Abstract: A method and an arrangement for providing keys for protecting communication between a terminal (300) and service points in a communication network. A basic key (Ik) is first established with a service control node (304) when the terminal has entered the network. An initial modified key (Ik1) is then created in both the service control node and the terminal, by applying a predetermined first function (f) to at least the basic key and an initial value of a key version parameter (v). The initial modified key is sent to a first service point (302), such that it can be used to protect communication between the terminal and the first service point. When the terminal switches to a second service point (306), the first service point and the terminal both create a second modified key (Ik2) by applying a predetermined second function (g) to the initial modified key, and the first service point sends the second modified key to the second service point.

Abstract: A first data handling node (304) is configured to verify data received in a data distribution network with multiple data handling nodes forming a distribution path of a network topology, by obtaining tag information from a hash server (306). The first data handling node (304) receives data (D3) and a hash tag (H3) from a second data handling node (302). The received data (D3) and hash tag (H3) have been generated by the second node based on a previous hash tag (H1, H2) generated by a preceding third data handling node (300a, 300b). The third node has delivered data (D1, D2) to the second node, and the received data (D3) has been generated by the second node based on the data (D1, D2) delivered by the third data handling node.

Abstract: A method of securing a session between a Network Application Function, NAF, and a User Equipment, UE, connected to a network. The NAF is assigned a NAF identifier, NAF_id, using the Generic Bootstrapping Architecture, GBA, or a similar architecture and a shared secret is established between the UE and the NAF (S7.1). An application request containing a bootstrapping transaction identifier is sent to the NAF from the UE (S7.2) and an authentication request comprising the bootstrapping transaction identifier, the NAF_id, and information derived from the shared secret is sent to a Bootstrapping Server Function, BSF, from the NAF (S7.4). The BSF and the UE determine a NAF key, Ks_NAF, by using a modified parameter in place of or in addition to an original parameter in a key derivation function, the modified parameter being derived from the shared secret and the original parameter of the key derivation function (S7.5). This NAF key is transmitted from the BSF to the NAF (S7.

Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.

Abstract: A method and arrangement in a first mobile terminal (600) for determining allocation of radio resources for DMO communication amongst a group of mobile terminals. M the first mobile terminal, a first determining module 600a determines a communication (Sout, Sin) with a second mobile terminal (602) of the group. A second determining module (600b) determines a resource element (RE) for communication by applying a predefined cryptographic function P based on a terminal identification (K)). The cryptographic function has been configured in the mobile terminals of the group to provide terminal-specific resource elements for different mobile terminals within respective radio frames. A communication module (600c) then communicates with the second mobile terminal (602), either by transmission or reception of the data, on the determined resource element (RE).

Abstract: A method and an arrangement for providing keys for protecting communication between a terminal (300) and service points in a communication network. A basic key (Ik) is first established with a service control node (304) when the terminal has entered the network. An initial modified key (Ik1) is then created in both the service control node and the terminal, by applying a predetermined first function (f) to at least the basic key and an initial value of a key version parameter (v). The initial modified key is sent to a first service point (302), such that it can be used to protect communication between the terminal and the first service point. When the terminal switches to a second service point (306), the first service point and the terminal both create a second modified key (Ik2) by applying a predetermined second function (g) to the initial modified key, and the first service point sends the second modified key to the second service point.

Abstract: A method that comprises maintaining, in a first node serving a mobile terminal over a connection protected by at least one first key, said first key and information about the key management capabilities of the mobile terminal. Upon relocation of the mobile terminal to a second node the method includes: if, and only if, said key management capabilities indicate an enhanced key management capability supported by the mobile terminal, modifying, by said first node, the first key, thereby creating a second key; sending, from the first node to the second node, the second key; and transmitting to the second node the information about the key management capabilities of the mobile terminal.

Abstract: A method for estimating the strength of a graphicalpassword comprising two or more segments is disclosed. In some embodiments, this advantageous solution is achieved by implementing a multi-step process. In one step, the data processing system applies a first operation on a first segment to produce a transformed segment. In another step, the data processing system performs a comparison operation between the transformed segment and a second segment. In another step, the data processing system performs a penalty operation with respect to the first segment based on an outcome of the comparison operation. The penalty operation includes one or more of (1) calculating a penalty value, wherein the penalty value may be used in calculating a value representing the strength of the graphicalpassword; and (2) disregarding the first or the second segment when calculating the value representing the strength of the graphical password.

Abstract: A method and apparatus for providing access to an encrypted communication between a sending node and a receiving node to a Law Enforcement Agency (LEA). A Key Management Server (KMS) function stores cryptographic information used to encrypt the communication at a database. The cryptographic information is associated with an identifier used to identify the encrypted communication between the sending node and the receiving node. The KMS receives a request for Lawful Interception, the request including an identity of a Lawful Interception target. The KMS uses the target identity to determine the identifier, and retrieves the cryptographic information associated with the identifier from the database. The cryptographic information can be used to decrypt the encrypted communication. The KMS then sends either information derived from the cryptographic information or a decrypted communication towards the LEA. This allows the LEA to obtain a decrypted version of the communication.

Abstract: A module (2) for integrity protection of messages transmitted from a mobile software defined radio (SDR) terminal (1), the module provided with a confined cryptographic key K and arranged to receive loaded SDR-code. The module derives an integrity protecting key Rk from at least said cryptographic key K, and provides a periodic integrity protection on-line of generated messages using said key integrity protecting key Rk, and the integrity of said messages is verified by an integrity checking node (10) of the access network.

Abstract: A method and apparatus for sending a first secured media stream having a payload via an intermediate node. The intermediate node receives from a sender the first secured media stream. An end-to-end context identifier and a hop-by-hop context identifier are determined for the first secured media stream, where the hop-by-hop context identifier relates to the intermediate node and the end-to-end identifier relates to the sender. A second secured media stream is generated, which includes at least the payload of the first secured media stream and the context identifiers to identify the first secured media stream. The second secured media stream is sent to a receiving node, and the context identifiers are also sent to the receiving node. The context identifiers are usable by the receiving node to recover the first secured media stream.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate.

Abstract: A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key.

Abstract: A method of authenticating a user who is a subscriber of a home network, authenticated in a first network, for accessing a service in a second network. This method includes: authenticating the user in the first network with a first authentication method selected in an authentication server; reserving resources for the service towards a rules enforcement device; requesting control rules for the resources towards a control rules server; submitting towards the control rules server information about the first authentication method; determining at the control rules server whether a further authentication of the user with a further authentication method is required; and instructing from the control rules server towards the authentication server to force the further authentication of the user with the further authentication method.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN, (102, 104) for transferring data packets. A mobile and multi-homed network node, MMN, (108) associated with the MMA communicates and receives data packets with the CN. An access router, AR, (106) transferring data between the MMN and the CN performs a reachability test with the MMN to determine if the MMN is still reachable. The AR sends a message to the CN to flush cached information associated with the MMN if the MMN is not reachable by the AR. The CN, upon receiving the message to flush cached information, flushes binding cache entries associated with the MMN from the CN.

Abstract: A method in a first user equipment (UE 1) connectable to a second user equipment (UE 2) via a communication network or via a direct radio communication link, of using a direct radio communication link for communication between the UEs is initiated when one of the UEs receives probe signaling information comprising a first probe token via the communication network. The UEs exchange probe signaling messages including a second and/or the first probe token at least partly according to the probe signaling information, such that one of the UEs can compare the probe tokens, generate a probing report and provide the probing report to the communication network, or to the opposite UE for evaluation in case of a successful comparison and such that a direct radio communication link can be used for communication with UE 2 in response to receiving instructions to use the second direct radio communication link from the entity by which the probing report was evaluated.