Abstract: Disclosed is a method for transitioning a remote station from a current serving network node having an enhanced security context to a new serving network node. In the method, the remote station provides at least one legacy key, and generates at least one session key based on a calculation using a root key and using an information element associated with the enhanced security context. The remote station forwards a first message having the information element to the new serving network node. The remote station receives a second message, from the new serving network node, having a response based on either the legacy key or the session key. The remote station determines that the new serving network node does not support the enhanced security context if the response of the second message is based on the legacy key. Accordingly, the remote station protects communications based on the legacy key upon determining that the enhanced security context is not supported.

Abstract: A method and apparatus are provided for a subsidizing service provider entity to personalize a subscriber device to ensure the subscriber device cannot be used in a network of a different service provider entity. As the service provider entity subsidizes the subscriber device, it desires to ensure that subscriber device is personalized such that the subscriber device may operate only in its network and not a network of a different service provider entity. The subscriber device is pre-configured with a plurality of provider-specific and/or unassociated root certificates by the manufacturer of the subscriber device. A communication service is established between the service provider entity and the subscriber device allowing for the mutual authentication of the subscriber device and the service provider entity. After mutual authentication, the service provider entity sends a command to the subscriber device to disable/delete some/all root certificates that are unassociated with the service provider entity.

Abstract: Disclosed is a method for transitioning a remote station from a current serving network node having an enhanced security context to a new serving network node. In the method, the remote station provides at least one legacy key, and generates at least one session key based on a calculation using a root key and using an information element associated with the enhanced security context. The remote station forwards a first message having the information element to the new serving network node. The remote station receives a second message, from the new serving network node, having a response based on either the legacy key or the session key. The remote station determines that the new serving network node does not support the enhanced security context if the response of the second message is based on the legacy key. Accordingly, the remote station protects communications based on the legacy key upon determining that the enhanced security context is not supported.

Abstract: Prior to transmission, a message is divided into multiple transmission units. A sub-message authentication code is obtained for each of the transmission units. A composed message authentication code is obtained for the whole message based on the sub-message authentication codes of the multiple transmission units. The multiple transmission units and the composed message authentication code are then transmitted. A receiver of the message receives a plurality of transmission units corresponding to the message. A local sub-message authentication code is calculated by the receiver for each transmission unit. A local composed message authentication code is calculated by the receiver based on the local sub-message authentication codes for the plurality of transmission units. The local composed message authentication code is compared to a received composed message authentication code to determine the integrity and/or authenticity of the received message.

Abstract: Methods and apparatus for protecting user privacy in a shared key system. According to one aspect, a user generates a derived identity based on a key and a session variable, and sends the derived identity to an application. In one embodiment, a key server may be used to receive the derived identity from the application, and return a sub-key to the application to use for encrypting communications with the user.

Abstract: A method and apparatus are provided for a subsidizing service provider entity to personalize a subscriber device to ensure the subscriber device cannot be used in a network of a different service provider entity. As the service provider entity subsidizes the subscriber device, it desires to ensure that subscriber device is personalized such that the subscriber device may operate only in its network and not a network of a different service provider entity. The subscriber device is pre-configured with a plurality of provider-specific and/or unassociated root certificates by the manufacturer of the subscriber device. A communication service is established between the service provider entity and the subscriber device allowing for the mutual authentication of the subscriber device and the service provider entity. After mutual authentication, the service provider entity sends a command to the subscriber device to disable/delete some/all root certificates that are unassociated with the service provider entity.

Abstract: A mobile communication system that utilizes multiple access technologies achieves multiple session registrations by deriving a plurality of extended unique device identifications from a specific unique device identification (e.g., private user identification (PIID) stored on a subscriber identity module (SIM)) assigned to a user equipment. Each of the plurality of extended unique device identifications have the benefit of allowing multiple registrations with one or more access networks while allowing a home subscriber system to detect the one unique device identification embedded in the extended unique device identifications for authentication purposes. Thereby, a large population of deployed UEs and access network infrastructure may benefit without replacement by allowing a UE to maintain session continuity when transitioning between access networks, to select a preferred access technology when in overlapping coverage areas without session interruption, or to maintain multiple sessions (e.g.

Abstract: A mobile communication system that utilizes multiple access technologies achieves multiple session registrations by deriving a plurality of extended unique device identifications from a specific unique device identification (e.g., private user identification (PIID) stored on a subscriber identity module (SIM)) assigned to a user equipment. Each of the plurality of extended unique device identifications have the benefit of allowing multiple registrations with one or more access networks while allowing a home subscriber system to detect the one unique device identification embedded in the extended unique device identifications for authentication purposes. Thereby, a large population of deployed UEs and access network infrastructure may benefit without replacement by allowing a UE to maintain session continuity when transitioning between access networks, to select a preferred access technology when in overlapping coverage areas without session interruption, or to maintain multiple sessions (e.g.

Abstract: A mobile communication system that utilizes multiple access technologies achieves multiple session registrations by deriving a plurality of extended unique device identifications from a specific unique device identification (e.g., private user identification (PIID) stored on a subscriber identity module (SIM)) assigned to a user equipment. Each of the plurality of extended unique device identifications have the benefit of allowing multiple registrations with one or more access networks while allowing a home subscriber system to detect the one unique device identification embedded in the extended unique device identifications for authentication purposes. Thereby, a large population of deployed UEs and access network infrastructure may benefit without replacement by allowing a UE to maintain session continuity when transitioning between access networks, to select a preferred access technology when in overlapping coverage areas without session interruption, or to maintain multiple sessions (e.g.

Abstract: A mobile communication system that utilizes multiple access technologies achieves multiple session registrations by deriving a plurality of extended unique device identifications from a specific unique device identification (e.g., private user identification (PIID) stored on a subscriber identity module (SIM)) assigned to a user equipment. Each of the plurality of extended unique device identifications have the benefit of allowing multiple registrations with one or more access networks while allowing a home subscriber system to detect the one unique device identification embedded in the extended unique device identifications for authentication purposes. Thereby, a large population of deployed UEs and access network infrastructure may benefit without replacement by allowing a UE to maintain session continuity when transitioning between access networks, to select a preferred access technology when in overlapping coverage areas without session interruption, or to maintain multiple sessions (e.g.

Abstract: Prior to transmission, a message is divided into multiple transmission units. A sub-message authentication code is obtained for each of the transmission units. A composed message authentication code is obtained for the whole message based on the sub-message authentication codes of the multiple transmission units. The multiple transmission units and the composed message authentication code are then transmitted. A receiver of the message receives a plurality of transmission units corresponding to the message. A local sub-message authentication code is calculated by the receiver for each transmission unit. A local composed message authentication code is calculated by the receiver based on the local sub-message authentication codes for the plurality of transmission units. The local composed message authentication code is compared to a received composed message authentication code to determine the integrity and/or authenticity of the received message.

Abstract: Methods and apparatus for protecting user privacy in a shared key system. According to one aspect, a user generates a derived identity based on a key and a session variable, and sends the derived identity to an application. In one embodiment, a key server may be used to receive the derived identity from the application, and return a sub-key to the application to use for encrypting communications with the user.