A method for creating single-use authentication messages includes creating, at a consumer network function of a core network of a telecommunications network, a message hash of at least a subset of a request message. The method includes adding, at the consumer network function, the message hash to a client credentials assertion (CCA) token for the consumer network function. The method includes sending, from the consumer network function, the request message with the CCA token to a producer network function.

A method and device are disclosed for PC5 Signaling (PC5-S) message reception from the perspective of a UE-to-UE relay. The UE-to-UE relay receives a first PC5-S message on a first sidelink Signal Radio Bearer (SRB) from a first UE, wherein the first PC5-S message is used to establish a first sidelink security between the UE-to-UE relay and the first UE, to update link identifier(s) associated with a first link between the first UE and the UE-to-UE relay, or to modify the first link between the first UE and the UE-to-UE relay. The UE-to-UE relay also delivers the first PC5-S message to an upper layer of the UE-to-UE relay.

A method and device are disclosed for PC5 Signaling (PC5-S) message reception from the perspective of a UE-to-UE relay. The UE-to-UE relay receives a first PC5-S message on a first sidelink Signal Radio Bearer (SRB) from a first UE, wherein the first PC5-S message is used to establish a first sidelink security between the UE-to-UE relay and the first UE, to update link identifier(s) associated with a first link between the first UE and the UE-to-UE relay, or to modify the first link between the first UE and the UE-to-UE relay. The UE-to-UE relay also delivers the first PC5-S message to an upper layer of the UE-to-UE relay.

A method of a relay user equipment (UE) can include receiving, at the relay UE, from a first neighbor UE, a communication request message for establishing a connection between an initiating UE and a target UE, the communication request message including first security-establishment-related information originating from the initiating UE for establishing a security association between the initiating UE and the target UE; modifying the communication request message to add second security-establishment-related information for establishing a security association between the relay UE and a second neighbor UE; and transmitting to the second neighbor UE the modified communication request message that includes the first security-establishment-related information originating from the initiating UE for establishing the security association between the initiating UE and the target UE, and the second security-establishment-related information added by the relay UE for establishing the security association between the relay UE and the second neighbor UE.

A method of a relay user equipment (UE) can include receiving, at the relay UE, from a first neighbor UE, a communication request message for establishing a connection between an initiating UE and a target UE, the communication request message including first security-establishment-related information originating from the initiating UE for establishing a security association between the initiating UE and the target UE; modifying the communication request message to add second security-establishment-related information for establishing a security association between the relay UE and a second neighbor UE; and transmitting to the second neighbor UE the modified communication request message that includes the first security-establishment-related information originating from the initiating UE for establishing the security association between the initiating UE and the target UE, and the second security-establishment-related information added by the relay UE for establishing the security association between the relay UE and the second neighbor UE.

A method for identifier management for user devices operating in an inactive mode includes receiving a first uplink transmission including a user device identifier associated with a user device, transmitting a first downlink transmission including an indication of an ephemeral identifier assigned to the user device, transmitting a second downlink transmission including data associated with the ephemeral identifier, and discarding the ephemeral identifier.

A method for identifier management for user devices operating in an inactive mode includes receiving a first uplink transmission including a user device identifier associated with a user device, transmitting a first downlink transmission including an indication of an ephemeral identifier assigned to the user device, transmitting a second downlink transmission including data associated with the ephemeral identifier, and discarding the ephemeral identifier.

A communication method includes receiving, by an access network (AN) node, indication information from a mobility management device. The indication information is indicative of a security policy of a quality of service (QoS) flow. The method also includes obtaining, by the access network node based on the indication information, security information of a radio bearer corresponding to the QoS flow. The security information is indicative of a security policy of the radio bearer. The method further includes sending, by the access network node, an identifier of the radio bearer and the security information of the radio bearer to a terminal.

A communication method includes receiving, by an access network (AN) node, indication information from a mobility management device. The indication information is indicative of a security policy of a quality of service (QoS) flow. The method also includes obtaining, by the access network node based on the indication information, security information of a radio bearer corresponding to the QoS flow. The security information is indicative of a security policy of the radio bearer. The method further includes sending, by the access network node, an identifier of the radio bearer and the security information of the radio bearer to a terminal.

A method of operating a Master gNodeB (MgNB) in a radio access network RAN is disclosed. An indication of a user plane security policy is received from a core network node, wherein the user plane security policy requires user plane integrity protection for a protocol data unit PDU session. Responsive to the user plane security policy requiring user plane integrity protection for the PDU session and responsive to determining that a secondary base station supporting the user plane security policy requiring user plane integrity protection is unavailable, a data radio bearer DRB of the PDU session is established directly between the MgNB and a user equipment UE. Related MgNBs are also discussed.