Abstract: According to one embodiment of the invention, a method for establishing multiple tunnels for each virtual local area network is described. Upon receiving information over a first tunnel associated with a first virtual local area network, a determination is made whether the information is from a network device assigned to a second virtual local area network, which differs from the first virtual local area network. If the network device is a member of the second virtual local area network, a second tunnel associated with the second virtual local area network is created.

Abstract: In a non-limiting and exemplary embodiment, a method is provided for arranging authentication of mobility related signalling messages in a mobile communications system. An authentication code is generated on the basis of a previous authentication code stored in connection with a preceding authentication code generation event. The newly generated authentication code is stored for subsequent authentication code generation event. In response to change of the mobile device to an access network of the network entity, a control message comprising the authentication code is transmitted from a mobile device to a first network entity, for verifying the authentication code by the first network entity or by a second network entity of a previous access system.

Abstract: Embodiments of the present invention disclose a secure localization infrastructure using transmitters that can transmit messages at multiple distinct power levels throughout a community of reference points. Transmitters send messages at different power levels in a manner that every location in the system corresponds to a unique set of messages. Received messages are reported back to the localization infrastructure, which then determines location by comparing the messages reported.

Abstract: The present invention provides methods, devices, and systems for detecting and filtering SPam over Internet Telephony (SPIT). The invention includes a two level filter. The first level may include a robust audio hash used to filter audio messages based on their audio content and the second level may include a near-duplicate pattern matching algorithm having a number of content filters and an evaluator to aggregate the results from the multiple content filters. By supporting multiple aggregation methods, a more flexible SPIT detection scheme is provided.

Abstract: Authentication of a subscriber identity module issued by IMT-2000 network operator is performed with no decrease in the confidentiality of calculation processing, even in cases such as when a roaming network is a GSM network. An HLR of an IMT-2000 mobile communication network comprises an algorithm information attachment unit for attaching, to a RAND field of an authentication vector used to authenticate a USIM, information specifying an algorithm to be used in the authentication calculation.

Abstract: A relay gateway apparatus (HandOver-Gateway (HO-GW) is provided between heterogeneous access networks (a WiMAX access network and a UMB access network). The HO-GW performs conversion of a movement control signal (an Inter-Access Gateway (AGW) handover control signal) and relay of communication data. When the relay is performed, user data from a correspondent node (CN) reaches a wireless terminal (mobile node (MN)) through a host agent (HA) of a core network, an access router ASN-GW, the HO-GW, and a base station eBS.

Abstract: A mobile terminal is provided with a network lock functionality for a network. The mobile terminal includes a subscriber identity module (SIM) slot configured to host a SIM card or an unlocking device, a control chip, an encryption chip, and a network locking module. The control chip is coupled to the SIM slot through a first interface, the encryption chip is coupled to the SIM slot through the first interface to communicate with a module inserted into the SIM slot, and the network locking module is coupled to the encryption chip through a second interface. Further, the network locking module is configured to perform the network lock functionality. The network locking module also has an “open” state supporting a network unlocking operational mode and a “close” state supporting a network locking operational mode.

Abstract: In accordance with the teachings described herein, systems and methods are provided for securing data for transmission to a wireless device. The disclosed systems and methods may include an electronic messaging system used to send and receive data over a first network and also used to forward data to a wireless device operable in a second network. The electronic messaging system may receive an electronic message encrypted with a first encryption algorithm and addressed to a message recipient in the first network, the message recipient having an associated wireless device operable in the second network.

Abstract: A public key cryptography (PKI or other similar system) is used to sent partial or multiple of encryption or decryption algorithm (cipher or decipher) to the data sender or receiver to encrypt or decrypt the data to be sent or received and destroy itself after each or multiple use. Since the encryption algorithm is protected, it can be devised very small in size in compare to the data to be sent and the user can afford to use large key size in it's transmission to increase protection without significant compact to the overall speed. Without knowing the encryption algorithm, which may also be changing from time to time, it will be impossible to use brut force to break the code provided that the algorithm scheme is designed properly. It is due to that there are unlimited numbers of new or old algorithms with countless variations and it takes years of supper fast computing time to break even few algorithms.

Abstract: Communications of a mobile station with a satellite mobile communications system and a terrestrial mobile communications system are coordinated. The mobile station is registered with the terrestrial mobile communications system and, responsive to the registration of the mobile station with the terrestrial mobile communications system, the mobile station is concurrently registered with the satellite mobile communications system. The concurrent registration may include implicitly registering the mobile station with the satellite mobile communications system, e.g., by storing information identifying the mobile station may be stored in a location register of the satellite mobile communications system responsive to the registration of the mobile station with the terrestrial mobile communications system, and maintaining synchronization between the two registrations. Authentication tokens may be pre-generated for quick re-registration with a satellite mobile communications system.

Abstract: There is provided a mobile communication device having a function capable of releasing lock on an IC card function by an authentication key other then a PIN if the IC card function is locked by a PIN authentication error in a mobile phone having a contactless IC card built in. When a PIN is locked in a mobile phone 1 having a contactless IC card built in, an IC application 11 is started up to transmit a second password other than a PIN to an authentication server 3. The authentication server 3 compares the second password received from the mobile phone 1 with another second password stored in a database 31. If both second passwords agree with each other, a PIN lock release command is transmitted to the mobile phone 1. Further, the mobile phone 1 switches the lock flag of the contactless IC card 13 to OFF from ON by the command received. The PIN lock of the IC card function is thereby released.

Abstract: The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.

Abstract: Authentication of an electronic communication apparatus capable of communicating data messages with a server according to a synchronization protocol includes providing an authentication method indicator that specifies an authentication method according to which the authentication is to be executed. The authentication method indicator is incorporated into a message that includes a plurality of authentication capabilities of the communication apparatus. The message is transmitted to the server according to an authentication protocol of the synchronization protocol.

Abstract: Various embodiments of methods and apparatuses for managing authentication key contexts are described herein. In various embodiments, the methods and apparatuses include purging an authentication key context of a supplicant after handing off the supplicant, even the authentication key has not expired.

Abstract: Data representing media content, such as audio data, is processed to produce a signature code therefrom. This code can be used by wireless and other devices for a variety of purposes. Some relate to cryptographic operations. Others relate to determining whether operations involving the media content are legitimate.

Abstract: To make it possible for a legacy user equipment to correctly generate and use a common key between a user equipment and a base station and between the user equipment and a relay node when the relay nodes are being introduced. An HO request processing unit (202) extracts user equipment information from an HO request input from a receiver (201). A user equipment information determination section (204) determines a mode of handover from the user equipment information, and outputs a determination result to a key generator (205), a key information update request preparation section (206), and an HO command generator (207). In a case of handover from one base station to a relay node of another base station or to the other base station, the user equipment information determination section (204) commands the key information update request preparation section (206) to prepare a key information update request to a high-level management node so as to update the key information.

Abstract: A wireless mobile device (104) provides challenge/response based authentication by receiving a first portion of a challenge (132) from an external authentication unit (102), such as a network unit, and utilizes an internal partial challenge generator (114) that internally provides a second portion of the challenge (138) and provides the internally generated second portion of the challenge (138) back to the authentication unit (102). The wireless mobile device (104) also includes combiner logic (116) that combines the externally received first portion of the challenge (132) with the internally produced second portion of the challenge (138) to produce a complete challenge (144). The wireless mobile device (104) then utilizes a response generators (118) that takes the complete challenge (144) that was produced and generates a response (146) based on the complete challenge (144), and other secret information (110) if desired using a suitable cryptographic operation.

Abstract: The object of the present invention is to provide an authentication system capable of achieving suitable authentication processing while guaranteeing the maximum convenience for the customer. A first communication terminal PD1 is built into a television TV that can be connected to the Internet, and communications with an authentication control company BS are possible via the first communication terminal PD1. The authentication control company BS is, for example, a telecommunications company, and performs authentication control for a plurality of product supplier companies SP1 to SP3 according to the product purchase status on the television TV. Furthermore, the present invention simplifies the appropriate procedures by setting authentication levels for authentication control.

Abstract: A method of providing security of a relay station is disclosed, by which the security can he provided for the relay station in a broadband wireless access system having the relay station. In a mobile communication system to relay a signal transfer between a base station and a mobile station, the present invention includes the steps of performing a relay station authentication from an authentication server using an authentication protocol, receiving a master key from the authentication server, deriving an authentication key from the received master key, deriving a message authentication code (MAC) key using the derived authentication key, and relaying a signal exchanged between the mobile station and the base station using the derived message authentication code key.

Abstract: A method for verifying a first identity and a second identity of an entity, said method comprising: receiving first identity information at a checking entity; sending second identity information from the entity to said checking entity; verifying that the first and second identities both belong to said entity; and generating a key using one of said first and second identity information.

Abstract: Method for decrypting, within a wireless communication device, a sequence of encrypted packets received via a wireless communication channel between the communication device and a cell assigned to this device, comprising for each packet the following steps:—the computation of an encrypting sequence corresponding to the packet (21); and—the decrypting of the packet with the aid of the said encrypting sequence (22). In this method, the encrypting sequences are computed before the reception of the packets while the reception quality is above a threshold (20, TH) and an indication of change of cell is not received (24).

Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service utilizes a customer's mobile device as an out-of-band communication channel to notify a customer of a received financial transaction request. To send the notification, the intermediary service retrieves stored customer information, including an address of the customer's mobile device and a list of payment instruments that can be used to pay for the transaction. Before continuing to process the received financial transaction request, the service may first require the customer to confirm the transaction via the mobile device. The intermediary service retrieves financial account information associated with the customer from issuing institutions, and, if the transaction is confirmed, provides the account information to acquirers in order to allow transactions to be processed.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: Systems and methods of authentication and authorization between a client, a server, and a gateway to facilitate communicating a message between a client and a server through a gateway. The client has a trusted relationship with each of the gateway and the server. A method includes registering the client with the gateway. The client also constructs the address space identifying the gateway and the client. The client communicates the address space to the server. The client receives an identity identifying the server. If the client authorizes to receive a message from the server through the gateway, the client informs the authorization to the gateway. The client puts the identity identifying the server on a list of servers which are authorized to send messages to the client. In addition, the client communicates the list of servers to the gateway.

Abstract: The present application provides a system and method for a set of Extensible Authentication Protocols (EAPs) based on ECC (Elliptic Curve Cryptography) and SKE (Symmetric Key Encryption) mechanisms (with a suitable permutation) that can serve Confidentiality, Authentication, Authorization and Accounting (CAAA) issues at an affordable cost. According to one embodiment, a method and system of ECC and SKE based EAPs (through a permutation technique) which can avoid replay attacks. The application also provides a light weight security with better performance in comparison to the lower layer chip level security provided by 2G, 3G or 4G Applications and no certificates exchanged during the communication.

Abstract: Influence on a key used between a user equipment and a base station, which will be imposed by unsecured updating of a key between the base station and a relay node when a relay node is being introduced is diminished. An HO request processing unit (202) extracts user equipment information from an HO request input from a receiver (201). A user equipment information determination section (204) determines a mode of handover from the user equipment information, and outputs a determination result to a key generator (205) and an HO command generator (207). In relation to a determination about a mode of handover on the basis of user equipment information, it is determined whether the handover is handover from a relay node to a base station, handover from a base station to a relay node, handover relating to relay nodes subordinate to the same base station, and the like.

Abstract: A data processing device including a microcontroller and configured to communicate with at least one remote system distributed on a network. The data processing device and the remote system are adapted to store a plurality of parameters identifying a user account belonging to a subscriber. The data processing device comprises a one-time parameter comprising the active account attached to the device designed for a one-time use, and a permanent parameter identifying an account attached to the data processing device, the permanent parameter being deactivated. The one-time and permanent parameter are stored in the at least one remote system, and the microcontroller is programmed to: use the one-time parameter to logon to the network when the data processing device is switched on; and exchanges the one-time parameter with the permanent parameter, upon successful logon to the network, the permanent parameter becoming the permanent active account.

Abstract: Method and system of auditing databases for security compliance. The method and system relating to querying databases for security parameters and auditing the queried parameters against authorized security parameters to determine security compliance of the databases.

Abstract: A wireless phone system and methods performed thereon for cryptographically processing SMS messages is disclosed. A cryptographic pad is used to replace characters in a payload of a SMS message with coded characters. The cryptographic pad is used by the receiver of the SMS message to decode it. The cryptographic pad is one of two or more possible cryptographic pads stored in the receiver. In one embodiment, the two or more possible cryptographic pads are sent as a key where a particular cryptographic pad is referenced in the key using an index.

Abstract: A method of updating a vehicle ECU includes establishing communication between a data communications module of a vehicle and an update server via a cellular network; validating the vehicle using a key exchange protocol between the data communications module and the update server; and sending update information from the update server to the data communications module of the vehicle via the cellular network, the update information configured to be used to update the vehicle ECU.

Abstract: This method makes secure a link, for example a radio link, between a data terminal (PDA2) and a data processing local area network (WLAN2) that is coupled to a mobile telephone network (PLMN2) that includes an authentication center (AU2).

Abstract: An apparatus, system, computer-readable medium, and method to facilitate quick transition of communications of a mobile station between network stations of a radio communication system, such as a WLAN operable to a variant of an IEEE 802 operating specification, is provided. Implementations of embodiments described herein reduce the transition duration by a pre-keying mechanism that performs authentication procedures prior to commencement of reassociation procedures. In other embodiments, a mobile station is allowed to select whether to perform pre-keying processes over an air interface with a target transition access point or whether to perform the pre-keying processes over a distribution system.

Abstract: A VoLGA Access Network Controller (VANC), a User Equipment, and methods are described herein for providing security to Voice over Long-Term Evolution via Generic Access (VoLGA) traffic.

Abstract: A method including generating a plurality of convergence layer protocol data units in a packet-switched telecommunications system protocol stack; ciphering said plurality of convergence layer protocol data units using a ciphering sequence number; transferring said plurality of ciphered convergence layer protocol data units to a link layer of the packet-switched telecommunications system; discarding at least one ciphered convergence layer protocol data unit at the link layer and generating a link layer protocol data unit from at least one of the ciphered convergence layer protocol data units that has not been discarded; and transmitting the link layer protocol data unit and information relating to the discarding for a peer link layer.

Abstract: A system and method for authenticating a user with a wireless data processing device.

Abstract: A data blob has an operator's certificate that specifies a network. The data blob is encrypted by the network using a private key that authenticates that a user device owns a MAC address. The network sends the encrypted data blob to the user device, which decrypts it using a private key that is locally stored in the user device. From that the user device obtains the operator's certificate, locks the user device to a network specified by the operator's certificate, and sends a response message signed with the private key. The network grants access to the user device based on the signed response message. Various embodiments and further details are detailed. This technique is particularly useful for a WiMAX or WLAN/WiFi network in which there is no SIM card to lock the device to the network.

Abstract: Systems and methods of securing wireless communications between a network and a subscriber station are disclosed. One embodiment creates authentication triplets due to expire after a certain amount of time such that they may not be used indefinitely by an attacker who intercepts them.

Abstract: A method of providing certificate issuance and revocation checks involving mobile devices in a mobile ad-hoc network (MANET). The wireless devices communicate with each other via Bluetooth wireless technology in the MANET, with an access point (AP) to provide connectivity to the Internet. A Certificate authority (CA) distributes certificates and certification revocation lists (CRLs) to the devices via the access point (AP). Each group of devices has the name of the group associated with the certificate and signed by the CA. A device that is out of the radio range of the access point may still connect to the CA to validate a certificate or download the appropriate CRL by having all the devices participate in the MANET.

Abstract: Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses.

Abstract: A communication system and device that enables free-hand drawn SMS (Short Messaging Service) messages to be transmitted and received from/to various user devices. A buffer device is inserted within a GSM compatible handset providing a buffer for both conventional SMS messages created by typing a message on the keypad of the handset and for free-hand drawn SMS messages created by drawing or writing the free-hand message on a data entry device. An optional OCR (Optical Character Recognition) facility can be provided in either the buffer device inserted within the handset or in a network server that receives the transmitted message and processes it for proper routing to the intended recipient.

Abstract: A computer program product, apparatus and method for establishing a voice call of a mobile communication system includes: authenticating an origination terminal through a traffic channel by performing call connection between the origination terminal and an origination side network; authenticating a destination terminal through a traffic channel by performing call connection between a termination side network and the destination terminal when the authentication is successful; and establishing a speech path between the origination terminal and the destination terminal when the destination terminal is successfully authenticated. A request and submission of an OTP for authenticating a user of a mobile terminal is possibly performed according to the voice call protocol, whereby the security of the mobile terminal can be strengthened and the strong demand of users with respect to protecting the privacy and information can be satisfied.

Abstract: A method for provisioning client devices securely and automatically by means of a network provisioning system is disclosed. Provisioning occurs before the client is granted access to the network. The provisioning is determined dynamically at the time a client connects to the network and may depend on a multitude of factors specified by data dictionaries of the provisioning system.

Abstract: Disclosed is a method for transitioning an enhanced security context from a UTRAN-based serving network to a GERAN-based serving network. In the method, the remote station the remote station generates first and second session keys, in accordance with the enhanced security context, using an enhanced security context root key and a first information element. The remote station receives a first message from the UTRAN-based serving network. The first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with the GERAN-based serving network. The remote station generates, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys. The remote station protects wireless communications, on the GERAN-based serving network, based on the third and fourth session keys.

Abstract: A data verification method and system is provided. The data verification method includes the steps of transmitting data from a sender to a receiver over a signaling channel, transmitting a first set of bits to the receiver over a voice channel, wherein the first set of bits is generated using the data in the sender, and verifying the data through comparison between the first set of bits and a second set of bits that is generated based on the data in the receiver. The first and the second sets of bits may be a group of bits that are selected from a hash value using a selection mask in the sender and the receiver respectively, wherein the section mask has the same length as the hash value and the hash value is calculated based on the data, and the selection mask may be pre-defined between the sender and the receiver.

Abstract: Various embodiments of methods and apparatuses for managing authentication key contexts are described herein. In various embodiments, the methods and apparatuses include selective purging of authentication key contexts of supplicants even if their authentication keys have not expired.

Abstract: A chip card needs to be allocated in a secured manner to a network operator via a personalization center in order to determine a final authentication key which is attributed to a subscriber of the operator without its being transmitted via a network. The following is loaded into a card by a module: an algorithm and an allocation key; an algorithm for determination of the authentication key and at least one intermediate authentication key. A module transmits an allocation message which includes a final identity number, a random number and an allocation signature from the center to the card. The card authenticates the message by means of the allocation algorithm as a function of the allocation key and the allocation signature, and determines the final authentication key as a function of the intermediate key and the random number.

Abstract: The invention relates to a method of updating an authentication algorithm in at least one data processing device (CARD, SERV) which can store a subscriber identity (IMSI1) which is associated with an authentication algorithm (Algo1) in a memory element of said device (CARD, SERV). The inventive method comprises the following steps, namely: a step whereby a second inactive (Algo2) authentication algorithm is pre-stored in a memory element of the device and a step for switching from the first algorithm (Algo1) to the second algorithm (Algo2) which can inhibit the first algorithm (Algo1) and activate the second (Algo2).

Abstract: Authentication key generation for local area network communication, including: participating in communication of a message comprising a cipher suite selection type indicating cellular network compatible cipher suite; and creating cellular network compatible authentication keys according to said cipher suite selection type.

Abstract: A method for authenticating a user of certain service provided by a system through a first communication channel, in one aspect including receiving an access request from a first terminal of the user through the first communication channel; receiving an address or number of a second terminal of the user through the first communication channel; transferring data including an identification code, to the second terminal of the user through a second communication channel; receiving a user confirmation response, including the user identification code, from the second terminal of the user through the second communication channel; determining whether the identification code transferred to the second terminal is identical to the user identification code received from the second terminal; generating an authentication code if it is determined that both the user identification codes are identical to each other; transferring the user authentication code to the first terminal of the user through the first communication ch

Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.