Abstract: A method for estimating the strength of a graphical password comprising two or more segments is disclosed. In some embodiments, this advantageous solution is achieved by implementing a multi-step process. In one step, the data processing system applies a first operation on a first segment to produce a transformed segment. In another step, the data processing system performs a comparison operation between the transformed segment and a second segment. In another step, the data processing system performs a penalty operation with respect to the first segment based on an outcome of the comparison operation. The penalty operation includes one or more of (1) calculating a penalty value, wherein the penalty value may be used in calculating a value representing the strength of the graphical password; and (2) disregarding the first or the second segment when calculating the value representing the strength of the graphical password.

Abstract: Method and Apparatus for Securing a Connection in a Communications Network A method of operating a user equipment (UE) using a Generic Bootstrapping Architecture (GBA) is provided. The method includes establishing a shared secret between the UE and a Network Application Function (NAF). An authentication request is sent to a Bootstrapping Server Function (BSF) by the UE. An original parameter intended for a key derivation function and a bootstrapping transaction identifier is received from the BSF. An application request, including the bootstrapping transaction identifier, is sent by the UE to the NAF. A modified parameter is derived by the UE from the secret and the original parameter intended for the key derivation function. A cryptographic key is determined using said modified parameter in place of or in addition to the original parameter in the key derivation function, and communications with the NAF are secured using the key.

Abstract: A method executed by an Intermediary Node arranged between a Client and a Server for participating in the setting up of a connection between the Client and a Server is described. In response to intercepting a first message, the method transmits from the Client and destined for the Server, and requests for a connection to be set-up between the Client and the Server. The method recognizes, based on content of the received first message, that it is desirable for the Intermediary Node to perform at least one function on the requested connection, the Intermediary Node is transmitting a second message to the Client, comprising an identity of the Intermediary Node. This enables the Client to accept or reject the Intermediary Node as a node participating in the requested connection set-up.

Abstract: A method and arrangements for enabling authentication of a communication device is suggested, where a network node, capable of operating as an authentication server does not have to store all state related information relevant for a roundtrip of an authentication session. Instead of storing all this information, at least a part of it is provided to the authenticator or the communication unit, for later retrieval in a subsequent response. Based on the state related information provided in the response, the network node is capable of reproducing a state associated with a respective roundtrip. By repeating the mentioned process for a required number of roundtrips, an authentication session can be executed, where less state related information need to be stored at the mentioned network node.

Abstract: A network (20) comprises an authenticator node (22) and a server (24) such as an authentication, authorization, and accounting (AAA) server. A method comprises a terminal (30) sending authentication capabilities information (AC) across a network access interface (32) to the network (the authentication capabilities information provides an indication of authentication capabilities of the terminal). The network (20) then uses the authentication capabilities information to determine a first cryptographic value. The terminal (30) then uses the authentication capabilities information to determine a second cryptographic value. The network (20) compares the first cryptographic value and the second cryptographic value to authenticate the terminal.

Abstract: A method (500) of generating a cryptographic checksum for a message M(x) is provided. The method comprises pseudo-randomly selecting (502) a generator polynomial p(x) from the set of polynomials of degree n over a Galois Field and calculating (504) the cryptographic checksum as a first function g of a division of a second function of M(x), ƒ(M(x)), modulo p(x), g(ƒ(M(x))mod p(x)). The generator polynomial p(x) is pseudo-randomly selected based on a first cryptographic key. By replacing a standard checksum, such as a Cyclic Redundancy Check (CRC), with a cryptographic checksum, an efficient message authentication is provided. The proposed cryptographic checksum may be used for providing integrity assurance on the message, i.e., for detecting random and intentional message changes, with a known level of security. Further, a corresponding computer program, a corresponding computer program product, and a checksum generator for generating a cryptographic checksum, are provided.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A method and an arrangement for providing keys for protecting communication between a terminal (300) and service points in a communication network. A basic key (Ik) is first established with a service control node (304) when the terminal has entered the network. An initial modified key (Ik1) is then created in both the service control node and the terminal, by applying a predetermined first function (f) to at least the basic key and an initial value of a key version parameter (v). The initial modified key is sent to a first service point (302), such that it can be used to protect communication between the terminal and the first service point. When the terminal switches to a second service point (306), the first service point and the terminal both create a second modified key (Ik2) by applying a predetermined second function (g) to the initial modified key, and the first service point sends the second modified key to the second service point.

Abstract: A method and arrangement is disclosed for managing session keys for secure communication between a first and at least a second user device in a communications network. The method is characterized being independent of what type of credential each user device implements for security operations. A first user receives from a first key management server keying information and a voucher and generates a first session key. The voucher is forwarded to at least a responding user device that, with support from a second key management server communicating with the first key management server, resolves the voucher and determines a second session keys. First and second session keys are, thereafter, used for secure communication. In one embodiment the communication traverses an intermediary whereby first and second session keys protect communication with respective leg to intermediary.

Abstract: A method comprising the use of a bootstrapping protocol to define a security relationship between a first server and a second server, the first and second servers co-operating to provide a service to a user terminal. A bootstrapping protocol is used to generate a shared key for securing communication between the first server and the second server. The shared key is based on a context of the bootstrapping protocol, and the context is associated with a Subscriber Identity Module (SIM) associated with the user terminal and provides a base for the shared key. A method of the invention may, for example, be employed within a computing/service network such as a “cloud”, and in particular for communications between two servers in the cloud that are co-operating to provide a service to a user.

Abstract: According to one embodiment, an apparatus for scrambling a message is provided. The apparatus includes a processor and a memory in communication with the processor. The memory contains instructions executable by the processor that are configured to cause the apparatus to retrieve webpage data of at least one webpage. The at least one webpage is different from the message. The memory contains instructions executable by the processor that are configured to cause the apparatus to perform a hash operation on the webpage data to generate hashed webpage data, generate at least one pseudo-random value based at least in part on the hashed webpage data and generate a scrambled message by performing a first logical operation on the at least one generated pseudo-random value and the message.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A method and apparatus for obtaining a password hint is disclosed. In some embodiments, the method includes: receiving a spatial pattern from a user; obtaining a password comprising a plurality of characters; obtaining a password hint comprising an arrangement of characters, wherein the arrangement of characters includes the plurality of characters of the password and additional characters, and the plurality of characters of the password are located within the arrangement of characters according to the received spatial pattern. The method may also include storing the password hint or providing the password hint to the user.

Abstract: Electronic devices (320) are provided which comprise a digital logic circuit (101) and a test module (322) adapted to receive test parameters from a remote test management device (310), generate test patterns based on the test parameters, apply the test patterns to the digital logic circuit, receive test responses from the digital logic circuit, compact the test responses into a test signature, and either transmit the test signature to the remote test management device or determine a test result based on a comparison of an expected signature received from the remote test management device with the test signature.

Abstract: A Feedback Shift-Register (FSR) enabling improved testing, e.g., Built-In Self-Tests (BIST), is provided. Each cell of the FSR may either be an observable cell, associated with a non-trivial feedback function implemented by a combinational logic circuit, or a controllable cell, having an associated state variable which belongs to the dependence set of exactly one of the non-trivial feedback functions. Each controllable cell is provided with a multiplexer for selecting either a predecessor cell of the controllable cell or a test value as input. Thus, the sequential circuit of the FSR may be tested using tests for combinational logic. The disclosed test procedures utilize a minimal set of test vectors and allow detection of all single stuck-at faults in the FSR. This may not increase the propagation delay of the original design, and the resulting dynamic power dissipation during test can be considerably less than known BIST designs.

Abstract: An authentication method comprises providing a set of N plural number of master keys both to a user terminal (13) and to home network entity (11) and, when performing an authentication key agreement (AKA) transaction for an application, selecting one of the N number of master keys to serve as a master key for use both at the user terminal and the home network entity for deriving further keys for the application.

Abstract: A first network device of a first communication network obtains a challenge, generates a first PFS parameter, obtains a first verification code for the first PFS parameter, and sends the challenge, the first PFS parameter and the first verification code to a communication device, which in turn receives the challenge, the first PFS parameter and the first verification code, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first PFS parameter is authentic, and if the determination is positive generates and sends the second PFS parameter to the first network device, which in turn verifies the second PFS parameter.

Abstract: A first network device of a first communication network obtains a challenge, generates a first PFS parameter, obtains a first verification code for the first PFS parameter, and sends the challenge, the first PFS parameter and the first verification code to a communication device, which in turn receives the challenge, the first PFS parameter and the first verification code, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first PFS parameter is authentic, and if the determination is positive generates and sends the second PFS parameter to the first network device, which in turn verifies the second PFS parameter.

Abstract: A first data handling node (304) is configured to verify data received in a data distribution network with multiple data handling nodes forming a distribution path of a network topology, by obtaining tag information from a hash server (306). The first data handling node (304) receives data (D3) and a hash tag (H3) from a second data handling node (302). The received data (D3) and hash tag (H3) have been generated by the second node based on a previous hash tag (H1, H2) generated by a preceding third data handling node (300a, 300b). The third node has delivered data (D1, D2) to the second node, and the received data (D3) has been generated by the second node based on the data (D1, D2) delivered by the third data handling node.

Abstract: An access authentication system for authenticating a subscriber of a service, the access authentication system comprising an operator access authentication system and one or more private access authentication systems, each private access authentication system being communicatively connectable with the operator access authentication system, the operator access authentication system being adapted to provide one or more authentication functions for facilitating authentication of subscribers of the service based on respective subscriber authentication data items associated with credentials of the subscriber; wherein each private access authentication system is adapted to communicate one or more subscriber authentication data items to said operator access authentication system; and wherein each private access authentication system is further adapted to communicate one or more verification data items indicative of the private access authentication system operating in at least one predetermined state.