Abstract: During a connection between a network infrastructure and user equipment a first indication of the amount of data transmitted over the connection is maintained in the network infrastructure and a second indication of the amount data transmitted is maintained in the user equipment. A checking procedure is triggered in response to encountering a predetermined checking value. The checking procedure utilizes integrity protected signalling. During the checking procedure the first indication is compared with the second indication. This checking procedure enables easy discovery of an intruder who either sends and/or receives data on an authorized connection between a network infrastructure and a mobile station, the data transmission being charged from the mobile station.

Abstract: The invention relates to a method for sharing the authorization to use specific resources among multiple devices, which resources are accessible via messages on which a secret key operation was applied with a predetermined secret master key d available at a master device 11. In order to provide an optimized sharing of authorization, it is proposed that the master device 11 splits the secret master key d into two parts d1, d2. A piece of information relating to the first part d1 of the secret master key d is forwarded to the slave device 13 for enabling this slave device to perform a partial secret key operation on a message m. The second part d2 of the secret master key d is forwarded to a server 12 for enabling the server 12 to perform partial secret key operations on a message m received from the slave device 13.

Abstract: A method for protecting traffic in a radio access network connected to at least two core networks. The method comprises maintaining a core-network-specific authentication protocol and a radio-bearer-specific ciphering process, and generating, for each ciphering process, a count parameter comprising a cyclical sequence number and a hyperframe number (HFN) which is incremented each time the cyclical sequence number completes one cycle. For each core network or authentication protocol, a first radio bearer of a session is initialized with a HFN exceeding the highest HFN used during the previous session. When a new radio bearer is established, the mobile station selects the highest HFN used during the session for the core network in question, increments it and uses it for initializing the count parameter for the new radio bearer. At the end of a session, the mobile station stores at least part of the highest HFN used during the session.

Abstract: An identifier containing at least one encrypted part is received at a first network entity. A second network entity may then be determined based on the identifier. A request for assistance in decryption of the identifier from the second network entity may be sent from the first entity to the second network entity. The second network entity may then assist the first networks entity in an appropriate manner.

Abstract: A method for protecting traffic in a radio access network connected to at least two core networks. The method includes maintaining a core-network-specific authentication protocol and a radio-bearer-specific ciphering process, and generating, for each ciphering process, a count parameter including a cyclical sequence number and a hyperframe number (HFN) which is incremented each time the cyclical sequence number completes one cycle. For each core network or authentication protocol, a first radio bearer of a session is initialized with a HFN exceeding the highest HFN used during the previous session. When a new radio bearer is established, the mobile station selects the highest HFN used during the session for the core network in question, increments it and uses it for initializing the count parameter for the new radio bearer. At the end of a session, the mobile station stores at least part of the highest HFN used during the session.

Abstract: The invention is directed to a method for checking the integrity of messages between a mobile station and the cellular network. Two time-varying parameters are used in MAC calculation, one of which is generated by the mobile station, and the other by the network. The parameter specified by the network is used in one session only, and is transmitted to the mobile station in the beginning of the connection. The parameter specified by the mobile station is stored in the mobile station between connections in order to allow the mobile station to use a different parameter in the next connection. The parameter specified by the mobile station is transmitted to the network in the beginning of the connection.

Abstract: The invention provides a method, system, program and devices such as a user equipment, terminal, smart card, for protection of a communication or session, in particular in an IMS.

Abstract: A network system is proposed comprising a first network control element in a visited network, a second network control element in a home network and a communication device (UE) associated to a subscriber, wherein the first network control element is adapted to perform a first authentication (A9) of a roaming subscriber requesting authentication, and the second network control element is adapted to perform a second authentication (A11) of the same subscriber. By this measure, both network control elements are able to verify that the authentication was performed correctly. Also a corresponding method is proposed.

Abstract: A mechanism for synchronizing transmission of frames in a telecommunications network including a mobile station, a radio network controller, at least one base station. The mobile station and each base station have a corresponding timing reference. The mechanism includes or performs the steps of establishing a connection-specific timing reference which is common to all nodes involved in the connection; determining, for the base stations an offset between the timing reference of the base station in question and the CFN; and using the offset in the base stations, to compensate for the difference between the timing references.

Abstract: A method of communication between a first node and a second node for a system where a plurality of different channels is provided between said first and second node. The method comprises the step of calculating an integrity output. The integrity output is calculated from a plurality of values, some of said values being the same for said different channels. At least one of said values is arranged to comprise information relating to the identity of said channel, each channel having a different identity. After the integrity output has been calculated, Information relating to the integrity output is transmitted from one of said nodes to the other.

Abstract: A method of communication between a first node and a second node for a system where a plurality of different channels is provided between said first and second node. The method comprises the step of calculating an integrity output. The integrity output is calculated from a plurality of values, some of said values being the same for said different channels. At least one of said values is arranged to comprise information relating to the identity of said channel, each channel having a different identity. After the integrity output has been calculated, Information relating to the integrity output is transmitted from one of said nodes to the other.

Abstract: A communications device comprising means for transmitting a signal to another party; and means for controlling the signal level with which said transmitting means transmits, wherein said signal level is initially relatively low and when a connection is established with said another party, said signal level is increased.

Abstract: A method for handling user identity and privacy, wherein a first Session Initiation Protocol (SIP) proxy is about to forward a SIP request to a next SIP proxy includes the step of determining whether Transport Layer Security (TLS) is supported in a hop to a next SIP proxy. When TLS is supported, the method includes establishing a TLS connection to the hop to the next SIP proxy, requesting a certificate from the next SIP proxy, receiving the certificate, verifying the certificate and trustworthiness of a network of the next SIP proxy and retaining identity information when the certificate and the trustworthiness of the network is verified. When TLS is not supported, or when the certificate is not verified, or when the trustworthiness of the network is not verified, the identity information is removed. Thereafter, the SIP request is forwarded over the TLS connection.

Abstract: A method, program product and system of preventing or limiting the number of simultaneous sessions in a wireless local area network (WLAN). The method includes: determining whether subscriber terminal information has been changed between an old session and a new session, maintaining a connection with the old session if the subscriber terminal information has not changed, and establishing and authenticating the new session and disconnecting the old session if the subscriber terminal information has changed. A medium access control (MAC) address and a WLAN radio network identification can be compared between the old session and the new session to determine whether subscriber terminal information has been changed.

Abstract: A recording device for digital data streams, such as digital TV broadcasts or digitized music, stores copies of program content encrypted by a key unique to the recording device. Distribution of program content is thus discouraged, since intelligible playback of program content would not be obtained on another recording device, which would have a different key. To reduce manufacturing complexity which would result from requiring all bits of a key to inhere in hardware, a first portion of the key inheres in hardware and a second portion is selected from among several candidates residing in a memory device, the key being determined by combining the first and second portions according to predetermined rules. The second portion is reselected at predetermined intervals from among the candidates. Only payload portions of packets are encrypted while header portions are left in the clear in order to facilitate ancillary functions of recorder such as fast forward, fast rewind, and program search.

Abstract: A method for authenticating a terminal in a communication system, the terminal comprising identification means for applying authentication functions to input data to form response data, and the communication system being arranged to utilise a first authentication protocol for authentication of the terminal, wherein an authentication functionality and the terminal share challenge data, the terminal forms response data and a first key by applying the authentication functions to the challenge data by means of the identification means, and returns the response data to the authentication functionality, and the authentication functionality authenticates the terminal by means of the response data and can apply an authentication function to the challenge data to duplicate the first key; the method comprising; executing a second authentication protocol wherein the terminal authenticates the identity of a network entity and the terminal and the network entity share a second key for use in securing subsequent communicat

Abstract: The present invention is a system and method which provides authentication for data services for at least one UE (12) using common authentication information based upon information stored in a HSS (16) of a home network (20) of the at least one UE for multiple protocols. At least one proxy server (18) stores authentication information for each of the protocols which may be used to provide data services to the at least one UE. Authentication of the protocols available to the least one UE uses the authentication information stored at the at least one proxy server obtained from the protocol used in the home network of the at least one UE.

Abstract: A method of communication between a calling party in a first network and a called party in a second network is disclosed. The method comprises determining in the first network an address associated with the called party. The method also comprises determining, based on the address, if the called party is in a trusted network, and controlling the communication between the called party and the calling party in dependence on if the called party is in a trusted network.

Abstract: There is disclosed a technique of providing message authentication in a communication system comprising the steps of: transmitting a first message from a first device to a second device; transmitting a second message from the second device to the first device, the second message including a message authentication code determined using said first and second messages; transmitting a third message from the first device to the second device, the third messages including a message authentication code determined using the third message. The message authentication code of the third message may be additionally based on the second or the second and first messages.

Abstract: The invention proposes a method for transmitting a message to a plurality of user entities in a network by using a multicast service, comprising the steps of encrypting a multicast message by using ciphering, and sending the encrypted multicast message to the plurality of user entities simultaneously. The invention also proposes a corresponding multicast service control device and a corresponding user entity.