Patents by Inventor Mats Näslund

Mats Näslund has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8555337
    Abstract: The present invention relates to fraud prevention and authentication of a device to a user. The method of authenticating a personal device according to the invention comprises a set up sequence, wherein at least a first preferred output format is selected by the user, and a device configuration verification sequence. In the device configuration verification sequence a checksum is calculated and converted to a user friendly output format based on the user selected preferred output format. In addition the checksum may be calculated based on variable, and user selectable, keying material. The personal device, after being authenticated according to the above, may be used to authenticate a second device.
    Type: Grant
    Filed: September 8, 2005
    Date of Patent: October 8, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Rolf Blom, Per-Olof Nerbrant, Mats Näslund
  • Patent number: 8539564
    Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.
    Type: Grant
    Filed: March 4, 2009
    Date of Patent: September 17, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mats Näslund, Rolf Blom, Yi Cheng, Fredrik Lindholm, Karl Norrman
  • Patent number: 8515064
    Abstract: A method of key management in a communication network that includes a plurality of groups with each group including one or several members authorized to have access to key-protected services is provided by an apparatus. The method includes determining when a member starts a switching action from one service to another. A time dependent quantity starting from the switching action is determined. The method includes determining that the member is a member of a switching group when the quantity is less than a threshold value, and when the quantity is larger than the threshold, determining that the member has decided to join a new group, and changing the appropriate access key(s).
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: August 20, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tereza Cristina Melo de Brito Carvalho, Vlad Constantin Coroama, Mats Näslund, Makan Pourzandi, Marcos Antonio Simplicio, Jr., Yeda Regina Venturini
  • Publication number: 20130203454
    Abstract: A method and arrangement in a first mobile terminal (600) for determining allocation of radio resources for DMO communication amongst a group of mobile terminals. In the first mobile terminal, a first determining module (600a) determines a communication (Sout, Sin) with a second mobile terminal (602) of the group. A second determining module (600b) determines a resource element (RE) for communication by applying a predefined cryptographic function P based on a terminal identification (K). The cryptographic function has been configured in the mobile terminals of the group to provide terminal-specific resource elements for different mobile terminals within respective radio frames. A communication module (600c) then communicates with the second mobile terminal (602), either by transmission or reception of the data, on the determined resource element (RE).
    Type: Application
    Filed: June 7, 2010
    Publication date: August 8, 2013
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Mats Näslund, Göran Selander, Per Skillermark, Riitta Almgren
  • Patent number: 8462947
    Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.
    Type: Grant
    Filed: December 19, 2006
    Date of Patent: June 11, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Mats Näslund, Jari Arkko
  • Publication number: 20130124757
    Abstract: Methods and arrangements for supporting a forwarding process in routers when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender and a receiver are encoded. A name server generates and distributes router-associated keys to routers in the network which keys are used for computing the hierarchical parameters.
    Type: Application
    Filed: January 4, 2010
    Publication date: May 16, 2013
    Inventors: Karl Norrman, Jukka Ylitalo, Mats Näslund, Pekka Nikander
  • Publication number: 20130097296
    Abstract: A virtual machine (VM) system is provided. The system includes a target physical server (PS) that has a resource configuration. The system includes a source PS that runs a virtual machine (VM). The source PS is in communication with the target PS. The source PS includes a memory that stores a migration policy file. The migration policy file includes at least one trust criteria in which the at least one trust criteria indicates a minimum resource configuration. The source PS includes a receiver that receives target PS resource configuration and a processor in communication with the memory and receiver. The processor determines whether the target PS resource configuration meets the at least one trust criteria. The processor initiates VM migration to the target PS based at least in part on whether the target PS resource configuration meets the at least one trust criteria.
    Type: Application
    Filed: October 18, 2011
    Publication date: April 18, 2013
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Christian Gehrmann, Mats Näslund, Makan Pourzandi
  • Publication number: 20130084854
    Abstract: A method in a first user equipment (UE 1) connectable to a second user equipment (UE 2) via a communication network or via a direct radio communication link, of using a direct radio communication link for communication between the UEs is initiated when one of the UEs receives probe signaling information comprising a first probe token via the communication network. The UEs exchange probe signaling messages including a second and/or the first probe token at least partly according to the probe signaling information, such that one of the UEs can compare the probe tokens, generate a probing report and provide the probing report to the communication network, or to the opposite UE for evaluation in case of a successful comparison and such that a direct radio communication link can be used for communication with UE 2 in response to receiving instructions to use the second direct radio communication link from the entity by which the probing report was evaluated.
    Type: Application
    Filed: June 22, 2010
    Publication date: April 4, 2013
    Inventors: Göran Selander, Konstantinos Dimou, Johan Lundsjö, Micael Martell, Gunnar Mildh, Mats Näslund
  • Patent number: 8332912
    Abstract: A server in a home domain for managing the authentication of clients that are subscribers of the home domain, but are attached to a visited domain. Based on knowledge of the type of security being used in an access network of the visited domain, the server determines whether a given client is to be authenticated by the visited domain or the home domain. The server then signals the result to the visited domain.
    Type: Grant
    Filed: January 4, 2007
    Date of Patent: December 11, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mats Näslund, John Michael Walker
  • Publication number: 20120287934
    Abstract: A network node (NB1) located within a domain is adapted to receive, from another node, a packet having an in-packet Bloom filter or Bloom filter equivalent encoding information about a route within the domain. The node reversibly modifies the in-packet Bloom filter or Bloom filter equivalent in a manner which is linear with respect to the operation used to add links to the Bloom filter or Bloom filter equivalent. The node then forwards the packet with its header containing the modified Bloom filter or Bloom filter to another node (NA1). The invention allows secure Bloom filter-based routing in a domain (Domain B), while requiring that only routers (NB1) at the domain boundary are secure routers. Other routers (NB2, NB3, NB4) in the domain may operate conventionally, and may be secure routers or insecure routers. The modification may be a bit permutation.
    Type: Application
    Filed: October 22, 2010
    Publication date: November 15, 2012
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mikko Särelä, Mats Näslund, Pekka Nikander
  • Publication number: 20120246480
    Abstract: Methods and arrangements for enabling the use of a first device (300) for controlling transfer of media content from a content provider (306) to a second device (302). The first device has a pre-established security association with the communications network. When the network detects a request made by the first device for delivery of media content to the second device, key information is established which enables determination of one or more media keys for encryption of the media content. The network sends key information to the content provider and to the first device. The content provider then delivers media content encrypted by the media key(s) to the second device. Further, the first device forwards the media key(s) over a local communication link to the second device for decryption of media content encrypted by the media key(s) when delivered by the content provider.
    Type: Application
    Filed: December 7, 2009
    Publication date: September 27, 2012
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Göran Selander, Yi Cheng, Mattias Eld, Frank Hartung, Michael Liljenstam, Mats Näslund
  • Patent number: 8275403
    Abstract: When a mobile terminal (10), having a basic identity module (12) operative according to a first security standard, initiates a service access, the home network (30) determines whether the mobile terminal has an executable program (14) configured to interact with the basic identity module for emulating an identity module according to the second security standard. If it is concluded that the mobile terminal has such an executable program, a security algorithm is executed at the home network (30) to provide security data according to the second security standard. At least part of these security data are then transferred, transparently to a visited network (20), to the mobile terminal (10). On the mobile terminal side, the executable program (14) is executed for emulating an identity module according to the second security standard using at least part of the transferred security data as input.
    Type: Grant
    Filed: July 16, 2010
    Date of Patent: September 25, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Rolf Blom, Mats Näslund
  • Patent number: 8261078
    Abstract: A method and arrangement is disclosed for providing a user, not previously having an individual subscription with a network operator, with credentials for secure access to network services. The arrangement includes a gateway, associated with a subscription for network services, having means for generating and exporting to a user entity personalized user security data derived from security data related to the subscription. In particular, the derivation of credentials is based on a function that is shared between network and gateway and further conveniently makes use of bootstrapping on keying material from the subscription authentication. Pre-registered user identities are assigned trusted users who, thereafter, can download credentials and authenticate for service access. The invention may be implemented at a public place for providing temporary visitors network access whereby trust may exemplary be established by presenting a credit card.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: September 4, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Luis Barriga, Rolf Blom, Mats Näslund
  • Publication number: 20120198527
    Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.
    Type: Application
    Filed: March 4, 2009
    Publication date: August 2, 2012
    Inventors: Mats Näslund, Rolf Blom, Yi Cheng, Fredrik Lindholm, Karl Norrman
  • Publication number: 20120190343
    Abstract: A Mobile Station (MS), a Base Station System (BSS) and a Mobile Switching Centre (MSC) of a cellular network, such as GSM, are disclosed. According to one embodiment, the MS is arranged to carry out one or more security features in its communication with the network. For example, the MS may be arranged to: by means of information received in a signalling message (0) from the network, discover if the network supports one or more of said security features, exchange information with the network in order to enable the use of one or more of the above-mentioned supported security features in the communication, carry out at least one of the one or more of the supported security features in the communication with the network.
    Type: Application
    Filed: September 28, 2009
    Publication date: July 26, 2012
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Thomas Johansson, Håkan Englund, Mats Näslund
  • Patent number: 8196194
    Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and if found valid encrypts the streaming data using a standardized real-time protocol such as the SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited for in particular wireless clients and similar devices having a low capacity such as cellular telephones and PDAs.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: June 5, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom, Karl Norrman, Göran Selander, Mats Näslund
  • Publication number: 20110296489
    Abstract: A method of authenticating a user who is a subscriber of a home network, authenticated in a first network, for accessing a service in a second network. This method includes: authenticating the user in the first network with a first authentication method selected in an authentication server; reserving resources for the service towards a rules enforcement device; requesting control rules for the resources towards a control rules server; submitting towards the control rules server information about the first authentication method; determining at the control rules server whether a further authentication of the user with a further authentication method is required; and instructing from the control rules server towards the authentication server to force the further authentication of the user with the further authentication method.
    Type: Application
    Filed: December 20, 2007
    Publication date: December 1, 2011
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Susana Fernandez Alonso, Mats Näslund, John Michael Walker
  • Patent number: 8014523
    Abstract: The present invention relates to arrangements and methods for generating keys for cryptographic processing of communication between a first communication unit (200) and a second communication unit (300). The first communication unit (200) and second communication unit (300) are adapted to obtain knowledge about a secret function, wherein the first communication unit comprises: means for selecting a value z (210), means for calculating the secret function as a function of the selected value z (220), means for processing data with the calculated secret function (230), and means for transmitting the processed data in association with the selected z to the second communication unit (240), wherein the secret function is selected from a set of functions that are almost k-wise independent.
    Type: Grant
    Filed: December 1, 2005
    Date of Patent: September 6, 2011
    Assignee: Ericsson AB
    Inventor: Mats Näslund
  • Publication number: 20110211693
    Abstract: The present invention relates to a method of key management and to an apparatus (200) of a communication network (100) comprising a plurality of groups (141, 142, 143), each group (141) including one or several members (132A, 132B, 132C) authorized to have access to key-protected services provided by the apparatus. According to the method, it is determined when a member (132A) starts a switching action from one service to another, and a time dependent quantity starting from the switching action is determined. The method further comprises determining that the member (132A) is a member of a switching group (150) when the quantity is less than a threshold value, and when the quantity is larger than the threshold, determining that the member (132A) has decided to join a new group (142), and changing the appropriate access key(s).
    Type: Application
    Filed: October 30, 2008
    Publication date: September 1, 2011
    Inventors: Tereza Cristina Melo de Brito Carvalho, Vlad Constantin Coroama, Mats Näslund, Makan Pourzandi, Marcos Antonio Simplicio Junior, Yeda Regina Venturini
  • Publication number: 20110093609
    Abstract: A method and apparatus for sending a first secured media stream having a payload via an intermediate node. The intermediate node receives from a sender the first secured media stream. An end-to-end context identifier and a hop-by-hop context identifier are determined for the first secured media stream, where the hop-by-hop context identifier relates to the intermediate node and the end-to-end identifier relates to the sender. A second secured media stream is generated, which includes at least the payload of the first secured media stream and the context identifiers to identify the first secured media stream. The second secured media stream is sent to a receiving node, and the context identifiers are also sent to the receiving node. The context identifiers are usable by the receiving node to recover the first secured media stream.
    Type: Application
    Filed: February 20, 2009
    Publication date: April 21, 2011
    Inventors: Rolf Blom, Yi Cheng, John Mattsson, Mats Näslund, Karl Norrman