Patents by Inventor Nicholas Bone

Nicholas Bone has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10700874
    Abstract: System and method for providing secure machine to machine, M2M, communications comprising a device management, DM, server configured to obtain credentials of one or more M2M devices and provision the one or more M2M devices with credentials of a virtual private network, VPN. An application programming interface, API. A VPN server comprising a first communications interface configured to communicate API requests and API responses with the API. A second communications interface configured to provide a VPN for the one or more M2M devices. Logic configured to issue an API request, wherein the request includes the credentials of the VPN. Receive an API response from the DM server including an indication of the one or more M2M devices provisioned with the credentials of the VPN. Initiate a VPN over the second interface between the one or more M2M devices and the VPN server.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: June 30, 2020
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 10700854
    Abstract: Method, system and apparatus for provisioning a subscription of a service to a device comprising: receiving a message from a device, the message protected by first provisioning data installed on the device. Authenticating the message using data corresponding to the first provisioning data. On successful authentication, providing data enabling the device to recover protected second provisioning data from a subscription manager. Providing the device with the protected second provisioning data.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: June 30, 2020
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Stephen Babbage, Aguibou Barry
  • Patent number: 10680814
    Abstract: A device, method or server having memory configured to store cryptographic material required to execute one or more device functions. A communications interface for communicating over a network. Logic configured to receive from the server over the communications interface the cryptographic material required to execute the one or more device functions. The device is configured to delete the cryptographic material from the memory.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: June 9, 2020
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 10484869
    Abstract: Method and system for communicating securely with a user equipment, UE, using generic bootstrapping architecture, GBA, the system comprising a bootstrapping server function, BSF. A proxy server configured to receive messages from a user equipment, UE, in a first format. Convert the received messages from the first format to a second format. Transmit the received UE messages to a bootstrapping server function, BSF, in the second format. Receive messages from the BSF, in a third format. Convert the messages received from the BSF from the third format to a fourth format. Transmit the received BSF messages to the UE in the fourth format.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: November 19, 2019
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 10455385
    Abstract: Provisioning a subscriber in a network is provided by: receiving an initialisation request for access to a network on behalf of a subscriber, at an admission platform of a network operator associated with the subscriber, and assigning the subscriber limited access rights to the network, the limited access rights being configured for communication between the subscriber and a subscription manager, for reconfiguration of identity information associated with the subscriber.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: October 22, 2019
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Stephen Babbage, Nicholas Bone, Christopher Pudney, Aguibou Mountaga Barry
  • Patent number: 10298397
    Abstract: Embodiments disclosed herein provide a server, a device and methods for providing security data to a device requiring a password for use in protecting a function of the device. An example method comprises communicating a device identifier to the server; the server communicating security data to the device, wherein the password is derivable, at least in part, from the security data; the device deriving the password, at least in part, from the security data and storing the password as the access code for the protected function; and the server storing the device identifier with an association to the password.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: May 21, 2019
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Publication number: 20180205542
    Abstract: Method, system and apparatus for provisioning a subscription of a service to a device comprising: receiving a message from a device, the message protected by first provisioning data installed on the device. Authenticating the message using data corresponding to the first provisioning data. On successful authentication, providing data enabling the device to recover protected second provisioning data from a subscription manager. Providing the device with the protected second provisioning data.
    Type: Application
    Filed: May 29, 2015
    Publication date: July 19, 2018
    Inventors: Nicholas Bone, Stephen Babbage, Aguibou Barry
  • Patent number: 9992670
    Abstract: Facilitating authentication on communication between a mobile terminal and a server is achieved. The communication is made through a Serving GPRS Support Node (SGSN) of a network in which the mobile terminal is operating. A Home Public Land Mobile Network (PLMN) of the mobile terminal generates a ciphering key for encryption of packet-switched data between the mobile terminal and the server. As part of a message from a network entity in the Home PLMN to the SGSN in which the SGSN expects to receive the ciphering key, alternative data is communicated in place of the ciphering key. Secure communication between the mobile terminal and the server is performed by applying encryption using a ciphering key generated by a network entity in a Home PLMN of the mobile terminal in messages between the mobile terminal and the server.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: June 5, 2018
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Christopher Pudney, Assen Mahaboob Khan Golaup, Nicholas Bone
  • Patent number: 9699156
    Abstract: To enable formation of secure associations between IP-enabled devices when they have not previously connected, a method is proposed where a declaration of ownership of a target device is made by the subscriber of an originating device and that subscriber giving that declaration is authenticated by means of a SIM card, say. The originating device establishes secure connection to a first server. The target device establishes a secure connection to a second server. Provided the first and second servers can establish a conventional IP-type SA (e.g. using IPSec or TLS), there is a chain of secure associations between the two devices. This chain is then used to build a new secure association between originating device and target device. The first and second servers thus act as proxies for two devices respectively and negotiate the secure association on their behalf. They then transfer the new secure association information securely to the devices using the existing chain of secure associations.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: July 4, 2017
    Assignee: Vodafone IP Licensing Limited
    Inventor: Nicholas Bone
  • Patent number: 9668129
    Abstract: To allow devices to authenticate to a wide area mobile network when they temporarily do not have a connection to a SIM card and to authenticate the base station and so protect against false base stations, a system is provided where certain authentication credentials are pre-fetched while connection to the SIM card and the authentication subsystem of the wide area mobile network are in signaling connection. These advance credentials are then presented by the devices in authentication requests without requiring access via the mobile network or the connected presence of the SIM card being necessary for successful authentication.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: May 30, 2017
    Assignee: Vodafone IP Licensing Limited
    Inventors: Nicholas Bone, Peter Howard
  • Publication number: 20170054564
    Abstract: System and method for providing secure machine to machine, M2M, communications comprising a device management, DM, server configured to obtain credentials of one or more M2M devices and provision the one or more M2M devices with credentials of a virtual private network, VPN. An application programming interface, API. A VPN server comprising a first communications interface configured to communicate API requests and API responses with the API. A second communications interface configured to provide a VPN for the one or more M2M devices. Logic configured to issue an API request, wherein the request includes the credentials of the VPN. Receive an API response from the DM server including an indication of the one or more M2M devices provisioned with the credentials of the VPN. Initiate a VPN over the second interface between the one or more M2M devices and the VPN server.
    Type: Application
    Filed: July 12, 2016
    Publication date: February 23, 2017
    Inventors: Nicholas BONE, Tim SNAPE
  • Publication number: 20170041733
    Abstract: Provisioning a subscriber in a network is provided by: receiving an initialisation request for access to a network on behalf of a subscriber, at an admission platform of a network operator associated with the subscriber, and assigning the subscriber limited access rights to the network, the limited access rights being configured for communication between the subscriber and a subscription manager, for reconfiguration of identity information associated with the subscriber.
    Type: Application
    Filed: April 14, 2015
    Publication date: February 9, 2017
    Inventors: Stephen BABBAGE, Nicholas BONE, Christopher PUDNEY, Aguibou Mountaga BARRY
  • Publication number: 20170041785
    Abstract: Method and system for communicating securely with a user equipment, UE, using generic bootstrapping architecture, GBA, the system comprising a bootstrapping server function, BSF. A proxy server configured to receive messages from a user equipment, UE, in a first format. Convert the received messages from the first format to a second format. Transmit the received UE messages to a bootstrapping server function, BSF, in the second format. Receive messages from the BSF, in a third format. Convert the messages received from the BSF from the third format to a fourth format. Transmit the received BSF messages to the UE in the fourth format.
    Type: Application
    Filed: July 12, 2016
    Publication date: February 9, 2017
    Inventors: Nicholas BONE, Tim SNAPE
  • Publication number: 20170019254
    Abstract: A device, method or server having memory configured to store cryptographic material required to execute one or more device functions. A communications interface for communicating over a network. Logic configured to receive from the server over the communications interface the cryptographic material required to execute the one or more device functions. The device is configured to delete the cryptographic material from the memory.
    Type: Application
    Filed: May 31, 2016
    Publication date: January 19, 2017
    Inventors: Nicholas Bone, Tim Snape
  • Publication number: 20160373258
    Abstract: The present disclosure provides a server 120, a device 110 and methods for providing security data to a device 110 requiring a password for use in protecting a function of the device 110. An example method comprises communicating a device identifier to the server 120; the server 120 communicating security data to the device 110, wherein the password is derivable, at least in part, from the security data; the device 110 deriving the password, at least in part, from the security data and storing the password as the access code for the protected function; and the server 120 storing the device identifier with an association to the password.
    Type: Application
    Filed: May 31, 2016
    Publication date: December 22, 2016
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 9425844
    Abstract: Where a smartcard is embedded or inaccessible within a cellular telecommunications device (i.e. an eUICC), locking the smartcard (or the subscription associated with the smartcard) to a particular MNO while allowing the MNO to be altered legitimately presents a challenge. A method is described using policy control tables stored in a trusted service manager registry and/or the smartcard's data store. By maintaining the policy control table, any MNO subscription may be downloaded/activated on the smartcard but the device will be prevented from accessing the desired MNO because that access would violate the lock rules.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: August 23, 2016
    Assignee: Vodafone IP Licensing Limited
    Inventors: Stephen Babbage, Nicholas Bone
  • Patent number: 9271148
    Abstract: To facilitate authentication over a wireless access network, it is proposed to provide a hub device having an authentication storage means (i.e. a (U)SIM) to which one or more machine devices are connected. Each machine device connects to a wireless access network and in order to authenticate with that network requests authentication information from the hub device. The core network of the wireless access network authenticates each machine device and provides the machine devices with parallel access to the access network in accordance with authentication information obtained from the hub device. The authentication information is unique to the respective machine device but also associated with information stored on the authentication storage means of the hub device.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: February 23, 2016
    Assignee: Vodafone IP Licensing Limited
    Inventor: Nicholas Bone
  • Publication number: 20160050562
    Abstract: Facilitating authentication on communication between a mobile terminal and a server is achieved. The communication is made through a Serving GPRS Support Node (SGSN) of a network in which the mobile terminal is operating. A Home Public Land Mobile Network (PLMN) of the mobile terminal generates a ciphering key for encryption of packet-switched data between the mobile terminal and the server. As part of a message from a network entity in the Home PLMN to the SGSN in which the SGSN expects to receive the ciphering key, alternative data is communicated in place of the ciphering key. Secure communication between the mobile terminal and the server is performed by applying encryption using a ciphering key generated by a network entity in a Home PLMN of the mobile terminal in messages between the mobile terminal and the server.
    Type: Application
    Filed: July 20, 2015
    Publication date: February 18, 2016
    Inventors: Christopher PUDNEY, Assen GOLAUP, Nicholas BONE
  • Publication number: 20160050561
    Abstract: Communicating between a mobile terminal and a Gateway GPRS Support Node (GGSN) in a Home Public Land Mobile Network (HPLMN) of the mobile terminal. An authentication and key agreement push message is communicated from the GGSN to the mobile terminal. This communicating is via a control plane channel and/or the authentication and key agreement push message is generated at the GGSN.
    Type: Application
    Filed: July 20, 2015
    Publication date: February 18, 2016
    Inventors: Christopher PUDNEY, Assen GOLAUP, Nicholas BONE
  • Publication number: 20160050568
    Abstract: Communication between a mobile terminal operating in a cellular network and a server is provided. Communication between the mobile terminal and the server is routed through a Serving GPRS Support Node (SGSN) of the cellular network in which the mobile terminal is operating. Cryptographic integrity check information is communicated in data link layer messages between the mobile terminal and the SGSN.
    Type: Application
    Filed: July 20, 2015
    Publication date: February 18, 2016
    Inventors: Christopher PUDNEY, Assen Golaup, Nicholas Bone