Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.

Abstract: A method and apparatus for intersystem mobility security context handling between different radio access networks which can include a receiver configured to receive a tracking area update message from a user terminal. The message can include a first key identifier configured to identify a mapped security context and a second key identifier configured to identify a cached security context. A verifier can be configured to verify the tracking area update message with a key identified by the first or second key identifier.

Abstract: An identifier containing at least one encrypted part is received at a first network entity. A second network entity may then be determined based on the identifier. A request for assistance in decryption of the identifier from the second network entity may be sent from the first entity to the second network entity. The second network entity may then assist the first networks entity in an appropriate manner.

Abstract: In a method for key handling in mobile communication systems, first and second numbers are exchanged between entities of the mobile communication system. The first and second numbers are respectively used only once with respect to the respective system parameters of the communication system and therefore allowing greater security in the communication system.

Abstract: The user equipment (UE) and the Mobility Management Entity (MME) in an evolved 3GPP system generate authentication material that can be carried inside a packet switched network temporary mobile station identifier (P-TMSI) signature field of a Universal Mobile Telecommunications System (UMTS) signaling message from the UE to a UMTS/GPRS serving GPRS support node (SGSN) in a UMTS or GPRS Terrestrial Radio Access Network (UTRAN) or in a GSM/Edge Radio Access Network (GERAN), as well as from the SGSN to the MME of the evolved 3GPP system. The MME authenticates a context transfer request from the UTRAN/GERAN system based on the transferred authentication material and knowledge of how to create or to verify the authentication material. Additionally, the MME and the UE derive or verify authentication material, based on at least one user-specific key, for embedding in the P-TMSI signature field in legacy 3GPP signalling.

Abstract: In accordance with an example embodiment of the present invention, there is provided an apparatus comprising at least one memory configured to store an identity of a terminal, at least one processing core configured to use a terminal-specific inactivity timer value and to associate the terminal-specific inactivity timer value with the identity to provide terminal- or user-specific inactivity timers to manage state transitions in mobiles.

Abstract: A communication network manages key material. A method generates and provides session keys from a security node to an access node for further propagation during handoff procedures, without requiring the security node to take part in the handoff procedures.

Abstract: An auxiliary handover message is sent from a target eNB to a UE being handed over from a source eNB. The auxiliary handover message includes a context identifier that is established between the source eNB and the UE, which the source eNB provides to the target eNB during context data exchange when preparing for the handover. The UE uses the context identifier to verify that the auxiliary handover message is valid. Various approaches are detailed for minimizing signaling overhead and minimizing the time the UE must monitor the separate channel for the auxiliary handover message in the event the UE does not properly receive the original handover message from the source eNB. The context identifier may be a random number, a C-RNTI, an eNB-ID, or a token. The auxiliary handover command sent from the target eNB may be the context identifier with or without a copy of the handover command.

Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.

Abstract: An identifier containing at least one encrypted part is received at a first network entity. A second network entity may then be determined based on the identifier. A request for assistance in decryption of the identifier from the second network entity may be sent from the first entity to the second network entity. The second network entity may then assist the first networks entity in an appropriate manner.

Abstract: A communication network manages key material. A method generates and provides session keys from a security node to an access node for further propagation during handoff procedures, without requiring the security node to take part in the handoff procedures.

Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.

Abstract: A communication network manages key material. A method generates and provides session keys from a security node to an access node for further propagation during handoff procedures, without requiring the security node to take part in the handoff procedures.

Abstract: The invention allows changing a Radio Access Network security algorithm during handover in a manner that is efficient and secure. A security message is received at a mobile station previously using a first security algorithm in communication with a first access point, which message instructs to use a second security algorithm required by a second access point. In response, the mobile station is changed to use the second security algorithm.

Abstract: The present invention performs a Binding Update or a Location Update message authentication independently and terminal-specifically in a home SAE gateway. A key, which is derived in a home AAA server from an initially set long term key, is given to a visited network for encrypting the update messages in Proxy Mobile IP. In Client Mobile IP, the key is transmitted to a mobile node for update message encryption. When the update message is received in the home SAE gateway, the key can be derived independently in the home SAE gateway without any key requests between the gateway and the home AAA server. Thus, it is possible to authenticate the binding or location update messages by verifying the two signatures. The present invention can also be implemented on a lower hierarchy of the system. The invention can be implemented in 3GPP standard releases enhanced with LTE technology, for instance.

Abstract: Handoffs must be fast for wireless mobile nodes without sacrificing the security between a mobile node and wireless access points in an access network. A secure session keys context approach is shown having all the good features, like mobility and security optimization, of the currently existing proposals of key-request, pre-authentication, and pre-distribution but also providing improved scalability for the access network and for the mobile node. The new approach is compared to the existing proposals including memory requirements and especially how to reduce memory usage using a “just-in-time” transfer of security information between access points and a mobile node during a handover.

Abstract: Cryptographic network separation functionality is provided on a user device. An option to store information about a type of database where a user is homed is provided in an indicator on a storage medium. An interface is provided between the user device and the storage medium for accessing the indicator. In case the information about the type of database cannot be obtained from the storage medium, it is determined not to enforce the cryptographic network separation functionality on the user device.

Abstract: Provided are apparatuses and methods for providing security measures for a handover execution procedure in a communication network. In one example, the handover procedure is initiated by more than one base station. In another example, a base station may not launch a Denial or Service (DoS) attack towards other base stations or towards a core network using handover signaling messages. For example, a user device may send at least one encryption parameter, such as a Nonce associated with the user device to a source base station. Handover of the user device from the source base station to a target base station may be accomplished based on the at least one encryption parameter to avoid the DoS attack.

Abstract: Sequence numbers for data packets to be transmitted using bearers having bearer identifiers in a communications system are generated, wherein the sequence numbers are generated independently for each of the bearers used for transmitting the data packets. Last generated sequence numbers for each of the bearers identifiers are stored and held in a memory. When a sequence number for a data packet to be transmitted using a bearer out of the bearers which has been used before is to be generated the memory is checked on a last generated sequence number for the bearer with a previously used bearer identifier and the sequence number is generated in accordance therewith.

Abstract: In a method for key handling in mobile communication systems, first and second numbers are exchanged between entities of the mobile communication system. The first and second numbers are respectively used only once with respect to the respective system parameters of the communication system and therefore allowing greater security in the communication system.