Cellular Telephone Cryptographic Authentication Patents (Class 380/247)
  • Patent number: 7499547
    Abstract: A system and method of security authentication and key management scheme in a multi-hop wireless network is provided herein with a hop-by-hop security model. The scheme adapts the 802.11r key hierarchy into the meshed AP network. In this approach, a top key holder (R0KH) derives and holds the top Pairwise Master Key (PMK_0) for each supplicant wireless device after the authentication process. All authenticator APs take the level one key holder (R1KH) role and receive the next level Pairwise Master Key (PMK_1) from R0KH. The link level data protection key is derived from PMK_1 via the 802.11i 4-way handshaking.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: March 3, 2009
    Assignee: Motorola, Inc.
    Inventors: Heyun Zheng, Charles R. Barker, Jr., Amit Gandhi, Keith J. Goldberg, Samer S. Hanna, Surong Zeng
  • Patent number: 7496199
    Abstract: The cryptographic resources are supplied by at least one cryptographic source having a specific access interface. The application is presented with a mutualized interface substantially independent of the cryptographic sources and of their respective access interfaces. A translation module is placed between the mutualized interface and each interface for accessing a cryptographic source to provide access to the cryptographic resources from the application via the mutualized interface.
    Type: Grant
    Filed: May 16, 2003
    Date of Patent: February 24, 2009
    Assignee: France Telecom
    Inventors: Sylvie Camus, Laurent Frisch, Dimitri Mouton
  • Patent number: 7496754
    Abstract: An improved system, apparatus, and method for securing a network using MAC address filtering is provided. Advantageously, the present invention does not require that a client computer be powered on, and instead provides an efficient user interface for displaying a requestor's MAC address and for allowing or denying the device with an associated MAC address access to the network. Parameters per allowed MAC address may also be provided.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: February 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Calvin Y. Liu, Sheng-Chiao Chang
  • Publication number: 20090046644
    Abstract: An ad hoc mobile service provider for a wireless network includes a processing system configured to support a public service set, comprising the ad hoc mobile service provider and one or more mobile clients, and a private service set, comprising the ad hoc mobile service provider and one or more authenticated mobile clients. The processing system is further configured to authenticate a mobile client with a server, the mobile client being associated with the public service set, and transfer an authenticated mobile client from the public service set to the private service set.
    Type: Application
    Filed: August 8, 2008
    Publication date: February 19, 2009
    Applicant: QUALCOMM Incorporated
    Inventors: Dilip Krishnaswamy, Atul Suri
  • Publication number: 20090041240
    Abstract: The technology described in this case facilitates random access by a user terminal with a radio base station. A user terminal determines one of a first type of uplink scrambling sequences and generates a random access message using the determined one of the first type of uplink scrambling sequences. The random access message is transmitted to the base station. The user terminal receives from the base station a second, different type of uplink scrambling sequence and uses it for subsequent communication with the radio base station. For example, the first uplink scrambling sequences may be specifically associated with the radio base station's cell area or a random access radio channel associated with the radio base station, but they are not specifically assigned to any user terminal, and the second uplink scrambling sequence may be selected from a second set of uplink scrambling sequences specifically assignable to individual user terminals.
    Type: Application
    Filed: August 8, 2007
    Publication date: February 12, 2009
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stefan Parkvall, Erik Dahlman, Tobias Tynderfeldt
  • Patent number: 7487547
    Abstract: A contents processing device permitting, when contents are to be stored in a recording medium, only a specified device to read out the stored contents is to be provided, and a contents processing device capable, where it is a mobile telephone, of flexibly adapting to a change of a unique telephone number or a type of the mobile telephone. For the purpose, the contents processing device for inputting and outputting contents to and from a recording medium is provided with contents storage means (RAM) for storing contents, an ID storage unit (ROM) for storing an ID capable of identifying the contents processing device, a recording medium input/output unit (memory card I/F) for inputting to and outputting from the recording medium, and a ciphering unit (ciphering program) for enciphering contents within the contents storage unit by use of a ciphering key generated from the ID within the ID storage unit and storing it from the recording medium input/output unit into the recording medium.
    Type: Grant
    Filed: October 11, 2002
    Date of Patent: February 3, 2009
    Assignee: Matsushita Electric Industrial Co. Ltd.
    Inventors: Shinichi Nakai, Naohiko Noguchi, Shinichi Matsui, Taihei Yagawa, Shunji Harada, Ryuji Inoue
  • Patent number: 7484240
    Abstract: The invention proposes a method of performing authentication of a subscriber during a subscriber equipment terminated call, comprising the steps of sending a session invitation message (S4, S5) to the subscriber equipment, the session invitation message including authentication information (AuthData1), and performing an authentication procedure in the subscriber equipment by using the authentication information. The invention also proposes a corresponding network system, network control element and subscriber entity.
    Type: Grant
    Filed: July 13, 2001
    Date of Patent: January 27, 2009
    Assignee: Nokia Corporation
    Inventors: Stefano Faccin, Franck Le
  • Patent number: 7480939
    Abstract: A method and system for using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed is described. In one embodiment, the primary authentication protocol comprises a strong, secure, computationally complex authentication protocol. Moreover, the secondary authentication protocol comprises a less complex (compared to the primary authentication protocol) and less secure (compared to the primary authentication protocol) authentication protocol which can be performed in a length of time that is shorter than a length of time required to perform the primary authentication protocol. In an embodiment, the key lease includes context information.
    Type: Grant
    Filed: July 6, 2001
    Date of Patent: January 20, 2009
    Assignee: 3Com Corporation
    Inventors: Danny M. Nessett, Albert Young
  • Patent number: 7477747
    Abstract: A method and system for performing pre-authentication across inter-subnets. A pre-authentication request is received by a first access point associated with a first subnet from a mobile node that is requesting pre-authentication with a second access point associated with a second subnet. The request is forwarded by the access point to a first authenticator that is the authenticator for the first subnet. The first authenticator obtains from a root infrastructure node the address for a second authenticator that is the authenticator for the second access point. The first authenticator then pre-authenticates the mobile node with the second authenticator by sending a message to the address for the second authenticator.
    Type: Grant
    Filed: February 4, 2005
    Date of Patent: January 13, 2009
    Inventors: Jeremy Stieglitz, Nancy Cam Winget
  • Patent number: 7472280
    Abstract: A method of managing digital rights comprises the following steps. First, a physical electronic key containing a first activation code is provided to a requesting user. Second, locked digital content is provided to the requesting user. The digital content is encoded with a second activation code associated with the first activation code. Third, the locked digital content is received in a playing device that reads the first activation code and determines whether the first activation code is associated with the second activation code. Fourth, the playing device is enabled to unlock and play the digital content if the first activation code is associated with the second activation code. A digital right management system for implementing the foregoing method is also disclosed.
    Type: Grant
    Filed: May 23, 2002
    Date of Patent: December 30, 2008
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Patent number: 7466976
    Abstract: Data traffic between a mobile radio network and an IMS network is secured by first authenticating a mobile subscriber in the mobile radio network and in the IMS network. Next, an examination is carried out to check whether the identity of the mobile subscriber authenticated in the IMS network corresponds to the identity of the subscriber authenticated in the mobile radio network. If so, a confirmation message is sent from the IMS network to the mobile subscriber in the event of corresponding identities and a data exchange is carried out between the mobile subscriber and the IMS network by a security protocol protected by a common key derived from the confirmation message.
    Type: Grant
    Filed: October 13, 2004
    Date of Patent: December 16, 2008
    Assignee: Siemens Aktiengesellschaft
    Inventor: Dirk Kröselberg
  • Patent number: 7463861
    Abstract: A method, apparatus, and system for using Bluetooth devices to secure sensitive data on other Bluetooth devices is described. A Bluetooth device is paired with a “trusted” Bluetooth device. When contact with the trusted device is lost, designated sensitive data on the secured Bluetooth device is automatically encrypted. When contact is restored, the data is automatically decrypted. In an alternate embodiment, a secured device can be associated with multiple trusted devices, and the secured device can designate different sensitive data for each trusted device. In this way, multiple users can share a common, “public” Bluetooth device without concern that the other users will access their sensitive data on the device when the device is not being used by that user.
    Type: Grant
    Filed: March 7, 2005
    Date of Patent: December 9, 2008
    Assignee: Broadcom Corporation
    Inventor: Andre Eisenbach
  • Patent number: 7458095
    Abstract: The invention is a method of connecting user equipment to at least one network, a communication system, and a user equipment. In a communication system comprising at least one network, including network entities which provide connectivity to user equipment, a method of connecting the user equipment to the at least one network in accordance with the invention includes establishing a secure tunnel which provides connection between the user equipment and one of the network entities; and authenticating the user equipment with another of the network entities; and wherein the authenticating of the user equipment with the another of the network entities occurs at least partially simultaneously with the establishing of the secure tunnel.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: November 25, 2008
    Assignee: Nokia Siemens Networks Oy
    Inventor: Dan Forsberg
  • Patent number: 7450554
    Abstract: Disclosed herein is a method for the establishment of a service tunnel in a wireless local area network (WLAN). The method includes a service authentication authorization unit making authentication and authorization to a WLAN user terminal currently requesting a service, and judging whether the authentication and authorization is successful. If successful, the method includes generating service authorization information that includes a shared communication key used for communication between the WLAN user terminal and a destination packet data gateway (PDG), and otherwise ending the procedure. The method further includes the service authentication authorization unit sending to the destination PDG the generated service authorization information including the shared communication key, and the destination PDG, according to the shared communication key, establishing a trust relation with the WLAN user terminal through negotiation with the WLAN user terminal.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: November 11, 2008
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Wenlin Zhang
  • Patent number: 7448072
    Abstract: A technique for authenticating a user to a server using SIP messages includes forwarding an SIP request from the user agent to the server. The server then forwards a request for authentication to the user agent in response to the invite request, the request for authentication including information that the authentication will be performed using a UMTS AKA mechanism. The user agent then forwards an authentication response to the server in accordance with the UMTS AKA mechanism and the server then performs the appropriate actions to perform an invoked SIP procedure in response to the SIP request. The SIP request may include any standardized SIP request including an SIP INVITE request or an SIP REGISTER request.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: November 4, 2008
    Assignee: Nokia Corporation
    Inventors: Stefano Faccin, Franck Le, György Wolfner
  • Patent number: 7444513
    Abstract: A client 110 may be authenticated by transmitting or beaming a telecommunication network subscriber's authentication to the client from a device 120, over a wireless link. For example, a GSM telephone 120 may authenticate an electronic book 110 to a content providing service within the Internet. The service verifies the authentication using the subscriber's GSM network operator's Authentication Center 161 to generate an authenticator and the client correspondingly generates a local copy of the authenticator using a GSM SIM over the wireless local link. The authentication is then determined by checking that these authenticators match and thereafter the authenticator can be used as a session key to encrypt data in the service.
    Type: Grant
    Filed: May 29, 2001
    Date of Patent: October 28, 2008
    Assignee: Nokia Corporation
    Inventors: Kai Nyman, Mikko Olkkonen, Jari T. Malinen
  • Publication number: 20080260149
    Abstract: Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses.
    Type: Application
    Filed: November 30, 2007
    Publication date: October 23, 2008
    Inventor: Christian M. Gehrmann
  • Patent number: 7441126
    Abstract: A secure wireless LAN device includes a housing, a wireless transceiver carried by the housing, and a cryptography circuit carried by the housing. The cryptography circuit may operate using cryptography information and may also render unusable the cryptography information based upon tampering. The cryptography circuit may include at least one volatile memory for storing the cryptography information, and a battery for maintaining the cryptography information in the at least one volatile memory. Accordingly, the cryptography circuit may further include at least one switch operatively connected to the housing for disconnecting the battery from the at least one volatile memory so that the cryptography information therein is lost based upon breach of the housing. The cryptographic information may comprise a cryptography key and/or at least a portion of a cryptography algorithm. This cryptographic information remains relatively secure and is lost upon tampering, such as removing the housing.
    Type: Grant
    Filed: January 16, 2001
    Date of Patent: October 21, 2008
    Inventors: Russell Dellmo, James Bergman, David W. Hall
  • Patent number: 7440572
    Abstract: A secure wireless LAN device includes a housing, a wireless transceiver carried by the housing, a medium access controller (MAC) carried by the housing, and a cryptography circuit carried by the housing and connected to the MAC and the wireless transceiver. The cryptography circuit may encrypt both address and data information for transmission, and decrypt both address and data information upon reception. Accordingly, a higher level of security may be provided. The cryptography circuit may implement an algorithm and use a key to provide a predetermined security level, such as up to Type 1 security, although lower levels may also be implemented. Of course, the secure wireless LAN device may be used with other LAN devices, such as user stations and/or access points, in any of a number of different LAN configurations. The MAC may implement a predetermined wireless LAN MAC protocol. For example, the LAN MAC protocol may be based upon the IEEE 802.11 standard.
    Type: Grant
    Filed: January 16, 2001
    Date of Patent: October 21, 2008
    Assignee: Harris Corporation
    Inventors: Russell Dellmo, James Bergman, David W. Hall
  • Patent number: 7437161
    Abstract: In the method of packet transmission, data packet fragments received from a first mobile station are sent to a second mobile station without assembling and re-fragmenting the received data packet fragments if the first and second mobile stations are in a same cell.
    Type: Grant
    Filed: March 16, 2005
    Date of Patent: October 14, 2008
    Assignee: Lucent Technologies Inc.
    Inventors: Mark Haner, Danielle Hinton, Thierry Etienne Klein
  • Patent number: 7437752
    Abstract: In a particular embodiment, a client module is deployed on a wireless device. The client module comprises a policy database including a list of authorized devices to which the wireless device may communicate. In another embodiment, the client module comprises a policy database including at least two user profiles on a wireless device, such as a personal profile and a business profile.
    Type: Grant
    Filed: September 23, 2002
    Date of Patent: October 14, 2008
    Assignee: Credant Technologies, Inc.
    Inventors: Robert W. Heard, Dwayne R. Mann, Christopher D. Burchett, Ian R. Gordon
  • Publication number: 20080220741
    Abstract: A mobile device (100) for establishing a connection with an access point (200) includes an interface module (110), an authentication module (120), and an association module (130). The interface module receives a user authentication instruction to launch authentication. The authentication module authenticates the access point via a first service set identifier (SSID) in order to acquire a second SSID and a key from the access point when the authentication is successfully launched. The association module re-associates with the access point via the second SSID and the key. A communication system and a connection establishing method are also provided.
    Type: Application
    Filed: June 21, 2007
    Publication date: September 11, 2008
    Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
    Inventor: YU-CHIANG HUNG
  • Patent number: 7424116
    Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: September 9, 2008
    Assignee: Motorola, Inc.
    Inventors: Hans Christopher Sowa, Daniel J. McDonald, David J. Chater-Lea, Scott J. Pappas, Jason Johur, Dennis Newkirk, Randy Kremske, Walter F. Anderson
  • Patent number: 7424284
    Abstract: A method of authenticating a user access network to a mobile node, where the mobile node wishes to access a service via the access network, the method comprising: establishing a secure transport channel between the mobile node and a service access node of the visited network, said channel being bound to an identity of the service access node; sending an authorization request from the mobile node to the service access node, incorporating an identity of the service access node into the request at the service access node, and forwarding the request to an authorization node of the user's home network; at said authorization node of the home network, authorizing the service access node, and sending to the service access node a user challenge including the identity of the service access node, said identity being included in such a way that a change to the identity can be detected by a recipient; at the serving access node, forwarding the received user challenge to the mobile node; and at the mobile node verifying
    Type: Grant
    Filed: November 2, 2005
    Date of Patent: September 9, 2008
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Torvinen, Bengt Sahlin, Jani Hautakorpi
  • Patent number: 7421077
    Abstract: Methods and apparatus for authenticating a mobile node are disclosed. A server is configured to provide a plurality of security associations associated with a plurality of mobile nodes. A packet identifying a mobile node may then be sent to the server from a network device such as a Home Agent. A security association for the mobile node identified in the packet may then be obtained from the server. The security association may be sent to the network device to permit authentication of the mobile node. Alternatively, authentication of the mobile node may be performed at the server by applying the security association.
    Type: Grant
    Filed: November 8, 2006
    Date of Patent: September 2, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: Kent K. Leung
  • Patent number: 7418594
    Abstract: Before obtaining service from an installed terminal, a mobile unit can be authenticated (subauthenticated) only by the operation of the mobile unit such as an unauthenticated digital camera, etc. using an authenticated mobile phone. A digital camera is radio-connected with an installed terminal, and the digital camera is also radio-connected with a mobile phone of a user. The installed terminal center is notified of the identification code of the mobile phone through the digital camera and the installed terminal. The installed terminal center inquires of the carrier center about the validity/invalidity of the mobile phone. Upon receipt of the notification of the validity of the mobile phone from the carrier center, the installed terminal center permits service to the installed terminal in the installed terminal.
    Type: Grant
    Filed: February 4, 2002
    Date of Patent: August 26, 2008
    Assignee: Fujifilm Corporation
    Inventors: Hiroshi Tanaka, Izumi Miyake
  • Patent number: 7418596
    Abstract: Systems and methods disclosed herein provide secure, efficient, and mutually authenticated cryptographic key distribution. A client or client manufacturer may pre-generate and pre-encrypt the cryptographic keys, store the encrypted keys within the client, and deliver such keys to the serving network's access server via the client, while also relying upon, if available, the authentication performed by a trusted access server of an intermediate network which the client must traverse in order to obtain access to the serving network. If not available, a client password stored within the client may be used to enable client authentication by the serving network prior to acceptance of the delivered cryptographic keys.
    Type: Grant
    Filed: July 23, 2002
    Date of Patent: August 26, 2008
    Assignee: Cellco Partnership
    Inventors: Christopher Carroll, Varsha Clare, Gerry Flynn, Brian Green, Steve Rados, Steve Thomas
  • Publication number: 20080181401
    Abstract: In a method of establishing a secure communication link between a first terminal and a second terminal, the first terminal is connected to a third terminal which can be connected to a mobile telephone network and the second terminal is connected to an authentication element of the telephone network. The method includes: transfer of an authentication datum from the third terminal to the network authentication element; following authentication of the third terminal, the transfer of a random variable from the network authentication element to the third terminal; the parallel generation of a session key by the third terminal and the network authentication element from the random variable; the generation by the first and second terminals of a shared key from the session key; and the opening of a secure communication link with the use of the shared key.
    Type: Application
    Filed: March 2, 2006
    Publication date: July 31, 2008
    Applicant: FRANCE TELECOM
    Inventors: David Picquenot, Gilles Macario-Rat, Pierre Lemoine
  • Patent number: 7404088
    Abstract: A Personal Digital Key Digital Content Security System (PDK-DCSS) is used to protect computers from unauthorized use and protect the digital content stored on computers from being wrongfully accessed, copied, and/or distributed. The basic components of the PDK-DCSS are (1) a standard hard drive device, with the addition of a PDK Receiver/Decoder Circuit (PDK-RDC) optionally integrated into the hard drive's controller, and (2) a PDK-Key associated with the PDK-RDC. The PDK-Key and RDC technology is utilized to provide two categories of protection: (1) hard drive access control for providing Drive-Level and Sector-Level protection and (2) operating system-level independent file protection for providing File-Level and Network-Level protection.
    Type: Grant
    Filed: November 7, 2005
    Date of Patent: July 22, 2008
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Publication number: 20080159534
    Abstract: An apparatus (100) used by a plurality of devices to authenticate an accessory (120) is configured to operate with a device (110) of the plurality of devices. The accessory (120) applies an authentication algorithm to a key and a challenge (130) received from the device (110) and generates a response (132) thereto. A challenge and response memory (114) stores a subset of a set of challenges (232) and pre-computed responses (230). The enabling circuit transmits a challenge (130) to the accessory (120) and receives a received response (132) therefrom. The enabling circuit (112) also compares the received response (132) to the stored response (230) corresponding to the stored challenge (232) sent to the accessory (120).
    Type: Application
    Filed: December 28, 2006
    Publication date: July 3, 2008
    Applicant: MOTOROLA, INC.
    Inventors: KENT D. RAGER, JOSEPH M. HANSEN
  • Patent number: 7395050
    Abstract: The invention relates to a method and system for authenticating a user of a data transfer device (such as a terminal in a wireless local area network, i.e. WLAN). The method comprises: setting up a data transfer connection from the data transfer device to a service access point. Next, identification data of the mobile subscriber (for example an MSISDN) are inputted to the service access point. This is followed by checking from the mobile communications system whether the mobile subscriber identification data contains an access right to the service access point. If a valid access right exists, a password is generated, then transmitted to a subscriber terminal (for example a GSM mobile phone) corresponding to the mobile subscriber identification data, and login from the data transfer device to the service access point takes place with the password transmitted to the subscriber terminal.
    Type: Grant
    Filed: December 17, 2002
    Date of Patent: July 1, 2008
    Assignee: Nokia Corporation
    Inventors: Jukka Tuomi, Henry Haverinen, Niklas Lybäck, Sami Pienimäki
  • Publication number: 20080152139
    Abstract: Apparatus, and an associated method, for a mobile station, or other radio communication device, operable pursuant to an instant message, or other push message, service. Prior to effectuation of the communications pursuant to the service, the mobile station logs in. The log-in utilizes encrypted log-in information pursuant to a log-in procedure, e.g., keys are exchanged between the mobile station and a communication network. The network approves the log-in of the mobile station, and admits the mobile station. A detector at the mobile station detects the admittance. Subsequently, messages are generated and sent and received pursuant to the instant message, or other push message, service.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 26, 2008
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: GERHARD DIETRICH KLASSEN, MICHAEL HUNG, MICHAEL STEPHEN BROWN, HERB LITTLE
  • Patent number: 7392037
    Abstract: Embodiments of wireless communication devices and methods for protecting broadcasted management control messages from insider forgery in a wireless network are generally described herein.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: June 24, 2008
    Assignee: Intel Corporation
    Inventors: Emily H. Qi, Jesse R. Walker, Kapil Sood
  • Publication number: 20080137853
    Abstract: The present invention provides a method of operating a mobile unit in a wireless communication system. Embodiments of the method may include providing access request message(s) including information indicative of a first counter and a message authentication code formed using a first key. The first key is derived from a second key and the first counter. The second key is derived from a third key established for a security session between the mobile unit and an authenticator. The first counter is incremented in response to each access request provided by the mobile unit.
    Type: Application
    Filed: March 6, 2007
    Publication date: June 12, 2008
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 7386727
    Abstract: In a method and apparatus for the digital signing of a message to be signed, the message to be signed is transmitted via a communication network to a mobile radio telephone to be used as a signing unit. A message to be signed is transmitted from a transmitter to a receiver and then from the receiver to the mobile radio telephone via a telephone network. The mobile radio telephone user indicates that the message to be signed should be signed, and the mobile radio telephone generates a signed message. The signed message is then transmitted from the mobile radio telephone to the receiver and from the receiver to an addressee.
    Type: Grant
    Filed: October 24, 1998
    Date of Patent: June 10, 2008
    Assignee: Encorus Holdings Limited
    Inventors: Stefan Röver, Hans-Dieter Groffman
  • Patent number: 7382882
    Abstract: Method, apparatus, memory card, and system for establishing a secure connection between a wireless communication apparatus and a data communication apparatus based on a wireless application protocol. The wireless communication apparatus is provided with contact means for receiving information from a separate unit provided with memory means. The memory means comprises information to control the access of the wireless communication apparatus through a wireless communication network connected to said data communication apparatus.
    Type: Grant
    Filed: July 2, 1999
    Date of Patent: June 3, 2008
    Assignee: Nokia Corporation
    Inventor: Olli Immonen
  • Patent number: 7380124
    Abstract: The present invention supports a secure transmissions protocol for information packet transmission between a Mobile Node and a Foreign Agent. The information packets are encrypted and decrypted using an integrated software client that combines mobile IP communication support and encrypting and decrypting protocols.
    Type: Grant
    Filed: March 28, 2002
    Date of Patent: May 27, 2008
    Assignee: Nortel Networks Limited
    Inventors: Jerry Mizell, David Lauson, Peter Wenzel, Steven Currin
  • Publication number: 20080115211
    Abstract: A method for accessing content is provided. In this method, information from a first memory device is retrieved. A parameter is generated based on the information and an account on a second memory device is accessed based on the parameter. The second memory device is configured to store the content and the account is associated with the content. The first and second memory devices are configured to be removably coupled to a computing device.
    Type: Application
    Filed: November 14, 2006
    Publication date: May 15, 2008
    Inventors: Fabrice Jogand-Coulomb, Farshid Sabet Sharghi, Bahman Qawami
  • Patent number: 7370200
    Abstract: The present invention provides for validating an association between computing devices using a succession of human-perceptible stimuli such as sounds, lights, colors or shapes. Commands are sent from the initiating device to the responding device in encrypted messages. Human-perceptible stimuli are formed at the responding device in response to at least some of the commands. The responder searches for messages that the responder is unable to decrypt and that are received in a time interval before messages that the responder is able to decrypt. The succession of human-perceptible stimuli may be harmonized, in which case, an association between the initiating device and the responding device is validated when the human-perceptible stimuli formed by the initiating device and the human-perceptible stimuli formed by the responding device are harmonized together.
    Type: Grant
    Filed: January 30, 2004
    Date of Patent: May 6, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Timothy Paul James Gerard Kindberg, Jean Tourrilhes, Kan Zhang
  • Patent number: 7366913
    Abstract: A wireless electronic authentication device with an authenticating smart chip, a local radio communication circuit, an input circuit that receives user input, and a power supply, all housed in a portable housing. Preferably, the authentication device is a mobile telephone with an authenticating smart chip. The user enters a knowledge token, such as a password stated by voice or a personal identification number input at the keyboard, to indicate that he is both in possession of the authorization device and knows the critical information. The knowledge token may be entered in advance and merely confirmed by the user pressing a key on the keypad when a confirmation is requested. A method is provided for making use of the authentication device to perform authorizations. A similar method is disclosed for use in existing systems and then achieving a gradual transition from existing systems to the new authentication device.
    Type: Grant
    Filed: September 4, 2002
    Date of Patent: April 29, 2008
    Inventor: Jeffrey T. Haley
  • Patent number: 7366303
    Abstract: A network system is proposed comprising a network control element and a communication device (UE) associated to a subscriber, wherein the communication device (UE) is adapted to send a registration message (A8) including subscriber information to be protected and an integrity code (MAC), to the network control element, wherein the communication device (UE) is adapted to calculate the integrity code (MAC) by using a part or whole of the registration message (A8) including the subscriber information to be protected, and the network element is adapted to verify the integrity code (MAC) included in the registration message. Also a case is proposed in which the integrity code is calculated in the network control element and verified in the communication device (UE). Furthermore, corresponding methods are proposed.
    Type: Grant
    Filed: May 21, 2001
    Date of Patent: April 29, 2008
    Assignee: Nokia Siemens Networks Oy
    Inventors: Patrik Flykt, Valtterie Niemi, Jaakko Rajaniemi, Aki Niemi
  • Patent number: 7366901
    Abstract: A device, method, system and computer readable medium allows for using a short-range address, such as a Bluetooth™ address, to identify a cellular device and authenticate cellular messages to the cellular device. In an embodiment of the present invention, a first short-range radio address for a cellular device is stored in a processing device, such as a server coupled to a cellular network. An authentication message is obtained by the processing device. A second short-range radio address is stored in the cellular device. A first message digest is calculated responsive to the authentication message and first short-range radio address. A cellular message, including the authentication message and the first message digest, is transmitted to the cellular device. The cellular device receives the cellular message and calculates a second message digest responsive to the authentication message and the second short-range radio address stored in the cellular device.
    Type: Grant
    Filed: August 1, 2003
    Date of Patent: April 29, 2008
    Assignee: IXI Mobile (R&D), Ltd.
    Inventors: Ziv Hapamas, Amit Shachak
  • Patent number: 7362781
    Abstract: Wireless devices and methods employ steganography to convey auxiliary data in addition to audio information. An exemplary application is a battery-powered cell phone, having, e.g., a microphone, a speaker, a modulator, an antenna, and an RF amplifier. The steganographically-encoded auxiliary data can be sent to, and/or sent from, such a device, and used for purposes including authentication, system administration, etc.
    Type: Grant
    Filed: August 7, 2001
    Date of Patent: April 22, 2008
    Assignee: Digimarc Corporation
    Inventor: Geoffrey B. Rhoads
  • Patent number: 7360089
    Abstract: A network including an optical sensing device, and a registration server, wherein a secret key and a unique public identifier are installed in the optical sensing device and in a database of the registration server; wherein the optical sensing device is adapted to communicate with the registration server; wherein, the registration server is adapted to authenticate the optical sensing device when the optical sensing device is connected to the network by verifying the optical sensing device's encryption, using the secret key, of a challenge message; wherein, if the authentication succeeds, the optical sensing device is registered in the database of the registration server; wherein the optical sensing device is adapted to capture a sequence of time-stamped positions of the optical sensing device relative to a surface including coded data.
    Type: Grant
    Filed: August 9, 2004
    Date of Patent: April 15, 2008
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7359516
    Abstract: A method and device are provided for handling network activation between a computer and a carrier. In one example, the method involves receiving a command to initiate network activation procedures. The network activation status of the computer is then determined. If the computer is network enabled, a request is sent to a device having network activation information. The network activation information is received from the device. The computer is then configured with the network activation information in order to establish network activation with the carrier.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: April 15, 2008
    Assignee: PalmSource, Inc.
    Inventors: Craig Skinner, William Shu-woon Wong, Brian Gerald Kuhn
  • Publication number: 20080085001
    Abstract: An authentication method between a secure host processor and a controller of an NFC system, the controller being equipped with an NFC interface circuit sending and receiving contactless data, includes connecting the host processor to the controller and checking that there is a predefined relation between a first secret data stored by the host processor and a second secret data stored by the controller. The method further includes transmitting the second secret data to the controller and storing of the second secret data by the controller. The host processor may be removably associated with a contactless component storing the second secret data which is contactlessly transmitted to the controller.
    Type: Application
    Filed: October 4, 2007
    Publication date: April 10, 2008
    Applicant: INSIDE CONTACTLESS
    Inventors: Bruno CHARRAT, Philippe MARTINEAU
  • Patent number: 7356145
    Abstract: Arranging data ciphering in a telecommunication system comprising at least one wireless terminal, a wireless local area network and a public land mobile network. At least one first ciphering key according to the mobile network is calculated in the mobile network and in the terminal for a terminal identifier using a specific secret key for the identifier. Data transmission between the mobile network and the terminal is carried out through the wireless local area network. A second ciphering key is calculated in the terminal and in the mobile network using said at least one first ciphering key. The second ciphering key is sent from the mobile network to the wireless local area network. The data between the terminal and the network is ciphered using said second ciphering key.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: April 8, 2008
    Assignee: Nokia Corporation
    Inventors: Juha Ala-Laurila, Jukka-Pekka Honkanen, Jyri Rinnemaa
  • Patent number: 7356329
    Abstract: A method of providing certificate issuance and revocation checks involving mobile devices in a mobile ad hoc network (MANET). The wireless devices communicate with each other via Bluetooth wireless technology in the MANET, with an access point (AP) to provide connectivity to the Internet. A certificate authority (CA) distributes certificates and certification revocation lists (CRLs) to the devices via the access point (AP). Each group of devices has the name of the group associated with the certificate and signed by the CA. A device that is out of the radio range of the access point may still connect to the CA to validate a certificate or download the appropriate CRL by having all the devices participate in the MANET.
    Type: Grant
    Filed: August 6, 2003
    Date of Patent: April 8, 2008
    Assignee: Certicom Corp.
    Inventors: William Daniel Willey, Simon Blake-Wilson
  • Publication number: 20080069358
    Abstract: A portable storage device with wireless encryption protection is provided, including: a wireless identification remote control, for transmitting an identification signal and information or a lock control signal through wireless transmission; a memory interface connected to a data access host, for inputting decryption information from the data access host and for outputting to the data access host; a wireless protection gate unit connected to the memory interface, for receiving the identification signal and information or lock control signal issued by the wireless identification remote control, and enabling or disabling the data transmission to the memory interface according to the identification result; and at least one protected data region connected to the wireless protection gate unit, the protected data region outputting data to the data access host when the wireless protection gate unit is enabled, so that the portable storage device can achieve the objects of accurate and permanently effective wireless encryption.
    Type: Application
    Filed: September 13, 2007
    Publication date: March 20, 2008
    Applicant: Genesys Logic, Inc.
    Inventor: Cheng-chih Yang
  • Patent number: 7346772
    Abstract: A method wherein an access point authenticates itself with neighboring access points and establishes secure and mutually authenticated communication channels with its neighboring access points. When an access point learns of a neighboring access point, it initiates an authentication with an authentication server through the neighboring access point. Once access points have mutually authenticated each other, whenever a station authenticates itself with a first access point, the first access point communicates the station's authentication context information, for example session key and session identifier, to each neighboring access point. Thus, when the station roams to a neighboring access point, the neighboring access point presents the station with a reauthentication protocol, for example LEAP reauthentication, and if the reauthentication is successful, communication between the station and the neighboring access point takes place immediately and no new EAP authentication needs to occur.
    Type: Grant
    Filed: January 17, 2003
    Date of Patent: March 18, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Richard D. Rebo, Victor J. Griswold