator = 0x01; assigned KSI-2 = 0x5E0102, where Base KSI = 0x5E, Kp separator = 0x01, and KSI separator = 0x02; and assigned KSI-3 = 0x5E0103, where Base KSI = 0x5E, Kp separator = 0x01, and KSI separator = 0x03. Each of the NFs provides the respective assigned KSI to the UE in a NAS SMC procedure. The assigned KSIs are selected such that they are associated with a single parent key. Then SKMF marks these assigned KSIs as “in-use”.
[123] When the UE receives assigned KSI-1, assigned KSI-2, and assigned KSI-3 in the respective NAS SMC procedures, it uses Base KSI and Kp Separator in the assigned KSIs to identify the parent key identifier. In this case, all assigned KSIs have the same Base KSI and Kp Separator, i.e., 0x5E01, which identifies the parent key Kp-1. The UE also checks if the received 3 assigned KSIs are allowed as per the initialization KSI.
[124] Upon the successful identification and check, 3 NAS connections will be secured using the same parent key Kp-1, and the NAS security contexts of the 3 NAS connections are uniquely identified by the assigned KSIs, KSI-1, KSI-2 and KSI-3, respectively. The parent key identified by 0x5E02 and the assigned KSIs, KSI-4, KSI-5 and KSI-6, are unused in this scenario.
[125] Scenario 2: unique parent key for each NAS connection
[126] In this scenario, each NAS connection will have its own unique parent key. SKMF configures an initialization KSI to allow 5 parent keys and 1 assigned KSI per parent key. FIG. 6 illustrates this exemplary scenario in which n = 5.
[127] Firstly, SKMF configures and provides the initialization KSI (=0x5E0501) to the UE in an AKA procedure, wherein Base KSI = 0x5E, Max Kp = 0x05 indicating five parent keys allowed, Max KSI = 0x01 indicating 1 assigned KSI allowed per parent key.
[128] From the initialization KSI, SKMF and the UE may derive 5 parent keys, each of which is assigned a respective parent key identifier. Specifically, a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a parent key identifier 0x5E01, a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02, a parent key Kp-3 is derived by using 0x5E03 as an input and is identified by a parent key identifier 0x5E03, a parent key Kp-4 is derived by using 0x5E04 as an input and is identified by a parent key identifier 0x5E04, and a parent key Kp-5 is derived by using 0x5E05 as an input and is identified by a parent key identifier 0x5E05. Moreover, there are a total of 5 assigned KSIs allowed, i.e., assigned KSI-1 = 0x5E0101, assigned KSI-2 = 0x5E0201, assigned KSI-3 = 0x5E0301, assigned KSI-4 = 0x5E0401, and assigned KSI-5 = 0x5E0501.
[129] SKMF receives requests for an assigned KSI and parent key for a NAS connection from NF1 and NF2 via SBI, respectively. Considering it is required that each NAS connection has its own unique parent key, SKMF selects and provides the following assigned KSIs and parent keys to the requesting NF1 and NF2: assigned KSI-1 = 0x5E0101 and parent key Kp-1 to NF1; and assigned KSI-2 = 0x5E0201 and parent key Kp-2 to NF2. SKMF then marks these assigned KSIs as “in-use”, which means there are only 3 assigned KSIs available to allocate as of this AKA procedure. In a new AKA procedure, SKMF can adjust the max numbers for parent keys and assigned KSIs per parent key as deemed necessary.
[130] Upon receipt of the assigned KSI and the parent key, each of NF1 and NF2 provides the assigned KSI to the UE via a NAS SMC procedure. When the UE receives assigned KSI-1, it uses Base KSI and Kp separator (0x5E01) in the assigned KSI-1 to identify the parent key, which is Kp-1. Likewise, when the UE receives Assigned KSI-2, it uses Base KSI and Kp separator (0x5E02) to identify the parent key, which is Kp-2. The UE also checks if the received 2 assigned KSIs are allowed as per the initialization KSI.
[131] Upon the successful identification and check, 2 NAS connections will be secured using different parent keys Kp-1 and Kp-2, respectively, and the NAS security contexts of the 2 NAS connections are uniquely identified by the assigned KSIs, KSI-1 and KSI-2, respectively.
[132] Scenario 3: unique parent key for NAS connection(s) of same network slice
[133] In this scenario, NAS connection(s) of the same network slice will share a single parent key, while different parent keys are used for different network slices. Assume there are 2 network slices, one with 5 NAS connections and the other with 3 NAS connections.
[134] Firstly, SKMF configures and provides the initialization KSI (= 0x5E0205) to a UE during an AKA procedure, wherein Base KSI = 0x5E, Max Kp = 0x02 indicating two parent keys allowed, Max KSI = 0x05 indicating 5 assigned KSI allowed per parent key.
[135] From the initialization KSI, SKMF and the UE may derive two parent keys, each of which is assigned a respective parent key identifier. Specifically, a parent key Kp-1 is derived by using 0x5E01 as an input and is identified by a parent key identifier 0x5E01, and a parent key Kp-2 is derived by using 0x5E02 as an input and is identified by a parent key identifier 0x5E02. Moreover, there are a total of 10 assigned KSIs allowed.
[136] SKMF receives requests for an assigned KSI and parent key for 5 NAS connections in network slice 1 from NFs. Then SKMF selects and provides the following assigned KSIs and parent keys to the requesting NFs in network slice 1: assigned KSI-1 = 0x5E0101 and parent key Kp-1, assigned KSI-2 = 0x5E0102 and parent key Kp-1, assigned KSI-3 = 0x5E0103 and parent key Kp-1, assigned KSI-4 = 0x5E0104 and parent key Kp-1, and assigned KSI-5 = 0x5E0105 and parent key Kp-1. Then, SKMF marks these assigned KSIs as “in-use” for parent key Kp-1, i.e., no more assigned KSIs can be allocated to Kp-1; however, the other 5 assigned KSIs can still be allocated to Kp-2. In a new AKA run, the SKMF can adjust the max numbers for parent keys and assigned KSIs as deemed necessary.
[137] Upon receipt of the assigned KSI and the parent key, each of the NFs provides the assigned KSI to the UE via a NAS SMC procedure. When the UE receives assigned KSIs KSI-1 ~ KSI-5, it uses the Base KSI and Kp Separator (0x5E01) to identify the parent key, which is Kp-1. The UE also checks if the received 5 assigned KSIs are allowed as per the initialization KSI.
[138] SKMF may also receive requests for an assigned KSI and parent key for 3 NAS connections in network slice 2 from NFs. Then SKMF selects and provides the following assigned KSIs and parent keys to the requesting NFs in network slice 2: assigned KSI-6 = 0x5E0201 and parent key Kp-2, assigned KSI-7 = 0x5E0202 and parent key Kp-2, and assigned KSI-8 = 0x5E0203 and parent key Kp-2. Then, SKMF marks these assigned KSIs as “in-use”, which means there remain 2 assigned KSIs available to allocate to Kp-2 as of this AKA run.
[139] When the UE receives assigned KSIs, KSI-6 ~ KSI-8, it uses Base KSI and Kp Separator (0x5E02) to identify the parent key, which is Kp-2. The UE also checks if the received 3 assigned KSIs are allowed as per the initialization KSI.
[140] Upon the successful identification and check, 5 NAS connections in network slice 1 are secured using the same parent key Kp-1, and 3 NAS connections in network slice 2 are secured using the same parent key Kp-2, with each NAS connection having a unique NAS security context identified by KSI-1 ~ KSI-8 respectively.
[141] Although in the above description the assigned KSIs are allocated in a sequential order, it will be appreciated that the assigned KSIs may be allocated in any order as long as the assigned KSI is available. However, once an assigned KSI is used per parent key, it must be marked as “in-use” and cannot be re-used unless explicitly released and marked as “available”. Also, the number of assigned KSIs cannot exceed the Max KSI value per parent key.
[142] In addition to allocating parent keys per network slice, other scenarios can also be supported, for example, NAS connections belonging to a specific NF type, NF SET ID, PLMN ID and so on may be desirable to have their own unique parent key allocated. These and other scenarios can be easily supported by SKMF configuring the initialization KSI and assigned KSIs according to pre-configured rules/policies and dynamic triggers such as receipt of specific information such as a NF type or network slice ID (S-NSSAI) and so on.
[143] Alternatively, in some embodiments, Max KSI in the initialization KSI may be defined to indicate a maximum number of assigned KSIs allowed overall or globally, but not on a per parent key basis. It means that once this maximum number is reached, SKMF shall not allocate any assigned KSI until the assigned KSIs in use become available. Accordingly, the definition of KSI separator in the assigned KSI would change.
[144] Thus, the initialization KSI may include the following fields: Base KSI, which is a random number assigned by SKMF; Max Kp, which indicates a maximum number of parent keys; and Max KSI, which indicates a maximum number of allowed assigned KSIs overall or globally. The assigned KSI may include the following fields: Base KSI, which is always same as Base KSI of initialization KSI; Kp separator, which indicates a parent key separator value in a range from 1 to Max Kp; and KSI separator, which indicates an assigned KSI separator value in a range from 1 to Max KSI.
[145] With this alternative definition of Max KSI and KSI separator, the range of allowed assigned KSIs will be reduced. FIG. 7 illustrates an alternative example of an initialization KSI setting, a possible assigned KSIs setting and some allocation examples of assigned KSIs according to some embodiments of the present disclosure.
[146] As shown in FIG. 7, in this example, assume that the initialization KSI equals 0x5E0203, that is, BASE KSI is 0x5E, Max Kp is 02, and Max KSI is 03. So, it can be derived that a maximum of 2 parent keys and a maximum of 3 assigned KSIs are allowed. Although FIG. 7 shows the range of possible assigned KSIs includes 6 assigned KSIs, only 3 assigned KSIs from the range can be used as defined by Max KSI. SKMF may allocate at most 3 assigned KSIs to NFs. In FIG. 7, four examples of the allocated assigned KSIs are also shown.
[147] Example 1 shows that all 3 assigned KSIs are associated with the parent key identified by 0x5E01, i.e., in this case, only a single parent key is used to secure all NAS connections. Example 2 shows that all 3 assigned KSIs are associated with the parent key identified by 0x5E02. Example 3 shows that the 3 assigned KSIs are assigned with 2 different parent keys, where 2 assigned KSIs are associated with the parent key identified by 0x5E01 and 1 assigned KSI is associated with the parent key identified by 0x5E02. In this case, 2 NAS connections are secured by the parent key identified by 0x5E01 and 1 NAS connection is secured by the parent key identified by 0x5E02. Example 4 shows that 1 assigned KSI is assigned with the parent key identified by 0x5E01 and 2 assigned KSIs are assigned with the parent key identified by 0x5E02.
[148] More details of the example embodiments in accordance with the present disclosure will be described with reference to FIG. 8 to FIG. 10.
[149] FIG. 8 is a flow chart depicting a method 800 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure. The method 800 may be performed by a terminal device such as a UE for handling security of multiple NAS connections in the distributed NAS connection terminations architecture. In the distributed NAS connection terminations architecture, the UE may have multiple NAS connections with multiple network function entities. In the figure, optional steps are shown in dashed boxes.
[150] As shown in FIG. 8, during an AKA procedure with a first network function entity (i.e., a network function entity configured to implement SKMF as mentioned above, which is also referred to as SKMF entity and can be used interchangeably with SKMF herein), the terminal device receives an initialization KSI from the SKMF entity, at block 810.
[151] In some embodiments, the initialization KSI may comprise a base key set identifier (i.e., Base KSI) which is a random number, a maximum number of parent keys (i.e., Max Kp), and a maximum number of assigned key set identifiers (i.e., Max KSI). In some embodiments, the maximum number of assigned key set identifiers may be defined per parent key or globally, i.e., across all the parent keys. The details of the initialization KSI have been provided above, and will be omitted here.
[152] In some embodiments, the initialization KSI may be received in a NAS authentication message from the SKMF entity. Depending on the type of the AKA procedure, the NAS authentication message may be different. In an embodiment, the NAS authentication message may be a NAS authentication request message, for a 5G/EAP AKA procedure. Alternatively, the NAS authentication message may be a NAS authentication result message, for an EAP AKA procedure.
[153] Upon receipt of the initialization KSI, the terminal device generates a set of allowed assigned KSIs, based on the initialization KSI, at block 820. In some embodiments, the assigned KSI may comprise a base key set identifier (i.e., Base KSI) which is same as the base key set identifier of the initialization KSI, a parent key separator (i.e., Kp separator) which indicates a value ranging from 1 to the maximum number of parent keys in the initialization KSI, and an assigned KSI separator (i.e., KSI separator) which indicates a value ranging from 1 to the maximum number of assigned KSIs in the initialization KSI. In some embodiments, the base key set identifier concatenated with the parent key separator in the assigned KSI may form a parent key identifier.
[154] Further, in some embodiments, at block 830, the terminal device may derive a set of parent keys from the initialization KSI during the AKA procedure, and each of the set of parent keys is associated with a parent key identifier. In some embodiments, the parent key may be derived by a KDF based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys (i.e., the parent key identifiers), along with other information such as the anchor key, SUPI, and ABBA. Each of the generated parent keys may be assigned or associated with a parent key identifier and can be identified by the parent key identifier.
[155] Further, in some embodiments, at block 840, the terminal device may receive, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS SMC message comprising an assigned KSI for the NAS connection and a temporary identifier (e.g. XX-GUTI/TMP-XX-GUTI) assigned by the second network function entity to the NAS connection, in a NAS SMC procedure for establishing a secure NAS connection. In some embodiments, the second network function entity may be any network function entity that is defined as a part of the 3GPP Mobile Core Network, such as a mobility management NF entity, a session management NF entity, or a policy management NF entity, etc. Then at block 850, the terminal device may identify a parent key identifier from the received assigned KSI, and identify, from the set of parent keys derived at block 830, a parent key based on the parent key identifier. The terminal device may also check whether the received assigned KSI is available in the set of assigned KSIs. Then the terminal device may perform a security check on the received NAS SMC message using the identified parent key, at block 860. Specifically, the terminal device may derive NAS keys from the parent key and integrity check the NAS SMC message using the NAS keys. At block 870, the terminal device may generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned KSI. The NAS security context may include the assigned KSI, the parent key, the NAS keys, capabilities of the terminal device (also referred to as UE capabilities), NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN identifier. Then at block 880, the terminal device may send, to the second network function entity, a NAS security mode complete message secured with the NAS security context. Further, the terminal device may mark the assigned KSI as in use in the set of allowed assigned KSIs, and mark the assigned KSI as available once it is freed up.
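The parent key derivation of paragraphs [106] to [108], the SKMF allocation of assigned KSIs in Scenario 1 and in the FIG. 7 alternative (global Max KSI), and the UE-side handling of a NAS SMC message in method 800 above, as one added Python example that is not the patent's own code. Assumptions: Base KSI, Max Kp, Max KSI and both separators are one-byte fields; HMAC-SHA-256 stands in for the unspecified KDF; the SMC integrity tag and the "NAS-int" label are constructed for illustration only.

```python
"""Added example (not the patent's own code): parent key derivation, SKMF
allocation of assigned KSIs, and UE handling of a NAS SMC message.
Assumptions: Base KSI, Max Kp, Max KSI and the separators are one-byte fields;
HMAC-SHA-256 stands in for the KDF; the SMC integrity tag is a toy MAC."""
import hashlib
import hmac


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parameters (assumed KDF)."""
    s = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def split_init_ksi(init_ksi: int) -> tuple[int, int, int]:
    """Initialization KSI 0x5E0203 -> (Base KSI 0x5E, Max Kp 2, Max KSI 3)."""
    return init_ksi >> 16, (init_ksi >> 8) & 0xFF, init_ksi & 0xFF


def allowed_assigned_ksis(init_ksi: int) -> list[int]:
    """All Base KSI || Kp separator || KSI separator values the init KSI permits."""
    base, max_kp, max_ksi = split_init_ksi(init_ksi)
    return [(base << 16) | (kp << 8) | k
            for kp in range(1, max_kp + 1) for k in range(1, max_ksi + 1)]


def parent_key_id(assigned_ksi: int) -> int:
    """Base KSI || Kp separator, e.g. 0x5E0102 -> 0x5E01."""
    return assigned_ksi >> 8


def derive_parent_keys(anchor_key: bytes, supi: str, abba: bytes,
                       init_ksi: int) -> dict[int, bytes]:
    """Kp-i = KDF(Anchor Key, SUPI, ABBA, Base KSI || i), keyed by parent key identifier."""
    base, max_kp, _ = split_init_ksi(init_ksi)
    return {(base << 8) | i: kdf(anchor_key, supi.encode(), abba, bytes([base, i]))
            for i in range(1, max_kp + 1)}


def nas_smc_mac(parent_key: bytes, assigned_ksi: int, body: bytes) -> bytes:
    """Toy integrity tag: K_NASint from the parent key, MAC over assigned KSI || body."""
    k_int = kdf(parent_key, b"NAS-int")
    return hmac.new(k_int, assigned_ksi.to_bytes(3, "big") + body, hashlib.sha256).digest()[:4]


class SKMF:
    """Tracks assigned KSIs as available/in-use; global_max=True gives the
    FIG. 7 reading of Max KSI (a cap across all parent keys)."""

    def __init__(self, init_ksi, anchor_key, supi, abba, global_max=False):
        self.max_ksi = split_init_ksi(init_ksi)[2]
        self.global_max = global_max
        self.parent_keys = derive_parent_keys(anchor_key, supi, abba, init_ksi)
        self.state = {k: "available" for k in allowed_assigned_ksis(init_ksi)}

    def allocate(self, kp_id: int):
        """(assigned KSI, parent key) for an NF requesting kp_id, or None if exhausted."""
        in_use = sum(1 for s in self.state.values() if s == "in-use")
        if self.global_max and in_use >= self.max_ksi:
            return None                       # global cap reached: wait for a release
        for ksi, state in self.state.items():  # any available KSI under kp_id will do
            if state == "available" and parent_key_id(ksi) == kp_id:
                self.state[ksi] = "in-use"
                return ksi, self.parent_keys[kp_id]
        return None                           # Max KSI per parent key reached

    def release(self, assigned_ksi: int) -> None:
        self.state[assigned_ksi] = "available"


class UE:
    """UE side of FIG. 8: allowed set and parent keys from the init KSI, then
    per-connection NAS security contexts identified by assigned KSI."""

    def __init__(self, init_ksi, anchor_key, supi, abba):
        self.allowed = set(allowed_assigned_ksis(init_ksi))
        self.parent_keys = derive_parent_keys(anchor_key, supi, abba, init_ksi)
        self.contexts = {}  # assigned KSI -> NAS security context

    def handle_smc(self, assigned_ksi: int, tmp_guti: str, body: bytes, mac: bytes) -> bool:
        """Return True and store a context if the SMC is allowed and integrity-checks."""
        if assigned_ksi not in self.allowed or assigned_ksi in self.contexts:
            return False                      # outside init KSI range, or already in use
        kp = self.parent_keys.get(parent_key_id(assigned_ksi))
        if kp is None or not hmac.compare_digest(nas_smc_mac(kp, assigned_ksi, body), mac):
            return False                      # integrity check with the identified Kp failed
        self.contexts[assigned_ksi] = {"parent_key_id": parent_key_id(assigned_ksi),
                                       "tmp_guti": tmp_guti, "k_int": kdf(kp, b"NAS-int")}
        return True
```

With initialization KSI 0x5E0203 the per-parent-key mode yields the six assigned KSIs of Scenario 1, while the same values under `global_max=True` stop after three allocations, as FIG. 7 describes.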
[156] Further, in some embodiments, to optimize signaling, NAS messages may be piggybacked in a NAS security mode command message sent to the terminal device. The NAS security mode command message may contain a NAS Container. The NAS Container may carry other NAS message(s) and/or parameter(s). The NAS Container is ciphered and the whole NAS security mode command message is integrity protected. Thus, the terminal device uses the assigned KSI in the NAS SMC message to identify the parent key which is used to perform integrity checks on the whole NAS security mode command message and ciphering checks on the NAS Container.
[157] Alternatively, in some embodiments, the terminal device may derive a parent key upon receipt of a specific assigned KSI in a NAS SMC procedure. In some embodiments, the terminal device may receive, from the second network function entity, an integrity protected NAS SMC message comprising an assigned KSI for the NAS connection and a temporary identifier (e.g. XX-GUTI/TMP-XX-GUTI) assigned by the second network function entity to the NAS connection. Then the terminal device may identify a parent key identifier from the received assigned KSI and derive a parent key based on the assigned KSI in the NAS SMC message. The KDF is used to derive the parent key based on the identified parent key identifier along with the anchor key, SUPI and ABBA. The derived parent key may be assigned or associated with the parent key identifier and may be identified by the parent key identifier. Then the terminal device may perform a security check on the received NAS SMC message using the derived parent key. After the successful check, the terminal device may generate and store the NAS security context for the NAS connection, and the NAS security context is identified by the assigned KSI. Then the terminal device may send, to the second network function entity, a NAS security mode complete message secured with the NAS security context. Also, the terminal device may mark the assigned KSI as in use.
[158] Additionally, in some embodiments, upon establishment of the secure NAS connection, the terminal device may receive, from the second network function entity, a secured NAS message comprising an assigned KSI and a temporary identifier (i.e., XX-GUTI) associated with the NAS connection. In some embodiments, there is a one-to-one relationship between the assigned KSI and the temporary identifier. Then the terminal device may maintain context information that links the temporary identifier and the assigned KSI. Thus, the subsequent secured NAS message from the second network function entity may include only the assigned KSI.
[159] Additionally, in some embodiments, the terminal device may send, to the second network function entity, a NAS message secured with the NAS security context identified by the assigned KSI for the NAS connection, wherein the secured NAS message comprises the assigned KSI. The assigned KSI identifies the NAS security context in use. The terminal device may also provide the received temporary identifier (e.g. XX-GUTI) or a shortened version of the received temporary identifier (e.g. XX-S-TMSI) to a lower layer (e.g. RRC layer) to enable an access node serving the terminal device to route the secured NAS message to the second network function entity.
[160] Additionally, in some embodiments, the assigned KSI may be contained in all secured NAS messages towards the terminal device on the NAS connection, and the assigned KSI is integrity protected but not encrypted in the secured NAS messages.
[161] Additionally, in some embodiments, in the case that the second network function entity is a mobility management network function entity, the terminal device may receive a NAS authentication message comprising a temporary identifier (e.g. XX-GUTI) associated with the NAS connection along with the initialization KSI.
[162] Although the operations of the terminal device are described in detail taking one NAS connection with the second network function entity as an example, the above operations are also applicable to multiple NAS connections with multiple network function entities. All NAS security contexts associated with NAS connections are per PLMN and per access type, i.e., 3GPP and non-3GPP access.
[163] FIG. 9 is a flow chart depicting a method 900 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure. The method 900 may be performed by the SKMF entity. In the figure, optional steps are shown in dashed boxes.
[164] As shown in FIG. 9, during an AKA procedure with a terminal device (e.g. UE), the SKMF entity may generate an initialization KSI, at block 910. The details of the initialization KSI have been presented in the above description, and will be omitted here.
[165] At block 920, the SKMF entity derives a set of allowed assigned KSIs and a set of parent keys, based on the initialization KSI, wherein each of the set of parent keys is assigned or associated with a parent key identifier. With respect to the assigned KSI, the parent key, the parent key identifier and the derivation of the parent keys, the details have been presented in the above description, and will be omitted here.
[166] Then, at block 930, the SKMF entity sends the initialization KSI to the terminal device. In some embodiments, the initialization key set identifier may be sent in a NAS authentication request message (for a 5G/EAP AKA procedure) or a NAS authentication result message (for an EAP AKA procedure), depending on whether the AKA procedure is the 5G/EAP AKA procedure or the EAP AKA procedure. Upon receipt of the initialization KSI, the terminal device may perform the operations described above in conjunction with FIG. 8.
[167] Additionally, in some embodiments, at block 940, the SKMF entity may receive, from a second network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity. The request may be received over an SBI via which the SKMF entity may expose its services to the second NF entity and other NF entities. In some embodiments, the second NF entity may be any network function entity that is defined as a part of the 3GPP Mobile Core Network, such as a mobility management NF entity, a session management NF entity, or a policy management NF entity, etc.
[168] Then, at block 950, the SKMF entity may select an assigned KSI from the set of allowed assigned KSIs, and mark the selected assigned KSI as in use. Once the assigned KSI is freed up, the SKMF entity will mark it as available. In some embodiments, the selection may be performed on the assigned KSIs marked as available in the set of allowed assigned KSIs. In some embodiments, the selection may be based on a predetermined/predefined policy in the SKMF entity. Such a policy may be based on at least one of the following factors: a network slice to which the NAS connection belongs, a type of the second network function entity, a network function set identifier, or a PLMN identifier. It will be appreciated that other factors may be used to determine or define the policy.
[169] Then, at block 960, the SKMF entity may identify a parent key identifier from the selected assigned KSI, and identify a parent key from the set of parent keys based on the parent key identifier. Then the SKMF entity may send the selected assigned KSI and the parent key to the second network function entity, e.g. via SBI, at block 970. In some embodiments, the assigned key set identifier and the parent key may be sent in a service based interface message to the second network function entity. Depending on the type of the second network function entity, the service based interface message may vary. For example, for the mobility management network function entity, the service based interface message is an authentication response, and for the session management network function entity, the service based interface message is a key response.
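As an added example (not code from the patent), the following Python model covers the SKMF-side derivation and allocation of parent keys and assigned KSIs (blocks 920 to 970) together with the terminal device side of paragraph [157], where the parent key is derived from the assigned KSI and used to check the NAS SMC message. Assumed rather than taken from the page: HMAC-SHA256 as the KDF, an assigned KSI encoded as (parent key identifier, slot), and the constructed anchor key, SUPI and ABBA values.

```python
"""Added example, not code from the patent: SKMF-side derivation/allocation of
parent keys and assigned KSIs, and UE-side parent key derivation plus NAS SMC
integrity check. Assumed here: HMAC-SHA256 as the KDF, an assigned KSI encoded
as (parent key identifier, slot), constructed anchor key / SUPI / ABBA values."""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Set, Tuple

AssignedKSI = Tuple[int, int]  # (parent key identifier, slot): assumed encoding

# Constructed sample values shared by the SIM on the UE and the SKMF after AKA.
ANCHOR_KEY = hashlib.sha256(b"constructed anchor key, not a real one").digest()
SUPI = b"imsi-001010123456789"  # constructed sample SUPI
ABBA = b"\x00\x00"


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed inputs (not the 3GPP KDF)."""
    data = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_parent_key(pk_id: int) -> bytes:
    """Parent key from its identifier together with the anchor key, SUPI and ABBA,
    the inputs the text names; both the SKMF and the UE compute it this way."""
    return kdf(ANCHOR_KEY, b"parent-key", SUPI, ABBA, bytes([pk_id]))


def nas_mac(parent_key: bytes, message: bytes) -> bytes:
    """NAS integrity key derived from the parent key, then a 32-bit MAC."""
    return hmac.new(kdf(parent_key, b"NAS-int"), message, hashlib.sha256).digest()[:4]


class SKMF:
    """Allowed assigned-KSI set and parent keys for one UE and one AKA run."""

    def __init__(self, num_parent_keys: int, slots_per_key: int) -> None:
        # The initialization KSI is modelled as the two set sizes (assumption).
        self.parent_keys = {i: derive_parent_key(i) for i in range(num_parent_keys)}
        # None = available; otherwise the name of the NF the KSI is in use by.
        self.in_use: Dict[AssignedKSI, Optional[str]] = {
            (i, s): None for i in range(num_parent_keys) for s in range(slots_per_key)
        }
        self.provided_to: List[str] = []  # NFs given a KSI and parent key ([170])

    def request(self, nf_name: str, nf_type: str,
                policy: Callable[[str], int]) -> Tuple[AssignedKSI, bytes]:
        """Blocks 950-970: choose an available KSI under the policy, mark it in
        use, identify the parent key from the KSI and return both to the NF."""
        pk_id = policy(nf_type)
        for ksi, holder in self.in_use.items():
            if ksi[0] == pk_id and holder is None:
                self.in_use[ksi] = nf_name
                self.provided_to.append(nf_name)
                return ksi, self.parent_keys[ksi[0]]
        raise RuntimeError(f"no available assigned KSI for parent key {pk_id}")

    def release(self, ksi: AssignedKSI) -> None:
        """A freed-up KSI is marked available again."""
        self.in_use[ksi] = None


class UE:
    """Terminal device side: derives the parent key named by an assigned KSI."""

    def __init__(self, num_parent_keys: int, slots_per_key: int) -> None:
        self.allowed: Set[AssignedKSI] = {
            (i, s) for i in range(num_parent_keys) for s in range(slots_per_key)
        }
        self.contexts: Dict[AssignedKSI, bytes] = {}  # assigned KSI -> parent key

    def on_nas_smc(self, ksi: AssignedKSI, smc_body: bytes, mac: bytes) -> bool:
        """Paragraph [157]: derive the parent key from the assigned KSI, check the
        SMC integrity, and only then store the NAS security context under the KSI."""
        if ksi not in self.allowed:  # not derivable from the initialization KSI
            return False
        parent_key = derive_parent_key(ksi[0])
        if not hmac.compare_digest(nas_mac(parent_key, smc_body), mac):
            return False
        self.contexts[ksi] = parent_key
        return True


# Allocation policies from paragraph [189]: one common parent key for all NAS
# connections, or a dedicated parent key per NF type (constructed mapping).
def common_parent_key(nf_type: str) -> int:
    return 0


def dedicated_parent_key(nf_type: str) -> int:
    return {"MM": 0, "SM": 1}[nf_type]


def run_smc(skmf: SKMF, ue: UE, nf_name: str, nf_type: str,
            policy: Callable[[str], int]) -> Tuple[AssignedKSI, bool]:
    """One NF obtains a KSI and parent key from the SKMF and runs a NAS SMC with
    the UE; the KSI travels in clear but under the SMC message's MAC."""
    ksi, parent_key = skmf.request(nf_name, nf_type, policy)
    body = b"NAS SMC " + bytes(ksi)
    return ksi, ue.on_nas_smc(ksi, body, nas_mac(parent_key, body))
```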
[170] Additionally, in some embodiments, the SKMF entity may maintain a list of network function entities to which the assigned KSI and the parent key are provided. Thus, when a new AKA procedure runs to generate new assigned KSIs and new parent keys, the SKMF entity may notify the NF entities in the list, which will be described later.
[171] Additionally, in some embodiments, the SKMF entity may receive, from a mobility management NF entity, an authentication request to trigger the AKA procedure, which will be described later.
[172] Additionally, in some embodiments, the SKMF entity may be a standalone entity, or may be combined with another network function entity, e.g. a mobility management network function entity.
[173] FIG. 10 is a flow chart depicting a method 1000 for security in the distributed NAS connection terminations architecture according to some embodiments of the present disclosure. The method 1000 may be performed by a second network function entity configured to implement a network function. The second network function entity may be any network function entity that is defined as a part of a 3GPP Mobile Core Network, such as a mobility management NF entity, or a session management NF entity, or a policy management NF entity, etc.
[174] As shown in FIG. 10, the second NF entity sends, to the SKMF entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second NF entity, at block 1010. The request may be sent to the SKMF entity via SBI.
[175] At block 1020, the second NF entity receives an assigned KSI and a parent key from the SKMF entity. The assigned KSI is one of a set of allowed assigned KSIs derived by the SKMF entity from an initialization KSI, and the parent key is associated with the assigned KSI and is one of a set of parent keys derived by the SKMF from the initialization KSI. In some embodiments, the assigned KSI and the parent key may be received in a service based interface message via the SBI. Depending on the type of the second network function entity, the service based interface message may vary. For example, for the mobility management network function entity, the service based interface message is an authentication response, and for the session management network function entity, the service based interface message is a key response. With respect to the initialization KSI, the assigned KSI, the parent key, and the derivation of the parent key, their details have been presented in the above description, and will be omitted here.
[176] Upon receipt of the assigned KSI and the parent key, the second NF entity generates and stores a NAS security context for the NAS connection, at block 1030. The NAS security context is identified by the assigned KSI received. In some embodiments, the second NF entity may derive NAS keys from the received parent key, and create the NAS security context including the assigned KSI, the parent key, the NAS keys, UE capabilities, NAS algorithm identifiers, NAS counts, NAS connection identifier and PLMN identifier.
[177] Additionally, in some embodiments, the second NF entity may send, to a terminal device terminating the NAS connection, a NAS SMC message to initiate a NAS SMC procedure to establish a secure NAS connection, at block 1040. The NAS SMC message may comprise the assigned KSI for the NAS connection received at block 1020 and a temporary identifier (e.g. XX-GUTI) assigned to the NAS connection, and may be integrity protected using the NAS security context identified by the assigned KSI. Upon receipt of the NAS SMC message, the terminal device will perform the operations described above in conjunction with FIG. 8. Then, at block 1050, the second NF entity receives a secured NAS security mode complete message from the terminal device, and performs a security check of the secured NAS security mode complete message using the stored NAS security context identified by the assigned KSI for the NAS connection, at block 1060.
[178] Further in some embodiments, to optimize signaling, the NAS SMC message may include a NAS Container carrying another NAS message. The NAS Container is ciphered with the NAS keys in the NAS security context.
[179] Upon the establishment of the secure NAS connection with the terminal device, the second NF entity may send, to the terminal device, a NAS message secured with the NAS security context identified by the assigned KSI for the NAS connection. This secured NAS message may include the assigned key set identifier and a temporary context identifier (e.g., the XX-GUTI mentioned above) associated with the NAS connection. The second NF entity may maintain context information that links the temporary context identifier and the assigned KSI. Then the subsequent NAS messages sent to the terminal device may include only the assigned KSI.
[180] Further, in some embodiments, the assigned KSI for the NAS connection may be contained in all secured NAS messages towards the terminal device on the NAS connection, and the assigned KSI is integrity protected but not encrypted in the secured NAS messages.
[181] Additionally, in some embodiments, the secured NAS message towards the second NF entity may or may not include an assigned KSI. In the case that the secured NAS message does not include the assigned KSI, the second NF may determine the assigned KSI for the NAS connection based on a connection identifier provided by the access node serving the terminal device, which will be described later.
[182] Additionally, in some embodiments, in the case that the second NF entity is a mobility management NF entity, the second NF entity may send an authentication request to the SKMF entity to trigger the AKA procedure.
[183] Further, in some embodiments, the mobility management NF entity may send to the terminal device, a NAS authentication message comprising a temporary identifier (e.g. XX-GUTI) associated with the NAS connection along with the initialization KSI.
[184] Further, in some embodiments, the mobility management NF entity may discover and select an appropriate network function entity upon receipt of a non-MM initial NAS message.
[185] Further, in some embodiments, after the secured NAS connection with the terminal device is established, the mobility management NF entity may send a request for allocation of access stratum (AS) resources and provide AS keying material to an access node serving the terminal device.
[186] Additionally, in some embodiments, during establishment of a NAS connection with the terminal device, the second NF entity may send a first temporary identifier, e.g. the above-described UE-NF ID, to the access node serving the terminal device. The first temporary identifier uniquely identifies first context information of the terminal device in the second NF entity on a first connection between the access node and the second NF (i.e., the AN-NF connection), and the first context information is associated with the assigned KSI for the NAS connection and with a temporary identifier (e.g. XX-GUTI) associated with the NAS connection. The second NF entity may also receive from the access node a second temporary identifier, e.g. the above-described UE-AN ID. The second temporary identifier uniquely identifies second context information of the terminal device in the access node on the first connection, and the second context information is associated with a second connection between the terminal device and the access node (i.e., the UE-AN connection, e.g. RRC connection). Thus, the first connection, i.e., the AN-NF connection, can be identified by a combination of the first temporary identifier and the second temporary identifier, which forms a connection identifier of the AN-NF connection.
[187] Further in some embodiments, the second NF entity may receive, from the access node, a message including a secured NAS message and the connection identifier. The secured NAS message may not include an assigned KSI. As the connection identifier is associated with the assigned KSI, the second NF may determine the assigned KSI based on the connection identifier.
[188] Additionally, in some embodiments, before sending a NAS message to the terminal device, the second NF entity may establish the first connection between the second NF entity and the access node using the second temporary identifier.
[189] The above-described various embodiments of the present disclosure provide a simple, flexible, scalable, secure and network managed solution to secure multiple NAS connections in the distributed NAS connection terminations architecture. The proposed solution leverages, extends and improves the existing NAS security mechanisms with new parameters and procedures, and it is agnostic to the Access Stratum. In the proposed solution, the same NAS parent key can be used in a flexible manner, e.g., only for one NAS connection, or across all NAS connections or a subset of the NAS connections. Each NAS connection can have its own assigned KSI irrespective of whether the parent key is dedicated or shared across the NAS connections. Moreover, the maximum numbers of parent keys and/or assigned KSIs can be adjusted dynamically on a per-AKA-run basis by the SKMF entity to accommodate the need for multiple parent keys and multiple NAS connections. Further, the derivation of the anchor key and the parent keys is restricted to the SKMF in a secured network location and the SIM on the UE, and the transmission of the parent keys within the communication network is over secured links using mutual TLS. In addition, the derivation and allocation of the parent keys and KSIs are network controlled, and hence the network operator can decide whether to use a common parent key, or dedicated parent keys, or a combination thereof to secure multiple NAS connections.
[190] FIG. 11 is a call flow diagram depicting an initial NAS registration procedure according to some embodiments of the present disclosure. For the sake of simplicity and clarity, only operations involving the improvements of the procedure will be discussed.
[191] At operation 1, a UE initiates a Registration Request with a selected communication network, and sends an Initial NAS MM Message (e.g. NAS MM Registration Request) in the clear, i.e. not security protected, with the minimum mandatory Information Elements (e.g., Subscription Concealed Identifier (SUCI) or MM-S-TMSI if available, UE security capabilities, assigned KSI indicating whether a NAS security context is available or not). The UE also provides network slice information and/or MM-GUTI/MM-S-TMSI to the lower layers (e.g. RRC layer) to enable the (R)AN to perform load balancing, discovery and selection of a suitable NF entity to which this NAS message is to be sent. Details of this NF selection mechanism are defined in 3GPP 23.501 V18.0.0 as part of AMF selection. In this example call flow, assume NF#1(MM) is selected.
[192] At operation 2, based on the received NAS Registration Request, NF#1 determines that UE authentication is required, because, for example, a SUCI is received and/or the assigned KSI indicates that a valid assigned KSI does not exist. Then, NF#1 sends an Authentication Request to the SKMF which includes the SUCI and the service node (SN) ID.
[193] At operation 3, in response to receiving the Authentication Request, the SKMF triggers a primary AKA procedure. During the AKA procedure, the UE receives and stores an initialization KSI provided by the SKMF. The SKMF provides the initialization KSI and ABBA in the NAS Authentication Request to the UE for both 5G AKA and EAP AKA procedures. For the EAP AKA procedure, the SKMF may send a NAS Authentication Result to the UE which contains the initialization KSI and ABBA. Then the UE stores the received initialization KSI. NF#1 includes a temporary GUTI (TMP-GUTI) in the NAS Authentication Request to the UE. The UE subsequently provides the TMP-GUTI/TMP-S-TMSI to the lower layers (e.g. RRC layer) to assist the (R)AN in routing the NAS Authentication Response back to NF#1. The TMP-GUTI/TMP-S-TMSI contains the GUAMI of NF#1 and a random number for the TMSI. NF#1 and the (R)AN exchange UE context identifiers (i.e., UE-AN ID and UE-NF ID) to enable identification of the UE context and communication between the (R)AN and NF#1.
[194] At operation 4, SKMF configures an assigned KSI (KSI-1) and identifies the associated parent key (Kp-1), and returns this assigned KSI along with the parent key to NF#1 in an Authentication Response.
[195] At operation 5, NF#1 creates a NAS security context which contains the assigned KSI KSI-1, the parent key Kp-1 and other security parameters, and sends a NAS SMC Command message to the UE containing TMP-GUTI, the assigned KSI KSI-1 and other 3GPP defined NAS SMC parameters. The TMP-GUTI and KSI-1 are integrity protected only. The TMP-GUTI/TMP-S-TMSI is used to assist in routing a NAS SMC Complete message back to NF#1.
[196] At operation 6, based on the assigned KSI, KSI-1, received in the NAS SMC Command message, the UE checks if the parent key associated with the assigned KSI is the same as the parent key that the UE has derived from the latest successful AKA run. If the check is successful, it means that both the UE and NF#1 have the same parent key Kp-1. The UE then uses Kp-1 to derive NAS keys, integrity checks the NAS SMC Command message, creates a NAS security context containing KSI-1, Kp-1, plus other security parameters, provides the TMP-GUTI/TMP-S-TMSI to the lower layers (e.g. RRC layer), and sends a NAS SMC Complete message which is integrity and confidentiality protected to NF#1. NF#1 checks integrity and confidentiality of the NAS SMC Complete message to complete the setup of the secure NAS Connection. The NAS security context for this NAS connection between the UE and NF#1 is now uniquely identified by the assigned KSI KSI-1.
[197] At operation 7, NF#1 triggers a request for allocation of Access Stratum (e.g. RAN) resources and provides AS security material which enables the establishment of Access Stratum security (including integrity and confidentiality).
[198] At operation 8, NF#1 processes the Initial NAS Registration Request and responds by sending a secured NAS message containing the assigned KSI KSI-1 and a NAS Registration Response message which includes a UE Temporary Context Identifier (MM-GUTI) for this NAS connection. The MM-GUTI uniquely identifies a UE MM context within NF#1 and includes the NF set to which NF#1 belongs along with NF#1 pointer information. The UE MM context contains, among other information, the NAS security context for MM NAS connections of the UE. The assigned KSI KSI-1 is integrity protected only to enable the UE to identify the NAS security context associated with the secured NAS message.
[199] At operation 9, since the UE is assigned a new MM-GUTI/MM-S-TMSI, it sends in a secured NAS message a NAS Registration Complete to acknowledge receipt of the MM-GUTI. The NAS security context identified by the assigned KSI KSI-1 is used to apply security (including integrity/confidentiality) to the contents of the secured NAS message. The UE provides the MM-GUTI/MM-S-TMSI to the lower layers to enable the Access Stratum to route the secured NAS message back to NF#1. NF#1 uses its stored NAS security context identified by the assigned KSI KSI-1 to perform security checks on the received secured NAS message.
[200] Subsequent secured NAS messages sent from NF#1 to the UE shall contain the assigned KSI KSI-1 integrity protected. Subsequent secured NAS messages sent from the UE to NF#1 contain the assigned KSI KSI-1. The UE provides the lower layers with the MM-GUTI/MM-S-TMSI to enable routing to NF#1. All NAS messages exchanged between the UE and NF#1 are secured using the NAS security context in the UE and NF#1 identified by the assigned KSI KSI-1.
[201] FIG. 12 is a call flow diagram depicting an initial NAS session management request procedure according to some embodiments of the present disclosure. For the sake of simplicity and clarity, only operations involving the improvements of the procedure will be discussed.
[202] In this scenario, the UE has already successfully registered with the network, established a NAS security context and received a NAS temporary identifier (MM-GUTI/MM-S-TMSI) from NF#1.
[203] At operation 1, the UE is authenticated and registered with the network, and a UE NAS MM context (identified by MM-GUTI/MM-S-TMSI) and a NAS security context identified by the assigned KSI KSI-1 have been established between the UE and NF#1. If the UE is in Idle mode, the UE sends a NAS MM Service Request (containing MM-S-TMSI, the assigned KSI, UE Capabilities) which re-establishes the secured NAS connection between the UE and NF#1.
[204] At operation 2, the UE initiates the establishment of a PDU session using a NAS session management (SM) procedure. The UE sends a secured NAS message containing the NAS SM message (NAS PDU Session Establishment Request), and provides the MM-GUTI/MM-S-TMSI to lower layers to assist (R)AN in routing the secured NAS message to NF#1. This NAS SM message is secured by the NAS security context identified by the assigned KSI KSI-1 established earlier between UE and NF#1.
[205] At operation 3, NF#1 performs a security check on the received secured NAS message using its NAS security context identified by the assigned KSI KSI-1, extracts the NAS SM message, and discovers and selects a suitable NF (e.g. NF#2) for processing the NAS SM message, and forwards the NAS SM message with the MM-GUTI/MM-S-TMSI, SUPI, UE Capabilities and (R)AN UE context identifier to NF#2.
[206] At operation 4, NF#2 uses the SUPI to request and receive from the SKMF an assigned KSI (KSI-2) and the parent key (Kp-1).
[207] At operation 5, NF#2 creates a NAS security context identified by the assigned KSI KSI-2, which contains the assigned KSI KSI-2, the parent key Kp-1 and other security parameters, and sends a NAS SMC Command message to the UE containing a TMP-GUTI, the assigned KSI KSI-2 (integrity protected) and other 3GPP defined NAS SMC parameters. NF#2 uses the (R)AN UE context identifier (i.e., UE-AN ID) to identify and establish a communication link with the (R)AN and the (R)AN UE context via which the UE is connected to the (R)AN, in order to exchange NAS messages with the UE. NF#2 also provides its NF UE context identifier (UE-NF2 ID) to the (R)AN to enable the (R)AN to identify and communicate with the UE context held in NF#2.
[208] At operation 6, based on the assigned KSI, KSI-2, received in the NAS SMC Command message, the UE checks if the parent key associated with the assigned KSI is the same as the parent key that the UE has derived from the latest successful AKA run. If the check is successful, it means that both the UE and NF#2 have the same parent key Kp-1. The UE then uses Kp-1 to derive NAS keys, integrity checks the NAS SMC Command message, creates a NAS security context containing the assigned KSI KSI-2, the parent key Kp-1 plus other security parameters, provides the received TMP-GUTI/TMP-S-TMSI to the lower layers, and sends a NAS SMC Complete message, integrity and confidentiality protected, to NF#2. The (R)AN uses the TMP-GUTI/TMP-S-TMSI to identify the GUAMI and NF ID of NF#2, and forwards the secured NAS message to NF#2. NF#2 checks integrity and confidentiality of the NAS SMC Complete message to complete the setup of the secure NAS connection. The NAS security context for this NAS connection between the UE and NF#2 is now uniquely identified by the assigned KSI KSI-2.
[209] At operation 7, NF#2 sends a NAS SM message response with a SM-GUTI/SM-S-TMSI and the assigned KSI KSI-2 via NF#1 towards the UE. The SM-GUTI uniquely identifies the UE SM context in NF#2. The UE SM context contains, among other information, the NAS security context for SM NAS connections with the UE.
[210] At operation 8, NF#1 sends a secured NAS message to the UE which contains the NAS SM message response, SM-GUTI and the assigned KSI KSI-2 received from NF#2. The NAS security context identified by the assigned KSI KSI-1 is used by NF#1 to apply security to the secured NAS message, which will also contain the assigned KSI KSI-1 integrity protected. The UE uses the assigned KSI KSI-1 received in the secured NAS message to apply security checks to the received secured NAS message containing the NAS message, SM-GUTI and the assigned KSI KSI-2 provided by NF#2. The UE shall associate the received SM-GUTI with the assigned KSI KSI-2 which identifies the NAS security context established earlier between the UE and NF#2.
[211] Alternatively, at operation 5, NF#2 may send a NAS security mode command message piggybacking a NAS Container to the UE. The NAS container is populated with a NAS SM message response, i.e., NAS PDU Session Establishment Response. In this case, the TMP-GUTI in the NAS SMC message becomes the SM-GUTI that the UE will store and associate with the received assigned KSI KSI-2. The SM-GUTI uniquely identifies the UE SM context in NF#2. The UE SM context contains, among other information, the NAS security context for SM NAS connections with the UE. Thus, operations 7 and 8 can be skipped.
[212] At operation 9, subsequent NAS SM messages related to this NAS PDU session (e.g. Modify/Delete) are forwarded directly between the UE and NF#2, and secured using the NAS security context identified by the Assigned KSI KSI-2. The (R)AN forwards the secured NAS SM messages to NF#2 based on the SM-GUTI/SM-S-TMSI and NF#2 ID.
[213] Note that the above call flow is an illustration of a certain type of NAS container (which is, in this example, NAS SM), but the same call flow is also applicable for other types of NAS container, such as NAS location management, NAS policy management, NAS timing management, NAS sensing management, etc.
[214] The following will present some additional aspects/embodiments of the present disclosure.
[215] 1. Idle to Connected Mode Transitions
[216] If a UE in Idle mode triggers sending a NAS message to an NF entity, the information sent in the NAS message will depend on whether the UE already has a mobile temporary identifier and a NAS security context or not. A UE that has successfully registered with a network may have established multiple NAS connections, for instance a NAS MM connection, a NAS SM connection, a NAS XX connection and so on, and for each of these NAS connections, the UE has received from the network a temporary identifier and an assigned KSI. Subsequently, the UE may transition to Idle mode when the NAS connection is dropped; however, the UE and the network will maintain the mobile temporary identifiers and NAS security contexts.
[217] When the UE transitions to Connected mode, an initial NAS message sent after the transition for each of these previously established NAS connections shall carry information in cleartext to identify the serving NF, the NAS security context and the UE capabilities. That is, the initial NAS message for each NAS connection after the transition to Connected mode shall contain the temporary identifier, the assigned KSI and the UE capabilities in cleartext IEs. In addition, the initial NAS message may also contain a NAS container, which holds the complete initial NAS message. The cleartext IEs are integrity protected only, while the NAS container is both ciphered and integrity protected.
[218] As an example, if a UE has established a NAS MM connection with NF#1, and a NAS SM connection with NF#2 and a NAS XX connection with NF#n, and subsequently transitions to Idle mode and later transitions back to Connected mode, the initial NAS messages that the UE sends to these NFs (NF#1, NF#2 and NF#n) respectively shall contain the temporary identifier, the assigned KSI for the respective NAS connection and the UE capabilities. The order in which the initial NAS messages are sent shall be such that the initial MM NAS message is always sent first. FIG. 13 is a call flow diagram depicting UE Idle to Connected mode transitions according to some embodiments of the present disclosure.
[219] The handling of the initial NAS messages mentioned above shall be according to that described in 3GPP 33.501 V18.0.0 section 6.4.6 with the exception that the ngKSI is replaced by the assigned KSI. In addition, the AMF behavior equates to that of NF#1 (MM NF) here. If the security check by a NAS MM NF fails, e.g. due to an invalid NAS security context, it requests the SKMF to trigger an AKA procedure and establish a secure NAS connection with the UE as described earlier.
[220] For a non-MM NF, e.g. an SM NF or an XX NF, if the assigned KSI received is invalid, the non-MM NF shall trigger the establishment of a new NAS security context with the UE. The non-MM NF requests the SKMF for an assigned KSI and a parent key, and triggers a NAS SMC procedure with the UE to establish a new NAS security context. The NAS SMC Command requests the UE to re-send the initial NAS message in the NAS SMC Complete message.
[221] Thus, in some embodiments, the UE may send, upon transition from Idle mode to Connected mode, an Initial NAS message for a previously established NAS connection. The initial NAS message may comprise the assigned key set identifier for the previously established NAS connection, a temporary identifier (e.g. XX-GUTI) associated with the previously established NAS connection, and UE capabilities. Correspondingly, the NF entity may receive the initial NAS message for the previously established NAS connection terminated at this NF entity.
[222] 2. AKA Re-keying
[223] An MM NF entity may trigger a new AKA run by sending a request to SKMF which in turn executes the 5G/EAP AKA procedure to establish new parent keys and initialization KSI. The SKMF maintains a list of NFs to which it has provided the assigned KSI and parent key on a per UE basis, and sequentially notifies each listed NF, starting from the MM NF, with the new parent key and assigned KSI based on the latest successful AKA run.
[224] When an NF completes its NAS security context update, via a NAS SMC procedure, it informs the SKMF, which then notifies the next listed NF until all NFs on the list have been re-keyed. This approach avoids the scenario where all listed NFs try to re-key with the UE at the same time.
[225] Thus, in some embodiments, the SKMF may receive, from a mobility management network function entity, an authentication request to trigger an AKA procedure. Upon the generation of new initialization KSI and new parent keys in a new AKA procedure, the SKMF may sequentially notify each of NF entities to which the assigned KSI and the parent key have been provided, starting with the mobility management network function entity, of a new parent key and a new assigned KSI.
[226] In some embodiments, the second NF entity may receive from the SKMF a new assigned KSI and a new parent key for the NAS connection, and update the NAS security context for the NAS connection using the new assigned key set identifier and the new parent key. Then the second NF entity may inform the SKMF of the completion of the update.
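The re-keying sequence of [223] to [226], as an added example (not code from the disclosure): the SKMF keeps the per-UE ordered list of NFs it has supplied keys to, runs a new AKA, and hands out a new assigned KSI and parent key to one NF at a time, moving to the next only when the previous one reports its NAS SMC done. The assigned KSI layout (base KSI, parent key separator, assigned KSI separator) and the parent key derivation from base KSI concatenated with an index follow the structure the claims describe; the HMAC-SHA256 KDF, the abstraction of AKA key material as a root key, and all names are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class InitKsi:
    """Initialization KSI: random base KSI plus the two maxima (layout assumed)."""
    base: bytes
    max_parent_keys: int
    max_assigned: int   # assumed here to be defined per parent key


def derive_parent_key(aka_root: bytes, base_ksi: bytes, index: int) -> bytes:
    """Assumed KDF: parent key i = HMAC-SHA256(aka_root, base_ksi || i), 1 <= i <= max_parent_keys."""
    return hmac.new(aka_root, base_ksi + bytes([index]), hashlib.sha256).digest()


def assigned_ksi(init: InitKsi, parent_sep: int, assigned_sep: int) -> bytes:
    """Assigned KSI = base KSI || parent key separator || assigned KSI separator."""
    assert 1 <= parent_sep <= init.max_parent_keys and 1 <= assigned_sep <= init.max_assigned
    return init.base + bytes([parent_sep, assigned_sep])


class NF:
    """A NAS-terminating NF holding one NAS security context for one UE."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ctx = None   # (assigned KSI, parent key)

    def on_new_keys(self, ksi: bytes, parent_key: bytes, skmf: "SKMF") -> None:
        # The NAS SMC with the UE would run here; afterwards the NF reports completion
        self.ctx = (ksi, parent_key)
        skmf.rekey_complete(self)


class SKMF:
    def __init__(self, aka_root: bytes) -> None:
        self.aka_root = aka_root   # stands in for key material from an AKA run (assumed)
        self.init_ksi = None
        self.parent_keys = {}
        self.available = []        # allowed assigned KSIs not yet in use
        self.provided = []         # per-UE list of NFs given keys; the MM NF comes first
        self.pending = []
        self.log = []

    def run_aka(self, max_parent_keys: int = 2, max_assigned: int = 2, base: bytes = b"") -> InitKsi:
        self.aka_root = hashlib.sha256(self.aka_root).digest()   # fresh root per AKA run
        self.init_ksi = InitKsi(base or secrets.token_bytes(4), max_parent_keys, max_assigned)
        self.parent_keys = {p: derive_parent_key(self.aka_root, self.init_ksi.base, p)
                            for p in range(1, max_parent_keys + 1)}
        self.available = [(p, a) for p in range(1, max_parent_keys + 1)
                          for a in range(1, max_assigned + 1)]
        return self.init_ksi

    def _select(self):
        p, a = self.available.pop(0)   # mark the selected assigned KSI as in use
        return assigned_ksi(self.init_ksi, p, a), self.parent_keys[p]

    def provide(self, nf: NF) -> bytes:
        """Initial request from an NF for an assigned KSI and parent key."""
        ksi, pk = self._select()
        self.provided.append(nf)
        nf.ctx = (ksi, pk)
        return ksi

    def rekey(self) -> None:
        """New AKA run, then notify the listed NFs one at a time, MM NF first."""
        self.run_aka()
        self.pending = list(self.provided)
        self._notify_next()

    def _notify_next(self) -> None:
        if self.pending:
            nf = self.pending[0]
            self.log.append(f"notify:{nf.name}")
            ksi, pk = self._select()
            nf.on_new_keys(ksi, pk, self)

    def rekey_complete(self, nf: NF) -> None:
        assert self.pending and self.pending[0] is nf, "completion from an NF not yet notified"
        self.pending.pop(0)
        self.log.append(f"done:{nf.name}")
        self._notify_next()
```

The log produced by `rekey()` alternates notify and done entries, which is the property [224] is after: no NF is told about the new keys while another NF is still mid-SMC with the same UE.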
[227] 3. Access Stratum (AS) Key Handling
[228] AS key parameters are derived, distributed and managed by the MM NF entity in the same manner as done by the AMF, which has been described above.
[229] Now reference is made to FIG. 14 illustrating a simplified block diagram of an apparatus 1400 that may be embodied as the terminal device, or the first network function entity configured to implement SKMF, or the second network function entity. The apparatus 1400 may comprise at least one processor 1401, such as a data processor (DP), and at least one memory (MEM) 1402 coupled to the at least one processor 1401. The apparatus 1400 may further comprise a sending unit and a receiving unit 1403 coupled to the one or more processors 1401.
[230] The processors 1401 may be of any type suitable to the local technical environment, and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
[231] The MEM(s) 1402 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor-based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples.
[232] The MEM 1402 stores a program (PROG) 1404. The PROG 1404 may include instructions that, when executed on the associated processor 1401, enable the apparatus 1400 to operate in accordance with the embodiments of the present disclosure, for example to perform one of the methods 800, 900 and 1000 as shown in FIG. 8, FIG. 9 and FIG. 10. A combination of the at least one processor 1401 and the at least one MEM 1402 may form processing circuitry or means 1405 adapted to implement various embodiments of the present disclosure.
[233] Various embodiments of the present disclosure may be implemented by a computer program executable by one or more of the processors 1401, software, firmware, hardware or in a combination thereof.
[234] In general, the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto. While various aspects of the exemplary embodiments of this disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
[235] As such, it should be appreciated that at least some aspects of the exemplary embodiments of the disclosures may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this disclosure may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this disclosure.
[236] It should be appreciated that at least some aspects of the exemplary embodiments of the disclosures may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The computer executable instructions may be stored on a computer readable medium, for example, non-transitory computer readable medium, such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc. As will be appreciated by one of skills in the art, the function of the program modules may be combined or distributed as desired in various embodiments. In addition, the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.
[237] Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
[238] The present disclosure includes any novel feature or combination of features disclosed herein either explicitly or any generalization thereof. Various modifications and adaptations to the foregoing exemplary embodiments of this disclosure may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings. However, any and all modifications will still fall within the scope of the non-limiting and exemplary embodiments of this disclosure.
Claims
1. A terminal device, comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the terminal device at least to: during an authentication and key agreement (AKA) procedure with a first network function entity, receive an initialization key set identifier from the first network function entity; and generate a set of allowed assigned key set identifiers, based on the initialization key set identifier.
2. The terminal device according to claim 1, wherein the terminal device is further caused to derive a set of parent keys from the initialization key set identifier during the AKA procedure, wherein each derived parent key is associated with a parent key identifier.
3. The terminal device according to claim 2, wherein the terminal device is further caused to: receive, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS security mode command (SMC) message comprising an assigned key set identifier for the NAS connection and a temporary identifier assigned by the second network function entity to the NAS connection; identify a parent key identifier from the received assigned key set identifier; identify, from the set of parent keys, a parent key based on the parent key identifier; perform a security check on the received NAS SMC message using the identified parent key; generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier; and send, to the second network function entity, a NAS security mode complete message secured with the NAS security context.
4. The terminal device according to claim 1, wherein the terminal device is further caused to: receive, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS security mode command (SMC) message comprising an assigned key set identifier for the NAS connection and a temporary identifier assigned by the second network function entity to the NAS connection; identify a parent key identifier from the received assigned key set identifier; derive a parent key based on the assigned key set identifier in the NAS SMC message, the parent key being associated with the parent key identifier; perform a security check on the received NAS security mode command message using the derived parent key; generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier; and send, to the second network function entity, a NAS security mode complete message secured with the NAS security context.
5. The terminal device according to claim 3 or 4, wherein to generate the NAS security context for the NAS connection, the terminal device is caused to: derive NAS keys from the parent key; and create the NAS security context comprising the assigned key set identifier, the parent key, and the NAS keys.
6. The terminal device according to any of claims 3 to 5, wherein the NAS SMC message further comprises a ciphered NAS container carrying another NAS message.
7. The terminal device according to any of claims 3 to 6, wherein the terminal device is further caused to mark the assigned key set identifier as in use in the set of allowed assigned key set identifiers, and mark the assigned key set identifier as available once it is freed up.
8. The terminal device according to claim 7, wherein the terminal device is further caused to check, before identifying the parent key identifier, whether the assigned key set identifier received in the NAS SMC message is available in the set of allowed assigned key set identifiers.
9. The terminal device according to any of claims 3 to 8, wherein the terminal device is further caused to: receive, from the second network function entity, a secured NAS message comprising an assigned key set identifier and a temporary identifier associated with the NAS connection; and maintain context information that links the temporary identifier and the assigned key set identifier.
10. The terminal device according to claim 9, wherein the terminal device is further caused to send, to the second network function entity, a NAS message secured with the NAS security context identified by the assigned key set identifier for the NAS connection, and provide the received temporary identifier or a shortened version of the received temporary identifier to a lower layer to enable an access node serving the terminal device to route the secured NAS message to the second network function entity.
11. The terminal device according to any of claims 3 to 10, wherein the terminal device is further caused to send, upon the terminal device transitioning from Idle mode to Connected mode, an integrity protected Initial NAS message for a previously established NAS connection comprising an assigned key set identifier for the previously established NAS connection, a temporary identifier associated with the previously established NAS connection, and capabilities of the terminal device.
12. The terminal device according to any of claims 9 to 11, wherein the assigned key set identifier is contained in all secured NAS messages received by the terminal device on the NAS connection, and the assigned key set identifier is integrity protected but not encrypted in the secured NAS messages.
13. The terminal device according to any of claims 1 to 12, wherein the initialization key set identifier comprises a base key set identifier which is a random number, a maximum number of parent keys, and a maximum number of assigned key set identifiers.
14. The terminal device according to claim 13, wherein the maximum number of assigned key set identifiers is defined per parent key or globally.
15. The terminal device according to any of claims 13 to 14, wherein the assigned key set identifier comprises a base key set identifier which is same as the base key set identifier of the initialization key set identifier, a parent key separator which indicates a value ranging from 1 to the maximum number of parent keys, and an assigned key set identifier separator which indicates a value ranging from 1 to the maximum number of assigned key set identifiers.
16. The terminal device according to claim 15, wherein the parent key identifier is represented by the base key set identifier concatenated with the parent key separator.
17. The terminal device according to any of claims 13 to 16, wherein a parent key is derived by a Key Derivation Function based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys.
18. The terminal device according to any of claims 1 to 17, wherein the initialization key set identifier is received in a NAS authentication message.
19. The terminal device according to any of claims 1 to 18, wherein the second network function entity is a mobility management network function entity, and the terminal device is further caused to receive, from the mobility management network function entity, a NAS authentication message comprising a temporary identifier associated with the NAS connection along with the initialization key set identifier.
20. A first network function entity, comprising: at least one processor; and at least one memory storing instructions that, when executed on the at least one processor, cause the first network function entity at least to: during an AKA procedure with a terminal device, generate an initialization key set identifier; derive a set of allowed assigned key set identifiers and a set of parent keys, based on the initialization key set identifier, wherein each derived parent key is associated with a parent key identifier; and send the initialization key set identifier to the terminal device.
21. The first network function entity according to claim 20, wherein the first network function entity is further caused to: receive, from a second network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; select an assigned key set identifier from the set of allowed assigned key set identifiers; identify a parent key identifier from the selected assigned key set identifier; identify a parent key from the set of parent keys based on the parent key identifier; and send the selected assigned key set identifier and the parent key to the second network function entity.
22. The first network function entity according to claim 21, wherein the first network function entity is further caused to mark the selected assigned key set identifier as in use in the set of allowed assigned key set identifiers, and mark it as available once the assigned key set identifier is freed up.
23. The first network function entity according to claim 22, wherein the selection is performed on the assigned key set identifiers marked as available in the set of allowed assigned key set identifiers.
24. The first network function entity according to any of claims 21 to 23, wherein the selection is based on a predetermined policy in the first network function entity.
25. The first network function entity according to any of claims 21 to 24, wherein the receiving and the sending between the first network function entity and the second network function entity are via a service based interface.
26. The first network function entity according to any of claims 21 to 25, wherein the assigned key set identifier and the parent key are sent in a service based interface message to the second network function entity.
27. The first network function entity according to any of claims 21 to 26, wherein the first network function entity is further caused to maintain a list of network function entities to which the assigned key set identifier and the parent key are provided.
28. The first network function entity according to any of claims 20 to 27, wherein the initialization key set identifier comprises a base key set identifier which is a random number, a maximum number of parent keys, and a maximum number of assigned key set identifiers.
29. The first network function entity according to claim 28, wherein the maximum number of assigned key set identifiers is defined per parent key or globally.
30. The first network function entity according to any of claims 28 to 29, wherein the assigned key set identifier comprises a base key set identifier which is same as the base key set identifier of the initialization key set identifier, a parent key separator which indicates a value ranging from 1 to the maximum number of parent keys, and an assigned key set identifier separator which indicates a value ranging from 1 to the maximum number of assigned key set identifiers.
31. The first network function entity according to claim 30, wherein the parent key identifier is represented by the base key set identifier concatenated with the parent key separator.
32. The first network function entity according to any of claims 28 to 31, wherein a parent key is derived by a Key Derivation Function based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys.
33. The first network function entity according to any of claims 20 to 32, wherein the initialization key set identifier is sent in a NAS authentication message.
34. The first network function entity according to any of claims 20 to 33, wherein the first network function entity is further caused to receive, from a mobility management network function entity, an authentication request to trigger an AKA procedure.
35. The first network function entity according to any of claims 20 to 34, wherein the first network function entity is further caused to, upon the generation of new initialization key set identifier and new parent keys in a new AKA procedure, sequentially notify each of network function entities to which the assigned key set identifier and the parent key have been provided, starting with a mobility management network function entity, of a new parent key and a new assigned key set identifier.
36. The first network function entity according to any of claims 20 to 35, wherein the first network function entity is a standalone entity or is combined with another network function entity.
37. A second network function entity, comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the second network function entity at least to: send, to a first network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; receive an assigned key set identifier and a parent key from the first network function entity; and generate and store a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier.
38. The second network function entity according to claim 37, wherein the receiving and the sending between the second network function entity and the first network function entity are via a service based interface.
39. The second network function entity according to any of claims 37 to 38, wherein the assigned key set identifier and the parent key are received in a service based interface message from the first network function entity.
40. The second network function entity according to any of claims 37 to 39, wherein to generate the NAS security context for the NAS connection, the second network function entity is caused to: derive NAS keys from the parent key; and create the NAS security context comprising the assigned key set identifier, the parent key, and the NAS keys.
41. The second network function entity according to any of claims 37 to 40, wherein the second network function entity is further caused to: send, to a terminal device terminating the NAS connection, a NAS security mode command (SMC) message comprising the assigned key set identifier for the NAS connection and a temporary identifier assigned to the NAS connection; receive, from the terminal device, a secured NAS security mode complete message; and perform a security check of the secured NAS security mode complete message; wherein the NAS SMC message is integrity protected using the NAS security context identified by the assigned key set identifier.
42. The second network function entity according to claim 41, wherein the NAS SMC message further comprises a ciphered NAS container carrying another NAS message.
43. The second network function entity according to claim 41 or 42, wherein the second network function entity is further caused to: send, to the terminal device, a NAS message secured with the NAS security context identified by the assigned key set identifier for the NAS connection, wherein the secured NAS message comprises the assigned key set identifier and a temporary identifier associated with the NAS connection; and maintain context information that links the temporary identifier and the assigned key set identifier.
44. The second network function entity according to any of claims 41 to 43, wherein the second network function entity is further caused to receive an integrity protected Initial NAS message for a previously established NAS connection terminated at the second network function entity, wherein the Initial NAS message comprises an assigned key set identifier for the previously established NAS connection, a temporary identifier associated with the previously established NAS connection, and capabilities of the terminal device.
45. The second network function entity according to any of claims 41 to 44, wherein the assigned key set identifier is contained in all secured NAS messages sent to the terminal device on the NAS connection, and the assigned key set identifier is integrity protected but not encrypted in the secured NAS messages.
46. The second network function entity according to any of claims 37 to 45, wherein the second network function entity is further caused to: receive, from the first network function entity, a new assigned key set identifier and a new parent key for the NAS connection; update the NAS security context for the NAS connection using the new assigned key set identifier and the new parent key; and inform the first network function entity of the completion of the update.
47. The second network function entity according to any of claims 37 to 46, wherein the second network function entity is further caused to derive a horizontal key from the parent key.
48. The second network function entity according to any of claims 37 to 47, wherein the second network function entity is a mobility management network function entity, and wherein the second network function entity is further caused to send, to the first network function entity, an authentication request to trigger an AKA procedure.
49. The second network function entity according to claim 48, wherein the second network function entity is further caused to send, to the terminal device, a NAS authentication message comprising a temporary identifier associated with the NAS connection along with the initialization key set identifier.
50. The second network function entity according to claim 48 or 49, wherein the second network function entity is further caused to discover and select an appropriate network function entity upon receipt of a non-mobility management initial NAS message.
51. The second network function entity according to any of claims 48 to 50, wherein the second network function entity is further caused to send, after the secured NAS connection with the terminal device is established, a request for allocation of access stratum (AS) resources and provide AS keying material to an access node serving the terminal device.
52. The second network function entity according to any of claims 41 to 51, wherein the second network function entity is further caused to: during establishment of a NAS connection with the terminal device, send, to an access node serving the terminal device, a first temporary identifier identifying a first context information of the terminal device in the second network function entity on a first connection between the access node and the second network function entity, the first context information being associated with the assigned key set identifier for the NAS connection and with a temporary identifier associated with the NAS connection; and receive, from the access node, a second temporary identifier identifying a second context information of the terminal device in the access node on the first connection, the second context information being associated with a second connection between the terminal device and the access node; and wherein the first temporary identifier and the second temporary identifier are combined as a connection identifier to identify the first connection.
53. The second network function entity according to claim 52, wherein the second network function entity is further caused to: receive, from the access node, a message comprising a secured NAS message and the connection identifier, wherein the secured NAS message does not comprise an assigned key set identifier; and determine the assigned key set identifier associated with the connection identifier.
54. The second network function entity according to claim 52 or 53, wherein the second network function entity is further caused to establish, before sending a NAS message to the terminal device, the first connection using the second temporary identifier.
55. A method performed by a terminal device, the method comprising: receiving an initialization key set identifier from the first network function entity; and generating a set of allowed assigned key set identifiers, based on the initialization key set identifier.
56. The method according to claim 55, further comprising: deriving a set of parent keys from the initialization key set identifier during the AKA procedure, wherein each derived parent key is associated with a parent key identifier.
57. The method according to claim 56, further comprising: receiving, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS security mode command (SMC) message comprising an assigned key set identifier for the NAS connection and a temporary identifier assigned by the second network function entity to the NAS connection; identifying a parent key identifier from the received assigned key set identifier; identifying, from the set of parent keys, a parent key based on the parent key identifier; performing a security check on the received NAS SMC message using the identified parent key; generating and storing a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier; and sending, to the second network function entity, a NAS security mode complete message secured with the NAS security context.
58. The method according to claim 55, further comprising: receiving, from a second network function entity terminating a NAS connection with the terminal device, an integrity protected NAS security mode command (SMC) message comprising an assigned key set identifier for the NAS connection and a temporary identifier assigned by the second network function entity to the NAS connection; identifying a parent key identifier from the received assigned key set identifier; deriving a parent key based on the assigned key set identifier in the NAS SMC message, the parent key being associated with the parent key identifier; performing a security check on the received NAS security mode command message using the derived parent key; generating and storing a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier; and sending, to the second network function entity, a NAS security mode complete message secured with the NAS security context.
59. The method according to any of claims 57 to 58, wherein generating the NAS security context comprises: deriving NAS keys from the parent key; and creating the NAS security context comprising the assigned key set identifier, the parent key, and the NAS keys.
60. The method according to any of claims 57 to 59, wherein the NAS SMC message further comprises a ciphered NAS container carrying another NAS message.
61. The method according to any of claims 57 to 60, further comprising: marking the assigned key set identifier as in use in the set of allowed assigned key set identifiers; and marking the assigned key set identifier as available once it is freed up.
62. The method according to claim 61, further comprising: checking, before identifying the parent key identifier, whether the assigned key set identifier received in the NAS SMC message is available in the set of allowed assigned key set identifiers.
63. The method according to any of claims 57 to 62, further comprising: receiving, from the second network function entity, a secured NAS message comprising an assigned key set identifier and a temporary identifier associated with the NAS connection; and maintaining context information that links the temporary identifier and the assigned key set identifier.
64. The method according to claim 63, further comprising: sending, to the second network function entity, a NAS message secured with the NAS security context identified by the assigned key set identifier for the NAS connection, and providing the received temporary identifier or a shortened version of the received temporary identifier to a lower layer to enable an access node serving the terminal device to route the secured NAS message to the second network function entity.
65. The method according to any of claims 57 to 64, further comprising: sending, upon the terminal device transitioning from Idle mode to Connected mode, an integrity protected Initial NAS message for a previously established NAS connection comprising an assigned key set identifier for the previously established NAS connection, a temporary identifier associated with the previously established NAS connection, and capabilities of the terminal device.
66. The method according to any of claims 63 to 65, wherein the assigned key set identifier is contained in all secured NAS messages received by the terminal device on the NAS connection, and the assigned key set identifier is integrity protected but not encrypted in the secured NAS messages.
67. The method according to any of claims 55 to 66, wherein the initialization key set identifier comprises a base key set identifier which is a random number, a maximum number of parent keys, and a maximum number of assigned key set identifiers.
68. The method according to claim 67, wherein the maximum number of assigned key set identifiers is defined per parent key or globally.
69. The method according to any of claims 67 to 68, wherein the assigned key set identifier comprises a base key set identifier which is same as the base key set identifier of the initialization key set identifier, a parent key separator which indicates a value ranging from 1 to the maximum number of parent keys, and an assigned key set identifier separator which indicates a value ranging from 1 to the maximum number of assigned key set identifiers.
70. The method according to claim 69, wherein the parent key identifier is represented by the base key set identifier concatenated with the parent key separator.
71. The method according to any of claims 67 to 70, wherein a parent key is derived by a Key Derivation Function based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys.
72. The method according to any of claims 55 to 71, wherein the initialization key set identifier is received in a NAS authentication message.
73. The method according to any of claims 55 to 72, wherein the second network function entity is a mobility management network function entity, and wherein the method further comprises receiving, from the mobility management network function entity, a NAS authentication message comprising a temporary identifier associated with the NAS connection along with the initialization key set identifier.
74. A method performed by a first network function entity, the method comprising: generating an initialization key set identifier; deriving a set of allowed assigned key set identifiers and a set of parent keys, based on the initialization key set identifier, wherein each derived parent key is associated with a parent key identifier; and sending the initialization key set identifier to the terminal device.
75. The method according to claim 74, further comprising:
receiving, from a second network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; selecting an assigned key set identifier from the set of allowed assigned key set identifiers; identifying a parent key identifier from the selected assigned key set identifier; identifying a parent key from the set of parent keys based on the parent key identifier; and sending the selected assigned key set identifier and the parent key to the second network function entity.
76. The method according to claim 75, further comprising: marking the selected assigned key set identifier as in use in the set of allowed assigned key set identifiers, and marking the assigned key set identifier as available once it is freed up.
77. The method according to claim 76, wherein the selection is performed on the assigned key set identifiers marked as available in the set of allowed assigned key set identifiers.
78. The method according to any of claims 75 to 77, wherein the selection is based on a predetermined policy in the first network function entity.
79. The method according to any of claims 75 to 78, wherein the receiving and the sending between the first network function entity and the second network function entity are via a service based interface.
80. The method according to any of claims 75 to 79, wherein the assigned key set identifier and the parent key are sent in a service based interface message to the second network function entity.
81. The method according to any of claims 75 to 80, further comprising: maintaining a list of network function entities to which the assigned key set identifier and the parent key are provided.
82. The method according to any of claims 74 to 81, wherein the initialization key set identifier comprises a base key set identifier which is a random number, a maximum number of parent keys, and a maximum number of assigned key set identifiers.
83. The method according to claim 82, wherein the maximum number of assigned key set identifiers is defined per parent key or globally.
84. The method according to claim 82 or 83, wherein the assigned key set identifier comprises a base key set identifier which is same as the base key set identifier of the initialization key set identifier, a parent key separator which indicates a value ranging from 1 to the maximum number of parent keys, and an assigned key set identifier separator which indicates a value ranging from 1 to the maximum number of assigned key set identifiers.
85. The method according to claim 84, wherein the parent key identifier is represented by the base key set identifier concatenated with the parent key separator.
86. The method according to any of claims 82 to 85, wherein a parent key is derived by a Key Derivation Function based on the base key set identifier concatenated with a value within a range from 1 to the maximum number of parent keys.
87. The method according to any of claims 74 to 86, wherein the initialization key set identifier is sent in a NAS authentication message.
88. The method according to any of claims 74 to 87, further comprising: receiving, from a mobility management network function entity, an authentication request to trigger an AKA procedure.
89. The method according to any of claims 74 to 88, further comprising: upon the generation of a new initialization key set identifier and new parent keys in a new AKA procedure, sequentially notifying each of the network function entities to which the assigned key set identifier and the parent key have been provided, starting with a mobility management network function, of a new parent key and a new assigned key set identifier.
90. The method according to any of claims 74 to 89, wherein the first network function entity is a standalone entity or is combined with another network function entity.
91. A method performed by a second network function entity, comprising: sending, to a first network function entity, a request for an assigned key set identifier and a parent key for a NAS connection terminated at the second network function entity; receiving the assigned key set identifier and the parent key from the first network function entity; and
generating and storing a NAS security context for the NAS connection, the NAS security context being identified by the assigned key set identifier.
92. The method according to claim 91, wherein the receiving and the sending between the second network function entity and the first network function entity are via a service based interface.
93. The method according to claim 91 or 92, wherein the assigned key set identifier and the parent key are received in a service based interface message from the first network function entity.
94. The method according to any of claims 91 to 93, wherein generating the NAS security context for the NAS connection further comprises: deriving NAS keys from the parent key; and creating the NAS security context comprising the assigned key set identifier, the parent key, and the NAS keys.
95. The method according to any of claims 91 to 94, further comprising: sending, to a terminal device terminating the NAS connection, a NAS security mode command (SMC) message comprising the assigned key set identifier for the NAS connection and a temporary identifier assigned to the NAS connection; receiving, from the terminal device, a secured NAS security mode complete message; and performing a security check of the secured NAS security mode complete message; wherein the NAS SMC message is integrity protected using the NAS security context identified by the assigned key set identifier.
96. The method according to claim 95, wherein the NAS SMC message further comprises a ciphered NAS container carrying another NAS message.
97. The method according to claim 95 or 96, further comprising: sending, to the terminal device, a NAS message secured with the NAS security context identified by the assigned key set identifier for the NAS connection, wherein the secured NAS message comprises the assigned key set identifier and a temporary identifier associated with the NAS connection; and maintaining context information that links the temporary identifier and the assigned key set identifier.
98. The method according to any of claims 95 to 97, further comprising: receiving an integrity protected Initial NAS message for a previously established NAS connection terminated at the second network function entity, wherein the Initial NAS message comprises an assigned key set identifier for the previously established NAS connection, a temporary identifier associated with the previously established NAS connection, and capabilities of the terminal device.
99. The method according to any of claims 95 to 98, wherein the assigned key set identifier is contained in all secured NAS messages sent to the terminal device on the NAS connection, and the assigned key set identifier is integrity protected but not encrypted in the secured NAS messages.
100. The method according to any of claims 91 to 99, further comprising: receiving, from the first network function entity, a new assigned key set identifier and a new parent key for the NAS connection; updating the NAS security context for the NAS connection using the new assigned key set identifier and the new parent key; and informing the first network function entity of the completion of the update.
101. The method according to any of claims 91 to 100, further comprising: deriving a horizontal key from the parent key.
102. The method according to any of claims 91 to 101, wherein the second network function entity is a mobility management network function entity, and wherein the method further comprises: sending, to the first network function entity, an authentication request to trigger an AKA procedure.
103. The method according to claim 102, further comprising: sending, to the terminal device, a NAS authentication message comprising a temporary identifier associated with the NAS connection along with the initialization key set identifier.
104. The method according to claim 102 or 103, further comprising: discovering and selecting an appropriate network function entity upon receipt of a non-mobility management initial NAS message.
105. The method according to any of claims 102 to 104, further comprising: sending, after the secured NAS connection with the terminal device is established, a request for allocation of access stratum (AS) resources and providing AS keying material to an access node serving the terminal device.
106. The method according to any of claims 95 to 105, further comprising: during establishment of a NAS connection with the terminal device, sending, to an access node serving the terminal device, a first temporary identifier identifying a first context information of the terminal device in the second network function entity on a first connection between the access node and the second network function entity, the first context information being associated with the assigned key set identifier for the NAS connection and with a temporary identifier associated with the NAS connection; and receiving, from the access node, a second temporary identifier identifying a second context information of the terminal device in the access node on the first connection, the second context information being associated with a second connection between the terminal device and the access node; and wherein the first temporary identifier and the second temporary identifier are combined as a connection identifier to identify the first connection.
107. The method according to claim 106, further comprising: receiving, from the access node, a message comprising a secured NAS message and the connection identifier, wherein the secured NAS message does not comprise an assigned key set identifier; and determining the assigned key set identifier associated with the connection identifier.
108. The method according to claim 106 or 107, further comprising: establishing, before sending a NAS message to the terminal device, the first connection using the second temporary identifier.
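The key set identifier hierarchy of claims 67 to 71 and 82 to 86, together with the first network function entity's allocation of assigned key set identifiers in claims 74 to 77 and the terminal-side check of claims 60 to 62, as an added Python example that is not code from the patent. The dotted text encoding of the identifiers, HMAC-SHA256 as the unnamed Key Derivation Function, a per-parent-key limit on assigned identifiers and a lowest-free selection policy are all assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class InitKsi:  # initialization key set identifier (claims 67/82)
    base: int          # random base key set identifier, e.g. secrets.randbits(16)
    max_parents: int   # maximum number of parent keys
    max_assigned: int  # per parent key here (claims 68/83 also allow a global limit)

def parent_key_id(base: int, p: int) -> str:
    """Base KSI concatenated with the parent key separator; hypothetical text encoding."""
    return f"{base:04x}.{p}"

def assigned_ksi(base: int, p: int, a: int) -> str:
    """Base KSI || parent key separator || assigned KSI separator (claims 69/84)."""
    return f"{parent_key_id(base, p)}.{a}"

def parent_key_id_of(ksi: str) -> str:
    """Recover the parent key identifier from an assigned KSI (claims 61/75)."""
    base, p, _a = ksi.split(".")
    return f"{base}.{p}"

def kdf(root: bytes, label: str) -> bytes:
    """Stand-in KDF (HMAC-SHA256); the claims name only 'a Key Derivation Function'."""
    return hmac.new(root, label.encode(), hashlib.sha256).digest()

def derive_parent_keys(root: bytes, init: InitKsi) -> dict[str, bytes]:
    """Parent key p = KDF(base KSI || p) for p in 1..max_parents (claims 71/86)."""
    return {parent_key_id(init.base, p): kdf(root, parent_key_id(init.base, p))
            for p in range(1, init.max_parents + 1)}

def allowed_assigned_ksis(init: InitKsi) -> list[str]:
    """Set of allowed assigned KSIs derived from the initialization KSI (claim 74)."""
    return [assigned_ksi(init.base, p, a)
            for p in range(1, init.max_parents + 1)
            for a in range(1, init.max_assigned + 1)]

class KsiAllocator:
    """First network function entity side (claims 74 to 77 and 81)."""
    def __init__(self, root: bytes, init: InitKsi):
        self.parent_keys = derive_parent_keys(root, init)
        self.available = allowed_assigned_ksis(init)  # policy: lowest free first
        self.in_use: dict[str, str] = {}              # assigned KSI -> requesting NF
    def allocate(self, nf: str) -> tuple[str, bytes]:
        # select an available KSI, mark it in use, return it with its parent key
        if not self.available:
            raise RuntimeError("no assigned key set identifier available")
        ksi = self.available.pop(0)
        self.in_use[ksi] = nf
        return ksi, self.parent_keys[parent_key_id_of(ksi)]
    def release(self, ksi: str) -> None:
        # mark the KSI available again once the NAS connection frees it (claim 76)
        del self.in_use[ksi]
        self.available.append(ksi)

def terminal_parent_key(root: bytes, init: InitKsi, ksi: str) -> bytes:
    """Terminal side (claims 60 to 62): reject a KSI outside the allowed set, else derive."""
    if ksi not in allowed_assigned_ksis(init):
        raise ValueError("assigned key set identifier not in allowed set")
    return kdf(root, parent_key_id_of(ksi))
```

Because the terminal derives the parent key from the same root and the identifier alone, a second network function entity never needs to receive anything beyond the assigned identifier and its parent key from the first entity, which is the point of claims 75 and 91.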
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2023/071929 WO2025034237A1 (en) | 2023-08-09 | 2023-08-09 | Security in a distributed nas connection terminations architecture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2023/071929 WO2025034237A1 (en) | 2023-08-09 | 2023-08-09 | Security in a distributed nas connection terminations architecture |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025034237A1 true WO2025034237A1 (en) | 2025-02-13 |
Family
ID=94535157
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2023/071929 Pending WO2025034237A1 (en) | 2023-08-09 | 2023-08-09 | Security in a distributed nas connection terminations architecture |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025034237A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20230164645A1 (en) * | 2020-07-31 | 2023-05-25 | Vivo Mobile Communication Co., Ltd. | Handover method and apparatus, and communications device |
| US12452140B1 (en) * | 2024-05-28 | 2025-10-21 | Oracle International Corporation | Methods, systems, and computer readable media for providing end-to-end message integrity checking for service-based interface (SBI) messages communicated via a service communication proxy (SCP) |
| WO2025229235A1 (en) * | 2025-07-11 | 2025-11-06 | Lenovo International Coöperatief U.A. | Apparatuses and methods for secure communication in a wireless communications system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190253888A1 (en) * | 2016-09-20 | 2019-08-15 | Nokia Solutions And Networks Oy | Next generation key set identifier |
| US20190349764A1 (en) * | 2018-05-11 | 2019-11-14 | Samsung Electronics Co., Ltd. | Security protection method and apparatus in wireless communication system |
| US20220053445A1 (en) * | 2019-04-29 | 2022-02-17 | Huawei Technologies Co., Ltd. | Method and Apparatus for Mobility Registration |
| WO2022168054A1 (en) * | 2021-02-08 | 2022-08-11 | Lenovo (Singapore) Pte. Ltd. | Key identification for mobile edge computing functions |
| WO2022175542A1 (en) * | 2021-02-22 | 2022-08-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Registration in a wireless communication network |
2023-08-09: WO PCT/US2023/071929, WO2025034237A1, active, Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23948653; Country of ref document: EP; Kind code of ref document: A1 |