Total found: 2879. Displayed: 195.

Publication date: 08-06-2021

Communication device, non-transitory computer-readable medium storing computer-readable instructions for communication device and method executed by communication device

Number: US0011029897B2

A communication device may: comprise an output unit configured to output first information obtained by using a first public key in a memory in a case where a predetermined instruction is inputted to the communication device; after the first information has been outputted, receive an authentication request in which the first public key is used from a terminal device; send an authentication response to the terminal device; establish a wireless connection between the communication device and an external device; and in a case where a predetermined condition is satisfied after the first information has been outputted, create a second public key different from the first public key and store the second public key in the memory. In a case where the predetermined instruction is inputted to the communication device again, the output unit may be configured to output second information obtained by using the second public key in the memory.

Publication date: 03-06-2021

METHODS FOR AUTHENTICATION AND KEY MANAGEMENT IN A WIRELESS COMMUNICATIONS NETWORK AND RELATED APPARATUSES

Number: US20210168599A1

A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.

1-33. (canceled)

34. A method for authentication and key management for applications, AKMA, for a terminal device in a wireless communication network, the method being performed by a network server, the method comprising: authenticating the terminal device during a primary authentication session for the terminal device; responsive to a successful authentication of the terminal device, obtaining a first key; and generating bootstrapping security parameters, wherein the parameters comprise a second key derived from the first key, and a temporary identifier, and wherein the temporary identifier identifies the terminal device and the bootstrapping security parameters.

35. The method of claim 34, wherein the authenticating the terminal device uses 5G authentication and key agreement protocol signaling during a primary authentication session for the terminal device.

36. The method of claim 34, wherein the authenticating the terminal device uses Extensible Authentication Protocol-Authentication and Key Agreement Prime, EAP-AKA′, protocol signaling during a primary authentication session for the terminal device.

37. The method of claim 34, further comprising: storing the bootstrapping security parameters in the network server.

38. The method of claim 34, further comprising: providing the bootstrapping security ...

Publication date: 19-05-2022

APPARATUS, SYSTEM AND METHOD FOR DUAL CONNECTIVITY

Number: US20220159537A1
Assignee: NEC Corporation

An SeNB (30) informs an MeNB (20) that it can configure bearers for the given UE (10). At this time, the MeNB (20) manages the DRB status, and then sends a key S-KeNB to the SeNB (30). The MeNB (20) also sends a KSI for the S-KeNB to both of the UE (10) and the SeNB (30). After this procedure, the MeNB (20) informs an EPC (MME (40) and S-GW (50)) about the new bearer configured at the SeNB (30), such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME (40) or S-GW (50)) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB (30) is a valid eNB to which the traffic can be offload.

Publication date: 06-02-2024

Method and apparatus for identifying security key in next generation mobile communication system

Number: US0011895488B2
Author: Donggun Kim, Soenghun Kim
Assignee: Samsung Electronics Co., Ltd.

The disclosure relates to a communication scheme and system for converging a 5th generation (5G) communication system for supporting a data rate higher than that of a 4th generation (4G) system with an internet of things (IoT) technology. The disclosure is applicable to intelligent services (e.g., smart home, smart building, smart city, smart car or connected car, health care, digital education, retail, and security and safety-related services) based on the 5G communication technology and the IoT-related technology. The disclosure relates to a method and apparatus for allowing a base station to identify a ciphering key (COUNT value) for security enhancement.

Publication date: 11-07-2023

Authentication and/or key management method, first device, terminal and communication device

Number: CN116419220A

Provided are an authentication and/or key management method, a first device, a terminal and a communication device, the method comprising: a device receiving a session establishment request message initiated by a UE, the request message carrying a key identifier; and acquiring a first key with the UE according to the key identifier. According to the invention, the application agent is newly added in the AKMA network architecture, one or more AFs can be replaced to apply for the AKMA application key, the AFs trust the application agent and can belong to the same trust domain, resources generated when the AUSF and the AAnF establish the AKMA application key for the UE and the AFs can be reduced, the time delay of obtaining the AKMA key is reduced, and the service requirement of a low-time-delay scene is met.

Publication date: 19-08-2021

METHODS FOR CONTROLLING ACCESS AND SYSTEM IMPLEMENTING SAID METHODS

Number: WO2021160965A1

A system for controlling access comprising at least one electronic access control box (2) and a remote access control server (3). The access control box (2) includes security keys in a memory, including a valid security key. The remote access control server is adapted to communicate with multi-function mobile units (4) that have downloaded a local access control application (APP) and that also have security keys in a memory. A method for controlling access implemented in said box and adapted to communicate with the multi-function mobile units (4). The method for controlling access comprises a step of updating the valid security key of the box, the instruction of which is addressed by an active multi-function mobile unit (4). A method for periodically updating a valid security key for the method for controlling access implemented in the remote access control server.

Publication date: 26-08-2021

KEY MATERIAL GENERATION OPTIMIZATION FOR AUTHENTICATION AND KEY MANAGEMENT FOR APPLICATIONS

Number: WO2021165000A1

A method performed by a wireless device (110) includes determining whether a first message received from a network node (160) includes an Authentication and Key Management for Applications (AKMA) key indicator and, based on whether the first message includes the AKMA indicator, determining whether to generate AKMA key material for the authentication procedure with the network.

Publication date: 29-12-2022

NETWORK MANAGEMENT SYSTEM TO ONBOARD HETEROGENEOUS CLIENT DEVICES TO WIRELESS NETWORKS

Number: US20220417742A1

Techniques are described that enable onboarding of a plurality of heterogeneous client devices with secure access to a wireless network using a network management system (NMS). The NMS has a memory to store a plurality of private pre-shared keys (PPSKs), where each PPSK is provisioned for a particular client device or a particular group of client devices. In response to a key lookup request from an access point (AP) device for a client device, the NMS performs a key lookup and, in response to identifying a PPSK provisioned for the client device, authenticates the client device to access the wireless network via the AP device. The NMS then manages one or more of tracking the client device, policy application to the client device, or handling of network traffic from the client device while connected to the wireless network using the PPSK as an identifier of the client device.

Publication date: 12-07-2022

Cryptographic security in multi-access point networks

Number: US0011388590B2

A method for communication in a WLAN includes onboarding, authenticating, and configuring respective BSSs of multiple access points in a multi-AP network. Respective cryptographic keys are generated for the multi-AP agents in the network by carrying out a handshaking procedure between the multi-AP controller and the multi-AP agents over the backhaul network. Upon detecting a predefined rekeying event in communications between the multi-AP controller and any given multi-AP agent, a new cryptographic key is generated for the given multi-AP agent by repeating the handshaking procedure, and applying the new cryptographic key in encrypting and authenticating messages following the rekeying event.

Publication date: 12-07-2022

Security context handling in 5G during handover

Number: US0011388592B2

The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.

Publication date: 07-09-2023

UAS AUTHENTICATION AND SECURITY ESTABLISHMENT

Number: US20230284030A1

Apparatuses, methods, and systems are disclosed for UAS authentication and security establishment. One apparatus includes a transceiver that sends, from a first network function of a mobile wireless communication network, an authentication request message from a user equipment (“UE”) to a UAS Service Supplier (“USS”)/UAS Traffic Management (“UTM”), the UE comprising at least one of an unmanned aerial vehicle (“UAV”) and a UAV controller (“UAV-C”). The transceiver receives, at the first network function from the USS/UTM, an authentication response message comprising a UAS identifier and a UAS security context.

Publication date: 15-11-2022

KEY UPDATE METHOD AND APPARATUS

Number: RU2783597C2

The invention relates to means for updating a key. The technical result consists in providing an update of the NAS key in a process in which an AMF node performs re-authentication on a terminal device using one access technology, which affects normal communication performed between the terminal device and the AMF node using another access technology. The terminal device accesses the core network device using both a first access technology and a second access technology simultaneously. The core network device performs re-authentication on the terminal device via a first connection corresponding to the first access technology and, if a trigger condition is met, the core network device updates the key for a second connection corresponding to the second access technology. 6 independent and 18 dependent claims, 17 figures.

Publication date: 26-08-2021

PUBLISH/SUBSCRIBE MESSAGING

Number: WO2021165100A1

Some embodiments of the present invention comprise a method, system, and/or computer program product for a publish/subscribe messaging system. A processor identifies a subscriber of a pub/sub messaging system. The processor retrieves a stored encrypted key for the identified subscriber of the pub/sub messaging system. The processor communicates the retrieved encrypted key to a user selected from a group comprising a publisher of the pub/sub messaging system and the identified subscriber of the pub/sub messaging system. The processor implements end-to-end encryption of messages of the pub/sub messaging system based on key-groups.

Publication date: 16-11-2021

Identity-based message integrity protection and verification for wireless communication

Number: US0011178547B2
Assignee: Apple Inc., APPLE INC

Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PK_ID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PK_PKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SK_ID obtained from the PKG server, which generates the identity-based private key SK_ID using (i) the ID value of the network entity and (ii) a private key SK_PKG that is known only by the PKG server and corresponds to the public key PK_PKG.

Publication date: 11-01-2022

Systems and methods for post-hoc device registration

Number: US0011222319B2
Assignee: Cable Television Laboratories, Inc.

A method for managing a post-hoc device registration in an ecosystem is provided. The method includes assembling an electronic device, having a system on a chip (SoC) integrated therein. The method further includes activating/onboarding the device, receiving, by a CA from the device, a communication containing at least one keypair, validating, from the CA to the device, the at least one keypair, triggering, by the CA, data capture of validation data. The validation data includes user registration data, and manufacture/status data for at least one of the device and the SoC. The captured validation data is stored in a database of the CA, and then aggregated, along with the received at least one keypair, from the CA database into a billing invoice to the device assembler. The registration data is referenced to the at least one keypair and other validation data by the CA.

Publication date: 08-09-2022

WLAN MULTI-LINK TDLS KEY DERIVATION

Number: US20220286844A1
Assignee: HUAWEI TECHNOLOGIES CO., LTD.

Systems and methods for WLAN multi-link TDLS key derivation. An aspect of the disclosure provides a method for WLAN multi-link communication. Such a method includes sending, by a first station to a second station, a discovery request comprising a link identifier indicating a non-access point (AP) multi-link device (MLD), wherein the first station and the second station are associated with an AP MLD. Such a method further includes receiving, by the first station from the second station, a discovery response. In some embodiments, the method further includes receiving, by the first station from an AP affiliated with the AP MLD, a message indicating a MAC address of the second station. In some embodiments, the discovery request is sent via an AP affiliated with the AP MLD and a non-AP station affiliated with the second station.

1. A method comprising: sending, by a first station to a second station, a discovery request comprising a link identifier indicating a non-access point (AP) multi-link device (MLD), wherein the first station and the second station are associated with an AP MLD; and receiving, by the first station from the second station, a discovery response.

2. The method of further comprising: receiving, by the first station from an AP affiliated with the AP MLD, a message indicating a MAC address of the second station.

3. The method of claim 1, wherein the discovery request is sent via an AP affiliated with the AP MLD and a non-AP station affiliated with the second station.

4. The method of claim 1, wherein one of the discovery request or the discovery response further comprises a multi-link element (MLE) indicating one or more addresses of AP entities.

5. The method of claim 1, further comprising: sending, by the first station to the second station, a setup request; and receiving, by the first station from the second station, a setup response.

6. The method of claim 5, wherein the setup request indicates an authentication and key management (AKM) suite for ...

Publication date: 29-11-2022

Terminal device, key distribution management device, server-client system, communication method, and programs

Number: US0011516195B2

To provide a terminal device that can share a session key for use in encryption communication with multiple terminal devices at a certain timing without relying on an existing server device. The terminal device includes: a list/request sending unit that, when the terminal device operates as an owner device, generates a key distribution request, signs the key distribution request, and transmits the key distribution request to a key distribution management device; a participation request sending unit that, when the terminal device operates as a general device, generates a participation request, signs the participation request, and transmits the participation request to the key distribution management device; a session key generating unit that executes an authentication-based multipoint key distribution algorithm of server-client type in cooperation with another terminal device participating in the session and with the key distribution management device to generate a session key; and a post-confirmation ...

Publication date: 08-11-2022

Secure computation system and relay device, and method, program, and recording medium thereof

Number: US0011496893B2

A relay device transfers a plurality of original data fragments corresponding to a plurality of secret sharing values of original data to a plurality of secure computation devices, transfers, to each of the secure computation devices, a request to send a result fragment based on a secure computation result corresponding to any one of the original data fragments, and transfers the result fragment. The relay device controls timing with which the original data fragments are transferred and timing with which the request to send is transferred.

Publication date: 26-09-2023

Method and apparatus of supporting lossless PDCP version change in next-generation mobile communication system

Number: US0011770712B2
Author: Donggun Kim

A method and terminal are provided in which a radio resource control (RRC) message is received which includes information instructing a version change from a first packet data convergence protocol (PDCP) to a second PDCP entity. First data is transferred from the first PDCP entity to the second PDCP entity in case that the first PDCP entity is changed to the second PDCP entity, and the first PDCP entity is released. A new PDCP header associated with the transferred first data is configured. The transferred first data is encrypted with a new security key. The first data is data having a value greater than or equal to a PDCP sequence number for which successful delivery is not acknowledged, from a radio link control (RLC) entity connected to the first PDCP entity, before reception of the RRC message.

Publication date: 21-05-2024

Multi-device communication management

Number: US0011991566B2
Assignee: Apple Inc.

A device implementing the subject technology may include at least one processor configured to transmit an allocation request requesting allocation of a group communication session with a plurality of devices and receive an allocation response in response to the allocation request, the allocation response including credential information for the device to use to join the group communication session. The at least one processor may be further configured to transmit an allocation bind request with the credential information to join the group communication session using the credential information and receive an allocation bind success response in response to the allocation bind request, the allocation bind success response indicating that the device has joined the group communication session. The at least one processor may be further configured to provide a join notification to the plurality of devices via an intermediary device to notify that the device has joined the group communication session ...

Publication date: 01-11-2023

METHOD AND APPARATUS FOR DISTINGUISHING BETWEEN DATA FORMATS, AND COMMUNICATION DEVICE

Number: EP4236269A3
Author: YOU, Xin, LU, Qianxi

The embodiments of the present application provide a method and apparatus for distinguishing between data formats, and a communication device. The method comprises: a terminal receives a downlink data packet, and determines whether the data format of the downlink data packet is a first data format or a second data format, wherein the first data format indicates that the downlink data packet is encrypted using a first key of a source base station and/or compressed using a first header compression format of the source base station, and the second data format indicates that the downlink data packet is encrypted using a second key of a target base station and/or compressed using a second header compression format of the target base station.

Publication date: 20-07-2021

Communication system

Number: US0011071022B2
Assignee: NEC CORPORATION, NEC CORP, NEC Corporation

A communication system is described in which user plane communication and control plane communication for a particular mobile communication device can be split between a base station that operates a small cell and a macro base station. Appropriate security for the user plane and control plane communications is safeguarded by ensuring that each base station is able to obtain or derive the correct security parameters for protecting the user plane or control plane communication for which it is responsible.

Publication date: 30-05-2023

Method for generating Bluetooth network authenticating through authentication code generated based on post-quantum cryptography and Bluetooth network operating system performing same

Number: US0011665540B1
Assignee: NORMA Inc.

The present inventive idea relates to a method for forming a Bluetooth network which authenticates through an authentication code generated based on post-quantum cryptography and a Bluetooth network operating system performing the same. The method for forming a Bluetooth network performed by a master device to perform Bluetooth communication with a slave device according to an embodiment of the present disclosure may include: obtaining an address of the slave device by scanning the Bluetooth network; generating a public key and a private key; transmitting the public key to the scanned slave device; receiving a key capsule and an authentication code corresponding to the public key; generating a verification code by using the key capsule; generating a symmetric key by comparing the verification code with the authentication code; and performing communication through the Bluetooth network by using the symmetric key.

Publication date: 19-05-2022

DEVICE PROVISIONING AND AUTHENTICATION

Number: US20220159461A1

Among other things, techniques are described for provisioning and authentication of devices in vehicles. In one aspect, a device in a vehicle establishes a communication session with a network server that manages provisioning of devices corresponding to an enterprise associated with the vehicle. The device receives instructions from the network server to generate cryptographic keys, and in response, generates a public and private key pair. The device sends, to the network server, a certificate signing request that includes the public key and an identifier of the device. In response, the device receives a digital security certificate for the device, and a security certificate of a signing certificate authority. The device authenticates the security certificate of the certificate authority using a known enterprise root certificate, and upon successful authentication, stores the device security certificate and the security certificate of the signing certificate authority.

Publication date: 12-10-2023

NON-3GPP DEVICE ACCESS TO CORE NETWORK

Number: US20230328524A1

A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, security data is received that is related to the SI and is computed using the non-SI public key. The security data reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Publication date: 02-05-2024

OPTIMIZING THE COEXISTENCE OF OPPORTUNISTIC WIRELESS ENCRYPTION AND OPEN MODE IN WIRELESS NETWORKS

Number: US20240147230A1
Assignee: Intel Corporation

This disclosure describes systems, methods, and devices related to coexistence network integration. A device may transmit a beacon frame or a probe response frame containing a security element that is not a robust security network element (RSNE) element to indicate opportunistic wireless encryption (OWE) support. The device may identify a first association request frame received from a first station device (STA) comprising an RSNE element with OWE Authentication Key Management (AKM) indicating a compatibility of the first STA with OWE. The device may identify a second association request frame from a second station device (STA) indicating no compatibility with OWE. The device may generate one or more encryption keys for securing data transmission with OWE-compatible STAs. The device may transmit encrypted and unencrypted versions of groupcast data frames to the first STA and the second STA.

Publication date: 26-05-2021

DATA TRANSMISSION METHOD AND DEVICE

Number: EP2995165B1
Author: WANG, Yonggang
Assignee: Alcatel Lucent

Publication date: 26-08-2021

AUTHENTICATION SERVER FUNCTION SELECTION IN AUTHENTICATION AND KEY MANAGEMENT

Number: WO2021165760A1

Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.

Publication date: 12-10-2021

Security association reuse for multiple connections

Number: US0011146959B2
Assignee: Arista Networks, Inc., ARISTA NETWORKS INC

In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

Publication date: 16-11-2021

Transaction cryptogram

Number: US0011176547B2

A method for generating transaction credentials for a user in a transaction, comprising: storing in a mobile device, an encrypted session key, and an encrypted user authentication credential; receiving an authorisation request; initiating a user authorisation process wherein in the event that the user is an authenticated user, the method comprises: decrypting the encrypted session key and encrypted user authentication credential; generating a transaction cryptogram in dependence on the user authentication credential and the session key; transmitting the transaction cryptogram and a user authentication status to a transaction processing entity for use in a transaction.

Publication date: 08-07-2021

APPARATUS AND METHOD FOR MULTI-LINK MANAGEMENT IN MULTI-LINK COMMUNICATION SYSTEMS

Number: US20210211871A1

Embodiments of an apparatus and method are disclosed. In an embodiment, a method of executing multi-link operations in a multi-link communications system comprises performing a single frame exchange between a first multi-link device and a second multi-link device to execute a multi-link operation for multiple links between the first and second multi-link devices using a frame transmitted on a first link among the multiple links, wherein the frame includes an element that carries other link information on at least one link of the multiple links other than the first link, wherein the frame includes per-link value information that has different values for different links of the multiple link, and wherein successful execution of the single frame exchange completes the multi-link operation for at least two links of the multiple links between the first and second multi-link devices.

1. A method of executing multi-link operations in a multi-link communications system, the method comprising: performing a single frame exchange between a first multi-link device and a second multi-link device to execute a multi-link operation for multiple links between the first and second multi-link devices using a frame transmitted on a first link among the multiple links, wherein the frame includes an element that carries other link information on at least one link of the multiple links other than the first link, wherein the frame includes per-link value information that has different values for different links of the multiple link, and wherein successful execution of the single frame exchange completes the multi-link operation for at least two links of the multiple links between the first and second multi-link devices.

2. The method of claim 1, wherein the other link information carried in the element includes link identifier of the at least one link of the multiple links other than the first link.

3. The method of claim 2, wherein the element is an extensible element and wherein the other ...

Publication date: 06-10-2022

METHOD AND APPARATUS FOR CONFIGURING TEMPORARY USER EQUIPMENT (UE) EXTERNAL IDENTIFIER IN WIRELESS COMMUNICATION SYSTEM

Number: US20220322067A1
Author: Hyesung KIM, Jicheol LEE
Assignee:

The disclosure relates to a 5G or 6G communication system for supporting a higher data transmission rate. According to the disclosure, it is possible for an external server located outside a mobile communication system to efficiently configure a temporary UE identifier for identifying a UE subscribing to the mobile communication system.

Publication date: 25-06-2024

Embedded universal integrated circuit card (eUICC) profile content management

Number: US0012021966B2
Author: Xiangying Yang
Assignee: Apple Inc.

A mobile network operator (MNO) uses a provisioning server to update or install profile content in a profile or electronic subscriber identity module (eSIM). In an exemplary embodiment, the profile is present on a secure element such as an embedded universal integrated circuit card (eUICC) in a wireless device. One or more MNOs use the provisioning server to perform profile content management on profiles in the eUICC. In some embodiments, an MNO has a trust relationship with the provisioning server. In some other embodiments, the MNO does not have a trust relationship with the provisioning server and protects payload targeted for an MNO-associated profile using an over the air (OTA) key.

Publication date: 18-06-2024

Communication method and related product

Number: US0012015707B2
Author: Juan Deng, Chengdong He
Assignee: Huawei Technologies Co., Ltd.

A communication method and a related product are provided. The communication method includes: When UE switches from a source slice to a target slice mutually exclusive with the source slice, both the UE and a target AMF serving the target slice can obtain a first AMF key Kamf_new. The first AMF key Kamf_new is different from a second AMF key Kamf, and the second AMF key Kamf is a key of a source AMF serving the source slice. According to the application, communication security and effectiveness are significantly improved in a mutually exclusive slice switching scenario.

Publication date: 08-08-2023

Area-aware group key negotiation method in unmanned system

Number: CN116567622A
Assignee:

The invention discloses a group key negotiation method for area perception in an unmanned system, and mainly solves the problems that the prior art does not support multi-level group division, location privacy is leaked, the overhead is too large and a group key is not safe. According to the implementation scheme, an unmanned aerial vehicle system is constructed; each unmanned device converts its own position coordinate into a hierarchical coding bit string set with hierarchical region attributes, and calculates a matching result of the region according to the set; each unmanned device calculates a member list of each hierarchical region according to a matching result; each unmanned device generates multiple signatures for the member list, and the remote control station verifies the consistency of the member list according to the multiple signatures of the unmanned devices; the remote control station and the unmanned equipment in the member list of each region jointly negotiate a group ...

Publication date: 04-11-2021

RELAY SIDELINK COMMUNICATIONS FOR SECURE LINK ESTABLISHMENT

Number: WO2021222769A1
Assignee:

Methods, systems, and devices for wireless communications are described that enable establishment of secure communications and security keys for a remote user equipment (UE) and a relay UE to perform relayed sidelink communications in which the remote UE communicates with a network via the relay UE. To establish secure communications for the direct communications between the relay UE and the remote UE, one or more security keys may be established for encryption and decryption of communications. To establish the security keys, the relay UE may forward a request for direct communications to a key management function (e.g., a ProSe key management function (PKMF)) in a control plane of a core network (e.g., in a control plane message to the PKMF via an access and mobility function (AMF)). The PKMF may derive relay keys and return information related to the relay keys to the relay UE and the remote UE.

Publication date: 28-10-2021

NARROWBAND IQ SIGNAL OBFUSCATION

Number: US20210336651A1
Assignee: Parsons Corporation

Narrowband IQ signals are obfuscated by embedding the signal in a buffered portion of wideband IQ frequency data. After the data has been received and buffered, the receiving transceiver, using a wideband IQ frequency data key of a predetermined and shared format, decodes and reconstitutes the narrowband IQ signal.

Publication date: 04-10-2022

Restricting broadcast and multicast traffic in a wireless network to a VLAN

Number: US0011463425B2
Author: Mohan Ram, Sung-Wook Han
Assignee: Fortinet, Inc.

Traffic broadcast to a VLAN is restricted. To do so, a plurality of stations are associated with a BSSID (basic service set identifier). A first VLAN is configured by sending a first group key to each station from the plurality of stations that is a member of the first VLAN, wherein each VLAN is associated with a unique group key. One or more frames addressed to the first VLAN are received. The one or more frames are encrypted with the first group key to prevent stations without the first group key from being able to decrypt the one or more frames. The one or more encrypted VLAN frames are broadcast to the plurality of stations associated with the BSSID.

Publication date: 28-12-2022

KEY GENERATION METHOD, APPARATUS, AND SYSTEM

Number: EP4109947A1
Author: PAN, Kai, CHEN, Jing
Assignee:

This application relates to the field of wireless communications technologies. Embodiments of this application provide a key generation method, an apparatus, and a system, to resolve a problem that security protection for a voice service cannot be implemented in a voice service handover process. The method in this application includes: receiving, by an MME, a redirection request message from an AMF node, where the redirection request message includes key-related information; and generating, by the MME, an encryption key and an integrity protection key based on the key-related information. The redirection request message is used to request to hand over a voice service from a packet switched PS domain to a circuit switched CS domain. This application is applicable to a voice service handover process.

Publication date: 03-01-2024

MULTI-DEVICE COMMUNICATION MANAGEMENT

Number: EP4262153A3
Assignee:

A device implementing the subject technology may include at least one processor configured to transmit an allocation request requesting allocation of a group communication session with a plurality of devices and receive an allocation response in response to the allocation request, the allocation response including credential information for the device to use to join the group communication session. The at least one processor may be further configured to transmit an allocation bind request with the credential information to join the group communication session using the credential information and receive an allocation bind success response in response to the allocation bind request, the allocation bind success response indicating that the device has joined the group communication session. The at least one processor may be further configured to provide a join notification to the plurality of devices via an intermediary device to notify that the device has joined the group communication session ...

Publication date: 28-02-2023

Multi-link wireless communications connections

Number: US0011595442B2
Author: Huizhao Wang

A method includes establishing a multi-link security association between a transmitter upper Media Access Control (MAC) logic entity of a transmitter and a receiver upper MAC logic entity of a receiver. The transmitter includes one or more transmitter links. The receiver includes one or more receiver links.

Publication date: 02-02-2023

ENABLERS FOR RADIO ACCESS NETWORK CONTEXT STORAGE AND RESILIENCY

Number: US20230032390A1
Assignee: NOKIA TECHNOLOGIES OY

Techniques for improving the resiliency of communication networks by providing radio access network data stored in a radio access network database to one or more associated radio access network nodes are provided. A network entity receives a connection request from a user device including at least a radio access network set identifier or radio access network database identifier. The network entity determines whether the radio access network set identifier received in the connection request corresponds to an associated radio access network set identifier. In an instance in which the radio access network set identifier received in the connection request corresponds to the associated radio access network set identifier, radio access network database data are retrieved from the radio access network database associated with the radio access network set identifier. The radio access network database data include at least user device context data for the associated user device.

Publication date: 03-05-2023

SECURITY CONTEXT FOR TARGET AMF

Number: EP4173332A1
Assignee:

Publication date: 26-05-2023

Hotspot auxiliary networking method and device and computer readable storage medium

Number: CN116170823A
Author: TAN HAIFENG, LU WEN
Assignee:

The invention relates to a hotspot auxiliary networking method and device, computer equipment, a storage medium and a computer program product. The method comprises the following steps: after entering a hotspot network distribution mode, acquiring a connection key required by current network connection from an Internet of Things server; receiving a key string broadcasted by the Internet of Things equipment after the Internet of Things equipment is restarted and enters a hotspot network distribution mode; searching a decryption string corresponding to the key string, and feeding back the searched decryption string to the Internet of Things device; the decryption string is generated by the user terminal when the Internet of Things equipment performs hotspot network distribution for the first time; after the Internet of Things equipment verifies the received decryption string and the verification is passed, connecting the UDP service of the Internet of Things equipment; and sending the network information ...

Publication date: 14-09-2021

Transmission data protection system, method, and apparatus

Number: US0011122428B2

A system for transmission data protection includes user equipment (UE) and an access point. The access point sends a broadcast message that carries a public key for encryption. The UE receives and stores the public key for encryption. The UE obtains a global public key or a private key corresponding to the UE, and protects transmission data using the public key for encryption and the global public key or the private key corresponding to the UE.

Publication date: 17-06-2021

MALE AND FEMALE SEXUAL AID WITH WIRELESS CAPABILITIES

Number: US20210177691A1
Assignee:

Described herein are interactive devices that mimic a portion of human male and female genitalia. The male device includes a unique bead drive assembly for providing an extending and retracting motion. Also included on the male device is a massager sub-assembly able to inflate and deflate while being able to slide along a shaft of the male device. The female device includes a clamshell constrictor having an inflation mechanism that is able to provide a squeezing motion as well as being able to slide back and forth within the body of the female device. Also disclosed herein are methods of communication and interaction between a pair of interactive devices or multiple interactive devices. Finally, methods of managing interactive sessions between multiple interactive devices are also described.

Publication date: 25-05-2023

METHOD AND DEVICE FOR SUPPORTING DOUBLE CONNECTION OF RRC INACTIVATION MODE IN NEXT GENERATION MOBILE COMMUNICATION SYSTEM

Number: US20230164871A1
Assignee:

Disclosed are: a communication technique for merging, with IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system; and a system therefor. The present disclosure can be applied to intelligent services (for example, smart home, smart building, smart city, smart car or connected car, healthcare, digital education, retail, security, and safety-related services, and the like) on the basis of 5G communication technology and IoT-related technology. Disclosed are a method and a device for supporting the connection of a terminal operating in an RRC inactivation mode.

Publication date: 14-09-2023

TECHNIQUES TO FACILITATE FAST ROAMING BETWEEN A MOBILE NETWORK OPERATOR PUBLIC WIRELESS WIDE AREA ACCESS NETWORK AND AN ENTERPRISE PRIVATE WIRELESS WIDE AREA ACCESS NETWORK

Number: US20230292122A1
Assignee:

Presented herein are techniques to facilitate fast roaming between a mobile network operator-public (MNO-public) wireless wide area (WWA) access network and an enterprise private WWA access network. In one example, a method is provided that may include generating, by an authentication node, authentication material for a user equipment (UE) based on the UE being connected to a public WWA access network, wherein the public WWA access network is associated with a mobile network operator, and the authentication node and the UE are associated with an enterprise entity; obtaining, by the authentication node, an indication that the UE is attempting to access a private WWA access network associated with the enterprise entity; and providing, by the authentication node, the authentication material for the UE, wherein the authentication material facilitates connection establishment between the UE and the private WWA access network.

Publication date: 03-08-2023

SUPPORTING REMOTE UNIT REAUTHENTICATION

Number: US20230247423A1
Assignee:

Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus includes a processor and a transceiver that sends a first authentication message to a network function in a mobile communication network and receives a second authentication message from the network function in response to the first authentication message. Here, the first authentication message contains an indicator that the apparatus supports EAP Reauthentication Protocol and the second authentication message contains a key management domain name indicating a group of network functions that can share reauthentication security context. The processor derives reauthentication security context in response to successful authentication with the mobile communication network and locally stores the received key management domain name and the derived reauthentication security context for subsequent reauthentication with the mobile communication network.

Publication date: 14-03-2023

Management of groups of connected objects using wireless communication protocols

Number: US0011606199B2
Assignee: ORANGE

Management of a group of connected objects in a communications network including at least one local network. The connected objects, known as client objects, have at least one functional attribute. The method includes: obtaining an identifier of the group and an encryption key of the group; assigning the group at least one connected object according to at least one functional attribute of the connected object; obtaining an encryption key of the object; encrypting the encryption key of the group using the encryption key of the object; transmitting the identifier of the group, and the encrypted encryption key of the group to the at least one connected object.

Publication date: 29-03-2022

Bluetooth network and network configuration method

Number: US0011290875B2
Assignee: Espressif Systems (Shanghai) Co., Ltd.

The invention discloses a method for network configuration via Bluetooth, the method comprising: a Bluetooth communication device establishing a connection to a mobile terminal via Bluetooth; the Bluetooth communication device and the mobile terminal negotiating to determine a data encryption mode and a shared key for data decryption; and connecting the Bluetooth communication device to an external wireless network, whereby configuring the wireless network via Bluetooth is realized. According to the invention, during the process of network configuration via Bluetooth, a symmetric encryption method is utilized as the encryption mode for message data, and an asymmetric encryption method is utilized to generate the corresponding shared key, ensuring the data security during network configuration via Bluetooth and network communication processes.

Publication date: 10-10-2023

Subscriber identification module (SIM) management for cloud-based private mobile networks

Number: US0011785468B2
Assignee: Microsoft Technology Licensing, LLC

The present disclosure relates to devices, methods, and systems for subscriber identification module (SIM) management for a private mobile network. The methods and systems may include a private mobile network service on a cloud computing system. Users of the cloud computing system may use the private mobile network service to create a private mobile network. The private mobile network service may facilitate the creation of the private mobile network by providing interfaces for secure communications with the users of the cloud computing system, the SIM service partners, and the packet core partners. The mobile network service may also manage the SIM cards for the private mobile networks by coordinating the transmission of the SIM operation details for the SIM cards.

Publication date: 25-11-2021

MTC KEY MANAGEMENT FOR KEY DERIVATION AT BOTH UE AND NETWORK

Number: US20210368314A1
Assignee:

There is provided a new IWF SMC procedure for establishing security association between an MTC UE (10) and an MTC-IWF (20). The MTC-IWF (20) sends to the UE (10) at least an algorithm identifier which instructs the UE (10) to select one of algorithms for deriving a root key (K_iwf). The UE (10) derives the root key (K_iwf) in accordance with the selected algorithm, and derives at least a subkey for checking the integrity of messages transferred between the UE (10) and the MTC-IWF (20) by using the derived root key (K_iwf). The UE (10) protects uplink messages transmitted to the MTC-IWF (20) with the derived subkey. The MTC-IWF (20) protects downlink messages transmitted to the UE (10) with the same subkey derived at a core network.

Publication date: 10-11-2022

AUTHENTICATION SERVER FUNCTION SELECTION IN AUTHENTICATION AND KEY MANAGEMENT

Number: US20220360982A1
Assignee:

Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.

Publication date: 29-02-2024

Security Context Handling in 5G During Idle Mode

Number: US20240073683A1
Assignee:

The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key and provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.

Publication date: 14-04-2021

APPARATUSES AND METHODS FOR WIRELESS COMMUNICATION

Number: EP3806512A1
Assignee:

Authentication and key agreement is performed with a device and authentication information associated with the device is obtained, the authentication information including an authentication session key. A session key management entity (SKME) generates a mobility session key based on the authentication session key and transmits the mobility session key to a mobility management entity (MME) serving the device.

Publication date: 05-05-2023

Communication method and communication device

Number: CN116074827A
Assignee:

The embodiment of the invention provides a communication method and a communication device. The method comprises the following steps: when UE (User Equipment) initiates a connection establishment request, different key identifiers are carried in different connection establishment requests, and the different key identifiers are used for identifying the same anchor point key. On one hand, the opposite end communication equipment of the UE can be notified through the key identifier, such as the first equipment and the second equipment, to obtain the shared key generated by using the anchor point key, so that the UE and the opposite end communication equipment can establish secure communication by using the shared key. And on the other hand, the key identifier used by the UE is changed, so that an attacker is difficult to obtain the privacy of the user according to the key identifier used by the UE, and the security of privacy protection is improved.

Publication date: 01-03-2022

Peripheral-free secure pairing protocol by randomly switching power

Number: US0011265722B2
Assignee: Jinan University

A method for pairing a plurality of devices in the context of internet of things (IoT), including: connecting power supplies of the plurality of devices to a same power source, wherein the plurality of devices includes an initiator device and a responder device; synchronizing clocks of the initiator device and the responder device; switching the power source off and on for a plurality of times n; recording time stamps S(T)={T1, T2, T3, . . . Tn} corresponding to time stamps when the initiator device and the responder device switch off in response to switching off of the power source; and performing the pairing of the initiator device and the responder device if each of the initiator device time stamps is within a predefined delay tolerance of a corresponding time stamp of the responder device time stamps, otherwise rejecting the pairing of the initiator device and the responder device.

Publication date: 19-07-2022

Full configuration handover techniques

Number: US0011395190B2
Assignee: QUALCOMM INCORPORATED, QUALCOMM Incorporated

Various aspects and techniques for facilitating handovers in communication networks are disclosed. In a particular implementation, a method of wireless communication includes transmitting, from a first base station to a second base station, a handover request message corresponding to a user equipment (UE) associated with the first base station. The handover request message includes a request for full configuration. The method further includes receiving, from the second base station, a handover response message. The handover response message includes an indicator of acceptance of the full configuration. Other aspects and features are also claimed and described.

Publication date: 21-06-2022

Session establishment method and means and communication system

Number: US0011368842B2
Author: Xiaobo Yu
Assignee: Alibaba Group Holding Limited

An exemplary method, device, and system for configuring a session for communication between electronic devices. The method includes sending, by a session management entity of a wireless network, a first request message to a policy control entity of the wireless network, the first request message comprising a key identifier, receiving, by the session management entity, a first response message from the policy control entity, wherein the first response message corresponds to a response to the first request message, and the first response message comprises a session policy for a communication session corresponding to the key identifier, and configuring, by the session management entity, the communication session based at least in part on the session policy.

Publication date: 05-05-2023

Method and device for managing security context

Number: CN116074828A
Author: YANG LINPING, HU WEN, QIANG LI
Assignee:

The invention provides a security context management method and device, and the method can comprise the steps that terminal equipment sends a registration request message to a target mobile management network element, and the registration request message comprises an identifier of the terminal equipment; the terminal device receives a non-access stratum (NAS) security mode command message from the target mobility management network element, wherein the NAS security mode command message comprises horizontal deduction indication information; according to the horizontal deduction indication information, the terminal device generates a new key Kamf' according to a key Kamf in a first security context; wherein the first security context is the current security context of the terminal equipment; and under the condition that the registration process is not successfully completed, the terminal equipment uses the first security context as the current security context. According to the scheme, the ...

Publication date: 14-03-2023

Secure key exchange mechanism in a wireless communication system

Number: US0011606688B2
Assignee: CORETIGO LTD., CoreTigo Ltd.

Security features for a wireless communications system including encryption and decryption of communications, secure key exchange, secure pairing, and secure re-pairing are provided. The encryption/decryption mechanism uses AES-256 block cypher with counter mode to generate blocks of cypher bits used to encrypt and decrypt communications between a master and devices. Session keys are generated using a random salt and a counter value. The random salt is generated using a secure random number generator. A master key (or device key) is also used in generating session keys. Impermanent session keys are used to encrypt/decrypt a finite amount of data. Thereafter, the session key is replaced and cypher bits are generated using the new session key. A synchronized key jump procedure ensures that the master and device switch to the new session key at the same time.

Publication date: 21-02-2023

Subscriber identity privacy protection against fake base stations

Number: US0011589228B2
Assignee: Apple Inc.

Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key K_FB or trusted asymmetric fallback public key PK_FB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCI_FB for communication of messages with the unauthenticated network entity.

Publication date: 10-10-2023

Method and apparatus for distinguishing between data formats, and communication device

Number: US0011785517B2
Author: Xin You, Qianxi Lu

The embodiments of the present disclosure provide a method and apparatus for distinguishing between data formats, and a communication device. The method includes: a terminal receives a downlink data packet, and determines whether the data format of the downlink data packet is a first data format or a second data format, wherein the first data format indicates that the downlink data packet is encrypted using a first key of a source base station and/or compressed using a first header compression format of the source base station, and the second data format indicates that the downlink data packet is encrypted using a second key of a target base station and/or compressed using a second header compression format of the target base station.

Publication date: 30-12-2021

SECURITY CONTEXT FOR TARGET AMF

Number: WO2021260661A1
Assignee:

Apparatuses, methods, and systems are disclosed for security context handling during AMF reallocation. One apparatus (700) in a mobile communication network includes a network interface (740) and a processor (705) that derives (805) a Reroute Security Context and derives (810) a first authentication parameter for authenticating a Target AMF. The network interface (740) receives (815) a Key Request message from a SEAF co-located with the Target AMF following an AMF reallocation during a UE Registration procedure. The processor (705) verifies (820) the Key Request message by determining whether the second authentication parameter matches the first authentication parameter derived for authenticating the Target AMF. The processor (705) derives (825) a new security context for the Target AMF/SEAF in response to successfully verifying the Key Request message. The network interface (740) sends (830) a Key Response message to the Target AMF/SEAF.

Publication date: 22-02-2022

Communication device, communication method, and storage medium

Number: US0011259177B2
Author: Fumihide Goto
Assignee: Canon Kabushiki Kaisha

A communication device obtains identification information and a public key of a first other communication device by a particular obtaining method that does not use a wireless LAN and notifies the first other communication device of a role of the first other communication device in a communication based on Wi-Fi Direct. In addition, the communication device obtains identification information and a public key of a second other communication device by the particular obtaining method and notifies the second other communication device of a role of the second other communication device in the communication based on Wi-Fi Direct. One of the notified roles is a P2P Group Owner and the other one is a P2P Client, and the communication based on Wi-Fi Direct can be performed between the first other communication device and the second other communication device based on the notifications.

Publication date: 08-06-2021

Certificate authority master key tracking on distributed ledger

Number: US0011032086B2

An apparatus for use in a digital messaging system includes a storage device and a processor coupled to the storage device. The storage device stores software instructions for controlling the processor that, when executed by the processor, configure the processor to: generate a master private and public key pair; associate the master private and public key pair with a first certificate; and derive at least one domain-specific key from one of the master private and public key pair. The first certificate is registered to a group comprising a plurality of domains. The domain-specific key is associated with one of the plurality of domains.

Publication date: 22-08-2023

Communication device configured to establish wireless connection between communication device and external device, non-transitory computer-readable medium storing computer-readable instructions for such communication device and method executed by such communication device

Number: US0011733939B2
Author: Hiroshi Shibata
Assignee: Brother Kogyo Kabushiki Kaisha

A communication device may: comprise an output unit configured to output first information obtained by using a first public key in a memory in a case where a predetermined instruction is inputted to the communication device; after the first information has been outputted, receive an authentication request in which the first public key is used from a terminal device; send an authentication response to the terminal device; establish a wireless connection between the communication device and an external device; and in a case where a predetermined condition is satisfied after the first information has been outputted, create a second public key different from the first public key and store the second public key in the memory. In a case where the predetermined instruction is inputted to the communication device again, the output unit may be configured to output second information obtained by using the second public key in the memory.

Publication date: 14-09-2023

METHODS SUPPORTING AUTHENTICATION IN WIRELESS COMMUNICATION NETWORKS AND RELATED NETWORK NODES AND WIRELESS TERMINALS

Number: US20230292116A1
Author: Monica WIFVESSON
Assignee: Telefonaktiebolaget LM Ericsson (publ)

Methods in a wireless communication network may include providing a first authentication key, and deriving a second authentication key based on the first authentication key, with the second authentication key being associated with the wireless terminal. Responsive to deriving the second authentication key, a key response message may be transmitted including the second authentication key and/or an EAP-Finish/Re-auth message. Some other methods in a wireless communication network may include receiving a key response message including a core network mobility management authentication key and an EAP-Finish/Re-auth message. Responsive to receiving the key response message, the network may initiate transmission of an EAP-Finish/Re-auth message and/or a freshness parameter used to derive the core network mobility management authentication key from the wireless communication network to the wireless terminal responsive to the key response message. Related wireless terminal methods are also discussed ...

Publication date: 28-04-2022

SYSTEMS AND METHODS FOR POST-HOC DEVICE REGISTRATION

Number: US20220129870A1
Assignee:

A method for managing a post-hoc device registration in an ecosystem is provided. The method includes assembling an electronic device, having a system on a chip (SoC) integrated therein. The method further includes activating/onboarding the device, receiving, by a CA from the device, a communication containing at least one keypair, validating, from the CA to the device, the at least one keypair, triggering, by the CA, data capture of validation data. The validation data includes user registration data, and manufacture/status data for at least one of the device and the SoC. The captured validation data is stored in a database of the CA, and then aggregated, along with the received at least one keypair, from the CA database into a billing invoice to the device assembler. The registration data is referenced to the at least one keypair and other validation data by the CA.

Publication date: 01-03-2023

MTC KEY MANAGEMENT FOR KEY DERIVATION AT BOTH UE AND NETWORK

Number: EP2944067B1
Assignee: NEC Corporation

Publication date: 14-02-2023

Low power RRC operating method and device

Number: US0011582603B2
Assignee: Samsung Electronics Co., Ltd.

Disclosed are a communication technique of merging, with IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system, and a system therefor. The disclosure can be applied to intelligent services (for example, smart home, smart building, smart city, smart car or connected car, health care, digital education, retail, security and safety related services, and the like) on the basis of 5G communication technology and IoT related technology. According to one embodiment of the present invention, a communication method of a base station comprises the steps of: determining an RRC state transition condition of a terminal; and transmitting information on the RRC state transition condition to the terminal, wherein the RRC state transition condition can include at least one timer for the transition between RRC states and/or information indicating an RRC state to be changed.

Publication date: 14-02-2023

Key obtaining method and device, and communications system

Number: US0011582602B2
Author: Jing Chen, Kai Pan, He Li

A method for security handling in a mobility of a terminal device, where the method includes: a target access and mobility management function (AMF) entity receiving a first message for registering a terminal device; the target AMF entity sending a second message to a source AMF entity after receiving the first message; the source AMF entity deriving a first key based on a key between the source AMF entity and the terminal device; the source AMF entity sending the first key to the target AMF entity; the target AMF entity determining to use the first key based on security related information after receiving the first key; and the target AMF entity determining a communication key between the target AMF entity and the terminal device based on the first key after determining to use the first key.

Publication date: 30-05-2023

Communication method between a terminal and an access point

Number: US0011665534B2
Author: Moe Yoshida

A terminal includes: a communicator that wirelessly performs encrypted communication with an access point; a processor; and a memory that stores at least one program executed by the processor and a key management table for storing a group key for the encrypted communication. The processor performs: acquiring the group key from the access point and storing the group key acquired in the key management table as a first group key; receiving a broadcast packet encrypted by the access point via the communicator; making a first determination as to whether the broadcast packet received is decryptable by using the first group key; and when it is determined, in the first determination, that the broadcast packet is not decryptable by using the first group key, generating information indicating that the first group key needs to be updated.

Publication date: 15-06-2023

Method for Exchanging and Storing Electronic Keys

Number: US20230188981A1
Assignee:

In one example, a first wireless device transmits one or more electronic keys, and a second wireless device receives and stores the electronic key(s) in a memory. A server or a user device uploads, receives or synchronizes the electronic key(s) from the second wireless device. In another example, one or more electronic keys are transmitted using a first wireless device, the electronic key(s) are received and stored in a memory of a second wireless device, and the electronic key(s) or other data are transmitted, uploaded or synchronized to a server or a user device. In another example, a device comprises: a wireless transceiver; a memory; and a processor communicably coupled to the wireless transceiver and the memory, wherein the processor receives one or more electronic keys from one or more wireless devices, and stores the electronic key(s) in the memory.

Publication date: 27-02-2024

User-centric connections to a location comprising digital collaboration tools

Number: US0011916977B2
Assignee: BARCO N.V.

A method, device and system for providing user-centric connections to a location comprising digital collaboration tools, as well as software for carrying out the method. The method includes a network device having a beacon system for proximity detection and a BYOD (Bring Your Own Device). A confirmed BYOD proximity can be used to initiate the setup of a data channel between the network device and the BYOD, and further join the BYOD to a UC (Unified Communications systems and tools) session.

Publication date: 23-06-2023

Binaural earphone key synchronization method and binaural encryption earphone

Number: CN116321141A
Assignee:

The invention provides a binaural earphone key synchronization method and a binaural encryption earphone, and the method comprises the steps: setting the binaural earphone to be in communication connection with a terminal single link in a state of being separated from a charging bin, encrypting a service session key which is obtained by one earphone and is used for encrypting a to-be-transmitted audio through a synchronization key, and sharing the encrypted service session key to a second earphone; the method avoids the leakage of a service session key, guarantees the safety of key synchronization between the earphones, enables the two earphones to encrypt the collected audio based on the same service session key on this basis, achieves the safety of audio transmission between the earphones and between a transmitting side and a receiving side, and also avoids the tedious decryption processing of the audio at the receiving side and the generation of obvious time delay. Besides, the first ...

Publication date: 09-12-2021

SUPPORTING REMOTE UNIT REAUTHENTICATION

Number: WO2021244757A1
Assignee:

Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus (700) includes a network interface (740) that receives (905) a first authentication message for reauthenticating a remote unit and a processor (705) that verifies (910) a first domain-name. The first domain-name identifies a key management domain name and an associated gateway function holding a reauthentication security context. Here, the first authentication message includes a NAI containing a first username and the first domain-name. The processor (705) validates (915) the first authentication message using at least the first username and generates (920) a second authentication message in response to successfully validating the first authentication message. Via the network interface (740), the processor (705) responds (925) to the first authentication message by sending the second authentication message.

Publication date: 28-02-2023

Key update method and apparatus

Number: US0011595206B2
Author: He Li, Jing Chen

Embodiments of this application provide key update methods and apparatuses in the field of communications technologies. A communications system includes a terminal and a core network device. The terminal can access the core network device using both a first access technology and a second access technology. The first connection and the second connection have a shared key. Key update for the first connection is performed in obtaining a first key identifier that identifies a first key obtained by performing the key update for the first connection. In response to determining that the second connection is in a connected state, the shared key for the second connection and a second key identifier that identifies the shared key are retained. The shared key continues to be used for the second connection until key update for the second connection is performed.

Publication date: 16-03-2022

METHOD AND SYSTEM TO ENABLE SECURE COMMUNICATION FOR INTER-ENB TRANSMISSION

Number: EP3968679A1
Assignee:

The embodiments herein provide a method and system for creating a secure connection for a User Equipment (UE) in a wireless network including a UE, carrier aggregated with at least one first serving frequency served by a first eNB and at least one second serving frequency served by a second eNB. A unique non-repetitive security base key associated with the second eNB is generated using a freshness parameter and security key associated with the first eNB. The use of a different freshness parameter for each security base key derivation avoids key stream repetition. Further, a user plane encryption key is derived based on the generated unique non-repetitive security base key associated with the second eNB for encrypting data transfer over at least one data radio bearer.

Publication date: 01-11-2023

AUTHENTICATION PROXY FOR AKMA AUTHENTICATION SERVICE

Number: EP4271014A1
Assignee:

Systems, methods, and software of performing an Authentication and Key Management for Applications (AKMA) authentication service. An AKMA authentication proxy resides between User Equipment (UE) and a plurality of Application Functions (AFs). The AKMA authentication proxy receives an application session establishment request message from the UE requesting an application session with a first application function, sends a key request message toward an AKMA anchor function (AAnF) requesting AKMA application keys for a plurality of application functions, receives a key response message sent from the AAnF that includes the AKMA application keys, identifies a first AKMA application key for the first application function from the AKMA application keys derived by the AAnF, and forwards the application session establishment request message to the first application function with the first AKMA application key.

Publication date: 16-09-2021

Bluetooth mesh network system and control method having control authority sharing mechanism

Number: US20210289333A1
Assignee:

The present invention discloses a Bluetooth mesh network system having control authority sharing mechanism that includes an original provisioner node and at least one newly added provisioner node. The original provisioner node stores control authority information related to a Bluetooth mesh network, controls the Bluetooth mesh network accordingly and performs a control authority broadcast. The newly added provisioner node receives the control authority broadcast and establishes connection with the original provisioner node according to a connection protocol. The newly added provisioner node further requests the control authority information from the original provisioner node so as to control the Bluetooth mesh network after receiving the control authority information from the original provisioner node.

Publication date: 29-08-2023

Security context handling in 5G during connected mode

Number: US0011743718B2

The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.

Publication date: 26-09-2023

Session establishment method and means and communication system

Number: US0011770702B2
Author: Xiaobo Yu
Assignee: Alibaba Group Holding Limited

A method, device, and system for configuring a session for communication between electronic devices includes sending, by a session management entity of a wireless network, a first request message to a policy control entity of the wireless network, the first request message comprising a key identifier, receiving, by the session management entity, a first response message from the policy control entity, wherein the first response message corresponds to a response to the first request message, and the first response message comprises a session policy for a communication session corresponding to the key identifier, and configuring, by the session management entity, the communication session based at least in part on the session policy.

Publication date: 24-08-2022

SECURE TOKENS FOR CONTROLLING ACCESS TO A RESOURCE IN A RESOURCE DISTRIBUTION NETWORK

Number: EP4046358A1
Assignee:

Publication date: 12-04-2023

SUPPORTING REMOTE UNIT REAUTHENTICATION

Number: EP4162713A1
Assignee:

Publication date: 02-11-2022

AUTHENTICATION IN UBIQUITOUS ENVIRONMENT

Number: EP3373554B1
Author: Choi, Unho
Assignee: Choi, Unho

Publication date: 28-07-2023

Encryption communication system and method for Beidou short message

Number: CN116506854A
Assignee:

The invention discloses a Beidou short message encryption communication system and method, and relates to the technical field of Beidou short message security. In order to solve the problems that Beidou short message communication is easily attacked by a man-in-the-middle, communication data is easily maliciously tampered by an intermediate link, communication keys of two communication parties are difficult to synchronize and update, the randomness and strength of the communication keys are poor and the like, the encryption communication system of the Beidou short message is composed of a key management center and a Beidou short message terminal, a two-layer key management system is adopted, bidirectional identity authentication between Beidou short message terminals and a key management center and between the Beidou short message terminals is achieved through asymmetric digital signatures, and automatic updating and synchronization of communication encryption keys are achieved through ...

Publication date: 11-04-2023

Encrypted communication system and method of unmanned aerial vehicle

Number: CN115955673A
Author: LI XIAOZHONG
Assignee:

The present disclosure relates to an encrypted communication system and an encrypted communication method for an unmanned aerial vehicle, the encrypted communication system comprising an unmanned aerial vehicle and a base station, the unmanned aerial vehicle comprising a first encryption module and a first timer, the base station comprising a second encryption module and a second timer, the base station being configured to control the unmanned aerial vehicle with an initial flight instruction, a second encryption module of the base station encrypts the initial password, the flight approval code, the initial flight instruction and the time stamp of the base station into a first password and a second password, the unmanned aerial vehicle receives the first password and the second password, and the unmanned aerial vehicle decodes the second password into the initial flight instruction; and generating a third password by using the decoded initial flight instruction, the initial password, the ...

Publication date: 09-12-2021

SUPPORTING REMOTE UNIT REAUTHENTICATION

Number: WO2021244758A1
Assignee:

Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus (600) includes a processor (605) and a transceiver (625) that sends (805) a first authentication message to a network function in a mobile communication network and receives (810) a second authentication message from the network function in response to the first authentication message. Here, the first authentication message contains an indicator that the apparatus supports EAP Reauthentication Protocol and the second authentication message contains a key management domain name indicating a group of network functions that can share reauthentication security context. The processor (605) derives (815) reauthentication security context in response to successful authentication with the mobile communication network and locally stores (820) the received key management domain name and the derived reauthentication security context for subsequent reauthentication with the mobile communication ...

Publication date: 17-03-2022

IDENTITY-BASED MESSAGE INTEGRITY PROTECTION AND VERIFICATION FOR WIRELESS COMMUNICATION

Number: US20220086642A1
Assignee:

Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PK derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PK of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SK obtained from the PKG server, which generates the identity-based private key SK using (i) the ID value of the network entity and (ii) a private key SK that is known only by the PKG server and corresponds to the public key PK.

1. A method for protecting message integrity, the method comprising: by a network entity: sending a request to a private key generator (PKG) server, the request including a first identity value (ID1) for the network entity; receiving from the PKG server a response that includes a first private key (SK_ID1) that is based on ID1 and on a private key of the PKG server (SK_PKG); and prior to establishing a security context with a user equipment (UE): generating a signature for a first message, the signature based on SK_ID1; and sending the first message concatenated with the signature to the UE.

2. The method of claim 1, further comprising: by the network entity: providing ID1 to the UE before sending the first message, wherein the UE verifies the first message using a first public key (PK_ID1) that corresponds to SK_ID1.

3. The method of claim 2, wherein the UE generates PK using ID ...

Publication date: 10-10-2023

Communication system

Number: US0011785510B2
Author: Vivek Sharma
Assignee: NEC CORPORATION, NEC Corporation

A communication system is described in which user plane communication and control plane communication for a particular mobile communication device can be split between a base station that operates a small cell and a macro base station. Appropriate security for the user plane and control plane communications is safeguarded by ensuring that each base station is able to obtain or derive the correct security parameters for protecting the user plane or control plane communication for which it is responsible.

Publication date: 21-04-2022

SUBSCRIPTION DATA UPDATE METHOD AND APPARATUS, NODE, AND STORAGE MEDIUM

Number: WO2022078214A1
Assignee:

The present application discloses a subscription data update method and apparatus, a node, and a storage medium. Said method comprises: in cases where a first network function node determines that AKMA subscription data of a user is updated, the first network function node determining a second network function node storing an AKMA context of the user; the first network function node sending a subscription data management notification message to the second network function node; and the first network function node receiving a subscription data management notification response message sent by the second network function node, the subscription data management notification response message being sent after the second network function node deletes the AKMA context of the user according to the subscription data management notification message.

Publication date: 15-06-2021

User plane security for disaggregated RAN nodes

Number: US0011039309B2

A method of coordinating a change in cryptographic key sets from a first cryptographic key set to a second cryptographic key set between a radio access network (RAN) node and a wireless device (WD) served by the RAN node. The RAN node includes a user plane (UP) component and a control plane (CP) component. The method includes transmitting, from the UP component to the wireless device (WD), a key change indicator indicative of changeover to the second cryptographic key set, the key change indicator included in one of a data protocol data unit (PDU) and a control PDU; and subsequently cryptographically encoding PDUs for transmission to the WD and cryptographically decoding PDUs received from the WD in accordance with the second cryptographic key set.

Publication date: 04-11-2021

4-WAY HANDSHAKE OPTIMIZATION

Number: US20210345105A1
Assignee: Intel Corporation

The application relates to a 4-way handshake optimization. An initiating entity includes processor circuitry configured to: transmit a first open authentication frame to a responding entity via a wireless interface, wherein the first open authentication frame comprises information that helps the responding entity to identify a Pairwise Master Key (PMK) and a first random number; receive a second open authentication frame from the responding entity, wherein the second open authentication frame comprises a second random number; transmit an association request frame to the responding entity via the wireless interface, wherein the association request frame is encrypted with at least part of a Pairwise Transient Key (PTK) derived by the initiating entity from the PMK; and receive an association response frame from the responding entity, wherein the association response frame is encrypted with at least part of the PTK derived by the responding entity from the PMK.

Publication date: 22-06-2021

Handover method and apparatus

Number: US0011044652B2

Embodiments of the present disclosure disclose a handover method and an apparatus, so as to reduce a handover delay in a process of handing over an MN from a previous access network to a new access network. The method includes: sending, by the MN, first instruction information to a NAR by using a PAR, where the first instruction information is used to instruct the NAR to construct a care-of test initialization message and send the care-of test initialization message to a CN, and the care-of test initialization message includes an NCoA of the MN and is used to request a care-of keygen token from the CN based on the NCoA; handing over the MN from the PAR to the NAR; receiving, by the MN, the care-of keygen token sent by the NAR from the CN; and binding the MN with the CN based on the care-of keygen token.

Publication date: 03-06-2021

LOW POWER RRC OPERATING METHOD AND DEVICE

Number: US20210168603A1
Assignee:

Disclosed are a communication technique of merging, with IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system, and a system therefor. The disclosure can be applied to intelligent services (for example, smart home, smart building, smart city, smart car or connected car, health care, digital education, retail, security and safety related services, and the like) on the basis of 5G communication technology and IoT related technology. According to one embodiment of the present invention, a communication method of a base station comprises the steps of: determining an RRC state transition condition of a terminal; and transmitting information on the RRC state transition condition to the terminal, wherein the RRC state transition condition can include at least one timer for the transition between RRC states and/or information indicating an RRC state to be changed.

1. A method performed by a terminal in a wireless communication system, the method comprising: identifying that the terminal is in a radio resource control (RRC) inactive state; transmitting, to a base station, a first message for switching the RRC inactive state to a RRC connected state over a signaling radio bearer (SRB) 0, wherein the first message comprises resume cause information indicating a resume cause for the switching of the RRC inactive state to the RRC connected state; receiving, from the base station, a second message to switch the RRC inactive state to the RRC connected state over an SRB1 in case that a user equipment (UE) context is retrieved, as a response to the first message; and receiving, from the base station, a third message to perform an RRC connection setup procedure over the SRB0 in case that the UE context is not retrieved, as a response to the first message.

2. The method of claim 1, wherein the first message further includes at least one of an identity of the terminal to facilitate a UE context retrieval at the base station claim ...

Publication date: 12-04-2023

SUPPORTING REMOTE UNIT REAUTHENTICATION

Number: EP4162712A1
Assignee:

Publication date: 09-05-2023

Backscattering equipment system group key generation method, system, equipment and terminal

Number: CN116094700A
Assignee:

The invention belongs to the technical field of backscatter communication key generation, and discloses a backscatter equipment system group key generation method, system, equipment and terminal, backscatter equipment measures downlink channel information from a received signal, and a full duplex signal source measures reflection cascade channel information from a reflection signal; the signal source calculates from the reflection cascade channel information to obtain uplink channel information, and generates a symmetric shared key; all shared channel information of the group is acquired, and a difference value sequence between the uplink channel information and the uplink channel information of the reference equipment is calculated; and carrying out shared channel extraction and key construction based on the difference value sequence, and constructing group keys among all small groups at the same time. According to the backscatter device group key generation method based on the shared ...

Publication date: 02-02-2012

Relay device, wireless communications device, network system, program storage medium, and method

Number: US20120030466A1
Author: Satoru Yamaguchi
Assignee: BUFFALO INC

A relay device first uses latest authentication data to determine whether request-authentication data transmitted from a wireless communications device is valid. If the latest authentication data is used to determine that the request-authentication data is valid, the relay device carries out relayed communications with the wireless communications device. If the latest authentication data is used to determine that the request-authentication data is invalid, the relay device next uses a former authentication data to determine whether the request-authentication data is valid. If the former authentication data is used to determine that the request-authentication data is valid, the relay device provides the wireless communications device with the latest authentication data to update authentication data in the wireless communications device.

Publication date: 29-03-2012

Method, device, and system for deriving keys

Number: US20120077501A1
Assignee: Huawei Technologies Co Ltd

Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

Publication date: 24-05-2012

Method, Apparatus and System for Processing Security Key when Reestablishing Radio Resource Control (RRC) Connection

Number: US20120129499A1
Author: Jinglan Li
Assignee: ZTE Corp

A method for processing a security key when a Radio Resource Control (RRC) connection is reestablished is provided, which comprises: receiving a Radio Resource Control connection reestablishment request from a user equipment by a node B; the node B judging whether there is a need to generate a new access layer security key, and generating the new access layer security key or using an original access layer security key based on this judgment result; and sending corresponding Radio Resource Control connection reestablishment information to the user equipment by the node B, so that the user equipment carries out the connection reestablishment. The method adds the judgment steps to the process of generating an access layer security key, thus solving the problem in the conventional method that a new key is generated regardless of the situation, thereby saving a large amount of key-generation computation and reducing the time delay of the system.

Publication date: 02-08-2012

IP Multimedia Security

Number: US20120198527A1
Assignee: Individual

A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node. If a signalling plane key has not already been established, then an alternative media plane key is derived from said session key and sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

Publication date: 27-09-2012

Mobile communication method

Number: US20120244865A1
Assignee: NTT DOCOMO INC

A mobile communication method according to the present invention includes the steps of: transmitting, from a handover source radio base station to a switching center, a handover request including an NCC, a PCI and a KeNB*; changing, at the switching center, the NCC, changing, at the switching center, the KeNB* on the basis of the PCI, and transmitting, from the switching center to the handover target radio base station, the handover request including the changed NCC and the changed KeNB*; generating, at the handover target radio base station, a first key on the basis of the KeNB*; and generating, at the mobile station, the first key on the basis of the NCC and the PCI included in a handover command.

Publication date: 13-12-2012

Method and Device for Data Processing in a Wireless Network

Number: US20120314866A1
Assignee: NOKIA SIEMENS NETWORKS OY

A method and a device for data processing in a wireless network are provided, wherein a direct connection between two mobile terminals is set up based on a seed information provided by the wireless network. Furthermore, a communication system is suggested including at least one such device.

Publication date: 27-12-2012

Method and apparatus for tunneled direct link setup (TDLS) for establishing basic service set

Number: US20120327851A1
Assignee: Qualcomm Inc

Certain aspects of the present disclosure relate to a technique for establishing a direct link between a pair of apparatuses (e.g., stations or access terminals), and setting up a basic service set of the apparatuses via the direct link. An apparatus in the pair can communicate with another apparatus in the pair through a device (e.g., an access point) in a first bandwidth, establish the direct link with the other apparatus in the first bandwidth, and communicate directly with the other apparatus in a second bandwidth different than the first bandwidth, wherein the apparatus and the other apparatus form the basic service set operating in the second bandwidth.

Publication date: 04-07-2013

Method for sharing secret values between sensor nodes in multi-hop wireless communication network

Number: US20130173910A1
Assignee: Intellectual Discovery Co Ltd

A method for sharing a secret key between a source node and a destination node includes (a) adding, at each forward intermediate node, a secret key between the forward intermediate node and a node before the forward intermediate node to the secret key sharing request message; (b) generating a shared secret key between the source node and the destination node from the secret key between the forward intermediate node and the node before the forward intermediate node added in the secret key sharing request message; (c) adding, at each backward intermediate node, a secret key between the backward intermediate node and a node before it to the secret key sharing response message; and (d) generating the shared secret key between the destination node and the source node from the secret key between the backward intermediate node and the node before it added in the secret key sharing response message.

Publication date: 12-12-2013

Electronic key registration system

Number: US20130329890A1
Assignee: Tokai Rika Co Ltd

An offline immobilizer ECU reads an encryption key generation code from an offline additional electronic key and generates an electronic key encryption key for the offline additional electronic key using the encryption key generation code and a communication subject key encryption key held by the immobilizer ECU. The immobilizer ECU stores, in a memory, the generated electronic key encryption key and a key ID code that is read from the offline additional electronic key.

Publication date: 01-01-2015

Secure execution and update of application module code

Number: US20150007262A1
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION

A dynamic root of trust can be injected in an application module on a client device using a backend server and can be continuously monitored to ensure authenticity, integrity and confidentiality at load time, run time and update time of the application module. The dynamic root of trust can be updated directly from the backend server and can be used to establish a time bound trust chain for the other software modules loaded and executed as part of the application module.

Publication date: 04-01-2018

Key management for wireless communication system for communicating engine data

Number: US20180007547A1
Assignee: GE AVIATION SYSTEMS LLC

Systems and methods for recording and communicating engine data are provided. One example aspect of the present disclosure is directed to a method for key management. The method includes generating a pair of keys, wherein one of the pair of keys is a private key, and wherein one of the pair of keys is a public key. The method includes transmitting the public key to a first remote computing device, wherein the first remote computing device transmits the public key to a second remote computing device. The method includes receiving a host key from the first remote computing device, wherein the first remote computing device received the host key from the second remote computing device. The method includes accessing the second remote computing device using the private key. The method includes verifying a request from the second remote computing device using the host key.

Publication date: 04-01-2018

Method, Apparatus and System for Key Derivation

Number: US20180007599A1
Assignee: Huawei Technologies Co Ltd

Method, apparatus and systems are provided for key derivation. A target base station receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station. The target base station selects a key corresponding to the target cell after obtaining information regarding a target cell that a user equipment (UE) is to access. An apparatus for key derivation and a communications system are also provided.

Publication date: 20-01-2022

COMMUNICATION APPARATUS, COMMUNICATION METHOD, PROGRAM, AND STORAGE MEDIUM

Number: US20220022034A1
Author: Tachibana Hideaki
Assignee:

Identification information indicates that a communication parameter to be provided in accordance with a Device Provisioning Protocol standard is a communication parameter that allows connection processing compliant with an Institute of Electrical and Electronics Engineers 802.11r standard. The identification information is set in an Authentication and Key Management field, and the communication parameter that allows connection processing compliant with the Institute of Electrical and Electronics Engineers 802.11r standard is provided.

1. A communication apparatus comprising: a setting unit configured to set first identification information in an Authentication and Key Management field, the first identification information indicating that a communication parameter to be provided in accordance with a Device Provisioning Protocol standard is a first communication parameter allowing connection processing compliant with an Institute of Electrical and Electronics Engineers 802.11r standard; and a transmitting unit configured to transmit a frame to another communication apparatus, the frame including the Authentication and Key Management field having therein the first identification information set by the setting unit and the first communication parameter.

2. The communication apparatus according to claim 1, further comprising an acquiring unit configured to acquire information from the other communication apparatus, the information indicating that the other communication apparatus performs connection processing compliant with the Institute of Electrical and Electronics Engineers 802.11r standard, wherein the setting unit sets the first identification information in the Authentication and Key Management field in a case where the acquiring unit acquires the information indicating that the other communication apparatus performs connection processing compliant with the Institute of Electrical and Electronics Engineers 802.11r standard.

3. The communication ...

Publication date: 14-01-2016

Secure multi-party communication with quantum key distribution managed by trusted authority

Number: US20160013936A1
Assignee: Los Alamos National Security LLC

Techniques and tools for implementing protocols for secure multi-party communication after quantum key distribution (“QKD”) are described herein. In example implementations, a trusted authority facilitates secure communication between multiple user devices. The trusted authority distributes different quantum keys by QKD under trust relationships with different users. The trusted authority determines combination keys using the quantum keys and makes the combination keys available for distribution (e.g., for non-secret distribution over a public channel). The combination keys facilitate secure communication between two user devices even in the absence of QKD between the two user devices. With the protocols, benefits of QKD are extended to multi-party communication scenarios. In addition, the protocols can retain benefit of QKD even when a trusted authority is offline or a large group seeks to establish secure communication within the group.

Publication date: 03-02-2022

SMALL DATA TRANSMISSION (SDT) PROCEDURES AND FAILURE RECOVERY DURING AN INACTIVE STATE

Number: US20220039192A1
Assignee:

A computer-readable storage medium stores instructions for execution by one or more processors of a UE. The instructions configure the UE for small data transmission (SDT) in a 5G NR network and cause the UE to perform operations comprising detecting while in an RRC_Inactive state, a radio link failure during a first SDT of UL data to a base station. A secure key for a second SDT is generated based on the radio link failure. A configuration message including an indication of the second SDT is transmitted to the base station. A response message including a UL grant is received from the base station. The UL data is encoded for the second SDT using the secure key. The second SDT is performed using the UL grant while the UE is in the RRC_Inactive state.

1. An apparatus for a user equipment (UE) configured for operation in a Fifth Generation New Radio (5G NR) network, the apparatus comprising: processing circuitry, wherein to configure the UE for small data transmission (SDT) in the 5G NR network, the processing circuitry is to: detect while in a Radio Resource Control Inactive (RRC_Inactive) state, a radio link failure during a first SDT of uplink (UL) data to a base station; generate a secure key for a second SDT based on the radio link failure; encode a configuration message for transmission to the base station, the configuration message including an indication of the second SDT; decode a response message from the base station, the response message including a UL grant; and encode the UL data for the second SDT, the UL data encoded using the secure key, and the second SDT performed using the UL grant while the UE is in the RRC Inactive state; and a memory coupled to the processing circuitry and configured to store the secure key.

2. The apparatus of claim 1, wherein the processing circuitry is to: decode a second configuration message received from the base station, the second configuration message including at least one next-hop chaining count (NCC) ...

Publication date: 22-01-2015

Apparatus and method for transmitting secure data in wireless communication system

Number: US20150023503A1

An apparatus and method for transmitting secure data in a wireless communication system are provided. The apparatus includes a key generation unit, and a transmission and reception unit. The key generation unit generates an encryption key stream that is used to convert plain text data into an encrypted data signal. The transmission and reception unit obtains wireless channel state information from a received pilot signal and transmits the obtained wireless channel state information to the key generation unit, and encrypts the plain text data based on the encryption key stream and transmits the encrypted plain text data to a counterpart terminal over a wireless channel. The key generation unit generates the encryption key stream based on the wireless channel state information, and transmits the encryption key stream to the transmission and reception unit.

Publication date: 17-04-2014

Communication apparatus and communication parameter configuration method thereof

Number: US20140108806A1
Author: Fumihide Goto
Assignee: Canon Inc

A communication apparatus functioning as a master device denies participation by new communication apparatuses in a network in communication parameter configuration mode based on participation statuses of communication apparatuses functioning as slave devices in the network. The communication apparatus functioning as a master device establishes the network in communication parameter configuration mode between the communication apparatuses participating in the network, and configures communication parameters.

Publication date: 10-02-2022

TRANSMISSION OF GROUP HANDOVER MESSAGE

Number: US20220046486A1
Assignee:

Methods, apparatuses, and computer readable medium for enabling an efficient group handover mechanism that has less signaling overhead than single UE handover are provided. An example method at a base station includes transmitting a group handover request for the group of UEs to a target base station. The method further includes receiving a group handover acknowledgment from the target base station. The method further includes transmitting a group handover message to the group of UEs.

1. An apparatus for wireless communication of a base station, comprising: a memory; and at least one processor coupled to the memory and configured to: transmit a group handover request for a group of user equipment (UEs) to a target base station; receive a group handover acknowledgment from the target base station; and transmit a group handover message to the group of UEs.

2. The apparatus of claim 1, wherein the base station communicates with the group of UEs via a satellite, and wherein the group handover message is transmitted to each UE in the group of UEs in a radio resource control (RRC) reconfiguration with synchronization.

3. The apparatus of claim 1, wherein the group handover message is transmitted to the group of UEs based on a cell specific common search space, and wherein at least a portion of the group handover message is scrambled with a cell specific group radio network temporary identifier (RNTI).

4. The apparatus of claim 3, wherein the at least one processor coupled to the memory is further configured to: provide a common access stratum (AS) key and group specific or default signaling radio bearer configuration to the group of UEs; wherein the base station sends new signaling radio bearer (SRB) information to the group of UEs with integrity protection and ciphering based on the common AS key and a group specific new SRB configuration.

5. The apparatus of claim 1, wherein the group handover message comprises an RRC message comprising a list of ...

Publication date: 23-01-2020

Security unit for an iot device and method for running one or more applications for the secured exchange of data with one or more servers which provide web services

Number: US20200028829A1
Author: Rainer Falk
Assignee: SIEMENS AG

A security unit which is suitable for a device, in particular an IOT device, for running one or more applications for a secure data exchange with one or more servers which provide web services is provided. The security unit is designed with the following: means for imaging original data onto corresponding replacement data and/or vice versa, wherein the original and/or replacement data forms a respective original and/or replacement key and/or can be used to form same; means for detecting a replacement key which is supplied by an application being run and which corresponds to an original key; and means for providing a required original key which corresponds to the replacement key using the imaging means in order to allow the original key to be used for the secure data exchange with the server.

Publication date: 17-02-2022

CONTEXT PREPARATION FOR CONSECUTIVE CONDITIONAL HANDOVERS

Number: US20220053399A1
Assignee:

A method includes determining, by a source base station, based on at least one of a measurement report received from a terminal device and a mobility trajectory of the terminal device, a prepared cell list that includes a set of cells where the terminal device is capable of handover. The method includes sending at least one required context for the handover to the set of cells in the prepared cell list. The method also includes receiving acknowledgement from the set of cells. The method further includes sending a handover complete message, which contains the prepared cell list, to the terminal device, wherein the prepared cell list provides a capability for the terminal device to make a number of handovers when the terminal device is within a coverage area of the set of cells.

1.-11. (canceled)

12. A method, comprising: sending, by a terminal device, at least one measurement report to a source base station; receiving, by the terminal device and in response to the at least one measurement report, a handover command from the source base station, wherein the handover command includes a prepared cell list of a set of cells where the terminal device is capable of handover and the prepared cell list provides a capability for the terminal device to make a number of handovers in response to the terminal device being within a coverage area of the set of cells; performing, by the terminal device, synchronization and random access with at least one cell from the set of cells; and sending, by the terminal device, a handover complete message to the at least one cell.

13. The method according to claim 12, wherein the handover complete message further includes a handover history of the terminal device of one or more handovers from the source base station to reach the at least one cell.

14. The method according to claim 12, wherein each prepared cell in the prepared cells list has multiple contexts, wherein each context is based on a path for the terminal device to reach a ...

Publication date: 18-02-2021

First Network Node, Second Network Node, Wireless Device and Methods Therein for Handling Broadcast Information

Number: US20210050925A1
Assignee: Telefonaktiebolaget LM Ericsson AB

A method for handling broadcast information is described. A first network node (111) operating in a wireless communications network (100) determines (403) one or more decryption keys (K1, K2, K3) to be provided to a wireless device (131) in the wireless communications network (100). The decryption keys enable the wireless device (131) to decrypt information to be broadcasted by a second network node (112) in the wireless communications network (100). The information comprises a plurality of subsets of positioning information. Each of the subsets is to be, or is, encrypted with a different encryption key based on a respective type of subscription for wireless devices (131, 132, 133) in the wireless communications network (100). The determined decryption keys are based on at least one type of subscription of the wireless device (131). The first network node (111) then initiates (404) providing the determined to the wireless device (131).

Publication date: 10-03-2022

System and Method for Security Activation with Session Granularity

Number: US20220078608A1
Assignee:

A method for operating a user equipment (UE) includes deriving security keys for a signaling radio bearer (SRB) in accordance with a first message received from an access node, initiating security for the SRB in accordance with the first message, receiving, from the access node, a second message including at least one security parameter for at least one data radio bearer (DRB), wherein the at least one security parameter is associated with a session that includes the at least one DRB, and wherein the second message is secured with the security keys for the SRB, and initiating security for the at least one DRB in accordance with the at least one security parameter.

1. A method comprising: receiving, by a user equipment (UE) from an access node, a first message indicating a security algorithm for a protocol data unit (PDU) session; determining, by the UE, the security algorithm for a signaling radio bearer (SRB) of the PDU session; receiving, by the UE from the access node and based on the security algorithm, a first radio resource control (RRC) connection reconfiguration message over the SRB of the PDU session, the first RRC connection reconfiguration message instructing the UE to add a first DRB to the PDU session and to activate integrity protection for the first DRB of the PDU session; and transmitting or receiving, by the UE and based on the security algorithm, integrity-protected data over the first DRB of the PDU session after the receiving the first RRC connection reconfiguration message.

2. The method of claim 1, wherein the first message further indicates a ciphering algorithm, the receiving the first RRC connection reconfiguration message comprising: receiving, by the UE and further based on the ciphering algorithm for the PDU session, the first RRC connection reconfiguration message, wherein the first RRC connection reconfiguration message further instructs the UE to activate ciphering for the first DRB, and the transmitting or receiving comprising: ...

Publication date: 20-02-2020

Methods supporting authentication in wireless communication networks and related network nodes and wireless terminals

Number: US20200059783A1
Author: Monica Wifvesson
Assignee: Telefonaktiebolaget LM Ericsson AB

Some methods in a wireless communication network may include providing a first authentication key, and deriving a second authentication key based on the first authentication key, with the second authentication key being associated with the wireless terminal. Responsive to deriving the second authentication key, a key response message may be transmitted including the second authentication key and/or an EAP-Finish/Re-auth message. Some other methods in a wireless communication network may include receiving a key response message including a core network mobility management authentication key and an EAP-Finish/Re-auth message. Responsive to receiving the key response message, the network may initiate transmission of an EAP-Finish/Re-auth message and/or a freshness parameter used to derive the core network mobility management authentication key from the wireless communication network to the wireless terminal responsive to the key response message. Related wireless terminal methods are also discussed.

Publication date: 17-03-2022

Multi-dimensional progressive security for personal profiles

Number: US20220083688A1
Assignee: AT&T Intellectual Property I, L.P.

Aspects of the subject disclosure may include, for example, a system that includes a processing system including at least one processor and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations including receiving a unique identifying number for an entity, a vector associated with the entity, and a timestamp from a requestor, generating a key using the unique identifying number, the vector, and the timestamp, and sending the key to the requestor, wherein the requestor uses the key to store information associated with the entity. Other embodiments are disclosed.

1. A system, comprising: a processing system including at least one processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: receiving, from equipment of a requestor, a unique identifying number for an entity, a vector associated with the entity, and a timestamp; generating a key using the unique identifying number, the vector, and the timestamp, wherein the generating comprises identifying an object, an axis of rotation, and a speed of rotation, determining an orientation of the object at the timestamp based upon rotation of the object about the axis of rotation at the speed of rotation, and determining points of intersection of the vector with the object at the orientation; and causing the key to be provided to the equipment of the requestor, wherein the equipment of the requestor uses the key to store information associated with the entity.

2. The system of claim 1, wherein the processing system comprises at least three processors communicatively coupled by a communications network.

3. The system of claim 2, wherein the at least three processors are at different locations.

4. The system of claim 2, wherein each processor of the at least three processors comprises a respective memory, resulting in respective memories. ...

Publication date: 17-03-2022

Communication Method And Device In Wireless Local Area Network

Number: US20220086722A1
Author: Gan Ming, LIANG Dandan
Assignee:

This application provides a communication method and device in a wireless local area network. The communication method includes: A receive end receives indication information from a transmit end, where a buffer of the receive end stores a log-likelihood ratio (LLR) corresponding to coded bits in an aggregated media access control protocol data unit (A-MPDU) subframe including a target media access control protocol data unit (MPDU). The receive end discards the LLR corresponding to the coded bits in the A-MPDU subframe including the target MPDU according to the indication information. According to the technical solutions provided in this application, the LLR corresponding to the coded bits in the buffer of the receive end can be discarded in time, thereby improving throughput of a system and reducing memory requirements.

1. A key configuration method, comprising: receiving, by a target mobility management entity, a first message sent by a source mobility management entity, wherein the first message comprises first bearer information of a terminal device in a source network; determining, by the target mobility management entity, first information based on the first bearer information, wherein the first information is used to indicate a security protection mode of first bearer data in a target network; and sending, by the target mobility management entity, the first information to the source mobility management entity.

2. The method according to claim 1, wherein the first information comprises any one of the following information: non-access stratum NAS protection indication information, access stratum AS protection indication information, and user plane function entity UPF protection indication information; and the UPF protection indication information is used to indicate that the first bearer data in the target network uses a security protection mechanism between the terminal device and a user plane function entity.

3. The method according to claim 1, wherein the method ...

Publication date: 11-03-2021

Autonomous vehicle authentication key delivery

Number: US20210073363A1
Assignee: FORD GLOBAL TECHNOLOGIES LLC

A server includes one or more processors, programmed to responsive to receiving, from a mobile device of a user, a hailing request that identifies the user as requesting to schedule a ride, select a vehicle to respond to the hailing request based on a capacity to accept an encryption key of the vehicle, the hailing request including a user profile, generate an encryption key to authenticate the mobile device of the user with the vehicle, send the encryption key to both the vehicle and the mobile device to schedule the ride.

Publication date: 11-03-2021

Method and device for generating access stratum key in communications system

Number: US20210076207A1
Assignee: Huawei Technologies Co Ltd

In one example method for generating an access stratum key in a communication system, a terminal device acquires an input parameter, where the terminal device is communicably coupled to a first network-side device through a first air interface and at the same time is communicably coupled to a second network-side device through a second air interface. The terminal device has access to a core network via the first network-side device, and has access to the core network via the second network-side device which has access to the core network through the first network-side device. The terminal device calculates an access stratum root key of the second air interface according to the input parameter and an access stratum root key of the first air interface, and generates an access stratum key of the second air interface according to the access stratum root key of the second air interface.

Publication date: 24-03-2022

KEY REVOCATION FOR THE AKMA FEATURE IN 5G

Number: US20220095104A1
Assignee:

A method performed by an Authentication and Key Management for Applications security anchor function (AAnF) includes determining that an anchor key associated with a user equipment (UE) is no longer valid and sending, to at least one Authentication and Key Management for Applications application function (AKMA AF) a message that revokes the anchor key.

1. A method performed by an Authentication and Key Management for Applications security anchor function, AAnF, the method comprising: determining that an anchor key associated with a user equipment, UE, is no longer valid; and sending, to at least one Authentication and Key Management for Applications application function, AKMA AF, a message that revokes the anchor key, the message comprising an application key identifier for revoking at least one application key based on the message indicating that the anchor key is no longer valid.
2. The method of claim 1, wherein the AKMA AF comprises an interface that communicates with the UE.
3. The method of claim 1, further comprising maintaining a list of AKMA AFs for the UE, wherein the AAnF uses the list to determine the at least one AKMA AF to which to send the message revoking the anchor key.
4. (canceled)
5. The method of claim 1, wherein determining that the anchor key associated with the UE is no longer valid comprises determining that the anchor key has been compromised.
6. The method of claim 1, wherein determining that the anchor key associated with the UE is no longer valid comprises determining that the UE is not authenticated anymore.
7. The method of claim 1, wherein the message is transmitted over an integrity protected connection.
8. The method of claim 1, further comprising receiving, from the AKMA AF, a response message indicating successful reception of the message.
9. The method of claim 1, further comprising receiving, from the AKMA AF, a response message indicating unsuccessful reception of the message.
1018.-.
...

Publication date: 24-03-2016

Persona-Notitia Intellection Codifier

Number: US20160085991A1
Assignee: TeleCommunication Systems Inc

A persona-notitia intellection codifier (P-NIC) server intelligently codifies and disburses personal user information from a user device (smartphone, laptop, etc.) to a multiplicity of designee devices. Masking Persona-Notitia Intellection Codes (a.k.a. PICs) are created that each stipulate control(s) and parametric limitation(s) for the associated one of a variety of personal user information. The Persona-Notitia Intellection Codifier (P-NIC) server rapidly produces a mask comprising a multiple bit “key” value (i.e., a persona-notitia intellection code (PIC)) that is uniquely distinguishable from every other PIC that's ever been generated for a given user. The value of the PIC is typically many bytes in length, and associates attributes to a unique key value that describes a desired subset of all the user's available personal user information to be unlocked by the key value (i.e., by the PIC).

Publication date: 02-04-2015

Base station and method in relay node mobility

Number: US20150094025A1
Author: Peng Chen
Assignee: Telefonaktiebolaget LM Ericsson AB

The present disclosure relates to a base station and a method for security key synchronization during relay node (RN) mobility. In one embodiment, the base station may include a first transceiver configured to receive a Next Hop Chaining Counter in use, NCC_use_use, sent from a source base station; a security key synchronization determining unit configured to determine that a security key synchronization criteria as follows is met: NCC_latest − NCC_use_use > Threshold, wherein NCC_latest denotes a Next Hop Chaining Counter corresponding to the last Next Hop (NH) received from evolved packet core (EPC) for the user equipment (UE), and Threshold is a predetermined threshold; a second transceiver configured to send a security key update request to a relay node serving the UE, and to receive a security key update response from the relay node serving the UE; and a security key updater configured to update the NCC_use_use as the NCC_latest.

Publication date: 31-03-2022

KEY NEGOTIATION AND PROVISIONING FOR DEVICES IN A NETWORK

Number: US20220104011A1
Assignee:

The present disclosure proposes method and systems for establishing secure communication session(s) between a first device and a second device, where the first device operates in a user network and implements a first key exchange protocol for secure communication. The second device is capable of communicating with the first device over a wireless communication network. The second device implements a second key exchange protocol that is different to the first key exchange protocol for secure communication. A proxy entity configured for implementing the first and the second key exchange protocols for secure communication is provided. The proxy entity is configured for generating and/or provisioning one or more session keys for the first and the second devices using the key exchange protocols specific to each device for establishing secure communication between the first and second device based on the generated session key(s).

1. A method of establishing a secure communication session between a first device and a second device, the first device operating in a user network and implementing a first key exchange protocol for secure communication, the second device capable of communicating with the first device using a wireless communication network, the second device implementing a second key exchange protocol different to the first key exchange protocol for secure communication, the method comprising providing a proxy entity configured for implementing the first and the second key exchange protocols for secure communication, the proxy entity implementing the steps of: negotiating a first device key for the first device using the first key exchange protocol and negotiating a second device key for the second device using the second key exchange protocol; computing a first session key for the first device and a second session key for the second device, receiving data from the first device, the data encrypted with the first session key; decrypting the data using the first
...

Publication date: 31-03-2022

Method to Retrieve Security Keys of UE in Gateways

Number: US20220104080A1
Author: Nandyal Arjun
Assignee:

Methods, systems, and computer readable media are presented for retrieving security keys in gateways. In one example embodiment, a method is presented. The method of retrieving security keys from a User Equipment (UE) in gateways includes retrieving, by a HetNet Gateway (HNG) as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocking, by the HNG, an X2 handover towards the MME by sending a third message with required Information Elements filled when a fourth message from the eNodeB reaches the HNG.

1. A method of retrieving security keys from a User Equipment (UE) in gateways, comprising: retrieving, by a HetNet Gateway (HNG) as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocking, by the HNG, an X2 handover towards the MME by sending a third message with required Information Elements filled when a fourth message from the eNodeB reaches the HNG.
2. The method of wherein the first message comprises a PATH SWITCH REQUEST.
3. The method of wherein the second message comprises a PATH SWITCH REQUEST ACK.
4. The method of wherein the third message comprises a HANDOVER REQUEST.
5. The method of wherein the fourth message comprises a HANDOVER REQUEST ACK message.
6. The method of wherein the fresh {NH, NCC} are derived using vertical key derivation.
7. A system for retrieving security keys in gateways, comprising: a HetNet Gateway (HNG), wherein the HNG retrieves, as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocks an X2 handover towards the MME by sending a third message with required Information ...

Publication date: 31-03-2022

DISTRIBUTION NETWORK SYSTEM AND METHOD

Number: US20220104106A1
Assignee: Realtek Semiconductor Corp.

A distribution network system and method. The distribution system has a plurality of communication channels and is connected to a mesh network. The mesh network uses one of the plurality of communication channels as a distributable network channel. The distribution network system includes an already-distributed network node and a to-be-distributed network node. The already-distributed network node is located in the mesh network and is configured to broadcast a mesh network beacon to the distributable network channel. The to-be-distributed node is configured to alternately monitor whether the mesh network beacon is detected on each communication channel. The to-be-distributed node outputs a network distribution request message to the already-distributed node according to the mesh network beacon, monitors whether a distribution network response message corresponding to the distribution network request message is detected on the distributable network channel, and joins the mesh network according to the distribution network response message.

1. A distribution network system, having a plurality of communication channels, wherein the distribution network system is communicatively connected to a mesh network, the mesh network uses one of the plurality of communication channels as a distributable network channel, and the distribution network system comprises: a first already-distributed network node, located in the mesh network, and configured to broadcast a first mesh network beacon to the distributable network channel; a first to-be-distributed network node, configured to alternately monitor whether the first mesh network beacon is detected on each communication channel, wherein the first to-be-distributed network node outputs a first distribution network request message to the first already-distributed network node according to the first mesh network beacon, monitors whether a first distribution network response message corresponding to the first distribution network ...

Publication date: 25-03-2021

TELECOMMUNICATIONS APPARATUS AND METHODS

Number: US20210092597A1
Assignee:

A method of operating a second network access node comprises configuring the second network access node to act as a secondary network access node for a dual connectivity mode for a terminal device in which a first network access node acts as a master network access node. The method further comprises establishing, while acting as a secondary network access node for the dual connectivity mode, that the second network access node should switch to acting as a master network access node, deriving a new master network access node security key for use by the second network access node when switched to acting as a master network access node for the dual connectivity mode, and configuring the second network access node to act as a master network access node for the dual connectivity mode using the new master network access node security key.

1. A method of operating a second network access node in a wireless telecommunication system comprising a terminal device, a first network access node and the second network access node, wherein the method comprises: configuring the second network access node to act as a secondary network access node for a dual connectivity mode of operation for the terminal device in which the first network access node acts as a master network access node, wherein the first network access node is associated with a master network access node security key and the second network access node is associated with a secondary network access node security key, wherein the secondary network access node security key is derived from the master network access node security key and is established by the second network access node from information received from the first network access node; establishing, while the second network access node is acting as secondary network access node for the dual connectivity mode of operation for the terminal device, that the second network access node should switch to acting as a master network access node for the dual connectivity ...

Publication date: 05-05-2022

Enhanced VoLTE PDCP Protection Using Hybrid Approach

Number: US20220141654A1
Assignee:

Systems, methods and computer software are disclosed for providing Voice over Long-Term Evolution (VoLTE) Packet Data Conversion Protocol (PDCP) protection. In one embodiment a method is disclosed, comprising: connecting a User Equipment (UE) Radio Resource Control (RRC); providing a VoLTE call; determining, when the VoLTE call has ended, if unused bearer values for a current key are used; and when unused bearer values for a current key are unused, allocating new bearer value for a next VoLTE call.

Publication date: 07-04-2016

Distributing secret keys for managing access to ecus

Number: US20160099806A1
Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC

A system and method of controlling access to electronic control units (ECUs) includes: receiving, at an ECU supplier computer, a supplier encryption key derived from a master encryption key using a supplier identifier that identifies an ECU supplier; issuing an ECU identifier that identifies an ECU and includes the supplier identifier; generating for the ECU an ECU unlock authorization key using the supplier encryption key and the ECU identifier; and storing the ECU unlock authorization key and the ECU identifier in the ECU.

Publication date: 16-04-2015

Secure group key agreement for wireless networks

Number: US20150104017A1
Assignee: TrellisWare Technologies Inc

A method for secure key agreement among a subset of a plurality of transceivers includes generating a first ordered subset of a plurality of keys k_λj, where j = 0 to S. Each of the subset of the plurality of transceivers may possess at least one of the plurality of keys k_λj from the first ordered subset. Each of the subset of the plurality of transceivers possessing one or more keys k_λi, i = 1 to S, also possesses at least one key from a second ordered subset of the plurality of keys k_λj, j = 0 to i−1. A key with index λ0 is designated as a group key. A binary sum of the group key k_λ0 and a key k_λj, where j ≠ 0, is transmitted from one or more of the subset of the plurality of transceivers that possesses the group key k_λ0.

Publication date: 12-05-2022

METHOD, DEVICE, AND SYSTEM FOR DERIVING KEYS

Number: US20220150062A1
Assignee: Huawei Technologies Co., Ltd.

Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

1. A communication system, comprising: a base station of a source radio access network; and the base station is configured to send, in a first handover process from the source radio access network to a target radio access network, a handover required message to the mobility management entity; and receive the handover required message from the base station; obtain a first non-access stratum (NAS) downlink COUNT value in the first handover process; derive, according to a key derivation function (KDF), a root key, the first NAS downlink COUNT value, and a first key comprising a ciphering key and an integrity key; send at least a portion of the first NAS downlink COUNT value to a user equipment in the first handover process; after deriving the first key, obtain, in the first handover process, a second NAS downlink COUNT value by incrementing a value to the first NAS downlink COUNT value, wherein the second NAS downlink COUNT value is obtained in the absence of the mobility management entity sending a NAS message; and after the first handover process fails, derive a second key in a second handover process
...

Publication date: 12-05-2022

SECURITY ASSOCIATION REUSE FOR MULTIPLE CONNECTIONS

Number: US20220150700A1
Assignee:

In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

1. A method to establish a secure connection between network devices, the method comprising: identifying, by an agent of a first networking device, a plurality of data paths between the first networking device and a second networking device, wherein a given data path connects an interface of the first device with an interface of the second networking device, each interface being uniquely identified by an associated Internet Protocol (IP) address; establishing, by the agent, a secure connection, wherein establishing the secure connection includes: establishing a connection between the first and second network devices using a first virtual IP address of the first network device and a second virtual IP address of the second network device; negotiating one or more security keys to establish the secure connection, the one or more security keys including at least an encryption key and a decryption key; generating an inbound security association and an outbound security association for each of the plurality of data paths, a given inbound security association including IP addresses associated with the given data path and the decryption key, a given outbound security association including IP addresses associated with the given data path and the encryption key; and installing the inbound security association and ...

Publication date: 12-05-2022

END-TO-END ENCRYPTION WITH DISTRIBUTED KEY MANAGEMENT IN A TRACKING DEVICE ENVIRONMENT

Number: US20220150702A1
Assignee:

A tracking device can provide a hashed identifier to a mobile device, for instance within an advertisement packet. The mobile device can query each of a plurality of entities with the hashed identifier to identify an entity associated with the hash key used to generate the hashed identifier. In some embodiments, the mobile device can query a centralized key server, which in turn can query the plurality of entities to identify the entity associated with the hash key. The mobile device can then receive a public key from the identified entity, can determine a location of the mobile device, and can encrypt the location with the public key. The mobile device can then provide the hashed identifier and the encrypted location to the identified entity, which can provide the encrypted location to an owner of the tracking device for decryption using a private key corresponding to the public key.

1. A method comprising: receiving, by a mobile device, a hashed identifier from a tracking device, the tracking device configured to compute the hashed identifier using a hash key, the hashed identifier corresponding to the tracking device; querying, by the mobile device, a server associated with each of a plurality of entities with the hashed identifier, each of the plurality of entities associated with a set of hash keys and associated with a set of tracking devices, the server comprising a directory storing, for each entity, a candidate hashed identifier for each combination of hash key in the set of hash keys associated with the entity and tracking device in the set of tracking devices associated with the entity; receiving, by the mobile device, a public key from a server associated with a first entity of the plurality of entities associated with the hash key used to compute the hashed identifier, the public key associated with the tracking device; accessing, by the mobile device, location data representative of a location of the mobile device; encrypting, by the mobile device, the ...

Publication date: 29-04-2021

Remote Interface For Digital Configuration And Security Of Safety Equipment

Number: US20210121330A1
Assignee:

In some examples, a system includes: a plurality of different articles of personal protection equipment (PPE) that are all controlled by a particular user, and a computing device. The computing device may include one or more computer processors configured to receive sets of data from each of the different articles of PPE, wherein each set of data is based at least in part on a type of each of the different articles of PPE; generate for display a user interface that contemporaneously includes a plurality of graphical elements that are based at least in part on at least two sets of data that correspond to at least two different articles of PPE of the plurality of different articles of PPE; and in response to receiving an indication of user input that corresponds to at least one of the plurality of graphical elements, perform at least one operation.

1-27. (canceled)
28. A system comprising: a plurality of different articles of personal protection equipment (PPE) that are all controlled by a particular user, wherein each respective article of PPE comprises a respective communication device; a second communication device; one or more computer processors; and a memory comprising instructions that when executed by the one or more computer processors cause the one or more computer processors to receive sets of data from each of the different articles of PPE, wherein each set of data is based at least in part on a type of each of the different articles of PPE; generate for display a user interface that contemporaneously includes a plurality of graphical elements that are based at least in part on at least two sets of data that correspond to at least two different articles of PPE of the plurality of different articles of PPE; in response to receiving an ...

Publication date: 29-04-2021

ENHANCED BEACON PROTECTION REKEYING AND ATTACK DETECTION FOR WIRELESS COMMUNICATIONS

Number: US20210127273A1
Assignee:

This disclosure describes systems, methods, and devices related to beacon protection rekeying and attack detection. A device may set a first beacon integrity group transient key (BIGTK). The device may generate a first frame including a first indication of a second BIGTK to be used for a first integrity analysis of the first frame, a second indication of the first BIGTK, and a third indication that the first BIGTK is to be used for a second integrity analysis of a second frame to be sent after the first frame. The device may send the first frame, and may generate the second frame, the second frame including an indication that the first BIGTK is to be used for the second integrity analysis of the second frame. The device may send the second frame.

1. A device, the device comprising processing circuitry coupled to storage, the processing circuitry configured to: set a first beacon integrity group transient key (BIGTK); generate a first frame comprising a first indication of a second BIGTK to be used for a first integrity analysis of the first frame, a second indication of the first BIGTK, and a third indication that the first BIGTK is to be used for a second integrity analysis of a second frame to be sent after the first frame; send the first frame; generate the second frame, the second frame comprising a fourth indication that the first BIGTK is to be used for the second integrity analysis of the second frame; and send the second frame.
2. The device of claim 1, wherein the first frame is a first beacon frame, wherein the second frame is a second beacon frame, and wherein the third indication comprises a switch count indicative of a number of beacon frames to be sent after the first beacon frame and before the second beacon frame, the number of beacon frames comprising the first indication of the second BIGTK to be used for integrity analyses of the number of beacon frames.
3. The device of claim 2, wherein the switch count is two, ...

Publication date: 28-04-2016

Method for allocating communication key based on android intelligent mobile terminal

Number: US20160119783A1
Author: Chunhua Liu, Yong Zhao

Disclosed is a method for allocating a communication key based on an Android intelligent mobile terminal. By establishing a universal secret communication platform on the bottom layer of an Android operating system, an intelligent mobile terminal is equipped with the functions of being able to interact with a secret communication support network, receiving a two-level key and using a received service key after decrypting same, thereby being able to provide universal bottom-layer support for a VoIP secret call, a secret short message, a secret video call, file encryption transmission, secure mobile payment and other communication services which require secrecy support. The secret communication support network provides the service keys required for various communication services for a reformed intelligent mobile terminal, and after obtaining the service keys, the intelligent mobile terminal uses same to conduct the secret communication.

Publication date: 09-06-2022

CRYPTOGRAPHIC KEY GENERATION FOR MOBILE COMMUNICATIONS DEVICE

Number: US20220182821A1
Assignee:

According to an example aspect of the present invention, there is provided a method, comprising: generating a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generating a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generating authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.

1-27. (canceled)
28. An apparatus comprising at least one processor; and at least one memory including computer program code, the at least one memory and computer program code being configured to, with the at least one processor, to cause the apparatus to at least perform: generate a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generate a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generate authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.
29. The apparatus of claim 28, wherein the authentication credentials are generated as part of an authentication and key agreement based authentication procedure.
30. The apparatus of claim 28, wherein the at least one memory and computer program code are further configured to, with the at least one processor, to cause the apparatus to perform: generate a cipher key and an integrity key on the basis of the second key.
31. The apparatus of claim 28, wherein the at least one memory and computer program code are further configured to, with the at least one processor, to cause the apparatus to perform: generate an extended master session key on the basis of the second key.
32. The apparatus of claim 28 ...

Publication date: 25-08-2022

METHODS AND SYSTEMS FOR SECURE COMMAND, CONTROL, AND COMMUNICATIONS

Number: US20220269429A1
Assignee:

In some aspects, an apparatus for encoding data for delivery to or for decoding data retrieved from a storage medium comprises a memory device and at least one hardware processor. The memory device is configured to store at least one parameter associated with at least one cryptographic protocol, the at least one parameter comprising one or more of a first cryptographic scheme, a first cryptographic key operation, a first cryptographic key length, and first cipher directives. The hardware processor is configured to generate a first frame comprising a first field for one parameter selected from the first cryptographic scheme, the first cryptographic key operation, the first cryptographic key length, and the first cipher directives and excluding fields for non-selected parameters, wherein the first frame is associated with the data delivered to or retrieved from the storage medium.

1. A first device for encoding data for transmission, comprising: a memory configured to store one or more configurable cryptographic system parameters; and one or both of a control bit and a status bit; and a hardware processor configured to generate a frame comprising a plurality of fields, wherein the plurality of fields comprises one or more fields associated with the one or more configurable cryptographic system parameters, and the plurality of fields comprises at least a control bit field or a status bit field; and define instructions to derive a second cryptographic key configured to encrypt or decrypt a second communication with a second device based on a cryptographic key used by the second device in a first communication with the first device; and the one or more configurable cryptographic system parameters.
2. The first device of claim 1, wherein the one or more configurable cryptographic system parameters comprise one or more of: a cryptographic scheme parameter; a cipher directive parameter; a key operation parameter; or a key length parameter.
3. The first ...

Publication date: 25-08-2022

WWAN-WLAN AGGREGATION SECURITY

Number: US20220272528A1
Assignee:

One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PMKID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

1. A method for secure wireless communication at an apparatus associated with a network, the method comprising: receiving a wireless local area network (WLAN) termination point addition request from a wireless wide area network (WWAN) node, the WLAN termination point addition request including a cryptographic key and a user equipment identifier identifying a user equipment; generating a network-generated first identifier based on the user equipment identifier and the cryptographic key received from the WWAN node; storing the network-generated first identifier at the apparatus and associating the network-generated first identifier with the cryptographic key; receiving an extensible authentication protocol (EAP) identity response from an access point associated with the network, the EAP identity response including a user equipment-generated first identifier; determining that the user equipment-generated first identifier corresponds to the stored network-generated first identifier; generating a master session key (MSK); and transmitting an EAP success message and the MSK to the access
...

Publication date: 25-08-2022

METHOD AND APPARATUS FOR GUARANTEEING TRUST OF PACKET IN DISTRIBUTED COMMUNICATION SYSTEM

Number: US20220272529A1
Author: HWANG Hyun Gu

An operation method of a first communication node in a wireless distributed communication system may comprise: providing a group code and a primary secret key to a third communication node via a second communication node; receiving, from the third communication node, a first packet including a first group trust field through wireless distributed communication, the first group trust field being generated using the group code and the primary secret key; and performing a trustworthiness check of the received first packet by using the first group trust field included in the received first packet, the group code, and the primary secret key.

1. An operation method of a first communication node in a wireless distributed communication system, the operation method comprising: providing a group code and a primary secret key to a third communication node via a second communication node; receiving, from the third communication node, a first packet including a first group trust field through wireless distributed communication, the first group trust field being generated using the group code and the primary secret key; and performing a trustworthiness check of the received first packet by using the first group trust field included in the received first packet, the group code, and the primary secret key.
2. The operation method according to claim 1, further comprising: receiving, from the third communication node, first position information of the third communication node together with the first group trust field; determining whether the third communication node has entered an entry restricted area based on the first position information; and in response to determining that the third communication node has entered the entry restricted area, permitting the third communication node to enter the entry restricted area when a trustworthiness of the first packet is confirmed.
3. The operation method according to claim 1, further comprising: generating a secondary secret key by updating the ...

Publication date: 25-08-2022

SECURITY CONFIGURATIONS FOR CONDITIONAL HANDOVERS

Number: US20220272589A1
Author: Ishii Atsushi
Assignee:

A wireless terminal comprises receiver circuitry and processor circuitry. The receiver circuitry is configured to receive a configuration message comprising one or more conditional handover configurations, each of the one or more conditional handover configurations comprising at least one identity of a candidate target cell, and at least one triggering condition. The processor circuitry is configured to establish, using a first key set, a first security context with a first wireless access node; to perform a conditional handover to a candidate target cell configured by one of the one or more conditional handover configurations, in a case that the at least one triggering condition associated with the candidate target cell is met; and to establish a second security context with a second wireless access node that serves the candidate target cell, based on whether or not a security configuration associated with the candidate target cell is configured by the configuration message.

1. A wireless terminal comprising: receiver circuitry configured to receive a configuration message comprising one or more conditional handover configurations, each of the one or more conditional handover configurations comprising at least one identity of a candidate target cell, and at least one triggering condition; processor circuitry configured: to establish, using a first key set, a first security context with a first wireless access node; to perform a conditional handover to a candidate target cell configured by one of the one or more conditional handover configurations, in a case that the at least one triggering condition associated with the candidate target cell is met; to establish a second security context with a second wireless access node that serves the candidate target cell, based on whether or not a security configuration associated with the candidate target cell is configured by the configuration message.
2. The wireless terminal of claim 1, wherein, in a case that the ...

Publication date: 25-08-2022

COMMUNICATION DEVICE AND NON-TRANSITORY COMPUTER-READABLE MEDIUM STORING COMPUTER-READABLE INSTRUCTIONS FOR COMMUNICATION DEVICE

Number: US20220272625A1
Author: Shibata Hiroshi
Assignee:

A communication device may execute an output control process for externally outputting output information obtained by using a public key, receive an authentication request in which the public key is used from a terminal device, send an authentication response to the terminal device, receive N pieces of wireless setting information from the terminal device, send, by using each of the N pieces of wireless setting information, a confirm signal to an access point corresponding to each of the N pieces of wireless setting information, receive a response signal in response to sending the confirm signal from each of M access points among N access points, select a target access point from among the M access points, and establish a wireless connection with the target access point.

1. A communication device comprising; a wireless interface configured to execute a wireless communication in conformity with Wi-Fi standard; and a controller configured to: execute an output control process for externally outputting output information, the output information being obtained by using a public key; receive, from a terminal device, via the wireless interface, an authentication request in which the public key is used; send an authentication response to the terminal device via the wireless interface; after the authentication response has been sent to the terminal device, receive plural pieces of wireless setting information from the terminal device via the wireless interface, each of the plural pieces of wireless setting information being for establishing a wireless connection with an access point corresponding to the wireless setting information; send, by using plural pieces of wireless setting information, a confirm signal to the access point corresponding to each of the plural pieces of wireless setting information via the wireless interface; receive, via the wireless interface, a response signal in response to sending the confirm signal from an access point to which the confirm signal is sent ...

Publication date: 16-04-2020

METHOD AND SYSTEM FOR PAIRING WIRELESS MOBILE DEVICE WITH IoT DEVICE

Number: US20200120500A1
Assignee: Aeris Communications Inc

A computer-implemented method and system for pairing one or more source devices with at least one target device are disclosed. The computer implemented method for pairing one or more source devices with at least one target device, the method includes receiving device identifiers for the one or more source devices and the at least one target device; generating pairing resource for at least one of the one or more source devices and the at least one target device; and using the pairing resource to allow authenticated and authorized users to perform a remote operation on the at least one target device from the at least one of the one or more source devices.

Publication date: 27-05-2021

APPARATUS AND METHOD FOR MANAGING SECURITY KEYS IN WIRELESS COMMUNICATION SYSTEM

Number: US20210160692A1
Assignee:

The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates Beyond 4th-Generation (4G) communication system such as Long Term Evolution (LTE). Disclosed is method of refreshing a security key in a secondary cell group (SCG) controlled by a secondary node (SN) of a wireless communication system, wherein the network is configured to operate in dual connectivity (DC) mode and further comprises a master cell group (MCG) controlled by a master node (MN) the method comprising: the SN indicating in a first message to a user equipment (UE) that security key refresh is to be performed; the UE generating the refreshed security key and transmitting a second message to the SN, wherein the second message indicates that the security key has been refreshed.

1. A method performed by a secondary node (SN) controlling a secondary cell group (SCG) in a wireless communication system, wherein the wireless communication system is configured to operate in dual connectivity (DC) mode and further comprises a master cell group (MCG) controlled by a master node (MN), the method comprising: transmitting, to a user equipment (UE), a first message informing that a security key refresh is to be performed; and receiving, from the UE, a second message indicating that a security key has been refreshed.
2. A method performed by a user equipment (UE) in a wireless communication system, wherein the wireless communication system is configured to operate in dual connectivity (DC) mode and further comprises a master cell group (MCG) controlled by a master node (MN) and a secondary cell group (SCG) controlled by a secondary node (SN), the method comprising: receiving, to the SN, a first message informing that a security key refresh is to be performed; and transmitting, to the SN, a second message indicating that a security key has been refreshed.
3. The method of claim 1, wherein the first message comprises a counter value to be used in ...

Publication date: 01-09-2022

Application Function Key Derivation and Refresh

Number: US20220278835A1
Assignee:

Apparatuses, systems, and methods for application function (AF) key generation and AF key renewal. A user equipment device (UE) may communicate with an application function (AF) via a radio access network (RAN) using a first AF key and determine that the first AF key has expired. The UE may derive a second AF key based on at least an Architecture for Authentication and Key Management for Applications (AKMA) anchor key (KAKMA) and a counter parameter and communicate with the AF via the RAN using the second AF key. At least one of the UE, the AF, and/or an AKMA Anchor Function (AAnF) may be configured to monitor expiration of the first AF key based on an associated lifetime of the first AF key. The first and second AF keys may be derived using a key derivation function that includes at least one variable parameter.

1. A non-transitory computer readable memory medium storing program instructions executable by processing circuitry to cause a user equipment device (UE) to: communicate with an application function (AF) via a radio access network (RAN) using a first application function key (AF key), wherein the first AF key is associated with a lifetime; determine that the first AF key has expired; derive a second AF key based on at least an Architecture for Authentication and Key Management for Applications (AKMA) anchor key (KAKMA) and a counter parameter; and communicate with the AF via the RAN using the second AF key.
2. The non-transitory computer readable memory medium of claim 1, wherein, to determine that the first AF key has expired, the program instructions are further executable to cause the UE to: receive, from an AKMA Anchor Function (AAnF), a first message, wherein the first message indicates expiration of the first AF key.
3. The non-transitory computer readable memory medium of claim 2, wherein the first message includes the counter parameter, and wherein the counter parameter is incremented each time a new AF key associated with the first AF key is derived. ...

Publication date: 01-09-2022

Secure Virtual Personalized Network with Preconfigured Wallets

Number: US20220278966A1
Assignee: Neone, Inc.

A computer that provides a secure, virtual personalized network (SVPN) with one or more preconfigured digital wallets for a first user in the SVPN is described. Notably, the computer may execute a virtual machine that provides a container for the SVPN of the first user, and the first electronic device associated with the first user may execute an instance of an application that facilitates secure communication in the SVPN and/or conducting of one or more distributed secure transactions (such as a transaction associated with a cryptocurrency or a non-fungible token or NFT) via the SVPN. Moreover, the virtual machine may provide a container for the SVPN of the first user. This container may include the one or more preconfigured digital wallets associated with the first user, where a given preconfigured digital wallet includes cryptographic keys and a distributed ledger for use in conducting the one or more distributed secure transactions.

1. A computer, comprising: an interface circuit; memory configured to store program instructions; and a processor, coupled to the interface circuit and the memory, configured to execute the program instructions, wherein, when executed by the processor, the program instructions cause the computer to perform one or more operations comprising: receiving a set-up request associated with a first user of a first electronic device; and establishing an instance of a virtual machine that provides a container for a secure, virtual personalized network (SVPN) of the first user, wherein the container comprises one or more preconfigured digital wallets associated with the first user, and wherein a given preconfigured digital wallet comprises cryptographic keys and a distributed ledger for use in conducting one or more distributed secure transactions.
2. The computer of claim 1, wherein the one or more distributed secure transactions comprise a transaction associated with a cryptocurrency or a non-fungible token.
3. The computer of claim 1, ...

Publication date: 01-09-2022

Verified Anonymous Persona for a Distributed Token

Number: US20220278967A1
Assignee: Neone, Inc.

A computer that provides one or more verified personas for a distributed token (such as a non-fungible token or NFT) of a first user is described. Notably, the computer may provide the one or more verified personas for the first user that are based at least in part on their account(s) with a provider of a secure, virtual private network (SVPN) of the first user. Consequently, the identity of the first user may be known to the provider. However, the one or more verified personas may obfuscate the known identity of the first user when conducting one or more discrete secure transactions (such as a transaction associated with a cryptocurrency or the NFT) using or associated with the distributed token. In particular, the first user may associate or link the one or more verified personas with the distributed token, thereby providing the benefits of privacy and selective (as-needed) identification.

1. A computer, comprising: an interface circuit configured to communicate with a second computer; memory configured to store program instructions; and a processor, coupled to the interface ... receiving, at the interface circuit, a verification query associated with the second computer, wherein the verification query comprises information specifying a verified persona, wherein an identity of an individual associated with the verified persona is anonymous to the second computer and is known to the computer based at least in part on a secure, virtual personal network (SVPN) that comprises the individual, and wherein the verified persona is associated with a distributed token; confirming that the verified persona is valid based at least in part on the verification query; and providing, from the interface circuit, a verification response addressed to the second computer, wherein the verification response indicates whether the verified persona is valid, while keeping the identity of the individual associated with the verified persona anonymous to at least the second computer.

Publication date: 01-09-2022

Establishing multiple security associations in a connection operation

Number: US20220279350A1
Assignee: Arista Networks Inc

Disclosed methods and systems employ an agent to identify data paths between first and second networking devices, such that a data path connects an interface of the first networking device with an interface of the second networking device, each interface being uniquely identified by an associated Internet Protocol (IP) address. The agent establishes a secure connection as follows. First a connection is established between the first and second networking devices using respective first and second IP addresses. Next, security keys are negotiated to establish the secure connection, the security keys including encryption keys and decryption keys. Next, inbound and outbound security associations are established for each of the plurality of data paths, inbound and outbound security associations including IP addresses associated with respective data paths and respective decryption keys. Finally, the inbound and outbound security associations are established in a data plane of the first networking device.

Publication date: 03-06-2021

Method for the vehicle-internal management of cryptographic keys

Number: US20210167956A1
Assignee: Continental Teves AG and Co oHG

A method for the vehicle-internal management of cryptographic keys comprises provision of at least one secret for a vehicle-internal key generation device and generation of at least one new cryptographic key by the vehicle-internal key generation device on the basis of the at least one secret.

Publication date: 03-06-2021

Secure Session Method And Apparatus

Number: US20210168594A1
Assignee:

This application provides an example secure session method and apparatus. The method includes receiving, by a user plane gateway, a service request message from user equipment UE, where the service request message is used to request to establish a connection between the UE and a service server in a data network. The user plane gateway and the UE separately generate an encryption key and an integrity protection key based on the service request message, and activate encryption protection and/or integrity protection based on the generated encryption key and integrity protection key.

1. A secure session method, comprising: receiving, by a user plane gateway, a service request message from user equipment (UE), wherein the service request message is used to request to establish a connection between the UE and a service server in a data network; generating, by the user plane gateway, an encryption key and an integrity protection key based on the service request message; and activating, by the user plane gateway, at least one of encryption protection or integrity protection based on the encryption key and the integrity protection key.
2. The method according to claim 1, wherein the method further comprises: determining, by the user plane gateway, a first security algorithm based on a security capability of the UE, a security capability of the user plane gateway, and a security requirement of a service; and sending, by the user plane gateway, indication information of the first security algorithm to the UE.
3. The method according to claim 1, wherein the method further comprises: receiving, by the user plane gateway, indication information of a first security algorithm from a session management network element, wherein the first security algorithm is determined based on a security capability of the UE, a security capability of the user plane gateway, and a security requirement of a service.
4. The method according to claim 1, wherein the generating, by the user plane ...

Publication date: 03-06-2021

VEHICLE DIGITAL KEY SHARING SERVICE METHOD AND SYSTEM

Number: US20210168602A1
Assignee:

The present invention relates to a vehicle digital key sharing service method. The vehicle digital key sharing service method according to one embodiment includes a digital registration step in which a management server generates a terminal digital key and a vehicle digital key after user authentication in response to a digital key registration request through a dedicated application of a mobile terminal and the mobile terminal stores the terminal digital key in a secure world that is separated from a normal world and a digital key using step in which an authentication token is generated using the terminal digital key stored in the secure world when the mobile terminal approaches or tags a vehicle and a vehicle device locks or unlocks a door of the vehicle by activating the vehicle digital key, which is registered from the management server, to validate the authentication token.

1. A vehicle digital key sharing service method comprising: a digital registration step in which a management server generates a terminal digital key and a vehicle digital key after user authentication in response to a digital key registration request through a dedicated application of a mobile terminal and the mobile terminal stores the terminal digital key in a secure world that is separated from a normal world; and a digital key using step in which an authentication token is generated using the terminal digital key stored in the secure world when the mobile terminal approaches or tags a vehicle, and a vehicle device locks or unlocks a door of the vehicle by activating the vehicle digital key, which is registered from the management server, to validate the authentication token.
2. The vehicle digital key sharing service method of claim 1, wherein the digital key registration step comprises a step of registering the digital key in a mobile terminal-based relay mode in which on behalf of the vehicle device the mobile terminal relays registration of the vehicle digital key through ...

Publication date: 08-09-2022

Key Distribution Method, Key Receiving Method, First Key Management System, and First Network Element

Number: US20220286442A1
Author: Gan Lu, ZHANG BO
Assignee:

The present invention discloses a key distribution method. The method includes obtaining, by a first key management system, a shared key of a first network element, where the shared key of the first network element is generated according to a key parameter obtained after the first network element performs authentication or a root key of the first network element; obtaining a service key, where the service key is used to perform encryption and/or integrity protection on communication data in a first service between the first network element and a second network element; performing encryption and/or integrity protection on the service key by using the shared key of the first network element, to generate a first security protection parameter; and sending the first security protection parameter to the first network element. According to present invention, data can be protected against an eavesdropping attack in a sending process.

1. A method, comprising: obtaining, by a first key management system, a shared key of a first network element, wherein the shared key of the first network element is generated according to a key parameter obtained after the first network element is authenticated; obtaining, by the first key management system based on the shared key, a service key, wherein encryption or integrity protection is performed on communication data using the service key in a first service between the first network element and a second network element; and sending, by the first key management system, the service key to the second network element.
2. The method according to claim 1, wherein obtaining, by the first key management system, the shared key of the first network element comprises: obtaining, by the first key management system, a first parameter, wherein the first parameter is obtained by performing Authentication and Key Agreement (AKA) authentication with the first network element, wherein the first parameter comprises an integrity key, and a ...

Publication date: 09-05-2019

Transmission Data Protection System, Method, and Apparatus

Number: US20190141524A1
Assignee: Huawei Technologies Co Ltd

A system for transmission data protection includes user equipment (UE) and an access point. The access point sends a broadcast message that carries a public key for encryption. The UE receives and stores the public key for encryption. The UE obtains a global public key or a private key corresponding to the UE, and protects transmission data using the public key for encryption and the global public key or the private key corresponding to the UE.

Publication date: 10-06-2021

TRUE WIRELESS STEREO SYSTEM AND METHOD

Number: US20210176811A1
Assignee: DSP Group LTD.

A wireless audio system that may include a first wireless transceiver that is configured to receive audio information from an audio source over a bi-directional wireless link; a second wireless transceiver that is configured to sniff audio information sent over the bi-directional wireless link; and wherein the first and second wireless transceivers are configured to share sniff enabling information, over a shared link and before an establishment of the bi-directional wireless link.

1. A wireless audio system, comprising: a first wireless transceiver that is configured to receive audio information from an audio source over a bi-directional wireless link; a second wireless transceiver that is configured to sniff audio information sent over the bi-directional wireless link; and wherein the first and second wireless transceivers are configured to share sniff enabling information, over a shared link and before an establishment of the bi-directional wireless link.
2. The system according to wherein the shared link is a wired link.
3. The system according to wherein the first and second wireless transceivers are configured to share the sniff enabling information while being charged.
4. The system according to wherein the first and second wireless transceivers are configured to perform clock synchronization while being charged.
5. The system according to wherein the first and second wireless transceivers are configured to share private and public keys.
6. The system according to wherein the first wireless transceiver is configured to inform the second wireless transceiver about a future change in the sniff enabling information.
7. The system according to wherein the first wireless transceiver is configured to check whether the second wireless transceiver received the sniff enabling information, and to re-establish communication with the second wireless transceiver when determining that the second wireless transceiver did not receive the sniff enabling information.
8. The ...

Publication date: 04-06-2015

Security key generator

Number: US20150156179A1
Author: Elvis Gabriel Nica
Assignee: FREESCALE SEMICONDUCTOR INC

A communication system has a first and a second communicating device operable to send and receive data units through a communication channel. Some of the data are encrypted using a security key. The first device comprises a first key generator generating a first embodiment of the key independently of a second embodiment of the key generated by a second generator of the second device, the second embodiment being generated independently of the first, which depends on parameter(s) characterizing a first transmission quality of the channel when receiving a first set of unencrypted data sent by the second device. The second embodiment depends on parameter(s) characterizing a second transmission quality of the channel when receiving a second set of unencrypted data sent by the first device, the first set being different from the second set.

Publication date: 15-09-2022

METHOD AND SYSTEM FOR GENERATING AN ADVANCED STORAGE KEY IN A MOBILE DEVICE WITHOUT SECURE ELEMENTS

Number: US20220292499A1
Assignee: MasterCard International Incorporated

A method for building an advanced storage key includes: storing, in a mobile device, at least (i) device information associated with the mobile device, (ii) program code associated with a first program including an instance identifier, and (iii) program code associated with a second program including a first key; generating a device fingerprint associated with the mobile device based on the device information via execution of the code associated with the first program; generating a random value via execution of the code associated with the first program; building a diversifier value based on the generated device fingerprint, the generated random value, and the instance identifier included in the code associated with the first program; and decrypting the built diversifier value using the first key stored in the code associated with the second program via execution of the code associated with the second program to obtain a storage key.

1. A method for building an advanced storage key, comprising: generating, by a processing device of a mobile communication device, a device fingerprint associated with the mobile communication device based on stored device information via a first application program on the mobile communication device; generating, by the processing device via the first application program, a random value; generating, by the processing device via the first application program, a diversifier value based on at least the generated device fingerprint, the generated random value, and an instance identifier included in the first application program, the instance identifier being unique to an instance of the first application program; building, by the processing device via the first application program, the advanced storage key the advanced storage key being unique to the instance of the first application program; storing, by the processing device via the first application program, data in a local database of the mobile communication device; and encrypting, by the ...

Publication date: 15-09-2022

Secure Virtual Personalized Network

Number: US20220294771A1
Author: Glassco Dave M.
Assignee: Neone, Inc.

A computer provides a secure, virtual personalized network (SVPN) for a first user with master privileges and at least a second user with guest privileges in the SVPN. Notably, the computer may execute a virtual machine that provides a container for the SVPN of the first user, and the first electronic device associated with the first user and a second electronic device associated with the second user may execute instances of an application that facilitates secure communication in the SVPN. Moreover, the first electronic device may store a set of first encryption keys and the second electronic device may store a set of second encryption keys, which allow the first electronic device and the second electronic device to securely communicate with each other via the SVPN. Note that the computer may not be able to access the set of first encryption keys or the set of second encryption keys.

1. A computer, comprising: an interface circuit configured to communicate with a group of electronic devices, wherein the group of electronic devices includes at least a first electronic device and a second electronic device; memory configured to store program instructions; and performing secure device-to-device communication between the first electronic device and the second electronic device in a secure virtual personalized network (SVPN) of a first user associated with the first electronic device, wherein the secure device-to-device communication is performed via an instance of a virtual machine in the computer that provides a container for the SVPN, wherein the SVPN is independent of another SVPN of another user that is hosted by the computer that is, at least in part, implemented using another instance of a virtual machine in the computer, and wherein payloads in packets or frames in the secure device-to-device communication associated with a given electronic device in the first electronic device and the second electronic device are encrypted using an encryption key and the ...

Publication date: 15-09-2022

Anchor Key Generation Method, Device, and System

Number: US20220295271A9
Author: Gan Lu, Wu Rong, ZHANG BO
Assignee:

An anchor key generation method, device, and system, where the method includes generating, by a unified data management network element (UDM), an intermediate key based on a cipher key (CK), an integrity key (IK), and indication information regarding an operator; sending, by the UDM, the intermediate key to an authentication server function (AUSF); receiving, by the AUSF, the intermediate key; generating, by the AUSF, an anchor key based on the intermediate key; sending, by the AUSF, the anchor key to a security anchor function (SEAF); and generating, by the SEAF, a key (Kamf) based on the anchor key, where the Kamf is used to derive a 3rd Generation Partnership Project (3GPP) key.

1. A method implemented in a communication system, comprising: generating, by a user equipment, an intermediate key based on a cipher key (CK), an integrity key (IK), and an operator type identifier comprising a service network (SN) identifier; generating, by the user equipment, an anchor key based on the intermediate key, wherein the anchor key is to implement compatibility with various access modes; generating, by the user equipment, a key (Kamf) based on the anchor key; deriving, by the user equipment, a base station key based on the Kamf; and deriving, by the user equipment based on the base station key, a user plane cipher key, a user plane integrity key, a control plane cipher key, and a control plane integrity key.

2. The method according to claim 1, wherein generating, by the user equipment, the anchor key based on the intermediate key comprises: generating, by the user equipment, an extended master session key (EMSK′) based on the intermediate key; generating, by the user equipment, a key (K_left) by truncating a bit of the EMSK′; and obtaining, by the user equipment, the anchor key based on the K_left and the SN identifier.

3. The method according to claim 1, further comprising deriving, by the user equipment, a non-access ...

Publication date: 17-06-2021

SECURITY CONTEXT OBTAINING METHOD AND APPARATUS

Number: US20210185524A1
Author: Tan Shuaishuai, Wu Rong
Assignee:

This application provides a security context obtaining method and apparatus. The method includes: receiving, by a user plane gateway, a PDU session establishment request from UE, where the PDU session establishment request is used to request to establish a PDU session between the user plane gateway and the UE, and the PDU session is carried between the UE and a service server of a data network; and separately obtaining, by the user plane gateway and the UE, a security context used for the PDU session, and activating user plane security protection based on the security context. Therefore, during PDU session reestablishment, for example, PDU session reestablishment triggered by switching of the user plane gateway, a session management network element, and the like, the user plane gateway and the UE can obtain a new security context, thereby achieving end-to-end protection between the UE and the user plane gateway.

1. A security context obtaining method, comprising: receiving, by a user plane gateway, a packet data unit (PDU) session establishment request, wherein the PDU session establishment request is used to request to establish a PDU session between the user plane gateway and user equipment (UE), and the PDU session is carried between the UE and a service server of a data network; obtaining, by the user plane gateway, a security context used for the PDU session; and activating, by the user plane gateway, user plane security protection based on the security context.

2. The method according to claim 1, wherein the obtaining, by the user plane gateway, of the security context used for the PDU session comprises: obtaining, by the user plane gateway, a shared security context from a session management network element, wherein the shared security context is a security context corresponding to the UE; and determining, by the user plane gateway, the shared security context as the security context.

3. The method according to claim 1, wherein the security ...

Publication date: 22-09-2022

Transaction device use of a dynamically generated value based on a next expected session key

Number: US20220300961A1

A system, method, and computer readable medium (collectively, the “system”) are provided. The system may include a processor configured to perform operations and/or steps comprising receiving a selection of a transaction account to be used as payment for a transaction; and transmitting a wireless signal carrying emulated track data for payment of the transaction, wherein the emulated track data emulates data in tracks of a magnetic card and includes alias transaction account data in place of actual transaction account data.

Publication date: 24-06-2021

Identity Information Processing Method, Device, and System

Number: US20210195409A1
Author: ZHANG BO
Assignee:

An identity information processing method, a device, and a system, the method including obtaining, by a first network element, a first parameter, where the first parameter is associated with a domain to which a network slice belongs, and determining, by the first network element, according to the first parameter, whether the network slice is managed by an operator.

1. An identity information processing method, comprising: obtaining, by a first network element, a first parameter, wherein the first parameter is associated with a domain to which a network slice belongs; and determining, by the first network element, according to the first parameter, whether the network slice is managed by an operator.

2. The identity information processing method according to claim 1, wherein the first network element is at least one of a slice selection network element, a network repository network element, or an access and mobility management network element.

3. The identity information processing method according to claim 2, wherein the first network element is at least one of the slice selection network element or the network repository network element; and wherein the method further comprises sending, by the first network element, indication information to an access and mobility management network element, wherein the indication information indicates whether the network slice is managed by the operator.

4. The identity information processing method according to claim 1, wherein the first parameter comprises at least one of network slice selection assistance information (NSSAI) corresponding to the network slice, a routing area identifier (TAI) of a terminal, or a service type of the terminal.

5. An identity information processing method, comprising: determining, by a second network element, whether to hide first identity information of a terminal; and hiding, by the second network element, in response to the second network element ...

Publication date: 24-06-2021

COMMUNICATION APPARATUS, COMMUNICATION METHOD, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM

Number: US20210195410A1
Author: Goto Fumihide
Assignee:

Based on an instruction for starting communication parameter sharing processing using a Wi-Fi Device Provisioning Protocol, a public key to be used in the communication parameter sharing processing is shared, and authentication processing with a providing apparatus that provides a communication parameter is executed using the shared public key. After the authentication processing, a Configuration Request packet indicating a request for a plurality of network identifiers is generated, and the generated Configuration Request packet is transmitted to the providing apparatus.

1. A communication apparatus comprising: an acceptance unit configured to accept an instruction for starting communication parameter sharing processing using a Wi-Fi Device Provisioning Protocol; an execution unit configured to execute processing of sharing a public key to be used in the communication parameter sharing processing, based on the instruction; an authentication unit configured to execute authentication processing with a providing apparatus that provides a communication parameter, using the public key shared by processing of the execution unit; a generation unit configured to generate a Configuration Request packet indicating a request for a plurality of network identifiers, after the authentication processing; and a transmission unit configured to transmit the Configuration Request packet generated by the generation unit to the providing apparatus.

2. The communication apparatus according to claim 1, wherein the generation unit generates a Configuration Request packet including information indicating a network encryption scheme to request, in addition to requesting a plurality of network identifiers.

3. The communication apparatus according to claim 1, further comprising: a receiving unit configured to receive a Configuration Response packet transmitted from the providing apparatus in response to the Configuration Request packet transmitted by the transmission unit; and a setting ...

Publication date: 24-06-2021

COMMUNICATION APPARATUS, METHOD OF CONTROLLING COMMUNICATION APPARATUS, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM

Number: US20210195423A1
Author: Goto Fumihide
Assignee:

A communication apparatus receives a communication parameter for wireless communication with a first communication apparatus via a wireless network from a second communication apparatus, generates encryption key information to be shared with the first communication apparatus based on the received communication parameter, acquires an expiration date for connection to the wireless network from the received communication parameter, connects to the first communication apparatus via the wireless network using the generated encryption key information, and determines whether the acquired expiration date has passed and restricts connection to the first communication apparatus using the encryption key information in a case where the expiration date has passed.

1. A communication apparatus comprising: a reception unit configured to receive a communication parameter for wireless communication with a first communication apparatus via a wireless network from a second communication apparatus; a generation unit configured to generate encryption key information to be shared with the first communication apparatus based on the communication parameter received by the reception unit; an acquisition unit configured to acquire an expiration date for connection to the wireless network from the communication parameter received by the reception unit; a connection unit configured to connect to the first communication apparatus via the wireless network using the encryption key information generated by the generation unit; and a control unit configured to determine whether the expiration date acquired by the acquisition unit has passed and to control the connection unit to restrict connection to the first communication apparatus using the encryption key information in a case where the expiration date has passed.

2. The communication apparatus according to claim 1, further comprising a storage unit configured to store the encryption key information generated by the generation unit in association ...

Publication date: 29-09-2022

SYSTEM FOR GENERATING CRYPTOGRAPHIC MATERIAL

Number: US20220307847A1
Assignee:

A system for generating cryptographic material includes a cryptomaterial server and developer module. The cryptomaterial server has at least one cryptomaterial generator and a cryptomaterial distributor. The cryptomaterial generator is set up to generate cryptographic material by using specifications that can be predetermined via the developer module. The cryptomaterial server has a receiving part of a specification interface and the developer module has a corresponding sending part of the specification interface, which can be coupled directly or indirectly for the secure transmission of data. The developer module has a user interface or can be coupled directly or indirectly to one that is set up for an input of the specifications in abstract form. A transformation module automatically transforms the input specifications into a syntax of the cryptomaterial generator.

1-15. (canceled)

16. A system for generating cryptographic material, the system comprising: a developer module; and a cryptomaterial server comprising a cryptomaterial generator configured to generate cryptographic material using specifications that are predetermined via the developer module; and a cryptomaterial distributor, wherein the cryptomaterial server has a receiving part of a specification interface and the developer module has a corresponding sending part of the specification interface, wherein the receiving and sending parts of the specification interface are couplable directly or indirectly for the secure transmission of data, wherein the developer module has a user interface or is coupled directly or indirectly to the user interface, wherein the user interface is configured to accept an input of the specifications in abstract form, and wherein the system includes a transformation module configured to automatically transform the input specifications into a syntax of the cryptomaterial generator.

17. The system of claim 16, wherein the transformation module is part of the cryptomaterial ...

Publication date: 16-06-2016

Security Key Generation for Dual Connectivity

Number: US20160174070A1
Assignee: Telefonaktiebolaget LM Ericsson AB

Techniques for the secure generation of a set of encryption keys to be used for communication between a wireless terminal and an assisting base station in a dual-connectivity scenario. An example method includes generating an assisting security key for the assisting base station, based on an anchor base station key. The generated assisting security key is sent to the assisting base station, for use by the assisting base station in encrypting data traffic sent to the wireless terminal or in generating one or more additional assisting security keys for encrypting data traffic sent to the wireless terminal while the wireless terminal is dually connected to the anchor base station and the assisting base station. The anchor base station key, or a key derived from the anchor base station key, is used for encrypting data sent to the wireless terminal by the anchor base station.

Publication date: 15-06-2017

Packet number determination in a neighbor aware network

Number: US20170171169A1
Assignee: Qualcomm Inc

A wireless communication device includes a memory and a processor coupled to the memory. The processor is configured to set a packet number to a particular value in accordance with a packet number initialization scheme associated with a data link group of a neighbor aware network (NAN). The processor is further configured to generate a packet based on the packet number.

Publication date: 29-09-2022

AUTHENTICATION SYSTEM USING PAIRED, ROLE REVERSING PERSONAL DEVICES

Number: US20220311610A1
Author: Leedom Erik C.
Assignee: Syferex, LLC

An authentication system is provided for authenticating users in accordance with an encryption/decryption algorithm using first and second separately unique encryption keys that are time variable and are uniquely associated with each user, having a first user controlled computing device under the control of the user for generating said first encryption key using an encryption key generating algorithm. The first user controlled computing device includes a key transmitter for transmitting wirelessly within the immediate vicinity of the user the first encryption key, a second user controlled computing device, operating as a coordinating device under the control of the user, for generating the second encryption key using the encryption key generating algorithm. The second user controlled computing device includes a key receiver for receiving the first encryption key.

1-30. (canceled)

31. An encryption system operating in accordance with an encryption/decryption algorithm using first and second separately unique encryption keys, comprising: A. a first user controlled computing device under the control of the user for generating said first encryption key using an encryption key generating algorithm, said first user controlled computing device including a key transmitter for transmitting wirelessly said first encryption key; B. a second user controlled computing device, operating as a coordinating device under the control of the user, for generating said second encryption key using the encryption key generating algorithm, said second user controlled computing device including i. a key receiver for receiving the first encryption key, and ii. a message transmitter for transmitting said encrypted message; and C. an encrypting signal processor for forming said encrypted message using said first and second encryption keys in accordance with said encryption/decryption algorithm, whereby said encrypted message may be transmitted wirelessly and decrypted securely using said first and ...

Publication date: 01-07-2021

CORE NETWORK, USER EQUIPMENT, AND COMMUNICATION CONTROL METHOD FOR DEVICE TO DEVICE COMMUNICATION

Number: US20210203647A1
Assignee: NEC Corporation

A communications system is provided. A network device controls the setting up of a device to device communication link, as sent between a device in the core network and the base station(s) servicing the relevant mobile devices, including disclosure of the common security information for two mobile devices to communicate securely over the direct device to device communications link.

1. A core network for a mobile communication system, the core network comprising: a processor; and a memory storing instructions executable by the processor, wherein the instructions are configured to, if executed by the processor, cause the core network to: determine whether a first user equipment (UE) and a second UE can support a direct device to device communications link; and send security information to the first UE and the second UE, wherein the sent security information is configured such that the first UE and the second UE can derive a security key, for protecting user plane traffic between the first UE and the second UE, based on the security information.

2. The core network according to claim 1, wherein the sent security information is configured such that the first UE and the second UE can derive algorithm information based on the security information.

3. A communication method of a core network for a mobile communication system, the communication method comprising: determining whether a first user equipment (UE) and a second UE can support a direct device to device communications link; and sending security information to the first UE and the second UE, wherein the sent security information is configured such that the first UE and the second UE can derive a security key, for protecting user plane traffic between the first UE and the second UE, based on the security information.

4. The communication method according to claim 3, wherein the sent security information is configured such that the first UE and the second UE can derive algorithm information using the ...

Publication date: 01-07-2021

KEY REFRESH FOR SMALL-DATA TRAFFIC

Number: US20210204119A1
Assignee:

Apparatuses, methods, and systems are disclosed for key refresh triggering. One apparatus includes a transceiver and a processor that starts a counter corresponding to a UE having a small-data traffic pattern. In response to the transceiver receiving small-data traffic associated with the UE, the processor determines if a security key is valid based on a value of the counter. If the value of the counter indicates the security key is invalid, then the processor triggers a key refresh procedure. The processor relays the small-data traffic in response to the UE having a valid security key.

1. A method of a network function comprising: starting a counter corresponding to a remote unit having a small-data traffic pattern; receiving small-data traffic associated with the remote unit; determining if a security key is valid based on a value of the counter; triggering a key refresh procedure if the value of the counter indicates the security key is invalid; and relaying the small-data traffic in response to the remote unit having a valid security key.

This application is a continuation of patent application Ser. No. 16/746,471 entitled “KEY REFRESH FOR SMALL-DATA TRAFFIC” filed on Jan. 17, 2020 which claims priority to U.S. Provisional Patent Application No. 62/794,476 entitled “Key Refresh Triggering for IoT Devices” and filed on Jan. 18, 2019 for Andreas Kunz, Genadi Velev, Joachim Loehr, Prateek Basu Mallick, Ravi Kuchibhotla, and Alexander Golitschek Edler von Elbwart, which application is incorporated herein by reference. The subject matter disclosed herein relates generally to wireless communications and more particularly relates to security key refresh triggering for small-data traffic (e.g., among IoT devices). The following abbreviations are herewith defined, at least some of which are referred to within the following description: Third Generation Partnership Project (“3GPP”), Fifth Generation Core Network (“5CG”), Fifth Generation System (“5GS”), Absolute Radio Frequency ...

Publication date: 21-06-2018

Service processing method and apparatus

Number: US20180176194A1
Author: Anni Wei, Chunshan Xiong
Assignee: Huawei Technologies Co Ltd

The disclosure relates to a service processing method and apparatus. The method includes: setting up, by a proxy node, a first encrypted connection to UE, and setting up a second encrypted connection to the network server; obtaining, by the proxy node from the UE, an encryption context generated in the process of setting up the first encrypted connection, and generating a first key according to the encryption context; and receiving, by the proxy node, a ciphertext sent by the UE, decrypting the ciphertext by using the first key, processing obtained service information, and sending the processed service information to the network server by using the second encrypted connection, where the ciphertext is obtained by the UE by encrypting the service information by using a second key, the first key corresponds to the second key, and the second key is generated by the UE according to the encryption context.

Publication date: 15-07-2021

CONCURRENT ID ALLOCATION IN A SERVICE-BASED ARCHITECTURE

Number: US20210219356A1
Assignee:

A method and control plane node capable of receiving, from a requester, a request for a unique identifier, selecting an identifier from a pool comprising a plurality of unique identifiers held by the control plane node, creating a key representing the selected identifier in the pool, attempting to write to an initial version of a value of the created key in order to create a key-value pair in the key-value store, wherein the writing is successful if no write previously has been performed to said initial version of the value, and if so returning, to the requester, the selected identifier as an allocated identifier.

1. A method of a control plane node of allocating, for a communication device accessing a network in which the control plane node is arranged, a unique identifier using a key-value store, the method comprising: receiving, from a requester, a request for a unique identifier; selecting an identifier from a pool comprising a plurality of unique identifiers held by the control plane node; creating a key representing the selected identifier in the pool; attempting to write to an initial version of a value of the created key in order to create a key-value pair in the key-value store, wherein the writing is successful if no write previously has been performed to said initial version of the value; and if so; returning, to the requester, the selected identifier as an allocated identifier.

2. The method of claim 1, wherein the key name is configured to comprise an indication of the identifier selected from the pool.

3. The method of claim 2, wherein the selected identifier is configured to be encoded in the key name.

4. The method of claim 2, wherein the key name further is configured to comprise an identifier of the pool from which the identifier is selected.

5. The method of claim 4, wherein the identifier of the pool is configured to be encoded in the key name.

6. The method of claim 1, wherein if the attempt to write to an initial version of a value of the created ...

Publication date: 16-07-2015

Method and apparatus for enhancing communication security

Number: US20150200965A1
Author: Anja Jerichow
Assignee: NOKIA SOLUTIONS AND NETWORKS OY

A method and apparatus can be configured to transmit indicators to a network entity. The indicators indicate whether security will be applied to a media data, whether security will be applied by an application layer, and whether security will be applied by an evolved-packet-system layer. The method can also include transmitting the media data to the network entity.

Publication date: 20-06-2019

Apparatus and method for sharing wifi security data in an internet of things (iot) system

Number: US20190191302A1
Assignee: Afero Inc

A method and system for connecting an Internet of Things (IoT) hub to a wireless network. One embodiment of the method includes establishing a secure communication channel between an IoT hub and an IoT service through a client device using a first secret; generating a second secret on the client device and transmitting it to the IoT hub; encrypting a wireless key using the second secret to generate a first-encrypted key and transmitting it to the IoT service; encrypting the first-encrypted key using the first secret to generate a twice-encrypted key and transmitting it to the IoT hub over the secure communication channel; decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting it using the second secret to generate the wireless key usable to establish a secure wireless connection between the IoT hub and the local wireless network.

Publication date: 20-06-2019

Low power rrc operating method and device

Number: US20190191483A1
Assignee: SAMSUNG ELECTRONICS CO LTD

Disclosed are a communication technique of merging, with IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system, and a system therefor. The disclosure can be applied to intelligent services (for example, smart home, smart building, smart city, smart car or connected car, health care, digital education, retail, security and safety related services, and the like) on the basis of 5G communication technology and IoT related technology. According to one embodiment of the present invention, a communication method of a base station comprises the steps of: determining an RRC state transition condition of a terminal; and transmitting information on the RRC state transition condition to the terminal, wherein the RRC state transition condition can include at least one timer for the transition between RRC states and/or information indicating an RRC state to be changed.

Publication date: 26-07-2018

Electronic apparatus and controlling method thereof

Number: US20180209183A1
Assignee: SAMSUNG ELECTRONICS CO LTD

An electronic apparatus is provided. The electronic apparatus includes a memory configured to store waveform information of a signal received from a user's body, a transceiver configured to receive a signal from an external apparatus using the user's body as a communication medium, and at least one processor configured to confirm whether or not a waveform of the received signal corresponds to the stored waveform information, and perform a predetermined function depending on a confirmation result.

Publication date: 16-10-2014

Apparatus and method for generating key hierarchy in wireless network

Number: US20140307873A1
Assignee: SAMSUNG ELECTRONICS CO LTD

A method for generating a key hierarchy by a MS in a wireless network is provided. The method includes transmitting an authentication request message to a new BS, receiving an authentication response message as a response message to the authentication request message from the new BS, determining whether to perform a full authentication operation with a H3A server based on the authentication response message, performing the full authentication operation or a crypto-handshake operation with the H3A server based on the determining result, after performing the full authentication operation or the crypto-handshake operation, determining whether a first expected signature value received from the new BS is identical to a first expected signature value calculated by the MS, and if the first expected signature value received from the new BS is equal to a first expected signature value calculated by the MS, determining that an authentication for the new BS has succeeded.

Publication date: 04-07-2019

Security framework for msg3 and msg4 in early data transmission

Number: US20190208411A1
Assignee: Intel Corp

Systems and methods of a security framework for an RRC connection are described. The UE receives a release message that comprises a current Next Hop Chaining Counter (NCC). The UE derives a new K eNB* using the current NCC and transmits an EDT RA preamble to the same or a different base station. After receiving an RAR with an uplink allocation, the UE transmits a RRCConnectionResumeRequest message. The UE transmits uplink data encrypted using K eNB* if the uplink allocation includes a data allocation sufficient for the data, falls back to a legacy RRC connection procedure in which the stored K eNB* is discarded and then K eNB* is re-derived if the data allocation is insufficient for the data due to a CE level change, and falls back to a legacy RRC connection procedure in which the stored K eNB* is used instead of discarding K eNB* if the uplink allocation excludes the data allocation.

Publication date: 12-08-2021

ENCRYPTED AUDIO STREAMING

Number: US20210250338A1
Author: Gehring Stephan
Assignee: Sonova AG

The disclosed technology relates to broadcasting encrypted data to multiple receiver devices, where some receiver devices have long-term access to the encrypted data and some receiver devices have temporary access to the encrypted data. Receivers having long-term access are part of a “member group” because these member group devices have a master key and the master key enables the member group devices to derive the necessary information to decrypt the encrypted broadcast. In contrast, devices with temporary access possess only a guest key and not a master key; without a master key, the devices need to receive the guest key from another device to decrypt the broadcast. Access to the encrypted stream can also be based on broadcasting multiple or single diversifiers, where a diversifier can include group identification information to assist in restricting access to the encrypted stream.

1. A method to broadcast encrypted data, the method comprising: providing a master key to a member device, providing a guest key to a guest device, broadcasting, from a broadcaster device, a single diversifier, wherein the single diversifier enables the member device to derive the guest key from the master key and the single diversifier and to derive a session key from the guest key and the single diversifier; wherein the single diversifier enables the guest device to derive the session key from the guest key and the single diversifier; broadcasting, from the broadcaster device, encrypted data, wherein the encrypted data is encrypted based on the session key; and revoking access to the encrypted data stream for the guest device while maintaining access for the member device by broadcasting a new single diversifier.

2. The method of claim 1, wherein the broadcaster device performs the providing the master key to the member device with a secure communication.

3. The method of claim 1, wherein the broadcaster device performs the providing of the master key, and the ...

Publication date: 12-08-2021

TERMINAL, COMMUNICATION METHOD, AND RECORDING MEDIUM

Number: US20210250760A1
Author: YOSHIDA Moe
Assignee:

A terminal includes: a communicator that wirelessly performs encrypted communication with an access point; a processor; and a memory that stores at least one program executed by the processor and a key management table for storing a group key for the encrypted communication. The processor performs: acquiring the group key from the access point and storing the group key acquired in the key management table as a first group key; receiving a broadcast packet encrypted by the access point via the communicator; making a first determination as to whether the broadcast packet received is decryptable by using the first group key; and when it is determined, in the first determination, that the broadcast packet is not decryptable by using the first group key, generating information indicating that the first group key needs to be updated.

1. A terminal, comprising: a communicator that wirelessly performs encrypted communication with an access point; a processor; and a memory that stores at least one program executed by the processor and a key management table for storing a group key for the encrypted communication, wherein the processor performs: acquiring the group key for the encrypted communication from the access point and storing the group key acquired in the key management table as a first group key; receiving a broadcast packet encrypted by the access point via the communicator; making a first determination as to whether the broadcast packet received is decryptable by using the first group key; and when it is determined, in the first determination, that the broadcast packet is not decryptable by using the first group key, generating information indicating that the first group key needs to be updated.
2. The terminal according to claim 1, wherein the processor further performs, based on the information generated: after a wireless connection with the access point is disconnected, establishment processing of establishing a new wireless connection with the access point via the ...

Publication date: 12-08-2021

KEY GENERATION METHOD, DEVICE, AND SYSTEM

Number: US20210250762A1
Assignee:

A key generation method includes a user plane network function and a terminal device obtain key update information sent by each other. The user plane network function updates, by using the obtained key update information, a sub-key derived from a permanent key, to obtain a new protection key. The terminal device updates, by using the obtained key update information, a sub-key derived from the permanent key, to obtain a new protection key. The terminal device and the user plane network function perform, by using the new protection key, security protection on user plane data transmitted between the terminal device and the user plane network function.

1. A key generation method, wherein the method comprises: receiving, by a terminal device, first key update information sent by a communications apparatus implementing a user plane network function; generating, by the terminal device, a second key based on a first key and the first key update information; and using the second key to perform security protection on data transmitted between the communications apparatus implementing the user plane network function and the terminal device, wherein the first key is the same as a third key obtained by the communications apparatus implementing the user plane network function; and the first key and the third key are derived from a permanent key.
2. The method according to claim 1, wherein the first key is generated by the terminal device based on a first group of generation parameters, the first group of generation parameters comprises the permanent key or a sub-key derived from the permanent key, and the first group of generation parameters is sent by a communications apparatus implementing a mobility management network function or a security anchor function network function to the terminal device.
3. The method according to claim 1, wherein the method further comprises: receiving, by the terminal device, a first indication from the communications apparatus implementing the user plane ...

Publication date: 19-08-2021

Anchor Key Generation Method, Device, and System

Number: US20210258780A1
Author: Gan Lu, Wu Rong, ZHANG BO
Assignee:

An anchor key generation method, device, and system, where the method includes generating, by a unified data management network element (UDM), an intermediate key based on a cipher key (CK), an integrity key (IK), and indication information regarding an operator; sending, by the UDM, the intermediate key to an authentication server function (AUSF); receiving, by the AUSF, the intermediate key; generating, by the AUSF, an anchor key based on the intermediate key; sending, by the AUSF, the anchor key to a security anchor function (SEAF); and generating, by the SEAF, a key (Kamf) based on the anchor key, where the Kamf is used to derive a 3rd Generation Partnership Project (3GPP) key.

1. A method implemented in a communication system, comprising: generating, by a user equipment, an intermediate key based on a cipher key (CK), an integrity key (IK), and an operator type identifier comprising a service network (SN) identifier; generating, by the user equipment, an anchor key based on the intermediate key, wherein the anchor key is to implement compatibility with various access modes; generating, by the user equipment, a key (Kamf) based on the anchor key; deriving, by the user equipment, a base station key based on the Kamf; and deriving, by the user equipment based on the base station key, a user plane cipher key, a user plane integrity key, a control plane cipher key, and a control plane integrity key.
2. The method according to claim 1, wherein generating, by the user equipment, the anchor key based on the intermediate key comprises: generating, by the user equipment, an extended master session key (EMSK′) based on the intermediate key; generating, by the user equipment, a key (K_left) by truncating a bit of the EMSK′; and obtaining, by the user equipment, the anchor key based on the K_left and the SN identifier.
3. The method according to claim 1, further comprising deriving, by the user equipment, a non-access ...

Publication date: 19-08-2021

NON-3GPP DEVICE ACCESS TO CORE NETWORK

Number: US20210258787A1
Assignee:

A non-SI device is arranged for wireless communication and cooperates with an SI device having access to a subscriber identity. The non-SI device has a transceiver to communicate in a local network and a processor to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel. Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, security data is received that is related to the SI and is computed using the non-SI public key. The security data reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

1. A non-subscriber identity (“non-SI”) device arranged for wireless communication in a local network according to a local communication protocol, wherein the local communication protocol defines protocol messages and wireless transceiving across a limited area, the non-SI device not comprising an SI and being arranged for cooperating with an SI device having access to the subscriber identity (“SI”), the SI comprising subscriber identity data of a subscriber to a provider for accessing a core network, the core network providing wireless communication for mobile devices across at least a regional area, the non-SI device comprising: a non-SI private key constituting a pair with a non-SI public key; a transceiver arranged for local transceiving according to the local communication protocol; a processor arranged to execute an association sequence to establish an association with the SI, the association sequence comprising: providing the non-SI public key to the SI device via a first communication channel, sharing a verification code with the SI device via a second communication ...

Publication date: 16-08-2018

Transaction device use of a dynamically generated value based on a next expected session key

Number: US20180232733A1

A system, method, and computer readable medium (collectively, the “system”) are provided. The system may include a processor configured to perform operations and/or steps comprising storing, by a processor, a session key on a mobile device, wherein the session key is encrypted. The system receiving a transaction request, decrypting the session key, and broadcasting a signal configured for being received by a magnetic stripe reader. Track 1 data and/or track 2 data may be encoded in the signal. The track 1 data and/or the track 2 data may also comprise a dynamically generated value that is generated based on the session key.

Publication date: 26-08-2021

Key Exchange Method and Apparatus

Number: US20210266153A1
Author: Chen Jing, Zhang Dongmei
Assignee:

Embodiments of the present invention disclose a key exchange method and apparatus. A network device acquires a first key, and sends a message including the first key to a second user equipment, so that the second user equipment uses, when communicating with a first user equipment by using a D2D link, the first key to protect transmitted information.

1-20. (canceled)
21. An apparatus, comprising: a non-transitory memory storage comprising instructions; and one or more processors in communication with the non-transitory memory storage, wherein the one or more processors are configured to execute the instructions to: acquire a second key, wherein the second key is shared by a network device and the apparatus; generate, according to the second key and a first parameter, a first key using a key derivation function; and protect device to device (D2D) communication information between the apparatus and a first user equipment based on the first key.
22. The apparatus according to claim 21, wherein the first parameter comprises a random number.
23. The apparatus according to claim 21, wherein the one or more processors are configured to further execute the instructions to: obtain an encryption algorithm identifier; and generate an encryption key according to the first key and the encryption algorithm identifier; and wherein the one or more processors being configured to execute the instructions to protect the D2D communication information based on the first key, comprises the one or more processors being configured to execute the instructions to: encrypt, based on the encryption key and an encryption algorithm corresponding to the encryption algorithm identifier, the D2D communication information.
24. The apparatus according to claim 21, wherein the one or more processors are configured to further execute the instructions to: obtain the first parameter from the network device.
25. An apparatus, comprising: a non-transitory memory storage comprising ...

Publication date: 23-08-2018

Transaction cryptogram

Number: US20180240110A1
Assignee: Mastercard International Inc

A method for generating transaction credentials for a user in a transaction, comprising: storing in a mobile device, an encrypted session key, and an encrypted user authentication credential; receiving an authorisation request; initiating a user authorisation process wherein in the event that the user is an authenticated user, the method comprises: decrypting the encrypted session key and encrypted user authentication credential; generating a transaction cryptogram in dependence on the user authentication credential and the session key; transmitting the transaction cryptogram and a user authentication status to a transaction processing entity for use in a transaction.

Publication date: 09-09-2021

INTEGRITY FOR MOBILE NETWORK DATA STORAGE

Number: US20210282009A1
Assignee:

According to an example aspect of the present invention, there is provided a method, comprising: generating or receiving a first hash on the basis of the mobile network data change by a source network function, providing the first hash and security credentials information of the source network function for validation by a set of validator entities, and in response to detecting validation of the first hash and the security credentials information, generating a first transaction for a first blockchain, the first transaction being indicative of the mobile network data change and comprising the first hash.

1-15. (canceled)
16. An apparatus comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to: generate or receive a first hash on the basis of mobile network data change by a source network function, provide the first hash and security credentials information of the source network function for validation by a set of validator entities, and in response to detecting validation of the first hash and the security credentials information, generate a first transaction for a first blockchain, the first transaction being indicative of the mobile network data change and comprising the first hash.
17. The apparatus of claim 16, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to receive the first hash by a writer entity by a request to update the blockchain from the source network function initiating or performing the mobile network data change.
18. The apparatus of claim 16, wherein the at least one processor and the at least one memory including the computer program code are further configured to cause the apparatus to generate a second transaction for a second blockchain, the second transaction comprising ...

Publication date: 23-09-2021

Communication Device, Non-Transitory Computer-Readable Medium Storing Computer-Readable Instructions for Communication Device and Method Executed by Communication Device

Number: US20210294544A1
Author: Shibata Hiroshi
Assignee:

A communication device may: comprise an output unit configured to output first information obtained by using a first public key in a memory in a case where a predetermined instruction is inputted to the communication device; after the first information has been outputted, receive an authentication request in which the first public key is used from a terminal device; send an authentication response to the terminal device; establish a wireless connection between the communication device and an external device; and in a case where a predetermined condition is satisfied after the first information has been outputted, create a second public key different from the first public key and store the second public key in the memory. In a case where the predetermined instruction is inputted to the communication device again, the output unit may be configured to output second information obtained by using the second public key in the memory.

1. A communication device comprising: a first wireless interface; a processor; a memory storing computer-readable instructions therein and configured to store a first public key; and an output unit configured to output first information obtained by using the first public key in the memory in a case where a predetermined instruction is inputted to the communication device after the first public key has been stored in the memory, after the first information has been outputted, receive, via the first wireless interface, an authentication request in which the first public key is used from a terminal device that obtained the first public key; in a case where the authentication request is received from the terminal device, send an authentication response, as a response for the authentication request, to the terminal device via the first wireless interface; after the authentication response has been sent to the terminal device, receive connection information from the terminal device via the first wireless interface, the connection information ...

Publication date: 07-10-2021

COMMUNICATION SYSTEM

Number: US20210314825A1
Author: Sharma Vivek
Assignee: NEC Corporation

A communication system is described in which user plane communication and control plane communication for a particular mobile communication device can be split between a base station that operates a small cell and a macro base station. Appropriate security for the user plane and control plane communications is safeguarded by ensuring that each base station is able to obtain or derive the correct security parameters for protecting the user plane or control plane communication for which it is responsible.

1-48. (canceled)
49. A secondary base station comprising: a controller; and a transceiver configured to communicate with a user equipment, UE, which is configured for simultaneous connection to a master base station and to the secondary base station, wherein the controller is configured to: control the transceiver to receive, from the master base station that provides control plane signaling to the UE, a security key of the secondary base station derived by the master base station; derive a user plane security key, for use in protection of user plane traffic between the UE and the secondary base station, using the security key of the secondary base station; control the transceiver to provide user plane communication by using the user plane security key; control the transceiver to: transmit, to the master base station, a first message related to security key update when a Packet Data Convergence Protocol, PDCP, count is about to wrap around, and receive, from the master base station, a second message to deliver an updated security key of the secondary base station derived by the master base station using a security key of the master base station while the UE is connected to the master base station and the secondary base station; derive an updated user plane security key using the updated security key of the secondary base station; and use the updated user plane security key in protection of user plane traffic between the UE and the secondary base station. ...
