Patents by Inventor Goran Selander

Goran Selander has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170244564
    Abstract: A method (500) of generating a cryptographic checksum for a message M(x) is provided. The method comprises pseudo-randomly selecting (502) at least two irreducible polynomials pi(x). Each irreducible polynomial pi(x) is selected based on a first cryptographic key from the set of irreducible polynomials of degree ni over a Galois Field. The method further comprises calculating (503) a generator polynomial p(x) of degree n=formula (I) as a product of the N irreducible polynomials formula (II), and calculating (505) the cryptographic checksum as a first function g of a division of a second function of M(x), ƒ(M(x)), modulo p(x), i.e., g(ƒ(M(x)) mod p(x)). By replacing a standard checksum, such as a Cyclic Redundancy Check (CRC), with a cryptographic checksum, an efficient message authentication is provided. The proposed cryptographic checksum may be used for providing integrity assurance on the message, i.e., for detecting random and intentional message changes, with a known level of security.
    Type: Application
    Filed: August 19, 2014
    Publication date: August 24, 2017
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mats NÄSLUND, Elena DUBROVA, Fredrik LINDQVIST, Göran SELANDER
  • Patent number: 9690929
    Abstract: A method for estimating the strength of a graphical password comprising two or more segments is disclosed. In some embodiments, this advantageous solution is achieved by implementing a multi-step process. In one step, the data processing system applies a first operation on a first segment to produce a transformed segment. In another step, the data processing system performs a comparison operation between the transformed segment and a second segment. In another step, the data processing system performs a penalty operation with respect to the first segment based on an outcome of the comparison operation. The penalty operation includes one or more of (1) calculating a penalty value, wherein the penalty value may be used in calculating a value representing the strength of the graphical password; and (2) disregarding the first or the second segment when calculating the value representing the strength of the graphical password.
    Type: Grant
    Filed: September 20, 2012
    Date of Patent: June 27, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Göran Selander, Mats Näslund, Freyr Saevarsson
  • Patent number: 9674219
    Abstract: There is provided a method of authenticating a public land mobile network (PLMN) to a mobile station (MS). The PLMN provides a circuit switched access network to the MS, and the MS and a trusted service, TS, have established a security context. The initiation of a voice call or initiation of sending or receiving of a pushed message by the MS (S10.1) is detected, and the TS generates a response authentication token using a session identifier and the security context (S10.7). The TS sends a response comprising the response authentication token to the MS such that the response is delivered to the MS over a signalling channel of the PLMN using a mobile subscriber integrated services digital network-number (MSISDN) associated with the subscriber or subscription to direct the message (S10.9). The MS authenticates the response using the response authentication token, the security context, and the session identifier (S10.12) in order to authenticate the PLMN.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: June 6, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Göran Selander, Harald Kallin, Michael Liljenstam, Gunnar Mildh, Bernard Smeets
  • Publication number: 20170141918
    Abstract: A method (500) of generating a cryptographic checksum for a message M(x) is provided. The method comprises pseudo-randomly selecting (502) a generator polynomial p(x) from the set of polynomials of degree n over a Galois Field and calculating (504) the cryptographic checksum as a first function g of a division of a second function of M(x), ƒ(M(x)), modulo p(x), g(ƒ(M(x)) mod p(x)). The generator polynomial p(x) is pseudo-randomly selected based on a first cryptographic key. By replacing a standard checksum, such as a Cyclic Redundancy Check (CRC), with a cryptographic checksum, an efficient message authentication is provided. The proposed cryptographic checksum may be used for providing integrity assurance on the message, i.e., for detecting random and intentional message changes, with a known level of security. Further, a corresponding computer program, a corresponding computer program product, and a checksum generator for generating a cryptographic checksum, are provided.
    Type: Application
    Filed: June 27, 2014
    Publication date: May 18, 2017
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Elena DUBROVA, Fredrik LINDQVIST, Mats NÄSLUND, Göran SELANDER
  • Patent number: 9585022
    Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: February 28, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Göran Selander, Petter Arvidsson, Miguel Cardo Rodriguez, Mattias Eld
  • Patent number: 9524395
    Abstract: A method and apparatus for obtaining a password hint is disclosed. In some embodiments, the method includes: receiving a spatial pattern from a user; obtaining a password comprising a plurality of characters; obtaining a password hint comprising an arrangement of characters, wherein the arrangement of characters includes the plurality of characters of the password and additional characters, and the plurality of characters of the password are located within the arrangement of characters according to the received spatial pattern. The method may also include storing the password hint or providing the password hint to the user.
    Type: Grant
    Filed: November 8, 2011
    Date of Patent: December 20, 2016
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Göran Selander, Mats Näslund
  • Publication number: 20160299189
    Abstract: A Feedback Shift-Register (FSR) enabling improved testing, e.g., Built-In Self-Tests (BIST), is provided. Each cell of the FSR may either be an observable cell, associated with a non-trivial feedback function implemented by a combinational logic circuit, or a controllable cell, having an associated state variable which belongs to the dependence set of exactly one of the non-trivial feedback functions. Each controllable cell is provided with a multiplexer for selecting either a predecessor cell of the controllable cell or a test value as input. Thus, the sequential circuit of the FSR may be tested using tests for combinational logic. The disclosed test procedures utilize a minimal set of test vectors and allow detection of all single stuck-at faults in the FSR. This may not increase the propagation delay of the original design, and the resulting dynamic power dissipation during test can be considerably less than known BIST designs.
    Type: Application
    Filed: November 28, 2013
    Publication date: October 13, 2016
    Inventors: Göran SELANDER, Mats NÄSLUND, Elena DUBROVA
  • Publication number: 20160149913
    Abstract: A node (17, 21) in an information centric network (ICN) receives a first identifier associated with an information object. The node (17, 21) causes creation of a virtual node (18) in the ICN, for holding a mapping between a second identifier and the first identifier. The second identifier is assigned to a copy of the information object stored in the ICN. The node (17, 21) causes creation of the virtual node (18) such that the mapping is arranged to cease after a predetermined event. The virtual node (18) is created with the sole purpose of providing copies of the information object to a small number of requestors (14), and possibly to just one requestor (14). Ceasing the mapping after delivery of the one copy, or the few copies, of the information object prevents unauthorised retrieval of the information object.
    Type: Application
    Filed: June 28, 2013
    Publication date: May 26, 2016
    Applicant: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Anders E. ERIKSSON, Börje OHLMAN, Göran SELANDER
  • Publication number: 20160149869
    Abstract: It is disclosed a method and a constrained resource device (502, 70, 90) for establishing a secret first key between a client device (506) and the constrained resource device. The invention also relates to a method and an authorization server (504, 60, 80) for enabling establishing a secret first key between a client device (506) and the constrained resource device. Based on a secret second key shared (508) between the constrained RD and the AS, the secret first key shared between the constrained resource device and the client device can be established. Devices having constrained resources cannot use protocols with which additional messages are required to share a secure identity. Embodiments of the present invention have the advantage that a secret identity can be established within an authentication protocol and that no additional messages are required to establish the secret identity.
    Type: Application
    Filed: July 2, 2013
    Publication date: May 26, 2016
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventor: Göran SELANDER
  • Publication number: 20160142436
    Abstract: A method, computer program and a server node (100) in a communications network (50) for reduction of undesired energy consumption of the server node (100), the method comprising: receiving a request message from a client (120), the request message containing message fields comprising at least a message ID field and an integrity indication field containing a first integrity indication, determining a relation key by performing a calculation by usage of a master key commonly known by the server node (100) and an authorization engine (110) and at least data comprised in the message ID field, calculating a second integrity indication based on a subset of the message fields by usage of the relation key, wherein the subset excludes at least one message field that is predictable by a trusted client (120), verifying the subset of the message fields by comparing the first and second integrity indications, and determining the message to be authorized when the comparison indicates equality, and wherein when the message i
    Type: Application
    Filed: July 2, 2013
    Publication date: May 19, 2016
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Christian GEHRMANN, Göran SELANDER
  • Publication number: 20160007294
    Abstract: A method of authorizing a message received at a node in a wireless network is disclosed. The message from a sender device is formed by a plurality of symbols and includes a first message integrity indicator located at a predetermined distance from the start of the message such that further symbols of the message are included after the first message integrity indicator. The position of the first message integrity indicator in the message is determined, and a cryptographic operation is performed on at least some of the symbols of the message before the first message integrity indicator so as to generate a second message integrity indicator before the first message integrity indicator is received. The first and second message integrity indicators are compared, and an indication that the message is not authorized is provided if the second message integrity indicator does not match the first message integrity indicator.
    Type: Application
    Filed: December 20, 2013
    Publication date: January 7, 2016
    Inventors: Mats NÄSLUND, Göran SELANDER, Vlasios TSIATSIS, Elena DUBROVA
  • Publication number: 20150350219
    Abstract: It is disclosed methods and trusted execution environments (TEE) of enabling one of at least two profile domains. An authorisation token for authorising a TEE application to request one of the at least two profile domains to be enabled, is received (816, 1102). The validity of the authorization token is checked (818, 1104). If the authorization token is valid, information about the TEE application being authorised to request one of the at least two profile domains to be enabled, is stored (820, 1106). If receiving (822) a command requesting the authorised TEE application to request (824, 1108) one of the at least two profile domains to be enabled, said one of the at least two profile domains is enabled (826, 1110). A TEE comprises a processor and a memory storing a computer program comprising computer program code for executing the method when the code is run in the processor.
    Type: Application
    Filed: November 19, 2013
    Publication date: December 3, 2015
    Inventors: Göran SELANDER, Petter ARVIDSSON, Miguel CARDO RODRIGUEZ, Mattias ELD
  • Publication number: 20150350916
    Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.
    Type: Application
    Filed: November 19, 2013
    Publication date: December 3, 2015
    Inventors: Göran SELANDER, Petter ARVIDSSON, Miguel CARDO RODRIGUEZ, Mattias ELD
  • Publication number: 20150334566
    Abstract: There is provided a method of authenticating a public land mobile network (PLMN) to a mobile station (MS). The PLMN provides a circuit switched access network to the MS, and the MS and a trusted service, TS, have established a security context. The initiation of a voice call or initiation of sending or receiving of a pushed message by the MS (S10.1) is detected, and the TS generates a response authentication token using a session identifier and the security context (S10.7). The TS sends a response comprising the response authentication token to the MS such that the response is delivered to the MS over a signalling channel of the PLMN using a mobile subscriber integrated services digital network-number (MSISDN) associated with the subscriber or subscription to direct the message (S10.9). The MS authenticates the response using the response authentication token, the security context, and the session identifier (S10.12) in order to authenticate the PLMN.
    Type: Application
    Filed: December 17, 2012
    Publication date: November 19, 2015
    Inventors: Göran Selander, Harald Kallin, Michael Liljenstam, Gunnar Mildh, Bernard Smeets
  • Patent number: 9137785
    Abstract: A method and arrangement in a first mobile terminal (600) for determining allocation of radio resources for DMO communication amongst a group of mobile terminals. In the first mobile terminal, a first determining module (600a) determines a communication (Sout, Sin) with a second mobile terminal (602) of the group. A second determining module (600b) determines a resource element (RE) for communication by applying a predefined cryptographic function P based on a terminal identification (K). The cryptographic function has been configured in the mobile terminals of the group to provide terminal-specific resource elements for different mobile terminals within respective radio frames. A communication module (600c) then communicates with the second mobile terminal (602), either by transmission or reception of the data, on the determined resource element (RE).
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: September 15, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Magnus Almgren, Ritta Almgren, Mats Näslund, Göran Selander, Per Skillermark
  • Publication number: 20150143509
    Abstract: A method for estimating the strength of a graphical password comprising two or more segments is disclosed. In some embodiments, this advantageous solution is achieved by implementing a multi-step process. In one step, the data processing system applies a first operation on a first segment to produce a transformed segment. In another step, the data processing system performs a comparison operation between the transformed segment and a second segment. In another step, the data processing system performs a penalty operation with respect to the first segment based on an outcome of the comparison operation. The penalty operation includes one or more of (1) calculating a penalty value, wherein the penalty value may be used in calculating a value representing the strength of the graphical password; and (2) disregarding the first or the second segment when calculating the value representing the strength of the graphical password.
    Type: Application
    Filed: September 20, 2012
    Publication date: May 21, 2015
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Göran Selander, Mats Näslund, Freyr Saevarsson
  • Patent number: 8977852
    Abstract: A module (2) for integrity protection of messages transmitted from a mobile software defined radio (SDR) terminal (1), the module provided with a confined cryptographic key K and arranged to receive loaded SDR-code. The module derives an integrity protecting key Rk from at least said cryptographic key K, and provides a periodic integrity protection on-line of generated messages using said key integrity protecting key Rk, and the integrity of said messages is verified by an integrity checking node (10) of the access network.
    Type: Grant
    Filed: June 18, 2007
    Date of Patent: March 10, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mats Näslund, Harald Kallin, Magnus Almgren, Göran Selander
  • Patent number: 8934892
    Abstract: A method in a first user equipment (UE 1) connectable to a second user equipment (UE 2) via a communication network or via a direct radio communication link, of using a direct radio communication link for communication between the UEs is initiated when one of the UEs receives probe signaling information comprising a first probe token via the communication network. The UEs exchange probe signaling messages including a second and/or the first probe token at least partly according to the probe signaling information, such that one of the UEs can compare the probe tokens, generate a probing report and provide the probing report to the communication network, or to the opposite UE for evaluation in case of a successful comparison and such that a direct radio communication link can be used for communication with UE 2 in response to receiving instructions to use the second direct radio communication link from the entity by which the probing report was evaluated.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: January 13, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Göran Selander, Konstantinos Dimou, Johan Lundsjö, Micael Martell, Gunnar Mildh, Mats Näslund
  • Publication number: 20140289870
    Abstract: A method and apparatus for obtaining a password hint is disclosed. In some embodiments, the method includes: receiving a spatial pattern from a user; obtaining a password comprising a plurality of characters; obtaining a password hint comprising an arrangement of characters, wherein the arrangement of characters includes the plurality of characters of the password and additional characters, and the plurality of characters of the password are located within the arrangement of characters according to the received spatial pattern. The method may also include storing the password hint or providing the password hint to the user.
    Type: Application
    Filed: November 8, 2011
    Publication date: September 25, 2014
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Göran Selander, Mats Näslund
  • Patent number: 8811987
    Abstract: Methods, apparatus, and computer program products for creating an association between a first user equipment and at least one access point assisted by a registration server in a telecommunication network are disclosed. The registration server responds to a first contact request carried out using a first association number for the access point, provided by the first user equipment, receives a first association request for the association with the access point, provided by the first user equipment, authorizes the first association request based on a first authorization information provided by the first user equipment; registers the association between the first user equipment and the access point responsive to authorization of the first association request. The first user equipment is associated with the access point and the association is administered by the registration server.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: August 19, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Göran Selander, Jari Vikberg, Karl Norrman, Rolf Blom, Mats Näslund