Abstract: A wireless network apparatus including an authentication information storage unit to store first authentication information for network communication, an authentication information converting unit to generate second authentication information by converting the stored first authentication information according to an predetermined authentication method, a nonvolatile storage unit to store the generated second authentication information, and an authentication processing unit to conduct an authentication based on the second authentication information.

Abstract: Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: Methods, systems, devices and computer programs for configuring nodes on a wireless network can include generating a security key for the network, setting the security settings on the access point based on the security key, and saving the security key in a profile data file on a removable memory device along with a portable configuration utility for using the profile data file for configuring other nodes on the network. The removable memory device can then be inserted into other nodes and the portable configuration utility can be run to match the same key on the other network nodes based on the information stored in the profile data file on the removable memory device.

Abstract: A biometric authentication system is disclosed that provides authentication capability using biometric data in connection with a challenge for parties engaging in digital communications such as digital text-oriented, interactive digital communications. End-user systems may be coupled to devices that include biometric data capture devices such as retina scanners, fingerprint recorders, cameras, microphones, ear scanners, DNA profilers, etc., so that biometric data of a communicating party may be captured and used for authentication purposes.

Abstract: The invention relates to a method and system for authentication of a user (11) at an access device by means of a cellular mobile radio network (17). The access device gives access to a facility or a service different from the mobile radio network (17). The cellular mobile radio network (17) comprises a base station (12) defining a mobile radio cell (16) with a unique identifier. A mobile radio terminal (14) having a unique identifier books into the mobile radio network (17) via said base station (12), and the authentication is carried out by means of the identifier of the mobile radio cell (16) and the identifier of the mobile radio terminal (14). The base station (12) is arranged at the location of the access device so that the access device has its own mobile radio cell (16) serviced by the base station (12), this mobile radio cell (16) defining an authentication cell (16) of the mobile radio network (17).

Abstract: A process using code segment which is installed over a transport medium, using a device, such as a network, for transmitting real-time end-to-end encrypted voice or data communications between at least a first digital device and a second device in real time is disclosed. The network includes a network portal for Registration, Key Management, Authentication, and Authorization of the first digital device and the second device. Accordingly, the devices are capable of securely communicating with each other in real-time by providing each digital device with at least first and second keys, and receives requests to communicate, provides authorization to set up a secure session, and encrypts and decrypts the voice and data messages sent to and received from the portal. The intent is to provide a low cost, COTS, real-time software voice and data encryption upgrade solution which is scalable, interoperable, and agnostic for all communications.

Abstract: In one embodiment, a Time-Lapse Cryptography Service is provided based on a network of parties. Senders encrypt their messages with this public key whose secret key is not known to anyone—not even a trusted third party—until a predefined and specific future time T+.delta., at which point the secret key is constructed and published. In one example, the secret key can only be known after it is constructed. At or after that time, anyone can decrypt the cipher text using this secret key. In one embodiment, a method for cryptographic encoding is provided, including generation of cryptographic key components by a plurality of parties, where participation of the parties is verified. A public key is constructed from a plurality of key components.

Abstract: An example of the present invention is a method of transmitting encrypted user data to a mobile terminal in a wireless telecommunications network. The method comprises sending to the mobile terminal a data packet. The data packet comprises both an identifier of encryption information to used in recovering encrypted user data, and user data encrypted using said encryption information.

Abstract: Method, device and computer readable storage medium for managing applications on a wireless device by providing applications on the wireless device. The wireless device is used in a short-range wireless system with an effective range. The wireless device and a client device are brought into proximity and thereby into the effective range of the short-range wireless system. The wireless device and the client device are connected and associated. The application is associated with the client device. The application is then automatically launched on the wireless device.

Abstract: For a communication terminal (10), proposed is a security module (1) configured to authenticate a telecommunications network (2). The security module (1) comprises a locking module (12), for disabling usability of an application module (11), an unlocking module (13), for re-enabling usability of the application module (11), and a control module (14) for activating the unlocking module (13), depending on received data that is assignable in an authenticated way to a specific telecommunications network (2). The control module (14) is configured to activate the locking module (12) depending on the selection and usage of the application module (11). The control module (14) is configured to activate the unlocking module (12) depending on the reception of authorization messages, that can be authenticated, or authentication data of the telecommunications network (2).

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: Embodiments of the invention provide systems and methods for providing service level, policy-based QoS enforcement on a network or networks. According to one embodiment, a system can comprise at least one communications network, a first endpoint communicatively coupled with the communications network, and a second endpoint communicatively coupled with the communications network and can monitor traffic on the communications network between the first endpoint and the second endpoint. A policy enforcer can be communicatively coupled with the network monitor. The policy enforcer can apply one or more policies based the traffic between the first endpoint and the second endpoint. The one or more policies can define a Quality of Service (QoS) for the traffic between the first endpoint and the second endpoint and can apply the policies to affect the traffic between the endpoints to maintain the QoS defined by the one or more policies.

Abstract: Disclosed are a cellular phone terminal, a cellular phone system and a privacy protection method therefor that enable to prevent leakage of private information from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal comprises, in addition to the cellular phone function section, a cellular phone network transmitter/receiver section, a wireless LAN transmitter/receiver section and a wireless LAN connection control section, an SSID•MAC address management section connected to the wireless LAN connection control section and the cellular phone network transmitter/receiver section. The SSID•MAC address management section is allocated by a MAC address management server one or more temporary MAC addresses together with their time limit by way of the cellular phone network transmitter/receiver section and a cellular phone base station and the temporary MAC addresses are used when conducting a search for wireless LAN base stations.

Abstract: To provide reliable and customized authentication, a parameter to be used in authentication is defined for the operator. A secret which may be stored e.g. in a subscriber identity module is calculated from the operator parameter and a subscriber key. An authentication response is calculated from the secret and the challenge to be used in authentication with a one-way function.

Abstract: Methods and systems for slow associated control channel signaling are disclosed. An example method for securing communications in a mobile network disclosed herein comprises transmitting a first variant of a message of a first type on a first slow associated control channel (SACCH) before ciphering is started on the first SACCH, and after ciphering is started on the first SACCH, transmitting a second variant of the message of the first type on the first SACCH, and subsequently transmitting the second variant of the message of the first type on the first SACCH, wherein the subsequently transmitted second variant of the message of the first type is the next transmitted message of the first type on the first SACCH.

Abstract: In the context of facilitating a circuit switched to packet switched handover of a call in a cellular communication system, a first node (e.g., packet switched target node) generates a security context for a client whose call is being handed over. This involves the first node receiving at least one cryptographic key from a second node (e.g., a circuit switched node supporting the existing connection) and receiving identities of security algorithms supported by the client from a third node (e.g., a packet switched node supporting the existing connection); The first node uses the at least one cryptographic key and the identities to generate the security context for the client.

Abstract: A trusted domain name server is introduced to provide a secure route optimization procedure for MIPv6. A trusted authority registers network addresses of a mobile node with corresponding fully qualified domain names. The trusted domain name server can later be queried to compare the domain of a network address for a mobile node with the domain of a network address for another network node.

Abstract: A mobile device can save time by validating a stored message, which was previously unreadable, by utilizing a related message, which can be received at a much quicker rate. In accordance with some aspects, the mobile device can save time by validating the stored message by reading a new related message and subsequently re-reading or descrambling the stored message or its CRC. The first attempt to read the message might not be successful due to a scrambling information change or due to other reasons. The reason for the failure of the first attempt to read the message may be determined based on whether a later attempt to read the message with the same or a different scrambling information is successful.

Abstract: The present invention is directed to security systems and methods for mobile network-based data environments. The present invention provides an integration of security, mobile computing, wireless and IT infrastructure management technology, to create a new level of automation and enforcement to enable the transparent application of mobile security across an enterprise, while embracing end user “transparency” and “ease of use” and empowering IT administration.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: Systems and methods for identifying, tracking, tracing and determining the authenticity of a good include an imaging system, a database, and an authentication center. The imaging system is configured to capture an image of a unique signature associated with a good. The unique signature can be, for example, a random structure or pattern unique to the particular good. The imaging system is configured to process the image to identify at least one metric that distinguishes the unique signature from unique signatures of other goods. The database is configured to receive information related to the good and its unique signature from the imaging system, and to store the information therein. The authentication center is configured to analyze the field image with respect to the information stored in the database to determine whether the unique signature in the field image is a match to the captured image stored in the database.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: A reach back secure communications terminal includes a digital PBX adapter that offers immediate and secure voice, data and video connectivity over any of various commercially available PBX systems. In addition to use with a PBX system, integrated components simplify access to varied networks allowing deployed users to select and connect quickly to a network that best supports their present mission. Commercial or optional NSA Type 1 encryption may be implemented. Networking options include any of PSTN, PBX, GSM (or CDMA or other cell telephone standard), SAT, IP and WiFi. The digital PBX adapter includes an audio mixer that converts a 4-wire input from a handset jack of a PBX handset base, into a 2-wire output destined for an encryption unit (FNBDT). The user determines a necessary gain of the audio mixer for the particular PBX system by trial and error using a multi-position switch.

Abstract: A system and method for efficiently enabling local security connectivity between electronic devices over multiple bearers. Electronic devices are configured to advertise, over each bearer, their respective configuration parameters for each bearer. After a connection has been established between the electronic devices over a first bearer, the two electronic devices use the first bearer to establish connections over the other bearers using the configuration parameters contained in the advertisements and advertised over the first bearer. Shared keys are established for the other bearers either using keys derived from the first shared key or by using the first secure connection as an out-of-band channel. The present invention also provides for the creation of an ad hoc WLAN connection once a Bluetooth connection has been established.

Abstract: The present invention relates to a system (10) operable to control access to different physical spaces, each provided with an electrical locking device (121, . . . , 12n), with the aid of a programmable, mobile unit (14). The system (10) comprises an authority means (16) operable to issue access rights connected to the programmable, mobile unit (14) in the form of an authorizing data (AD), which authorizing data (AD) is sent to an authorization means (18) connected to the authority means (16), and operable to generate an alpha-numerical key for the mobile unit (14), and to send the alpha-numerical key and a unique identifier of the mobile unit (14) to an operator (20), which is connected to the authorization means (18). The operator (20) is operable to send the alpha-numerical key to the mobile unit (14) identified by the unique identifier.

Abstract: A mobile communication terminal connected to the portable electronic device encodes a system serial number and an authentication key, generates an integration secrete key, and transmits the integration secrete key to an authentication center computer. The authentication center computer decodes the integration secrete key, performs authentication registration, encodes a temporary service approval key and a temporary integration authentication key, and transmits the temporary service approval key and the temporary integration authentication key to the mobile communication terminal. The mobile communication terminal decodes the temporary integration authentication key, obtains approval for the relay, and transmits the temporary service approval key to the portable electronic device. The portable electronic device decodes the temporary service approval key, performs authentication for utilizing a service, and applies the temporary service approval key to an application service.

Abstract: A mobile terminal is provided with a network lock functionality for a network. The mobile terminal includes a subscriber identity module (SIM) slot configured to host a SIM card or an unlocking device, a control chip, an encryption chip, and a network locking module. The control chip is coupled to the SIM slot through a first interface, the encryption chip is coupled to the SIM slot through the first interface to communicate with a module inserted into the SIM slot, and the network locking module is coupled to the encryption chip through a second interface. Further, the network locking module is configured to perform the network lock functionality. The network locking module also has an “open” state supporting a network unlocking operational mode and a “close” state supporting a network locking operational mode.

Abstract: A key message can include a key-encryption-key (KEK) associated with a KeyDomainID and a KeyGroupID. A session description message can describe streaming media initialization parameters containing media stream information for one or more media streams. For each media stream, the media stream information can include an IP address and a data port. The session description message can further contain a linkage for binding the KEK to a corresponding one of the media streams. The linkage can include the KeyDomainID and KeyGroupID or can include an abstract representation of the KeyDomainID and KeyGroupID. During session initialization, the key-encryption-key (KEK) can be bound to the media streams using the linkage of the session description message. Each of the media streams can be secured using a traffic key conveyed to user equipment (UE) under protection of the key-encryption-key (KEK).

Abstract: Methods and systems are provided that use smartcards, such as subscriber identity module (SIM) cards to provide secure functions for a mobile client. One embodiment of the invention provides a mobile communication network system that includes a mobile network, a mobile terminal, a server coupled to the mobile terminal via the mobile network, and a subscriber identity module (SIM) card coupled to the mobile terminal. The SIM card includes a first key and a second key. The first key is used to authenticate an intended user of the mobile terminal to the mobile network. Upon successful authentication of the intended user to the mobile network, the mobile terminal downloads a function offered from the server through the mobile network. The second key is then used by the mobile terminal to authenticate the intended user to the downloaded function so that the intended user can utilize the function.

Abstract: A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.

Abstract: A computer implemented method for accessing materials for a meeting may include receiving a call from a meeting participant by a system, wherein the meeting participant calls a prearranged teleconference number to participate in the meeting. The method may also include validating participation of the meeting participant in the meeting by the system. The method may further include providing access to an appropriate set of materials to the meeting participant based on a predetermined attribute associated with the meeting participant.

Abstract: In a method for protecting data of a mobile phone, the mobile phone includes a storage system. The storage system stores a plaintext file to be encrypted and an international mobile equipment identification (IMEI) number of the mobile phone. The IMEI number of the mobile phone and the plaintext file are read from the storage system. A ciphertext is generated from the plaintext file according to the IMEI number of the mobile phone using an encryption algorithm. The IMEI number of the mobile phone and the ciphertext are read from the storage system when the ciphertext needs to be decrypted. The plaintext file is recovered from the ciphertext according to the IMEI number of the mobile phone using a decryption algorithm.

Abstract: A bit sequence, which is contained in a signalling message and which is known to a network unit and to a communications terminal which receives the signalling message from the network unit, informs the communications terminal that a test value is contained in a signalling message. The test value received by the communications terminal is compared with a test value computed by the communications terminal, and the communications terminal defines a signalling message as being unmodified only in the event that the bit sequence contained in a signalling message has been received and the comparison of both test values yields a positive result.

Abstract: The present invention provides a method involving a femtocell in communication with an Internet Protocol Multimedia Subsystem (IMS) network. In one embodiment, the femtocell operates according to code division multiple access (CDMA) standards. The method includes receiving, from the femtocell and at a first secure entity in the IMS network, first authentication information generated by the mobile unit using a first random number broadcast by the femtocell in a global challenge. The method also includes receiving, from a second secure entity in the secure network, at least one security key formed based on the global challenge and second authentication information for uniquely challenging the mobile unit. In one embodiment, the second secure entity is a CDMA-based authentication server. The method further includes providing the security key(s) to the femtocell in response to authenticating the mobile unit based upon the second authentication information.

Abstract: A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subset of lateral points a step of horizontal transversal statistical processing by using the estimations of the value of the physical property, to verify a hypothesis about the variables manipulated by the integrated circuit.

Abstract: A data communication method, a communication system, and related devices are configured to establish a transaction identifier (TI) in a user equipment (UE). The data communication method includes the following steps. A mobility management entity (MME) receives a request message and obtains ability information of the UE. If the UE has an ability to access a Universal Terrestrial Radio Access Network/GSM/EDGE Radio Access Network (UTRAN/GERAN), the MME generates the TI. A communication system and related devices are also provided. Thus, the TI is effectively established in the UE, so as to ensure normal processing of the UE.

Abstract: According to an embodiment, a programmable logic device includes a plurality of logic blocks, memory and a logic unit. The logic blocks are grouped into one or more partitions. The memory stores authentication and partition information uploaded to the programmable logic device prior to partition programming. The logic unit authenticates programming access to the one or more partitions based on the authentication information and controls programming of the one or more partitions based on the partition information.

Abstract: A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK.

Abstract: One embodiment includes a method for designating, at a first device, one of a first plurality of wireless channels as a bind channel, then transmitting a channel change request message using a second plurality of wireless channels, wherein the channel change request includes which one of the plurality of wireless channels is a designated bind channel, transmitting a bind request message using the designated bind channel, and then receiving a bind response message from a second wireless device using the designated bind channel.

Abstract: A computer-implemented method for diverting children from restricted computing activities. The method may include maintaining a list of safe computing activities, maintaining a list of restricted computing activities, and detecting a child's attempt to perform a restricted computing activity identified in the list of restricted computing activities. The method may also include selecting a safe computing activity from the list of safe computing activities. The method may further include, in response to the child's attempt to perform the restricted computing activity, blocking the restricted computing activity and initializing the safe computing activity selected from the list of safe computing activities. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods for implementing a location token service (LTS) to enhance the security of mobile device identity tokens by using the location of the mobile device to augment the tokens. The LTS enforces re-authentication (login) of the mobile device to one or more applications if the mobile device moves beyond a threshold distance from the location of the last use of the token within a time period defined in a temporal threshold. The LTS increases authentication strength and drastically reduces the potential for spoofing or otherwise permitting unauthorized access to one or more applications on the mobile device.

Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or a electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.

Abstract: The disclosure discloses a method for communication based on pseudo-contact information, which including: when a call is received, acquiring contact information of a calling party, and encrypting the contact information by using a preset encryption algorithm to acquire pseudo-contact information; when the pseudo-contact information does not match locally stored pseudo-contact information, displaying real contact information of the calling party, wherein the locally stored pseudo-contact information represents the pseudo-contact information generated by encrypting the contact information to be stored according to the preset encryption algorithm and locally stored; and when the pseudo-contact information matches the locally stored pseudo-contact information, displaying a substituted contact information generated by substituting a plurality of bits of the real contact information of the calling party with an identifier.

Abstract: A method and terminal for implementing hot-plug of a smart card are disclosed. The method includes: during the process of playing mobile multimedia, a descrambling library sending request information for obtaining a program key to a smart card driving module, which judges whether a smart card is in a plug-in state or a pull-out state after receiving the request information: if in the plug-in state, the smart card driving module forwarding the request information to the smart card, receiving response information returned by the smart card, forwarding the response information to the descrambling library, and meanwhile forwarding the response information to a virtual smart card module to save; if in the pull-out state, the smart card driving module forwarding the request information to the virtual smart card module, which returns the saved response information to the smart card driving module, which forwards the response information to the descrambling library.

Abstract: The present invention provides a method involving a femtocell in communication with an Internet Protocol Multimedia Subsystem (IMS) network. In one embodiment, the femtocell operates according to code division multiple access (CDMA) standards. The method includes receiving, from the femtocell and at a first secure entity in the IMS network, first authentication information generated by the mobile unit using a first random number broadcast by the femtocell in a global challenge. The method also includes receiving, from a second secure entity in the secure network, at least one security key formed based on the global challenge and second authentication information for uniquely challenging the mobile unit. In one embodiment, the second secure entity is a CDMA-based authentication server. The method further includes providing the security key(s) to the femtocell in response to authenticating the mobile unit based upon the second authentication information.

Abstract: A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.

Abstract: The present invention provides a method and apparatus for protecting a core network (102) by receiving (202) a message (302, 402) containing a mobile identity of a MS (104) and dropping (210) the message (302, 402) whenever the received mobile identity does not match a stored mobile identity associated with the MS (104). The message (302, 402) is processed (208) whenever the received mobile identity matches the stored mobile identity associated with the MS (104). The mobile identity can be an IMSI, a TMSI or a P-TMSI. The message (302, 402) can be an uplink message (302) or a downlink message (402), such as a Mobility Management (MM) message, a General Packet Radio Service (GPRS) Mobility Management (GMM) message, or a UMA or Unlicensed Radio Resources (URR) message. The present invention can be implemented as a computer program embodied on a computer readable medium wherein the various method steps are implemented by one or more code segments.

Abstract: An authentication control apparatus is disclosed that includes plural authentication units that perform authentication for an operator with different authentication methods; a corresponding information management unit that manages corresponding information between the mode of an authentication request and the authentication unit to be used; and an authentication control unit that determines the authentication unit corresponding to the mode of the authentication request based on the corresponding information in response to the authentication request from the operator and causes the determined authentication unit to execute the authentication for the operator.

Abstract: A multimedia messaging system for receiving/sending multimedia messages, includes: a wireless LAN; and a MMS gateway. The MMS gateway performs: receiving/sending the multimedia message to/from a MMS user device via the wireless LAN; and encrypting the multimedia message. The encryption is performed by: issuing a certificate to the MMS user device; sending a session ID and a master key encrypted by the MMS gateway's private key to the MMS user device in response to a request of the MMS user device having the certificate; generated a shared secret key using an algorithm combining the master key with the MMS user device's phone number and the session ID; and encrypting the multimedia message using the shared secret key.