Abstract: The present invention relates to a multiple application QR code capable of storing information of a plurality of data containers in such a way that a respective information can be retrieved for an application program and the configuring of the application program in a reliable and time-efficient manner. There is provided methods and device whereby the configuring an application program to run on a device comprises reading a QR code, using a first application program, the QR code containing at least two data containers, extracting a first information from a first data container in the QR code and downloading a second application program using the first information, extracting a second information from a second data container in the QR code, the second information containing configuration parameters for the second application program, and using the configuration parameters to configure the second application program.

Abstract: The present invention relates to a multiple application QR code capable of storing information of a plurality of applications in such a way that a respective information can be retrieved for each application in a reliable and time-efficient manner. The information is encoded into encoded data including at least a header and a respective data container per application. The header can comprise at least a single identifier indicating a presence of the plurality of applications and a respective application identifier per application. The encoded data are distributedly stored in a plurality of data pixels distributed over an encoding region of the QR code, according to an allocation rule. A QR code reader can retrieve the information stored in the QR code by only accessing and processing the data pixels associated with the respective application of interest and by using an error correction which is specific to this respective application.

Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: A device is arranged for encrypting input data and protecting integrity of the input data and associated data. An encryption processor has a first hash unit arranged to compute an integrity value based on the input data, a second hash unit arranged to compute an initialization vector based on the integrity value and associated data, producing an initialization vector that is different from the integrity value. At least one of the hash units may be a keyed hash unit. An encryption unit is arranged for encrypting the input data to generate encrypted data using the initialization vector and an encryption key. As the initialization vector depends on both the integrity value and the associated data, any change therein will result in failure of the decryption and decrypted data that are substantially different from the original input data.

Abstract: A network access device (130) is described arranged to cooperate with a configurator (120) according to a configuration protocol (DPP) that enables to configure wireless networks and wireless devices. The network access device has a transceiver (131) for wireless communication (Wi-Fi), and a processor (132) arranged to accommodate an operational network (161) arranged to enable access to an external network (152) using a network communication protocol (TCP/IP), and a configuration network (162) arranged not to provide access to the external network after configuration of the operational network.

Abstract: A device is arranged for distance measurement according to a ranging protocol using a measurement message from a second device. Based on a first arrival time of the measurement message a first distance (151) between the first device (110) and the second device (120) is determined. A third device (130) acts as a cooperating device that is located at a trusted distance (150). The cooperating device determines a third arrival time of the same measurement message, and transfers support data to the first device, the support data being based on the third arrival time. The first device obtains a third distance (153) between the third device and the second device using the support data. Then a verification test is performed on the first distance (151), the trusted distance (150) and the third distance (153). The first distance is reliable when said distances correspond to a viable spatial constellation (100) of the devices.

Abstract: A device is arranged for determining a first distance according to a ranging protocol using a measurement message from a second device. A cooperating device (130) has a directional antenna (133) and is located at a trusted distance (150) sharing a connecting direction (160) with the first device. The cooperating device determines a third direction of the same measurement message, and transfers support data to the first device based on the third direction. The first device first determines a first angle (161) between the first direction and the connecting direction and obtains a third angle (163) between the third direction and the connecting direction using the support data. Then a verification test is performed on the first distance (151), the trusted distance (150), the first and the third angle. The first distance is reliable when said distances and angles correspond to a viable spatial constellation (100) of the devices.

Abstract: Thus there is provided a method and appropriately arranged devices for configuring for communications in a wireless network comprising performing a configuration protocol, and sending by the enrollee device, during an execution of the configuration protocol, a message containing an indication of a status of a previous configuration attempt. A configuring device receiving the status of the previous configuration attempt is then able to act upon it and inform the user that a previous attempt failed. The information provided to the user would allow the user to understand why the device fails to connect to the desired network and perhaps alert them to the fact that it has not connected.

Abstract: Method for operating a wireless terminal to communicate in a cellular network, said cellular network comprising at least one first cell station, said first cell station serving a first cell, and at least one relay station served by a second cell station serving a second cell, the method comprising the steps of the wireless terminal receiving a downlink signal sent by the first cell station and carrying downlink control information, said downlink control information including at least an indication of an allocated uplink resource to be used by the wireless terminal for transmitting a signal to the relay station, the wireless terminal generating uplink information, the wireless terminal transmitting to the relay station on the allocated uplink resource the signal carrying the uplink information, said uplink information to be forwarded to the second cell station.

Abstract: A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, security data is received that is related to the SI and is computed using the non-SI public key. The security data reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: This application relates to devices and methods of authenticating messages exchanged over a network between a transmitter and a receiver. The transmitter generates a truncated MAC code by selecting predetermined bits from a message authentication code (MAC) computed over a concatenation of a part of the message with a part of a previously transmitted message. The transmitter appends the truncated MAC code to the message for transmission. The receiver receives a previously transmitted message, the currently transmitted message, and the truncated MAC code, and generates an expected truncated MAC code by selecting predetermined bits from a message authentication code (MAC) computed over a concatenation of the part of the message with the previously transmitted message. The receiver authenticates the message and the previously transmitted message if the truncated MAC code as received is identical to the expected truncated MAC code.

Abstract: A non-SI device is arranged for wireless communication and cooperates with an SI device having access to a subscriber identity. The non-SI device has a transceiver to communicate in a local network and a processor to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel. Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, a certificate is received that is related to the SI and comprises a signature computed over at least part of the non-SI public key. The certificate reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: Devices (110,120) and methods are described to establish secure communication between a first and a second device over a physical channel according to a security protocol. The protocol establishes first integrity data in the first device and second integrity data in the second device. The protocol has at least two security levels. The applied security level is selectable based on grading information transferred via the physical channel. Advantageously, a grading indicator indicative of a minimum security level as minimally required in at least one of the first device (110) and second device (120) is transferred via the physical channel, while integrity protection of the grading indicator is provided based on the integrity data. Thereby, a man-in-the-middle attack by a further device (130) to downgrade the security level may be prevented.

Abstract: A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, a certificate is received that is related to the SI and comprises a signature computed over at least part of the non-SI public key. The certificate reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: This application relates to devices and a method to establish a secure wireless link for communication between a first and a second device over a wireless physical channel, wherein a paring protocol requires sending over the wireless channel identifying information by the first device, the identifying information being data suitable for identifying the device sending the identifying information, or a user thereof, wherein the first device encrypts and transmits the identifying information and random information by using a public key information of the second device. The second device receives the encrypted identifying and random information and, using private key information associated with the public key information, it extracts the identifying information. The devices use a secret uniquely related to the identifying information to derive a session key and then use the session key to establish the secure wireless link.

Abstract: A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, security data is received that is related to the SI and is computed using the non-SI public key. The security data reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: There is provided a method of configuring an Enrollee device for communications in a wireless network. The method comprises, on the Enrollee side, providing a Configurator device, executing a configuration protocol, and sending by the Enrollee device, during an execution of the configuration protocol, an announcement message comprising an indication of a type of a public key previously used by the Enrollee as part of the protocol if an attempt by the Enrollee device to connect to the network has failed following an earlier execution of part of the configuration protocol. There are also provided an Enrollee and Configurator devices arranged to execute the method.

Abstract: There is provided a method of configuring an Enrollee device for communications in a wireless network comprises a Configurator device, the Configurator and Enrollee devices performing at least part of a configuration protocol, the Enrollee device encrypting Enrollee identifying information using a public key information of the Configurator and random information to produce a first encrypted message, the Enrollee device transmitting the first encrypted message to the Configurator device, the Configurator device receiving the first encrypted message, the Configurator device decrypting the first encrypted message using private key information associated with the public key, the Configurator device identifying the Enrollee device using the Enrollee identifying information and deciding whether or not it should continue the configuration based on the Enrollee identifying information. There are also provided Configurator and Enrollee devices arranged to perform the method.

Abstract: In a network system for wireless communication an enrollee accesses the network via a configurator. The enrollee acquires a data pattern that represents a network public key via an out-of-band channel by a sensor. The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.