Abstract: The present invention involves establishing a top-level key and optionally also a verification tag. The top-level key is used as the MDP key for encrypting a broadcast medium. Only the part of the key message that contains the encrypted top-level key is authenticated, e.g. using a signature or a Message Access Code (MAC). Any known group-key distribution protocol can be used that is based on the creation of a hierarchy of keys. Examples of such methods are the LKH and SD methods. The group-key distribution protocol output key H, traditionally used as the MDP key, or a derivative thereof is used to encrypt the top-level MDP-key. The invention, further, includes optimization of a group-key message by eliminating unnecessary message components relative a specified group or sub-group of users. The optimization can be made in dependence of contextual data such as user profile, network status, or operator policies.

Abstract: In a mobile network with a plurality of access networks (210, 220), a control node (110) which is controlling access of a user equipment (300) to that one of the access networks (210, 220) which is currently used by the user equipment (300) determines an access capability of the user equipment (300) in said access network (210, 220), e.g. support of voice communication over packet switched access. The control node (110) provides an indication of the determined access capability to a subscriber database (150) associated with the user equipment (300). The indication may then be retrieved from the subscriber database (150) and be used to control termination of a connection to the user equipment (300).

Abstract: A method and apparatus for transferring a session from a packet switched access network to a circuit switched access network. A Mobility Management Entity receives a service type indicator from a gateway node. The service type indicator indicates a type of service for the session, and is associated with bearers used for the session. The Mobility Management Entity subsequently receives, from an eNodeB, an indication that the session is to be transferred from the packet switched network to the circuit switched access network. The Mobility Management Entity determines the bearers associated with the session using the service type indicator, and initiates transfer of the session using those bearers. This ensures that the correct bearers are transferred regardless of whether or not identifiers such as QCI values have been ascribed to other types of service.

Abstract: A method and apparatus for use in a communications network whereby an Instance Identifier (ID) is created to uniquely identify a device such as a mobile device or User Equipment (UE) in the communications network.

Abstract: A user terminal for use with a communications system. The user terminal comprises a non-volatile memory and a subscriber identity authentication unit configured in use to communicate with a removable subscriber identity module and with said communications system in order to authenticate a subscriber identity stored in said subscriber identity module. A recording unit is provided for recording a used and authenticated subscriber identity in said non-volatile memory, whilst an emergency call initiation unit is configured to initiate an unauthenticated emergency call in the absence of a subscriber identity module, and to retrieve said used and authenticated subscriber identity from said non-volatile memory and to provide the retrieved subscriber identity to the communications system during the initiation.

Abstract: A system, method, and nodes for managing shared security keys between a User Equipment, UE, an authentication node such as an SCF/NAF, and a service node such as a BM-SC or AS. The SCF/NAF allocates to each BM-SC, a different SCF/NAF identifier such as a fully qualified domain name, FQDN, from the FQDN space the SCF/NAF administers. The SCF/NAF then locally associates these allocated FQDNs with the connected BM-SCs and with different services. The network sends the correct FQDN to the UE in a service description for a desired service, and the UE is able to derive a security key using the FQDN. When the UE requests the desired service, the SCF/NAF is able to associate the service identifier with the correct FQDN and an associated BM-SC. The SCF/NAF uses the FQDN to obtain the security key from a bootstrapping server and sends it to the associated BM-SC. As a result, the UE and the associated BM-SC share a specific security key.

Abstract: A method of facilitating access to services of an IP Multimedia Subsystem, by users groups that require alternative handling in relation to the standard handling of IP Multimedia Subsystem users. Functioning instructions are added to the user groups subscription maintained in the IP Multimedia Subsystem, instructing nodes in the IP Multimedia Subsystem to adapt their standard functioning for this specific group of users. The instructions in a subscription of a specific user group, provide a node of the IP Multimedia Subsystem that does no longer need to be specific for certain types of users, but has a standard way of operation, that is modified by instructions for dedicated operation for only that specific user group. In further aspect embodiments are disclosed providing improved solutions for known problems of IP Multimedia Subsystems making use of functioning instructions included in the subscription.

Abstract: The invention relates to a method of changing allocation of Serving-Call Session Control Functions (S-CSCFs) to a user of an IMS network. The user is being provided with services via a first S-CSCF allocated to the user. The method includes implementing a re-allocation instruction at the first S-CSCF. The reallocation instruction includes criteria for de-allocation of the user from the first S-CSCF. The S-CSCF determines if the criteria are met; and if the criteria are met, de-allocates the user.

Abstract: A method of registering a subscriber in an IP Multimedia Subsystem (IMS) is provided, wherein the method is executed by a call control node (800), wherein the method comprises receiving (402) an access request of the subscriber for circuit switched accessing the IMS, the access request being received via an access, determining (404) an access type of the access, and sending (406) a registration request for circuit switched registering the subscriber in the IMS depending on the determined access type.

Abstract: A VoLGA Access Network Controller (VANC), a User Equipment, and methods are described herein for providing security to Voice over Long-Term Evolution via Generic Access (VoLGA) traffic.

Abstract: The invention relates to a method for providing service continuity with respect to a registration of a mobile terminal, UE, at a control server of an IP Multimedia Subsystem, IMS, network, while a CS-communication session between the UE and a switching server, MSC, of a circuit-switched, CS, network is established. The control server comprises a registration timer which is used for initiating a termination of the registration of the UE at the IMS network, when the registration timer expires, wherein the control server updates the registration timer in dependence of a control information received from the MSC. The invention further relates to a MSC providing such service.

Abstract: The present invention relates to a key management method to establish selective secret information in multiple disjoint groups, more specifically to a method of reducing the broadcast size in access hierarchies and localize and facilitate management in said access hierarchies. The key management method selects a number of subgroups. Each subgroup supports an instance of a key distribution method for receiving distributed key material, and is capable of computing a usage security key based on the distributed key material and predefined user group key material.

Abstract: The invention relates to session control in an IMS domain of a communications network and more particularly to techniques for performing session transfer in an IMS control node (SCC AS) for controlling centralized services in an IMS domain. One embodiment of an SCC AS (200) may be adapted to store, for each of a plurality of ongoing communication sessions, a session information item (218) comprising a user identity (222) identifying a user device involved in the session and a first identifier (216) of the user device in a CS domain of the communications network, wherein the user identity is associated with multiple user devices and the first identifier comprises at least one of an MSISDN (216), an IMSI, and a GRUU.

Abstract: According to a first aspect of the present invention there is provided a method of providing interactive IP Television to a user terminal 1 over an IP Multimedia Subsystem 2. The method comprises, at a content server 3, sending the IP Television content and an interactive object to the user terminal 1 via the IP Multimedia Subsystem 2. At the user terminal 1, displaying graphical components of the interactive object together with the IP Television content, accepting user input to the interactive object and sending the input to an evaluation server 4 via the IP Multimedia Subsystem 2. At the evaluation server 4, comparing the user input with answer information associated with the interactive object and sending a result of the comparison to the user terminal 1 via the IP Multimedia Subsystem 2.

Abstract: Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.

Abstract: A method and apparatus for key management in a communication network. A Key Management Terminal KMS Terminal Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.

Abstract: A method and apparatus for establishing a communication session in an IMS Centralized Services communication network. A Service Centralization and Continuity Application Server (SCC AS) receives a request from an originating device to establish a session with a target device. The request includes a plurality of codec identifiers that could be used by the originating device. The SCC AS sends a second request to establish the session to the target device. The SCC AS subsequently receives, from an intermediate node between the SCC AS and the target device, an invite message. The invite message includes an indication that a codec identifier has been selected from the plurality of codec identifiers. The SCC AS then sends a message to the intermediate node instructing the intermediate node to establish the session.

Abstract: A method and apparatus for authentication in a communication network. A network node receives an initial request message from a user device, and sends an authentication message to an authentication node. In reply, the network node receives an expected response value and an authentication token from the authentication node. The expected response value is determined using a first shared secret known to the authentication node and the user and a second shared secret known to the authentication node and the user device, and the authentication token is determined using the second shared secret. The network node sends the authentication token from the network node to the user device, and in response receives a response value calculated using authentication token, the first shared secret and the second shared secret. The network node then determines if the response value matches the expected response value and, if so, authenticates the user.

Abstract: The invention provides an establishment of a secret session key shared Between two network elements (NEa, NEb) belonging to different network domains (NDa, NDb). A first network element (NEa) of a first network domain (NDa) requests security parameters from an associated key management center (KMC) (AAAa). Upon reception of the request, the KMC (AAAa) generates a freshness token (FRESH) and calculates the session key (K) based on this token (FRESH) and a master key (KAB) shared with a second network domain (NDb). The security parameters are (securely) provided to the network element (NEa), which extracts the session key (K) and forwards the freshness token (FRESH) to the KMC (AAAb) of the second domain (NDb) through a second network element (NEb). Based on the token (FRESH) and the shared master key (KAB), the KMC (AAAb) generates a copy of the session key (K), which is (securely) provided to the second network element (NEb).

Abstract: A method and apparatus for maintaining service continuity for User Equipment accessing an IP Multimedia Subsystem communication network. A routing identifier is established that identifies a Service Centralization and Continuity Application Server allocated to the User Equipment. The routing identifier is sent to the between the User Equipment and the Service Centralization and Continuity Application Server, a handover message is sent from the User Equipment via a Circuit Switched access network. The handover message includes the routing identifier, and is then forwarded to the identified Service Centralization and Continuity Application Server. This allows the same Service Centralization and Continuity Application Server to be used after the handover as was used before the handover, thereby providing service continuity.