Total found: 5958. Displayed: 197.

Publication date: 20-01-2016

MOBILE COMMUNICATION METHOD AND MOBILITY MANAGEMENT NODE

Number: RU2573418C2
Assignee: NTT DOCOMO, INC. (JP)

The invention relates to mobile communication. The technical result is the elimination of wasteful resource usage in the attach procedure of the relay node RN itself. The mobile communication method includes: a step of transmitting, from a radio base station DeNB, an initial UE message (S1) indicating that an attach procedure is being performed by the relay node RN itself, to a mobility management node MME in response to an attach request (RN) received from said relay node RN, which has a secure channel established between the relay node RN and a USIM-RN; a step in which the mobility management node MME starts an EPS-AKA procedure between the relay node RN and said USIM-RN in response to said initial UE message (S1); and a step of refusing to perform the EPS-AKA procedure if it is determined that the given USIM-RN cannot be used for the attach procedure of the relay node RN itself. 2 independent claims, 4 drawings.

Publication date: 10-03-2011

APPLICATION AUTHENTICATION

Number: RU2414086C2
Assignee: Nokia Corporation (FI)

The invention relates to the field of data transmission networks. The technical result is optimization of application access. The essence of the invention is that the method includes: a server application (408) performing bootstrapping procedures (412) between that server application (408) and a bootstrapping server function (400); deriving (420, 422) a shared key based on at least a key received from the bootstrapping server function server (400) during the bootstrapping procedures (412) and a network application function identifier; providing (414) an application (406) with a bootstrapping transaction identifier received from the bootstrapping server function server (400) during the bootstrapping procedures (412); receiving a response from the application (406); and authenticating (426) the application by verifying the response using the shared key. 7 independent and 42 dependent claims, 5 drawings.

Publication date: 10-12-2014

PREVENTION OF FALSE POSITIVE CARD DETECTION

Number: RU2534943C2

The invention relates to a method and system for authenticating a transaction. The technical result is faster transaction authentication. The method comprises the steps of receiving a transaction request in order to determine whether the transaction request can be approved without further processing, and authorizing the transaction if it is determined that the transaction request can be approved without further processing; otherwise, receiving data identifying the region where the transaction is requested, determining from a location register (LR) data obtained from the mobile network provider for a mobile communication device associated with the person requesting the transaction, the data identifying the region where the mobile communication device is located, comparing the data identifying the region where the transaction is requested with the data identifying the region where the mobile communication device is located, and, if they match, authorizing the transaction, and if the region data ...

Publication date: 10-08-2014

APPARATUS AND METHOD FOR TRANSITIONING FROM A SERVING NETWORK NODE THAT SUPPORTS AN ENHANCED SECURITY CONTEXT TO A LEGACY SERVING NETWORK NODE

Number: RU2525083C2

The invention relates to mobile communication. The technical result is enabling a remote terminal to interoperate both with serving network nodes that support an enhanced security context and with legacy serving network nodes. The remote terminal provides a legacy key and generates a session key based on an information element associated with the enhanced security context. The remote terminal forwards a first message having the information element to a new serving network node. The remote terminal receives from the new serving network node a second message having a response based on either the legacy key or the session key. The remote terminal determines that the new serving network node does not support the enhanced security context if the response of the second message is based on the legacy key, and protects communications based on the legacy key upon determining that the enhanced security context is not supported ...

Publication date: 20-11-2009

METHOD FOR CONTROLLING AND EVALUATING THE MESSAGE TRAFFIC OF A COMMUNICATION DEVICE BY MEANS OF A FIRST NETWORK DEVICE IN A MOBILE COMMUNICATION SYSTEM, AND CORRESPONDING COMMUNICATION DEVICE AND FIRST NETWORK DEVICE

Number: RU2373648C2

Claimed is a method for controlling and evaluating the message traffic of a communication device by means of a first network device in a mobile communication system. The technical result is that such a method for controlling and evaluating the message traffic of a communication device is simple and efficient. To this end, in the method for controlling and evaluating the message traffic of a communication device (KE) by means of a first network device (NE1) in a mobile communication system (MS), all messages of the message traffic are sent via the first network device (NE1); the first network device (NE1), using one or more items of service information (N1) of the communication device (KE), decides whether one or more messages should be forwarded to a second network device (NE2) for further processing or should be blocked; and by means of the first network device (NE1), using one or more items of service information (N1) of the communication device (KE), a decision is made ...

Publication date: 20-08-2007

METHOD AND SYSTEM FOR ESTABLISHING A CONNECTION VIA AN ACCESS NETWORK

Number: RU2304856C2
Assignee: NOKIA CORPORATION (FI)

The invention relates to a method and system for establishing a connection via an access network. The technical result is enabling access from a WLAN or from any other access network to a wide range of services. The method for establishing a connection via an access network communicates with at least one user terminal and with at least one backbone network comprising at least user terminal authentication and authorization means and at least one user data processing node, wherein the connection of the user terminal to said access network is authenticated and one of said at least one user data processing nodes is selected based on selection information conveyed in an authentication signalling message. Tunnel parameter information of the selected user data processing node is then signalled to the access network and a tunnel connection is created ...

Publication date: 27-04-2013

CRYPTOGRAPHIC KEY GENERATION

Number: RU2480925C2

The invention relates to data transmission, namely to a method for generating a cryptographic key. The technical result is increased communication security. The technical result is achieved in that a method is claimed for generating a cryptographic key (120) for protecting communication between two entities (202, 204), the method being performed by the first entity (202, 302) as part of a distributed security operation initiated by the second entity (202, 304), and comprising the steps of: providing (306) at least two parameters (106, 108), of which the first parameter (106) comprises or is derived from a set of cryptographic keys (110, 112) computed by the first entity (202) when performing the security operation, and the second parameter comprises or is derived from a token (116) having a different value each time the security operation is initiated by the second entity (204, 304) for the first entity (202, 302); and applying (308) a key derivation function to generate the cryptographic key ...

Publication date: 31-05-2017

KEY SHARING DEVICE AND SYSTEM FOR CONFIGURATION THEREOF

Number: RU2621182C1

The invention relates to the field of network communication. The technical result is security between two network devices by means of a shared key. A system for configuring a network device for key sharing, comprising: key material obtaining means for obtaining in electronic form a private modulus (122, p), a public modulus (110, N) and a symmetric bivariate polynomial (124, f) having integer coefficients, wherein the binary representation of the public modulus and the binary representation of the private modulus are the same in at least key length (b) consecutive bits; a generator (200) for generating local key material for the network device, comprising network device management means (250) for obtaining in electronic form an identification number (A) for the network device and for electronically storing the generated local key material in the network device and storing the public modulus in the network ...

Publication date: 21-04-2021

ACCESS REJECTION METHOD, APPARATUS AND SYSTEM, STORAGE MEDIUM AND PROCESSOR

Number: RU2746890C1
Assignee: ZTE CORPORATION (CN)

The invention relates to the field of communications. The technical result is enabling a terminal to verify the authenticity of an access rejection message. The access rejection method comprises: receiving, by a first base station, an access resume request from a terminal; and sending, by the first base station, an access rejection message to the terminal, wherein the access rejection message includes: a check value generated based on a key of the terminal, obtained from a second base station, and on the access rejection message, and a wait time indicating the time when the terminal will send another access resume request. 6 independent and 8 dependent claims, 9 drawings.

Publication date: 10-08-2011

NETWORK AND METHOD FOR INITIALIZING A KEY FOR A SECURITY CONTROL CENTRE LINK

Number: RU2010103678A

... 1. A network comprising: a new node (106) containing node-specific cryptographic key material, the new node being configured to define a cryptographic key based on the node-specific cryptographic key material; a first node (102) requiring the cryptographic key to initialize network security; and means for providing (108) the missing cryptographic key to the first node from a storage device other than the new node, the missing cryptographic key being equal to said cryptographic key, wherein the storage device is a secure server (210) containing cryptographic key material corresponding to the new node (106), wherein the providing means (108) is configured to download the missing cryptographic key from the secure server (210), wherein the new node (106) can compute different cryptographic keys, each of which is distinguished by a key index, ...

Publication date: 20-11-2009

METHOD AND APPARATUS FOR ESTABLISHING A SECURITY ASSOCIATION

Number: RU2008118495A

... 1. A method of establishing secure communication between a service node and a client for delivering information from the service node to the client, where the client and a key generation function share a base secret, the method comprising: sending a request for generation and initialization of a service key from the service node to the key generation function, said request containing identifiers of the service node and the client; generating a service key at the key generation function using the service node identifier, the base secret and additional information, and sending the service key to the service node together with said additional information; initializing a communication session with said client at the service node, the initialization including forwarding said additional information and said service node identifier from the service node to the client; generating said service key using the received additional information, the service node identifier and the base ...

Publication date: 10-05-2010

APPLICATION AUTHENTICATION

Number: RU2008141089A

... 1. A method of authenticating an application, comprising: performing, using a server application, bootstrapping procedures between the server application and a bootstrapping server function; deriving a shared key based on at least a key received from the bootstrapping server function server during the bootstrapping procedures and a network application function identifier; providing the application with a bootstrapping transaction identifier received from the bootstrapping server function server during the bootstrapping procedures; receiving a response from the application; and authenticating the application by verifying the response using the shared key. 2. The method of claim 1, wherein authenticating the application comprises authenticating the application by comparing the shared key with the response. 3. The method of claim 1, further comprising generating a challenge and providing the challenge to the application, wherein the authenticating step comprises authenticating the application by verifying the response using the challenge ...

Publication date: 20-01-2014

SMART CARD SECURITY FEATURE PROFILE IN A HOME SUBSCRIBER SERVER

Number: RU2012128165A

... 1. A method comprising: determining, at a network application function, a list of desired user equipment security features to be used, the security features in the list being ordered according to the preference of the network application function; sending the list to a user security settings database via a bootstrapping server function; and receiving, by the network application function via the bootstrapping server function, a security features response including a security key derived from information stored in the database and corresponding to a desired security feature contained in the list, thereby informing the network application function of the availability of at least one of the desired security features in the user equipment. 2. The method of claim 1, wherein the list is sent to the user security settings database via the home subscriber server ...

Publication date: 10-03-2013

PREVENTION OF FALSE POSITIVE CARD DETECTION

Number: RU2011135733A

... 1. A method of authenticating a transaction, comprising the following steps: receiving data identifying the region where the transaction was requested; determining from a location register (LR) data for a mobile communication device associated with the person requesting the transaction, the data identifying the region where the mobile communication device is located; comparing the data identifying the region where the transaction is requested with the data identifying the region where the mobile communication device is located; and authenticating the transaction depending on the result of the comparison. 2. The method of claim 1, further comprising the step of receiving data identifying the mobile communication device associated with the person requesting the transaction. 3. The method of claim 1 or 2, further comprising the step of receiving home location register data for the mobile device associated with the person requesting the transaction. 4. The method of claim 2, wherein the data identifying the mobile communication device associated ...

Publication date: 20-11-2007

METHOD OF DISTRIBUTED KEY MANAGEMENT BASED ON A KEY PRE-DISTRIBUTION SCHEME

Number: RU2006114900A

... 1. A method of distributed key management based on a key pre-distribution scheme, including the following operations: generating, by an external registration centre, a unique identifier of a mesh network node; writing, by the external registration centre, the unique identifier into the local memory of the mesh network node; generating, by a trusted centre, the incidence matrix of the KEDYS scheme; generating, by the trusted centre, the incidence matrix of the trivial scheme; generating, by the trusted centre, long-term secret keys; writing, by the trusted centre, the generated key block of the KEDYS scheme and the corresponding column of the incidence matrix into the local memory of the mesh network node; writing, by the trusted centre, the generated key block of the KEDYS scheme and the corresponding column of the incidence matrix into the local memory of a control node of the distributed key management centre; writing, by the trusted centre, the generated key block of the trivial scheme and the broadcast key into the local memory of the control node ...

Publication date: 10-11-2016

SECURITY FOR MOBILITY BETWEEN MBMS SERVERS

Number: RU2015110634A

... 1. A method comprising: triggering, by a user terminal, a new streaming server to generate new user-specific security keys; receiving at the user terminal, from said new streaming server, a new security key specific to the new streaming server; generating at the user terminal user-specific security keys for the streaming server; and using, by the user terminal, the new user-specific security keys generated at the user terminal with the new streaming server for a previously established streaming service. 2. The method of claim 1, characterized in that the streaming service is a multimedia broadcast/multicast service, and the previously established streaming service is provided by said new streaming server, into whose area the user terminal has moved ...

Publication date: 28-02-2019

User equipment (UE) and method for receiving downlink data services

Number: DE112016006932T5
Assignee: INTEL IP CORP, Intel IP Corporation

Embodiments of a user equipment (UE) and methods for receiving downlink data services are generally described herein. In some embodiments, the UE may be configured to receive downlink signals from an Evolved Node-B (eNB) of a Third Generation Partnership Project (3GPP) Long Term Evolution (LTE) network. Sending of uplink signals to the 3GPP LTE network may be restricted in some cases. The UE may send, to an access point (AP) and in accordance with a wireless local area network (WLAN) protocol, a request for a service key for a downlink data service with the eNB. The UE may receive a service key from the AP and may use the service key to decrypt a traffic key received from the eNB. The traffic key may be used to decrypt data packets received as part of the downlink data service.

Publication date: 20-04-2017

Method for protected communication of a vehicle

Number: DE102015220224A1

The invention relates to a method for protected communication of a vehicle (14). The following steps are provided: generating a key pair (22) consisting of a private key and a public key and/or one or more symmetric keys for the vehicle (14) or for a control unit (28, 30, 32) of the vehicle (14) within the vehicle manufacturer's sphere of influence; generating a first certificate (24) with the key pair (22); introducing the key pair (22) and the first certificate (24) and/or the one or more symmetric keys into the vehicle (14) or the control unit (28, 30, 32); authenticating the vehicle (14) or the control unit (28, 30, 32) to a new communication partner (38, 40) by generating a new key pair (50) for this communication path and sending a signed message together with the certificate (24); and authenticating a new communication partner (38, 40) to ...

Publication date: 16-11-2017

System and method for user certificate initiation, distribution and provisioning in converged WLAN-WWAN interworking networks

Number: DE112005002362B4
Assignee: INTEL CORP, Intel Corporation

A method for secure operations in a converged interworking network, comprising: obtaining a public key from a computing device (108); performing (208) a bootstrapping procedure with a network operator; obtaining (210) a first instance of a user certificate from the network operator, the user certificate being based on the public key; and transferring (214) a second instance of the user certificate to the computing device (108) for purposes of digital signature, verification and encryption, wherein the converged interworking network comprises a wireless wide area network (WWAN) and a wireless local area network (WLAN), and wherein the first and second instances of the user certificate are used simultaneously and respectively in the WWAN and WLAN networks to authenticate a subscriber.

Publication date: 15-09-2005

Method for controlling and evaluating the message traffic of a communication unit by a first network unit within a mobile radio system, and associated communication unit and first network unit

Number: DE102004009289A1

In a method for controlling and evaluating the message traffic of a communication unit (KE) by a first network unit (NE1) within a mobile radio system (MS), in which all messages of the message traffic are sent via the first network unit (NE1), the first network unit (NE1) both decides, with the aid of one or more items of usage information (NI) of the communication unit (KE), whether one or more messages are forwarded to a second network unit (NE2) for further processing or are blocked, and determines, with the aid of one or more items of usage information (NI) of the communication unit (KE), whether the respective message of the message traffic is logged by the first network unit (NE1) in a log file (PD).

Publication date: 06-12-2007

Method and system for providing a mesh key

Number: DE102006036109A1

Method for providing a mesh key which can be used to encrypt messages between a first node (1A) and a second node (1B) of a mesh network (1), wherein, when the first node (1A) is authenticated at an authentication server (2), a session key is generated, from which the first node (1A) and the authentication server (2) or an authentication proxy server (3) derive, by means of a predefined key derivation function (KDF), the mesh key, which is transmitted to the second node (1B).

Publication date: 05-09-2012

Wireless network security

Number: GB0201212911D0

Publication date: 09-09-2015

Machine-to-machine cellular communication security

Number: GB0201513283D0

Publication date: 03-12-1997

Distribution of enciphering keys

Number: GB0002313749A

A method of distributing through a communications network enciphering keys for a secure communications session via said network between first and second terminals (2a,2b) corresponding first and second terminal keys (Ka,Kb) comprising: storing said first and second terminal keys (Ka,Kb) remotely to said terminals (2a,2b); providing a number (RAND); generating first and second corresponding partial keys (Kpa,Kpb) each comprising a corresponding function of said number (RAND) and a corresponding one of said terminal keys (Ka,Kb) ; and dispatching the first partial key (Ka) towards the second terminal (2b), and vice-versa.

Publication date: 26-11-2008

A cryptographic key sharing method

Number: GB0002449617A

A system for sharing secure keying information with a new device not of a secure wireless network. The keying information may be used for encryption and provided to the new device in a manner which is not susceptible to exposure outside of the secure network. The keying information shared with the new device may be regarded as a birth key. Upon appropriate provision of the birth key, the new device may request with a birth key encrypted message via a communication mode exposed to potential adversaries to be added to the secure network.

Publication date: 16-09-2020

Authentication method

Number: GB0002582169A

An authentication comprises: receiving at least one request for an action in relation to an electronic device, wherein performance of the action requires verification of an association of a group of IDs specified by the request; verifying, via cryptographic verification, whether the group of IDs specified by the request match a cryptographically attested group of IDs associated with the electronic device, to determine whether the at least one request for an action is an authentic request; and, having determined the at least one request for an action is an authentic request, approving the at least one request, wherein the group of IDs comprises at least an Integrated Circuit Card Identifier ICCID of a Subscriber Identity Module SIM of the electronic device and a device identifier associated with the electronic device. The device identifier may be an IMEI, Trusted Execution Environment TEE, or MAC address. The method prevents fraudulent activity by the use of Cloned sim cards.

Publication date: 16-05-2012

Authorising a user device comprising a subscriber identity module to access wireless networks other than a cellular network

Number: GB0002485388A

Authorising a user device comprising a subscriber identity module (SIM) to access wireless networks other than a cellular network, in order to reduce the data traffic on the cellular networks due to the proliferation of smart phones and the provision of mobile broadband for laptop and tablet computer devices. Data-related traffic on the cellular networks may be offloaded to nearby wireless networks (WLAN, WMAN, etc).

Publication date: 25-03-2015

Communicating with a machine to machine device

Number: GB0002518522A

Administering an interface Ua 150 between a machine-to-machine, M2M, device 110 and a network application function, NAF, 122 for secure communication between the M2M device and the NAF. In one method, the M2M device comprises security information for enabling secure communication via the interface, and administers the interface by: setting a secure interface lifetime parameter based on a lifetime of at least part of the security information; and transmitting administration data to the NAF, wherein the administration data comprises the secure interface lifetime parameter. Also disclosed is a method for a NAF to administer an interface between the NAF and a M2M device, comprising: receiving administration data from the M2M device, the registration data comprising a secure interface lifetime parameter that has been set based on a lifetime of at least part of the security information; and transmitting an administration response to the M2M device. The interface may be a Lightweight M2M, LWM2M ...

Publication date: 25-03-2015

Communicating with an machine to machine device

Number: GB0002518521A

Administering an interface Ua 150 between a machine-to-machine, M2M, device 110 and a network application function, NAF, 122 for secure communication between the M2M device and the NAF. In one method, the M2M device comprises security information for enabling secure communication via the interface, and administers the interface by transmitting administration data to the NAF wherein the administration data comprises a name for the M2M device which is equal to, or derived at least in part from, or otherwise linked to, at least part of data that are shared between the M2M device and a bootstrapping server. Also disclosed is a method for a NAF to administer an interface between the NAF and a M2M device, comprising: receiving administration data from the M2M device, including the determined name of the M2M device and transmitting an administration response to the M2M device. The interface may be a Lightweight M2M, LWM2M, interface.

Publication date: 21-09-2016

Efficient cellular network security configuration

Number: GB0002536509A

Security key management is provided between a cellular network and a mobile terminal. The mobile terminal and an authentication management node of the cellular network both store a common security key. A key management message is communicated between the cellular network and the mobile terminal 10. In response to the communication 20, an intermediate security key specific to the mobile terminal is generated 30 using the stored common authentication key . A session security key 40 is generated using the intermediate security key, for securing a communications session between the cellular network and the mobile terminal. Using an intermediate key which is longer lived than a session key increases the time required between rekeying the device. This is especially useful for Machine-Type-Communication (MTC) devices which are typically low-usage, low-power devices. For these devices, frequent updating of a security key may represent a large proportion of the data they communicates and subsequently ...

Publication date: 30-05-2018

Server initiated remote device registration

Number: GB0002540989B
Assignee: ADVANCED RISC MACH LTD, ARM Limited

Publication date: 07-11-2007

A method and system for the creation, management and authentication of links between entities

Number: GB0000718855D0

Publication date: 18-03-2015

Communicating with a machine to machine device

Number: GB0002518255A

The present disclosure provides a wireless communication module for use in a machine to machine device, M2M, the M2M device also comprising an integrated circuit card. The present disclosure also provides an integrated circuit card for use in a machine to machine device. The wireless communication module of the first aspect and the integrated circuit card of the alternative aspect are each configured for using a shared secret and at least part of a first data object to obtain a second data object from the integrated circuit card. The second data object is derived from the existing shared secret, is suitable for deriving security information and is suitable for use in establishing secure communication between the M2M device and a network application function, NAF. Many possible implementations are described using various aspects of lightweight M2M (LWM2M) standards, Generic Authentication Architecture (GAA) standards, Generic Bootstrapping Architecture (GBA) standards, OMA standards, 3GPP ...

Publication date: 14-02-2018

Security enhancements for LTE WLAN aggregation

Number: GB0002552825A

A method for managing ciphering configurations for LTE WLAN Aggregation (LWA). A source evolved Node B (eNB) ciphering configuration is implemented at a mobile device 13 and at a source eNB 5, for communicating data between the mobile device and the source eNB via a WLAN node 11. A WLAN ciphering configuration is implemented at the mobile device and at the WLAN node, for communicating data between the mobile device and the source eNB via the WLAN node. It is determined whether the WLAN ciphering configuration has been implemented 316 and in response a message 317 is transmitted indicating that the WLAN ciphering configuration has been implemented and at least one action 318 is performed in response to the message. The at least one action may comprise deactivating Packet Data Convergence Protocol (PDCP) encryption at the source eNB. Other embodiments for managing ciphering configurations are also provided.

Publication date: 01-04-2020

Feature(s) generation

Number: GB0002577494A
Author: WEISI GUO, Weisi Guo

A method comprises extracting 10 data or metadata 11 selected in dependence upon an identity of a counterpart user 8 with whom the data has been exchanged, extracting 12 at least one characterising feature 15 from the data or metadata using a predefined extraction method, and storing the at least one feature in a memory 14. The at least one feature may either be used as an encryption key 25 or used in a process of key generation prior to transmitting encrypted data. Features may include text in a given position, emojis, time of arrival or sending, and image-specific features such as RGB colour data and image size. Based on such features extracted from previous communications between devices, a common memory 14 shared between and specific to a pair of devices may be developed. Keys generated based on such shared memory need not be exchanged over insecure public channels nor derived from a public key pool. Such shared memory may be unique to and identical between an intended user pair, and ...

Publication date: 24-11-2010

Distributed control architecture for relays in broadband wireless networks

Number: GB0201017387D0

Publication date: 20-12-2017

Low latency security

Number: GB0002551358A

Providing a secure communication session between a mobile terminal and a serving network node of a cellular network by sending a key management message between the core network and the serving network node wherein the intermediate security key is generated, derived or recovered within the serving network node. A key management message is sent between the serving network node and the mobile terminal and in response to this message an intermediate key is generated, derived or recovered within the mobile terminal. A session key is generated from the intermediate key and this is used to secure the communication session. Further embodiments include a delegated subscriber server (DSS) of a visiting network deriving a key using key material held in the home subscriber server (HSS) of a subscriber's home network. A further embodiment provides the generation, reception or derivation of a shared secret, using public and private key information, at the mobile terminal and the serving network node.

Publication date: 03-07-2019

Enabling communications between devices

Number: GB0002558205B
Assignee: ARM IP LTD, ARM IP Limited

Publication date: 06-06-2002

Secure packet radio network.

Number: AP0000001076A

A packet radio network comprises at least one network operator station and a number of user stations. The user stations transmit message data to one another, either directly or via intermediate stations. When stations are first activated, they transmit key request messages to the network operator station. Other, authenticated stations in the network will not communicate with the new station, but will pass the key request message to the network operator station. The network operator station transmits the necessary keys back to the new station via the other stations to permit the new station to operate. Each user station transmits key probe signals from time to time which advise other stations of its public key.

Publication date: 30-06-2015

Smart card security feature profile in home subscriber server

Number: AP0000003318A
Author: HOLTMANNS SILKE

Publication date: 30-06-2016

SIGNALING RADIO BEARER SECURITY HANDLING FOR SINGLE RADIO VOICE CALL CONTINUITY OPERATION

Number: AP0000003727A

Publication date: 22-12-2016

Security mechanism for external code

Number: AP0000003955A

Publication date: 30-09-1999

Secure packet radio network

Number: AP0009901625A0

Publication date: 31-05-2015

Method and apparatus for source identification for key handling following a handover failure

Number: AP0000003261A

Publication date: 29-02-2012

Method and apparatus for source identification for key handling following a handover failure.

Number: AP2012006073A0

Publication date: 31-12-2012

Signaling radio bearer security handling for single radio voice call continuity operation

Number: AP2012006599A0

Publication date: 31-05-2014

Security mechanism for external code

Number: AP2014007624A0

Publication date: 15-12-2007

AUTHENTICATION IN A MOBILE COMMUNICATION SYSTEM

Number: AT0000381230T

Publication date: 15-08-2008

USE OF A TOGETHER USED SECRET FOR BOOTSTRAPPING

Number: AT0000403325T

Publication date: 15-04-2009

SECURITY IN MOBILE COMMUNICATION SYSTEMS

Number: AT0000428278T

Publication date: 15-03-2011

AUTHENTICATION MEANS ATM FUNCTIONALITY FOR UNIDIRECTIONAL NETWORK CONNECTIONS

Number: AT0000500696T

Publication date: 15-03-2011

PROCEDURE AND DEVICE FOR THE DETERMINATION OF AN AUTHENTICATION PROCEDURE

Number: AT0000501583T

Publication date: 15-02-2010

INTERWORKING FUNCTION TO AUTHENTICATE A TERMINAL IN WIRELESS LOCAL A NETWORK

Number: AT0000456237T
Author: HSU RAYMOND, HSU, RAYMOND

Publication date: 15-12-2011

PROCEDURE AND SYSTEM FOR THE MECHANISM OF A PEER TON PEER OF COMMUNICATION CHANNEL

Number: AT0000537643T

Publication date: 15-01-2005

WIRELESS CONNECTIONS OF SHORT RANGE IN A TELECOMMUNICATIONS NET

Number: AT0000287190T

Publication date: 15-06-2004

PROCEDURE AS A CHECK OF A TRANSMISSION

Number: AT0000268520T

Publication date: 30-05-2019

Internet of things device burning verification method and apparatus, and identity authentication method and apparatus

Number: AU2017367926A1
Assignee: AJ PARK

Provided in the present application are an Internet of Things device burning verification method and apparatus, and an identity authentication method and apparatus, the burning verification method comprising: a burning verification apparatus receives a burning request sent by a burning production line, the burning request being used for requesting the burning apparatus to allocate an identity ID and device keys to an Internet of Things device to be burned; the device keys comprise a device private key and a device public key; the burning verification apparatus verifies whether the burning request is legitimate, and if so, then allocates an identity ID and device keys to the Internet of Things device to be burned; and the burning verification apparatus sends the identity ID and the device keys to the burning production line, such that the burning production line burns the identity ID and the device keys to the corresponding Internet of Things device. Using the embodiments of the present ...

Publication date: 26-08-1998

Secure packet radio network

Number: AU0005998898A

Publication date: 07-05-1997

Subscriber authentication in a mobile communications system

Number: AU0007299196A
Author: MURTO JUHANI, JUHANI MURTO

Publication date: 10-02-2011

A method and apparatus for new key derivation upon handoff in wireless networks

Number: AU2008245604B2

Publication date: 08-03-2012

Method for handling ciphering keys in a mobile station

Number: AU2010286125A1

Techniques for handling ciphering keys in a mobile station comprising a mobile equipment (ME) and a Universal Subscriber Identity Module (USIM) are disclosed. An example method includes obtaining a UMTS cipher key (CK), integrity key (IK), and ciphering key sequence number (CKSN) from the USIM, deriving a 128-bit ciphering key (Kc-128) from the CK and the IK, and storing the Kc-128 and the CKSN on the mobile equipment, separate from the USIM. The stored CKSN is associated with the stored Kc-128, so that the Kc-128's correspondence to the most current UMTS security context can be tracked. This example method applies to the generation and storage of a 128-bit ciphering key for either the packet-switched or circuit-switched domains. A corresponding user equipment apparatus is also disclosed.

Publication date: 16-02-2012

Mobile communication system, mobile station and radio base station

Number: AU2010271918A1

A mobile communication system wherein a mobile station (UE) is configured to simultaneously use a plurality of frequency carriers to communicate with a radio base station (eNB) and wherein the mobile station (UE) is also configured to apply the same key (KeNB) to all of the plurality of frequency carriers, thereby performing a communication security processing.

Publication date: 24-07-2008

BOOTSTRAPPING KERBEROS FROM EAP (BKE)

Number: CA0002675962A1

The preferred embodiments involve a mechanism to bootstrap Kerberos from EAP in which EAP is used for initial network access authentication and Kerberos is used for provisioning session keys to multiple different protocols. The preferred embodiments make use of an EAP extension method (EAP-EXT) to realize the mechanism.

Publication date: 04-10-2016

METHOD AND SYSTEM FOR ESTABLISHING ENHANCED AIR INTERFACE KEY

Number: CA0002787356C
Assignee: ZTE CORPORATION, ZTE CORP

The disclosure provides a method and a system for establishing an enhanced air interface key. During a serving Radio Network Controller (RNC) relocation process, a target RNC with an enhanced security capability enables a received legacy key to perform security protection on communication in the serving RNC relocation process when the target RNC cannot learn from a relocation request sent by a source RNC whether or not a user equipment supports the enhanced security capability (500); and when the target RNC receives a message from the user equipment and learns that the user equipment supports the enhanced security capability, the target RNC notifies a core network to establish and enable the enhanced air interface keys on the network side and in the user equipment respectively (501). The method of the disclosure ensures normal accomplishment of the relocation process, and therefore ensures normal proceeding of subsequent communication.

Publication date: 13-07-2017

SECURE INFORMATION TRANSMITTING SYSTEM AND METHOD FOR PERSONAL IDENTITY AUTHENTICATION

Number: CA0003010336A1

The present invention relates to a secure information transmitting system and method for personal identity authentication, which, on the basis of a user public key, encrypt and transmit an authentication number transmitted from a server that provides a service to a user to a mobile communication terminal of the user, thereby preventing an unauthorized user who obtained the authentication number from being recognized even if an authentication number is externally exposed through hacking, wherein the number cannot be decrypted; and having a user public key required for encrypting an authentication number stored and managed in a block chain holding server that is tamper proof and is not a private server, and which, through means capable of providing same whenever needed, preemptively block the exposure of or tampering with the user public key through hacking which can be caused by managing the user public key in a private server. The secure information transmitting system for personal identity ...

Publication date: 13-12-2018

PROVIDING DATA FILE UPDATES USING MULTIMEDIA BROADCAST MULTICAST SERVICES

Number: CA0003061649A1
Assignee: MOFFAT & CO.

A method is provided for providing application data. The method includes a network node receiving at least one application identifier (App-ID) associated with at least a first user equipment (UE) and a second UE; the network node requesting to receive notifications of updates to application data associated with the at least one App-ID; the network node configuring a broadcast entity to transmit application data associated with the at least one App-ID; and the network node sending configuration data to the first and second UEs for receiving application data from the broadcast entity.

Publication date: 12-11-2013

METHOD AND SYSTEM FOR ESTABLISHING A SECURE OVER-THE-AIR (OTA) DEVICE CONNECTION

Number: CA0002662686C

A method and system for establishing a secure over-the-air (OTA) connection between a connection owner and a server, the connection owner being associated with a wireless device connected to the server via a communications network. A secure session is instantiated on behalf of the connection owner, the secure session being maintained by the server and defining a context for the secure OTA connection. A registration key and a reset key are defined, and stored in association with the secure session on both the server and the wireless device. Access to the secure session is controlled using at least the registration key, and the secure session is maintained on the server only as long as the connection owner has a valid registration key.

Publication date: 18-12-2012

METHOD AND SYSTEM FOR SECURE PROCESSING OF AUTHENTICATION KEY MATERIAL IN AN AD HOC WIRELESS NETWORK

Number: CA0002662841C

A method and system for secure processing of authentication key material in an ad hoc wireless network enables secure distribution of the authentication key material between a mesh authenticator (110) and a mesh key distributor (115), which may be separated by multiple wireless links. The method includes deriving a pairwise transient key for key distribution (PTK-KD) using a mesh key holder security information element (MKHSIE). A mesh authenticator pairwise master key (PMK-MA) is then requested using a first mesh encrypted key information element (MEKIE) that includes data origin information. Using the pairwise transient key for key distribution (PTK-KD), a second mesh encrypted key information element (MEKIE) is then decrypted to obtain the mesh authenticator pairwise master key (PMK-MA).

Publication date: 13-03-2008

METHOD AND APPARATUS FOR ESTABLISHING SECURITY ASSOCIATIONS BETWEEN NODES OF AN AD HOC WIRELESS NETWORK

Number: CA0002662846A1

A method and apparatus for establishing security associations between nodes of an ad hoc wireless network includes two authentication steps: an initial first contact step (authentication, authorization, and accounting (AAA)-based authentication), and a "light-weight" step that reuses key material generated during first contact. A mesh authenticator within the network provides two roles. The first role is to implement an 802.1X port access entity (PAE), derive transient keys used for encryption with a supplicant mesh point via a four-way handshake and take care of back end communications with a key distributor. The second role is as a key distributor that implements a AAA-client and derives keys used to authenticate a mesh point during first contact or fast security association. The key distributor and the on-line authentication server can communicate to one another without these messages being transported over mesh links.

Publication date: 12-01-2012

Method and system for transmitting delay media information in ip multimedia subsystem

Number: US20120011368A1
Assignee: ZTE Corp

The present invention provides a method and a system for transmitting delay media information in an IP multimedia subsystem, the system includes: a sending party of media information, a receiving party of the media information, a KMS and a mailbox server of the receiving party of the media information. The method and system of the present invention establishes an end-to-end security association between the sending party and the receiving party of the media information to encrypt the media information between them, without any need for the KMS to store the media key; at the same time, the security association is also established between the sending party and the mailbox server of the receiving party, and between the mailbox server of the receiving party and the receiving party, to perform an integrity protection and a mutual authentication between them, thus the security transmission of the IMS delay media information can be realized.

Publication date: 08-03-2012

Method and system for optimizing authentication procedures in media independent handover services

Number: US20120057706A1
Author: Anirudh Bhatt
Assignee: SAMSUNG ELECTRONICS CO LTD

A method and system for establishing security association mechanism between a Mobile Node (MN) and a plurality of Point of Services (PoS) are provided. The method includes sending a first request from primary PoS to secondary PoS. The primary PoS then receives a first response along with a derived first key. The first key is derived at the secondary PoS. The method further includes receiving a second request from the MN at the primary PoS. The method then derives a second key based on a MN identity and the derived first key. Thereafter, the method sends a second response along with a second key from the primary PoS to the MN. Further, the method establishes communication between the MN and secondary PoS based on the second key received by the MN and the second key generated at the secondary PoS.

Publication date: 21-06-2012

Evolved Packet System Non Access Stratum Deciphering Using Real-Time LTE Monitoring

Number: US20120159151A1
Assignee: Tektronix Inc

A monitoring system is coupled to interfaces in an LTE network and passively captures packets from the network interfaces. First data packets associated with an authentication and key agreement procedure are captured on a first interface. Second data packets associated with the authentication and key agreement procedure are captured on a second interface. Individual ones of the first data packets are correlated to individual ones of the second data packets based upon a same parameter. An authentication vector table is created comprising information from the correlated first data packets and second data packets, wherein entries in the table comprise authentication data for a plurality of security contexts. A cipher key is identified to decipher additional packets for the user. The cipher key can also be identified in case of Inter Radio Access Technology Handover by the user equipment.

Publication date: 26-07-2012

Security feature negotiation between network and user terminal

Number: US20120190343A1
Assignee: Telefonaktiebolaget LM Ericsson AB

A Mobile Station (MS), a Base Station System (BSS) and a Mobile Switching Centre (MSC) of a cellular network, such as GSM, are disclosed. According to one embodiment, the MS is arranged to carry out one or more security features in its communication with the network. For example, the MS may be arranged to: by means of information received in a signalling message ( 0 ) from the network, discover if the network supports one or more of said security features, exchange information with the network in order to enable the use of one or more of the above-mentioned supported security features in the communication, carry out at least one of the one or more of the supported security features in the communication with the network.

Publication date: 09-08-2012

Authentication method and apparatus in a communication system

Number: US20120204027A1
Assignee: SAMSUNG ELECTRONICS CO LTD

An authentication method and apparatus in a communication system are provided. In a method for authenticating a first node at a second authentication server in a communication system comprising the first node registered to a first authentication server and a second node registered to the second authentication server, an authentication request message requesting authentication of the first node is received from the second node, the authentication request message is transmitted to the first authentication server, and upon receipt of an authentication success message indicating successful authentication of the first node from the first authentication server, the authentication success message is transmitted to the second node.

Publication date: 04-10-2012

Methods and apparatuses for avoiding damage in network attacks

Number: US20120254997A1
Assignee: Telefonaktiebolaget LM Ericsson AB

Methods and apparatuses in a client terminal ( 400 ) and a web server ( 402 ) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF′, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF′, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.

Publication date: 03-01-2013

Methods and Arrangements for Authorizing and Authentication Interworking

Number: US20130007846A1
Assignee: Telefonaktiebolaget LM Ericsson AB

This disclosure relates to a portable communication device and a network-side authorization server, and to methods therein. By splitting the functionality of an OAuth authorization server and moving the authorization endpoint into, for instance a mobile phone, an authorization server within the mobile phone is provided. This mobile phone authorization server does not need to communicate with the network-side for getting an authorization code or an access token.

Publication date: 21-02-2013

Using A Single Certificate Request to Generate Credentials with Multiple ECQV Certificates

Number: US20130046972A1
Assignee: Individual

A method and apparatus are disclosed for using a single credential request (e.g., registered public key or ECQV certificate) to obtain a plurality of credentials in a secure digital communication system having a plurality of trusted certificate authority CA entities and one or more subscriber entities A. In this way, entity A can be provisioned onto multiple PKI networks by leveraging a single registered public key or implicit certificate as a credential request to one or more CA entities to obtain additional credentials, where each additional credential can be used to derive additional public key-private key pairs for the entity A.

Publication date: 28-03-2013

Method for Updating Air Interface Key, Core Network Node and Radio Access System

Number: US20130077785A1
Author: Chengyan Feng, LU Gan
Assignee: ZTE Corp

The disclosure discloses a method for updating an air interface key, a core network node and a radio access system, wherein the method for updating an air interface key comprises: a core network node receives a relocation complete indication message from a target RNC (S 502 ), the relocation complete indication message is configured to indicate the successful relocation of User Equipment (UE) from a source RNC to the target RNC; the core network node uses the saved traditional key and the current enhanced key to calculate a next hop enhanced key (S 504 ); the core network node sends the next hop enhanced key to the target RNC (S 506 ). Through the disclosure, the forward security of users is guaranteed effectively, thus the communication security of the radio access system is improved overall.

Publication date: 25-04-2013

Wireless local area network (wlan) gateway system

Number: US20130103558A1
Assignee: REDKNEE INC

The invention of present provides for real-time authentication and billing gateway for WLAN traffic. Notably, the improved method for implementing a Wireless Local Area Network (WLAN) gateway system enables telecommunications network operators (and like entities) to rate and bill for services accessed by the wireless user. The logic of the invention supports and furthers the art in regard to advanced real-time rating/billing in addition to providing for a variety of replenishment mechanism for casual users via pre-paid vouchers and credit cards.

Publication date: 30-05-2013

Key setting method, node, and network system

Number: US20130138950A1
Assignee: Fujitsu Ltd

A key setting method executed by a node transmitting and receiving data through multi-hop communication in an ad-hoc network among multiple ad-hoc networks, includes detecting connection with a mobile terminal communicating with a server connected to a gateway in each ad-hoc network among the ad-hoc networks; transmitting by simultaneously reporting to the ad-hoc network, an acquisition request for a key for encrypting the data when the connection with the mobile terminal is detected at the detecting; receiving from the server via the mobile terminal, a key specific to a gateway and transmitted from the gateway to the server consequent to transfer of the simultaneously reported acquisition request to the gateway in the ad-hoc network; and setting the key specific to the gateway received at the receiving as the key for encrypting the data.

Publication date: 13-06-2013

Public key cryptography for applications requiring generic bootstrap architecture

Number: US20130149996A1
Assignee: VERIZON PATENT AND LICENSING INC

A mobile terminal is configured to store information associated with accessing an application that requires bootstrapping; recognize an invocation of the application; identify a rule, included in the information, associated with accessing the application; determine whether the rule indicates that a user of the mobile terminal is allowed to access the application; determine whether the mobile terminal supports the bootstrapping; and provide access to the application when the rule indicates that the user of the mobile terminal is allowed to access the application and when the mobile terminal supports the bootstrapping.

Publication date: 19-09-2013

Method and System for Secure Mobile File Sharing

Number: US20130246558A1
Author: Steven V. Bacastow
Assignee: QuickVault Inc

A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices.

Publication date: 10-10-2013

Method and Apparatuses for End-to-Edge Media Protection in an IMS System

Number: US20130268681A1
Assignee: Individual

An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node.

Publication date: 16-01-2014

Systems and methods for facilitating conference calls using security keys

Number: US20140018043A1
Assignee: BlackBerry Ltd

Systems and methods are described that facilitate a conference call between a plurality of communication devices. The method may comprise: providing a first primary communication device; providing a second primary communication device; providing a conference call controller; establishing a first control link between the first primary communication device and the conference call controller; communicating first identification data between the first primary communication device and the conference call controller via the first control link; establishing a media link between the first and second primary communication devices via the conference call controller. In certain embodiments, the first identification data corresponds to at least one participation level of the first primary communication device with respect to the media link. The method may further comprise establishing a second control link between the second primary communication device and the conference call controller; communicating second identification data between the second primary communication device and the conference call controller via the second control link; wherein the second identification data establishes a participation level of the second primary communication device with respect to the media link.

Publication date: 23-01-2014

Mobile communication method, radio base station, mobile management node, and mobile station

Number: US20140024344A1
Assignee: NTT DOCOMO INC

A mobile communication method according to the present invention includes: a step of updating, by a radio base station eNB or a mobile management node MME, a key Kx to be used for transmission/reception of a data signal through an Ud interface or a predetermined parameter X for calculating the key Kx when the radio base station eNB or the mobile management node MME has received an “SN wrap indication” or a key update request signal from a mobile station UE#1 or a mobile station UE#2; a step of notifying, by the radio base station eNB or the mobile management node MME, the mobile station UE#1 and the mobile station UE#2 of the updated key Kx or the updated predetermined parameter X; and a step of continuing, by the mobile station UE#1 and the mobile station UE#2, transmission/reception of the data signal.

Publication date: 30-01-2014

Secure key distribution with general purpose mobile device

Number: US20140032903A1
Assignee: Honeywell International Inc

One embodiment is directed to a method for managing cryptographic information. The method includes initiating cryptographic information loading application on a general purpose mobile device (GPMD) and establishing a connection between the GPMD and a server that includes cryptographic information. Authentication input is received from a user of the GPMD. Data identifying the GPMD and the authentication input is sent from the GPMD to the server for authentication of the GPMD and the user. The GPMD also sends data identifying an electronic device into which cryptographic information is to be loaded. In response, the GPMD receives cryptographic information for the electronic device at the GPMD from the server. The GPMD then sends the cryptographic information from the GPMD to the electronic device for loading therein.

Publication date: 13-03-2014

Performing a group authentication and key agreement procedure

Number: US20140075509A1
Assignee: Nokia Oyj

Provided are a method, a corresponding apparatus and a computer program product for performing a group authentication and key agreement procedure. A method comprises initiating, by a master device in a group of devices, a group authentication and key agreement procedure towards an authentication entity, wherein a shared group key is defined for use in the group authentication and key agreement procedure; performing mutual authentication between the master device and the authentication entity based upon the shared group key; and performing mutual authentication between the authenticated master device and other devices in the group based upon the shared group key for completion of the group authentication and key agreement procedure. With the claimed invention, the impact of the signaling overhead on a network can be significantly decreased without substantive modification to the existing architecture of the network.

Publication date: 03-04-2014

Mobile communication method and mobile management node

Number: US20140094145A1
Assignee: NTT DOCOMO INC

In an attach process executed as a relay node RN, the wasteful use of a resource is avoided. A mobile communication method according to the present invention includes a step of transmitting, by a radio base station DeNB, “(S1) Initial UE message” indicating the attach process executed as the relay node RN to a mobile management node MME in response to “Attach Request (RN)” received from the relay node RN having a secure channel established between the relay node RN and USIM-RN, a step of starting, by the mobile management node MME, “EPS-AKA” between the relay node RN and the USIM-RN in response to the “(S1) Initial UE message”, and a step of failing in the “EPS-AKA” when it is determined that the USIM-RN cannot be used for the attach process executed as the relay node RN.

Publication date: 06-01-2022

IN-VEHICLE CONTENT DELIVERY SYSTEM OPERABLE IN AUTONOMOUS MODE AND NON-AUTONOMOUS MODE

Number: US20220004600A1
Assignee:

Multimedia content may be delivered to content consumer devices via a content-delivery network. Encrypted content and cryptography keys for decrypting the content may be distributed from a data center to various nodes of the content-delivery network, each node acting as a semi-independent content-delivery system. Each content-delivery system is capable of delivering received content to end-users and implementing a key-management scheme to facilitate secure content-delivery and usage tracking, even when the content-delivery system is disconnected from the data center. In other words, the disclosed systems and methods facilitate the operation of nodes which may operate in “autonomous mode” when disconnected from a larger content-delivery network, thus maintaining content-delivery capabilities despite having little if any connectivity to external networks.

1. A system for providing an in-vehicle content-delivery service to mobile consumer devices, the system comprising: one or more processors; one or more communication interfaces that are coupled to the one or more processors and that are configured to: (i) communicatively couple the content delivery system to one or more mobile consumer devices via an in-vehicle network for the vehicle, and (ii) communicatively couple the content delivery system to a license server that is external to the vehicle and that is configured to authorize or not authorize content-requests originating from the one or more mobile consumer devices; and (i) detect a loss of a connection between the content delivery system and the license server; (ii) respond to the detected loss by operating as a proxy for the license server, including performing an authorization operation to determine a particular content-request from a particular mobile consumer device is authorized; and (iii) transmit content to the particular mobile consumer device in response to determining that the particular content-request from the particular mobile consumer ...

Publication date: 06-01-2022

RADIO NETWORK NODE, NETWORK NODE AND METHODS FOR SETTING UP A SECURE CONNECTION TO THE USER EQUIPMENT (UE)

Number: US20220007183A1
Assignee:

Embodiments herein relate to e.g. a method performed by a network node for handling a communication of a user equipment, UE, in a wireless communication network. The network node transmits to a radio network node associated with the UE, a request message indicating a request for capability data for the UE, wherein the request message comprises a security indication, and wherein the security indication indicates data for setting up a secure connection to the UE.

1. A method performed by a network node for handling a communication of a user equipment, UE, in a wireless communication network, the method comprising: transmitting to a radio network node associated with the UE, a request message indicating a request for capability data for the UE, wherein the request message comprises a security indication, and wherein the security indication indicates data for setting up a secure connection to the UE.
2. The method according to claim 1, wherein the security indication comprises one or more security keys and/or UE Security Capability, and wherein the request message is a UE Capability check request message.
3. The method according to claim 1, wherein the request message is a match request requesting a response indicating whether voice over packet switched is supported or not by the UE and/or the radio network node.
4. The method according to claim 1, wherein the security indication is piggybacked to the request message.
5. The method according to claim 1, further comprising: receiving a capability indication for the UE in a match response, wherein the capability indication indicates a capability of the UE.
6. A method performed by a radio network node for handling a communication of a user equipment, UE, in a wireless communication network, the method comprising: receiving from a network node, a request message indicating a request for capability data for the UE, wherein the request message comprises a security indication, and wherein ...

Publication date: 13-01-2022

Wireless Network Authentication by a Trusted Virtual Machine

Number: US20220014917A1
Assignee: Intel Corporation

Systems and methods for a virtual machine executing on a host device to establish a secured wireless connection and control a wireless network device without being exposed to the wireless network credentials are provided. A supplicant proxy is provided at the virtual machine to route authentication requests generated at the virtual machine through a supplicant and receive session keys from the supplicant, where the supplicant is at another virtual machine executing on the host device and has access to the network credentials.

1. A method, comprising: generating, at a wireless network stack of a first virtual machine (VM) executing on a host device, an indication to authenticate a wireless data link established between the wireless network stack and a wireless access point via a wireless network device of the host device; sending the indication to authenticate the wireless data link to a supplicant of a second VM executing on the host device; receiving from the supplicant one or more session keys; and securing the wireless data link based on the one or more session keys.
2. The method of claim 1, comprising establishing the wireless data link.
3. The method of claim 1, comprising sending the indication to authenticate the wireless data link to the supplicant via a supplicant proxy of the first VM.
4. The method of claim 3, comprising sending the indication to authenticate the wireless data link to the supplicant via the supplicant proxy of the first VM and a supplicant proxy of the second VM.
5. The method of claim 1, wherein the indication to authenticate the wireless data link comprising an extensible authentication protocol (EAP) frame.
6. The method of claim 5, wherein the wireless data link is established based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard and wherein the EAP frame is generated based on the IEEE 802.1X standard.
7. A computing apparatus comprising: a wireless network device; a processor; and generate, at a wireless ...

Publication date: 02-01-2020

Connectivity and feedback techniques for wireless broadcast services

Number: US20200008095A1
Assignee: Qualcomm Inc

This disclosure provides systems, devices, apparatus and methods, including computer programs encoded on storage media, for broadcast services feedback techniques. Several broadcast connectivity and feedback techniques are described. A broadcast connectivity protocol may be used by different types of wireless communication devices (such as an access point (AP) and station (STA)) to provide or access broadcast services. A security protocol or enhancement to the broadcast connectivity protocol may provide source authentication or verification for broadcast transmissions. The broadcast services feedback techniques can enable an AP to obtain feedback from one or more STAs. In some implementations, a negative acknowledgement (NACK) scheme may be used to efficiently obtain feedback from multiple STAs. The broadcast connectivity and feedback techniques may be used by a STA that does not have a wireless association with the AP. The techniques may be useful in servicing multiple STAs in an environment.

Publication date: 20-01-2022

SYSTEM AND METHOD FOR PROVIDING NETWORK SUPPORT SERVICES AND PREMISES GATEWAY SUPPORT INFRASTRUCTURE

Number: US20220021552A1
Assignee:

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices.

1-22. (canceled)
23. A management device for operation at a user premises to provide local application services for a plurality of endpoint devices at the user premises, the management device comprising: at least one processor; one or more interfaces operably coupled to the at least one processor and configured to enable (1) local, bi-directional communication with the plurality of endpoint devices that is located at the user premises and (2) communication with a service provider remote from the user premises; and receive user command data from a control device at the user premises, wherein the control device is separate from the plurality of endpoint devices; operate the one or more interfaces to deliver at least a portion of content based on the user-command data, via the at least one local application, to at least one endpoint device of the plurality of ...

Publication date: 08-01-2015

Mapping special subframes in a wireless communication network

Number: US20150009870A1
Assignee: Intel IP Corp

Methods, apparatuses, and systems are described related to mapping special subframes in a wireless communication network. In embodiments, an eNB may assign demodulation reference signals (DM-RSs) and/or cell-specific reference signals (CRSs) to a downlink pilot time slot (DwPTS) of a special subframe responsive to a determined configuration of the special subframe. In embodiments, an eNB may bundle the DwPTS or an uplink pilot time slot (UpPTS) of the special subframe with another subframe for scheduling. In embodiments, a UE may estimate a channel associated with the special subframe based on DM-RSs and/or CRSs transmitted in another subframe. In embodiments, an eNB may exclude the DwPTS from scheduling for certain special subframe configurations if a new carrier type (NCT) is used. In embodiments, an eNB may exclude certain special subframe configurations from use for NCT communications. Other embodiments may be described and claimed.

Publication date: 20-01-2022

METHOD AND APPARATUS FOR TRANSMITTING PUBLIC SAFETY WARNING MESSAGES OVER NON-3GPP ACCESS NETWORKS IN WIRELESS COMMUNICATION SYSTEM

Number: US20220022018A1
Assignee:

The present disclosure relates to a pre-5-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond 4-generation (4G) communication system such as long term evolution (LTE). Embodiments herein disclose a method for transmitting public safety warning messages over non-3GPP access networks. The method includes receiving, by an Access and Mobility Management Function (AMF) entity of the 3GPP system, at least one public safety warning message from a Cell Broadcast Entity (CBE) and transmitting, by the AMF entity of the 3GPP system, at least one public safety warning message to a Non-3GPP Interworking Function (N3IWF) interface entity of the 3GPP system, where the N3IWF interface entity connects the AMF entity to the non-3GPP access network. Further, the method includes transmitting, by the N3IWF interface entity of the 3GPP system, the at least one public safety warning message to at least one User Equipment (UE) over the non-3GPP access.

1. A method performed by an access and mobility management function (AMF) entity for transmitting public safety warning messages over a non-3GPP access network using a 3GPP system, the method comprising: receiving, by an access and mobility management function (AMF) entity of the 3GPP system, at least one public safety warning message from a cell broadcast entity (CBE); and transmitting, by the AMF entity of the 3GPP system, at least one public safety warning message to a Non-3GPP interworking function (N3IWF) interface entity of the 3GPP system.
2. The method of claim 1, wherein the CBE routes the at least one public safety warning message to the AMF entity of the 3GPP system through a cell broadcast center (CBC).
3. The method of claim 1, wherein the public safety warning messages are ...

Publication date: 20-01-2022

FAST BASIC SERVICE SET TRANSITION FOR MULTI-LINK OPERATION

Number: US20220022033A1
Assignee:

This disclosure provides methods, devices and systems that facilitate mobility of wireless communication devices configured for multi-link operation (MLO). Particular aspects more specifically relate to facilitating fast basic service set (BSS) transitions by wireless communication devices that support MLO. For example, some aspects provide support for station (STA) multi-link device (MLD) roaming between access point (AP) MLDs, from an AP MLD to a non-MLO AP, or from a non-MLO AP to an AP MLD. In some aspects, a STA MLD may be configured to use a medium access control (MAC) service access point address (MAC-SAP address) of the AP MLD when re-associating or communicating with a legacy AP or with an AP MLD. In such aspects, the MAC-SAP address may be used by all STAs of the non-AP MLD for fast BSS transitions.

1. A method for wireless communication by a non-access point (non-AP) multi-link device (MLD), the method comprising: transmitting, by a first station of a plurality of stations of the non-AP MLD to a first AP MLD, an initial association request to initiate an association between the non-AP MLD and the first AP MLD; receiving, from the first AP MLD, a first response to the initial association request from the first AP MLD indicating establishment of a secret key shared by the non-AP MLD and the first AP MLD; generating a first pairwise master key (PMK) based on the secret key; transmitting, by a second station of the plurality of stations of the non-AP MLD to a first target AP, a first reassociation request based on the first response to the initial association request; generating a second PMK based on the first PMK, a medium access control service access point (MAC-SAP) address that uniquely identifies the non-AP MLD in a wireless local area network (WLAN), and a medium access control (MAC) address of the first target AP; receiving, from the first target AP, a second response to the first reassociation request, the second response to the first reassociation request ...

Publication date: 27-01-2022

AUTHENTICATION AND AUTHORIZATION IN PROXIMITY BASED SERVICE COMMUNICATION USING A GROUP KEY

Number: US20220029975A1
Assignee: NEC Corporation

A method of performing authentication and authorization in Proximity based Service (ProSe) communication by a requesting device which sends a request of a communication and a receiving device which receives the request from the requesting device, the method including deriving session keys Kpc and Kpi from a unique key Kp at the requesting and receiving devices, using the session keys Kpc and Kpi for ProSe communication setup and direct communication between the requesting and receiving devices, starting the direct communication with the requesting and receiving devices. The key Kpc is a confidentiality key and the key Kpi is an integrity protection key.

1. A first User Equipment (UE) for direct communication, the first UE comprising: at least one processor; and at least one memory coupled to the at least one processor, the at least one memory storing instructions that, when executed by the at least one processor, cause the at least one processor to: receive, from a network node, a message including a group key, receive, from a second UE, an identifier related to the group key, wherein the identifier is received by the second UE from the network node, identify the group key based on the identifier, derive a first key and a second key based on the identified group key, and perform the direct communication with the second UE, the direct communication being protected by the first key and the second key.
2. The first UE according to claim 1, wherein the first key or the second key is an encryption key.
3. The first UE according to claim 1, wherein the UE and the second UE support Proximity Services (ProSe).
4. The first UE according to claim 1, wherein the UE and the second UE get an authorization from a network including at least a Proximity Services (ProSe) Function and a ProSe application server.
5. A communication method of a first User Equipment (UE) for direct communication, the communication method comprising: receiving, from a network node, a ...
Publication date: 27-01-2022

Secure pairing of devices

Number: US20220030420A1
Author: Jack Wong
Assignee: Motorola Solutions Inc

A process for securely pairing devices. A host device receives an input indicating a user credential for logging into the host device and initiates a scanning process for discovering target devices available for pairing with the host device. During the scanning process, the host device receives wireless pairing information from a target device. The wireless pairing information includes a unique device identifier associated with the target device and an electronic signature generated as a function of a signature key stored at the target device and the unique device identifier. The host device compares the electronic signature with a run-time signature generated at the host device as a function of the user credential received at the host device and the unique device identifier. The host device then initiates a pairing process to establish a short-range communication link with the target device when the electronic signature matches with the run-time signature.

Publication date: 14-01-2016

Secure multi-party communication with quantum key distribution managed by trusted authority

Number: US20160013936A1
Assignee: Los Alamos National Security LLC

Techniques and tools for implementing protocols for secure multi-party communication after quantum key distribution (“QKD”) are described herein. In example implementations, a trusted authority facilitates secure communication between multiple user devices. The trusted authority distributes different quantum keys by QKD under trust relationships with different users. The trusted authority determines combination keys using the quantum keys and makes the combination keys available for distribution (e.g., for non-secret distribution over a public channel). The combination keys facilitate secure communication between two user devices even in the absence of QKD between the two user devices. With the protocols, benefits of QKD are extended to multi-party communication scenarios. In addition, the protocols can retain benefit of QKD even when a trusted authority is offline or a large group seeks to establish secure communication within the group.

Publication date: 15-01-2015

Authentication In Heterogeneous IP Networks

Number: US20150016609A1
Assignee: Nokia Oyj

The invention proposes a system for authenticating and authorizing network services comprising: a mobile device being adapted to, upon receipt of an information message indicating at least one network access type, determine the network access type, to create a start message containing at least a user identity, and to encapsulate the start message in an authentication message compatible with the access network identified in the information message, and an access controller for reading the encapsulated message from the mobile and forwarding the encapsulated message to an authentication server identified in the encapsulated message. The invention also proposes a corresponding method for authenticating and authorizing network services, and an access control device, a subscriber device and a router device.

Publication date: 03-02-2022

SCALABLE CERTIFICATE MANAGEMENT SYSTEM ARCHITECTURES

Number: US20220038295A1
Assignee:

An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.

1. A scalable certificate management system for securely providing certificates to a provisioning controller, the scalable certificate management system comprising: one or more application platforms that run a registration authority application and that are communicatively connected to one or more compute engines that perform cryptographic computations requested by the registration authority application; one or more application platforms that run a pseudonym certificate authority application and that are communicatively connected to one or more compute engines that perform cryptographic computations requested by the pseudonym certificate authority application, wherein the pseudonym certificate authority application is operable to generate and conditionally transmit digital assets to the registration authority application; and one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers being configured to ...

Publication date: 18-01-2018

Method and apparatus for storing context information in a mobile device

Number: US20180019871A1
Author: William Anthony Gage
Assignee: Huawei Technologies Co Ltd

A method and apparatus for storing and using context information in a wireless communication network are provided. Context information is encrypted and transmitted to a mobile device for storage. A cryptographic key usable for decrypting the context information is stored at a radio access node or other node in the network and an indication of the key and the location of the key is stored at the mobile device. The mobile device transmits a message which includes the key identifier and location and the encrypted context information. The message may further include application data and the encrypted context information may include an indication of a further key for encrypting and decrypting application data in transmissions between the mobile device and the communications network. The encrypted context information may include the further key.

Publication date: 03-02-2022

APPARATUS AND METHOD FOR SSP DEVICE AND SERVER TO NEGOTIATE DIGITAL CERTIFICATES

Number: US20220038894A1
Assignee:

A method of a local bundle assistant (LBA) negotiating a certificate with a secondary platform bundle manager (SPBM) in a wireless communication system including: transmitting a request message requesting information of certificates supported by a secondary secure platform (SSP) to a secondary platform bundle loader (SPBL) of the SSP; receiving the information of certificates supported by the SSP including information of certificate issuers corresponding to a family identifier from the SPBL; transmitting the information of certificates supported by the SSP to the SPBM; and receiving a certificate of the SPBM for key agreement, information of public key identifiers of certificate issuers to be used by the SSP, and information of the family identifier from the SPBM.

1. transmitting a request message requesting information of certificates supported by a secondary secure platform (SSP) to a secondary platform bundle loader (SPBL) of the SSP; receiving the information of certificates supported by the SSP including information of certificate issuers corresponding to a family identifier from the SPBL; transmitting the information of certificates supported by the SSP to the SPBM; and receiving a certificate of the SPBM for key agreement, information of public key identifiers of certificate issuers to be used by the SSP, and information of the family identifier from the SPBM, wherein the information of certificate issuers corresponding to a family identifier includes information of public key identifiers of certificate issuers that issued certificates included in a certificate chain of the SPBM and are verifiable by the SPBL, information of public key identifiers of certificate issuers that issued certificates included in a certificate chain of the SPBL and are verifiable by the SPBM, and the information of the family identifier. A method of a local bundle assistant (LBA) negotiating a certificate with a secondary platform bundle manager (SPBM) in a wireless communication system ...

Publication date: 03-02-2022

SYSTEM AND METHOD FOR SECURITY PROTECTION OF NAS MESSAGES

Number: US20220038897A1
Author: Liu Jennifer
Assignee:

Systems and methods that provide NAS security protection for mobile networks. In one embodiment, a network element of a mobile network performs a NAS procedure in multiple phases to establish a NAS communication session with User Equipment (UE) when no NAS security context exists. For a first phase, the network element receives an initial NAS message from the UE populated with a subset of NAS protocol Information Elements (IEs) designated for security-related handling, selects a NAS security algorithm for the NAS security context, and sends a response to the UE that indicates the NAS security algorithm. For a second phase, the network element receives a subsequent NAS message from the UE having a NAS message container that contains the initial NAS message populated with each of the NAS protocol IEs for the NAS procedure, and decrypts the NAS message container of the subsequent NAS message using the NAS security algorithm.

1-20. (canceled)
21. User Equipment (UE) comprising: at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the UE to initiate a Non-Access Stratum (NAS) procedure in multiple phases to establish a NAS communication session between the UE and a network element of a mobile network, constructs a first initial NAS message including a first set of NAS protocol Information Elements (IEs) that are designated for security-related handling; sends the first initial NAS message to the network element; and receives a response from the network element that includes a NAS security algorithm and security key set identifier associated with a NAS security context for use by the UE, and, wherein, in a first phase of the NAS procedure, the at least one memory and the computer program code are configured, with the at least one processor, to constructs a subsequent NAS message, the subsequent NAS message including a second ...

Publication date: 03-02-2022

WIRELESS-NETWORK ATTACK DETECTION

Number: US20220038904A1
Assignee:

In some examples, a terminal can establish wireless communication with a base station. The terminal can determine a challenge, transmit the challenge, receive a response, and determine that the response is valid. The terminal can, in response, establish a secure network tunnel to a network node. In some examples, a terminal can determine a first communication parameter associated with communication with the base station. The terminal can receive data indicating a second communication parameter via a secure network tunnel. The terminal can determine that the communication parameters do not match, and, in response, provide an indication that an attack is under way against the network terminal. Some example terminals transmit a challenge, determine a response status associated with the challenge, and determine that an attack is under way based on the response status.

1. A network terminal, comprising: a secure storage unit having stored therein a stored key; and a control unit configured to perform operations comprising: attaching to a wireless network using stored network credentials; determining a challenge; after attaching to the wireless network, transmitting the challenge to a network node via the wireless network; subsequently, determining a response status associated with the challenge; determining that an attack is under way based at least in part on the response status; providing an indication that the attack is under way in response to the determining that the attack is under way; and wherein at least: the determining the challenge is based at least in part on the stored key; or the determining that the attack is under way is based at least in part on the stored key.
2. The network terminal according to claim 1, the operations further comprising: receiving a response to the challenge via the wireless network; and determining the response status comprising the response; and wherein the determining that the attack is under way further ...
Publication date: 03-02-2022

SECURE VEHICLE TO VEHICLE PTC COMMUNICATION

Number: US20220038906A1
Assignee:

A computer-implemented method is provided that includes obtaining a first secret and a first public key, and obtaining a second secret and a second public key. The method may also include authenticating the first public key of the first vehicle based on a first private key associated with the first vehicle, and authenticating the second public key of the second vehicle based on a second private key associated with the second vehicle. The method may also include preventing a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle, wherein the first vehicle-to-central office communication and the central office-to-first vehicle communication are authenticated based on a determined private key associated with a respective first vehicle on-board computer, and sending a message, with the central office server, to a vehicle associated with a conditional movement authority.
1. A computer-implemented method, comprising: obtaining, with a central office server, a first secret and a first public key; obtaining, with the central office server, a second secret and a second public key; authenticating, with the central office server, the first public key of the first vehicle based on a first private key associated with the first vehicle; authenticating, with the central office server, the second public key of the second vehicle based on a second private key associated with the second vehicle; preventing a man-in-the-middle attack, by securing at least one of a first vehicle-to-central office communication, a central office-to-first vehicle communication, or a first vehicle-to-second vehicle, wherein the first vehicle-to-central office communication and the central office-to-first vehicle communication are authenticated based on a determined private key associated with a respective first vehicle on-board computer; and sending a message, with the central office ...

Publication date: 03-02-2022

RECOVERING DEVICES FROM LIMITED SERVICE DUE TO MIS-CONFIGURATION

Number: US20220038911A1
Assignee:

Recovering a user equipment (UE) from limited service due to misconfiguration may include providing a universal subscriber identity module (USIM) identification data or a USIM authentication data to a wireless network. Failure data associated with failing to authenticate or identify the UE to the wireless network may be decoded. The failure data is received from the wireless network. The failure data may be processed to determine a cause for the failure. Based on processing the failure data, it may be determined that the USIM identification data or the USIM authentication data is misconfigured. In response to determining that the USIM identification data or the USIM authentication data is misconfigured, a recovery for identifying or authenticating the UE to the wireless network may be automatically performed.
1. A user equipment (UE), comprising: one or more processors; and a memory storing instructions that, when executed by the one or more processors, configure the UE to: provide identification data or authentication data associated with the UE to a wireless network that is retrieved from a universal subscriber identity module (USIM); decode failure data associated with failing to identify or authenticate the UE to the wireless network based on the provided identification data or authentication data, the failure data being received from the wireless network; process the failure data to determine a cause for the failure; based on processing the failure data, determine that the identification data or the authentication data is misconfigured; and in response to determining that the identification data or the authentication data is misconfigured, automatically perform a recovery for identifying or authenticating the UE to the wireless network.
2. The UE of claim 1, wherein the performed recovery comprises one of: initiate fallback to a 5G system (5GS) NULL-scheme, initiate fallback to a next priority protection scheme, or downgrade from a ...

Publication date: 03-02-2022

SMALL DATA TRANSMISSION (SDT) PROCEDURES AND FAILURE RECOVERY DURING AN INACTIVE STATE

Number: US20220039192A1
Assignee:

A computer-readable storage medium stores instructions for execution by one or more processors of a UE. The instructions configure the UE for small data transmission (SDT) in a 5G NR network and cause the UE to perform operations comprising detecting while in an RRC_Inactive state, a radio link failure during a first SDT of UL data to a base station. A secure key for a second SDT is generated based on the radio link failure. A configuration message including an indication of the second SDT is transmitted to the base station. A response message including a UL grant is received from the base station. The UL data is encoded for the second SDT using the secure key. The second SDT is performed using the UL grant while the UE is in the RRC_Inactive state.
1. An apparatus for a user equipment (UE) configured for operation in a Fifth Generation New Radio (5G NR) network, the apparatus comprising: processing circuitry, wherein to configure the UE for small data transmission (SDT) in the 5G NR network, the processing circuitry is to: detect while in a Radio Resource Control Inactive (RRC_Inactive) state, a radio link failure during a first SDT of uplink (UL) data to a base station; generate a secure key for a second SDT based on the radio link failure; encode a configuration message for transmission to the base station, the configuration message including an indication of the second SDT; decode a response message from the base station, the response message including a UL grant; and encode the UL data for the second SDT, the UL data encoded using the secure key, and the second SDT performed using the UL grant while the UE is in the RRC_Inactive state; and a memory coupled to the processing circuitry and configured to store the secure key.
2. The apparatus of claim 1, wherein the processing circuitry is to: decode a second configuration message received from the base station, the second configuration message including at least one next-hop chaining count (NCC) ...

Publication date: 17-01-2019

Securing an interface and a process for establishing a secure communication link

Number: US20190020643A1
Author: Gustavo TANONI
Assignee: Telefonaktiebolaget LM Ericsson AB

The disclosure relates to methods and physical and virtual nodes for securing an interface and for securing a process for establishing a secure communication link between an Application Function located in an unsecure zone and an Authentication Function. In one embodiment, the method comprises the Application Function sending an authentication request message to the Authentication Function, receiving a response to the authentication request from the Authentication Function including an authentication challenge and sending a challenge response to the Authentication Function. The method comprises, upon receiving a response indicating success from the Authentication Function, the Application Function generating a session key using secret authentication credentials and information included in the authentication challenge and the Application Function handshaking with the Authentication Function and establishing the secure communication link using the session key, thereby securing the interface between the Application Function and the Authentication Function.

Publication date: 21-01-2021

Methods providing security for multiple NAS connections using separate counts and related network nodes and wireless terminals

Number: US20210022001A1
Assignee: Telefonaktiebolaget LM Ericsson AB

A first communication node may provide first and second NAS connection identifications for respective first and second NAS connections between the first and a second communication node, with the first and second NAS connection identifications being different and the first and second NAS connections being different. A first NAS message may be communicated between the first and second communication nodes over the first NAS connection, including performing integrity protection for the first NAS message using the first NAS connection identification and/or performing confidentiality protection for the first NAS message using the first NAS connection identification. A second NAS message may be communicated between the first and second communication nodes over the second NAS connection, including performing integrity protection for the second NAS message using the second NAS connection identification and/or performing confidentiality protection for the second NAS message using the second NAS connection identification.

Publication date: 24-01-2019

Method and device for downloading profile of operator

Number: US20190026092A1
Author: Linyi GAO
Assignee: Huawei Device Dongguan Co Ltd

Embodiments of the present invention provide a method and device for downloading a profile of an operator, where one method includes: sending, by a terminal to the SM-DP by using an SM-SR, a request for downloading a profile of an operator, where the download request carries the download certificate, an ID of an eUICC of the terminal, and addressing information of the SM-DP; and receiving, by the terminal, the profile of the operator that is sent by the SM-DP by using the SM-SR and corresponds to the download request, and transmitting the profile of the operator to the eUICC, where the profile of the operator is obtained by the SM-DP according to an identity of the profile of the operator after the SM-DP verifies that the certificate that is for downloading the profile of the operator and is carried in the download request is valid.

Publication date: 25-01-2018

System and method for providing vehicle information based on personal authentication and vehicle authentication

Number: US20180026949A1
Assignee: SAMSUNG ELECTRONICS CO LTD

An electronic device and method for providing vehicle information based on personal authentication and vehicle authentication are disclosed. According to various example embodiments, an electronic device includes a communication module comprising communication circuitry configured to communicate with a vehicle device and a first server and a processor electrically connected with the communication module, in which the processor is configured to receive an encrypted session key set including at least one session key from the first server, to transmit the encrypted session key set to the vehicle device, receive, from the vehicle device, second vehicle information in which first vehicle information of the vehicle device is encrypted using a first session key of the at least one session key and is signed using a secret key of the vehicle device, and to transmit, to the first server, third vehicle information in which the received second vehicle information is signed using a secret key of a user.

Publication date: 25-01-2018

Dynamic configuration of uplink (UL) and downlink (DL) frame resources for a time division duplex (TDD) transmission

Number: US20180027581A1
Assignee: Intel IP Corp

Technology for a user equipment (UE) operable to perform adaptive time division duplexing (TDD) hybrid automatic repeat request (HARQ)-ACKnowledgement (ACK) reporting is described. The UE can implement an adaptive uplink-downlink (UL-DL) configuration received from an eNodeB. The UE can process a downlink (DL) HARQ reference configuration received from the eNodeB for a serving cell. The DL HARQ reference configuration can be for the implemented adaptive UL-DL configuration. The UE can format HARQ-ACK feedback for transmission on a physical uplink control channel (PUCCH) or physical uplink shared channel (PUSCH) of the serving cell in accordance with the DL HARQ reference configuration.

Publication date: 10-02-2022

TRANSMISSION OF GROUP HANDOVER MESSAGE

Number: US20220046486A1
Assignee:

Methods, apparatuses, and computer readable medium for enabling an efficient group handover mechanism that has less signaling overhead than single UE handover are provided. An example method at a base station includes transmitting a group handover request for the group of UEs to a target base station. The method further includes receiving a group handover acknowledgment from the target base station. The method further includes transmitting a group handover message to the group of UEs.
1. An apparatus for wireless communication of a base station, comprising: a memory; and at least one processor coupled to the memory and configured to: transmit a group handover request for a group of user equipment (UEs) to a target base station; receive a group handover acknowledgment from the target base station; and transmit a group handover message to the group of UEs.
2. The apparatus of claim 1, wherein the base station communicates with the group of UEs via a satellite, and wherein the group handover message is transmitted to each UE in the group of UEs in a radio resource control (RRC) reconfiguration with synchronization.
3. The apparatus of claim 1, wherein the group handover message is transmitted to the group of UEs based on a cell specific common search space, and wherein at least a portion of the group handover message is scrambled with a cell specific group radio network temporary identifier (RNTI).
4. The apparatus of claim 3, wherein the at least one processor coupled to the memory is further configured to: provide a common access stratum (AS) key and group specific or default signaling radio bearer configuration to the group of UEs; wherein the base station sends new signaling radio bearer (SRB) information to the group of UEs with integrity protection and ciphering based on the common AS key and a group specific new SRB configuration.
5. The apparatus of claim 1, wherein the group handover message comprises an RRC message comprising a list of ...

Publication date: 10-02-2022

Communications Method and Apparatus

Number: US20220046532A1
Assignee:

A terminal device obtains first slice selection assistance information, where the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of a slice that the terminal device is allowed to access. The terminal device sends a registration request message to an access network device, where the registration request message includes the first slice selection assistance information.
1. A communications method, comprising: obtaining, by a terminal device, first slice selection assistance information, wherein the first slice selection assistance information is obtained by encrypting second slice selection assistance information, and the second slice selection assistance information is selection assistance information of a slice that the terminal device is allowed to access; and sending, by the terminal device, a first registration request message to an access network device, wherein the first registration request message comprises the first slice selection assistance information.
2. The method according to claim 1, wherein the obtaining, by a terminal device, first slice selection assistance information comprises: generating, by the terminal device, the first slice selection assistance information based on the second slice selection assistance information.
3. The method according to claim 2, wherein the generating, by the terminal device, the first slice selection assistance information based on the second slice selection assistance information comprises: generating, by the terminal device, the first slice selection assistance information based on the second slice selection assistance information, a first function, and a first random number (RAND).
4. The method according to claim 3, wherein before the generating, by the terminal device, the first slice selection ...

Publication date: 24-04-2014

Identifying a slice name information error in a dispersed storage network

Number: US20140115387A1
Assignee: Cleversafe Inc

A method begins by a processing module sending list digest requests to a set of dispersed storage (DS) units. The method continues with the processing module receiving list digest responses from at least some of the set of DS units and determining whether an inconsistency exists between first and second list digest responses of the list digest responses. The method continues with the processing module requesting at least a portion of each of the slice name information lists from first and second DS units of the set of DS units and identifying a slice name information error associated with the inconsistency based on the at least a portion of each of the slice name information lists of the first and second DS units when the inconsistency exists between first and second list digest responses of the list digest responses.

Publication date: 17-02-2022

AUTHENTICATION OF INTERNET OF THINGS DEVICES, INCLUDING ELECTRONIC LOCKS

Number: US20220051498A1
Assignee:

Methods and systems for authenticating an Internet of Things device, such as an electronic lock, are disclosed. One method includes generating a first challenge at a server; transmitting the first challenge to the Internet of Things device; receiving a first signed certificate from the Internet of Things device, the first signed certificate being the first random number challenge signed with a private key associated with the Internet of Things device; and verifying the first signed certificate with the first challenge and a public key associated with the Internet of Things device. Mutual authentication of the server from the Internet of Things device is also provided.
1. A method of authenticating an Internet of Things device comprising: generating a first challenge at a server; transmitting the first challenge to the Internet of Things device; receiving a first response from the Internet of Things device; and verifying the first response with the first challenge and a public key associated with the Internet of Things device.
2. The method of claim 1, further comprising: receiving a second challenge from the Internet of Things device; responding to the second challenge to produce a second response; transmitting the second response to the Internet of Things device; and receiving confirmation of authentication from the Internet of Things device.
3. The method of claim 1, wherein the Internet of Things device is an electronic lock.
4. The method of claim 1, wherein the transmitting occurs via a mobile device in data communication with both the Internet of Things device and the server.
5. The method of claim 4, wherein the mobile device is in data communication with the Internet of Things device via a Bluetooth connection.
6. The method of claim 4, wherein the mobile device is in data communication with the server via a Wi-Fi connection.
7. The method of claim 1, wherein the transmitting occurs directly between the Internet of Things device and the server via a wireless network ...

Publication date: 17-02-2022

INFORMATION OBTAINING METHOD AND APPARATUS

Number: US20220053325A1
Author: Hu Li, Li He
Assignee:

This application provides an information obtaining method and an apparatus. The method includes: sending a first initial NAS message including a non-cleartext information element protected using a first root key from a terminal to a source mobility management network element; receiving a second root key and first indication information from the source mobility management network element, where the first indication information indicates that the second root key is an updated key; sending second indication information and third indication information to the terminal based on the first indication information, where the second indication information instructs the terminal to update the first root key stored by the terminal to obtain the second root key, and the third indication information instructs the terminal to resend the initial NAS message; and receiving a second initial NAS message including the non-cleartext information element protected using the second root key from the terminal.
1. A communication system, comprising: a target mobility management network element, configured to: receive a first initial non-access stratum (NAS) message from a terminal, wherein the first initial NAS message comprises a non-cleartext information element that is security protected by using a first root key; and send the first initial NAS message to a source mobility management network element; and the source mobility management network element, configured to: after performing an integrity check on the first initial NAS message, update the first root key stored by the source mobility management network element, to generate a second root key; and send first indication information and the second root key to the target mobility management network element, wherein the first indication information is used to indicate that the second root key is a root key obtained after the first root key is updated, wherein the target mobility management network element is further configured to send second ...

Publication date: 17-02-2022

COMMUNICATION METHOD AND APPARATUS

Number: US20220053326A1
Assignee:

This application provides a communication method and apparatus, and relates to the field of communication technologies. The method may include: A network device performs integrity protection on system information by using a first private key, and sends the system information, where the system information includes a first public key corresponding to the first private key and/or an index of the first public key. Correspondingly, a terminal device receives the system information from the network device, and if determining that the first public key is valid, the terminal device verifies integrity of the system information by using the first public key. According to this method, on one hand, the terminal device can effectively identify validity of the system information. On the other hand, because the system information includes the first public key and/or the index of the first public key, flexible update of an asymmetric key can be implemented.
1. A communication apparatus, wherein the apparatus comprises a processor, the processor is coupled to a memory, and the memory is configured to store instructions; and when the instructions are run by the processor, the apparatus is enabled to perform: receiving first system information from a first network device, wherein the first system information comprises at least one of: a first public key and an index of the first public key; and if determining that the first public key is valid, verifying integrity of the first system information by using the first public key.
2. The apparatus according to claim 1, wherein integrity protection is performed on the first system information based on a first private key corresponding to the first public key.
3. The apparatus according to claim 1, wherein the determining that the first public key is valid comprises: receiving public key information, wherein the public key information comprises at least one public key; and if the at least one public key comprises the first public key, ...

Подробнее
17-02-2022 дата публикации

PDCP AND ROHC HANDLING FOR MULTI-CONNECTIVITY HANDOVER

Номер: US20220053389A1
Принадлежит:

Techniques to configure a user equipment (UE) for a multi-connectivity handover with a source base station (SBS) and a target base station (TBS) include encoding a measurement report for transmission to the SBS. The measurement report is triggered based on a measurement event configured by the SBS. Radio resource control (RRC) signaling from the SBS is decoded, the RRC signaling including a handover command in response to the measurement report. The handover command includes an indication for multi-connectivity support by the SBS and the TBS during the handover. A first protocol stack associated with the SBS and a second protocol stack associated with the TBS are configured at the UE. A packet data convergence protocol (PDCP) protocol data unit (PDU) received at the UE during the handover is processed using the first protocol stack or the second protocol stack.
1. An apparatus, comprising: a processor configured to cause a user equipment device (UE) to, in association with a multi-connectivity handover with a source base station (SBS) and a target base station (TBS): transmit a measurement report to the SBS, the measurement report triggered based on a measurement event configured by the SBS; receive radio resource control (RRC) signaling from the SBS, the RRC signaling including a handover command, the handover command including an indication for multi-connectivity support during the handover; configure a first protocol stack associated with the SBS and a second protocol stack associated with the TBS; and process a packet data convergence protocol (PDCP) protocol data unit (PDU) received at the UE during the handover, using the first protocol stack or the second protocol stack.
2. The apparatus of claim 1, wherein the processor is further configured to cause the UE to perform one of the following: process the PDCP PDU using the first protocol stack, based on detecting the PDCP PDU originates from the SBS; or process the PDCP PDU using the second protocol stack, based on ...

Publication date: 17-02-2022

CONTEXT PREPARATION FOR CONSECUTIVE CONDITIONAL HANDOVERS

Number: US20220053399A1
Assignee:

A method includes determining, by a source base station, based on at least one of a measurement report received from a terminal device and a mobility trajectory of the terminal device, a prepared cell list that includes a set of cells where the terminal device is capable of handover. The method includes sending at least one required context for the handover to the set of cells in the prepared cell list. The method also includes receiving acknowledgement from the set of cells. The method further includes sending a handover complete message, which contains the prepared cell list, to the terminal device, wherein the prepared cell list provides a capability for the terminal device to make a number of handovers when the terminal device is within a coverage area of the set of cells.
1-11. (canceled)
12. A method, comprising: sending, by a terminal device, at least one measurement report to a source base station; receiving, by the terminal device and in response to the at least one measurement report, a handover command from the source base station, wherein the handover command includes a prepared cell list of a set of cells where the terminal device is capable of handover and the prepared cell list provides a capability for the terminal device to make a number of handovers in response to the terminal device being within a coverage area of the set of cells; performing, by the terminal device, synchronization and random access with at least one cell from the set of cells; and sending, by the terminal device, a handover complete message to the at least one cell.
13. The method according to claim 12, wherein the handover complete message further includes a handover history of the terminal device of one or more handovers from the source base station to reach the at least one cell.
14. The method according to claim 12, wherein each prepared cell in the prepared cell list has multiple contexts, wherein each context is based on a path for the terminal device to reach a ...

Publication date: 17-02-2022

Network Devices

Number: US20220053409A1
Author: Zinger Slav
Assignee:

The present disclosure is related to systems, methods, and processor readable media for distributing digital data over networks. Certain embodiments relate to systems, methods, and devices used within such networks where at least a substantial portion of the interconnected devices are capable of interacting with one or more neighbouring devices, and then to form such a time synchronous network using local network information.
1. A network system comprising a plurality of devices wherein a substantial portion of the plurality of devices are capable of one or more of the following: transmitting data and receiving data; wherein the distance between devices allows communication between at least one device and at least one other device; and wherein at least a portion of the plurality of devices comprising the network system configure themselves based on local network information.
2. The network system of claim 1, wherein the network has substantially no access points and substantially no routers; and wherein a substantial portion of the plurality of devices are synchronous in time.
3. The network system of claim 1, wherein the substantial portion of the plurality of devices are synchronous in time and the network is substantially internal interference free.
4. The network system of claim 1, wherein at least one device from the plurality of devices stores previous configurations and the network build up time is one or more of the following: less than 10 minutes, less than 5 minutes, less than 1 minute, less than 30 seconds, less than 10 seconds, less than 5 seconds, less than 1 second, less than 100 msec, less than 50 msec and less than 10 msec.
5. The network system of claim 1, wherein the number of devices is N; wherein at least one device from the plurality of devices comprising the network system stores previous configurations and the network build up time is one or more of the following: less than ...

Publication date: 30-01-2020

Securely providing a password using an Internet of Things (IoT) system

Number: US20200037160A1
Assignee: Afero Inc

An apparatus and method are described for securely providing a User ID and/or password to an IoT device. For example, one embodiment of a method comprises: receiving at an Internet of Things (IoT) service a request from a mobile device over a first communication channel to transmit credentials for a particular online service to an IoT device, responsively encrypting the credentials to generate encrypted credentials and transmitting the encrypted credentials to the IoT device over a second communication channel, decrypting the encrypted credentials at the IoT device, and providing the credentials by the IoT device to a computer over a third communication channel, the computer causing the credentials to be provided to the online service to authenticate the user.

Publication date: 09-02-2017

Method and system for secure transmission of small data of MTC device group

Number: US20170041782A1
Author: Wantao Yu
Assignee: ZTE Corp

Disclosed is a method for secure transmission of small data of a machine type communication (MTC) device group, comprising a process wherein an MTC device and an MTC-Interworking Function (MTC-IWF) generate a shared key KIWF on the basis of a GBA procedure, the MTC device and a bootstrapping server (BSF) performing AKA authentication: a home subscriber server (HSS) determines whether the MTC device belongs to the MTC device group and whether said device has small data transmission and reception capabilities; if said device belongs to said group and has said capabilities, an AKA authentication vector generated on the basis of the MTC device group key is sent to said BSF; the BSF carries out AKA authentication with the MTC device on the basis of the received AKA authentication vector. Also disclosed is a system for secure transmission of small data of an MTC device group.

Publication date: 12-02-2015

Identifier management

Number: US20150046590A1
Assignee: Hewlett Packard Development Co LP

A method for managing identifiers can include receiving, in an identifier management system, a request for an identifier in a computing system. The method can also include verifying availability of the identifier. The method can further include returning an affirmative response to a requesting party.

Publication date: 24-02-2022

Communication Method and Communications Apparatus

Number: US20220060888A1
Author: Hu Li, Li He, Wu Rong
Assignee:

A communication method and a communications apparatus, where the method includes: after receiving an RRC resume request message from a UE, determining, by a target access network device, a first user plane security protection method between the target access network device and the UE based on a context information obtaining response from a source access network device; determining a first user plane security key between the target access network device and the UE; when receiving first uplink user plane data from the UE, performing user plane security deprotection on the first uplink user plane data based on the first user plane security key and the first user plane security protection method, to obtain uplink user plane data; and sending the uplink user plane data.

1. A communications system, comprising: receive a radio resource control (RRC) resume request from a user equipment (UE), wherein the RRC resume request comprises an inactive-radio network temporary identifier (I-RNTI); and send a context information obtaining request comprising the I-RNTI; and a target access network device configured to receive the context information obtaining request from the target access network device; obtain first indication information based on the I-RNTI, wherein the first indication information indicates a user plane security protection method used before the source access network device and the UE enter an inactive state from a connected state, and wherein the user plane security protection method indicates whether at least one of user plane encryption protection or user plane integrity protection is enabled; and send a context information obtaining response to the target access network device, wherein the context information obtaining response comprises the first indication information, a source access network device configured to receive the context information obtaining response from the source access network device; and activate, using the user plane ...

Publication date: 24-02-2022

APPARATUS, SYSTEM AND METHOD FOR SCE

Number: US20220060890A1
Assignee: NEC Corporation

In order to support separate ciphering at an MeNB and an SeNB, the MeNB derives separate first and second keys (KUPenc-M, KUPenc-S) from a third key (KeNB). The first key (KUPenc-M) is used for confidentially protecting first traffic transmitted over U-Plane between the MeNB and a UE. The first key (KUPenc-M) may be the same as current KUPenc or a new key. The second key (KUPenc-S) is used for confidentially protecting second traffic transmitted over the U-Plane between the UE and the SeNB. The MeNB sends the second key (KUPenc-S) to the SeNB. The UE negotiates with the MeNB, and derives the second key (KUPenc-S) based on a result of the negotiation.

1. A communication method of a base station for dual connectivity (DC), the method comprising: the base station receiving, from another base station, a first key for the DC; deriving a user plane (UP) key for protecting UP traffic between the base station and a user equipment (UE), the base station also obtaining a second key based on the first key; and confidentially protecting the UP traffic between the UE and the base station by using the UP key.
2. The communication method according to claim 1, wherein the base station is a secondary base station and the another base station is a master base station.
3. The communication method according to claim 1, wherein the another base station derives the first key from a third key.
4. The communication method according to claim 1, wherein the UE controls deletion of the UP key that is derived by the UE.
5. The communication method according to claim 1, wherein the UE performs control for Packet Data Convergence Protocol (PDCP) COUNT.
6. A base station for dual connectivity (DC), the base station comprising: at least one processor; and at least one memory coupled to the at least one processor, the memory storing instructions that when executed by the processor cause the at least one processor to: receive a first key for the DC from ...

Publication date: 24-02-2022

Asymmetric key exchange between user equipment using sip

Number: US20220060891A1
Author: Adrian T. Synal
Assignee: T Mobile USA Inc

A carrier network may provide for asymmetric key exchange for end to end encryption between user equipment utilizing capability upload and discovery messages of the carrier network. For example, a carrier network may receive a capability upload message from a first user equipment. The carrier network may determine that the capability upload message includes a key bundle for end to end (E2E) encryption of communications. In response, the carrier network may store the key bundle in a key distribution center (KDC). The carrier network may also receive, from a second user equipment, a capability discovery message requesting capability information for the first user equipment. In response, the carrier network may request and receive the key bundle from the KDC and transmit the key bundle to the second user equipment.

Publication date: 24-02-2022

METHOD AND APPARATUS FOR MANAGING AND VERIFYING CERTIFICATE

Number: US20220060900A1
Assignee:

A method of managing and verifying a certificate of a terminal is provided. The method includes obtaining certificate information that is usable when downloading and installing a specific bundle corresponding to at least one of a secondary platform bundle family identifier or a secondary platform bundle family custodian identifier, transmitting, to a secondary platform bundle manager, the certificate information corresponding to the at least one of the secondary platform bundle family identifier or the secondary platform bundle family custodian identifier of the specific bundle, and receiving, from the secondary platform bundle manager, at least one of a certificate of the secondary platform bundle manager, certificate information to be used by a smart secure platform (SSP), the secondary platform bundle family identifier, or the secondary platform bundle family custodian identifier.

1. A method of a smart secure platform (SSP) in a terminal verifying certificate in a wireless communication system, the method comprising: receiving, from a local bundle assistant (LBA), an SSP credential request including an SPBM credential, wherein the SPBM credential includes secondary platform bundle family identifier (SPB Family ID), secondary platform bundle family custodian object identifier (SPB Family Custodian Object ID) and a first secondary platform bundle manager (SPBM) certificate for key agreement, and wherein the first SPBM certificate for the key agreement includes a public key for key agreement of a SPBM; verifying the first SPBM certificate based on the SPB Family ID and the SPB Family Custodian Object ID; generating an ephemeral key pair of a SSP ephemeral public key and a SSP ephemeral secret key; generating a first session key based on the SSP secret public key and the public key for key agreement of the SPBM; generating the SSP credential based on the first session key; and transmitting, to the LBA, the generated SSP credential, wherein the SPB Family ID represents an ...

Publication date: 18-02-2021

First Network Node, Second Network Node, Wireless Device and Methods Therein for Handling Broadcast Information

Number: US20210050925A1
Assignee: Telefonaktiebolaget LM Ericsson AB

A method for handling broadcast information is described. A first network node (111) operating in a wireless communications network (100) determines (403) one or more decryption keys (K1, K2, K3) to be provided to a wireless device (131) in the wireless communications network (100). The decryption keys enable the wireless device (131) to decrypt information to be broadcasted by a second network node (112) in the wireless communications network (100). The information comprises a plurality of subsets of positioning information. Each of the subsets is to be, or is, encrypted with a different encryption key based on a respective type of subscription for wireless devices (131, 132, 133) in the wireless communications network (100). The determined decryption keys are based on at least one type of subscription of the wireless device (131). The first network node (111) then initiates (404) providing the determined to the wireless device (131).

Publication date: 16-02-2017

Cryptographic Device with Detachable Data Planes

Number: US20170048214A1
Assignee: L3 Communications Corp

A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

Publication date: 25-02-2021

Location-aware beacon scanning and authentication for secure lock control and other iot applications

Number: US20210056786A1
Assignee: T Mobile USA Inc

Systems and methods for location-aware scanning of an IoT beacon by a mobile device, and the authentication of the mobile device, are disclosed herein. The system detects when the mobile device is within a geofenced region associated with the IoT beacon and enables the scanning by the mobile device for signals from the beacon. Using the beacon signals received by the mobile device, the system detects when the mobile device and IoT beacon are sufficiently near one another. Once the mobile device and IoT beacon are sufficiently near each other, the system authenticates control of the mobile device over the IoT beacon by verifying an authentication key transmitted to a server.

Publication date: 26-02-2015

Methods and Apparatuses for Avoiding Damage in Network Attacks

Number: US20150058980A1
Assignee: Telefonaktiebolaget LM Ericsson AB

Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF′, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF′, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.

Publication date: 10-03-2022

METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT FOR SECURE TWO-FACTOR AUTHENTICATION

Number: US20220078184A1
Assignee:

Various methods are provided for secure two-factor authentication, and more specifically, for incorporating a layer of security to two-factor authentication using Short Message Service in a manner virtually transparent to the end-user. Methods may include receiving a request for registration for two-factor authentication from a client including a username and password; providing a request for a mobile device number; receiving the mobile device number and a pre-shared key; sending to a mobile device an identity of the client and a server key share; receiving from the mobile device a mobile device key share; sending information corresponding to an exchange with the mobile device and a challenge derived from the pre-shared key to the client in response to the device key share corresponding to the server key share; receiving confirmation of registration with the mobile device; and establishing a shared key in response to verification of the confirmation.

1. An apparatus comprising at least one processor and at least one non-transitory memory including computer program code instructions, the computer program code instructions configured to, when executed, cause the apparatus to at least: receive a request for registration for two-factor authentication from a client; receive a username and password; provide a request for a mobile device number in response to the username and password corresponding to an account; receive the mobile device number and a pre-shared key; send, to a mobile device corresponding to the mobile device number, an identity of the client and a server key share; receive, from the mobile device, a device key share; send information corresponding to an exchange with the mobile device and a challenge derived from the pre-shared key to the client in response to the device key share corresponding to the server key share; receive, from the client, confirmation of registration with the mobile device; and establish a shared key in response to verification of the ...

Publication date: 21-02-2019

System and method for nfc peer-to-peer authentication and secure data transfer

Number: US20190059122A1
Assignee: Schlage Lock Co LLC

A reader device may generate a first identifier. The reader device may transmit the first identifier to a mobile device. The reader device may receive encrypted data and unencrypted data from the mobile device in which the encrypted data includes a second identifier. The reader device may evaluate whether the first identifier and the second identifier correspond to one another.

Publication date: 12-03-2015

Power Management and Security for Wireless Modules in "Machine-to-Machine" Communications

Number: US20150071139A1
Author: John A. Nix
Assignee: Individual

Methods and systems are provided for power management and security for wireless modules in “Machine-to-Machine” communications. A wireless module operating in a wireless network and with access to the Internet can efficiently and securely communicate with a server. The wireless network can be a public land mobile network (PLMN) or a wireless local area network (LAN). The wireless module may include a sensor and may be installed next to a monitored unit. The wireless module may utilize active states for collecting and sending data, and sleep states at other times to conserve a battery and/or energy usage. The wireless module minimizes the time spent in a radio resource control (RRC) connected state. Messages between the wireless module and server can be transmitted according to a user datagram protocol (UDP). The wireless module and server can utilize public key infrastructure (PKI) for encryption and digital signatures.

Publication date: 17-03-2022

Terminal Device, Access Point, Communication Device, And Computer Programs Therefor

Number: US20220083293A1
Author: Tsuji Ryoya
Assignee:

A terminal device (e.g., a smartphone) may use a private key to generate a first configuration object used for establishing a first wireless connection between the terminal device and an access point. The terminal device may also use the private key to generate a second configuration object used for establishing a second wireless connection between a communication device (e.g., a printer) and the access point. The terminal device may then transmit specific data (e.g., print data) to the communication device via the access point.

1. One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause a terminal device to: obtain a first public key of a communication device; send, to the communication device via a wireless interface of the terminal device, a first authentication request generated using the first public key; receive, from the communication device via the wireless interface, a first authentication response responsive to the first authentication request; after the first authentication response is received from the communication device, generate second connection information for establishing a second wireless connection between the communication device and an external device different from the communication device; send the second connection information to the communication device via the wireless interface; after sending the second connection information to the communication device, send a query request to the communication device via the wireless interface; and after sending the query request to the communication device, receive, from the communication device via the wireless interface, a query response responsive to the query request, in a case where the communication device establishes the second wireless connection with the external device using the second connection information.
2. The one or more non-transitory computer-readable media as in claim 1, wherein the terminal device comprises a memory ...

Publication date: 29-05-2014

Mobile station, base station, communication system, display control method, communication control method, and program

Number: US20140146737A1
Assignee: Sharp Corp

A mobile station is provided to which multimedia broadcast/multicast service can be applied also during carrier aggregation. A mobile station communicates with a base station by carrier aggregation using a plurality of component carriers having different frequency bands. The mobile station receives contents in MBMS from the base station using at least two component carriers of a plurality of component carriers. The mobile station causes a display to display the received contents.

Publication date: 12-03-2015

Bluetooth low energy (ble) pre-check in

Number: US20150073980A1
Assignee: eBay Inc

One or more Bluetooth® low energy (BLE) beacons in communication with a remote server that provides check in capabilities and payment capabilities may be installed at a location. The BLE beacons may connect with a user's mobile device when the user enters the location and allow the user to check in to the location and authorize payments to be made at the location. Once the user is checked in to the location, the user may be provided with additional functionality, benefits, offers, and applications related to the location and facilitated by the check in. Further, the user may be pre-checked in to a next location when the user is at a current location.

Publication date: 17-03-2022

Method for release of use and function release device therefor

Number: US20220086631A1
Assignee:

A method is described for the release of use of functions of at least one local data receiving unit for a user by means of a central data processing unit and the at least one selected local data receiving unit. The local data receiving unit is configured to receive an encrypted release dataset from a user and to release use if at least one security feature contained in the release dataset in each case matches a corresponding release criterion stored in the local data receiving unit. The method comprises the following steps:

1-23. (canceled)
24. A method for the release of use of functions of at least one local data receiving unit for a user by a central data processing unit and the at least one selected local data receiving unit, wherein the at least one local data receiving unit is configured to receive an encrypted release dataset from a user and to release use if at least one release criterion contained in the release dataset in each case matches a corresponding release criterion stored in the at least one local data receiving unit, comprising: a) generating the encrypted release dataset through encryption of the at least one release criterion by the central data processing unit with a release key known to the central data processing unit and to the at least one local data receiving unit and with an individual security feature of the user known to the central data processing unit; b) transmitting the encrypted release dataset from the central data processing unit to a mobile terminal device; c) transmitting the release dataset from the mobile terminal device to the at least one local data receiving unit together with an individual security feature of the user; d) decrypting the release dataset which is encrypted with the combination of the release key and the individual security feature in the at least one local data receiving unit to produce a decrypted release dataset; and e) releasing the use of a function on successful verification of the release ...

Publication date: 17-03-2022

Device agnostic remote esim provisioning

Number: US20220086633A1
Assignee: Motorola Solutions Inc

Systems and methods for device agnostic remote eSIM provisioning. One example method includes detecting, with an electronic processor, a provisioning trigger event. The method includes, responsive to detecting the provisioning trigger event, transmitting, via a transceiver, a provisioning request to a mobile device management server, the provisioning request including a device identifier and an identifier for an integrated circuit card of the wireless communication device. The method includes receiving, from the mobile device management server, an activation code. The method includes transmitting, to the integrated circuit card, a provisioning command based on the activation code.

Publication date: 17-03-2022

METHODS, NETWORK NODE AND WIRELESS DEVICE FOR VERIFICATION OF BROADCAST MESSAGES

Number: US20220086644A1
Assignee:

Embodiments herein relate to a method performed by a network node for enabling verification of a broadcast message transmitted from the network node to a wireless device. The network node signals a first public key, to the wireless device, using a secure connection. The network node further transmits a first broadcast message protected by a signature. The signature is generated from at least a protected part of the first broadcast message using a first private key, the first private key being associated with the first public key. Thereby, the broadcast message can be verified by the wireless device using the distributed first public key, thus preventing fake broadcast messages to be accepted by the device.

1. A method performed by a network node for enabling verification of a broadcast message transmitted from the network node to a wireless device, which network node and wireless device operate in a wireless communication network, the method comprising: signaling a first public key, to the wireless device using a secure connection; and transmitting a first broadcast message protected by a signature, the signature being generated from at least a protected part of the first broadcast message using a first private key, the first private key being associated with the first public key.
2. The method according to claim 1, wherein the protected part of the first broadcast message comprises a second public key, the method further comprising: transmitting a second broadcast message, wherein the second broadcast message is at least partly signed using a second private key, the second private key being associated with the second public key.
3. The method according to claim 2, wherein a protected part of the second broadcast message comprises a third public key.
4. A method performed by a wireless device for verifying a broadcast message transmitted from a network node to the wireless device, which network node and wireless device operate in a ...

Publication date: 17-03-2022

Communication Method And Device In Wireless Local Area Network

Number: US20220086722A1
Author: Gan Ming, LIANG Dandan
Assignee:

This application provides a communication method and device in a wireless local area network. The communication method includes: A receive end receives indication information from a transmit end, where a buffer of the receive end stores a log-likelihood ratio (LLR) corresponding to coded bits in an aggregated media access control protocol data unit (A-MPDU) subframe including a target media access control protocol data unit (MPDU). The receive end discards the LLR corresponding to the coded bits in the A-MPDU subframe including the target MPDU according to the indication information. According to the technical solutions provided in this application, the LLR corresponding to the coded bits in the buffer of the receive end can be discarded in time, thereby improving throughput of a system and reducing memory requirements.

1. A key configuration method, comprising: receiving, by a target mobility management entity, a first message sent by a source mobility management entity, wherein the first message comprises first bearer information of a terminal device in a source network; determining, by the target mobility management entity, first information based on the first bearer information, wherein the first information is used to indicate a security protection mode of first bearer data in a target network; and sending, by the target mobility management entity, the first information to the source mobility management entity.
2. The method according to claim 1, wherein the first information comprises any one of the following information: non-access stratum NAS protection indication information, access stratum AS protection indication information, and user plane function entity UPF protection indication information; and the UPF protection indication information is used to indicate that the first bearer data in the target network uses a security protection mechanism between the terminal device and a user plane function entity.
3. The method according to claim 1, wherein the method ...

Publication date: 28-02-2019

Cloud enrollment initiation via separate device

Number: US20190069178A1
Assignee: General Electric Co

Systems and methods for initiating enrollment of a local device in a cloud environment using a separate device are presented. In an example embodiment, a device identifier for the local device is received from the local device by a separate device that is trusted by a cloud computing system. The separate device causes the displaying of an indicator for the local device. In response to receiving an activation of the indicator for the local device, the separate device issues a request to the cloud computing system to receive credential information enabling the local device to enroll with the cloud computing system. The separate device receives the credential information from the cloud computing system and transmits the credential information to the local device.

Publication date: 11-03-2021

Operation related to user equipment using secret identifier

Number: US20210075778A1
Assignee: Telefonaktiebolaget LM Ericsson AB

A method performed by a network node of a serving public land mobile network, PLMN, associated with a user equipment, UE, comprising: obtaining a secret identifier that uniquely identifies the UE, wherein the secret identifier is a secret that is shared between the UE and at least a home PLMN of the UE and that is shared by the home PLMN with the network node; and performing an operation related to the UE using the secret identifier. Other methods, computer programs, computer program products, network nodes and a serving PLMN are also disclosed.

Publication date: 15-03-2018

Seamless handover between devices

Number: US20180077620A1
Author: Amer Hassan
Assignee: Microsoft Technology Licensing LLC

A method and apparatus in a wireless network that allows a first device and second device to perform handover of a session, between the first device and a third device, to the second device is disclosed. The first device and the second device exchange information to enable the handover of the session from the first device to the second device. The second device may then continue the session by communicating with the third device in place of the first device. The handover of the session may be triggered by a user of the first device, triggered by a user of the second device, or automatically initiated upon the occurrence of certain other trigger events. The first and second devices may be devices such as first and second mobile devices operating in a WLAN. The third device may be an access point device of the WLAN.

Publication date: 18-03-2021

SYSTEMS AND METHODS FOR MANAGING AN ITEM

Number: US20210082211A1

A method is provided to manage an item connected to an Internet of Things (IoT) platform via an object. The method may include receiving, on the IoT platform, a request for an action relating to the item from a user terminal. The method may include generating a first instruction for processing the action relating to the item in response to the request. The method may include providing, from the IoT platform, the first instruction to the object and/or the user terminal. The method may include receiving, on the IoT platform, feedback information regarding the item upon completion of the action relating to the item in accordance with the first instruction. The method may further include generating, based on the feedback information, a second instruction for triggering, based on the completion of the action, an operation mode of the object.

1. A method for controlling a telematics box (Tbox) of a vehicle connected to a vehicle management platform configured to provide shared use of the vehicle, comprising: receiving, on the vehicle management platform and from a user terminal, a request for an action of returning the vehicle, the request including an identifier of the Tbox of the vehicle; generating a first instruction for processing the action of returning the vehicle in response to the request; providing, from the vehicle management platform, the first instruction to the Tbox of the vehicle; receiving, on the vehicle management platform, feedback information regarding the vehicle upon completion of the action of the returning the vehicle in accordance with the first instruction; and generating, based on the feedback information, a second instruction for triggering a mode change of the Tbox from a working mode to a sleeping mode.
2. The method of claim 1, wherein the second instruction further includes a secret key, and the method further comprises: transmitting, from the vehicle management platform, the secret key to the Tbox of the vehicle.
3. The method of claim ...

Publication date: 05-03-2020

Security key generation and management method of pdcp distributed structure for supporting dual connectivity

Number: US20200076774A1
Assignee: SAMSUNG ELECTRONICS CO LTD

The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond 4th-Generation (4G) communication systems such as Long Term Evolution (LTE). A method for communicating by a user equipment with a macro cell base station and a small cell base station in a communication system is provided. The method comprises applying a first base station security key to a first communication link with the macro cell base station; generating a second base station security key to be used for a second communication link with the small cell base station based on the first base station security key; applying the second base station security key to the second communication link with the small cell base station; and communicating through at least one of the first communication link and the second communication link.

Publication date: 22-03-2018

Systems and devices for hardened remote storage of private cryptography keys used for authentication

Number: US20180083932A1
Author: Amanda J. Adams
Assignee: Bank of America Corp

The invention provides for systems and devices for hardened remote storage of private cryptography keys used for authentication. The storage device is tamper-responsive, such that receipt of a signal that indicates physical or non-physical tampering with the storage device or its components results in deletion of the private cryptography key(s) from the memory. The storage device is configured to be separate and remote from a computing node that executes an authentication routine requiring the private cryptography key(s) and, as such, the private cryptography key(s) are accessible to, but not communicated to, the computing node only when the computing node is executing the authentication routine.

Publication date: 22-03-2018

EHN venue-specific application provisioning

Number: US20180083949A1
Assignee: Ruckus Wireless Inc

In order to leverage an enterprise-hosted network (EHN) associated with an entity, a communication technique may dynamically customize an application on a portable electronic device. In particular, the portable electronic device may discover and then may connect to the EHN using a quarantine zone that restricts access to the EHN. After providing valid credentials to establish a level of trust with the EHN, the portable electronic device may receive a request for authentication and authorization information. In response to the request, the portable electronic device may provide a credential to the EHN. Next, the portable electronic device may receive provisioning information that customizes the application on the portable electronic device to a venue associated with the entity. The provisioning information may include a connection setting associated with the application on the portable electronic device, which allows the portable electronic device to connect to the EHN outside of the quarantine zone.

Publication date: 25-03-2021

Method of establishing a communication session between an external device and an implantable medical device

Number: US20210085988A1
Assignee: Greatbatch Ltd

In various examples, a method of establishing a communication session between an external device and an implantable medical device is described. The method includes generating at the external device a first private key and a first public key. A start session order is sent over a long-range communication channel. Evidence of physical proximity is sent from the external device to the implantable medical device over a short-range communication channel. A second private key and a second public key are generated at the implantable medical device. A first shared key is generated by the implantable medical device using the first public key and the second private key. A second shared key is generated by the external device using the second public key and the first private key. The first and second shared keys are used to encrypt and decrypt one or more messages between the external device and the implantable medical device.

Publication date: 31-03-2022

ENCRYPTION KEY EXCHANGE PROCESS USING ACCESS DEVICE

Number: US20220100828A1
Assignee:

Encryption key exchange processes are disclosed. A disclosed method includes initiating communication between a portable communication device including a token and a first limited use encryption key, and an access device. After communication is initiated, the portable communication device receives a second limited use key from a remote server via the access device. The portable communication device then replaces the first limited use key with the second limited use key. The second limited use key is thereafter used to create access data such as cryptograms that can be used to conduct access transactions.

1-20. (canceled)
21. A method comprising: receiving, by a remote server, an authorization request message from an access device during a transaction between the access device and a portable communication device comprising a first limited use key; determining, by the remote server, a second limited use key; modifying, by the remote server, an authorization response message to include the second limited use key; and transmitting, by the remote server, the modified authorization response message comprising the second limited use key to the access device.
22. The method of claim 21, wherein the authorization request message further comprises a token and a cryptogram generated with the first limited use key obtained by the access device from the portable communication device, wherein the method further comprises: verifying, by the remote server, the cryptogram.
23. The method of claim 21, wherein obtaining the authorization response message further comprises: transmitting, by the remote server, the authorization request message to a host system, wherein the host system determines if the transaction should or should not be authorized and generates the authorization response message; and receiving, by the remote server, the authorization response message from the host system comprising data indicating an approval or denial of the transaction.
24. The method of claim 21, ...

Publication date: 31-03-2022

SYSTEM AND METHOD FOR PROVIDING NETWORK SUPPORT SERVICES AND PREMISES GATEWAY SUPPORT INFRASTRUCTURE

Number: US20220103393A1
Assignee:

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices.

1-19. (canceled)
20. A computing system for performing operations for managing voice-controlled services at a user premises, the computing system comprising: at least one processor; receiving, via gateway device connected to a wide area network, configuration data for at least a portion of the voice-controlled services; storing the configuration data; sending, via the wide area network, a request for a streaming service to stream media, at the user premises, wherein the request corresponds to the at least a portion of the voice-controlled services; communicating with one or more endpoint devices over a communication interface for implementing a user interface for the streaming service; and after a verification that the request conforms with policy and/or usage rules associated with the streaming service based on subscription ...

Publication date: 31-03-2022

SYNCHRONOUS CONTENT PRESENTATION

Number: US20220104010A1
Assignee:

In embodiments of systems and methods for synchronous content presentation, an Edge server device may receive a decryption key for an encrypted content segment that is or will be delivered to a plurality of wireless devices over the wireless communication network, and may send the decryption key to the plurality of wireless devices after the encrypted content segment has been received by the plurality of wireless devices in a manner that enables the plurality of wireless devices to decrypt the encrypted content segment approximately simultaneously. A wireless device may receive, and optionally temporarily store, the encrypted content segment from the wireless communication network, receive the decryption key from the Edge server device after receiving the encrypted content segment, and decrypt the stored encrypted content segment using the received decryption key.

1. A method performed by a processor of an Edge server device for synchronous presentation of content delivered over a wireless communication network, comprising: receiving in an Edge server device a decryption key for an encrypted content segment that is or will be delivered to a plurality of wireless devices over the wireless communication network; and sending the decryption key for the encrypted content segment from the Edge server device to the plurality of wireless devices after the encrypted content segment has been received by the plurality of wireless devices in a manner that enables the plurality of wireless devices to decrypt the encrypted content segment approximately simultaneously.
2. The method of claim 1, wherein sending the decryption key for the encrypted content segment from the Edge server device to the plurality of wireless devices after the encrypted content segment has been received by the plurality of wireless devices in a manner that enables the plurality of wireless devices to decrypt the encrypted content segment approximately simultaneously comprises sending the decryption key in ...

Publication date: 31-03-2022

KEY NEGOTIATION AND PROVISIONING FOR DEVICES IN A NETWORK

Number: US20220104011A1
Assignee:

The present disclosure proposes method and systems for establishing secure communication session(s) between a first device and a second device, where the first device operates in a user network and implements a first key exchange protocol for secure communication. The second device is capable of communicating with the first device over a wireless communication network. The second device implements a second key exchange protocol that is different to the first key exchange protocol for secure communication. A proxy entity configured for implementing the first and the second key exchange protocols for secure communication is provided. The proxy entity is configured for generating and/or provisioning one or more session keys for the first and the second devices using the key exchange protocols specific to each device for establishing secure communication between the first and second device based on the generated session key(s).

1. A method of establishing a secure communication session between a first device and a second device, the first device operating in a user network and implementing a first key exchange protocol for secure communication, the second device capable of communicating with the first device using a wireless communication network, the second device implementing a second key exchange protocol different to the first key exchange protocol for secure communication, the method comprising providing a proxy entity configured for implementing the first and the second key exchange protocols for secure communication, the proxy entity implementing the steps of: negotiating a first device key for the first device using the first key exchange protocol and negotiating a second device key for the second device using the second key exchange protocol; computing a first session key for the first device and a second session key for the second device, receiving data from the first device, the data encrypted with the first session key; decrypting the data using the first ...

Publication date: 31-03-2022

AUTHENTICATION PROCESSING METHOD AND DEVICE, STORAGE MEDIUM AND ELECTRONIC DEVICE

Number: US20220104012A1
Assignee:

Provided are an authentication processing method and device, a storage medium and an electronic device. The method includes: a terminal receives a first authentication request message from a network side; the terminal determines whether the number of times of receiving the first authentication request message is greater than a predetermined threshold; and when the number of times is greater than the predetermined threshold, the terminal stops responding to the first authentication request message.

1. An authentication processing method, comprising: receiving, by a terminal, a first authentication request message from a network side; determining, by the terminal, whether a number of times of receiving the first authentication request message is greater than a predetermined threshold; stopping, by the terminal, responding to the first authentication request message when the number of times is greater than the predetermined threshold.
2. The method according to claim 1, after the terminal receiving the first authentication request message from the network side, the method further comprises: verifying, by the terminal, the first authentication request message; determining, by the terminal, whether the number of times of receiving the first authentication request message is greater than a predetermined threshold comprises: determining, by the terminal, whether the number of times of receiving the first authentication request message is greater than the predetermined threshold when the terminal fails to verify the first authentication request message and the failure cause is synchronization failure.
3. The method according to claim 1, wherein after the receiving, by the terminal, the first authentication request message from the network side, the method further comprises: comparing, by the terminal, the first authentication request message with an authentication request message that has been stored in the terminal; recording or updating, by the terminal, ...

Publication date: 31-03-2022

Method to Retrieve Security Keys of UE in Gateways

Number: US20220104080A1
Author: Nandyal Arjun
Assignee:

Methods, systems, and computer readable media are presented for retrieving security keys in gateways. In one example embodiment, a method is presented. The method of retrieving security keys from a User Equipment (UE) in gateways includes retrieving, by a HetNet Gateway (HNG) as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocking, by the HNG, an X2 handover towards the MME by sending a third message with required Information Elements filled when a fourth message from the eNodeB reaches the HNG.

1. A method of retrieving security keys from a User Equipment (UE) in gateways, comprising: retrieving, by a HetNet Gateway (HNG) as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocking, by the HNG, an X2 handover towards the MME by sending a third message with required Information Elements filled when a fourth message from the eNodeB reaches the HNG.
2. The method of wherein the first message comprises a PATH SWITCH REQUEST.
3. The method of wherein the second message comprises a PATH SWITCH REQUEST ACK.
4. The method of wherein the third message comprises a HANDOVER REQUEST.
5. The method of wherein the fourth message comprises a HANDOVER REQUEST ACK message.
6. The method of wherein the fresh {NH, NCC} are derived using vertical key derivation.
7. A system for retrieving security keys in gateways, comprising: a HetNet Gateway (HNG), wherein the HNG retrieves, as the HNG virtualizes an eNodeB towards a Mobility Management Entity (MME) through a first message and a second message exchange, a fresh Next Hop, Next Hop Chaining Count {NH, NCC} pair from the MME; and mocks an X2 handover towards the MME by sending a third message with required Information ...

Publication date: 31-03-2022

DISTRIBUTION NETWORK SYSTEM AND METHOD

Number: US20220104106A1
Assignee: Realtek Semiconductor Corp.

A distribution network system and method. The distribution system has a plurality of communication channels and is connected to a mesh network. The mesh network uses one of the plurality of communication channels as a distributable network channel. The distribution network system includes an already-distributed network node and a to-be-distributed network node. The already-distributed network node is located in the mesh network and is configured to broadcast a mesh network beacon to the distributable network channel. The to-be-distributed node is configured to alternately monitor whether the mesh network beacon is detected on each communication channel. The to-be-distributed node outputs a network distribution request message to the already-distributed node according to the mesh network beacon, monitors whether a distribution network response message corresponding to the distribution network request message is detected on the distributable network channel, and joins the mesh network according to the distribution network response message.

1. A distribution network system, having a plurality of communication channels, wherein the distribution network system is communicatively connected to a mesh network, the mesh network uses one of the plurality of communication channels as a distributable network channel, and the distribution network system comprises: a first already-distributed network node, located in the mesh network, and configured to broadcast a first mesh network beacon to the distributable network channel; a first to-be-distributed network node, configured to alternately monitor whether the first mesh network beacon is detected on each communication channel, wherein the first to-be-distributed network node outputs a first distribution network request message to the first already-distributed network node according to the first mesh network beacon, monitors whether a first distribution network response message corresponding to the first distribution network ...

Publication date: 25-03-2021

WIRELESS BODY AREA NETWORK, KEY GENERATION METHOD AND KEY DISTRIBUTION METHOD IN THE WIRELESS BODY AREA NETWORK, AND RELATED DEVICE

Number: US20210092600A1
Author: LI Ye, SUN Fangmin
Assignee:

The embodiments of the present disclosure are applicable to the technical field of computer science and application technology, and disclose a wireless body area network, a key generation method and a key distribution method in the wireless body area network, and a related device. The gait acceleration signal is extracted synchronously through the respective acceleration acquisition devices integrated with the coordinator and the wearable equipment, the position information corresponding to the peak value and the valley value in the gait acceleration signal is correspondingly extracted and is taken as the gait common information, and the gait common information is used to perform key distribution in the wireless body area network. The security and the consistency are higher, the calculation is simplified, and the key distribution method is suitable for wearable devices having limited resources.

1. A wireless body area network, comprising: a coordinator node and at least one wearable device in communication with the coordinator node, both the coordinator node and the at least one wearable device being integrated with an acceleration acquisition device, wherein: the coordinator node is configured to send a message of synchronously collecting data to the at least one wearable device, to collect a first gait acceleration signal, to extract first gait common information in the first gait acceleration signal, to generate key encryption information according to a key to be distributed and the first gait common information, and to send the key encryption information to the at least one wearable device; the at least one wearable device is configured to receive the message of synchronously collecting data, and to synchronously collect a second gait acceleration signal according to the message of synchronously collecting data, to extract second gait common information in the second gait acceleration signal, to receive the key encryption information, and to decrypt the key ...

Publication date: 29-03-2018

Embedding protected memory access into a rfid authentication process based on a challenge-response mechanism

Number: US20180091317A1

An RFID tag (501), reader (502) and protocol allow a protected read operation in a two-step tag authentication with cipher-block cryptography. A challenge-response mechanism using a shared secret symmetric key (638) for tag authentication includes a challenge and information to read data from a tag's memory (637). Tag's response to the challenge-response mechanism includes the response to the reader's challenge and data from the tag's memory. A method embeds a protected write operation in a four-step reader authentication with cipher-block cryptography. The protocol allows a challenge-response mechanism using the shared secret symmetric key for reader authentication including a challenge and information to write data to the tag's memory. Reader's response to the challenge-response mechanism includes a response to the tag's challenge and data for writing to the tag's memory. Authenticated read and write data may be in plaintext, message authentication code (MAC)-protected, encrypted, or both encrypted and MAC protected.

Publication date: 05-05-2022

Signaling techniques using fragmented and multi-partitioned uwb packets

Number: US20220141657A1
Assignee: Apple Inc

Techniques are provided for utilizing a hybrid of ultra-wideband (UWB) and narrowband (NB) signaling to provide more efficient operating range and operating efficiency. In one example, a first device may transmit a first packet via an NB signal to a second device, whereby the first packet comprises information indicating to the second device a time period for reception of a second (UWB) packet. In this example, the second packet may comprise a first partition and a second partition, whereby the first partition comprises a first plurality of fragments and the second partition comprising a second plurality of fragments. The respective fragments of each plurality of fragments may be transmitted via a UWB signal. The first device may then transmit the first plurality of fragments, and then subsequently transmit the second plurality of fragments to the second device, the first and second pluralities respectively being associated with different fragment types.

Publication date: 30-03-2017

Server-assisted pairing for wireless communications

Number: US20170091732A1
Assignee: Square Inc

A wireless communication device such as a payment reader has a wireless communication interface and is able to establish wireless pairing with an interactive electronic device such as a merchant device running a point of sale application. In order to establish pairing, the wireless communication device accesses an identifier. The identifier is transmitted to the interactive electronic device via the wireless communication interface, and the interactive electronic device sends the identifier to a pairing server. The pairing server retrieves a passkey based on the identifier and sends the retrieved passkey to the interactive electronic device via a secure connection. The wireless communication device and the interactive electronic device establish wireless pairing based on the retrieved passkey.

Publication date: 30-03-2017

Communication Method and Device

Number: US20170094506A1
Author: Chengdong He
Assignee: Huawei Technologies Co Ltd

A communication method includes receiving by a SGSN a context request message from a mobility management entity (MME), obtaining by the SGSN an authentication vector-related key, and calculating by the SGSN a root key according to the authentication vector-related key. In addition, the method further includes sending by the SGSN a context response message including the root key to the MME, wherein the MME derives a NAS protection key according to the root key.

Publication date: 26-03-2020

Facilitating trusted pairing of an implantable device and an external device

Number: US20200094062A1
Assignee: MEDTRONIC INC

Systems, apparatus, methods and computer-readable storage media facilitating trusted pairing between an implantable medical device (IMD) and an external device are provided. In one embodiment, an IMD includes a housing configured to be implanted within a patient, a memory and circuitry within the housing and a processor that executes executable components stored in the memory. The executable components can include: a communication component configured to initiate establishing a telemetry connection with an external device in accordance with a first telemetry protocol based on reception of a request, from the external device, to establish the telemetry connection with the IMD using the first telemetry protocol; and a validation component configured to restrict establishment of the telemetry connection with the external device in accordance with the first telemetry protocol based on reception of validation information from the external device, wherein provision of the validation information is excluded from the first telemetry protocol.

Publication date: 26-06-2014

Method, system and apparatus for protecting a BSF entity from attack

Number: US20140181930A1
Author: Yanmei Yang
Assignee: Huawei Technologies Co Ltd

A method, system and apparatus for protecting a bootstrapping service function (BSF) entity from attack includes: a first temporary identity and a second temporary identity are generated after a BSF entity performs a mutual authentication with a user equipment (UE) by using an initial temporary identity sent from the UE; the BSF entity receives a re-authentication request carrying the first temporary identity from the UE; and the UE sends a service request carrying the second temporary identity to a network application function (NAF) entity. The present disclosure prevents attackers from intercepting the temporary identity at the Ua interface and using the temporary identity to originate a re-authentication request at the Ub interface, thus protecting the BSF entity from attack and avoiding unnecessary load on the BSF entity and saving resources.

Publication date: 12-05-2022

SYSTEM AND METHOD THAT FACILITATE STEERING OF ROAMING

Number: US20220150684A1
Assignee:

Aspects directed towards steering of roaming (SoR) are disclosed. In one example, a communication from a public land mobile network (PLMN) is received by a user equipment (UE) in which the communication indicates an acceptance of a UE registration with the PLMN. This example further includes performing a determination of whether an SoR indicator associated with a home PLMN (HPLMN) is embedded within the communication. The UE then manages PLMN selection according to the determination. In another example, a UE is configured to operate according to an SoR configuration in which the UE is configured to ascertain whether an SoR indicator is embedded within a communication from a PLMN. An SoR indicator associated with an HPLMN is then generated and subsequently transmitted from the HPLMN to the UE via the PLMN.

1. A non-transitory computer-readable medium storing computer-executable code, including code to: receive a communication from a first public land mobile network (PLMN), the communication indicating an acceptance of a user equipment registration with the first PLMN, the communication including: a steering of roaming (SoR) indicator associated with a home PLMN (HPLMN); and steering information; perform an integrity check based at least in part on the SoR indicator included in the communication, which was received from the first PLMN and that indicated the acceptance of the user equipment registration with the first PLMN, comprising: calculating a second SoR indicator using the steering information included in the communication; and determining whether the calculated second SoR indicator is the same as the SoR indicator included in the communication; and manage PLMN selection for the wireless communication device according to the steering information in response to a passing of the integrity check that was based at least in part on the SoR indicator included in the communication, which was received from the first PLMN and that indicated the acceptance of the ...

Publication date: 12-05-2022

END-TO-END ENCRYPTION WITH DISTRIBUTED KEY MANAGEMENT IN A TRACKING DEVICE ENVIRONMENT

Number: US20220150702A1
Assignee:

A tracking device can provide a hashed identifier to a mobile device, for instance within an advertisement packet. The mobile device can query each of a plurality of entities with the hashed identifier to identify an entity associated with the hash key used to generate the hashed identifier. In some embodiments, the mobile device can query a centralized key server, which in turn can query the plurality of entities to identify the entity associated with the hash key. The mobile device can then receive a public key from the identified entity, can determine a location of the mobile device, and can encrypt the location with the public key. The mobile device can then provide the hashed identifier and the encrypted location to the identified entity, which can provide the encrypted location to an owner of the tracking device for decryption using a private key corresponding to the public key.

1. A method comprising: receiving, by a mobile device, a hashed identifier from a tracking device, the tracking device configured to compute the hashed identifier using a hash key, the hashed identifier corresponding to the tracking device; querying, by the mobile device, a server associated with each of a plurality of entities with the hashed identifier, each of the plurality of entities associated with a set of hash keys and associated with a set of tracking devices, the server comprising a directory storing, for each entity, a candidate hashed identifier for each combination of hash key in the set of hash keys associated with the entity and tracking device in the set of tracking devices associated with the entity; receiving, by the mobile device, a public key from a server associated with a first entity of the plurality of entities associated with the hash key used to compute the hashed identifier, the public key associated with the tracking device; accessing, by the mobile device, location data representative of a location of the mobile device; encrypting, by the mobile device, the ...

Publication date: 12-05-2022

Authentication method and terminal device

Number: US20220150707A1
Assignee: Trustonic Ltd

An authentication method and terminal device obtain a device identifier associated with an electronic device and receive an Integrated Circuit Card Identifier (ICC ID) of a Subscriber Identity Module (SIM) of the electronic device. A group of IDs is cryptographically signed with a device key of the terminal device or a key derived from the device key. The group of IDs may comprise the device identifier and the ICC ID.

Publication date: 12-05-2022

EARLY MEASUREMENT REPORTING WITH RRC RESUME REQUEST MESSAGE AND INDICATION OF REQUEST FOR EARLY MEASUREMENTS IN ASSOCIATION WITH PAGING

Number: US20220150739A1
Assignee:

Systems and methods related to early measurement reporting are disclosed. In some embodiments, a method performed by a wireless device in a cellular communications system comprises transmitting measurements with a first message to a network node. The first message is a request to resume a connection of the wireless device with a target cell, and the measurements are measurements performed by the wireless device while in a dormant state. Corresponding embodiments of a wireless device are also disclosed. Embodiments of a method of operation of a wireless device for reception of a request for early measurements in association with a paging message and corresponding embodiments of a wireless device are also disclosed. Embodiments of methods of operation of a network node and corresponding embodiments of a network node are also disclosed.

1-34. (canceled)
35. A method, performed by a wireless device for early measurement request in association with a paging procedure, the method comprising: receiving a message in a cell on which the wireless device is camping, the message comprising either: (a) a paging message or (b) a separate message that is multiplexed with the paging message; detecting that the message contains an indication that the wireless device is to report available early measurements during a resume-like procedure; and reporting at least one early measurement in accordance with the indication.
36. The method of further comprising: determining that at least one early measurement is available at the wireless device; wherein reporting the at least one early measurement comprises reporting the at least one early measurement upon determining that at least one early measurement is available at the wireless device.
37. The method of wherein the message comprises the paging message.
38. The method of wherein the message comprises the separate message that is multiplexed with the paging message.
39. The method of wherein the paging message comprises a Radio Resource Control ...
