Abstract: Arranging data ciphering in a telecommunication system comprising at least one wireless terminal, a wireless local area network and a public land mobile network. At least one first ciphering key according to the mobile network is calculated in the mobile network and in the terminal for a terminal identifier using a specific secret key for the identifier. Data transmission between the mobile network and the terminal is carried out through the wireless local area network. A second ciphering key is calculated in the terminal and in the mobile network using said at least one first ciphering key. The second ciphering key is sent from the mobile network to the wireless local area network. The data between the terminal and the network is ciphered using said second ciphering key.

Abstract: This invention proposes an integrated process for AAA (Authentication, Authorisation, and Accounting) with the order reversed whereby L2 follows L3. The L3 process treats the wireless link as any normal IP access link, and the L3 authorisation provides L3 processing, but also includes the L2 terminal authentication identifiers so that the L2 security parameters can also be returned. This means that the wireless link and the IP layer are not secured until after the L3 authorisation has completed and therefore the first IP messages that trigger authorisation are sent insecurely. This invention also provides methods to avoid these insecure messages presenting any opportunities to an attacker. Finally, the inventions include methods to enable L3 before L2 authorisation when a user is roaming in a foreign network.

Abstract: A method, a mobile node (MN) and a correspondent node (CN) exchanging a Secret Authentication Key (SKbm) within an IPv6 network. The MN has a pair of keys comprising a private key and a public key and a HoA. Upon displacement of the MN from a home portion to a visited portion of the IPv6 network, a CoA is set. Thereafter, an establishment message is sent from the MN to the CN through a Home Agent associated to the MN. Upon reception of the establishment message, the CN tests the HoA and the CoA and therefor sends a first portion and a second portion of a secret data. The MN thereafter sends the secret data back to the CN within a signed message. In response thereto, the CN sends an acknowledgement message to the MN comprising the SKbm encrypted using the public key of the MN.

Abstract: In a communication system (100), a method and apparatus provides for message integrity regardless of the operating version of an authentication center (198) or an interface (197) between the authentication center (198) and a mobile switching center (199). The method and apparatus include generating a cellular message encryption algorithm (CMEA) key, and generating a CMEA-key-derived integrity key (CIK) based on the CMEA key for message integrity between a mobile station and a base station. The mobile station transmits a registration message to the base station, and determines an operating version of the authentication center (198) in communication with the base station based on whether the mobile station receives a registration accepted order or some elements of an authentication vector from the base station. The CIK is generated based on the CMEA key, if the mobile station receives a valid registration accepted order from the base station.

Abstract: A method and apparatus for preventing unauthorized use of a mobile terminal are provided, in which an execution code processor decrypts an Mobile Phone Certificate (MPC) using an MPC decryption code stored in it, when the mobile terminal is booted, an MPC processor compares a pre-stored MPC decryption execution code with the MPC decryption execution code, compares a pre-stored MPC encryption key with an MPC encryption key stored in the execution code processor. When the MPC decryption execution codes are identical, sets data required for an initial operation of the mobile terminal using an MPC management execution code included in a pre-stored MPC. When the MPC encryption keys are identical, decrypts Secured Code (SCode) blocks for execution of an application program, after executing the MPC management execution code. The execution code processor performs an operation program of the mobile terminal using the MPC management execution code and the decrypted SCode blocks.

Abstract: A computer-readable recording medium which records a remote control program for allowing data on a network protected by a gateway device to be transferred to an external device by external remote-control operations; a portable terminal device; and a gateway device. The terminal device transmits to the gateway device an access ticket issue request. The gateway device generates key information and transmits to the terminal device an access ticket including the key information. The terminal device transfers to a data acquisition device a data acquisition instruction including the acquired access ticket. The acquisition device transmits to the gateway device a data request including the key information. When the key information added to the access ticket and the key information included in the data request are the same, the gateway device transfers the data request to a data server device. The server device transfers the data to the acquisition device.

Abstract: A method and apparatus protect data stored in a device by storing data from the device on a backup system upon the device being connected to the backup system; detecting that the device has been lost or stolen; encrypting a set of data stored on the device that has not been stored on the backup system using an encryption key based on another set of data stored on the device and also stored on the backup system; and deleting the other set of data and encryption key from the device.

Abstract: A mobile device is configured to maintain data synchronization with a host server over a wireless network for user data of a host application program associated with a user account. The user account is associated with user account data which includes an encryption/decryption key, and the user data is communicated over the wireless network in an encrypted format in accordance with the encryption/decryption key. For the data synchronization, the mobile device regularly causes the user data associated with the user account to be stored in memory in a decrypted format for use with the client application program of the mobile device. The mobile device further causes a copy of the user data to be stored in the removable memory card in the encrypted format, for use in securely transferring the user data to an alternate mobile device for use with a client application program of the alternate mobile device.

Abstract: A method of establishing a collaborative domain among a plurality of communication terminals can include having a communication terminal authenticate one or more other communication terminals based on personal information, which can be stored on a removable memory card in the other terminals, and/or based on the geographic location of the other terminals. A first communication terminal can determine the geographic location of a second communication terminal and can authenticate the second communication terminal in response to both the determined geographic location and personal information defined in the second communication terminal. In response to the authentication by the first communication terminal, communication of user and/or program information, which is unrelated to authentication, is allowed between at least the first and second communication terminals.

Abstract: A method of unlocking a mobile terminal after a period of use and ensuring that the first operator who sold the terminal receives adequate payment prior to the use thereof. The identity of the terminal is saved and a security algorithm, which is not known to the operator, is implemented in a security module which is introduced into a server that is managed by the operator. After the period of use, the security module determines a secret key which is obtained by applying the terminal identity transmitted thereby and an operator code to the security algorithm, following a request transmitted by the service entity. The determined secret key, which is encrypted at the terminal, is transmitted over the operator's radiocommunications network and decrypted in the mobile terminal so that it can be compared to the saved secret key in order for the mobile terminal to be unlocked when the compared secret keys are identical.

Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).

Abstract: An apparatus is disclosed for acquiring information to be transmitted to a receiving facility and for transmitting such thereto. A capture device captures information from a first source. A stamping device is provided for associating with the captured information a representation of the date and time of the capture of the information, such that the representation of the date and time information in association with the captured information forms augmented captured information. A data processing unit is provided for placing the augmented captured information in association with subscriber information in a transmission of the augmented captured information to a receiving facility requiring such subscriber information. A transmitter transmits the transmission including the augmented captured information and the subscriber information to said receiving facility. An encryptor encrypts the augmented captured information for transmission to said receiving facility.

Abstract: The invention relates to a method for authenticating the user of a terminal (5), in which terminal a device (15) for verifying the rights to use is applied for running an authentication protocol. The device (15) for verifying the rights to use is connected to the terminal (5). In the device (15) for verifying the rights to use, an extensible authentication protocol interface is applied, via which at least some of the authentication functions are carried out.

Abstract: When wireless binding or pairing is required, two wireless devices change from a normal broad wireless operating range to a reduced wireless operating range. The wireless devices then conduct binding or pairing operations in the reduced wireless range. This prevents other wireless devices in the same area from detecting the same reduced range binding signaling and inadvertently binding with the wrong devices. After the reduced range binding operations are completed, the wireless devices automatically switch back to the broader normal wireless operating range and use the exchanged binding information for conducting normal wireless communications. The reduced range pairing scheme creates a simple and intuitive technique for pairing wireless devices without requiring the user to press buttons or select devices from a list.

Abstract: A wireless digital personal communications system (or PCS) having a plurality of radio cell base stations, fixed terminals, and portable handset terminals, each having a predetermined radio cell coverage area. The wireless PCS has a full digital network interface. The personal communications system facilitates the interconnection and switching of PCS call traffic through the digital network interface and the public switched telephone network, or any switched network. The personal communications system has voice/data/image (or any combination thereof) and incoming and outgoing calling capability. The PCS is fully operational and compatible with any and all modulation approaches selected for wireless communications.

Abstract: A wireless communication apparatus which wirelessly communicates with other communication apparatus or apparatuses, comprises a setting unit that sets a maximum number of other communication apparatus or apparatuses up to which the wireless communication apparatus authenticates to perform wireless communication, a storage unit that stores said maximum number set by said setting unit, and an authentication unit that authenticates other communication apparatus or apparatuses within said maximum number stored in said storage unit.

Abstract: A decryption apparatus (109) comprises a key stream generator (111) generating a local decryption key stream. It furthermore comprises a synchronization value receiver (201) receiving key stream synchronization values. A synchronization processor (203) implements a state machine which may operate in a synchronized state (303) wherein the communication is decrypted using the local key stream, a non-synchronized state (301) wherein the local key stream is not synchronized, or in an uncertain synchronization state (305) wherein the communication is decrypted using the local key stream and wherein the local key stream is synchronized to each new received synchronization value. The synchronization processor (203) furthermore comprises a transition controller (213) operable to transition from the synchronized state to the non-synchronized state in response to a first criterion and to the uncertain synchronization state in response to a second criterion.

Abstract: Various embodiments provide a way to adjust transmission rates of a medium access controller (MAC) to a physical layer (PHY) to accommodate for packet expansions due to encryption that takes place in the PHY. In at least some embodiments, a communication interface between different MACs in a system is re-purposed to allow the PHY to communicate to a system MAC to notify the system MAC to pause and then resume, at an appropriate time, its packet transmissions.

Abstract: The details of an apparatus and method for determining uplink ciphering activation time in universal mobile telecommunications system user equipment are disclosed herein. The ciphering activation time is determined for radio bearers other than RB2 by measuring the data rate on each target radio bearer during the time that it takes for a polling or RRC message sent from the user equipment UE to be acknowledged by the network UTRAN. For RB2, the uplink ciphering activation time is determined by taking into account the size of the RRC response message and the data already queued on RB2 for transmission.

Abstract: A intrusion detection method is disclosed for use in a wireless local area data communications system, wherein mobile units communicate with access points, and wherein the system is arranged to locate transmitters using signals transmitted by the transmitters. A database relating authorized transmitters to location is maintained. Selected signals are detected at the access points and location data corresponding to the selected signals for use in locating a source of the signals is recorded. The source location is determined using the location data, and the source location is compared to a corresponding location in the database. An alarm is signaled if the source location is inconsistent with the corresponding database location.

Abstract: A method and system for distribution of scrambled data and/or services to at least one master terminal and to at least one slave terminal linked with the master terminal. The method and system transmit to the master terminal a first secret code and transmit to each slave terminal a second secret code in a biunique relationship with the first secret code, and authorize the reception of the data and/or services by a slave terminal only if the first secret code is previously stored in the slave terminal.

Abstract: Various improvements relating to digital watermarking and related technologies are detailed, including methods that enhance security and functionality, and new articles including watermarked puzzles and marked DNA.

Abstract: A method of operating a mobile electronic device includes detecting at least one other mobile electronic device within a predetermined distance of the mobile electronic device, and determining a spatial relationship of the at least one other mobile electronic device relative to the mobile electronic device. An ad hoc wireless connection is established with the at least one other mobile electronic device based on the determined spatial relationship. Data may be transmitted to and/or received from the at least one other mobile electronic device over the ad hoc wireless connection based on the determined spatial relationship. Related systems, devices, and computer program products are also discussed.

Abstract: Provisioned wireless service (PWS) authentication apparatus and method simplifies determination of PWS authentication state by dual mode access point (DMAP) receiving an identifying credential from supplicant dual mode mobile station (DMMS) within predefined authentication period and comparing with authentication credential. DMMS is provisioned PWS upon authentication. DMAP having multiple BSSID remotely configurable to differentiate between provisioned services (e.g., voice, VoIP) and standard wireline/fixed wireless services. DMAP and DMMS are each identifiable by respective unique provisioned service BSSID. Identifying credential can be pass code supplied to DMMS user by DMAP operator to facilitate authenticated association and to deter wireless channel interlopers.

Abstract: A system, method and computer program product are provided. Included is a bridge capable of communication with a non-wireless capable device and a wireless network. In use, such bridge incorporates security functionality for remotely and automatically securing the non-wireless capable device during use of the wireless network.

Abstract: Methods for producing and applications for single-use transaction numbers. The transaction numbers are single-use in that the numbers are only valid for a single transaction. The transaction numbers can be generated just prior to being used, minimizing the amount of time during which they can be lost or stolen. The transaction numbers can be generated using encryption technology such as dynamic password technology. The encryption technology makes it very difficult if not impossible to predict what the next transaction number generated will be. The transaction numbers are unique to the user and can be validated or authenticated by an issuing institution that maintains an ability to generate the same transaction numbers issued to the user.

Abstract: The invention is directed to a security module deployed in a host device, which provides a secondary agent that operates in coordination with the host agent in the host device, but operates independent of the host operating system of the host device to independently access an existing communication network interface in the host device or a separate dedicated network interface, if available. In one aspect, the present invention enables robust theft recovery and asset tracking services. The system comprises a monitoring center; one or more monitored devices; a security module in the monitored devices; and one or more active communications networks. Monitored devices may be stand alone devices, such as computers (e.g., portable or desktop computers), or a device or a subsystem included in a system. A monitored device comprises a security module, a host agent and software to support the host agent that runs in the monitored device's OS.

Abstract: A globally unique identification system for a communications protocol and database is disclosed. A method for generating the globally unique identification code and for generating a compressed globally unique identification code is also described. The communications protocol permits multiple communications sessions to be sent through a single open port of a firewall.

Abstract: The authentication capability of a portable terminal connected to a playback device is used to perform user authentication, thereby providing content with a sufficient reliability while only requiring a simple mechanism.

Abstract: An examination apparatus includes a receiving part, an acquisition part, and an examination part. The receiving part receives a public key certificate and identification information of the communication device from the device, which conduct the authentication process by using the public key encryption and sends the public key certificate used for the authentication process only to a specific communication partner. The acquisition part acquires information showing the public key certificate corresponding to the identification information, from a location other than the device based on the identification information. And, the examination part examines the device based on whether or not the public key certificate received by the receiving part is proper, by referring to the information acquired by the acquisition part.

Abstract: A system and method for providing secure one-way transmissions in a vehicle wireless communications system. The system and method rely on a clock signal to assure that the vehicle and server receive proper messages. The vehicle and the server will periodically synchronize their internal clocks to a global clock signal. The server will add its local time to the body of a message including a vehicle identification number and a function code. The server will then encrypt the message and transmit it to the vehicle. The vehicle will decrypt the message and compare the transmitted vehicle identification number with its identification number. If the identification numbers match, the vehicle will then see if the time in the message is within a predefined window of the vehicle time. If the transmitted time is within the predefined window of the vehicle time, the vehicle will accept the message and perform the function.

Abstract: A communication device comprises a receiver configured to receive a notification of a cipher parameter used for encryption of data and a requested start time at which the encryption starts; and a correction unit configured to determine whether the cipher parameter needs to be corrected in response to the notification having been retransmitted based on the requested start time and an actual start time at which the encryption actually starts, and correct the cipher parameter.

Abstract: Proposed are a method and a system for management of resources of portable resource modules, each connected to a communication terminal, which modules comprise electronic memory units and are designed in particular as chipcards. A first resource management instruction comprising a module identification is transmitted to a resource management center. A second resource management instruction is transmitted from the resource management center via a communication network to the resource module identified through the module identification. In the particular resource module, resources are made ready or released by a resource control mechanism corresponding to the received second resource management instruction. A resource management confirmation is transmitted by the particular resource module via the communication network to the resource management center, and in the resource management center information about the resources made ready or released is stored assigned to the module identification.

Abstract: A service request is received and associated with a subscriber id. Profile information is accessed for the source of the service request. A copy of the profile information is stored in a network element employed by the source of the service request to access the network.

Abstract: Methods, systems, and computer program products for implementing a roaming controlled wireless network and services is provided. The method includes assigning an identifier and key to a multi-mode network-enabled communications device, the identifier and key inaccessible to an end user of the communications device. The method further includes assigning an identifier and key to a gateway device. The method further includes configuring an auto-provisioning element on each of the devices and remotely provisioning activation of roaming controlled communications services for the end user of the communications device. The remote provisioning includes transmitting a signal to one of the devices configured with the auto-provisioning element, which causes the devices to exchange identifiers and keys via a wireless local network. In response to exchanging the identifiers and keys between the devices, the communications device is permitted to communicate over the wireline network via the gateway device.

Abstract: A system, method, and apparatus for identifying and authenticating the presence of high value assets at remote location includes associating an identification tag with the asset. The identification tag includes identification information that can be electronically read and sent to a remote location for verifying the authenticity of the asset.

Abstract: An analog telephone adapter (ATA) having a subscriber identity component in the format of a Subscriber Identity Module (SIM) that couples a telephone to a cellular network via Voice over Internet Protocol (VoIP), thereby allowing a cellular service provider to provide an alternative communication service for the home or business. Instead of using the plain old telephone service, a subscriber can plug their analog telephone into the SIM-enabled ATA (SIM-ATA) and receive telephone service from a cellular service provider, eliminating or reducing the need for a traditional Local Exchange Carrier. The SIM-ATA converts signals from analog to digital, and vice-versa. Once the analog telephone signal has been converted to digital, an IP-based protocol (e.g., VoIP) can be used to transmit the telephone call over a digital network. The cellular service provider can then track usage and bill the subscriber accordingly.

Abstract: A system and method of security authentication and key management scheme in a multi-hop wireless network is provided herein with a hop-by-hop security model. The scheme adapts the 802.11r key hierarchy into the meshed AP network. In this approach, a top key holder (R0KH) derives and holds the top Pairwise Master Key (PMK—0) for each supplicant wireless device after the authentication process. All authenticator AP take the level one key holder (R1KH) role and receive the next level Pairwise Master Key (PMK—1) from R0KH. The link level data protection key is derived from PMK—1 via the 802.11i 4-way handshaking.

Abstract: A method of providing certificate issuance and revocation checks involving mobile devices in a mobile ad-hoc network (MANET). The wireless devices communicate with each other via Bluetooth wireless technology in the MANET, with an access point (AP) to provide connectivity to the Internet. A Certificate authority (CA) distributes certificates and certification revocation lists (CRLs) to the devices via the access point (AP). Each group of devices has the name of the group associated with the certificate and signed by the CA. A device that is out of the radio range of the access point may still connect to the CA to validate a certificate or download the appropriate CRL by having all the devices participate in the MANET.

Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.

Abstract: A wireless piconet network device includes a GPS receiver to determine and provide earth coordinates to a gatekeeper of a wireless network so as to provide a level of security to wireless networks which requires accessing wireless devices to be within predefined boundary coordinates. The automatic restriction of access to a wireless network (e.g., a wireless local area network (LAN) such as a piconet network) by requiring a wireless network device to provide earth coordinates (e.g., GPS location information) as part of an establishment or maintenance of a connection to a wireless network, independent of a range of communication of any device in the wireless network. A wireless piconet network device outside of predetermined earth coordinates of a secured area (e.g., a building, a room in a building, a desk in a room in a building, etc.

Abstract: A method and apparatus for the digital signing of a message to be signed, the message to be signed is transmitted via a communication network to a mobile radio telephone to be used as a signing unit. A message to be signed is transmitted from a transmitter to a receiver and then from the receiver to the mobile radio telephone via a telephone network. The mobile radio telephone user indicates that the message to be signed should be signed, and the mobile radio telephone generates a signed message. The signed message is then transmitted from the mobile radio telephone to the receiver and from the receiver to an addressee.

Abstract: The method and apparatus updates a binary number that will be used in cellular telephone system authentication procedures by applying a first algorithm to a plurality of most significant bits of a first binary number to obtain a second binary number; operates on a plurality of least significant bits of the first binary number with a second algorithm to obtain a third binary number, and applies a block cipher to the concatenation of the second and third numbers to obtain the updated binary number. When the most significant bits of the updated binary number comprise an all-zeroes number they are replaced with the most significant bits of the concatenation of the second and third numbers.

Abstract: Techniques to reduce the amount of registration required by a mobile station in a wireless communication system, especially if the registration zones are defined to be small areas. In one scheme, a mobile station registers (e.g., at RR-level) with a network entity (e.g., a base station) each time it enters a new registration zone, which can correspond to an R-TMSI zone defined by GSM MC-MAP. The mobile station maintains a timer for each zone with which it has already registered but has since left. If the mobile station leaves a particular zone for a period longer than a time-out period, the registration with that zone times out, and the mobile station re-registers with that zone whenever it re-enters the zone. The mobile station may implement zone-based, timer-based, implicit, traffic channel RR, and some other registrations, or a combination thereof. Parameters to facilitate registration may be defined by a base station.

Abstract: Methods, systems, and data stores generate and manage temporarily assigned identities. A requestor issues a request for a service. The request includes an identity used for authenticating the requestor. The identity is used for generating an identity configuration and for generating a temporarily assigned identity that is updated to a protected identity directory. The request and the temporarily assigned identity are transmitted to the service. The service uses the temporarily assigned identity to access the protected identity directory for purposes of authenticating the request. The service uses the authenticated request to access attributes associated with the temporarily assigned identity.

Abstract: A method and apparatus are provided for early distribution of at least one encryption key intended for securing a communication to be set up on the link layer of a cellular network formed of a plurality of cells, each controlled by an attachment point, between a mobile terminal and a set of attachment points, termed the target attachment points. The includes, for at least one target attachment point: creation of an encryption ticket containing an encryption key, enciphered on the basis of at least one authentication key specific to this target attachment point; receipt of the enciphered encryption ticket, by way of a current attachment point to which the mobile terminal is connected; identification, of a means of deciphering the enciphered encryption ticket, with the aid of the at least one authentication key, making it possible to obtain the encryption key.

Abstract: The present invention relates to a method for providing content in a communication system. The method comprises encoding content to a first part and a second part. Furthermore, the method comprises protecting the second part of the content against unauthorised use. Furthermore, the method comprises transmitting the content to user equipment associated with an identity module. The present invention relates also to a method for obtaining content in user equipment in a communication system. The method comprises receiving content encoded to a first layer and a protected second layer. Furthermore, the method comprises requesting for opening the protection of the second layer, receiving opening means and opening the protection of the second layer using the opening means interacting with an identity module associated with the user equipment. Furthermore, a network element and user equipment are configured to execute the method.

Abstract: A system, method and computer program product are provided. In use, a peer-to-peer wireless network is advertised utilizing a granting node. Further, a requesting node is provided for connecting to the peer-to-peer wireless network. Thereafter, such requesting node is redirected to a portal. To this end, a software application is capable of being downloaded to the requesting node via the peer-to-peer wireless network utilizing the portal.

Abstract: A method, apparatus, and system for using Bluetooth devices to secure sensitive data on other Bluetooth devices is described. A Bluetooth device is paired with a “trusted” Bluetooth device. When contact with the trusted device is lost, designated sensitive data on the secured Bluetooth device is automatically encrypted. When contact is restored, the data is automatically decrypted. In an alternate embodiment, a secured device can be associated with multiple trusted devices, and the secured device designate different sensitive data for each trusted device. In this way, multiple users can share a common, “public” Bluetooth device without concern that the other users will access their sensitive data on the device when the device is not being used by that user.

Abstract: A mutual authentication method is provided for securely agreeing application-security keys with mobile terminals supporting legacy Subscriber Identity Modules (e.g., GSM SIM and CDMA2000 R-UIM, which do not support 3G AKA mechanisms). A challenge-response key exchange is implemented between a bootstrapping server function (BSF) and mobile terminal (MT). The BSF generates an authentication challenge and sends it to the MT under a server-authenticated public key mechanism. The MT receives the challenge and determines whether it originates from the BSF based on a bootstrapping server certificate. The MT formulates a response to the authentication challenge based on keys derived from the authentication challenge and a pre-shared secret key. The BSF receives the authentication response and verifies whether it originates from the MT.