Cellular Telephone Cryptographic Authentication Patents (Class 380/247)
  • Patent number: 8265600
    Abstract: A system and method for providing secure authentication for website access or other secure transaction. In one embodiment, when a user accesses a website, the web server identifies the user, and sends an authentication request to the user's mobile device. The mobile device receives the authentication request and sends back an authentication key to the web server. Upon verifying the authentication key, the web server grants access to the user.
    Type: Grant
    Filed: July 12, 2011
    Date of Patent: September 11, 2012
    Assignee: QUALCOMM Incorporated
    Inventor: Mark Wayne Baysinger
  • Patent number: 8259942
    Abstract: Arranging data ciphering in a telecommunication system comprising at least one wireless terminal, a wireless local area network and a public land mobile network. At least one first ciphering key according to the mobile network is calculated in the mobile network and in the terminal for a terminal identifier using a specific secret key for the identifier. Data transmission between the mobile network and the terminal is carried out through the wireless local area network. A second ciphering key is calculated in the terminal and in the mobile network using said at least one first ciphering key. The second ciphering key is sent from the mobile network to the wireless local area network. The data between the terminal and the network is ciphered using said second ciphering key.
    Type: Grant
    Filed: April 7, 2008
    Date of Patent: September 4, 2012
    Assignee: Intellectual Ventures I LLC
    Inventors: Juha Ala-Laurila, Jukka-Pekka Honkanen, Jyri Rinnemaa
  • Patent number: 8261365
    Abstract: Authentication method of at least one application using resources stored in a security module associated to an equipment connected to a control server via a network. The control server receives via the network, analyses and verifies identification data comprising at least an identifier of the equipment and an identifier of the security module, generates a cryptogram comprising a digest of the application, the identification data and instructions intended for the security module and transmits the cryptogram, via the network and the equipment, to the security module. The latter verifies the application by comparing the digest extracted from the cryptogram with a calculated digest, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and either releases or blocks access to certain resources of said security module according to a result of the verification of the application.
    Type: Grant
    Filed: November 26, 2004
    Date of Patent: September 4, 2012
    Assignee: Nagravision S.A.
    Inventors: Rached Ksontini, Renato Cantini
  • Patent number: 8249256
    Abstract: Disclosed is a method for providing fast secure handoff in a wireless mesh network. The method comprises configuring multiple first level key holders (R0KHs) within a radio access network to which supplicants within the multi-hop wireless mesh network are capable of establishing a security association, configuring a common mobility domain identifier within the first level key holders of a mobility domain, and propagating identity of a first level key holder and the mobility domain identifier through the wireless mesh network to enable the supplicants within the mobility domain to perform fast secure handoff.
    Type: Grant
    Filed: November 6, 2007
    Date of Patent: August 21, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: Michael F. Korus, Ohad Shatil
  • Patent number: 8249557
    Abstract: A mobile phone includes a fingerprint input unit, a storage unit, a switch unit, and a control unit. The fingerprint input unit is used to read and record fingerprint information of a user, and output the fingerprint information. The storage unit stores a fingerprint mode. The switch unit is connected to a power on/off terminal of the mobile phone. The control unit is used to receive the fingerprint information and compare the received fingerprint information with the stored fingerprint mode. If the received fingerprint information is not consistent with the stored fingerprint mode and the mobile phone is at a power-off state, the control unit outputs a first control signal to control the switch unit to keep the mobile phone being at the power-off state.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: August 21, 2012
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Yun-Shan Xiao, Hai-Qing Zhou, Song-Lin Tong
  • Patent number: 8243928
    Abstract: An authentication method is provided in which a first portable device generates and transmits a first random number and a first timestamp to a first USIM in the first portable device; the first USIM calculates a first sign for the first portable device; the first portable device requests authentication for authenticated communication from a second portable device through transmission of the first random number, the first timestamp, and the first sign to the second portable device; the second portable device generates a second random number and a second timestamp and transmits the information to a second USIM in the second portable device; the second USIM generates a second sign for the second portable device and a second personal key which the second portable device transmits to the first portable device; the first portable device then transmits the information to the first USIM which generates a first personal key for authenticated communication.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: August 14, 2012
    Assignees: Samsung Electronics Co., Ltd., Information and Communications University Research and Cooperation Group
    Inventors: Young-Jun Park, Min-Young Ahn, Kug Shin, Kwang-Jo Kim, Kyu-Suk Han
  • Publication number: 20120195427
    Abstract: Delivering content to a requesting device over a content delivery network, the content being deliverable in only one or more restricted geographic regions and the requesting device being communicatively connected to a cellular communications service provider via a cellular communications network, the method comprising steps of: receiving a network identifier of the requesting device uniquely identifying the requesting device in the cellular communications network; transmitting a verification message over the cellular communications network for receipt by the requesting device; receiving, from the requesting device, an access control submission; receiving, from the cellular communications service provider, location information corresponding to a geographic location of the requesting device; and in response to a determination that the access control submission derives from the transmitted verification message and the location information indicates the requesting device is in one of the one or more restricted ge
    Type: Application
    Filed: April 12, 2012
    Publication date: August 2, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David Cousins, Ian Partridge, Adam Pilkington, Dave Renshaw, Andrew Taylor
  • Patent number: 8233895
    Abstract: A source device is initially enabled to maintain data synchronization with a host server over a wireless communication network via a first wireless transceiver for user data of an application program associated with a user account. To enable a target device, the source device is operative to establish a programming session with the target device via a second wireless transceiver. During the programming session, the source device causes user account data (e.g. an encryption/decryption key for the data-synchronized communications) for the user account to be transmitted to the target device via the second wireless transceiver. The user data associated with the application program may be transferred from the source device to the target device via a removable memory card such as a secure digital (SD) card.
    Type: Grant
    Filed: November 23, 2010
    Date of Patent: July 31, 2012
    Assignee: Research In Motion Limited
    Inventor: Piotr Konrad Tysowski
  • Publication number: 20120189120
    Abstract: In a method for protecting data of a mobile phone, the mobile phone includes a storage system. The storage system stores a plaintext file to be encrypted and an international mobile equipment identification (IMEI) number of the mobile phone. The IMEI number of the mobile phone and the plaintext file are read from the storage system. A ciphertext is generated from the plaintext file according to the IMEI number of the mobile phone using an encryption algorithm. The IMEI number of the mobile phone and the ciphertext are read from the storage system when the ciphertext needs to be decrypted. The plaintext file is recovered from the ciphertext according to the IMEI number of the mobile phone using a decryption algorithm.
    Type: Application
    Filed: December 3, 2011
    Publication date: July 26, 2012
    Applicants: Chi Mei Communication Systems, Inc., SHENZHEN FUTAIHONG PRECISION INDUSTRY CO., LTD.
    Inventor: JIE SUN
  • Patent number: 8230212
    Abstract: The present invention provides a method involving a mobile node, a home agent, and an authentication server in a wireless communication system. The method includes generating, at the authentication server, a first security key that indicates a secure association between the home agent and the mobile node based on a second security key that indicates a secure association between the mobile node and the authentication server. The method also includes generating, at the authentication server, at least one first index associated with the first security key. The first index is also generated by the mobile node. The method also includes storing, at the authentication server, the first index and the first security key.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: July 24, 2012
    Assignee: Alcatel Lucent
    Inventors: Peretz M. Feder, Semyon B. Mizikovsky
  • Patent number: 8230485
    Abstract: A system and method for controlling access to a computer provides for loose security within a local network while retaining strong security against external access to the network. In one embodiment, a user has access to trusted nodes in a secured group within an unmanaged network, without being required to choose, enter and remember a login password. To establish such a secure blank password or one-click logon account for the user on a computer, a strong random password is generated and stored, and the account is designated as a blank password account. If the device is part of a secured network group, the strong random password is replicated to the other trusted nodes. When a user with a blank password account wishes to log in to a computer, the stored strong random password is retrieved and the user is authenticated.
    Type: Grant
    Filed: September 15, 2004
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Sterling M. Reasor, Ramesh Chinta, Paul J. Leach, John E. Brezak, Eric R. Flo
  • Patent number: 8229118
    Abstract: Systems and methods of securing wireless communications between a network and a subscriber station include inserting a marker denoting an encryption type within a random value used for authentication, calculating a first session key and a first response value as a function of the random value, then calculating a second session key and a second response value as a function of the random value, first session key and first response value. The two levels of session keys and response values may be used by upgraded subscriber stations and network access points to prevent attackers from intercepting authentication triplets.
    Type: Grant
    Filed: September 16, 2004
    Date of Patent: July 24, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory G. Rose, Michael Paddon, Philip M. Hawkes, James F. Semple
  • Patent number: 8218769
    Abstract: An encrypted communication system is provided, in which an encryption key for use in encrypted communication and settings information for the encrypted communication are distributed to each of a plurality of communication devices performing encrypted communication within a group, and in which traffic generated by distributing the encryption key and the like can be reduced. In the encrypted communication system according to the present invention, information including a key for use in the intra-group encrypted communication or a seed which generates the key is distributed to the communication devices belonging to the group that are participating (e.g., logged in) in the intra-group encrypted communication.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: July 10, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Osamu Takata, Tadashi Kaji, Takahiro Fujishiro, Kazuyoshi Hoshino, Keisuke Takeuchi
  • Patent number: 8220033
    Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: July 10, 2012
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 8218734
    Abstract: A communication device supports leaving a message using a communication device input interface when the device is in a locked state. The communication device may be a network telephone having a display interface and a user input interface. The communication device may be configured to transition to a locked state, store a message based on input received at the locked communication device, and present the message to an intended recipient. The message may be presented to the intended recipient upon unlocking the device (e.g., stored locally and presented when the phone is unlocked), presented to the intended recipient in accordance with communication settings (e.g., delivered to an email account, cell phone, etc.), or otherwise delivered.
    Type: Grant
    Filed: June 12, 2007
    Date of Patent: July 10, 2012
    Assignee: Microsoft Corporation
    Inventor: Dhirendra Kumar Bhupati
  • Patent number: 8213907
    Abstract: A method achieves secure mobile communications by authenticating a mobile device seeking communication with a secure server. The method prescribes steps for generating a code to indicate a plurality of portions of a digital fingerprint to request from the mobile device, each portion representing a different parameter of the mobile device, sending the code to the mobile device, receiving from the mobile device a response code representing the requested plurality of portions of the digital fingerprint, comparing each portion of the received plurality of portions with one or more predetermined codes, and granting the mobile device an access privilege when results of the comparison satisfy a predetermined minimum accuracy.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: July 3, 2012
    Assignee: UNILOC Luxembourg S. A.
    Inventor: Craig Stephen Etchegoyen
  • Patent number: 8213614
    Abstract: A system for generating and printing travel documents for a customer associated with a journey having one or more parts, the system comprising: a travel documentation distribution module capable of generating travel documentation for the customer and capable of passing the documents for storage on a customer device at the request of the customer; and a printer located in the vicinity of a starting point of one of the parts of the journey which is capable of responding to a short range communication from the customer device to print the travel documents for said part of the journey for the customer.
    Type: Grant
    Filed: September 23, 2009
    Date of Patent: July 3, 2012
    Assignee: Amadeus S.A.S.
    Inventors: Aziz Kezzou, Jean-Michel Sauvage, Edouard Hubin
  • Patent number: 8213901
    Abstract: There is disclosed a method for verifying a first identity and a second identity of an entity, said method comprising: receiving a first and second identity of said entity at a checking entity; sending information relating to at least one of the first and second identities to a home subscriber entity; and verifying that said first and second identities both belong to the entity from which said first and second identities have been received.
    Type: Grant
    Filed: April 26, 2005
    Date of Patent: July 3, 2012
    Assignee: Nokia Corporation
    Inventors: Auvo Hartikainen, Kalle Tammi, Toni Miettinen, Lauri Laitinen, Philip Ginzboorg, Pekka Laitinen
  • Patent number: 8213903
    Abstract: A mobile telecommunications network and method of operation that includes establishing a first user plane connection between a telecommunications device registered with the network and a network gateway device of the network via a first access point; providing the telecommunications device with a token using the first user plane connection; establishing a second user plane connection between the telecommunications device and the network gateway device via a second access point by using the token information to validate the telecommunications device; and, subsequent to establishment of and corresponding to the second user plane connection, establishing a control plane connection between the telecommunications device and the network gateway device via the second access point.
    Type: Grant
    Filed: April 26, 2006
    Date of Patent: July 3, 2012
    Assignee: Vodafone Group PLC
    Inventors: Christopher David Pudney, David Andrew Fox, Peter Howard
  • Patent number: 8213902
    Abstract: Some embodiments of a smart card accessible over a personal area network have been presented. In one embodiment, an apparatus includes a wireless transceiver to communicatively couple to a personal area network (PAN) to receive an authentication request via the PAN from a device. The device may include a computer. The apparatus further includes a storage device to store a digital certificate that uniquely identifies a user. An authentication module in the apparatus may authenticate the user in response to an authentication request from the device using the digital certificate, wherein the user is allowed to access the computer upon authentication.
    Type: Grant
    Filed: August 2, 2007
    Date of Patent: July 3, 2012
    Assignee: Red Hat, Inc.
    Inventor: Peter A. Rowley
  • Patent number: 8213906
    Abstract: A method for generating one-time password (OTP) using a mobile phone registers a telephone number of the mobile phone on a website at first. A communication server generates a first random number and a second random number. Furthermore, the communication server generates a first OTP according to the first random number, and a subscriber identity module (SIM) card of the mobile phone generates a second OTP according to the second random number. The communication server checks if the second OTP is the same as the first OTP. If the second OTP is the same as the first OTP, the mobile phone has successfully logged onto the website.
    Type: Grant
    Filed: July 28, 2009
    Date of Patent: July 3, 2012
    Assignee: Chi Mei Communications Systems, Inc.
    Inventor: Cho-Jan Chen
  • Patent number: 8213939
    Abstract: A mobile communication method according to the present invention includes the steps of: transmitting, from a handover source radio base station to a switching center, a handover request including an NCC, a PCI and a KeNB*; changing, at the switching center, the NCC, changing, at the switching center, the KeNB* on the basis of the PCI, and transmitting, from the switching center to the handover target radio base station, the handover request including the changed NCC and the changed KeNB*; generating, at the handover target radio base station, a first key on the basis of the KeNB*; and generating, at the mobile station, the first key on the basis of the NCC and the PCI included in a handover command.
    Type: Grant
    Filed: September 18, 2009
    Date of Patent: July 3, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventors: Mikio Iwamura, Wuri Andarmawanti Hapsari, Alf Zugenmaier
  • Patent number: 8208636
    Abstract: A system and method for transmitting/receiving encryption information in a mobile broadcast system supporting broadcast service (BCAST) are provided. In the mobile broadcast system, a BCAST Subscription Management (BSM) manages subscriber information of a terminal, and transmits to a BCAST Service Distribution/Adaptation (BSD/A) a first delivery message including a Registration Key Material (RKM) provided for registration of the broadcast service of the terminal and including at least one service or content's identifier. The BSD/A transmits to the BSM a first delivery confirmation message including information indicating success/fail in receipt of the first delivery message, and transmits the RKM to the terminal.
    Type: Grant
    Filed: November 13, 2006
    Date of Patent: June 26, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sung-Oh Hwang, Byung-Rae Lee, Kook-Heui Lee, Bo-Sun Jung, Jong-Hyo Lee, Jae-Kwon Oh, Jae-Yong Lee
  • Patent number: 8209535
    Abstract: For digital rights management (DRM), a method for performing authentication between a device and a portable storage, which is performed by the device, includes transmitting a first key to the portable storage, receiving a third key and a first encrypted random number obtained by encrypting a first random number using the first key from the portable storage and decrypting the first encrypted random number using a second key related with the first key, generating a second encrypted random number by encrypting a second random number using the third key and transmitting the second encrypted random number to the portable storage, and generating a session key using the first random number and the second random number. The technique guarantees secure authentication between the device and the portable storage for DRM.
    Type: Grant
    Filed: March 22, 2005
    Date of Patent: June 26, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Byung-rae Lee, Tae-sung Kim, Joong-chul Yoon, Kyung-im Jung
  • Patent number: 8209761
    Abstract: A wireless network system, information providing apparatus and wireless terminal that can prevent the leak of information such as an address of the wireless terminal. A wireless network system includes an information providing apparatus that provides service information over a wireless network, and multiple wireless terminals each of which receives the service information provided from the information providing apparatus. In this case, the information providing apparatus includes destination possibility data in the service information, and each of the wireless terminals determines the destination possibility that the destination of the provided service information is the wireless terminal based on the destination possibility data included in the provided service information and accepts the provided service information only if it is determined that there is the destination possibility.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: June 26, 2012
    Assignee: Oki Electric Industry Co., Ltd.
    Inventor: Taketsugu Yao
  • Patent number: 8205250
    Abstract: A method of validating a digital certificate comprises retrieving from a first data store a digital certificate, retrieving from a second data store a plurality of certificate revocation lists (CRLs), and selecting one of the plurality of CRLs to validate the digital certificate as of a date which is before the current date.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: June 19, 2012
    Assignee: NCR Corporation
    Inventors: Andrew R. Blaikie, Gene R. Franklin, Peter J. Hendsbee, Jane A. S. Hunter, Jeewhoon Park
  • Publication number: 20120148043
    Abstract: A network provider can receive a request, via a first mobile device and a mobile wireless telephone network, for access to a wireless network secured with at least one encryption key and implemented by at least one wireless access point. In response to the request, the network provider can associate the first mobile device with a user account of a user and can provide a token to a registrar and to the first mobile device via the mobile wireless telephone network. The registrar can receive, from the first mobile device or a second mobile device associated with the user via the wireless access point. After determining, based on the one or more hash values, that the first or second mobile device has possession of the token, the registrar can provide the encryption key to that mobile device.
    Type: Application
    Filed: December 10, 2010
    Publication date: June 14, 2012
    Applicant: AT&T INTELLECTUAL PROPERTY 1 LP
    Inventor: Mostafa Tofighbakhsh
  • Patent number: 8201261
    Abstract: A system and method for the secure storage of data in a network. Data stored on a primary server connected to the network is initially encrypted. The IP address of the primary server is sent to a second server, via the network, and a communication is received from the second server indicating pending instructions. If the instructions indicate that theft of the primary server has occurred, then the data stored on the primary server is re-encrypted and the IP address of the primary server is sent to the second server. If attempted unauthorized access of the primary server is determined, and a predetermined number of consecutive unauthorized attempts to access the primary server are made, then the data stored on the primary server is erased.
    Type: Grant
    Filed: April 27, 2009
    Date of Patent: June 12, 2012
    Inventors: Chase Barfield, Jason Cornell, Jeff Arbour
  • Patent number: 8195233
    Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or an electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: June 5, 2012
    Assignee: Motorola Mobility, Inc.
    Inventors: James J. Morikuni, Bashar Jano
  • Patent number: 8196180
    Abstract: A system and method for providing roaming access on a network are disclosed. The network includes a plurality of wireless and/or wired access points. A user may access the network by using client software on a client computer (e.g., a portable computing device) to initiate an access procedure. In response, a network management device operated by a network provider may return an activation response message to the client. The client may send the user's username and password to the network provider. The network provider may rely on a roaming partner, another network provider with whom the user subscribes for internet access, for authentication of the user. Industry-standard methods such as RADIUS, CHAP, or EAP may be used for authentication. The providers may exchange pricing and service information and account information for the authentication session. A customer may select a pricing and service option from a list of available options.
    Type: Grant
    Filed: November 3, 2006
    Date of Patent: June 5, 2012
    Inventors: James D. Keeler, Matthew M. Krenzer
  • Patent number: 8190913
    Abstract: Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface field data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: May 29, 2012
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Herbert A. Little
  • Patent number: 8189783
    Abstract: Systems, methods, and programs for generating an authorized user profile for a mobile communication device, may sample an audio stream generated by the mobile communication device during communication and may store the audio sample. The systems, methods, and programs may determine an audio characteristic of the stored audio sample and may create the authorized user profile based on the audio characteristic. Systems, methods, and programs for detecting unauthorized use of a mobile communication device may sample an audio stream generated by the device during communication, may determine an audio characteristic of the audio sample, and may compare the determined audio characteristics of the sample with an authorized user profile.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: May 29, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Lee Begeja, Sarangarajan Parthasarathy, Benjamin J Stern
  • Patent number: 8190124
    Abstract: Methods and systems are provided that authenticate an intended user of a mobile client in a roaming environment. One embodiment of the invention provides a mobile communication network architecture that includes a first base station (e.g., a first base station controller and/or a first transceiver station), a second base station (e.g., a second base station controller and/or a second transceiver station), a mobile client, and a server coupled to the mobile client via either the first base station controller or the second base station. The first base station is coupled to an authentication center that authenticates an intended user so that the user can communicate a message between the mobile client and the server via the first base station. A credential (or status) of the authentication made at the authentication center is then transmitted from the first base station to the second base station when the mobile client moves to utilize the second base station to communicate with the server.
    Type: Grant
    Filed: September 7, 2005
    Date of Patent: May 29, 2012
    Assignee: Broadcom Inc.
    Inventors: Edward H. Frank, Mark Buer, Jeyhan Karoguz
  • Patent number: 8190146
    Abstract: A method is provided for connecting a wireless local network (WLAN) to a UMTS terminal station (ME) having USIM/USAT functionality, including the following method steps: monitoring the activity of the local network via the terminal station; transmitting the type and/or identity number of the local network to the terminal station once the activity of the local network has been successfully detected; initiating a logical link between the local network and the terminal station; and querying the specific subscriber data of the local network. In an embodiment of the present invention, the temporary status of the local network and/or specific subscriber data of the local network are/is queried at periodic intervals.
    Type: Grant
    Filed: June 11, 2003
    Date of Patent: May 29, 2012
    Assignee: Siemens Aktiengesellschaft
    Inventors: Mark Beckmann, Hyung-Nam Choi, Sabine Van Niekerk
  • Publication number: 20120130902
    Abstract: A method, a system, and a computer program product are provided for wireless establishment of identity via bi-directional radio-frequency identification (RFID). The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable for sending device data including at least a username and a password to a transceiver. The method also includes receiving an identifier of an access point in a wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. The device data is sent to the access point based on the identifier of the access point, the access point establishing a secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
    Type: Application
    Filed: November 24, 2010
    Publication date: May 24, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John R. DINGLER, Frank C. FISK, Sri RAMANATHAN, Matthew A. TERRY, Matthew B. TREVATHAN
  • Patent number: 8184811
    Abstract: In a digital content management system, a mobile device determines whether it is authorized to use digital content by sending, to a service provider, a hash value that has been pre-stored in the mobile device and that is associated with the digital content. The hash value is generated by combining a user identifier, among other data, into a combined hash. The other data included in the combined hash may be, for example, a service provider key unknown to the user, and a hash of the protected content. A telecommunications service provider, such as a service provider of a CDMA wireless network, determines whether the hash value is valid and, accordingly, whether the mobile device is authorized to use the digital content.
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: May 22, 2012
    Assignee: Sprint Spectrum L.P.
    Inventors: Christopher Patten, Michael Williams, Roy Joseph
  • Patent number: 8184612
    Abstract: A method and an apparatus for managing an HFN for ciphering/deciphering at an RNC of a mobile communication system are provided. In the method, a Timing Adjustment (ToA) value is received from a base station, and a Connection Frame Number (CFN) is corrected. Whether correction of the CFN has been generated within the same cycle is determined by comparing the correction CFN with an absolute CFN serving as a reference. An HFN value is changed or maintained depending on whether the CFN correction has been generated within the same cycle.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: May 22, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Gu-Lee An
  • Patent number: 8180323
    Abstract: A module dual mode device architecture and method of use is disclosed. The system architecture provides a distributed design of an IEEE 802.11i compliant supplicant module that provides security to data/voice packets sent over the wireless local area network (“WLAN”) radio interface from a dual mode device to an access point. The dual mode device establishes a connection with the access point and if the access point is security enabled, one or more session keys are generated. The session keys are used to provide security for communications over the radio interface between the dual mode device and the access point.
    Type: Grant
    Filed: April 9, 2007
    Date of Patent: May 15, 2012
    Assignee: KYOCERA Corporation
    Inventors: Subramanya Ravikanth Uppala, Rama Moorthy Kuvethanda, Brajabasi Padhy
  • Publication number: 20120114122
    Abstract: The invention relates to a system comprising a lock (40) provided with NFC circuits, a mobile phone (32) also provided with NFC circuits, a remote lock management site (18), and a mobile network operator (20). For each lock, the management site generates a unique random algorithm, a unique identifier (PUID) and transport keys and transmits the identifier and the transport keys to a lock manufacturer (16). The mobile network operator receives a unique lock identifier (PUID) from the user and transmits same to the handling site which, in return, transmits the unique random algorithm, the cryptographic key, the transport key and the user key corresponding to the lock to the phone. The phone implements the initial programming of the lock, by loading the unique random algorithm, the cryptographic key and the user key onto the lock and, subsequently, the phone activates a secure cryptographic procedure.
    Type: Application
    Filed: April 28, 2010
    Publication date: May 10, 2012
    Inventor: Pascal Metivier
  • Patent number: 8175270
    Abstract: An authentication loading control feature enables a service provider to control the number of authentication procedures or percentage of time that authentication procedures are performed by a network element adapted to perform authentication procedures (e.g., a Serving GPRS Support Node (SGSN) of a UMTS network); and an information recapture feature enables the network element to obtain, in the absence of authentication, UE information that conventionally would have been received as a part of the authentication procedure as needed, for example and without limitation, to support charging and lawful intercept functions.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: May 8, 2012
    Assignee: Alcatel Lucent
    Inventors: David C Harms, Robert M Zieman
  • Patent number: 8175578
    Abstract: Wireless device monitoring methods, wireless device monitoring systems, and articles of manufacture are described. According to one embodiment, a wireless device monitoring method includes accessing device configuration information of a wireless device present at a secure area, wherein the device configuration information comprises information regarding a configuration of the wireless device, accessing stored information corresponding to the wireless device, wherein the stored information comprises information regarding the configuration of the wireless device, comparing the device configuration information with the stored information, and indicating the wireless device as one of authorized and unauthorized for presence at the secure area using the comparing.
    Type: Grant
    Filed: May 7, 2007
    Date of Patent: May 8, 2012
    Assignee: Battelle Energy Alliance, LLC
    Inventors: Steven H. McCown, Kurt W. Derr, Kenneth W. Rohde
  • Publication number: 20120106734
    Abstract: The present invention provides a safe handover method and system which are applied in a handover process of a terminal in the next generation network, wherein the next generation network comprises a handover management module, an authentication server and a terminal. The safe handover method comprises: presetting initial safety parameters in the authentication server and the terminal, and generating safety parameters from the initial safety parameters; the handover management module obtaining the safety parameters; and the handover management module and the terminal interacting with each other by using the generated safety parameters to ensure a communication safety between the two communication parties. The present invention can ensure the communication safety between the terminal and the handover management module.
    Type: Application
    Filed: July 2, 2009
    Publication date: May 3, 2012
    Applicant: ZTE Corporation
    Inventors: Hongyan Wang, Yinxing Wei
  • Patent number: 8170533
    Abstract: Methods and apparatus for secure over-the-air (OTA) programming, and particularly, activation, of a wireless unit in a particular communications system. The unit stores a stored key having been generated by using a key algorithm (K-algorithm) with an identifier associated with the unit as an input to the K-algorithm. The unit may receive information such as parameters and a verification number from a communications system for the purpose of programming the unit. The verification number is generated by using an authorization algorithm (A-algorithm) having the parameters and a key as A-algorithm inputs. The key is generated by the K-algorithm having the identifier associated with the K-algorithm input. In response to the receipt of the parameters and the verification number, the wireless unit generates a trial verification number by using the A-algorithm with the parameters and the stored key as trial inputs. The unit compares the verification number to the trial verification number for a match.
    Type: Grant
    Filed: March 30, 2009
    Date of Patent: May 1, 2012
    Assignee: AT&T Intellectual Property I, LP
    Inventors: Charles M. Link, Stephen Thomas Hardin, Megan Koch Klenzak
  • Patent number: 8171527
    Abstract: A process may be utilized for securing unlock password generation and distribution. A first set of exclusive responsibilities, assigned to a trusted authority, includes random generation and encryption of an unlock password to compose a randomly generated encrypted unlock password. Further, a second set of exclusive responsibilities, assigned to a security agent, includes sending information associated with the unlock password and a digital signature of information associated with the unlock password to a communication device configured for a network in order to mate the unlock password to the communication device, and sending the randomly generated and encrypted unlock password along with mating data to a password processing center. In addition, a third set of exclusive responsibilities, assigned to a password processing center, includes decrypting the randomly generated and encrypted unlock password.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: May 1, 2012
    Assignee: General Instrument Corporation
    Inventors: Xin Qiu, Liqiang Chen, Stuart P. Moskovics, Kent D. Rager
  • Patent number: 8170529
    Abstract: A method, system, and computer-readable media are provided for determining connection needs of a mobile device connecting to a wireless network. In one aspect, the computer-readable media provide a method that includes receiving a request from a mobile device to access a wireless network, and performing an authentication phase related to the mobile device attempting to access the wireless network. Furthermore, the method includes evaluating signaling behavior of the mobile device during the authentication phase to determine which access technology from a plurality of types of access technologies to use to connect the mobile device to the wireless network. Moreover, the method includes connecting the mobile device to the wireless network using the determined access technology.
    Type: Grant
    Filed: February 8, 2007
    Date of Patent: May 1, 2012
    Assignee: Clearwire IP Holdings LLC
    Inventors: Jeremy R. Breau, Arun Santharam, Serge Manning, Reza Jafari, Shingara Dhanoa
  • Patent number: 8165525
    Abstract: A method, apparatus, and system for using Bluetooth devices to secure sensitive data on other Bluetooth devices is described. A Bluetooth device is paired with a “trusted” Bluetooth device. When contact with the trusted device is lost, designated sensitive data on the secured Bluetooth device is automatically encrypted. When contact is restored, the data is automatically decrypted. In an alternate embodiment, a secured device can be associated with multiple trusted devices, and the secured device designate different sensitive data for each trusted device. In this way, multiple users can share a common, “public” Bluetooth device without concern that the other users will access their sensitive data on the device when the device is not being used by that user.
    Type: Grant
    Filed: August 23, 2011
    Date of Patent: April 24, 2012
    Assignee: Broadcom Corporation
    Inventor: Andre Eisenbach
  • Patent number: 8166523
    Abstract: An authentication device that the user wears reads biometrics information and executes individual authentication by verification. Only when the individual authentication has been successfully performed, authentication with an external unit (such as a server) can be started. Then, only when both the individual authentication based on the biometrics information and the mutual authentication between the external unit (such as a server) and the authentication device have been successfully performed, subsequent data processing, such as payment processing, can be executed. Therefore, even if a fraudulent third party uses a stolen authentication device, because the party cannot satisfy the start condition of authentication with the external server or a PC, fraudulent transactions and other illegitimate behaviors are effectively prevented.
    Type: Grant
    Filed: August 13, 2002
    Date of Patent: April 24, 2012
    Assignee: Sony Corporation
    Inventors: Tadashi Ezaki, Akira Iga
  • Patent number: 8165290
    Abstract: Methods and apparatus for dynamically generating authentication keys are disclosed. Specifically, a Mobile-Foreign authentication key is separately generated by both the Mobile Node and Foreign Agent. Similarly, a Foreign-Home authentication key is separately generated by the Foreign Agent and the Home Agent. In accordance with one embodiment, generation of the Mobile-Foreign authentication key and Foreign-Home authentication key are accomplished via the Diffie-Hellman key generation scheme.
    Type: Grant
    Filed: December 22, 2009
    Date of Patent: April 24, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Srinath Gundavelli, Kent Leung, Alpesh Patel
  • Patent number: 8160252
    Abstract: Disclosed is a method for generating a Short Term Key Message (STKM) for protection of a broadcast service being broadcasted to a terminal in a mobile broadcast system. The method includes transmitting, by a Broadcast Service Subscription Management (BSM) for managing subscription information, at least one key information for authentication of the broadcast service to a Broadcast Service Distribution/Adaptation (BSD/A) for transmitting the broadcast service, generating, by the BSD/A, a Traffic Encryption Key (TEK) for deciphering of the broadcast service in the terminal and inserting the TEK into a partially created STKM, and performing, by the BSD/A, Message Authentication Code (MAC) processing on the TEK-inserted STKM using the at least one key information, thereby generating a completed STKM.
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: April 17, 2012
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Byung-Rae Lee, Sung-Oh Hwang, Kook-Heui Lee
  • Patent number: 8161543
    Abstract: According to one embodiment of the invention, a method for establishing multiple tunnels for each virtual local area network is described. Upon receiving information over a first tunnel associated with a first virtual local area network, a determination is made whether the information is from a network device assigned to a second virtual local area network, which differs from the first virtual local area network. If the network device is a member of the second virtual local area network, a second tunnel associated with the second virtual local area network is created.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: April 17, 2012
    Assignee: Aruba Networks, Inc.
    Inventor: Brijesh Nambiar