Abstract: A method of forwarding IP packets, sent to an old care-of-address of a mobile node, to the mobile node following a handover of the mobile node from a first old access router to a second new access router. The method comprises, prior to completion of said handover, providing said first router or another proxy node with information necessary to determine the new IP care-of address to be used by the mobile node when the mobile node is transferred to the second access router. At said first router or said proxy node, the new care-of-address for the mobile node is determined using said information and ownership of the new care-of-address by the mobile node confirmed, and subsequently packets received at said first access network and destined for said old care-of-address are forwarded to the predicted care-of-address address.

Abstract: A modified Host Identity Protocol, HIP, base exchange method is provided for use by first and second HIP hosts (Initiator and Responder) having a shared state from a pre-existing relationship. In the modified HIP base exchange method, an authentication message (I2?) is sent (S2) from the first host (Initiator) to the second host (Responder) comprising an identifier (HITI) of the first host (Initiator) and a cryptographic item (PF). The authentication message (I2?) is received (S3) at the second host (Responder). Following receipt, the identifier and information relating to the shared state are used (S4) to authenticate the cryptographic item (PF). If the cryptographic item, and the rest of the authentication message, is authenticated, a confirmation message (R2?) is sent from the second host (Responder) to the first host (Initiator) to indicate successful authentication.

Abstract: A method of improving privacy by hiding, in an ordered sequence of messages M[x(1), D(1)], M[x(2), D(2)], etc, communicated between a first and at least one second party sharing a key k, metadata x(i) descriptive of message processing, wherein D(i) denotes payload data. The method comprises the first and the second party agreeing on a pseudo random mapping depending on a shared key k, Fk, mapping at least x(i) to y(i), and the first party modifying the messages by replacing x(i) by y(i) in each message M(x(i), D(i)). The first party then transmits the modified messages maintaining their original order, and on reception of a message M(y(m), D), the second party uses a mapping Gk to retrieve position m of received value and the original value x(m).

Abstract: A method of delegating responsibility for an IP address owned by a first IP network node to a second IP network node, at least a part of the IP address being derivable from a public key of a public/private key pair belonging to the first node. The method comprises notifying the first node of a public key of a public/private key pair belonging to the second node, at the first node, signing the public key of the second node with the private key of the first node to provide an authorisation certificate, and sending the authorisation certificate from the first node to the second node, wherein the authorisation certificate is subsequently included with messages relating to said IP address and signed with the private key of the second node, sent from the second node to receiving nodes, and is used by the receiving nodes to verify the second node's claim on the IP address.

Abstract: A method of facilitating Internet Protocol access by a mobile node to an access Network, the method comprising: sending an attachment request from the mobile node to an access router of the access network, the request containing a mobile node identifier and an Interface Identifier or means for deriving an Interface Identifier, and being signed by the mobile node to allow the message to be authenticated as originating at that mobile node; receiving the request at the access router and authenticating the message there using the signature, and in response to the receipt and authentication of the message, performing a predefined set of tasks delegated to the access node and which are required to facilitate said access; and returning an acknowledgment from the access router to the mobile node confirming the access permission, the acknowledgement containing a network routing prefix and means for authenticating the access router to the mobile node.

Abstract: A method is provided of using the Host Identity Protocol (HIP) to at least partially secure communications between a first host (102) operating in a first network environment and a second, HIP-enabled host (122) operating in a second network environment, with a gateway node (114) forming a gateway between the two environments. In the method, an identifier is associated with the first host (102), stored at the gateway node (114), and sent to the first host (102). The identifier is then used as a source address in a subsequent session initiation message sent from the first host (102) to the gateway node (114), having an indication that the destination of the message is the second host (122). The stored identifier at the gateway node is then used to negotiate a secure HIP connection to the second host. The first network environment may be a UMTS or GPRS environment, in which case the gateway node may be a Gateway GPRS Support Node (GGSN).

Abstract: A method of securely initialising subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using said subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.

Abstract: A method of authenticating a mobile node to a communication system is provided, the communication system comprising a plurality of access nodes, the method comprising the steps of (a) generating a numerical chain comprising a series of values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value; (b) sending a value from the first numerical chain from the mobile node to an access node to which the mobile node wishes to attach; and (c) using the sent value at the access node to authenticate the mobile node.

Abstract: A method of verifying that a host coupled to an IP network is authorised to use an IP address which the host claims to own, the IP address comprising a routing prefix and an interface identifier part. The method comprises receiving from the host one or more components, applying a one-way coding function to the or each component and/or derivatives of the or each component, and comparing the result or a derivative of the result against the interface identifier part of the IP address. If the result or its derivative matches the interface identifier the host is assumed to be authorised to use the IP address and if the result or its derivative does not match the interface identifier the host is assumed not to be authorised to use the IP address.

Abstract: A method of forwarding IP packets, sent to an old care-of-address of a mobile node, to the mobile node following a handover of the mobile node from a first old access router to a second new access router. The method comprises, prior to completion of said handover, providing said first router or another proxy node with information necessary to determine the new IP care-of address to be used by the mobile node when the mobile node is transferred to the second access router. At said first router or said proxy node, the new care-of-address for the mobile node is determined using said information and ownership of the new care-of-address by the mobile node confirmed, and subsequently packets received at said first access network and destined for said old care-of-address are forwarded to the predicted care-of-address address.

Abstract: A method of delegating responsibility for an IP address owned by a first IP network node to a second IP network node, at least a part of the IP address being derivable from a public key of a public/private key pair belonging to the first node. The method comprises notifying the first node of a public key of a public/private key pair belonging to the second node, at the first node, signing the public key of the second node with the private key of the first node to provide an authorisation certificate, and sending the authorisation certificate from the first node to the second node, wherein the authorisation certificate is subsequently included with messages relating to said IP address and signed with the private key of the second node, sent from the second node to receiving nodes, and is used by the receiving nodes to verify the second node's claim on the IP address.

Abstract: A method of verifying that a host coupled to an IP network is authorised to use an IP address which the host claims to own, the IP address comprising a routing prefix and an interface identifier part. The method comprises receiving from the host one or more components, applying a one-way coding function to the or each component and/or derivatives of the or each component, and comparing the result or a derivative of the result against the interface identifier part of the IP address. If the result or its derivative matches the interface identifier the host is assumed to be authorised to use the IP address and if the result or its derivative does not match the interface identifier the host is assumed not to be authorised to use the IP address.

Abstract: A data processing system implements a security protocol based on processing data in packets. The data processing system comprises processing packets for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine, whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.

Abstract: The present invention relates to electronic monetary systems in general, and in particular to measures for making their use easier for an average user. The present invention is based on the idea that the use of electronic money is greatly simplified for a non-expert user, if the Internet Service Provider of the user takes care of the payments, and adds corresponding charges on the user's telephone bill. Such functionality requires the intervention of the ISP in the transmissions between a user and a third party, i.e. intercepting the electronic payment requests sent by a merchant. According to the present invention, the ISP uses electronic money on behalf of the user, and charges the payments on the user's telephone bill. The ISP can take care of all technical details necessary for obtaining different forms of electronic money in a centralized manner, and all users of the ISP can use the electronic money obtained by the ISP simply by allowing the ISP to add corresponding charges to their telephone bills.