Abstract: There is provided a device comprising a key request module and a key receive module. The key request module is configured to transmit a key request to a provisioning server, and the key receive module is configured to receive a device root key associated with the device from the provisioning server. The device also comprises an authentication request transmit module configured to transmit an authentication request comprising an international mobile subscriber identity (IMSI) and a device identifier identifying the device to a first home subscriber server (HSS). The device also comprises an authentication under key agreement (AKA) module configured to perform an AKA procedure using the device root key. The key request module, the key receive module, the authentication request transmit module and the AKA module thereby authenticate the device for subscriber identity module (SIM) provisioning of the device.

Abstract: A method for proxy algorithm identity selection may comprise: selecting, at a first network node, a security algorithm identity for a user equipment which is determined to handover to a second network node, based at least in part on security information of the user equipment and a list of security algorithm identities for the second network node; generating security keys for a communication between the user equipment and the second network node, based at least in part on the selected security algorithm identity; providing the security keys and the selected security algorithm identity to the second network node from the first network node; and sending the selected security algorithm identity to the user equipment from the first network node, in response to a handover acknowledgement from the second network node.

Abstract: A method of secure charging for a device-to-device service may comprise: recording charging information of a device-to-device service between a first user equipment and a second user equipment, wherein the charging information is associated at least with the first user equipment; generating a first report comprising the charging information, wherein the first report is protected by a security key of the first user equipment; and sending the first report to a network node by the first user equipment, wherein the first report is used for charging for the device-to-device service together with a second report generated at the second user equipment, and wherein the second report comprises charging information associated at least with the device-to-device service of the second user equipment and is protected by a security key of the second user equipment.

Abstract: There is provided a device comprising a key request module and a key receive module. The key request module is configured to transmit a key request to a provisioning server, and the key receive module is configured to receive a device root key associated with the device from the provisioning server. The device also comprises an authentication request transmit module configured to transmit an authentication request comprising an international mobile subscriber identity (IMSI) and a device identifier identifying the device to a first home subscriber server (HSS). The device also comprises an authentication under key agreement (AKA) module configured to perform an AKA procedure using the device root key. The key request module, the key receive module, the authentication request transmit module and the AKA module thereby authenticate the device for subscriber identity module (SIM) provisioning of the device.

Abstract: Method, network element, user equipment (UE) and system are disclosed for securing device-to-device (D2D) communication in a wireless network. The wireless network has a first UE in an idle mode, a second UE in a connected mode, and a network element. The method comprises: encrypting the second UE's identification (ID) by using a first key which is known to the network element and the first UE and which is unknown to the second UE; sending the encrypted second UE's ID from the network element to the first UE via the second UE; and verifying the second UE's ID by using the encrypted second UE's ID.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus such as for example a mobile or a base station, comprising at least one processing core configured to compile a message comprising information concerning resources used in a communication network, the at least one processing core being configured to perform a first determination, that a second user equipment is engaged in a device-to-device session with a first user equipment, the at least one processing core being configured to, responsive to the first determination, include in the message information concerning the second user equipment, and a transmitter configured to cause the message to be transmitted toward a network node. The message may comprise a resource usage report and/or charging report, for example.

Abstract: There is provided a device comprising a key request module and a key receive module. The key request module is configured to transmit a key request to a provisioning server, and the key receive module is configured to receive a device root key associated with the device from the provisioning server. The device also comprises an authentication request transmit module configured to transmit an authentication request comprising an international mobile subscriber identity (IMSI) and a device identifier identifying the device to a first home subscriber server (HSS). The device also comprises an authentication under key agreement (AKA) module configured to perform an AKA procedure using the device root key. The key request module, the key receive module, the authentication request transmit module and the AKA module thereby authenticate the device for subscriber identity module (SIM) provisioning of the device.

Abstract: A fast-accessing method may comprise: establishing a first security connection between a first network node and a user equipment; obtaining first information from a second network node, wherein the first information comprises at least one of system information of the second network node and an identifier of a security algorithm selected by the second network node for the user equipment; providing second information to the second network node, in response to an indication of the second network node from the user equipment, wherein the second information comprises security information related to the user equipment; and sending the first information to the user equipment for establishing a second security connection between the user equipment and the second network node.

Abstract: Methods and apparatus are provided for key pairing between peer D2D UEs in different eNBs or D2D areas. A method may comprise: receiving at a first access network node serving a first D2D area from a first user equipment in the first D2D area, a request for keys for a D2D communication between the first user equipment and a second user equipment, wherein the request comprises an identification of a second D2D area where the second user equipment is located and being different from the first D2D area; identifying a second access network node serving the second D2D area based on the identification; sending to the second access network node, a request for a security context of the second user equipment; and receiving from the second access network node the security context for obtaining the keys for the D2D communication.

Abstract: There is provided a device comprising a key request module and a key receive module. The key request module is configured to transmit a key request to a provisioning server, and the key receive module is configured to receive a device root key associated with the device from the provisioning server. The device also comprises an authentication request transmit module configured to transmit an authentication request comprising an international mobile subscriber identity (IMSI) and a device identifier identifying the device to a first home subscriber server (HSS). The device also comprises an authentication under key agreement (AKA) module configured to perform an AKA procedure using the device root key. The key request module, the key receive module, the authentication request transmit module and the AKA module thereby authenticate the device for subscriber identity module (SIM) provisioning of the device.

Abstract: A method for key derivation may comprise: generating a second key based at least in part on a first key for a first connection between a user equipment and a first network node, in response to a decision to enter an idle mode; releasing the first connection to enter the idle mode; providing an identity of the user equipment to the first network node via a second network node, in response to initiating a setup procedure for a second connection between the user equipment and a second network node; and using the second key for the second connection, in response to receiving from the second network node an indication that the identity of the user equipment is successfully verified at the first network node.

Abstract: Provided are methods, corresponding apparatuses, and computer program products for a fast handover. A method comprises generating, at a source base station serving a user equipment, a first message and a second message including security information for security communication between a target base station and the user equipment after a fast handover. The method also comprises transmitting simultaneously, from the source base station, the first and second messages respectively to the target base station and the user equipment. With the claimed inventions, a fast X2 handover procedure is complemented and becomes more feasible with proposed security handlings, making it possible to decrease the service interruption during X2 handover for users and hence improve the user experiences.

Abstract: An enhanced connection control including maintaining a first connection between a first network node and a user equipment which has a second connection with a second network node, determining a third network node for re-establishing a third connection between the third network node and the user equipment, in response to a link failure of the second connection, and transferring context information of the user equipment from the first network node to the third network node.

Abstract: A fast-accessing method may comprise: establishing a first security connection between a first network node and a user equipment; obtaining first information from a second network node, wherein the first information comprises at least one of system information of the second network node and an identifier of a security algorithm selected by the second network node for the user equipment; providing second information to the second network node, in response to an indication of the second network node from the user equipment, wherein the second information comprises security information related to the user equipment; and sending the first information to the user equipment for establishing a second security connection between the user equipment and the second network node.

Abstract: Method, network element, mobile terminal, system and computer program product are disclosed for negotiating cryptographic algorithm. The method comprises: receiving a first candidate list from the mobile terminal by the network element, wherein the first candidate list includes at least one candidate cryptographic algorithm supported by the mobile terminal and excludes at least one undesirable cryptographic algorithm even though it is supported by the mobile terminal; and selecting, from the first candidate list, a cryptographic algorithm supported by both the network element and the mobile terminal. As the undesirable cryptographic algorithm(s) is excluded from the first candidate list, the network element will be forced to choose more secure algorithms for communications with the mobile terminal.

Abstract: Method, network element, user equipment (UE) and system are disclosed for securing device-to-device (D2D) communication in a wireless network. The wireless network has a first UE in an idle mode, a second UE in a connected mode, and a network element. The method comprises: encrypting the second UE's identification (ID) by using a first key which is known to the network element and the first UE and which is unknown to the second UE; sending the encrypted second UE's ID from the network element to the first UE via the second UE; and verifying the second UE's ID by using the encrypted second UE's ID.

Abstract: A set of associated keys for an authentication process to be performed in a second network is calculated based on a random value used in an authentication process of a first network.

Abstract: Methods and apparatus are provided for key pairing between peer D2D UEs in different eNBs or D2D areas. A method may comprise: receiving at a first access network node serving a first D2D area from a first user equipment in the first D2D area, a request for keys for a D2D communication between the first user equipment and a second user equipment, wherein the request comprises an identification of a second D2D area where the second user equipment is located and being different from the first D2D area; identifying a second access network node serving the second D2D area based on the identification; sending to the second access network node, a request for a security context of the second user equipment; and receiving from the second access network node the security context for obtaining the keys for the D2D communication.

Abstract: Provided are methods, corresponding apparatuses, and computer program products for a fast handover. A method comprises generating, at a source base station serving a user equipment, a first message and a second message including security information for security communication between a target base station and the user equipment after a fast handover. The method also comprises transmitting simultaneously, from the source base station, the first and second messages respectively to the target base station and the user equipment. With the claimed inventions, a fast X2 handover procedure is complemented and becomes more feasible with proposed security handlings, making it possible to decrease the service interruption during X2 handover for users and hence improve the user experiences.

Abstract: A method for proxy algorithm identity selection may comprise: selecting, at a first network node, a security algorithm identity for a user equipment which is determined to handover to a second network node, based at least in part on security information of the user equipment and a list of security algorithm identities for the second network node; generating security keys for a communication between the user equipment and the second network node, based at least in part on the selected security algorithm identity; providing the security keys and the selected security algorithm identity to the second network node from the first network node; and sending the selected security algorithm identity to the user equipment from the first network node, in response to a handover acknowledgement from the second network node.