Patents by Inventor Semyon B. Mizikovsky

Semyon B. Mizikovsky has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20110158162
    Abstract: A method is provided for interworking of mobility key management among access networks operating under different access technologies. The method is carried out by performing mobility key management by a core-network authentication server based on the access technology that a mobile terminal accessing a wireless network has selected for operation. The method of the invention defines authentication server behavior based on different access technologies and therefore solves the technology interworking issue seamlessly. The method of the invention also facilitates coexistence of more than two different access technologies without any need for each access technology to be modified in order to interwork with a core network that is specified by another technology.
    Type: Application
    Filed: December 31, 2009
    Publication date: June 30, 2011
    Inventors: Semyon B. Mizikovsky, Zhibi Wang
  • Publication number: 20110107085
    Abstract: A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK.
    Type: Application
    Filed: January 8, 2010
    Publication date: May 5, 2011
    Inventor: Semyon B. Mizikovsky
  • Publication number: 20110077027
    Abstract: A technique to extend location-based (e.g. GPS) mobile device battery lifetime by reducing the location-based (e.g. GPS) circuitry power consumption is provided. The technique defines and controls when to start power and when to stop power to the device in the context of a mobile terminating (MT) location request and/or a mobile originated (MO) location request that is either on-demand or periodic.
    Type: Application
    Filed: September 30, 2009
    Publication date: March 31, 2011
    Inventors: Zhibi Wang, Semyon B. Mizikovsky
  • Publication number: 20110077021
    Abstract: The present invention provides a method involving a mobile unit, a location server, a location-based application client, and a location-based application server configured to provide location-based applications. The method includes receiving, at the location server and from the location-based application server, a request from the location-based application client for a current location of the mobile unit and attempting, at the location server, to determine the current location of the mobile unit. The method also includes providing, from the location server to the location-based application server, information indicating a previous location of the mobile unit when the attempt to determine the current location of the mobile unit is unsuccessful.
    Type: Application
    Filed: September 30, 2009
    Publication date: March 31, 2011
    Inventors: Semyon B. Mizikovsky, Zhibi Wang
  • Patent number: 7904715
    Abstract: A method is provided for operating a dual-mode access terminal such that a CAVE based authentication process may be used in both an IS-2000 and an HRPD mode of operation. Generally, the access terminal receives a CHAP challenge from an access network, and then derives a RAND challenge based on at least a portion of the CHAP challenge. The CAVE based authentication process is then performed using the RAND challenge to produce a SMEKEY and a PLCM. Thereafter a secret CHAP key is derived from the SMEKEY and PLCM and provided to the access network for purposes of authenticating the access terminal in the HRPD mode of operation.
    Type: Grant
    Filed: April 9, 2004
    Date of Patent: March 8, 2011
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: Semyon B. Mizikovsky
  • Publication number: 20100303238
    Abstract: A single instance of a session key generation protocol is executed in a manner that generates a plurality of security associations between user equipment and a first network element of a communication system. In one aspect, a first one of the security associations is utilized to secure data sent between the user equipment and the first network element in an ongoing communication. In conjunction with a handoff of the ongoing communication from the first network element to a second network element of the communication system, another one of the security associations is selected, and the other selected security association is utilized to secure data sent between the user equipment and the second network element in the ongoing communication. The security associations may comprise respective sets of session keys derived from a single pairwise master key.
    Type: Application
    Filed: May 29, 2009
    Publication date: December 2, 2010
    Inventors: Violeta Cakulev, Semyon B. Mizikovsky, Ganapathy S. Sundaram
  • Publication number: 20100235890
    Abstract: In conjunction with establishment of a session between an access network and user equipment of a communication system, session-specific information is transmitted from the access network to the user equipment. The session-specific information transmitted from the access network to the user equipment comprises information to be utilized in an authentication protocol carried out between the user equipment and an authentication server of the system. For example, the session-specific information transmitted from the access network to the user equipment may comprise an identifier of a gateway coupled between the access network and the authentication server.
    Type: Application
    Filed: March 10, 2009
    Publication date: September 16, 2010
    Inventors: Violeta Cakulev, Semyon B. Mizikovsky, Christopher Francis Mooney
  • Publication number: 20100130168
    Abstract: A communication system includes at least a mobile station, a base station, a gateway and a server, with the base station being configured for wireless communication with the mobile station, and the gateway being configured for connection between the base station and the server. The server stores information indicative of at least one established security capability of the mobile station, and sends at least a portion of that information to the gateway, possibly in conjunction with an authentication process for the mobile station. The gateway uses the information received from the server to verify that one or more security capabilities negotiated between the mobile station and the base station are consistent with the established security capability or capabilities of the mobile station. This can advantageously allow the gateway to prevent a bidding-down attack in which an attacker impersonates the mobile station to negotiate an inferior security capability with the base station.
    Type: Application
    Filed: November 26, 2008
    Publication date: May 27, 2010
    Inventor: Semyon B. Mizikovsky
  • Publication number: 20100118832
    Abstract: A method is provided for optimizing the sending of a Mobile IP Revocation Reply. According to the invention methodology, a Foreign Agent operating as the care-of address for a given mobile unit will send to the Home Agent for that mobile unit a Revocation Acknowledgement message immediately after receiving a Revocation message from the Home Agent, without awaiting the conclusion of the Foreign Agent's tear-down steps. After sending that immediate acknowledgement to the Home Agent, the Foreign Agent independently proceeds with its regular procedures of forwarding the Revocation message to the client (as needed), waiting for a response from the client (including retransmitting the request to the client on a timer if no response is received), and tearing down the user plane. With the method of the invention, the latency of the latter procedures would not result in a delay in sending the Revocation Acknowledgement from the Foreign Agent to the Home Agent.
    Type: Application
    Filed: September 30, 2009
    Publication date: May 13, 2010
    Inventors: Edward Grinshpun, Semyon B. Mizikovsky
  • Patent number: 7602918
    Abstract: The present invention provides a method of wireless communication involving at least one first base station associated with a first access serving network and at least one second base station associated with a second access serving network. The method may include generating a first key associated with the first access serving network and the second base station, receiving information indicating that the first key is temporary, and establishing a communication link with the second base station using the first key.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: October 13, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 7596225
    Abstract: The present invention provides a method for communication involving a supplicant, an authenticator, and an authentication server having an established security association based on a first key. The supplicant and the authenticator also have an established security association based on a second key. The method may include modifying the second key using the first key in response to determining that a challenge response from the supplicant is valid.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: September 29, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 7593717
    Abstract: A method is provided for determining a private key for a first network based on at least one security value associated with a second network. The method further includes establishing a plurality of sessions between a mobile terminal and the first network based on the private key.
    Type: Grant
    Filed: September 12, 2003
    Date of Patent: September 22, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: Michael Marcovici, Semyon B. Mizikovsky, Sarvar M. Patel, Uri Blumenthal
  • Publication number: 20090233578
    Abstract: Methods for dynamic management of security associations in a network are provided. According to one method, a security key management entity determines whether to apply a new security key as an active security key based on an existing active security key. Each of the new security key and the existing active security key are associated with a same home agent, and the existing active security key serves as a basis for an existing security association between the home agent and at least one other network element.
    Type: Application
    Filed: March 14, 2008
    Publication date: September 17, 2009
    Inventors: Peretz Moshe Feder, Semyon B. Mizikovsky
  • Publication number: 20090043901
    Abstract: In one embodiment, a method of the invention has the steps of: (A) establishing an access-layer security association (SA) between a mobile node (MN) and an authentication authorization accounting (AAA) server; (B) deriving a secondary key from an extended master session key (EMSK) corresponding to the access-layer SA; (C) providing the secondary key to a home agent; and (D) based on the secondary key, establishing an SA corresponding to an Open System Interconnection (OSI) layer higher than the access layer for securing communications between the home agent and a selected network node. In various embodiments, the selected network node can be (i) the MN, (ii) a proxy node configured on behalf of the MN, or (iii) a proxy node configured on behalf of the home agent.
    Type: Application
    Filed: August 9, 2007
    Publication date: February 12, 2009
    Applicant: LUCENT TECHNOLOGIES INC.
    Inventors: Semyon B. Mizikovsky, Ganapathy S. Sundaram, Zhibi Wang
  • Publication number: 20080137853
    Abstract: The present invention provides a method of operating a mobile unit in a wireless communication system. Embodiments of the method may include providing access request message(s) including information indicative of a first counter and a message authentication code formed using a first key. The first key is derived from a second key and the first counter. The second key is derived from a third key established for a security session between the mobile unit and an authenticator. The first counter is incremented in response to each access request provided by the mobile unit.
    Type: Application
    Filed: March 6, 2007
    Publication date: June 12, 2008
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Publication number: 20080059792
    Abstract: The present invention provides a method involving a mobile node, a home agent, and an authentication server in a wireless communication system. The method includes generating, at the authentication server, a first security key that indicates a secure association between the home agent and the mobile node based on a second security key that indicates a secure association between the mobile node and the authentication server. The method also includes generating, at the authentication server, at least one first index associated with the first security key. The first index is also generated by the mobile node. The method also includes storing, at the authentication server, the first index and the first security key.
    Type: Application
    Filed: April 25, 2007
    Publication date: March 6, 2008
    Inventors: Peretz M. Feder, Semyon B. Mizikovsky
  • Publication number: 20070297377
    Abstract: A key distribution scheme is provided, which is useful for establishing, distributing, and maintaining security associations in a Mobile IP network. An authentication server performs an initial validation of a new session and generates a root key which it delivers to the initial access gateway and to the home agent. The initial access gateway and the home agent each independently compute a derivative key available only to themselves. The initial access gateway, acting as proxy for the mobile station, uses the derivative key to sign the Mobile IP registration or binding update transactions, and sends the signed registration or binding update to the home agent for validation. Once the session is established between the mobile station and the home agent, the access gateways act as proxies on behalf of the mobile station to maintain the session mobility. In handoff, the new access gateway acquires the root key as part of the transferred session context.
    Type: Application
    Filed: June 26, 2006
    Publication date: December 27, 2007
    Inventors: Peter James McCann, Semyon B. Mizikovsky, Ganapathy Subramanian Sundaram
  • Patent number: 7200750
    Abstract: A first communication network is used to securely communicate a key that is used for communications over a different network. In one embodiment, a CDMA network is used to securely communicate a key that is used for communications in a data network. The key used in the data network may be used for authentication and/or enciphering or encryption.
    Type: Grant
    Filed: September 15, 2000
    Date of Patent: April 3, 2007
    Assignee: Lucent Technologies Inc.
    Inventors: Douglas N. Knisely, Robert Jerrold Marks, Semyon B. Mizikovsky
  • Patent number: 7023998
    Abstract: A method and apparatus enhancing the security of an encrypted cryptographic key by storing its key re-transforming information in a decryption store that is separate from a cryptographic key store, which stores the encrypted cryptographic key, from which accessing circuitry is able to access the encrypted cryptographic key. The cryptographic key store may be a disk drive of a computer, the decryption store may be a network access card installed in that computer or a mobile terminal coupled to that computer, and the accessing circuitry may be the computer's controller. Decryption of the encrypted cryptographic key is carried out in the decryption store, as is the subsequent encryption or decryption using the decrypted cryptographic key.
    Type: Grant
    Filed: March 30, 2001
    Date of Patent: April 4, 2006
    Assignee: Lucent Technologies Inc.
    Inventors: Juan A. Garay, Bjorn M. Jakobsson, David M. Kristol, Semyon B. Mizikovsky
  • Patent number: 6950521
    Abstract: A method for improving an established Authentication and Key Agreement procedure which prevents rogue mobiles from fraudulently gaining access to a communication system. The communication system periodically broadcasts a challenge interrogation message requesting that a mobile, which is currently validated to use the system, authenticate itself to the system. The mobile computes an authentication response based on information known only to the communication system and the USIM of the mobile and transmits said response to the communication system. The communication system also computes an authentication response and compares said response with that received from the mobile. A mobile is authenticated by the communication system when the two authentication responses are equal. Otherwise, the mobile is not given access to the communication system.
    Type: Grant
    Filed: June 13, 2000
    Date of Patent: September 27, 2005
    Assignee: Lucent Technologies Inc.
    Inventors: Michael Marcovici, Semyon B. Mizikovsky