(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date
15 October 2020 (15.10.2020)

(10) International Publication Number
WO 2020/208996 A1
(51) International Patent Classification:
H04L 9/32 (2006.01)
H04W 12/08 (2009.01)
H04W 12/04 (2009.01)
H04W 88/06 (2009.01)
`
(21) International Application Number:
PCT/JP2020/010735

(22) International Filing Date:
12 March 2020 (12.03.2020)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data:
201941014041    08 April 2019 (08.04.2019)    IN
(71) Applicant: NEC CORPORATION [JP/JP]; 7-1, Shiba 5-chome, Minato-ku, Tokyo, 1088001 (JP).

(72) Inventors: TIWARI Kundan; c/o NEC Technologies India Pvt. Ltd., SP Infocity, Block-A, 9th Floor, Module-2A, 40, MGR Salai, Kandanchavadi, Perungudi, Chennai, Tamil Nadu, 600096 (IN). TAMURA Toshiyuki; c/o NEC Corporation, 7-1, Shiba 5-chome, Minato-ku, Tokyo, 1088001 (JP). DE KIEVIT Sander; c/o NEC Corporation, 7-1, Shiba 5-chome, Minato-ku, Tokyo, 1088001 (JP).

(74) Agent: TEIRI Takeshi; HIBIKI IP Law Firm, Asahi Bldg. 5th Floor, 3-33-8, Tsuruya-cho, Kanagawa-ku, Yokohama-shi, Kanagawa, 2210835 (JP).
`
(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JO, JP, KE, KG, KH, KN, KP, KR, KW, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, WS, ZA, ZM, ZW.

(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ,
`
(54) Title: PROCEDURE TO PROVIDE INTEGRITY PROTECTION TO A UE PARAMETER DURING UE CONFIGURATION UPDATE PROCEDURE
`
[Fig. 1: signalling diagram of the first embodiment between the UE, two VPLMN AMFs (VPLMN-I AMF and VPLMN-II AMF), the AUSF and the UDM. Steps shown: 0. A UE is registered over a first access network to a first PLMN; 1. Registration Request over a second RAT; 2. Authentication procedure for second RAT to a second PLMN; 3. Security Mode Control procedure; 3-a. Nudm_UECM_Registration (RAT); 4. Nudm_SDM_Get; 5. Nausf_SoRProtection (SUPI, SoR header, [List], [ACK Indication], PLMN, RAT); 6. AUSF uses KAUSF related to RAT to calculate SoR-MAC-IAUSF; 7. Nausf_SoRProtection Response (SoR-MAC-IAUSF, [SoR-XMAC-IUE], CounterSoR); 8. Nudm_SDM_Get_Response ([List], SoR Header, SoR-MAC-IAUSF, CounterSoR); 9. Registration Accept ([List], SoR Header, SoR-MAC-IAUSF, CounterSoR).]
`
(57) Abstract: A method in a user equipment (UE), the method comprising: storing security keys, wherein each of the security keys corresponds to a RAT (Radio Access Technology); receiving from a communications apparatus, a message including information of a first RAT which the UE communicates with; and determining a first security key in the security keys based on the information of the first RAT, the first security key being used to verify integrity of the message.
`
`
`
TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, KM, ML, MR, NE, SN, TD, TG).
`
Published:

- with international search report (Art. 21(3))
`
`
WO 2020/208996
PCT/JP2020/010735

Description

Title of Invention: PROCEDURE TO PROVIDE INTEGRITY PROTECTION TO A UE PARAMETER DURING UE CONFIGURATION UPDATE PROCEDURE
`
Technical Field

This disclosure is related to the procedure to provide integrity protection to a UE parameter during the Steering of Roaming and UE parameter update procedure using Control Plane signaling. More specifically, the method provides a mechanism to choose a security key to integrity protect a UE parameter when the UE is registered to more than one PLMN (Public land mobile network) and more than one security key exists in the network.
`
Background Art

When a UE registers to two different PLMNs which are not equivalent PLMNs via a 3GPP access and a non-3GPP access, then the UE is registered to two different AMFs (Access and Mobility Management Functions) belonging to each PLMN. In this scenario, the UE maintains two independent 5G security contexts (KAMF and keys lower in the key hierarchy), one for each serving PLMN. When a UE is registered to the same PLMN or an equivalent PLMN via a 3GPP access and a non-3GPP access, then the UE is registered to a single AMF and maintains one security context.

When the UDM (Unified Data Management) decides to update the preferred PLMN list or RAT (Radio Access Technology) to the UE while the UE is registered to the visited PLMN, then the UDM initiates the Steering of Roaming (SoR) procedure to transfer the steering information (preferred list of PLMN or RAT) for PLMN selection. The steering of roaming information is integrity protected using the security key KAUSF at an AUSF (Authentication Server Function). When the UE receives steering information, the UE uses KAUSF to verify the integrity protection. A similar procedure is applied to update the UE parameters using the UDM control plane procedure.
`
Citation List

Non Patent Literature

[0004]

NPL 1: 3GPP TR 21.905: "Vocabulary for 3GPP Specifications". V15.0.0 (2018-03).
NPL 2: 3GPP TS 23.501: "System Architecture for the 5G System; Stage 2". V15.4.0 (2019-01).
NPL 3: 3GPP TS 23.502: "Procedures for the 5G System; Stage 2". V15.4.0 (2019-01).
NPL 4: 3GPP TS 24.501: "Non-Access-Stratum (NAS) protocol; Stage 3". V15.2.1 (2019-01).
NPL 5: 3GPP TS 33.501: "Security architecture and procedures for 5G system". V15.3.1 (2018-12).

Summary of Invention

Technical Problem

[0005]

Problem Statement 1:
`
When a UE is registered to two different PLMNs which are not equivalent PLMNs via a 3GPP access and a non-3GPP access, then the UE has two 5G security contexts (e.g. security keys) at the various network nodes. In this scenario, the AUSF has one KAUSF, namely the KAUSF resulting from the latest authentication. During the registration procedure over one access network, if the UDM decides to send steering information to the UE and sends a message containing the steering information and requesting the AUSF to provide integrity protection to the steering information, the AUSF calculates the MAC-I for integrity protection of the message using the KAUSF resulting from the latest authentication. Then, when the UE receives the message, it is unclear to the UE which KAUSF the AUSF has used for the calculation of the MAC-I for integrity protection of the steering of roaming message.

In another scenario, when the UE is registered to two different PLMNs which are not equivalent and the UDM decides to send steering information to the UE, then it is not clear at the UDM which of the two registered PLMNs is chosen to send the steering information.
`
[0007]

Problem Statement 2:

When a UE is registered to two different PLMNs which are not equivalent PLMNs via a 3GPP access and a non-3GPP access, then the UE has two 5G security contexts (e.g. security keys) at the various network nodes. In this scenario, when a UDM decides to perform the UE parameter update procedure to update the UE configuration (e.g. Routing Identity) using control plane signalling, then it is not clear which of the two registered PLMNs the UDM will choose to send the updated UE configuration.
`
Solution to Problem

[0008]

In a first aspect of the present disclosure, a method in a user equipment (UE), the method comprising: storing security keys, wherein each of the security keys corresponds to a RAT (Radio Access Technology); receiving from a communications apparatus, a message including information of a first RAT which the UE communicates with; and determining a first security key in the security keys based on the information of the first RAT, the first security key being used to verify integrity of the message.
`
`
[0009]

In a second aspect of the present disclosure, a method in a first communications apparatus comprising: storing security keys, wherein each of the security keys corresponds to a RAT (Radio Access Technology); receiving, from a second communications apparatus, information of a first RAT which a UE communicates with; and determining a first security key in the security keys based on the information of the first RAT.
`
[0010]

In a third aspect of the present disclosure, a user equipment (UE) comprising: a memory configured to store security keys, wherein each of the security keys corresponds to a RAT (Radio Access Technology); a transceiver configured to receive from a communications apparatus, a message including information of a first RAT which the UE communicates with; and a controller configured to determine a first security key in the security keys based on the information of the first RAT, the first security key being used to verify integrity of the message.

[0011]

In a fourth aspect of the present disclosure, a first communications apparatus comprising: a memory configured to store security keys, wherein each of the security keys corresponds to a RAT (Radio Access Technology); a transceiver configured to receive, from a second communications apparatus, information of a first RAT which a UE communicates with; and a controller configured to determine a first security key in the security keys based on the information of the first RAT.
Brief Description of Drawings

[fig.1] Fig. 1 is a diagram showing the procedure according to a first embodiment of the present disclosure.
[fig.2] Fig. 2 is a diagram showing the procedure according to a variant of the first embodiment of the present disclosure.
[fig.3] Fig. 3 is a diagram showing the procedure according to a second embodiment of the present disclosure.
[fig.4] Fig. 4 is a diagram showing the procedure according to a third embodiment of the present disclosure.
[fig.5] Fig. 5 is a diagram showing the procedure according to a variant 1a of the first embodiment of the present disclosure.
[fig.6] Fig. 6 is a diagram showing the procedure according to a fourth embodiment of the present disclosure.
[fig.7] Fig. 7 is a diagram showing the procedure according to a variant of the fourth embodiment of the present disclosure.
[fig.8] Fig. 8 is a block diagram illustrating the main components of the UE.
[fig.9] Fig. 9 is a block diagram illustrating the main components of an exemplary (R)AN node.
`
[fig.10] Fig. 10 is a block diagram illustrating the main components of the AMF.
[fig.11] Fig. 11 is a block diagram illustrating the main components of the AUSF.
[fig.12] Fig. 12 is a block diagram illustrating the main components of the UDM.
Description of Embodiments

Abbreviations

[0013]

For the purposes of the present document, the abbreviations given in NPL 1 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in NPL 1.
5GC: 5G Core Network
5GS: 5G System
5G-AN: 5G Access Network
5G-GUTI: 5G Globally Unique Temporary Identifier
5G S-TMSI: 5G S-Temporary Mobile Subscription Identifier
5QI: 5G QoS Identifier
AF: Application Function
AMF: Access and Mobility Management Function
AN: Access Node
AS: Access Stratum
AUSF: Authentication Server Function
CM: Connection Management
CP: Control Plane
CSFB: Circuit Switched (CS) Fallback
DL: Downlink
DN: Data Network
DNAI: DN Access Identifier
DNN: Data Network Name
EDT: Early Data Transmission
EPS: Evolved Packet System
EPC: Evolved Packet Core
FQDN: Fully Qualified Domain Name
GFBR: Guaranteed Flow Bit Rate
GMLC: Gateway Mobile Location Centre
GPSI: Generic Public Subscription Identifier
GUAMI: Globally Unique AMF Identifier
HR: Home Routed (roaming)
I-RNTI: I-Radio Network Temporary Identifier
LADN: Local Area Data Network
LBO: Local Break Out (roaming)
`
`
LMF: Location Management Function
LRF: Location Retrieval Function
MAC: Medium Access Control
MFBR: Maximum Flow Bit Rate
MICO: Mobile Initiated Connection Only
MME: Mobility Management Entity
N3IWF: Non-3GPP Inter Working Function
NAI: Network Access Identifier
NAS: Non-Access Stratum
NEF: Network Exposure Function
NF: Network Function
NG-RAN: Next Generation Radio Access Network
NR: New Radio
NRF: Network Repository Function
NSI ID: Network Slice Instance Identifier
NSSAI: Network Slice Selection Assistance Information
NSSF: Network Slice Selection Function
NSSP: Network Slice Selection Policy
PCF: Policy Control Function
PEI: Permanent Equipment Identifier
PER: Packet Error Rate
PFD: Packet Flow Description
PLMN: Public land mobile network
PPD: Paging Policy Differentiation
PPI: Paging Policy Indicator
PSA: PDU Session Anchor
QFI: QoS Flow Identifier
QoE: Quality of Experience
(R)AN: (Radio) Access Network
RLC: Radio Link Control
RM: Registration Management
RQA: Reflective QoS Attribute
RQI: Reflective QoS Indication
RRC: Radio Resource Control
SA NR: Standalone New Radio
SBA: Service Based Architecture
SBI: Service Based Interface
SD: Slice Differentiator
`
`
SDAP: Service Data Adaptation Protocol
SEAF: Security Anchor Functionality
SEPP: Security Edge Protection Proxy
SMF: Session Management Function
S-NSSAI: Single Network Slice Selection Assistance Information
SSC: Session and Service Continuity
SST: Slice/Service Type
SUCI: Subscription Concealed Identifier
SUPI: Subscription Permanent Identifier
SoR: Steering of Roaming
UDSF: Unstructured Data Storage Function
UICC: Universal Integrated Circuit Card
UL: Uplink
UL CL: Uplink Classifier
USIM: Universal Subscriber Identity Module
UPF: User Plane Function
UDR: Unified Data Repository
URSP: UE Route Selection Policy
SMS: Short Message Service
SMSF: SMS Function
MT: Mobile Terminated
UAC: Unified Access Control
ODACD: Operator Defined Access Category Definitions
OS: Operating System

[0014]

Definitions

For the purposes of the present document, the terms and definitions given in NPL 1 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in NPL 1.

[0015]

Embodiments
`
Exemplary embodiments now will be described with reference to the accompanying drawings. The disclosure may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey its scope to those skilled in the art. The terminology used in the detailed description of the particular exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting. In the drawings, like numbers refer to like elements.
`
It is to be noted, however, that the reference numerals in claims illustrate only typical embodiments of the present subject matter, and are therefore not to be considered as limiting its scope, for the subject matter may admit other equally effective embodiments.
`
The specification may refer to "an", "one" or "some" embodiment(s) in several locations. This does not necessarily imply that each such reference is to the same embodiment(s), or that the feature only applies to a single embodiment. Single features of different embodiments may also be combined to provide other embodiments.

As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise. It will be further understood that the terms "includes", "comprises", "including" and/or "comprising", when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may be present. Furthermore, "connected" or "coupled" as used herein may include operatively connected or coupled. As used herein, the term "and/or" includes any and all combinations and arrangements of one or more of the associated listed items.
`
[0018]

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
`
The figures depict a simplified structure only showing some elements and functional entities, all being logical units whose implementation may differ from what is shown. The connections shown are logical connections; the actual physical connections may be different. It is apparent to a person skilled in the art that the structure may also comprise other functions and structures.

Also, all logical units described and depicted in the figures include the software and/or hardware components required for the unit to function. Further, each unit may comprise within itself one or more components which are implicitly understood. These components may be operatively coupled to each other and be configured to communicate with each other to perform the function of the said unit.

First embodiment (Solution 1 to solve problem statement 1):

Indicating PLMN identity or RAT to select a security key to provide integrity protection to SoR in the SoR transmission procedure during the registration procedure.

Fig. 1 is a diagram showing the procedure according to a first embodiment of the present disclosure.

The detailed steps to transfer the SoR to a UE when the UE is registered to two different PLMNs via two different RATs, or to the same PLMN via two different 5G-ANs, are as follows:
`
[0023]

0. A UE is registered to a first visited PLMN over a first 5G Access Network (5G-AN). During the authentication procedure, the AUSF stores the first KAUSF of the UE and stores the first PLMN identity and the first 5G-AN together with this KAUSF. As such, the AUSF keeps not only the KAUSF and the UE Identifier, such as SUPI (Subscription Permanent Identifier), but also the PLMN ID and the related RAT. Upon completion of the authentication procedure, the UE also stores the KAUSF, the PLMN ID and the RAT associated with this KAUSF in a storage in the UE.

1. The UE initiates a second registration procedure over a second 5G-AN to a second visited PLMN by sending a Registration Request message. This registration procedure may be an initial registration procedure, a registration update procedure or a periodic registration update procedure.

2. The AMF decides to initiate the authentication procedure. The AMF/SEAF executes the authentication procedure as described in the embodiment. According to the prior art, the AUSF would overwrite the KAUSF in storage during the authentication procedure. In this embodiment, the AUSF will store a second KAUSF in addition to the first one, together with the PLMN ID of the access network and the RAT of the access network that was used during the authentication. When the authentication completes, the UE also stores a second KAUSF and associates the PLMN ID of the second access network with it, just like the AUSF does. The UE now has a storage including two tuples of KAUSF and PLMN IDs. This storage can be extended for each further run of authentication to new networks, for example if the UE attaches to a third access network and a new authentication run is completed.

3. The network executes the Security Mode Control procedure.

3-a. The AMF sends the Nudm_UECM_Registration to the UDM to inform it of the Radio Access Technology (RAT) being used.

4. The AMF sends a message Nudm_SDM_Get to the UDM to get the subscriber data.

5. The UDM decides to send steering information to the UE via the second PLMN. The UDM sends a message Nausf_SoRProtection containing, as information elements, at least one of the parameters SUPI, SoR Header, the second PLMN identity or the selected Radio Access Technology (RAT). The UDM may send the second PLMN identity, or the RAT of the second PLMN identity, or both.

6. When the AUSF receives the Nausf_SoRProtection message, then the AUSF
`
retrieves the KAUSF related to the UE Identity and the indicated PLMN Identity or the indicated RAT in the Nausf_SoRProtection message from storage and selects it to be used for integrity protection. The AUSF uses the selected KAUSF to calculate SoR-MAC-IAUSF and optionally SoR-MAC-IUE according to the mechanism specified in NPL 5, namely:

SoR-MAC-IAUSF = KDF(SoR Header, PLMN ID Access Technology list, KAUSF).

The KDF is a key derivation function, which is a cryptographic one-way function such as HMAC-SHA256. Other cryptographic hash functions could also be used. The fields indicated between the brackets indicate the clear text parts and the last field indicates that a KAUSF is used as input key to the KDF. In the case that the SoR mechanism is used for different purposes than sending the PLMN ID Access List, the plain text input fields will change, but the input key will remain the same. Also, as one skilled in the art will appreciate, it is also possible to use a different input key, for example a key derived from KAUSF specifically for the purpose, or another key resulting from an earlier authentication run.

7. The AUSF sends the Nausf_SoRProtection_Response message containing SoR-MAC-IAUSF, CounterSoR and optionally SoR-XMAC-IUE to the UDM.

8. The UDM sends Nudm_SDM_Get_Response containing List, SoR-MAC-I and SoR-Counter to the AMF.

9. The AMF sends the Registration Accept message containing at least one of the parameters List, SoR header, SoR-MAC-I and SoR-Counter to the UE.

10. Upon reception of the message, the UE first verifies which 5G-AN or PLMN was used to send the message. Then, the UE retrieves the KAUSF associated with that 5G-AN or PLMN identity from storage and selects this key to be used for verifying the integrity protection applied by the AUSF. The UE subsequently verifies the integrity protection by verifying the SoR-MAC-IAUSF applied to the message and, if correct, the UE may return a registration acknowledgement message to the UDM. If the UE returns a registration acknowledgement message to the UDM, it will integrity protect the message by calculating the SoR-MAC-IUE using the same KAUSF as was selected for the verification of the SoR-MAC-IAUSF.
`
The Nausf_SoRProtection and Nausf_SoRProtection_Response messages are further defined in the fifth embodiment.
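The per-(PLMN ID, RAT) key storage of steps 0 and 2 and the key selection of steps 6 and 10, as an added example that is not part of this publication: HMAC-SHA256 stands in for the KDF of NPL 5, and the PLMN IDs, keys and byte layout of the MAC inputs are constructed for the example. The UPU-MAC-IAUSF of the second embodiment follows the same pattern with the UPU data in place of the list.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

KeyId = Tuple[str, str]  # (PLMN ID, RAT); sample values below are constructed


class KausfStore:
    """Per-UE key storage of steps 0 and 2: one KAUSF per (PLMN ID, RAT) tuple."""

    def __init__(self) -> None:
        self._keys: Dict[KeyId, bytes] = {}
        self.latest: Optional[KeyId] = None  # what a prior-art node would have kept

    def on_authentication_complete(self, plmn_id: str, rat: str, kausf: bytes) -> None:
        # Stored in addition to the existing keys rather than overwriting them.
        self._keys[(plmn_id, rat)] = kausf
        self.latest = (plmn_id, rat)

    def select(self, plmn_id: Optional[str] = None, rat: Optional[str] = None) -> bytes:
        """Steps 6 and 10: the KAUSF matching the indicated PLMN ID and/or RAT."""
        matches = [k for (p, r), k in self._keys.items()
                   if (plmn_id is None or p == plmn_id) and (rat is None or r == rat)]
        if len(matches) != 1:
            raise LookupError(f"no unique KAUSF for plmn={plmn_id} rat={rat}")
        return matches[0]


def sor_mac_iausf(kausf: bytes, sor_header: bytes,
                  plmn_rat_list: List[Tuple[str, str]], counter_sor: int) -> bytes:
    """SoR-MAC-IAUSF = KDF(SoR Header, PLMN ID Access Technology list, KAUSF).

    HMAC-SHA256 stands in for the KDF of NPL 5; the byte layout of the clear-text
    inputs (header || 16-bit CounterSoR || list entries) is constructed here.
    CounterSoR is bound into the MAC so a replayed message with an old counter fails.
    """
    msg = sor_header + counter_sor.to_bytes(2, "big")
    for plmn_id, access_tech in plmn_rat_list:
        msg += plmn_id.encode() + b"/" + access_tech.encode() + b";"
    return hmac.new(kausf, msg, hashlib.sha256).digest()[:16]


def ue_verify_sor(ue_store: KausfStore, received_over: KeyId, sor_header: bytes,
                  plmn_rat_list: List[Tuple[str, str]], counter_sor: int, mac: bytes) -> bool:
    """Step 10: pick the KAUSF of the (PLMN, RAT) the message arrived on, then check the MAC."""
    try:
        kausf = ue_store.select(*received_over)
    except LookupError:
        return False
    expected = sor_mac_iausf(kausf, sor_header, plmn_rat_list, counter_sor)
    return hmac.compare_digest(expected, mac)


def run_scenario() -> Dict[str, bool]:
    """Two registrations, one SoR delivered over the first access. Identities are constructed."""
    ausf, ue = KausfStore(), KausfStore()
    # Step 0: first visited PLMN over 3GPP access (NR); both sides store the tuple.
    k1 = os.urandom(32)
    ausf.on_authentication_complete("26201", "NR", k1)
    ue.on_authentication_complete("26201", "NR", k1)
    # Step 2: second authentication via a second visited PLMN over non-3GPP access.
    k2 = os.urandom(32)
    ausf.on_authentication_complete("23410", "non-3GPP", k2)
    ue.on_authentication_complete("23410", "non-3GPP", k2)

    header, sor_list, ctr = b"\x01", [("26202", "NR"), ("26203", "E-UTRA")], 1
    # Steps 5-6: the UDM indicates the first PLMN; the AUSF selects that KAUSF.
    mac = sor_mac_iausf(ausf.select(plmn_id="26201"), header, sor_list, ctr)
    return {
        # Step 10: delivered over the first access, so the UE picks the matching key.
        "verified_over_first_access": ue_verify_sor(ue, ("26201", "NR"), header, sor_list, ctr, mac),
        # The same MAC checked with the key of the other access must fail.
        "verified_with_other_key": ue_verify_sor(ue, ("23410", "non-3GPP"), header, sor_list, ctr, mac),
        # Prior-art behaviour: only the latest KAUSF is available, so verification fails.
        "verified_with_latest_only": hmac.compare_digest(
            sor_mac_iausf(ue.select(*ue.latest), header, sor_list, ctr), mac),
        # A replay carrying a stale CounterSoR fails even with the correct key.
        "stale_counter_accepted": ue_verify_sor(ue, ("26201", "NR"), header, sor_list, ctr - 1, mac),
    }
```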
`
[0034]

Variant of first embodiment.

Fig. 2 is a diagram showing the procedure according to a variant of the first embodiment of the present disclosure.

The detailed steps of transfer of SoR when the UE is registered to a PLMN via different 5G-ANs or to different PLMNs via different 5G-ANs:

0. A UE is registered to a first PLMN over a first 5G-AN and to a second PLMN over a second 5G-AN. According to the first embodiment, both the UE and the AUSF have kept a storage with at least two KAUSFs associated with the access network. As such, the AUSF has two KAUSFs for this particular UE, one for the first PLMN and another for the second PLMN. The UE similarly has two KAUSFs, one associated with the first PLMN and one associated with the second PLMN.
`
[0035]

1. A UDM decides to notify the UE of changes of the steering information (list of preferred PLMN/access technology combinations). The UDM selects a PLMN from the first PLMN and the second PLMN when the first PLMN and the second PLMN are different and are not equivalent PLMNs, or a RAT from the first 5G-AN and the second 5G-AN when the first PLMN and the second PLMN are identical PLMNs or equivalent PLMNs, based on for example the following factors:

i) The UE is in connected state over a PLMN (e.g. the UDM delivers the SoR via a PLMN where the UE is in connected state).

ii) 5G-AN type (e.g. 3GPP access is preferred over non-3GPP access).

iii) Congestion in the PLMN (e.g. sends through the PLMN which is least congested or is not congested).

iv) The PLMN that the UE latest authenticated to (some UEs may not support the feature of storing multiple KAUSFs, which means that the UDM should decide to use the latest).

2-4. Steps 5, 6 and 7 of the first embodiment are executed.

5. The UDM initiates the Nudm_SDM_UpdateNotification message to the AMF of the selected PLMN or selected RAT in step 2. The UDM includes a selected RAT in the Nudm_SDM_UpdateNotification message if the UEs are registered to the same AMF, i.e. when the first PLMN and the second PLMN are identical or equivalent PLMNs. In case of core network sharing, when an AMF is shared by multiple PLMNs, then the UDM also includes the selected PLMN Identity in the Nudm_SDM_UpdateNotification message.

6. The AMF delivers the SoR using the DL NAS Transport message via the RAT present in the Nudm_SDM_UpdateNotification message or via the network corresponding to the PLMN identity present in the Nudm_SDM_UpdateNotification message.

7. The AMF sends the DL NAS Transport message to the UE. Then, step 10 of the first embodiment is executed.

In one example, if the UDM acknowledges that the UE has two associated AMFs (i.e. two PLMNs), one for 3GPP access and the other one for non-3GPP access, the UDM may send two Nudm_UDM_Notification messages containing (SoR information, SoR-Header, SoR-MAC-IAUSF, CounterSoR) to the two AMFs.
`
`
Second Embodiment (Solution 2 to solve problem statement 2)

Selecting a PLMN and corresponding security key to provide integrity protection to UE configuration data in the UE parameter update procedure using the control plane solution.

Fig. 3 is a diagram showing the procedure according to a second embodiment of the present disclosure.

The detailed UE Parameters Update using control plane procedure is described below:

0. A UE is registered to a first PLMN over a first 5G-AN and to a second PLMN over a second 5G-AN. The AUSF has generated and stored two KAUSFs in a key storage, one for the first PLMN and another for the second PLMN. Similarly, the UE has stored two KAUSFs, one associated with the first PLMN and one associated with the second PLMN.

[0044]

1. A UDM decides to perform the UE parameters update procedure (UPU) using the control plane procedure. The UDM selects a PLMN from the first PLMN and the second PLMN when the first PLMN and the second PLMN are different and are not equivalent PLMNs, or a RAT from the first 5G-AN and the second 5G-AN when the first PLMN and the second PLMN are identical PLMNs or equivalent PLMNs, based on at least one of the following factors:

i) The UE is in connected state over a PLMN (e.g. the UDM delivers the SoR via a PLMN where the UE is in connected state).

ii) 5G-AN type (e.g. 3GPP access is preferred over non-3GPP access).

iii) Congestion in the PLMN (e.g. sends through the PLMN which is least congested or is not congested).

iv) The PLMN that the UE latest authenticated to (some UEs may not support the feature of storing multiple KAUSFs, which means that the UDM should decide to use the latest).

2. The UDM sends the Nausf_UPUProtection message containing SUPI, UPU data, optionally an Ack Indication, and at least one of the selected RAT or the selected PLMN ID to the AUSF.

3-4. The AUSF selects the KAUSF corresponding to the RAT or the PLMN sent in the Nausf_UPUProtection message according to the description in embodiment 1 or 2. The AUSF uses the selected KAUSF to calculate UPU-MAC-IAUSF, CounterUPU or UPU-XMAC-IUE. The AUSF sends the Nausf_UPUProtection Response containing UPU-MAC-IAUSF or UPU-XMAC-IUE or CounterUPU.

5. The UDM sends the Nudm_SDM_Notification message containing (UPU data, UPU-MAC-IAUSF, CounterUPU) to the AMF of the selected PLMN. The UDM also includes the selected RAT as described in step 2 in the Nudm_SDM_Notification
`
`
message. The UDM may include a new parameter "subscriber data reload required" in the Nudm_SDM_Notification message.

In case the UDM acknowledges that the UE has two associated AMFs (i.e. two registered PLMNs), one for 3GPP access and the other one for non-3GPP access, the UDM may send two Nudm_UDM_Notification messages to the two AMFs.

Alternatively, the UDM indicates to the AMF that reloading subscriber data from the UDM is required in the Nudm_SDM_Notification message. If the AMF receives the Nudm_SDM_Notification message with the parameter "subscriber data reload required", the AMF sets a new flag "subscriber data reload required" active and the AMF sends the DL NAS transport message to the UE with the parameter "re-registration required" so that the UE can perform two registration procedures, one for 3GPP access and the other one for non-3GPP access. When the AMF receives the registration request message from the UE and the AMF has the flag "subscriber data reload required" active, the AMF invokes the Nudm_SDM_Get procedure to the UDM to fetch the latest subscriber data from the UDM even when the AMF already has the subscriber data. Once the AMF has performed the Nudm_SDM_Get procedure, the AMF sets the flag "subscriber data reload required" inactive.

Alternatively, the UDM indicates to the AMF that reloading subscriber data from the UDM is required in the Nudm_SDM_Notification message. If the AMF receives the Nudm_SDM_Notification message with the parameter "subscriber data reload required", the AMF sends the DL NAS transport message to the UE with the new parameter "re-registration required for subscriber data reloading" so that the UE can perform two registration procedures, one for 3GPP access and the other one for non-3GPP access. When the AMF receives the registration request message with the parameter "re-registration required for subscriber data reloading" from the UE, the AMF invokes the Nudm_SDM_Get procedure to the UDM to fetch the latest subscriber data from the UDM even when the AMF already has the subscriber data.

In case the UDM acknowledges that the UE has two associated AMFs but the new updated UE configuration data affects only one AMF, then the UDM may send only one Nudm_UDM_Notification message to the AMF that is affected by this update.

6. The AMF delivers the UPU data, UPU-MAC-IAUSF and CounterUPU to the UE in the DL NAS Transport message via the selected PLMN or via the selected RAT.

7. According to embodiment 1, the UE selects the appropriate key from the storage, i.e. because it detects which AN was used for sending the SoR message or because it reads a field in the SoR message that indicates the AN (or other key identifying information). Using the selected key, the UE verifies the integrity protection and optionally returns a message integrity protected using the same mechanism.
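The UDM's choice between selecting a PLMN and selecting a RAT, applying factors i) to iv) of step 1 of the variant of the first embodiment and of this second embodiment, as an added example that is not part of this publication. The Registration and UeContext records, the precedence among the four factors, the shared-AMF flag and the sample PLMN IDs are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Registration:
    plmn_id: str
    rat: str              # "NR" for 3GPP access, "non-3GPP" for e.g. N3IWF access
    connected: bool       # factor i): UE is in connected state over this access
    congested: bool       # factor iii): this PLMN is congested
    auth_order: int       # factor iv): higher = more recent authentication run


@dataclass
class UeContext:
    registrations: List[Registration]
    supports_multiple_kausf: bool       # some UEs keep only the latest KAUSF
    equivalent_plmns: Set[frozenset]    # pairs of PLMN IDs treated as equivalent
    shared_amf: bool = False            # core network sharing: one AMF, several PLMN IDs


def same_or_equivalent(ctx: UeContext, a: str, b: str) -> bool:
    return a == b or frozenset((a, b)) in ctx.equivalent_plmns


def rank(reg: Registration) -> tuple:
    # Factors i) to iv) applied in that order; a higher tuple is preferred.
    # This precedence is an assumption of the example, not of the publication.
    return (int(reg.connected), int(reg.rat != "non-3GPP"), int(not reg.congested), reg.auth_order)


def select_delivery_path(ctx: UeContext) -> Dict[str, Optional[str]]:
    """What the UDM indicates in Nudm_SDM_UpdateNotification / Nudm_SDM_Notification.

    Different, non-equivalent PLMNs: a PLMN is selected. Identical or equivalent
    PLMNs (same AMF): a RAT is selected, plus the PLMN ID when the AMF is shared.
    A UE that cannot store several KAUSFs can only verify a MAC made with the
    latest one, so the access of the latest authentication is forced (factor iv).
    """
    regs = ctx.registrations
    if not regs:
        raise ValueError("UE is not registered anywhere")
    if not ctx.supports_multiple_kausf:
        chosen = max(regs, key=lambda r: r.auth_order)
    else:
        chosen = max(regs, key=rank)
    plmns_differ = any(not same_or_equivalent(ctx, chosen.plmn_id, r.plmn_id) for r in regs)
    if plmns_differ:
        return {"plmn_id": chosen.plmn_id, "rat": None}
    return {"plmn_id": chosen.plmn_id if ctx.shared_amf else None, "rat": chosen.rat}


def affected_amfs(ctx: UeContext, affected_plmns: Set[str]) -> List[str]:
    """Fan-out rule of this embodiment: notify only the AMF(s) whose configuration
    the update affects; an empty set means every registered PLMN is notified."""
    targets = [r.plmn_id for r in ctx.registrations
               if not affected_plmns or r.plmn_id in affected_plmns]
    return sorted(set(targets))
```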
`
`
The UE configuration data may be the UE subscription data, i.e. subscription data stored at the AMF or SMF (5G subscription, Subscribed S-NSSAI, allowed or non-allowed tracking area), or the UE subscriber data, i.e. the data stored in the ME memory or USIM (e.g. Routing Identity, Default configured NSSAI).

The Nausf_UPUProtection message and Nausf_UPUProtection Response message are further defined in the fifth embodiment.

As one example, there could be a situation where the UDM needs to ask the UE or the AMF to perform the authentication procedure. For example, the UE performs a handover from the EPS to the 5GS and no 5G based authentication takes place in the 5GS. In this case, the UE and the network may end up with a so-called 'mapped' security context. This means that the UE previously authenticated to another network type, for example EPC / LTE, and that the UE has com