Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.

Abstract: In conjunction with establishment of a session between an access network and user equipment of a communication system, session-specific information is transmitted from the access network to the user equipment. The session-specific information transmitted from the access network to the user equipment comprises information to be utilized in an authentication protocol carried out between the user equipment and an authentication server of the system. For example, the session-specific information transmitted from the access network to the user equipment may comprise an identifier of a gateway coupled between the access network and the authentication server.

Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.

Abstract: Techniques are disclosed for discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device (e.g., a first client) and a second computing device (e.g., a second client) comprises the following steps. The first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device. The secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device (e.g., an intercepting server) can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.

Abstract: In one embodiment, a method of the invention has the steps of: (A) establishing an access-layer security association (SA) between a mobile node (MN) and an authentication authorization accounting (AAA) server; (B) deriving a secondary key from an extended master session key (EMSK) corresponding to the access-layer SA; (C) providing the secondary key to a home agent; and (D) based on the secondary key, establishing an SA corresponding to an Open System Interconnection (OSI) layer higher than the access layer for securing communications between the home agent and a selected network node. In various embodiments, the selected network node can be (i) the MN, (ii) a proxy node configured on behalf of the MN, or (iii) a proxy node configured on behalf of the home agent.

Abstract: An automated method is provided for mutual discovery between a network entity and a client entity that cooperate for providing a service in a machine-to-machine environment. In an embodiment, the network entity receives an identifier in a communication from a server on behalf of the client entity. At some point in time, the network entity receives a communication containing the identifier from the client entity. Before or after receiving the client entity communication, the network entity discovers itself to the client entity. Some time after receiving the client entity communication, the network entity authenticates the client entity, establishes a permanent security association with the client entity, and initiates the service.

Abstract: Techniques are disclosed for forming a discoverable security association in communication environments and for lawfully discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device and a second computing device comprises the following steps. The first computing device obtains from a key management entity: (i) a first private key assigned to the first computing device, which is computationally associative with a first public key associated with the first computing device; and (ii) a first root key assigned to the first computing device. The first computing device chooses a first random value and generating a first nonce, wherein the first nonce is a result of an encryption of the first random value using the first root key. The first computing device generates a first key component based on the first random value.

Abstract: A method of providing peer to peer discovery for a plurality of mobiles on a communications network, the plurality of mobiles including at least a first mobile and a second mobile, includes detecting, at a network element, that the first and second mobiles are in proximity with respect to one another; generating a determination result at the network element after the detecting, the determination result indicating whether the first and second mobiles are capable of establishing a direct device to device (D2D) link with one another based on signal reception qualities of the first and second mobiles; and generating a D2D capability message at the network element based on the determination result, the D2D capability message indicating that the first and second mobiles are capable of establishing a D2D link with one another.

Abstract: A tracker node verifies content possession by a peer node in a peer-to-peer content distribution system. Upon receiving an announcement that a peer node claims to possess a content item, the tracker node in one embodiment obtains the content item, selects a random portion of the content item; formulates a challenge based on the random portion of the content item and determines an expected challenge response. The challenge may comprise, for example, a request for a hash of the random portion (or alternatively, a hash of the random portion and a random seed value). The tracker node issues the challenge to the announcing node and verifies the announcing node's possession of the content item if the challenge response from the announcing node matches the expected challenge response.

Abstract: The present invention provides a method of wireless communication with at least one mobile unit and at least one authentication center in a wireless telecommunications network. The method includes generating at least one access request based upon at least one first sequence number associated with the mobile unit and receiving at least one message formed based upon the access request, the message including at least one second sequence number associated with the authentication center, the second sequence number selected to be acceptable to the mobile unit.

Abstract: A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK.

Abstract: A tracker node verifies content possession by a peer node in a peer-to-peer content distribution system. Upon receiving an announcement that a peer node claims to possess a content item, the tracker node in one embodiment obtains the content item, selects a random portion of the content item; formulates a challenge based on the random portion of the content item and determines an expected challenge response. The challenge may comprise, for example, a request for a hash of the random portion (or alternatively, a hash of the random portion and a random seed value). The tracker node issues the challenge to the announcing node and verifies the announcing node's possession of the content item if the challenge response from the announcing node matches the expected challenge response.

Abstract: Structures and methods are disclosed for verifying integrity of peer-supplied content in a peer-to-peer content distribution system, for example, to verify that content supplied from a sending peer node to a receiving peer node corresponds to the content that was requested by the receiving node.

Abstract: Techniques include, in response to a first communication network of a hybrid communication system being aware of a potential for a mismatch of reported authentication parameters associated with a second communication network of the hybrid communication system, wherein the first communication network is used to transport the reported authentication parameters to the second communication network, the first communication network preventing the mismatch of the reported authentication parameters. In one example, the first communication network is an LTE network and the second communication network is a CDMA2000 network.

Abstract: Techniques are disclosed for forming a discoverable security association in communication environments and for lawfully discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device and a second computing device comprises the following steps. The first computing device obtains from a key management entity: (i) a first private key assigned to the first computing device, which is computationally associative with a first public key associated with the first computing device; and (ii) a first root key assigned to the first computing device. The first computing device chooses a first random value and generating a first nonce, wherein the first nonce is a result of an encryption of the first random value using the first root key. The first computing device generates a first key component based on the first random value.

Abstract: Techniques are disclosed for discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device (e.g., a first client) and a second computing device (e.g., a second client) comprises the following steps. The first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device. The secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device (e.g., an intercepting server) can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.

Abstract: A communication system includes at least a mobile station, a base station, a gateway and a server, with the base station being configured for wireless communication with the mobile station, and the gateway being configured for connection between the base station and the server. The server stores information indicative of at least one established security capability of the mobile station, and sends at least a portion of that information to the gateway, possibly in conjunction with an authentication process for the mobile station. The gateway uses the information received from the server to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with the established security capability or capabilities of the mobile station. This can advantageously allow the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.

Abstract: The present invention provides a method involving a mobile node, a home agent, and an authentication server in a wireless communication system. The method includes generating, at the authentication server, a first security key that indicates a secure association between the home agent and the mobile node based on a second security key that indicates a secure association between the mobile node and the authentication server. The method also includes generating, at the authentication server, at least one first index associated with the first security key. The first index is also generated by the mobile node. The method also includes storing, at the authentication server, the first index and the first security key.

Abstract: A key distribution scheme is provided, which is useful for establishing, distributing, and maintaining security associations in a Mobile IP network. An authentication server performs an initial validation of a new session and generates a root key which it delivers to the initial access gateway and to the home agent. The initial access gateway and the home agent each independently compute a derivative key available only to themselves. The initial access gateway, acting as proxy for the mobile station, uses the derivative key to sign the Mobile IP registration or binding update transactions, and sends the signed registration or binding update to the home agent for validation. Once the session is established between the mobile station and the home agent, the access gateways act as proxies on behalf of the mobile station to maintain the session mobility. In handoff, the new access gateway acquires the root key as part of the transferred session context.

Abstract: An automated method is provided for mutual discovery between a network entity and a client entity that cooperate for providing a service in a machine-to-machine environment. In an embodiment, the network entity receives an identifier in a communication from a server on behalf of the client entity. At some point in time, the network entity receives a communication containing the identifier from the client entity. Before or after receiving the client entity communication, the network entity discovers itself to the client entity. Some time after receiving the client entity communication, the network entity authenticates the client entity, establishes a permanent security association with the client entity, and initiates the service.