Patent classifications
H04W12/0431
Scalable content restriction
Groups of devices may be prevented from accessing content by encrypting the content. A plurality of secrets associated with a decryption key may be generated using a secret sharing algorithm. The plurality of secrets may be sent to one or more groups of devices to derive the decryption key. A non-restricted subset of the groups of devices may receive one or more secrets. Devices within the non-restricted subset of the groups may be able to use one or more secrets to determine the decryption key for the content. Groups that do not receive one or more secrets may be unable to determine the decryption key for the content.
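The restriction scheme in this abstract, worked through as an added example in Go (not the patent's or any product's code): a content key is split with Shamir secret sharing, one share per group of devices, the content is encrypted under that key, and only a set of groups holding at least the threshold number of shares can rebuild the key. The abstract says only "a secret sharing algorithm"; the use of Shamir's scheme over GF(2^521 - 1), the 3-of-5 threshold, AES-256-GCM as the content cipher, and the sample content are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"math/big"
)

// Share field: the Mersenne prime 2^521 - 1, so any 256-bit AES key is a valid element.
var fieldPrime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one point (x, y) on the secret polynomial; x doubles as the group index.
type Share struct {
	X int
	Y *big.Int
}

// SplitKey splits a content key into n shares, any t of which reconstruct it
// (Shamir's scheme over GF(p)). One share is sent to each non-restricted group.
func SplitKey(key []byte, n, t int) ([]Share, error) {
	secret := new(big.Int).SetBytes(key)
	if t < 2 || n < t || n > 255 || secret.Cmp(fieldPrime) >= 0 {
		return nil, errors.New("invalid threshold parameters or key too large")
	}
	coeffs := make([]*big.Int, t) // coeffs[0] is the secret, the rest are random
	coeffs[0] = secret
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, fieldPrime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := t - 1; j >= 0; j-- { // Horner evaluation of the polynomial at x, mod p
			y.Mod(y.Add(y.Mul(y, x), coeffs[j]), fieldPrime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// CombineKey interpolates the polynomial at x = 0 (Lagrange). With fewer than t
// distinct shares the result is an unrelated field element, not the key.
func CombineKey(shares []Share, keyLen int) []byte {
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, big.NewInt(int64(-sj.X)))
				den.Mul(den, big.NewInt(int64(si.X-sj.X)))
			}
		}
		term := new(big.Int).Mul(si.Y, num.Mod(num, fieldPrime))
		term.Mul(term, new(big.Int).ModInverse(den.Mod(den, fieldPrime), fieldPrime))
		sum.Mod(sum.Add(sum, term), fieldPrime)
	}
	b := sum.Bytes()
	if len(b) > keyLen { // only a wrong reconstruction can be this large
		b = b[len(b)-keyLen:]
	}
	out := make([]byte, keyLen)
	copy(out[keyLen-len(b):], b)
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RestrictionDemo encrypts constructed content under a random key, splits the key
// 3-of-5 across five groups, and reports whether three non-restricted groups
// (shares 1-3) and two restricted groups (shares 4-5) can decrypt it.
func RestrictionDemo() (bool, bool, error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return false, false, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newGCM(key)
	if err != nil {
		return false, false, err
	}
	ct := aead.Seal(nil, nonce, []byte("constructed sample content"), nil)
	shares, err := SplitKey(key, 5, 3)
	if err != nil {
		return false, false, err
	}
	aeadAllowed, _ := newGCM(CombineKey(shares[:3], 32)) // 32-byte keys: NewCipher cannot fail
	aeadRestricted, _ := newGCM(CombineKey(shares[3:], 32))
	_, errAllowed := aeadAllowed.Open(nil, nonce, ct, nil)
	_, errRestricted := aeadRestricted.Open(nil, nonce, ct, nil)
	return errAllowed == nil, errRestricted == nil, nil
}
```

Two points worth noting. First, a group below the threshold does not get a "slightly wrong" key: interpolation over the field yields an element independent of the secret, and the GCM tag check fails, which is what makes the restriction an all-or-nothing property. Second, revoking a group is a matter of not sending it a share for the next key, but the shares themselves must travel over authenticated channels, since any t shares, however obtained, reconstruct the key.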
Secure firmware transfer for an integrated universal integrated circuit card (iUICC)
A device can (i) operate a primary platform (PP) within a tamper resistant element (TRE) and (ii) receive encrypted firmware images for operating within the primary platform. The TRE can store in nonvolatile memory of the TRE (i) a PP static private key (SK-static.PP), (ii) a server public key (PK.IDS1), and (iii) a set of cryptographic parameters. The TRE can generate a one-time PKI key pair of SK-OT1.PP and PK-OT1.PP and send the public key PK-OT1.PP to a server. The TRE can receive a one-time public key from the server comprising PK-OT1.IDS1. The TRE can derive a ciphering key using an elliptic curve Diffie-Hellman key exchange and the SK-static.PP, SK-OT1.PP, PK.IDS1, and PK-OT1.IDS1 keys. The TRE can decrypt the encrypted firmware using the derived ciphering key. The primary platform can comprise a smart secure platform (SSP) and the decrypted firmware can comprise a virtualized image for the primary platform.
COMMUNICATION SYSTEM, METHOD, AND APPARATUS
This application provides a communication system, method, and apparatus. The system is applied to implement AKMA service-based data transmission between a terminal device and an application function network element, and the system includes an AKMA anchor function network element and a network exposure function network element. The network exposure function network element obtains first identification information from a unified data management network element, where the first identification information is used to determine an authentication server function network element corresponding to the terminal device, and sends the first identification information to the AKMA anchor function network element. The AKMA anchor function network element obtains, from the unified data management network element based on the first identification information, identification information of the authentication server function network element corresponding to the terminal device.
DIRECT SMF CONTROL PLANE WITH gNB
The disclosed technology separates session management function signaling from the AMF. In particular, an SMF key is created for each SMF after the AMF generates an SM context request that contains gNB information and UE subscription information. Each PDU session creates a direct connection between the SMF and a local gNB. The gNB communicates with each SMF directly over a new interface (N3-C) for session management that is independent of the N2 interface used by the gNB to communicate with the AMF for mobility management. In this way, each SMF independently handles NAS signaling with the UE, using the SMF key and gNB-related session-management signaling over an independent interface with the gNB. This removes the burden of relaying these communications through the AMF, which is then freed up solely to handle mobility management signaling, resulting in an improved architecture.
ACCESSING CORPORATE RESOURCES THROUGH AN ENROLLED USER DEVICE
Systems and methods are described for accessing resources of a Unified Endpoint Management (“UEM”) system through an enrolled device. In an example, an unenrolled device can be paired with an enrolled device. The unenrolled device can connect to the enrolled device on a local network. The enrolled device can verify the unenrolled device using a key provided during pairing. The unenrolled device can send requests for UEM resources to the enrolled device, which the enrolled device can forward to a UEM server. The UEM server can send the requested UEM resources to the enrolled device, and the enrolled device can send the UEM resources to the unenrolled device over the local network.
SECRETS ROTATION FOR VEHICLES
Systems and methods for message format communication among resource-constrained devices are generally described. In some examples, a first message sent by an edge computing device may be received. A determination may be made that the first message comprises a first data format identifier. A determination may be made that the first message comprises a first data format patch. A determination may be made that the first data format identifier was previously stored in a data structure in association with a first data format. In various examples, the first data format may be modified using the first data format patch to generate a first modified data format. The first modified data format may be stored in the data structure in association with the first data format identifier. In some examples, a payload of the first message may be read using the first modified data format.
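The receive path in this abstract (look up the stored format by identifier, apply the data format patch the message carries, read the payload with the modified format, store the modified format), as an added example in Go that is not the patent's code. The abstract defines neither the data format nor the patch language, so the following are this example's assumptions: a format is a list of fixed-width big-endian unsigned integer fields, a patch is a list of add/drop operations, the registry is an in-memory map, the bound of 32 fields, the requirement that payload length match the format exactly, and the order "parse, then store". The example generalizes slightly beyond the abstract by also handling messages without a patch and by rejecting patches for identifiers that were never stored.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Field is one fixed-width, big-endian unsigned integer in a payload.
type Field struct {
	Name string
	Size int // bytes, 1..8
}

// Op is one patch operation: "add" appends a field, "drop" removes one by name.
type Op struct {
	Kind  string
	Field Field
}

const maxFields = 32 // bound on how far patches may grow a format

// Registry maps a data format identifier to its current field list.
type Registry map[uint16][]Field

func indexOf(format []Field, name string) int {
	for i, f := range format {
		if f.Name == name {
			return i
		}
	}
	return -1
}

// applyPatch returns a patched copy of a stored format. It rejects identifiers
// that were never stored, bad sizes, duplicate or missing names and oversized
// formats, and never modifies the stored format itself. A nil patch just copies.
func (r Registry) applyPatch(id uint16, patch []Op) ([]Field, error) {
	base, ok := r[id]
	if !ok {
		return nil, fmt.Errorf("format %d was not previously stored; message rejected", id)
	}
	format := append([]Field(nil), base...)
	for _, op := range patch {
		i := indexOf(format, op.Field.Name)
		switch {
		case op.Kind == "add" && (op.Field.Size < 1 || op.Field.Size > 8):
			return nil, fmt.Errorf("field %q: invalid size %d", op.Field.Name, op.Field.Size)
		case op.Kind == "add" && i >= 0:
			return nil, fmt.Errorf("field %q already present", op.Field.Name)
		case op.Kind == "add" && len(format) >= maxFields:
			return nil, fmt.Errorf("format %d would exceed %d fields", id, maxFields)
		case op.Kind == "add":
			format = append(format, op.Field)
		case op.Kind == "drop" && i < 0:
			return nil, fmt.Errorf("field %q not present", op.Field.Name)
		case op.Kind == "drop":
			format = append(format[:i], format[i+1:]...)
		default:
			return nil, fmt.Errorf("unknown patch op %q", op.Kind)
		}
	}
	return format, nil
}

// ReadPayload decodes a payload with a format. The length must match exactly,
// so a patch cannot silently shift fields or read past the payload.
func ReadPayload(format []Field, payload []byte) (map[string]uint64, error) {
	total := 0
	for _, f := range format {
		total += f.Size
	}
	if total != len(payload) {
		return nil, fmt.Errorf("payload is %d bytes but format needs %d", len(payload), total)
	}
	out, off := make(map[string]uint64, len(format)), 0
	for _, f := range format {
		var buf [8]byte
		copy(buf[8-f.Size:], payload[off:off+f.Size])
		out[f.Name] = binary.BigEndian.Uint64(buf[:])
		off += f.Size
	}
	return out, nil
}

// Handle is the receive path: resolve and patch the format, read the payload,
// then store the modified format. Storing only after the payload parsed is this
// example's hardening; the abstract stores before reading.
func (r Registry) Handle(id uint16, patch []Op, payload []byte) (map[string]uint64, error) {
	format, err := r.applyPatch(id, patch)
	if err != nil {
		return nil, err
	}
	values, err := ReadPayload(format, payload)
	if err != nil {
		return nil, err
	}
	r[id] = format
	return values, nil
}
```

The checks are the point for a practitioner: a sender that can patch the receiver's parser schema is, in effect, supplying parser configuration. Bounding field count and width, refusing patches for unknown identifiers, and requiring the payload to match the patched format exactly keep a malformed or hostile patch from growing the registry without limit or from making later payloads decode under a shifted layout.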
NETWORK CONNECTION METHOD, TERMINAL, DEVICE TO BE CONNECTED TO NETWORK, AND STORAGE MEDIUM
A network connection method is performed by a terminal and comprises: establishing a pre-connection with a to-be-accessed device, the to-be-accessed device being a device that is to access a network; generating a first key pair and sending a first public key of the first key pair to the to-be-accessed device; generating a first shared key based on the first key pair and first key negotiation information corresponding to the to-be-accessed device; encrypting network configuration information of a network device by using the first shared key, to obtain encrypted network configuration information; and sending the encrypted network configuration information to the to-be-accessed device, so that the to-be-accessed device can decrypt the encrypted network configuration information with a second shared key and access the network device based on the decrypted network configuration information.
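This terminal-to-device exchange and the iUICC firmware transfer earlier on the page rest on the same construction: a key pair generated for the exchange, an elliptic curve Diffie-Hellman agreement with the peer's key, and the result used as a ciphering key for the protected payload. The following Go program is an added example (not code from either patent) of the richer iUICC variant: the TRE and the server each hold a static and a one-time P-256 key pair, each derives the ciphering key from the four keys the abstract names, and the server's AES-GCM-encrypted firmware is decrypted by the TRE. The network-configuration exchange above is the same construction reduced to a single one-time-to-one-time ECDH term. This example's assumptions, which neither abstract specifies: which ECDH terms are combined (OT x OT, TRE static x server OT, TRE OT x server static), SHA-256 over a fixed label as the KDF, AES-256-GCM as the cipher, and the constructed firmware bytes; the names Party, DeriveKey and TransferFirmware are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var curve = ecdh.P256()

// Party holds a static key pair and a fresh one-time (OT) key pair: SK-static.PP
// and SK-OT1.PP on the TRE, SK.IDS1 and SK-OT1.IDS1 on the server.
type Party struct {
	Static, OneTime *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	s, err1 := curve.GenerateKey(rand.Reader)
	o, err2 := curve.GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return &Party{Static: s, OneTime: o}, nil
}

// DeriveKey derives the ciphering key from the four keys the abstract names.
// ASSUMPTION (this example's choice, not the patent's): SHA-256 over a label,
// three ECDH results (OT x OT, TRE static x server OT, TRE OT x server static)
// and both OT public keys, always in TRE-then-server order.
func DeriveKey(me *Party, peerStatic, peerOT *ecdh.PublicKey, isTRE bool) ([]byte, error) {
	otot, err1 := me.OneTime.ECDH(peerOT)
	myStaticPeerOT, err2 := me.Static.ECDH(peerOT)
	myOTPeerStatic, err3 := me.OneTime.ECDH(peerStatic)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	myOT := me.OneTime.PublicKey().Bytes()
	// Seen from the server, "my static x peer OT" is the TRE's "my OT x peer static".
	parts := [][]byte{[]byte("iUICC-firmware-key-v1"), otot, myStaticPeerOT, myOTPeerStatic, myOT, peerOT.Bytes()}
	if !isTRE {
		parts = [][]byte{[]byte("iUICC-firmware-key-v1"), otot, myOTPeerStatic, myStaticPeerOT, peerOT.Bytes(), myOT}
	}
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TransferFirmware runs the exchange end to end with freshly generated keys
// (constructed data; a real TRE has PK.IDS1 provisioned in nonvolatile memory)
// and returns the image as decrypted by the TRE.
func TransferFirmware(firmware []byte) ([]byte, error) {
	tre, err := NewParty()
	if err != nil {
		return nil, err
	}
	srv, err := NewParty()
	if err != nil {
		return nil, err
	}
	// On the wire: the TRE sends PK-OT1.PP, the server answers with PK-OT1.IDS1.
	kTRE, err := DeriveKey(tre, srv.Static.PublicKey(), srv.OneTime.PublicKey(), true)
	if err != nil {
		return nil, err
	}
	kSrv, err := DeriveKey(srv, tre.Static.PublicKey(), tre.OneTime.PublicKey(), false)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(kSrv) // server side: encrypt the image
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encrypted := aead.Seal(nonce, nonce, firmware, nil)
	if aead, err = newGCM(kTRE); err != nil { // TRE side: its own derivation
		return nil, err
	}
	return aead.Open(nil, encrypted[:aead.NonceSize()], encrypted[aead.NonceSize():], nil)
}
```

The reason to mix the static keys into the derivation rather than use only the one-time pair is authentication: a party that does not hold SK.IDS1 (or, symmetrically, SK-static.PP) cannot compute the mixed terms and so cannot produce an image the TRE will accept, which is the property a firmware channel into a tamper resistant element needs. The one-time keys give forward secrecy for each transfer; AES-GCM gives the integrity check that turns a wrong key into a decryption failure rather than a corrupted image.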