Patents by Inventor Madjid F. Nakhjiri

Madjid F. Nakhjiri has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9219607
    Abstract: A method for providing identity data to network-enabled devices includes receiving a request for identity data from a network-enabled device that is deployed to an end-user. The network-enabled device is pre-provisioned with a PIN, a global key pair, a user-accessible first device identifier, and a second device identifier usable by a service provider delivering a service to the device. The identity data request includes the first and second identifiers, a protected rendition of the PIN, and an encryption key or other data from which an encryption key is derivable. The identifiers, the protected rendition of the PIN, and the encryption key or the other data are signed by a private key in the global key pair. The validity of the PIN included in the request is verified to authenticate the device. If the PIN is valid, identity data for the device is generated, encrypted and sent to the network-enabled device.
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: December 22, 2015
    Assignee: ARRIS Technology, Inc.
    Inventor: Madjid F. Nakhjiri
  • Patent number: 9178869
    Abstract: A method and apparatus are provided for locating network resources over a communication network. The method includes receiving a digital certificate identifying a first entity and extracting information from at least one predetermined field of the digital certificate. The extracted information is used as input to a location generation function to create a resource locator (e.g., a URL). The network resource is contacted over the communication network in accordance with a communication protocol using the resource locator to obtain requested information concerning the first entity.
    Type: Grant
    Filed: April 5, 2011
    Date of Patent: November 3, 2015
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan
  • Publication number: 20150186635
    Abstract: A method for providing redacted representations of data. The method comprises hosting a resource on a server that comprises data pieces each tagged with a redaction level, generating a plurality of redacted representations of the resource, each redacted representation being designated for one of a plurality of authorization levels that each correspond to a different range of redaction levels, and the redacted representation for a particular authorization level containing one or more of the data pieces that are tagged with a redaction level that falls within the range of redaction levels for that particular authorization level, receiving a request from a client comprising a claimed authorization level, and providing the client with the one of the redacted representations that is designated for the authorization level that matches the claimed authorization level.
    Type: Application
    Filed: January 2, 2014
    Publication date: July 2, 2015
    Inventors: Madjid F. Nakhjiri, James M. Hunter
  • Patent number: 9027101
    Abstract: A method and system for providing a record of consent in scenarios in which the user and a device may have to perform a function that involves two entities that don't trust each other or are not necessarily interested in cooperating. In one such example, a user wants to switch services from an “old” operator to a “new” operator. An operator switch without explicit user consent may have legal or business ramifications for both the “old” and “new” operators. The ramifications are even more severe if the switch is the result of actions of, for example, a hacker maliciously causing these switches in order to cause monetary or other damage to either operator or denial of service to the users. In such cases it is useful for both operators to be on record and have an archive of proof of user consent should future disputes arise.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: May 5, 2015
    Assignee: Google Technology Holdings LLC
    Inventor: Madjid F. Nakhjiri
  • Patent number: 8887310
    Abstract: A method is provided for operating a consumer programming device that provisions consumer electronic devices. The method includes receiving over a communication link a first enable message that authorizes the consumer programming device to make available one or more resources which enable it to provide services to consumer electronic devices. Services are provided to consumer electronic devices up until all the resources have been exhausted. Additional consumer electronic devices are provided with services only if a second enable message is received over the communication link.
    Type: Grant
    Filed: November 19, 2009
    Date of Patent: November 11, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Alexander Medvinsky, Stuart P. Moskovics, Madjid F. Nakhjiri, Jason A. Pasion
  • Patent number: 8856509
    Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of the creation of AE is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 7, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan, Alexander Medvinsky
  • Publication number: 20140281493
    Abstract: A method for providing identity data to network-enabled devices includes receiving a request for identity data from a network-enabled device that is deployed to an end-user. The network-enabled device is pre-provisioned with a PIN, a global key pair, a user-accessible first device identifier, and a second device identifier usable by a service provider delivering a service to the device. The identity data request includes the first and second identifiers, a protected rendition of the PIN, and an encryption key or other data from which an encryption key is derivable. The identifiers, the protected rendition of the PIN, and the encryption key or the other data are signed by a private key in the global key pair. The validity of the PIN included in the request is verified to authenticate the device. If the PIN is valid, identity data for the device is generated, encrypted and sent to the network-enabled device.
    Type: Application
    Filed: December 18, 2013
    Publication date: September 18, 2014
    Applicant: General Instrument Corporation
    Inventor: Madjid F. Nakhjiri
  • Patent number: 8584214
    Abstract: A method, a network element, and a client device for creating a trusted connection with a network are disclosed. A client device 104 may attempt to access a sub-network 106. The client device 104 may determine that a certificate of the sub-network 106 is issued by a certification authority absent from a device certificate trust list. The client device 104 may receive via the sub-network 106 a certificate trust list update 400 from a certificate trust list provider 108.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: November 12, 2013
    Assignee: Motorola Mobility LLC
    Inventors: Steven D. Upp, Alexander Medvinsky, Madjid F. Nakhjiri
  • Patent number: 8555361
    Abstract: A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound keying material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: October 8, 2013
    Assignee: Motorola Mobility LLC
    Inventors: Madjid F. Nakhjiri, Katrin Hoeper, Alexander Medvinsky
  • Patent number: 8539559
    Abstract: A novel system for utilizing an authorization token to separate authentication and authorization services. The system authenticates a client to an authenticating server; generates an authorization token with the authenticating server and the client; and authorizes services for the client using the generated authorization token.
    Type: Grant
    Filed: August 14, 2007
    Date of Patent: September 17, 2013
    Assignee: Futurewei Technologies, Inc.
    Inventor: Madjid F. Nakhjiri
  • Publication number: 20130239169
    Abstract: Techniques (400, 600, 700) and apparatuses (102, 106, 108, 800) are described that enable a policy for secure packet transmission using required node paths and cryptographic signatures. These techniques and apparatuses enable a secure execution environment (SEE) of a target device to receive trustworthy sensitive data.
    Type: Application
    Filed: March 6, 2013
    Publication date: September 12, 2013
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventor: Madjid F. Nakhjiri
  • Patent number: 8285990
    Abstract: A method for secure and reliable authentication in a communication system. In an embodiment, the authentication method includes performing authentication of a user utilizing Extensible Authentication Protocol (EAP), and transmitting a result indication message to the user. The result indication message can include additional information for security and reliability. The method also includes receiving an acknowledgement message from the user. The acknowledgement message is sent by the user for confirming the reception of the result indication. In an embodiment, the method also includes retransmitting the result indication message if the acknowledgement message is not received within a predetermined time. The additional information for security and reliability can include Message Authentication Code (MAC) and time interval information. The additional information for security and reliability can also include a security/reliability flag.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: October 9, 2012
    Assignee: FutureWei Technologies, Inc.
    Inventor: Madjid F. Nakhjiri
  • Publication number: 20120227097
    Abstract: A method and system for providing a record of consent in scenarios in which the user and a device may have to perform a function that involves two entities that don't trust each other or are not necessarily interested in cooperating. In one such example, a user wants to switch services from an “old” operator to a “new” operator. An operator switch without explicit user consent may have legal or business ramifications for both the “old” and “new” operators. The ramifications are even more severe if the switch is the result of actions of, for example, a hacker maliciously causing these switches in order to cause monetary or other damage to either operator or denial of service to the users. In such cases it is useful for both operators to be on record and have an archive of proof of user consent should future disputes arise.
    Type: Application
    Filed: March 1, 2012
    Publication date: September 6, 2012
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventor: Madjid F. Nakhjiri
  • Patent number: 8245028
    Abstract: Communication nodes, acting as intermediate routers for communication packets transmitted between a source node and a destination node, are provided with different access rights to the fields of the routed communication packets. Routes of intermediate routers between the source node and the destination node are discovered and the identities of intermediate routers on the discovered routes are collected. The aggregate trust levels of the intermediate routers are computed, allowing the most trusted route to be selected. Encryption keys are securely distributed to intermediate routers on the most trusted route based on the trust level of the intermediate routers, and fields of the communication packets are encrypted with encryption keys corresponding to the assigned trust level. Intermediate nodes are thereby prevented from accessing selected fields of the communication packets.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: August 14, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: George Calcev, Bogdan O Carbunar, Madjid F. Nakhjiri
  • Publication number: 20120042160
    Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence (AE), when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of the creation of AE is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.
    Type: Application
    Filed: August 10, 2011
    Publication date: February 16, 2012
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan, Alexander Medvinsky
  • Patent number: 8099597
    Abstract: A communications component comprising a processor configured to implement a method comprising acquiring an authentication identifier (Auth ID), and constructing a network service identifier (NSI) comprising the Auth ID and an authentication, authorization, and accounting (AAA) realm. The disclosure includes a system comprising an authorization server in communication with a host, wherein the authorization server is configured to verify a previous authentication of the host using a NSI. Also disclosed is a method comprising receiving a NSI and a service request, wherein the NSI comprises an Auth ID, determining an authentication server associated with the Auth ID, verifying an authentication of a host using the Auth ID, and authorizing the host to receive a service associated with the service request.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: January 17, 2012
    Assignee: FutureWei Technologies, Inc.
    Inventor: Madjid F. Nakhjiri
  • Publication number: 20110246646
    Abstract: A method and apparatus are provided for locating network resources over a communication network. The method includes receiving a digital certificate identifying a first entity and extracting information from at least one predetermined field of the digital certificate. The extracted information is used as input to a location generation function to create a resource locator (e.g., a URL). The network resource is contacted over the communication network in accordance with a communication protocol using the resource locator to obtain requested information concerning the first entity.
    Type: Application
    Filed: April 5, 2011
    Publication date: October 6, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan
  • Publication number: 20110213969
    Abstract: A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound keying material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.
    Type: Application
    Filed: February 28, 2011
    Publication date: September 1, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Madjid F. Nakhjiri, Katrin Hoeper, Alexander Medvinsky
  • Patent number: 8005224
    Abstract: A method for establishing a new security association between a mobile node and a network source, the method comprising creating a first token comprising a security association between a network source and a mobile node, the first token being encrypted using a first key known to the mobile node and a first trust authority within a home network associated with the mobile node, and creating a second token comprising the same security association between the network source and the mobile node, the second token being encrypted using a second key known to the first trust authority and a second trust authority associated with the network source, wherein the first token and the second token are sent to the second trust authority using a chain of trust infrastructure.
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: August 23, 2011
    Assignee: FutureWei Technologies, Inc.
    Inventors: Madjid F. Nakhjiri, Changsheng Wan
  • Publication number: 20110119739
    Abstract: A method is provided for operating a consumer programming device that provisions consumer electronic devices. The method includes receiving over a communication link a first enable message that authorizes the consumer programming device to make available one or more resources which enable it to provide services to consumer electronic devices. Services are provided to consumer electronic devices up until all the resources have been exhausted. Additional consumer electronic devices are provided with services only if a second enable message is received over the communication link.
    Type: Application
    Filed: November 19, 2009
    Publication date: May 19, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Alexander Medvinsky, Stuart P. Moskovics, Madjid F. Nakhjiri, Jason A. Pasion
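The redaction scheme of publication 20150186635 (data pieces tagged with redaction levels, one pre-generated representation per authorization level, selection by the level in the request), as an added illustration that is not code from the patent or its applicant. The piece names, levels, ranges and the session store are constructed for the example. The abstract selects a representation by the claimed level alone; the example additionally refuses any claim that does not match a level already verified for the session, since a server that trusts a bare claimed level hands out the least-redacted copy to anyone who asks for it.

```python
"""Redacted representations keyed by authorization level (added example, not from the patent)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Piece:
    name: str
    text: str
    redaction_level: int  # 0 = least sensitive; higher levels are withheld from more readers


# Constructed sample resource: every data piece is tagged with a redaction level when hosted.
RESOURCE = (
    Piece("title", "Quarterly report", 0),
    Piece("summary", "Revenue up 4%", 1),
    Piece("payroll", "Total payroll 1.2M", 2),
    Piece("ssn", "123-45-6789", 3),
)

# Authorization level -> inclusive range of redaction levels it may see (assumed policy).
AUTH_RANGES = {
    "public": (0, 0),
    "employee": (0, 1),
    "manager": (0, 2),
    "hr": (0, 3),
}

# Constructed session store standing in for whatever authenticated the client earlier; a
# claimed level carried in the request is untrusted until matched against this.
SESSIONS = {"tok-emp-1": "employee", "tok-hr-9": "hr"}


def generate_representations(resource, auth_ranges):
    """Pre-compute one redacted copy of the resource per authorization level."""
    reps = {}
    for level, (lo, hi) in auth_ranges.items():
        reps[level] = tuple(p for p in resource if lo <= p.redaction_level <= hi)
    return reps


def handle_request(reps, claimed_level, session_token):
    """Serve the representation designated for the claimed level only when that level is the
    one verified for the session; otherwise refuse rather than fall back to another copy."""
    verified_level = SESSIONS.get(session_token)
    if verified_level is None or claimed_level != verified_level:
        return None
    return reps.get(claimed_level)


REPRESENTATIONS = generate_representations(RESOURCE, AUTH_RANGES)


def piece_names(claimed_level, session_token):
    """Names of the pieces a client receives, or None when the request is refused."""
    rep = handle_request(REPRESENTATIONS, claimed_level, session_token)
    return None if rep is None else [p.name for p in rep]


if __name__ == "__main__":
    print(piece_names("employee", "tok-emp-1"))
    print(piece_names("hr", "tok-emp-1"))
```

Generating the copies once at hosting time, as the abstract describes, keeps the request path to a lookup; the only per-request decision is whether the claimed level is one the client is entitled to.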
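The resource-gated provisioning of patent 8887310 (a consumer programming device that serves devices only while resources granted by an enable message remain, and again only after a further enable message), as an added example rather than code from the patent or its assignee. The abstract says nothing about how an enable message is protected; the HMAC tag, the shared key and the monotonic sequence number are this example's assumptions, added because an unauthenticated or replayable enable message would let anyone re-credit the device.

```python
"""Enable-message-gated provisioning (added example, not from the patent)."""
import hashlib
import hmac

# Constructed key shared between the issuer of enable messages and the programming device.
KEY = hashlib.sha256(b"constructed shared key").digest()


def make_enable_message(key: bytes, seq: int, credits: int):
    """Issuer side. message = seq (4 bytes) || credits (4 bytes); tag = HMAC-SHA256(key, message)."""
    msg = seq.to_bytes(4, "big") + credits.to_bytes(4, "big")
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


class ConsumerProgrammingDevice:
    def __init__(self, key: bytes):
        self.key = key
        self.remaining = 0     # resources still available for provisioning
        self.last_seq = 0      # highest enable-message sequence number accepted so far
        self.provisioned = []

    def apply_enable_message(self, msg: bytes, tag: bytes) -> bool:
        """Accept a message only if its tag verifies and its sequence number is fresh."""
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if len(msg) != 8 or not hmac.compare_digest(expected, tag):
            return False  # forged or corrupted
        seq = int.from_bytes(msg[:4], "big")
        credits = int.from_bytes(msg[4:], "big")
        if seq <= self.last_seq:
            return False  # replayed or stale: never re-credit from an old message
        self.last_seq = seq
        self.remaining += credits
        return True

    def provision(self, device_id: str) -> bool:
        """Provide the service to one consumer electronic device if a resource remains."""
        if self.remaining == 0:
            return False
        self.remaining -= 1
        self.provisioned.append(device_id)
        return True


def run_scenario():
    """Constructed run: two credits, three devices, a replay, then a fresh enable message."""
    cpd = ConsumerProgrammingDevice(KEY)
    first = make_enable_message(KEY, 1, 2)
    results = [cpd.apply_enable_message(*first)]
    results += [cpd.provision(d) for d in ("dev-A", "dev-B", "dev-C")]
    results.append(cpd.apply_enable_message(*first))  # replay of message 1
    results.append(cpd.apply_enable_message(*make_enable_message(KEY, 2, 1)))
    results.append(cpd.provision("dev-C"))
    return results, list(cpd.provisioned)


if __name__ == "__main__":
    print(run_scenario())
```

The third device is refused until the second enable message arrives, and replaying the first message does nothing because its sequence number is no longer fresh.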
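The EMSK to EMK to per-server AE chain of patent 8856509 (and application 20120042160), with the AE then used as prior state for a TLS exchange, as an added example rather than code from the patent or its assignee. The HKDF-Expand construction, the labels, the constructed EMSK and the binder over a handshake transcript are this example's assumptions; the abstract only states that the EMSK yields an EMK from which AE for a variety of servers is created.

```python
"""Authentication evidence (AE) from an EAP EMSK (added example, not from the patent)."""
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_emk(emsk: bytes) -> bytes:
    """Evidence Master Key from the EMSK (label assumed)."""
    return hkdf_expand(emsk, b"EMK")


def derive_ae(emk: bytes, server_identity: str) -> bytes:
    """Per-server AE. Binding the server identity into the derivation means one server cannot
    compute the AE handed to another, even though both descend from the same EMK."""
    return hkdf_expand(emk, b"AE|" + server_identity.encode())


def binder(ae: bytes, transcript: bytes) -> bytes:
    """The 'prior state' use: a MAC over the TLS handshake transcript keyed by AE (assumed
    PSK-binder-like construction)."""
    return hmac.new(ae, b"tls-binder|" + transcript, hashlib.sha256).digest()


def check_binder(ae: bytes, transcript: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(binder(ae, transcript), tag)


# Constructed EMSK standing in for the output of a successful EAP method run.
EMSK = hashlib.sha512(b"constructed EMSK from EAP").digest()
SERVERS = ("srv-a.example", "srv-b.example")


def exchange(server_name: str, verifier_name: str) -> bool:
    """Client derives AE for server_name on its own; the AAA server hands each application
    server only its own AE (never the EMK). Returns whether verifier_name can check the
    binder the client sent to server_name."""
    client_ae = derive_ae(derive_emk(EMSK), server_name)
    aaa_issued = {s: derive_ae(derive_emk(EMSK), s) for s in SERVERS}
    transcript = b"ClientHello|ServerHello"  # constructed handshake transcript
    tag = binder(client_ae, transcript)
    return check_binder(aaa_issued[verifier_name], transcript, tag)


if __name__ == "__main__":
    print(exchange("srv-a.example", "srv-a.example"), exchange("srv-a.example", "srv-b.example"))
```

Only the intended server verifies the binder; a second server holding its own AE cannot, which is the property that makes it safe for the AAA server to distribute AE per server instead of the EMK.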
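The compound keying material and binding token of patent 8555361 (and application 20110213969): keying material from a device authentication and from a subscriber authentication combined by a KDF, then a token over both identities signed with the result and checked by the authenticating and authorizing party. Added example, not code from the patent or its assignee; the HMAC-based extract/expand mixing, the length-prefixed encoding, the nonce and the constructed keying material are assumptions.

```python
"""Device-to-subscriber binding token (added example, not from the patent)."""
import hashlib
import hmac


def compound_keying_material(device_km: bytes, subscriber_km: bytes) -> bytes:
    """KDF over both sets: HMAC(salt=device_km, ikm=subscriber_km) then one expand step
    (mixing order and label assumed)."""
    prk = hmac.new(device_km, subscriber_km, hashlib.sha256).digest()
    return hmac.new(prk, b"compound-binding-key\x01", hashlib.sha256).digest()


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so 'ab'||'c' and 'a'||'bc' sign different messages."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def make_binding_token(device_km: bytes, subscriber_km: bytes,
                       device_id: str, subscriber_id: str, nonce: bytes) -> bytes:
    """Token = HMAC(compound key, device_id || subscriber_id || nonce). Only a party holding
    both sets of keying material can produce it."""
    ck = compound_keying_material(device_km, subscriber_km)
    msg = _encode(device_id.encode(), subscriber_id.encode(), nonce)
    return hmac.new(ck, msg, hashlib.sha256).digest()


def verify_binding_token(token: bytes, device_km: bytes, subscriber_km: bytes,
                         device_id: str, subscriber_id: str, nonce: bytes) -> bool:
    """The authenticating/authorizing party recomputes from the keying material it holds for
    both authentications and compares in constant time."""
    expected = make_binding_token(device_km, subscriber_km, device_id, subscriber_id, nonce)
    return hmac.compare_digest(token, expected)


# Constructed stand-ins for the first (device) and second (subscriber) sets of keying material.
DEVICE_KM = hashlib.sha256(b"constructed device keying material").digest()
SUBSCRIBER_KM = hashlib.sha256(b"constructed subscriber keying material").digest()
NONCE = bytes(range(8))


def scenario():
    """Genuine token; same token presented for another subscriber; token forged with only
    the device keying material. Returns the three verification results."""
    token = make_binding_token(DEVICE_KM, SUBSCRIBER_KM, "IMEI-000111", "sub@example.net", NONCE)
    ok = verify_binding_token(token, DEVICE_KM, SUBSCRIBER_KM, "IMEI-000111", "sub@example.net", NONCE)
    swapped = verify_binding_token(token, DEVICE_KM, SUBSCRIBER_KM, "IMEI-000111", "other@example.net", NONCE)
    forged = make_binding_token(DEVICE_KM, bytes(32), "IMEI-000111", "sub@example.net", NONCE)
    forged_ok = verify_binding_token(forged, DEVICE_KM, SUBSCRIBER_KM, "IMEI-000111", "sub@example.net", NONCE)
    return ok, swapped, forged_ok


if __name__ == "__main__":
    print(scenario())
```

The two rejections are the point of the construction: a token cannot be re-used to attach the device to a different subscriber, and a party that completed only the device authentication cannot mint one.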