Cellular Telephone Cryptographic Authentication Patents (Class 380/247)
-
Patent number: 8064597
Abstract: Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses.
Type: Grant
Filed: November 30, 2007
Date of Patent: November 22, 2011
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventor: Christian M Gehrmann
-
Patent number: 8054971
Abstract: A communication system and device that enables free-hand drawn SMS (Short Messaging Service) messages to be transmitted and received from/to various user devices. A buffer device is inserted within a GSM compatible handset providing a buffer for both conventional SMS messages created by typing a message on the keypad of the handset and for free-hand drawn SMS messages created by drawing or writing the free-hand message on a data entry device. An optional OCR (Optical Character Recognition) facility can be provided in either the buffer device inserted within the handset or in a network server that receives the transmitted message and processes it for proper routing to the intended recipient.
Type: Grant
Filed: July 27, 2001
Date of Patent: November 8, 2011
Assignee: Comverse Ltd
Inventor: Moshe Weiner
-
Patent number: 8051464
Abstract: A method for provisioning client devices securely and automatically by means of a network provisioning system is disclosed. Provisioning occurs before the client is granted access to the network. The provisioning is determined dynamically at the time a client connects to the network and may depend on a multitude of factors specified by data dictionaries of the provisioning system.
Type: Grant
Filed: December 19, 2007
Date of Patent: November 1, 2011
Assignee: Avenda Systems, Inc.
Inventors: Santhosh Cheeniyil, Krishna Prabhakar
-
Patent number: 8050658
Abstract: A computer program product, apparatus and method for establishing a voice call of a mobile communication system includes: authenticating an origination terminal through a traffic channel by performing call connection between the origination terminal and an origination side network; authenticating a destination terminal through a traffic channel by performing call connection between a termination side network and the destination terminal when the authentication is successful; and establishing a speech path between the origination terminal and the destination terminal when the destination terminal is successfully authenticated. A request and submission of an OTP for authenticating a user of a mobile terminal is possibly performed according to the voice call protocol, whereby the security of the mobile terminal can be strengthened and the strong demand of users with respect to protecting the privacy and information can be satisfied.
Type: Grant
Filed: December 21, 2007
Date of Patent: November 1, 2011
Assignee: LG Electronics Inc.
Inventor: Kwang-Sik Hong
-
Publication number: 20110255691
Abstract: Disclosed is a method for transitioning an enhanced security context from a UTRAN-based serving network to a GERAN-based serving network. In the method, the remote station generates first and second session keys, in accordance with the enhanced security context, using an enhanced security context root key and a first information element. The remote station receives a first message from the UTRAN-based serving network. The first message includes a second information element signaling to the remote station to generate third and fourth session keys for use with the GERAN-based serving network. The remote station generates, in response to the first message, the third and fourth session keys using the second information element and the first and second session keys. The remote station protects wireless communications, on the GERAN-based serving network, based on the third and fourth session keys.
Type: Application
Filed: April 11, 2011
Publication date: October 20, 2011
Applicant: QUALCOMM Incorporated
Inventors: Adrian Edward Escott, Anand Palanigounder
-
Patent number: 8036249
Abstract: A data verification method and system is provided. The data verification method includes the steps of transmitting data from a sender to a receiver over a signaling channel, transmitting a first set of bits to the receiver over a voice channel, wherein the first set of bits is generated using the data in the sender, and verifying the data through comparison between the first set of bits and a second set of bits that is generated based on the data in the receiver. The first and the second sets of bits may be a group of bits that are selected from a hash value using a selection mask in the sender and the receiver respectively, wherein the selection mask has the same length as the hash value and the hash value is calculated based on the data, and the selection mask may be pre-defined between the sender and the receiver.
Type: Grant
Filed: December 31, 2007
Date of Patent: October 11, 2011
Assignee: Samsung Electronics Co., Ltd.
Inventors: Tymur Korkishko, Kyung-Hee Lee
-
Patent number: 8031872
Abstract: Various embodiments of methods and apparatuses for managing authentication key contexts are described herein. In various embodiments, the methods and apparatuses include selective purging of authentication key contexts of supplicants even if their authentication keys have not expired.
Type: Grant
Filed: January 10, 2006
Date of Patent: October 4, 2011
Assignee: Intel Corporation
Inventor: Sanjay Bakshi
-
Patent number: 8032748
Abstract: A chip card needs to be allocated in a secured manner to a network operator via a personalization center in order to determine a final authentication key which is attributed to a subscriber of the operator without its being transmitted via a network. The following is loaded into a card by a module: an algorithm and an allocation key; an algorithm for determination of the authentication key and at least one intermediate authentication key. A module transmits an allocation message which includes a final identity number, a random number and an allocation signature from the center to the card. The card authenticates the message by means of the allocation algorithm as a function of the allocation key and the allocation signature, and determines the final authentication key as a function of the intermediate key and the random number.
Type: Grant
Filed: December 6, 2005
Date of Patent: October 4, 2011
Assignee: Gemalto SA
Inventors: Lionel Merrien, Gary Chew, Max De Groot
-
Patent number: 8031871
Abstract: The invention relates to a method of updating an authentication algorithm in at least one data processing device (CARD, SERV) which can store a subscriber identity (IMSI1) which is associated with an authentication algorithm (Algo1) in a memory element of said device (CARD, SERV). The inventive method comprises the following steps, namely: a step whereby a second inactive (Algo2) authentication algorithm is pre-stored in a memory element of the device and a step for switching from the first algorithm (Algo1) to the second algorithm (Algo2) which can inhibit the first algorithm (Algo1) and activate the second (Algo2).
Type: Grant
Filed: March 11, 2003
Date of Patent: October 4, 2011
Assignee: Gemalto SA
Inventors: Patrice Beaudou, Christophe Dubois
-
Publication number: 20110235802
Abstract: Authentication key generation for local area network communication, including: participating in communication of a message comprising a cipher suite selection type indicating cellular network compatible cipher suite; and creating cellular network compatible authentication keys according to said cipher suite selection type.
Type: Application
Filed: March 29, 2010
Publication date: September 29, 2011
Applicant: NOKIA CORPORATION
Inventors: Heikki Juhani Kokkinen, Mika Petri Olavi Rinne, Pekka Johannes Laitinen
-
Patent number: 8024567
Abstract: A method for authenticating a user of certain service provided by a system through a first communication channel, in one aspect including receiving an access request from a first terminal of the user through the first communication channel; receiving an address or number of a second terminal of the user through the first communication channel; transferring data including an identification code, to the second terminal of the user through a second communication channel; receiving a user confirmation response, including the user identification code, from the second terminal of the user through the second communication channel; determining whether the identification code transferred to the second terminal is identical to the user identification code received from the second terminal; generating an authentication code if it is determined that both the user identification codes are identical to each other; transferring the user authentication code to the first terminal of the user through the first communication ch
Type: Grant
Filed: March 31, 2003
Date of Patent: September 20, 2011
Assignee: Momocash Inc.
Inventor: Min-Gyu Han
-
Patent number: 8024799
Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.
Type: Grant
Filed: July 7, 2006
Date of Patent: September 20, 2011
Assignee: Cpacket Networks, Inc.
Inventor: Rony Kay
-
Publication number: 20110222688
Abstract: The present invention provides a secure voice solution for the BlackBerry 9000 (BlackBerry Bold™). Rather than make encrypted voice calls through traditional GSM cellular phone calls, the present invention instead receives voice data from the user using the device microphone and built-in media player software in the device. This data is then encrypted and then sent as an IP packet. The device then receives, as IP packets, encrypted voice communication from the other party in the encrypted call, which in turn are decrypted in the device and then played back on a second media player running on the device. The present invention takes advantage of the device's ability to run two media players simultaneously to, in effect, simulate a cellular telephone call.
Type: Application
Filed: March 10, 2011
Publication date: September 15, 2011
Inventors: Andrew Graham, Michael Kopec
-
Patent number: 8019991
Abstract: There is disclosed a security device for use in a wireless network comprising a group of base stations that communicate with numerous mobile stations. The security device prevents an unprovisioned one of the mobile stations from accessing an Internet protocol (IP) data network through the wireless network. The security device comprises a first controller for receiving from the unprovisioned mobile station an IP data packet comprising an IP packet header and an IP packet payload. The first controller replaces the IP packet header with a replacement IP packet header containing an IP address of a selected provisioning server of the wireless network. The first controller selects the provisioning server by selecting the IP address in the replacement IP packet header according to a load spreading algorithm.
Type: Grant
Filed: December 30, 1999
Date of Patent: September 13, 2011
Assignee: Samsung Electronics Co., Ltd.
Inventors: Bryan J. Moles, Sudhindra P. Herle
-
Patent number: 8019344
Abstract: Apparatus, and associated method, for facilitating transition, or other communication hand-off, between access points of a wireless local area network. When an old access point is notified of selection to transition communications, the old access point generates a transition request message that is communicated by way of a network to the new access point. The transition request includes a temporary key. And, the old access point notifies the mobile station of the temporary key. The mobile station re-associates with the new access point, and the temporary key is used pursuant to initial communications between the mobile station and the new access point.
Type: Grant
Filed: August 11, 2005
Date of Patent: September 13, 2011
Assignee: Nokia Corporation
Inventor: Stefano Faccin
-
Patent number: 8019283
Abstract: A method, apparatus, and system for using Bluetooth devices to secure sensitive data on other Bluetooth devices is described. A Bluetooth device is paired with a “trusted” Bluetooth device. When contact with the trusted device is lost, designated sensitive data on the secured Bluetooth device is automatically encrypted. When contact is restored, the data is automatically decrypted. In an alternate embodiment, a secured device can be associated with multiple trusted devices, and the secured device designate different sensitive data for each trusted device. In this way, multiple users can share a common, “public” Bluetooth device without concern that the other users will access their sensitive data on the device when the device is not being used by that user.
Type: Grant
Filed: July 13, 2010
Date of Patent: September 13, 2011
Assignee: Broadcom Corporation
Inventor: Andre Eisenbach
-
Patent number: 8010781
Abstract: A device and method for accelerating functioning of a software application having multi-layer, high overhead protocols, wherein the device has a first processor operating a software application having a multi-layer protocol; a second processor configured to operate at least one layer of the multi-layer protocol; and a memory accessible to each of the processor and the second processor.
Type: Grant
Filed: November 8, 2007
Date of Patent: August 30, 2011
Assignee: QUALCOMM Incorporated
Inventors: Anthony P. Mauro, James J. Willkie
-
Patent number: 8011001
Abstract: A security management method in a mobile communication system supporting Proxy Mobile Internet Protocol (IP). In the security management method, a Mobile Node (MN), a Serving Packet Data Service Node (S-PDSN), and an Authentication, Authorization and Accounting (AAA) server generate a security key of the Proxy Mobile IP. Upon receipt of information for authentication of a security key from the MN, the S-PDSN sends an access request message to the AAA server and receives information for verification of the security key. The S-PDSN sends a first message for requesting verification of the security-related key to a Home Agent (HA). The HA verifies the security-related key through the AAA server and sends a second message to the S-PDSN when the security-related key is verified. The S-PDSN sends a message indicating initiation of the Proxy Mobile IP, to the MN.
Type: Grant
Filed: July 27, 2007
Date of Patent: August 30, 2011
Assignee: Samsung Electronics Co., Ltd
Inventors: Kyung-Joo Suh, Hyeon-Woo Lee, Beom-Sik Bae, Jae-Chon Yu
-
Patent number: 8010104
Abstract: Techniques to reduce the amount of registration required by a mobile station in a wireless communication system, especially if the registration zones are defined to be small areas. In one scheme, a mobile station registers (e.g., at RR-level) with a network entity (e.g., a base station) each time it enters a new registration zone, which can correspond to an R-TMSI zone defined by GSM MC-MAP. The mobile station maintains a timer for each zone with which it has already registered but has since left. If the mobile station leaves a particular zone for a period longer than a time-out period, the registration with that zone times out, and the mobile station re-registers with that zone whenever it re-enters the zone. The mobile station may implement zone-based, timer-based, implicit, traffic channel RR, and some other registrations, or a combination thereof. Parameters to facilitate registration may be defined by a base station.
Type: Grant
Filed: July 1, 2010
Date of Patent: August 30, 2011
Assignee: QUALCOMM Incorporated
Inventors: Avinash Jain, Edward G Tiedemann, Jr.
-
Patent number: 8005218
Abstract: A system and method for providing roaming access on a network are disclosed. The network includes a plurality of wireless and/or wired access points. A user may access the network by using client software on a client computer (e.g., a portable computing device) to initiate an access procedure. In response, a network management device operated by a network provider may return an activation response message to the client. The client may send the user's username and password to the network provider. The network provider may rely on a roaming partner, another network provider with whom the user subscribes for internet access, for authentication of the user. Industry-standard methods such as RADIUS, CHAP, or EAP may be used for authentication. The providers may exchange pricing and service information and account information for the authentication session. A customer may select a pricing and service option from a list of available options.
Type: Grant
Filed: November 3, 2006
Date of Patent: August 23, 2011
Assignee: Wayport, Inc.
Inventors: James D. Keeler, Matthew M. Krenzer
-
Patent number: 8005458
Abstract: A device and method for detecting and preventing sensitive information leakage from a portable terminal is provided. A device for detecting and preventing leakage of sensitive information from a portable terminal includes a data storage unit that stores data containing sensitive information, an external interface that interfaces the portable terminal with the external, a sensitive information manager that detects and prevents leakage of the sensitive information stored in the data storage unit through the external interface, and a sensitive information leakage detecting and preventing unit that is disposed between the data storage unit and the external interface to detect and prevent the leakage of the sensitive information.
Type: Grant
Filed: October 15, 2008
Date of Patent: August 23, 2011
Assignee: Electronics and Telecommunications Research Institute
Inventors: Kwangho Baik, Dongho Kang, Kiyoung Kim
-
Patent number: 8006099
Abstract: In a state in which a fingerprint authentication mode is set, a fingerprint authentication unit authenticates a fingerprint input in accordance with an input instruction, performs unlocking if the authentication is successful, instructs another fingerprint input if the authentication fails, and determines unauthorized use and switches the mode to a PIN code authentication mode if the fingerprint authentication sequentially fails for a predetermined number of times. In a state of the PIN code authentication mode, a PIN code authentication unit authenticates a PIN code input in accordance with an input instruction, performs unlocking if the authentication is successful, instructs another PIN code input if the authentication fails, and determines unauthorized use and turns off the power source if the authentication sequentially fails for a predetermined number of times.
Type: Grant
Filed: May 19, 2005
Date of Patent: August 23, 2011
Assignee: Fujitsu Limited
Inventors: Susumu Aoyama, Yuko Nakajima, Tomohiko Takahashi
-
Patent number: 8005217
Abstract: Methods, systems, devices and computer programs for configuring nodes on a wireless network can include generating a security key for the network, setting the security settings on the access point based on the security key, and saving the security key in a profile data file on a removable memory device along with a portable configuration utility for using the profile data file for configuring other nodes on the network. The removable memory device can then be inserted into other nodes and the portable configuration utility can be run to match the same key on the other network nodes based on the information stored in the profile data file on the removable memory device.
Type: Grant
Filed: February 14, 2007
Date of Patent: August 23, 2011
Assignee: Novatel Wireless, Inc.
Inventors: Cuong Pham, John Wu, Ulf Soderberg
-
Patent number: 8001615
Abstract: A method for managing the security of applications with a security module associated to an equipment connected to a network managed by a control server of an operator. The applications use resources as data or functions stored in the security module locally connected to the equipment. The method may include steps of receiving, analyzing and verifying, by the control server, identification data from the equipment and the security module, generating a cryptogram from the result of the verification of the identification data, transmitting the cryptogram to the security module of the equipment, and selectively activating or selectively deactivating by the security module at least one resource as data or functions of the security module by executing instructions included in the cryptogram and conditioning the functioning of an application according to criteria established by a supplier of the application or the operator or a user of the equipment.
Type: Grant
Filed: November 3, 2004
Date of Patent: August 16, 2011
Assignees: Nagravision S.A., Swisscom Mobile AG
Inventors: Rached Ksontini, Renato Cantini
-
Patent number: 7995756
Abstract: Mobile device playback and control of media content stored on a personal media host device is provided. The mobile device may communicate a request for media content to a network server, which may determine whether the mobile device is authorized to access the requested media content. If it is determined that the mobile device is authorized, the network server may access the media content from the host device. The network server may then initiate a media session with the mobile device, wherein the media content is streamed to the mobile device.
Type: Grant
Filed: October 12, 2005
Date of Patent: August 9, 2011
Assignee: Sprint Communications Company L.P.
Inventors: David Uel McKinney, Monika Kishor Panpaliya
-
Patent number: 7996673
Abstract: A system for encrypting and decrypting messages using a browser in either a web or wireless device or secure message client software for transmission to or from a web server on the Internet connected to an email server or message server for the situation where the sender does not possess the credentials and public key of the recipients. The encryption and decryption is conducted using a standard web browser on a personal computer or a mini browser on a wireless device, or message client software on either a personal computer or wireless devices such that messages transmitted to the web or wireless browser or message client software can be completed and encrypted and signed by the user such that encrypted and signed data does not require credentials and public key of the recipients. A method for delivering and using private keys to ensure that such keys are destroyed after use is also provided.
Type: Grant
Filed: May 12, 2004
Date of Patent: August 9, 2011
Assignee: Echoworx Corporation
Inventors: Viatcheslav Ivanov, Qinsheng Lai, Michael Graves Mansell, Michael Albert Roberts, Joseph Dominic Michael Sorbara
-
Patent number: 7991157
Abstract: A device, such as a cell phone, uses an image sensor to capture image data. The phone can respond to detection of particular imagery feature (e.g., watermarked imagery, barcodes, image fingerprints, etc.) by presenting distinctive graphics on a display screen. Such graphics may be positioned within the display, and affine-warped, in registered relationship with the position of the detected feature, and its affine distortion, as depicted in the image data. Related approaches can be implemented without use of an image sensor, e.g., relying on data sensed from an RFID device. A variety of other features and arrangements are also detailed.
Type: Grant
Filed: April 25, 2007
Date of Patent: August 2, 2011
Assignee: Digimarc Corporation
Inventor: Geoffrey B. Rhoads
-
Patent number: 7986940
Abstract: An automatic wireless network linking method with a security configuration includes: providing an access point with a floating service set identifier and a shared key. The floating service set identifier has a prefix name. Next, a host system is provided to execute a setting and linking application to automatically scan the access point with the prefix name and obtain the floating service set identifier of the access point. Both the access point and the setting and linking application perform an operation process to generate a dynamic key. The dynamic key is converted into a wireless network encryption algorithm. Finally, the host system links to the access point to perform wireless communication, and uses the wireless network encryption algorithm to encrypt and decrypt data. Thereby, the time required for setting up the wireless network platform is reduced.
Type: Grant
Filed: July 5, 2007
Date of Patent: July 26, 2011
Assignee: Azurewave Technologies, Inc.
Inventors: Ching-Hsiang Lee, Chih-Chiang Chou
-
Patent number: 7983656
Abstract: A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to implement an Elliptic Curve Diffie-Hellman (ECDH) cryptosystem and manage a key exchange, authentication, and certificate exchange with a communication device also implementing the ECDH cryptosystem, wherein the server communicates over a network that provides an encrypted communication link for the communication device. Other embodiments are disclosed.
Type: Grant
Filed: September 12, 2007
Date of Patent: July 19, 2011
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Nam Nguyen, Donggen Zhang, Paul Tomalenas
-
Patent number: 7983227
Abstract: In the conventional network using the PPP stipulated by RFC1661, the LCP phase to establish an LCP link, the authentication phase, and the NCP phase such as address assignment processing of the NCP are sequentially conducted each time the line connection is performed, and hence the connection takes a certain period of time. In particular, in the case of the mobile communication, there is often performed operation in which connection and disconnection are frequently conducted in a short period of time, and hence when the operation up to the connection takes a long period of time, the usability is deteriorated. Therefore, a need exists for a configuration of an apparatus and a communication method to reduce the connection time.
Type: Grant
Filed: February 22, 2005
Date of Patent: July 19, 2011
Assignee: Hitachi, Ltd.
Inventors: Naruhito Nakahara, Hitomi Teraoka
-
Publication number: 20110170689
Abstract: A terminal may include a memory to store first encryption information applied to the handheld terminal and second encryption information corresponding to a phone number of another party's terminal, and a control unit to encrypt a message using the first encryption information and the second encryption information stored in the memory, when transmitting the message to the other party's terminal.
Type: Application
Filed: July 14, 2010
Publication date: July 14, 2011
Applicant: Pantech Co., Ltd.
Inventors: Joonkyu PARK, Hyoung Sang Park, Choong Beom You, Sung Joong Cho, Hong Suk Choi
-
Patent number: 7979054
Abstract: A system and method for providing secure authentication for website access or other secure transaction. In one embodiment, when a user accesses a website, the web server identifies the user, and sends an authentication request to the user's mobile device. The mobile device receives the authentication requests and sends back authentication key to the web server. Upon verifying the authentication key, the web server grants the access to the user.
Type: Grant
Filed: October 19, 2006
Date of Patent: July 12, 2011
Assignee: Qualcomm Incorporated
Inventor: Mark Wayne Baysinger
-
Patent number: 7974414
Abstract: Methods and apparatus for automatically grouping user-specific information items (400) in a mobile station (102) are disclosed. In one illustrative example, a method includes the steps of reading a first user-specific information item (404, 406, 408, or 410) associated with a first file or application of the mobile station (102); storing the first user-specific information item (404, 406, 408, or 410) in a user information file or message (402) of the mobile station (102); and repeating the acts of reading and storing for at least a second user-specific information item (404, 406, 408, or 410) associated with a second file or application of the mobile station (102), so that the first and the second user-specific information items are grouped together as user information in the user information file or message (402). Examples of user-specific information items (400) include a user name (404) associated with an end user of the mobile station (102), a telephone number (406) (e.g.
Type: Grant
Filed: February 27, 2004
Date of Patent: July 5, 2011
Assignee: Research In Motion Limited
Inventor: Anthony George Burns
-
Patent number: 7970380
Abstract: A method in a communication network wherein users are authenticated based on network originated user identities is disclosed. The authentication method comprising the steps of receiving a network originated identity from a user and associating the network originated identity with at least one non-network originated identity stored in a data storage. When a non-network originated identity is received from the user, the non-network originated identity from the user is compared with the at least one non-network originated identity from the data storage. The user is authenticated if the comparison is valid.
Type: Grant
Filed: June 7, 2005
Date of Patent: June 28, 2011
Assignee: Nokia Corporation
Inventor: Lauri Laitinen
-
Patent number: 7965842
Abstract: Unauthorized wireless access points are detected by configuring authorized access points and mobile units to listen to all wireless traffic in its cell and report all detected wireless devices to a monitor. The monitor checks the reported devices against a list of authorized network devices. If the reported wireless device is not an authorized device, the monitor determines if the reported device is connected to the network. If the reported device is connected to the network and is not an authorized device, the monitor alerts the network operator or network manager of a rogue device connected to the network and attempts to locate and isolate the rogue device.
Type: Grant
Filed: June 28, 2002
Date of Patent: June 21, 2011
Assignee: Wavelink Corporation
Inventors: Robert Whelan, Lamar Van Wagenen, Roy Morris
-
Patent number: 7966662
Abstract: An authentication system is disclosed. The authentication system includes a content provider configured to distribute encrypted content, wherein the encrypted content is generated using a content key, and a client having a symmetric key and configured to store the encrypted content received from the content provider and issue a request to the content provider, wherein the request includes a cryptographic function configured to have the symmetric key and the encrypted content as input, wherein the content provider is further configured to verify the client via the request to ensure that the client has received the encrypted content.
Type: Grant
Filed: January 6, 2005
Date of Patent: June 21, 2011
Assignee: QUALCOMM Incorporated
Inventors: Gregory Gordon Rose, James Semple, Roy Franklin Quick, Jr., Philip Michael Hawkes
-
Patent number: 7966001
Abstract: A system including a handheld mobile computing device and an external storage medium in communication with the mobile computing device, the storage medium having stored thereon preconfigured user information and security information.
Type: Grant
Filed: March 26, 2010
Date of Patent: June 21, 2011
Assignee: Morgan Stanley
Inventors: Andrew Jong Kein Toy, Bruce Alexander Zenel, John Roussochatzakis
-
Publication number: 20110142234
Abstract: The invention described here provides a fully-distributed solution to the problem of confirming the identity of the presenter of a payment card or other credentials, using multiple factors to authenticate the presenter. The invention leverages the wide penetration of mobile phones in modern economies as the basis for the distributed multi-factor authentication. For additional confidence levels biometric data can be incrementally included as part of the multi-factor authentication. The loss of any one of the multiple authentication factors does not compromise the integrity of the system or the individual, and there is no single point of vulnerability for attack or theft. The invention is fully backwards compatible with current payment cards systems and can be extended to almost any situation where the identity of the presenter of credentials needs to be authenticated prior to allowing the individual access to the protected services, systems, or locations.
Type: Application
Filed: October 4, 2010
Publication date: June 16, 2011
Inventor: Michael Leonard Rogers
-
Publication number: 20110142235
Abstract: A telecommunication system includes a processor, interfaces in communication with the public telephone network and a data network, respectively, and a memory. The memory comprises executable instructions that when executed by the processor direct the system to controllably permit access to a teleconference bridge in response to a communication from a mobile-communication device that includes information responsive to a previously communicated license key. Generally, the communication is in the form of a call from the user of the mobile-communication device. Upon receipt of the call, the telecommunication system confirms that the mobile-communication device communicates a pass code that was included in an encrypted form in the license key.
Type: Application
Filed: February 18, 2011
Publication date: June 16, 2011
Applicant: American Teleconferencing Services, Ltd.
Inventors: Randolph J. Leigh, Thomas Ray Miller, David Guthrie, J. Scott Tapp
-
Patent number: 7962122
Abstract: A method of securely initializing subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using the subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.
Type: Grant
Filed: May 21, 2004
Date of Patent: June 14, 2011
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Pekka Nikander, Jari Arkko
-
Publication number: 20110135091
Abstract: Secure telephone devices, systems and methods are provided for carrying out secure communications utilizing a telephone device that includes cryptographic storage and processing components, the cryptographic processing components including intercepting and injecting capabilities for intercepting an incoming signal, cryptographically processing the signal and injecting the system for delivery to the output of the telephone device, wherein the system and method may utilize the telephone operating system, and wherein embodiments are provided where an exchange component regulates the cryptographic information so that users engaging in secure cryptographic communications do not need to provide encryption key information to each other.
Type: Application
Filed: September 24, 2010
Publication date: June 9, 2011
Inventor: Peter V. Radatti
-
Patent number: 7953391
Abstract: Disclosed are a method and a system for mutual inclusive authentication between a service provider, a terminal and a user identity module. The authentication system is configured in a structure that can interact with a public key infrastructure of the current network security environment and can be independently used in a specific network system. The inclusive authentication method is divided into public key authentication and symmetric key authentication. Mutual authentication can be made between a service provider, a terminal and a user identity module using any of the two authentication schemes. Then a user can access content on any terminal device using the content license based on the user's identity.
Type: Grant
Filed: May 15, 2006
Date of Patent: May 31, 2011
Assignee: Samsung Electronics Co., Ltd
Inventors: Byung-Rae Lee, Sung-Oh Hwang, Wuk Kim
-
Publication number: 20110117883
Abstract: A method for securing text messages adds an encryption-decryption module to a pair of cellular phones. A text message is entered on a first of the pair of cellular phones. The text message is encrypted on the first of the pair of cellular phones. The encrypted text message is transmitted to a second of the pair of cellular phones.
Type: Application
Filed: November 19, 2009
Publication date: May 19, 2011
Inventor: DAVID DRABO
-
Patent number: 7945245
Abstract: An authentication system for performing authentication of a wireless terminal is a system that issues an authentication request to an authentication server connected to a communication network and includes a wireless base station and an authentication server. The wireless base station includes: an authentication information acquisition means for acquiring authentication information from a wireless connection request packet; and an authentication request transmission means for transmitting the authentication information acquired by the authentication information acquisition means and RAS unique information registered in the wireless base station to the authentication server.
Type: Grant
Filed: August 21, 2007
Date of Patent: May 17, 2011
Assignee: NEC Infrotia Corporation
Inventor: Masatsugu Takahashi
-
Patent number: 7941121
Abstract: The invention discloses a method for verifying the validity of a user, making full use of a TID as the bridge for establishing confidence between a NAF and a user equipment, and the BSF assigning a term of validity for the TID, thereby extending the function of the TID, enabling the NAF to verify the term of validity for using the TID, and accordingly, achieving a further verification of the validity to the user. By using the method of the invention, it is possible to avoid the situation in which one TID is permanently valid for one or more NAFs, enhance the system security, decrease the risks caused by the theft of users' TID and corresponding secret keys, and at the same time, implement TID management by the NAF. In addition, a combination of the method with billing system makes it easy to implement the function of charging a user.
Type: Grant
Filed: April 28, 2006
Date of Patent: May 10, 2011
Assignee: Huawei Technologies Co., Ltd.
Inventor: Yingxin Huang
-
Patent number: 7941663
Abstract: A system is provided that includes at least one processor and instructions that when executed by the processor promote exchanging extensible authentication protocol (EAP) messages for authentication by sending a plurality of data packets formatted in accordance with an IEEE 802.15.4 standard. The EAP messages are encapsulated within a data field of the IEEE 802.15.4 standard data packet and wherein the encapsulated EAP message comprises an EAP header and a data portion.
Type: Grant
Filed: October 23, 2007
Date of Patent: May 10, 2011
Assignee: FutureWei Technologies, Inc.
Inventor: Behcet Sarikaya
-
Patent number: 7940932
Abstract: An electronic circuit (120) includes a more-secure processor (600) having hardware based security (138) for storing data. A less-secure processor (200) eventually utilizes the data. By a data transfer request-response arrangement (2010, 2050, 2070, 2090) between the more-secure processor (600) and the less-secure processor (200), the more-secure processor (600) confers greater security of the data on the less-secure processor (200). A manufacturing process makes a handheld device (110) having a storage space (222), a less-secure processor (200) for executing modem software and a more-secure processor (600) having a protected application (2090) and a secure storage (2210).
Type: Grant
Filed: April 7, 2005
Date of Patent: May 10, 2011
Assignee: Texas Instruments Incorporated
Inventors: Erdal Paksoy, Narendar Shankar, Sven-Inge Redin
-
Patent number: 7937756
Abstract: An embodiment of an apparatus that facilitates network security and traffic monitoring for input network traffic includes a plurality of microcode controlled state machines, each of which includes a computation kernel. A plurality of rules applied to a network traffic segment are distributed across the computation kernels. Each of the computation kernels includes condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in the microcode to produce an associated output. A distribution circuit routes the network traffic segment to each of the plurality of microcode controlled state machines. An aggregation circuit generates a decision on which forwarding of the network traffic segment is based, where the decision is a logical combination of the associated output of each of the computation kernels.
Type: Grant
Filed: August 19, 2005
Date of Patent: May 3, 2011
Assignee: Cpacket Networks, Inc.
Inventor: Rony Kay
-
Patent number: 7936872
Abstract: A system and method in a wireless network for discovering which resources (e.g., other wireless computing devices) are proximate a user's wireless computing device. Wireless signal strengths with respect to various base stations are compared with the signal strengths of other network devices or resources, to determine which devices are experiencing similar signal strengths. Devices with similar signal strengths are deemed proximate. Each participating computing device may send its signal strength reports to a proximity server, which distributes proximity data to network clients. Each client may receive and process the signal strength data for determining which other clients/resources are proximate, or the server can perform proximity computations and return a list of proximate clients. Once computed, the identities of the proximate clients can be used to query for additional data about the clients, such as the names and other details of their owners, or information about the resource.
Type: Grant
Filed: September 30, 2003
Date of Patent: May 3, 2011
Assignee: Microsoft Corporation
Inventors: John C. Krumm, Susan D. Woolf, Roland Fernandez, David J. Marsh, Albert D. Jee, Wayne G. King
-
Patent number: 7937581
Abstract: The method and network ensure secure forwarding of a message in a telecommunication network that has at least one first terminal and another terminal. The first terminal moves from a first address to a second address. A secure connection between the first address of the first terminal and the other terminal defining at least the addresses of the two terminals is established. When the first terminal moves from the first address to a second address, the connection is changed to be between the second address and to the other terminal by means of a request from the first terminal and preferably a reply back to the first terminal.
Type: Grant
Filed: September 16, 2009
Date of Patent: May 3, 2011
Assignee: MPH Technologies OY
Inventors: Sami Vaarala, Antti Nuopponen