Abstract: Methods and systems are provided that use smartcards, such as subscriber identity module (SIM) cards to provide secure functions for a mobile client. One embodiment of the invention provides a mobile communication network system that includes a mobile network, a mobile terminal, a server coupled to the mobile terminal via the mobile network, and a subscriber identity module (SIM) card coupled to the mobile terminal. The SIM card includes a first key and a second key. The first key is used to authenticate an intended user of the mobile terminal to the mobile network. Upon successful authentication of the intended user to the mobile network, the mobile terminal downloads a function offered from the server through the mobile network. The second key is then used by the mobile terminal to authenticate the intended user to the downloaded function so that the intended user can utilize the function.

Abstract: One embodiment of the present invention provides a system for enhancing security in a secure communication channel. During operation, the system collects contextual information associated with a mobile device or a user of the mobile device and determines whether a trigger condition is met based on the collected contextual information. In response to determining that the trigger condition is met, the system performs a first type of key-ratcheting operation on a current cryptographic key to update the cryptographic key. In response to determining that the trigger condition is not met, the system performs a second type of key-ratcheting operation on the current cryptographic key to update the cryptographic key. The system then encrypts a to-be-sent message using an encryption key associated with the updated cryptographic key.

Abstract: An approach is provided for performing authentication in a communication system. In one embodiment, a key is established with a terminal in a communication network according to a key agreement protocol. The agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key. A master key is generated based on the agreed key. In another embodiment, digest authentication is combined with key exchange parameters (e.g., Diffie-Hellman parameters) in the payload of the digest message, in which a key (e.g., SMEKEY or MN-AAA) is utilized as a password. In yet another embodiment, an authentication algorithm (e.g., Cellular Authentication and Voice Encryption (CAVE)) is employed with a key agreement protocol with conversion functions to support bootstrapping.

Abstract: In the existing WLAN network, the authentication method using the pre-shared cipher key has low safety, and is not applicable for large scale deployment; while the authentication method based on 802.1x is very complex and needs to introduce EAP/RADIUS servers. The invention provides an authentication method and device in a converged wireless access network, wherein, the wireless access network and the UE all maintain a cipher key of a UE for accessing the first wireless access network, when the UE accessing the second wireless access network, the wireless access network and the UE implements the authentication based on the cipher key. In the invention, the UE key for accessing the first wireless access network, which has been obtained safely, is used in the authentication for the access of the UE in the second wireless access network. Compared to the traditional solution of the shared cipher key, the proposed solution ensures safety; and compared to the traditional 802.

Abstract: A security system for an external data storage apparatus and control method thereof are disclosed. The system utilizes a preset identification (ID) and input ID to selectively permit data to be written and/or read.

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.

Abstract: A lighting system (100) and a method of protecting a lighting device of a lighting system against theft are provided. The lighting system comprises a lighting device (110) and at least one other device (170). Both the lighting device and the at least one other device comprises a data storage (116, 176), a controller (114, 174) and a network interface (112, 172). The lighting device additionally comprises a light emitter (118). When the lighting device powers up, the other device transmits a verification value stored in its data storage to lighting device. The lighting device assesses the verification value in relation to a unique value stored in its data storage to check whether the lighting system knows the lighting device. In dependence of the assessment, the lighting device is controlled to operate in a first or in a second operational mode. In a commissioning procedure the other device may receive the verification value for storage in its data storage.

Abstract: A method for changing an operating mode of a mobile device is provided. According to the method, a request from the user of the mobile device to change from a first operating mode to a second operating mode is received. In response to the received request a credential is requested from the user. Next, the credential (RCK) is received from the user and validated. If the received credential (RCK) is valid, the second operating mode is set and an indication of the mobile device indicating that the second operating mode has been set is set. If the second operating mode has been set, a reset of the indication is prohibited.

Abstract: A machine includes a number of slots. Each of the slots is configured to receive one or more components for implementing some functionality role of the slot in the machine. The machine further includes one or more replaceable components in each of the slots. The components are configured to communicate (or be communicated for) on behalf of a slot or the machine, to an external system(s). The external system(s) implement rules to perform authorization or other operations based on the role of the slot in the context of the machine. A different derived key is used to communicate by or for each component with the external system. Each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed.

Abstract: Methods and systems for wireless network management are described. In one embodiment, a radio measurement of a characteristic of a wireless access technology may be taken. The wireless access technology may enable data communication through a wireless network when connected to an access point. A report may be transmitted through an alternate access technology. The report may be based on the radio measurement. Additional methods and systems are disclosed.

Abstract: Providing secure radio information transfer over a mobile radio bearer by generating one or more secret keys, applying symmetric encryption to unencrypted radio information to generate encrypted radio information, applying a keyed hash operation to the unencrypted radio information using the generated one or more secret keys to generate a message digest, and transmitting both the encrypted radio information and the message digest over a network.

Abstract: Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the management device is located by the managed device with the assistance of a locator server and the managed device initiates establishment of an encrypted management tunnel with the management device.

Abstract: A system and method can allow a first subscriber who is unable to use his mobile device due to theft, damage, loss, or any other reason to authenticate himself on a telecommunications network using a second subscriber's mobile device. The system and method can also allow the first subscriber to continue to make and receive calls and messages with the second subscriber's mobile device. Any charges incurred by usage of the second subscriber's mobile device by the first subscriber can be billed to an account associated with the first subscriber.

Abstract: A login request initiated by a user at a current page is received. Whether there exists an account record matched with a login account name and login password combination in the login request is searched from an account table of the current page. If a result is positive, the user is allowed to log in. If a result is not positive, a preconfigured account name collection corresponding to the login account name is acquired. The account name collection includes login account names of the user's registered accounts in a plurality of member systems. A login account name in a member system to which the current page belongs is searched from the account name collection, and the found login account name is provided to the user. The techniques of the present disclosure prompts a correct login account name to the user, especially when there are many user login account names, thereby reducing memory burden of the user and assisting the user in implementing a quick login under multi-account management.

Abstract: A method and a wireless transmit/receive unit (WTRU), including a universal subscriber identity module (USIM), for identifying a closed subscriber group (CSG) cell are disclosed. The WTRU receives a broadcast from a cell including a cell identifier (ID). If the cell ID is associated with a CSG cell, the WTRU determines whether the CSG ID is programmed in the USIM. The cell broadcast may include a single bit information element (IE) indicating that the cell is a CSG cell. If the cell ID is a CSG ID, the cell ID may further include a plurality of fields which indicate at least one of a country, a region, an operator, and a home evolved Node-B (HeNB) number. The cell broadcast may further include a bit indicating whether the CSG cell is public or private. The cell broadcast may further include a bit indicating that emergency calls are allowed from all users.

Abstract: A method comprising performing following acts on a network server: receiving a communication from a client terminal operated by a client; performing a first authentication of the client terminal or client; in response to the first authentication, delivering a first service to the client; after delivering the first service, sending an offer for a second service to the client terminal; receiving an acceptance message for the second service from the client terminal; performing a second authentication of the client terminal and/or the client; in response to receiving the acceptance message for the second service from the client terminal and to the second authentication being successful, delivering a second service to the client; wherein the first authentication and the second authentication use different authentication techniques. Other aspects include a programmed data processing apparatus for carrying out the method and a tangible program carrier instructing the apparatus to perform the acts.

Abstract: The radio communication system has a user equipment, a first base station, a second base station, a serving gateway, and a switching station. The first base station has a control-plane path set to the switching station. The second base station has no control-plane path to the switching station. A path setting determiner determines whether to set a user-plane path, based on measurement information reported from the user equipment. A base station determiner determines, based on identification information obtained by the user equipment, whether a base station to which the user-plane path is to be set is the second base station, the base station corresponding to the obtained identification information.

Abstract: A system for providing a predetermined set of functionality to primary applications is provided. The system includes a primary application interface that receives a user identifier, primary application configuration data and an application identifier associated with one of the primary applications from a plurality of primary applications, wherein the user identifier and the application identifier for each of the primary applications are different. A feature functionality system alters one or more features to match the primary application, the feature functionality system configured to provide a feature to a user associated with the user identifier and to transfer a primary application currency amount to the primary application or to award the user a prize upon completion of the feature by the user. A billing system interface unlocks external feature functionality for a certain number of interactions or a certain time period or generates the primary application currency amount.

Abstract: A method, an apparatus, and a computer program product for wireless communication are provided. The apparatus may be a STA. The STA sends, in a re-association procedure, a re-association object to a first AP to establish a first security association with the first AP. The re-association object is encrypted by using a first key unknown to the STA. The re-association object includes a second key derived from a second security association in a previous association procedure between the STA and a second AP. The STA receives a response from the first AP indicating that the first security association has been successfully established. The STA authenticates the response.

Abstract: A method and apparatus including units configured to send a request from a first network entity to a user equipment for an identifier and receive a message indicating that a public key is required from the user equipment by the first network entity. The method and apparatus also includes units configured to send, by the first network entity, the public key to the user equipment and receive an encrypted identifier by the first network entity, wherein upon authenticating the public key, the user equipment encrypts at least part of the identifier using the public key, thereby enabling further processing between the network entity and the user equipment.

Abstract: Aspects of the subject disclosure may include, for example, determining a credential of a first subscribed service, responsive to authentication of a user device within a first communication network. Authentication of the user with respect to the first service is facilitated and, in response, a second subscribed service is identified. A notification is provided to an access control function that the user device is granted access to the second subscribed service. The credential is stored in a common authentication repository accessible by the first and second subscribed services. An inquiry from a second communication network is determined in response to the user device requesting authentication there. A second notification is provided to the second communication network that the user device has already been authenticated, allowing the user device to access the services without further authentication. Other embodiments are disclosed.

Abstract: A computing system for redacting and/or tokenizing non-public information of electronic documents stored in a database may include a data redaction computing device and/or a data tokenization computing device, a first database storing a plurality of electronic documents, and a second database storing computer executable instructions for analyzing information associated with the plurality of electronic documents stored in the first database. The computer executable instructions may cause the data redaction/tokenization computing device to identify non-public information in one or more of the plurality of electronic documents and/or at least one of a document type, a source of the electronic document, and a destination to which the electronic document is to be communicated.

Abstract: Methods and apparatus for correcting error events associated with identity provisioning. In one embodiment, repeated requests for access control clients are responded to with the execution of a provisioning feedback mechanism which is intended to prevent the unintentional (or even intentional) over-consumption or waste of network resources via the delivery of an excessive amount of access control clients. These provisioning feedback mechanisms include rate-limiting algorithms and/or methodologies which place a cost on the user. Apparatus for implementing the aforementioned provisioning feedback mechanisms are also disclosed and include specialized user equipment and/or network side equipment such as a subscriber identity module provisioning server (SPS).

Abstract: Systems and methods for associating a remote controller with a device are provided. The systems and methods generally relate to receiving a request from a remote controlled to pair the remote controller to a device at several devices and determining at each of the several devices the strength of the wireless pairing request signal received by that device. If a device determines that its received signal is the strongest, the device may be paired with the remote controller. If instead a device determines that its received signal is not the strongest, it may ignore subsequent communications received from the remote controller.

Abstract: Disclosed are a system, device and method for network authorization based on no password or a random password, the device comprising: a memory having instructions stored thereon; at least one processor to execute the instructions to cause: obtaining information carried in a consult message by accessing a server, wherein the consult message is generated and sent to the server by a network access device upon reception of a connection establishment request message, and the consult message comprises network communication address information identifying uniquely the master control device and information of whether a terminal device is allowed to access a network; generating an instruction notification comprising instruction information according to user input information, wherein the instruction information comprises physical address information of the terminal device and information of whether allowing the terminal device to access the network; and sending the instruction notification so that the network access d

Abstract: A method of conferring security trust and privileges between proximally positioned devices in the presence of a root trust device includes configuring a microprocessor to activate at least one wireless communications module to receive a unique environmental signal (UES) and a proximally positioned device's unique device identifier (UDI) in response to detecting a threshold charge capacity in a battery during its initial charging, imprinting a primary device asymmetric key pair, the UDI, and the UES as a primary device pairing event, transmitting a primary device certificate to the proximally positioned device, encrypting device content on the proximally positioned device by multiplexing a device content signal with an asymmetric key, and decrypting the device content on another proximally positioned device using a corresponding asymmetric key from a shared certificate while in the presence of the root trust device.

Abstract: Embodiments disclosed describe room specific pairing of electronic devices using the combination of ultrasonic signal and other wireless means such as Bluetooth. The ultrasonic signal is used to communicate a unique identifier to the electronic devices within the same physical location. The electronic device receiving the ultrasonic signal uses the unique identifier to establish a secure wireless communication with the base station. The wireless communication is then used to communication the configuration information for a second network connection between the base station and the electronic device.

Abstract: An apparatus and method for performing procedures (protocols) of a PDCP (Packet Data Convergence Protocol) layer and an RLC (radio layer in an E-UMTS (Evolved Universal Mobile Telecommunications System) which has evolved from UMTS, among radio protocols of a mobile communication system. The PDCP layer performs ciphering on data (i.e., PDCP SDU) received from an upper layer, generates an indicator discriminating ciphered data and non-ciphered data (i.e., an ROHC feedback packet directly generated by the PDCP layer), and transmits the same to a lower layer (i.e., MAC layer). A PDCP SN (Sequence Number) is defined as an algorithm for ciphering the data in the PDCP layer to perform ciphering in the PDCP layer.

Abstract: The embodiments described herein recite a geo-location based community of interest (COI) system and method that add the capability to configure Network Connect Devices (NCD) to identify the location of the source and destination IP addresses. The NCDS may drop any packets that are destined to an IP address outside of its predefined radius. For any sent/received packets, the geo-location position of the remote IP-address on the wide area network (WAN) may be determined. The distance between two points on the earth given their latitudes and longitudes of the devices may be determined. If the distance is greater than the predefined range, the data packets may be denied. If the distance falls within the pre-determined range, the data packets are allowed to reach their destination.

Abstract: A transceiver may be arranged to operate according to a Radio Access Technology (RAT) in a cellular communication system. A position value for the transceiver is determined, and a database is accessed based on the determined position value. A transceiver parameter set corresponding to the determined position value is acquired, and the transceiver parameter set is arranged to adapt operation of the transceiver for the determined position within the RAT. Settings of the transceiver are applied according to the acquired transceiver parameter set.

Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.

Abstract: A device that incorporates the subject disclosure may perform, for example, generating a security domain root structure for a universal integrated circuit card of an end user device, where the security domain root structure includes a hierarchy of a link provider operator security domain above a mobile network operator trusted security domain, where the link provider operator security domain enables transport management by a link provider operator, and where the mobile network operator trusted security domain enables card content management and subscription eligibility verification by a mobile network operator trusted service manager. Other embodiments are disclosed.

Abstract: Examples disclosed herein include methods, systems, and devices to help a UE to securely output a copy of a security key stored on the UE. According to examples, a UE receives a test security key from a provider. Based on the received test security key, the UE computes a test result, and then the UE transmits the computed test result to a network authentication system. The UE receives from the network authentication system a response indicating a match between the computed test result and a test result computed by the network authentication system. Based on the received response indicating the match, the UE outputs a copy of the security key stored in the UE to the provider.

Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

Abstract: A privacy indicator is provided that shows whether sensor data are being processed in a private or non-private mode. When sensor data are used only for controlling a device locally, it may be in a private mode, which may be shown by setting the privacy indicator to a first color. When sensor data are being sent to a remote site, it may be in a non-private mode, which may be shown by setting the privacy indicator to a second color. The privacy mode may be determined by processing a command in accordance with a privacy policy of determining if the command is on a privacy whitelist, blacklist, greylist or is not present in a privacy command library. A non-private command may be blocked.

Abstract: Method and Apparatus for Securing a Connection in a Communications Network A method of operating a user equipment (UE) using a Generic Bootstrapping Architecture (GBA) is provided. The method includes establishing a shared secret between the UE and a Network Application Function (NAF). An authentication request is sent to a Bootstrapping Server Function (BSF) by the UE. An original parameter intended for a key derivation function and a bootstrapping transaction identifier is received from the BSF. An application request, including the bootstrapping transaction identifier, is sent by the UE to the NAF. A modified parameter is derived by the UE from the secret and the original parameter intended for the key derivation function. A cryptographic key is determined using said modified parameter in place of or in addition to the original parameter in the key derivation function, and communications with the NAF are secured using the key.

Abstract: A method of encrypting information using a computational tag may include, by a mobile electronic device, detecting a computational tag within a near field communication range of the mobile electronic device, identifying a document to be encrypted by the mobile electronic device, transmitting the document to the computational tag by the mobile electronic device, receiving, from the computational tag, an encrypted document, wherein the encrypted document comprises an encrypted version of the document that was to be encrypted, and storing the encrypted document in a memory of the mobile electronic device.

Abstract: A system and method implemented at a server system, for securely wiping a remote mobile device after the device registration has been removed from the server system. Prior to removal of the device registration from the server system, a “pre-packaged” command is created and stored at the server system. In the event that it is determined, after removal of the registration, that the device should be wiped or disabled, means are provided for an administrator to issue the previously stored command to the target mobile device.

Abstract: Methods, systems, and techniques for securing access to stored data are provided. Example embodiments provide a Storage Management System (“SMS”) that is configured to facilitate protected information sharing. The SMS may restrict access to shared information based on one or more criteria that validate an entity's right to access the information. For example, the SMS may restrict access to entities that are located in a particular geographic region, that are using a particular type of hardware or software, that hold particular credentials, or the like. In some cases, the SMS may require that an entity's claim to meet on or more required criteria be validated by a trusted third party.

Abstract: A system and method is provided for using information broadcast by devices and resources in the immediate vicinity of a mobile device, or by sensors located within the mobile device itself, to ascertain and make a determination of the immediate environment and state of the mobile device. This determination may be used to control and manage the actions that the device is asked to carry out by or on behalf of the user.

Abstract: A secret sharing apparatus generates, from secret data, a plurality of pieces of shared data from which the secret data is able to be restored. The secret data includes a plurality of pieces of divided data which does not include a random number. The secret sharing apparatus includes a shared data generating section which performs an XOR operation between the pieces of divided data and generates the plurality of pieces of shared data which includes the result of the XOR operation between the pieces of divided data.

Abstract: Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the management device is located by the managed device with the assistance of a locator server and the managed device initiates establishment of an encrypted management tunnel with the management device.

Abstract: An automatic content recognition (ACR)-enabled connected TV device may be operable to identify, utilizing ACR, viewer interaction and/or viewer information. The ACR-enabled connected TV device may present, utilizing the ACR, a variant of an advertisement in a next ad pod during presentation of content, based on the identified viewer interaction and/or the identified viewer information. The viewer information may comprise customized preferences profile, default preferences setting, viewing habits, time of day and/or location. The viewer information may also comprise objects and/or events captured by an associated camera. When an identified stored episode of a show is presented via DVR playback, the ACR-enabled connected TV device may present, in a next ad pod, a new version of an advertisement, where the new version of the advertisement may be associated with a new episode of the show and presentation of the new version may result in a C3 rating credit.

Abstract: A discovery method for Device-to-Device (D2D) communication is provided. A terminal transmits a discovery service request message for D2D communication including one of application information and group information for a Proximity based Service (ProSe) to a server. The terminal receives, from the server, a discovery service key delivery message including a discovery service key corresponding to the one of the application information and the group information for a ProSe. The terminal acquires the discovery service key by decrypting the discovery service key delivery message, and performs discovery by encrypting a discovery code with the acquired discovery service key.

Abstract: Embodiments are provided for automatically identifying reduced availability of multi-channel media distributors for authentication or authorization. For example, an entitlement service communicates with a multi-channel media distributor to authenticate viewers requesting content from programmers or to confirm that authenticated viewers are authorized to receive content from the programmers. The entitlement service receives requests for various programmers to provide media content to user devices, and transmits the requests to the multi-channel media distributor. The entitlement service determines a reduced availability of the multi-channel media distributor based on, for example, an unusually low success rate for authenticating users or authorizing the users' access to content access based on the transmitted requests.

Abstract: A method implemented in a user equipment (UE) comprising a processor. First information is stored to a removable memory connected to the UE and second information is stored to a non-volatile memory of the UE. The first information may be a unique value and may include additional information. A connection request based at least in part on the first information is received. A connection response based at least in part on the second information and the connection request is sent.

Abstract: A wearable device stores data therein. The wearable device transmits the data to a master device registered as a transmission destination of the data when communication is possible with the master device. Then, the wearable device transmits, to the master device, a request to cancel registration of the master device registered as the transmission destination of the data. Thereafter, having received a permission to cancel the registration from the master device, the wearable device cancels the registration of the master device and waits for registration of a device with which communication is possible.

Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.

Abstract: A method to facilitate secure access to a sponsored data service (SDS) through an application programming interface gateway includes providing an access token to a content provider device, where the access token authorizes the content provider device to receive sponsored data services (SDSs). The method also includes receiving a first request for an SDS resource from the content provider device; generating a first timestamp associated with the first request; determining a destination for the first request, where the destination specifies a network address corresponding to an SDS resource device; forwarding the first request to the SDS resource device based on the determined destination; receiving a first response from the SDS resource device corresponding to the first request; generating a second timestamp associated with the first response; and forwarding the first response, along with the first timestamp and the second timestamp, to the content provider device.