H04W36/0038

Refreshing security keys in 5G wireless systems

Techniques for refreshing security keys for enciphering and deciphering packets in a wireless communications system are provided. An exemplary method generally includes transmitting, while in a state with no dedicated resources allocated to the UE, a first message to request resumption of a radio resource control (RRC) connection, the first message encrypted using a first set of one or more keys, receiving, in response to the first message, a second message encrypted using the first set of one or more keys or a second set of one or more keys, determining, based on an indication in the second message or received prior to the second message, whether portions of the second message are encrypted using the second set of one or more keys, and processing the second message using the first set of one or more keys or the second set of one or more keys, based on the determination.

METHOD AND APPARATUS FOR APPLYING TARGET NETWORK CONFIGURATION BY USER EQUIPMENT IN WIRELESS COMMUNICATION SYSTEM
20220361063 · 2022-11-10

The present invention relates to a method of transmitting a signal by a user equipment (UE) in a wireless communication system. In particular, the method includes the steps of receiving, from a first network, a handover command containing configurations for a second network; performing a random access procedure to the second network; re-establishing a packet data convergence protocol (PDCP) entity associated with a signaling radio bearer (SRB) based on the configurations for the second network, after the random access procedure to the second network succeeds; and transmitting a radio resource control (RRC) message to the second network using the re-established PDCP entity.

Method and apparatus for negotiating security during handover between different radio access technologies
11576089 · 2023-02-07

A solution for security negotiation during handover of a user equipment (UE) between different radio access technologies is provided. In the solution, the UE receives non-access stratum (NAS) security information and access stratum (AS) security information which are selected by the target system and then performs security negotiation with the target system according to the received NAS security information and AS security information. As such, the UE may obtain the key parameter information of the NAS and AS selected by a Long Term Evolution (LTE) system and perform security negotiation with the LTE system when the UE hands over from a different system, such as a Universal Terrestrial Radio Access Network (UTRAN), to the LTE system.

Handover handling method and apparatus
11576092 · 2023-02-07

A handover handling method and apparatus applied to a scenario in which user equipment (UE) is handed over from a first access and management function (AMF) to a second AMF, and where the method includes receiving, by the UE, a handover command message from a first access network device, wherein the handover command message carries a Non-Access Stratum container (NASC), performing, by the UE, integrity verification on the NASC, and continuing, by the UE, to use a first NAS security context when the integrity verification performed on the NASC fails, wherein the first NAS security context is a security context used between the UE and the first AMF.

METHOD AND APPARATUS FOR HANDLING STATE VARIABLES FOR SECURITY DURING HANDOVER PROCEDURE IN WIRELESS COMMUNICATION SYSTEM
20230097673 · 2023-03-30

The present invention relates to a method of performing a handover procedure by a user equipment (UE) in a wireless communication system. In particular, the method includes the steps of receiving a handover command containing information about at least one COUNT value from a first network; establishing a first Packet Data Convergence Protocol (PDCP) entity associated with a second network while maintaining a second PDCP entity associated with the first network; performing a random access procedure with the second network; and, based on a handover failure with the second network being detected, transmitting a message informing the first network of the handover failure, while setting at least one state variable for the first PDCP entity according to the at least one COUNT value.

SELECTIVE CACHING OF PAIRWISE MASTER KEYS IN STREAMLINED ROAMING

Systems and methods are provided for seamless roaming in a network. First, a client device is authenticated at a first access point of the network. Next, a processor selectively determines, among remaining access points in the network, second access points at which respective precursor keys, such as Pairwise Master Keys R1 (PMK-R1s) are to be computed. The second access points are determined based on any of respective path losses from the first access point to the second access points and respective historical frequencies at which the client device associates at the respective remaining access points. For the second access points, the respective PMK-R1s are computed and transmitted to the second access points to be cached. Next, following a request from the client device to reassociate to a second access point of the second access points, the client device is authenticated at the second access point based on a corresponding PMK-R1.

OPTIMIZING KEY ALLOCATION DURING ROAMING USING MACHINE LEARNING

Systems and methods are provided for optimizing resource consumption by bringing intelligence to the key allocation process for fast roaming. Specifically, embodiments of the disclosed technology use machine learning to predict which AP a wireless client device will migrate to next. In some embodiments, machine learning may also be used to select a subset of top neighbors from a neighborhood list. Thus, instead of allocating keys for each of the APs on the neighborhood list, key allocation may be limited to the predicted next AP, and the subset of top neighbors. In some embodiments, a reinforcement learning model may be used to dynamically adjust the size of the subset in order to optimize resources while satisfying variable client demand.

Method and computing device for carrying out data integrity protection
11490257 · 2022-11-01

A method for carrying out data integrity protection on a communication network. According to an implementation, a wireless communication device indicates, to a wireless network, the maximum data rate up to which integrity protection is supported for user plane data. A network node (e.g., a node of the core network, such as an SMF) receives this information and determines whether or not to enable integrity protection for user plane data based on the information (possibly in conjunction with other information such as the minimum data rate to be supported, etc.). The network node then communicates the decision to enable or disable integrity protection to a RAN node (e.g., a wireless base station).

KEY OBTAINING METHOD AND APPARATUS
20230092744 · 2023-03-23

In a key obtaining method and an apparatus, a first core network device obtains a first key, and the first core network device performs derivation based on the first key to obtain a second key and a third key. The second key is for performing security processing on control plane signaling of a terminal device, and the third key is for performing security processing on user plane data of the terminal device. The first core network device sends the second key to a control plane entity of a first access network device, and sends the third key to a user plane entity of the first access network device.

Technologies For Relay User Equipment Reselection

The present application relates to devices and components including apparatus, systems, and methods for security enhancement with respect to reselection of relay user equipment.