Abstract: There is disclosed a system for authentication of a device in a network by establishing a second security context between the device and a serving network node when a first security context has previously been established, assisted by an authentication server, based on a random value and a secret shared between an identity module associated with the device and the authentication server. First re-use information from the establishment of the first security context is stored at the authentication server and at the device, the first re-use information enabling secure generation of the second security context from the random value and the secret. Second re-use information may be generated or stored at the device. A context regeneration request is generated at the device, the context regeneration request authenticated at least partly based on the secret. The context regeneration request is sent to the serving network node.

Abstract: Before actually communicating information/data between two endpoints (C, S) connected to a network a secure and confidential distribution of a special key (K h) is performed to nodes (R j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on-the particular path will receive the special key or possibly some other information related thereto.

Abstract: Method and apparatus for controlling the routing of data packets in an IP network (200). A DNS system (202) stores a packet admission policy configured for a first end-host (B) that dictates conditions for allowing other end-hosts to get across data packets to the first end-host or not. A routing voucher is defined which is required for routing data packets to the first end-host. The routing voucher is distributed to routers (R) in the IP network. When an address query is received at the DNS system (202) from a second end-host, the voucher is supplied to the second end-host if the configured policy allows the second end-host to convey data packets. Otherwise, the voucher is not supplied. If allowed, the second end-host will add the routing voucher to any data packets directed to the first end-host. When a valid routing voucher is present in a packet at a router (204) in the network, the packet will be forwarded to the next router in the IP network. The router will otherwise discard the packet.

Abstract: The invention relates to an apparatus for analyzing and reconfiguring a technical system (2) with respect to security, as well as a corresponding decision support system and computer program product. A graph constructor (20) provides, based on technical information about the system (2) received via an input interface (10), a representation of potential attacks in a directed graph of attack nodes. A system/countermeasure analysis unit (30) ranks different sets of countermeasures to enable a selected set of countermeasures to be taken to improve security. The analysis unit (30) performs the following procedure for each set of countermeasures: i) logically apply the set of countermeasures to attacks in the directed graph, and ii) determine a rank of the applied set of countermeasures based on the effectiveness of the countermeasures with respect to the reduction of the risk of attacks.

Abstract: A method and apparatus for sending protected media data from a data source node to a client node via an intermediate node. The data source node establishes a first hop-by-hop key to be shared with the intermediate node and an end-to-end key to be shared with the client node. A single security protocol instance is configured and used to trans-protocol form data from a media stream into transformed data using the keys. The transformed data is then sent to the intermediate node. The intermediate node uses the first hop-by-hop key to apply a security processing to the transformed data, and establishes a second hop-by-hop key with the client node. A second transformation is performed on the transformed data using the second hop-by-hop key to produce further transformed media data, which is then sent to the client node.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A method and communication node for providing secure communications and services in a High Availability (HA) cluster. The communication node comprises an Operating System (OS) that detects an unavailability of a first service application process and switches a second service application process from the first state to the second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster. The OS generates a private key for the second service application process based on its second state. The set of rights associated to the second state allows the OS to replace the first service application process with the second service application process for providing secure communications between the second service application and other service application processes in the HA cluster.

Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication or at least one network properly relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a sue and network such as the home network (5) of the subscriber ask UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.

Abstract: A method of controlling access to content comprises receiving, at a domain gateway (3) of a domain (4), a request from a device (5) in the domain for access to the content. It is determined at the domain gateway whether the number of devices in the domain currently accessing the content is equal to a specified maximum number of devices that may simultaneously access the content. The maximum number of devices that may simultaneously access the content is independent of the number of devices in the domain. If the determination is that the number of devices in the domain currently accessing the content is less than the specified maximum number the request is allowed, otherwise it is refused.

Abstract: Method and apparatus for controlling transmission of data packets in a packet-switched network. When a first end-host (A) sends an address query to a DNS system (300) for a second end-host, the DNS system responds by providing a sender key created from a destination key registered for the second end-host, if the first end-host is authorized to send packets to the second end-host. Thereby, the first end-host, if authorized, is able to get across data packets to the second end-host by attaching a sender tag (TAG) generated from the sender key, as ingress tag to each transmitted data packet. A router (302) in the network matches an ingress tag in a received packet with entries in a forwarding table and sends out the packet on an output port (X) according to a matching entry. Otherwise, the router discards the packet if no matching entry is found in the table.

Abstract: According to an aspect of the present invention there is provided a method of operating a communication device, the communication device being part of a group comprising two or more communication devices that share a subscription to a communication network. The method comprises receiving a group authentication challenge from the network, at least part of the group authentication challenge having been generated using group authentication information that is associated with the shared subscription. The device then generates a device specific response to the group authentication challenge using the group authentication information and device specific authentication information and sends the device specific response to the network. The device is for example a member of a machine-type communication device group.

Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept.

Abstract: The present invention relates to fraud prevention and authentication of a device to a user. The method of authenticating a personal device according to the invention comprises a set up sequence, wherein at least a first preferred output format is selected by the user, and a device configuration verification sequence. In the device configuration verification sequence a checksum is calculated and converted to a user friendly output format based on the user selected preferred output format. In addition the checksum may be calculated based on variable, and user selectable, keying material. The personal device, after being authenticated according to the above, may be used to authenticate a second device.

Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept.

Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.

Abstract: A method of key management in a communication network that includes a plurality of groups with each group including one or several members authorized to have access to key-protected services is provided by an apparatus. The method includes determining when a member starts a switching action from one service to another. A time dependent quantity starting from the switching action is determined. The method includes determining that the member is a member of a switching group when the quantity is less than a threshold value is made, and when the quantity is larger than the threshold, determining that the member has decided to join a new group, and changing the appropriate access key(s).

Abstract: A method and arrangement in a first mobile terminal (600) for determining allocation of radio resources for DMO communication amongst a group of mobile terminals. M the first mobile terminal, a first determining module 600a determines a communication (Sout, Sin) with a second mobile terminal (602) of the group. A second determining module (600b) determines a resource element (RE) for communication by applying a predefined cryptographic function P based on a terminal identification (K)). The cryptographic function has been configured in the mobile terminals of the group to provide terminal-specific resource elements for different mobile terminals within respective radio frames. A communication module (600c) then communicates with the second mobile terminal (602), either by transmission or reception of the data, on the determined resource element (RE).

Abstract: A technique for generating a cryptographic key is provided. The technique is particularly useful for protecting the communication between two entities cooperatively running a distributed security operation. The technique comprises providing at least two parameters, the first parameter comprising or deriving from some cryptographic keys which have been computed by the first entity by running the security operation; and the second parameter comprising or deriving from a token, where the token comprises an exclusive OR of a sequence number (SQN) and an Anonymity Key (AK). A key derivation function is applied to the provided parameters to generate the desired cryptographic key.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches again the content from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore no read or modify the content.