Abstract: The present invention relates to a far-end control method with a security mechanism including a host transmitting an identification code through the PSTN (Public switched telephone network) to the I/O control device of the far-end. The I/O control device has a CPU to receive the identification code and judge whether the identification code matches with the predetermined value stored therein; if the identification code matches with the predetermined value, the mobile internet connection between the host and the I/O control device is activated to enable the host to mutually transmit information or signals with a far-end control device from the I/O control device through the mobile internet, and the connection will be disabled after the information or signal transmission is completed.

Abstract: A mobile application gateway configured to interconnect mobile communication devices on a cellular network with an enterprise network is provided. The mobile application gateway includes a voice and data signaling gateway configured to provide routing functionalities, service functionalities and admission control. A gateway GPRS support node (GGSN) is configured to establish a secure data session between one or more of the mobile communication devices and the enterprise network by establishing a GPRS tunneling protocol (GTP) tunnel between a carrier-hosted serving GPRS support node (SGSN) and the GGSN.

Abstract: Systems, methods, and apparatus for facilitating secure over-the-air (OTA) programming are presented herein. A device can store a key, which can be based on a key algorithm (K-algorithm) and an identifier associated with the device. The device can receive information such as parameter(s) and a verification number from a communications system. The verification number can be generated by using an authorization algorithm (A-algorithm) based on the parameter(s) and a K-algorithm input. The device can generate a trial verification number by using the A-algorithm with the parameter(s) and the key as trial inputs. The device can compare the verification number to the trial verification number, and in response to the verification number being at least similar to the trial verification number, the device can use the parameter(s) for programming of the device.

Abstract: There are provided measures for trustworthiness decision making for access authentication, for example relating to the trustworthiness of non-3GPP access networks within a 3GPP-compliant packet data system, exemplary comprising receiving an indication about a provisional trustworthiness of an access network, which provides packet data access for a roaming user, with respect to a visited network of said user from a network element of said visited network, determining the applicability of local breakout or home routing for each subscribed access point name of said user, and deciding about a final trustworthiness of said access network based upon the received provisional trustworthiness indication and the determined routing applicability for each subscribed access point name of said user.

Abstract: A method and system of controlling the locking/unlocking of the network access functions of a terminal including a security processor, like a mobile telephone handset. The terminal is allotted an original public key for verifying the integrity of data loaded into the terminal, a pair of keys associated with the network being generated along with an original approval certificate for the terminal, a locking certificate containing the original approval certificate, the public keys, configuration data and random data, this locking certificate being signed on the basis of the private key associated with the original public key and loaded into the terminal. On entering a user code, the terminal or a function thereof is unlocked after verification of the integrity of the locking certificate and validation of the user code entered.

Abstract: One embodiment of the invention provides a mobile communication network architecture that includes a first base station (e.g., a first base station controller and/or a first transceiver station), a second base station (e.g., a second base station controller and/or a second transceiver station), a mobile client, and a server coupled to the mobile client via either the first base station controller or the second base station. The first base station is coupled to an authentication center that authenticates an intended user so that the user can communicate a message between the mobile client and the server via the first base station. A credential (or status) of the authentication made at the authentication center is then transmitted from the first base station to the second base station when the mobile client moves to utilize the second base station to communicate with the server.

Abstract: A multi-user computer system and a remote control method for the multi-user computer system includes a remote controller, with an input unit that receives a remote-control password to remotely operate the computer, information on an OS booted when the remote-control password is input, a key input setting the computer in a mode wherein the remote-control password and the OS information are set, and a key input operating the computer, a microprocessor, a wireless transmitter, and a computer, with a wireless receiver, a microprocessor, and a BIOS that automatically loads an OS corresponding to the remote-control password stored in the memory when the received remote-control password stored in the wireless receiver and the remote-control password in the memory are the same.

Abstract: Auditing a communication is disclosed. Credentials are received from a client. It is determined whether the client is authorized to communicate with a remote resource. If it is determined that the communication with the remote resource is allowed, a communication is forwarded from the local resource to the remote resource.

Abstract: An apparatus and method for receiving a request for authorization and access from a requestor; determining the association of a care-of-address (CoA) in the request with an access technology used by the requestor; administering authorization rules based on the association of the care-of-address (COA) and the access technology; and determining either to allow access or to deny access to the requestor using results from administering the authorization rules.

Abstract: A method of and system for digital rights management, in which access to a piece of content is granted in accordance with a license owned by a license owner to a client who is a member of a domain. This requires successfully verifying that a membership relation exists between the client and the domain as reflected in a first state variable, and that an association relation exists between the license owner and the domain as reflected in a second state variable. Both relationships are revoked by executing an online protocol between the parties in the relationship after which both remove the corresponding state variable. The domain controller propagates the state administration relating to the domain is propagated to the client so that the client can update its state administration.

Abstract: The present invention discloses a security management method and a security management system for a WAPI terminal accessing an IMS network. The method comprises: an authentication service unit (ASU) sending, under the circumstance that an access point and the WAPI terminal pass the verification of the ASU, a security information request message to a home subscriber server (HSS) (S302); the HSS setting security information corresponding to the IMS account information of the WAPI terminal as access layer security after receiving the security information request message from the ASU (S304); a proxy-call session control function (P-CSCF) receiving an IMS login request message from the WAPI terminal, inquiring about the security information of the WAPI terminal through the HSS, and allowing the WAPI terminal to execute an IMS service flow under the circumstance that the security information of the WAPI terminal is the access layer security (S306).

Abstract: In one embodiment, a system processes access decisions for individuals where the system includes a portable handheld housing for the processor, display, internal memory, and card reader of the system.

Abstract: Techniques and tools are described which provide control access mechanisms for contents made available by a service provider to a user. The user, after a registration process, uses a mobile application on a mobile device to generate a one-time content key. The content key is input into a set-top box which validates the key and provides access to the protected content. The mobile application allows for password protection for the user, as well as a recharging ability when its one-time content keys are exhausted.

Abstract: A method of securing a telecommunication terminal that is connected to a module used to identify a user of the terminal is described. The method includes a step including executing a procedure in which the terminal is matched to the identification module, consisting in: securely loading a first software program including a data matching key onto the identification module; securely loading a second software program which can operate in conjunction with the first software program onto the telecommunication terminal; transmitting a data matching key that corresponds to that of the first software program to the second software program; storing the transmitted data matching key in the secured storage zone of the telecommunication terminal; and conditionally submitting every response from the first software program to a request from the second software program upon verification at the true value of the valid possession of the data matching key by the second program.

Abstract: A method for revoking access to a mobile device includes providing a plurality of authenticated applications accessible by the mobile device, and providing a plurality of revocation timeout intervals for revoking access by the mobile device to the plurality of authenticated applications. Access to a first authenticated application is revoked after a first timeout interval and access to a second authenticated application is revoked after a second timeout interval.

Abstract: A method for ensuring media stream security in an IP Multimedia Subsystem network is disclosed. The method includes: assigning an end-to-end media stream security key for a calling User Equipment (UE) or a called UE, by a network device with which the calling UE or the called UE is registered, respectively, and transmitting the media stream security key to a network device with which the opposite end is registered; encrypting the end-to-end media stream security key using a session key shared with the calling UE or the called UE respectively, and transmitting the encrypted end-to-end media stream security key to the calling UE or the called UE, respectively, via a session message; encrypting or decrypting a media stream, by the calling UE or the called UE, respectively, using the end-to-end media stream security key.

Abstract: A system and method for secure communications in a communication system, wherein the system programs a computer to perform the method, which includes: receiving at least one authentication key, without an encryption key, from a key-management server; receiving a packet, which is encrypted, from a source device; authenticating the packet, using the at least one authentication key, without cryptographically altering the packet; and forwarding the authenticated packet to a destination device of the packet.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing contextual data aided security protection. In one aspect, a method includes automatically parsing an electronic message associated with a user that includes location information, and extracting the location information from the electronic message. The location information can be added to a database (e.g., white list) associated with the user. The location information in the database can be used to authenticate the user's request for access to electronic mail.

Abstract: A wireless phone system and methods performed thereon for cryptographically processing SMS messages is disclosed. A cryptographic pad is used to replace characters in a payload of a SMS message with coded characters. The cryptographic pad is used by the receiver of the SMS message to decode it. The cryptographic pad is one of two or more possible cryptographic pads stored in the receiver. In one embodiment, the two or more possible cryptographic pads are sent as a key where a particular cryptographic pad is referenced in the key using an index.

Abstract: Users of mobile terminals in a communication network are provided controlled access to files in a file system through the steps of configuring the files as a file body containing a file content and a file header containing content profile information; providing a security identity module and a secure agent; storing in the security identity module user profile information identifying a set of content profiles allowed for access to the file system; extracting, via the secure agent, the content profile information from the headers of the files; retrieving, via the secure agent, the user profile information stored in the security identity module; checking the user profile information and the content profile information; and providing the user with access to those files in the file system for which the user profile information and the content profile information are found to match.

Abstract: An authentication loading control feature enables a service provider to control the number of authentication procedures or percentage of time that authentication procedures are performed by a network element adapted to perform authentication procedures (e.g., a Serving GPRS Support Node (SGSN) of a UMTS network); and an information recapture feature enables the network element to obtain, in the absence of authentication, UE information that conventionally would have been received as a part of the authentication procedure as needed, for example and without limitation, to support charging and lawful intercept functions.

Abstract: Certain embodiments allow security keys to be maintained across mobile device states, or communication events, such as hand-over, and system idle and sleep power savings modes. By monitoring the lifetime of security keys, keys may be refreshed in an effort to ensure key lifetimes will not expire during a hand-over process or other device unavailable state.

Abstract: In the method and the arrangement for checking the authenticity of a first communication subscriber in a communications network, a first information item is formed in the first communication subscriber using a fault detection data item of the first communication subscriber and an information item relating to a random data item. In a second communication subscriber in the communications network, a second fault information item is formed using a fault detection data item of the second communication subscriber and the information relating to the random data item. The authenticity of the first communication subscriber is checked using the first fault information and the second fault information.

Abstract: A lock system that unlocks a lock with an unlock signal, prevents malfunction of locking or unlocking, and reduces power consumption of a receiving unit side that receives the unlock signal. The lock system avoids radio wave interference of the unlock signal and prevents malfunction of locking or unlocking by providing irregularity in a transmission timing of the unlock signal to a device that unlocks a lock with the unlock signal. In regard to a reception of the unlock signal, the lock system sets a receiving window by setting a reception-ON time and a reception-OFF time, and by stopping an operation of the receiving unit except during the reception-ON time, reduction of power consumption can be achieved.

Abstract: The present invention relates to a system and method to enable subscriber self-activation and configuration of wireless data terminals by means of an activate button provided through the User Interface (UI). This allows for operations to be performed on the device by self-care. Any wireless device, in order to access the network needs credentials. This invention generates temporary credentials to present to the network for service activation. Once access is granted to the network, the device can be activated and configured for using the resources of the network.

Abstract: A method, information processing system, and wireless device provide authentication information to a network. The method includes determining that at least one authentication context (120) resides in memory (412). The at least one authentication context (120) is analyzed to determine if at least one realm identifier associated with a home service provider is included in the at least one authentication context (120). A user is prompted to update the at least one authentication context (120) with at least one realm identifier associated with a home service provider in response to determining that at least one realm identifier fails to be included in the at least one authentication context (120). At least one realm identifier is received (612) from a user that is associated with a home service provider. The at least one authentication context (120) is updated with the at least one realm identifier received from the user.

Abstract: A system that incorporates teachings of the present disclosure may include, for example, a computer-readable storage medium in a communication device having computer instructions to establish communications with a cellular base station, generate a message request, and transmit to an authentication device by way of the cellular base station the message request. The computer-readable storage medium can also have computer instructions to receive from the authentication device by way of the cellular base station a message response, authenticate the message response, and determine from the authenticated message response whether the cellular base station is an approved network element of a cellular communication system. Other embodiments are disclosed.

Abstract: The present invention relates to fraud prevention and authentication of a device to a user. The method of authenticating a personal device according to the invention comprises a set up sequence, wherein at least a first preferred output format is selected by the user, and a device configuration verification sequence. In the device configuration verification sequence a checksum is calculated and converted to a user friendly output format based on the user selected preferred output format. In addition the checksum may be calculated based on variable, and user selectable, keying material. The personal device, after being authenticated according to the above, may be used to authenticate a second device.

Abstract: A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.

Abstract: A system for facilitating persistent communications between entities in a network. In a specific embodiment, the system is adapted to facilitate fast reauthentication of a client performed by a server, such as an Authentication, Authorization, and Accounting (AAA) server, that is coupled to the client via a load balancer. The system includes a first message to be exchanged between the server and the client, wherein the first message includes a field identifying the server and/or the client. A matching module communicates with or is otherwise incorporated within the load balancer. The matching module includes one or more routines for employing the field to selectively route the first message to the client and/or server. In a more specific embodiment, the server a fast reauthentication module adapted to append the field in the message. The field includes sub-realm information identifying the server.

Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials, in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.

Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.

Abstract: An system for and method of providing end-to-end encrypted real-time phone calls using a commodity mobile phone and without requiring service provider cooperation is presented. The system and method improve upon prior art techniques by omitting any requirement for mobile phones that are specially manufactured to include end-to-end encryption functionality.

Abstract: A system and method for maintaining privacy of a user's telephone number is disclosed. The method provides a means by which a user A may prefer to exchange her contact number with another user B. The contact number is encrypted by user A and passed on to the mobile phone of user B. In the phonebook of user B, the contact number of user A is stored in encrypted format. Further, when user B initiates a call to user A, the encrypted number is sent to the network. At the MSC of user B, the number is decrypted and a call is established with user A. When user A calls user B, user A's number is encrypted at user B's MSC. This is transmitted to user B, where it is compared with the already encrypted number in the phonebook. The matching name of user A is then displayed.

Abstract: An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes to data acceleration module exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.

Abstract: A wireless network apparatus including an authentication information storage unit to store first authentication information for network communication, an authentication information converting unit to generate second authentication information by converting the stored first authentication information according to an predetermined authentication method, a nonvolatile storage unit to store the generated second authentication information, and an authentication processing unit to conduct an authentication based on the second authentication information.

Abstract: Systems, methods, and programs for generating an authorized profile for a text communication device or account, may sample a text communication generated by the text communication device or account during communication and may store the text sample. The systems, methods, and programs may extract a language pattern from the stored text sample and may create an authorized profile based on the language pattern. Systems, methods, and programs for detecting unauthorized use of a text communication device or account may sample a text communication generated by the device or account during communication, may extract a language pattern from the audio sample, and may compare extracted language pattern of the sample with an authorized user profile.

Abstract: Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: Methods, systems, devices and computer programs for configuring nodes on a wireless network can include generating a security key for the network, setting the security settings on the access point based on the security key, and saving the security key in a profile data file on a removable memory device along with a portable configuration utility for using the profile data file for configuring other nodes on the network. The removable memory device can then be inserted into other nodes and the portable configuration utility can be run to match the same key on the other network nodes based on the information stored in the profile data file on the removable memory device.

Abstract: A biometric authentication system is disclosed that provides authentication capability using biometric data in connection with a challenge for parties engaging in digital communications such as digital text-oriented, interactive digital communications. End-user systems may be coupled to devices that include biometric data capture devices such as retina scanners, fingerprint recorders, cameras, microphones, ear scanners, DNA profilers, etc., so that biometric data of a communicating party may be captured and used for authentication purposes.

Abstract: In one embodiment, a Time-Lapse Cryptography Service is provided based on a network of parties. Senders encrypt their messages with this public key whose secret key is not known to anyone—not even a trusted third party—until a predefined and specific future time T+.delta., at which point the secret key is constructed and published. In one example, the secret key can only be known after it is constructed. At or after that time, anyone can decrypt the cipher text using this secret key. In one embodiment, a method for cryptographic encoding is provided, including generation of cryptographic key components by a plurality of parties, where participation of the parties is verified. A public key is constructed from a plurality of key components.

Abstract: A process using code segment which is installed over a transport medium, using a device, such as a network, for transmitting real-time end-to-end encrypted voice or data communications between at least a first digital device and a second device in real time is disclosed. The network includes a network portal for Registration, Key Management, Authentication, and Authorization of the first digital device and the second device. Accordingly, the devices are capable of securely communicating with each other in real-time by providing each digital device with at least first and second keys, and receives requests to communicate, provides authorization to set up a secure session, and encrypts and decrypts the voice and data messages sent to and received from the portal. The intent is to provide a low cost, COTS, real-time software voice and data encryption upgrade solution which is scalable, interoperable, and agnostic for all communications.

Abstract: The invention relates to a method and system for authentication of a user (11) at an access device by means of a cellular mobile radio network (17). The access device gives access to a facility or a service different from the mobile radio network (17). The cellular mobile radio network (17) comprises a base station (12) defining a mobile radio cell (16) with a unique identifier. A mobile radio terminal (14) having a unique identifier books into the mobile radio network (17) via said base station (12), and the authentication is carried out by means of the identifier of the mobile radio cell (16) and the identifier of the mobile radio terminal (14). The base station (12) is arranged at the location of the access device so that the access device has its own mobile radio cell (16) serviced by the base station (12), this mobile radio cell (16) defining an authentication cell (16) of the mobile radio network (17).

Abstract: An example of the present invention is a method of transmitting encrypted user data to a mobile terminal in a wireless telecommunications network. The method comprises sending to the mobile terminal a data packet. The data packet comprises both an identifier of encryption information to used in recovering encrypted user data, and user data encrypted using said encryption information.

Abstract: Method, device and computer readable storage medium for managing applications on a wireless device by providing applications on the wireless device. The wireless device is used in a short-range wireless system with an effective range. The wireless device and a client device are brought into proximity and thereby into the effective range of the short-range wireless system. The wireless device and the client device are connected and associated. The application is associated with the client device. The application is then automatically launched on the wireless device.

Abstract: For a communication terminal (10), proposed is a security module (1) configured to authenticate a telecommunications network (2). The security module (1) comprises a locking module (12), for disabling usability of an application module (11), an unlocking module (13), for re-enabling usability of the application module (11), and a control module (14) for activating the unlocking module (13), depending on received data that is assignable in an authenticated way to a specific telecommunications network (2). The control module (14) is configured to activate the locking module (12) depending on the selection and usage of the application module (11). The control module (14) is configured to activate the unlocking module (12) depending on the reception of authorization messages, that can be authenticated, or authentication data of the telecommunications network (2).

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: To provide reliable and customized authentication, a parameter to be used in authentication is defined for the operator. A secret which may be stored e.g. in a subscriber identity module is calculated from the operator parameter and a subscriber key. An authentication response is calculated from the secret and the challenge to be used in authentication with a one-way function.

Abstract: Disclosed are a cellular phone terminal, a cellular phone system and a privacy protection method therefor that enable to prevent leakage of private information from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal comprises, in addition to the cellular phone function section, a cellular phone network transmitter/receiver section, a wireless LAN transmitter/receiver section and a wireless LAN connection control section, an SSID•MAC address management section connected to the wireless LAN connection control section and the cellular phone network transmitter/receiver section. The SSID•MAC address management section is allocated by a MAC address management server one or more temporary MAC addresses together with their time limit by way of the cellular phone network transmitter/receiver section and a cellular phone base station and the temporary MAC addresses are used when conducting a search for wireless LAN base stations.