Abstract: Thus there is provided a method and appropriately arranged devices for configuring for communications in a wireless network comprising performing a configuration protocol, and sending by the enrollee device, during an execution of the configuration protocol, a message containing an indication of a status of a previous configuration attempt. A configuring device receiving the status of the previous configuration attempt is then able to act upon it and inform the user that a previous attempt failed. The information provided to the user would allow the user to understand why the device fails to connect to the desired network and perhaps alert them to the fact that it has not connected.

Abstract: A device is arranged for determining a first distance according to a ranging protocol using a measurement message from a second device. A cooperating device (130) has a directional antenna (133) and is located at a trusted distance (150) sharing a connecting direction (160) with the first device. The cooperating device determines a third direction of the same measurement message, and transfers support data to the first device based on the third direction. The first device first determines a first angle (161) between the first direction and the connecting direction and obtains a third angle (163) between the third direction and the connecting direction using the support data. Then a verification test is performed on the first distance (151), the trusted distance (150), the first and the third angle. The first distance is reliable when said distances and angles correspond to a viable spatial constellation (100) of the devices.

Abstract: A wireless communication system comprises a host device (110) and mobile devices (120) arranged for wireless communication and for distance (140) measurement. The host device has a user interface (113) comprising a connect button (115), and is arranged to execute a connection sequence upon a user activating the connect button. The connection sequence first determines respective distances between the host and respective mobile devices. A first mobile device is identified exhibiting a movement. Then a connection action is executed regarding a connection between the first mobile device and the host device. The mobile device is arranged for executing a ranging protocol and, upon subsequently receiving a connection message, executing a connection action regarding a connection between the first mobile device and the host device. Effectively a connection may be established upon the user of a mobile device pressing a single button on a selected host device and moving the mobile device.

Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: This application relates to devices and methods of authenticating messages exchanged over a network between a transmitter and a receiver, the method comprising: at a transmitter side, for transmitting a message, generating a truncated MAC code by selecting or generating predetermined bits from a message authentication code (MAC) computed over a concatenation of a predetermined part of the message with at least one predetermined part of a previously transmitted message; wherein a bitlength of truncated MAC code is smaller than a bitlength of the message authentication code (MAC) appending the truncated MAC code to the message for transmission; at a receiver side, for authenticating a message, receiving a previously transmitted message, the message and the truncated MAC code, generating an expected truncated MAC code by selecting or generating predetermined bits from a message authentication code (MAC) computed over a concatenation of a predetermined part of the message with at least one predetermined part of a

Abstract: A wireless communication system comprises a host device (110) and mobile devices (120) arranged for wireless communication and for distance (140) measurement. The host device has a user interface (113) comprising a connect button (115), and is arranged to execute a connection sequence upon a user activating the connect button. The connection sequence first determines respective distances between the host and respective mobile devices. A first mobile device is identified exhibiting a movement. Then a connection action is executed regarding a connection between the first mobile device and the host device. The mobile device is arranged for executing a ranging protocol and, upon subsequently receiving a convection message, executing a connection action regarding a connection between the first mobile device and the host device. Effectively a connection may be established upon the user of a mobile device pressing a single button on a selected host device and moving the mobile device.

Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: This application relates to devices and a method to establish a secure wireless link for communication between a first and a second device over a wireless physical channel, wherein a paring protocol requires sending over the wireless channel identifying information by the first device, identifying information being data suitable for identifying the device sending the identifying information or a user thereof wherein the first device encrypts and transmits the identifying information by using a public key information of the second device and random information, the second device receives the encrypted identifying information and using private key information associated with the public key information it extracts the identifying information. The devices use a secret uniquely related to the identifying information to derive a session key and then use the session key to establish the secure wireless link.

Abstract: A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel. The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, a certificate is received that is related to the SI and comprises a signature computed over at least part of the non-SI public key. The certificate reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: A device is arranged for encrypting input data and protecting integrity of the input data and associated data. An encryption processor has a first hash unit (311) arranged to compute an integrity value based on the input data, a second hash unit (310) arranged to compute an initialization vector based on the integrity value and the associated data. At least one of the hash units may be a keyed hash unit. An encryption unit (315) is arranged for encrypting the input data to generate encrypted data using the initialization vector and an encryption key (k2). Effectively, the initialization vector is different from the integrity value. As the initialization vector depends on both the integrity value and the associated data, any change therein will result in failure of the decryption and decrypted data that are very different from the original plaintext P.

Abstract: A non-SI device (120) is arranged for wireless communication (130) and cooperates with an SI device (110) having access to a subscriber identity. The non-SI device has a transceiver (121) to communicate in a local network and a processor (122) to establish an association with the SI. A non-SI public key is provided to the SI device via a first communication channel. A verification code is shared with the SI device via a second communication channel The channels are different and include an out-of-band channel (140). Proof of possession of a non-SI private key is provided to the SI device via the first or the second communication channel. From the SI device, security data is received that is related to the SI and is computed using the non-SI public key. The security data reliably enables the non-SI device to access the core network via the local network and a gateway between the local network and the core network.

Abstract: A device (110) arranged for wireless communication (130) has a processor (112) to execute a handover sequence to establish a new connection with a further device (120). A handover request message has a protocol indication indicating one or more alternative communication protocols that are supported by the requester and a channel indication indicating at least one channel to be used for a new connection. Upon receiving a first handover request message including an initial protocol indication and an initial channel indication, it is determined whether the new connection is to be established based on the initial protocol indication and via a selected channel based on the initial channel indication. If not so, the processor determines a second protocol indication and a second channel indication indicating at least one further channel to be used for the new connection and sends a second handover request message. Effectively the role of handover requester and handover selector are switched.

Abstract: In a network system (100) for wireless communication an enrollee (110) accesses the network via a configurator (130). The enrollee acquires a data pattern (140) that represents a network public key via an out-of-band channel by a sensor (113). The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.

Abstract: A method for a client device (1) to request data from a cloud storage device (2) comprises receiving a user request (UR) specifying requested data (RD), producing a client evaluation result (ER1) by evaluating an access policy associated with the requested data, and optionally also producing a client cryptographic commitment (P1) on the client evaluation result (ER1). The user request (UR) and the optional client cryptographic commitment (P1) may be transmitted to the cloud storage device (2), and in response a cloud evaluation result (ER2) may be received from the cloud storage device (2), the cloud evaluation result (ER2) being produced by the cloud storage device (2) by evaluating the access policy associated with the requested data. Then, the client evaluation result (ER1) and the cloud evaluation result (ER2) may be compared, and if the client evaluation result (ER1) fails to match the cloud evaluation result (ER2), a warning message may be produced.

Abstract: In a network system (100) for wireless communication an enrollee (110) accesses the network via a configurator (130). The enrollee acquires a data pattern (140) that represents a network public key via an out-of-band channel by a sensor (113). The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.

Abstract: A secure wireless communication system has a communication device acting as a service seeker (210) and a further communication device acting as a service provider (220) according to a security protocol defining link layer security according to a security mechanism. The service provider enables a first service requiring a link layer security according to a first security mechanism. The devices establish a first secure link connection 5 (241) to engage the first service. The service provider determines that a further service requires a link layer security according to a second security mechanism different from the first security mechanism.

Abstract: A wireless communication system comprises a host device (110) and mobile devices (120) arranged for wireless communication and for distance (140) measurement. The host device has a user interface (113) comprising a connect button (115), and is arranged to execute a connection sequence upon a user activating the connect button. The connection sequence first determines respective distances between the host and respective mobile devices. A first mobile device is identified exhibiting a movement. Then a connection action is executed regarding a connection between the first mobile device and the host device. The mobile device is arranged for executing a ranging protocol and, upon subsequently receiving a convection message, executing a connection action regarding a connection between the first mobile device and the host device. Effectively a connection may be established upon the user of a mobile device pressing a single button on a selected host device and moving the mobile device.

Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: A method of calibrating a sensor, comprising: —determining a position of the sensor; —providing sensor data comprising identification data and the position of the sensor to a calibration data provider; —obtaining calibration data from the calibration data provider; and —calibrating the sensor in accordance with the calibration data.

Abstract: A host (100) provides a service to a dockee (120) via wireless docking. The host has a host wireless communication unit (102) and a near field receiver (103). When the user places the dockee near the host within a near field communication (153) distance, a near field transmitter (123) transmits a service search signal comprising a dockee identifier and a dockee service list for indicating services which are relevant to the dockee. The host determines a matching service set of services that are available at the host, and transmits, via the host communication unit, a service available signal comprising the dockee identifier and the matching service set via the host communication unit. The dockee processor determines whether the received dockee identifier corresponds to the dockee identifier and any of the matching services is actually required by the dockee, and if so, initiates the wireless docking with the host.